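Ingress is an API object and, like other objects, is configured through a yaml file. An Ingress exposes Services inside the cluster over http or https, giving a Service an external URL, load balancing, SSL/TLS termination, and host-based reverse proxying.
Download the yaml file from the official site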
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/baremetal/deploy.yaml
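Download the ingress-nginx/controller and ingress-nginx/kube-webhook-certgen images and push them to the local harbor registry
Change the image addresses in the yaml file to the addresses of the images just pushed to the local harbor registry, then apply the file
Change the Service type to LoadBalancer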
kubectl -n ingress-nginx edit svc ingress-nginx-controller
kubectl get ns
kubectl -n ingress-nginx get all
kubectl -n ingress-nginx get svc
Create the pods
vim deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: myapp:v1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deployment
  labels:
    app: myapp
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: myapp:v2
Apply it and view the created pods
kubectl apply -f deployment.yaml
kubectl get pod
vim svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  selector:
    app: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: myapp-svc
spec:
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  selector:
    app: myapp
kubectl describe svc nginx-svc
kubectl describe svc myapp-svc
In ingress.yaml, define the host name rule that is used to match requests to the service
vim ingress.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx
spec:
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc
          servicePort: 80
vim /etc/hosts
172.25.21.10 www1.westos.org www2.westos.org
curl www1.westos.org
kubectl delete -f ingress.yaml
First create the crt and key, then generate the secret
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
Add the TLS configuration by modifying ingress.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx
spec:
  tls:
  - hosts:
    - www1.westos.org
    secretName: tls-secret
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc
          servicePort: 80
Apply it and view the created secret
View the created ingress and its details; you can see that TLS is now configured
kubectl get ingress
kubectl describe ingress
curl www1.westos.org -I
curl https://www1.westos.org -k
First install httpd-tools, create a user, and generate the secret
yum install -y httpd-tools
htpasswd -c auth pwc
kubectl create secret generic basic-auth --from-file=auth
Edit the yaml file to add authentication
vim ingress.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - pwc'
spec:
  tls:
  - hosts:
    - www1.westos.org
    secretName: tls-secret
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc
          servicePort: 80
After applying the yaml file, view the ingress information; you can see that the authentication settings have been added
Create ingress-rewrite.yaml
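An added example, not part of the original post: a small Python audit over the output of `kubectl get ingress -o json` that checks what the TLS and basic-auth steps above set up, namely that every rule host is covered by a spec.tls entry and that auth-type is paired with auth-secret. The sample data and the item names plain, tls and tls-auth are constructed for illustration.

```python
import json

AUTH = "nginx.ingress.kubernetes.io/auth-"

def audit_ingress(ing):
    """Findings for one Ingress item from `kubectl get ingress -o json`."""
    spec = ing.get("spec", {})
    ann = ing.get("metadata", {}).get("annotations") or {}
    findings = []
    # Hosts that have a certificate secret configured under spec.tls.
    tls_hosts = set()
    for entry in spec.get("tls") or []:
        if entry.get("secretName"):
            tls_hosts.update(entry.get("hosts") or [])
        else:
            findings.append("tls entry without secretName")
    # Every routed host should be covered (exact match; wildcards not handled).
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host is None:
            findings.append("rule without host matches every Host header")
        elif host not in tls_hosts:
            findings.append(f"{host}: no spec.tls entry covers this host")
    # Basic auth needs auth-type and auth-secret together, and TLS underneath.
    has_type, has_secret = (AUTH + "type") in ann, (AUTH + "secret") in ann
    if has_type != has_secret:
        findings.append("auth-type and auth-secret must be set together")
    elif not has_type:
        findings.append("no auth annotations: backend reachable unauthenticated")
    elif not tls_hosts:
        findings.append("basic auth without TLS exposes credentials")
    return findings

# Constructed sample: the page's Ingress at its three stages (plain, TLS, TLS + auth).
HOST = "www1.westos.org"
TLS = [{"hosts": [HOST], "secretName": "tls-secret"}]
ANN = {AUTH + "type": "basic", AUTH + "secret": "basic-auth"}
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "plain"}, "spec": {"rules": [{"host": HOST}]}},
    {"metadata": {"name": "tls"}, "spec": {"tls": TLS, "rules": [{"host": HOST}]}},
    {"metadata": {"name": "tls-auth", "annotations": ANN},
     "spec": {"tls": TLS, "rules": [{"host": HOST}]}},
]})

def audit(json_text):
    """Map Ingress name -> findings for a `kubectl get ingress -o json` document."""
    return {i["metadata"]["name"]: audit_ingress(i) for i in json.loads(json_text)["items"]}

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(name, found or "ok")
```

Against a live cluster, pass the text printed by `kubectl get ingress -o json` to `audit()` instead of `SAMPLE`.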
vim ingress-rewrite.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - pwc'
    nginx.ingress.kubernetes.io/app-root: /hostname.html
spec:
  tls:
  - hosts:
    - www1.westos.org
    secretName: tls-secret
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc
          servicePort: 80