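Ingress is the entry point for reaching services inside a Kubernetes cluster from outside the cluster. It exposes the cluster's Service resources externally as HTTP/HTTPS routes.
This article uses the open-source nginx-ingress controller as an example to show how to define HTTP and HTTPS Ingress resources in a cluster.
kubectl, the Kubernetes command-line client, lets you connect to a Kubernetes cluster from a client machine and deploy applications. For details, see "Connecting to a Kubernetes Cluster with the Kubectl Client".
Nginx-ingress Controller is the ingress controller open-sourced by Nginx itself. For how to deploy it, see "Nginx-ingress Controller Deployment".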
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginxdemos/hello:latest  # Nginx web server container image
        ports:
        - containerPort: 80
```
Download the YAML file:

```
wget https://kubernetes.s3.cn-north-1.jdcloud-oss.com/ingress/deploy-nginx-server.yml
```

Deploy it to the cluster:

```
kubectl create -f deploy-nginx-server.yml
```

Check that the deployment is running:

```
kubectl get deployment nginx-deployment
NAME               DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
nginx-deployment   3         3         3            3           24s
```
Create the Service:

```
kubectl expose deployment nginx-deployment --target-port=80 --port=60000 --protocol=TCP --name=servicetest-jdcloud
```

Check the Service status:

```
kubectl get service servicetest-jdcloud
NAME                  TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)     AGE
servicetest-jdcloud   ClusterIP   10.0.63.197   <none>        60000/TCP   46s
```

Check the Endpoints status:

```
kubectl get endpoints servicetest-jdcloud
NAME                  ENDPOINTS                                AGE
servicetest-jdcloud   10.0.0.19:80,10.0.0.6:80,10.0.0.8:80     88s
```
```
wget https://kubernetes.s3.cn-north-1.jdcloud-oss.com/ingress/deploy-http-ingress-resource.yml
```

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: k8s-app-monitor-agent-ingress
  annotations:
    # Selects the Ingress Controller that handles this Ingress resource;
    # this example uses the Nginx Controller created above
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: k8s-ingress-nginx-controller-test.jdcloud
    http:
      paths:
      - path: /
        backend:
          serviceName: servicetest-jdcloud
          servicePort: 60000
```

```
kubectl create -f deploy-http-ingress-resource.yml
```

```
kubectl get ingress k8s-app-monitor-agent-ingress
NAME                            HOSTS                                       ADDRESS   PORTS   AGE
k8s-app-monitor-agent-ingress   k8s-ingress-nginx-controller-test.jdcloud             80      23s
```
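Get the public IP of the Nginx-ingress Controller, that is, the External IP of the LoadBalancer-type Service associated with the Nginx-ingress Controller. For details, see "Nginx-ingress Controller Deployment".
Add a DNS entry to /etc/hosts on your local server: the IP is the External IP of the LoadBalancer-type Service found in the previous step, and the domain name is the virtual host name configured in the Ingress resource rule: k8s-ingress-nginx-controller-test.jdcloud.
Enter k8s-ingress-nginx-controller-test.jdcloud/servicetest-jdcloud in a browser to verify that the nginx web server is exposed outside the cluster.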
```
# Replace the --cert and --key values with the file names of the SSL certificate and private key you actually obtained
kubectl create secret tls ingress-ssl-secret --cert web-server.pem --key web-server-key.pem
```

```
kubectl describe secret/ingress-ssl-secret
Name:         ingress-ssl-secret
Namespace:    nginx-ingress
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  1448 bytes
tls.key:  1675 bytes
```

```
wget https://kubernetes.s3.cn-north-1.jdcloud-oss.com/ingress/deploy-https-ingress-resource.yml
```

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # Selects the Ingress Controller that handles this Ingress resource;
    # this example uses the Nginx Controller created above
    kubernetes.io/ingress.class: "nginx"
  name: myingress
  namespace: nginx-ingress
spec:
  rules:
  - host: nginx-ingress-test.jdcloud
    http:
      paths:
      - backend:
          serviceName: servicetest-jdcloud
          servicePort: 60000
        path: /nginx-demo
  tls:
  - hosts:
    - nginx-ingress-test.jdcloud
    secretName: ingress-ssl-secret  # Replace with the name of the TLS-type Secret created in step 2
```

```
kubectl create -f deploy-https-ingress-resource.yml
```
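Get the public IP of the Nginx-ingress Controller, that is, the External IP of the LoadBalancer-type Service associated with the Nginx-ingress Controller. For details, see "Nginx-ingress Controller Deployment".
Add a DNS entry to /etc/hosts on your local server: the IP is the External IP of the LoadBalancer-type Service found in the previous step, and the domain name is the virtual host name configured in the Ingress resource rule: nginx-ingress-test.jdcloud.
Enter nginx-ingress-test.jdcloud/nginx-demo in a browser to verify the output.
Note: when you use a certificate issued by a custom CA, the browser will warn that the certificate is not trusted. You can import your self-built CA's ca.pem file into the operating system and mark it as permanently trusted.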
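
A pre-flight check for the certificate and key passed to `kubectl create secret tls` in the HTTPS steps above, as an added example that is not part of the original page: it confirms that the private key belongs to the certificate, that the certificate is not about to expire, and that it covers the Ingress host. The function names `check_tls_pair` and `make_demo_pair` and the 30-day threshold are assumptions; `make_demo_pair` only generates a constructed throwaway pair for trying the check, and needs OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example, not from the original page. Helper names are hypothetical.

# check_tls_pair CERT KEY HOST
# Returns 0 if the pair is usable, 1 if the key does not match the certificate,
# 2 if the certificate expires within 30 days, 3 if it does not cover HOST.
check_tls_pair() {
    cert=$1; key=$2; host=$3

    # The public key embedded in the certificate must equal the one derived
    # from the private key; otherwise the controller cannot serve the Secret.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: key does not match certificate" >&2; return 1; }

    # -checkend exits non-zero when the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
        { echo "FAIL: certificate expires within 30 days" >&2; return 2; }

    # -checkhost prints "does match" or "does NOT match" and exits 0 either
    # way, so the result has to be read from its output.
    openssl x509 -in "$cert" -noout -checkhost "$host" |
        grep -q "does match certificate" ||
        { echo "FAIL: certificate does not cover $host" >&2; return 3; }

    echo "OK: $cert matches $key and covers $host"
}

# make_demo_pair DIR HOST [DAYS]
# Constructed sample input: writes a throwaway self-signed pair for HOST to DIR,
# using the file names from the kubectl command on this page.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "${3:-90}" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/web-server-key.pem" -out "$1/web-server.pem" 2>/dev/null
}

# Usage: sh check-tls.sh web-server.pem web-server-key.pem nginx-ingress-test.jdcloud
if [ "$#" -eq 3 ]; then
    check_tls_pair "$@"
fi
```

Run it against the real files before creating the Secret; a non-zero exit status identifies which of the three checks failed.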