kubeadm部署ingress-controller

九:kubeadm集群裸机部署:nginx-ingress-controller:0.30.0
以daemonset + hostnetwork + nodeselector为例
集群环境:
1.查看是否已开启ipvs
[root@master01 ~]# kubectl get pods -n kube-system |grep kube-proxy
kube-proxy-5pl4d                   1/1     Running   0          3h17m
kube-proxy-lmfmm                   1/1     Running   0          179m
kube-proxy-tfq9c                   1/1     Running   0          175m

#如果开启ipvs,会有输出,需要查看三个kube-proxy的pod。
[root@master01 ~]# kubectl logs -f kube-proxy-5pl4d -n kube-system |grep ipvs
I1215 04:08:14.351482       1 server_others.go:259] Using ipvs Proxier.

2.如果没有开启,可以修改配置文件,指定kube-proxy调度为ipvs
[root@master01 ~]# kubectl get cm -n kube-system|grep kube-proxy
kube-proxy                           2      3h21m

[root@master01 ~]# kubectl edit cm  kube-proxy -n kube-system
。。。。。。。。。。。。。
    ipvs:
      excludeCIDRs: null
      minSyncPeriod: 0s
      scheduler: ""      #这里默认调度算法是rr,
      strictARP: false
      syncPeriod: 0s
      tcpFinTimeout: 0s
      tcpTimeout: 0s
      udpTimeout: 0s
    kind: KubeProxyConfiguration
    metricsBindAddress: ""
    mode: ipvs           #指定kube-proxy调度规则为ipvs
    nodePortAddresses: null
    oomScoreAdj: null
    portRange: ""
    showHiddenMetricsForVersion: ""
    udpIdleTimeout: 0s
    winkernel:
    
#保存后,需要删除kube-proxy的pod,让新pod重新拉取kube-proxy的配置文件,修改才可以生效
[root@master01 ~]# kubectl get pod -n kube-system | grep kube-proxy | awk '{system("kubectl delete pod "$1" -n kube-system")}'

#查看新的kube-proxy的pod。是否生效开启ipvs
[root@master01 ~]# kubectl logs -f kube-proxy-5pldd -n kube-system |grep ipvs
I1215 04:08:14.351482       1 server_others.go:259] Using ipvs Proxier.

[root@master01 ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.96.0.1:443 rr
  -> 192.128.232.11:6443               Masq    1      3          0         
  -> 192.128.232.12:6443               Masq    1      0          0         
TCP  10.96.0.10:53 rr
  -> 10.244.0.2:53                Masq    1      0          0         
  -> 10.244.0.3:53                Masq    1      0          0        
TCP  10.96.0.10:9153 rr
  -> 10.244.0.2:9153              Masq    1      0          0         
  -> 10.244.0.3:9153              Masq    1      0          0         
UDP  10.96.0.10:53 rr
  -> 10.244.0.2:53                Masq    1      0          0         
  -> 10.244.0.3:53                Masq    1      0          0        
  
3.部署ingress-nginx
# 以daemonset + hostnetwork + nodeselector为例
下载地址:https://github.com/kubernetes/ingress-nginx/
[root@master01 ~]# mkdir ingress/
[root@master01 ingress]# unzip nginx-0.30.0.zip
[root@master01 ingress]# cd ingress-nginx-nginx-0.30.0/deploy/static/
[root@master01 static]# ll
total 28
-rw-rw-r-- 1 root root  580 Feb 24  2020 configmap.yaml
-rw-r--r-- 1 root root  240 Dec 15 13:39 kube-backend.yaml
-rw-rw-r-- 1 root root 6649 Dec 15 11:10 mandatory.yaml
-rw-rw-r-- 1 root root  166 Feb 24  2020 namespace.yaml
drwxrwxr-x 4 root root   60 Feb 24  2020 provider
-rw-rw-r-- 1 root root 2922 Feb 24  2020 rbac.yaml
-rw-rw-r-- 1 root root 2643 Feb 24  2020 with-rbac.yaml

#修改mandatory.yaml的rbac的apiversion
[root@master01 static]# sed -i "s#rbac.authorization.k8s.io/v1beta1#rbac.authorization.k8s.io/v1#g" mandatory.yaml

#修改images地址
[root@master01 static]# cat mandatory.yaml | grep image
image: harbor.od.com/kubeadm/nginx-ingress-controller:0.30.0

#修改mandatory.yaml文件(215行左右)使用宿主机网络:hostNetwork: true

#文件中的kind类型由Deployment改为DaemonSet,然后去掉replicas
[root@master01 static]# vi mandatory.yaml 
......................................................
---
apiVersion: apps/v1
kind: DaemonSet    #把Deployment改为DaemonSet
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
 # replicas: 1   #注释掉
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      hostNetwork: true  #使用宿主机网络命名空间:控制器直接在节点上监听80/443等端口(见后面的netstat输出),节点防火墙要相应放行/限制
      # wait up to five minutes for the drain of connections
      terminationGracePeriodSeconds: 300
      serviceAccountName: nginx-ingress-serviceaccount
      nodeSelector:        #部署ingress-nginx选择节点的选择器
        node: ingress-controller   #标签选择

      tolerations:     #容忍master的taint污点,表示master也可以部署ingress
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

      containers:
        - name: nginx-ingress-controller
          image: harbor.od.com/kubeadm/nginx-ingress-controller:0.30.0
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services

#给节点打标签,好指定ingress-controller的pod部署指定节点上,指定两台,建议是master节点打上标签,

[root@master01 ~]# kubectl label node master01 node=ingress-controller

[root@master01 ~]# kubectl label node master02 node=ingress-controller

[root@master01 ~]# kubectl label node master03 node=ingress-controller

[root@master01 ~]# kubectl get nodes --show-labels |grep node=ingress-controller


[root@master01 static]# kubectl apply -f mandatory.yaml 
namespace/ingress-nginx created
configmap/nginx-configuration created
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
daemonset.apps/nginx-ingress-controller created
limitrange/ingress-nginx created

#查看nginx-ingress-controller的pod
[root@master01 static]# kubectl get pod -n ingress-nginx
NAME                             READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-nqgpb   1/1     Running   0          3h38m

#查看ingress-controller的pod描述

[root@master01 static]# kubectl describe pod nginx-ingress-controller-nqgpb -n ingress-nginx

#ingress-controller部署在master01,master02,master03节点上,使用hostnetwork网络。三台主机上都监听80,8181,443端口。注意10254(Prometheus指标端口)也监听在所有地址上,10245/10246/10247只监听在127.0.0.1。
[root@node01 ~]# netstat -lntup|grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      8426/nginx: master  
tcp        0      0 0.0.0.0:8181            0.0.0.0:*               LISTEN      8426/nginx: master  
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      8426/nginx: master  
tcp        0      0 127.0.0.1:10245         0.0.0.0:*               LISTEN      8350/nginx-ingress- 
tcp        0      0 127.0.0.1:10246         0.0.0.0:*               LISTEN      8426/nginx: master  
tcp        0      0 127.0.0.1:10247         0.0.0.0:*               LISTEN      8426/nginx: master  
tcp6       0      0 :::10254                :::*                    LISTEN      8350/nginx-ingress- 
tcp6       0      0 :::80                   :::*                    LISTEN      8426/nginx: master  
tcp6       0      0 :::8181                 :::*                    LISTEN      8426/nginx: master  
tcp6       0      0 :::443                  :::*                    LISTEN      8426/nginx: master  

5.发布服务测试
[root@master01 ~]# cat nginx-service-deployment.yaml 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: harbor.od.com/kubeadm/myapp:v1
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service   #被后面ingress调度
spec:
  type: ClusterIP
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80

    
[root@master01 ~]# kubectl apply -f nginx-service-deployment.yaml 

[root@master01 ~]# kubectl get pod -n default
NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-77db97fb47-2p8f7   1/1     Running   0          3h54m
nginx-deployment-77db97fb47-ql98t   1/1     Running   0          3h54m

[root@master01 ~]# kubectl get svc -n default
NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
kubernetes      ClusterIP   10.96.0.1              443/TCP   4h33m
nginx-service   ClusterIP   10.97.95.213          80/TCP    3h55m

#访问,kube-proxy是ipvs指定的rr(轮询访问)
[root@master01 ~]# curl 10.97.95.213
Hello MyApp | Version: v1 | Pod Name

[root@master01 ~]# curl 10.97.95.213/hostname.html
nginx-deployment-77db97fb47-2p8f7

[root@master01 ~]# curl 10.97.95.213/hostname.html
nginx-deployment-77db97fb47-ql98t

#配置nginx-service的ingress
[root@master01 ~]# cat nginx-ingress.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-service-ingress
  namespace: default
  annotations:
    kubernets.io/ingress.class: "nginx"    #ingress的class注解,一定要加;注意正确的键是 kubernetes.io/ingress.class,这里拼成了 kubernets.io,控制器会忽略这个注解,按默认class处理
spec:
  rules:
  - host: demo.od.com   #配置service服务的域名
    http:
      paths:
      - path:  /
        backend:
          serviceName: nginx-service    #指定后端service的名字
          servicePort: 80               #指定后端service的端口

[root@master01 ~]# kubectl apply -f nginx-ingress.yaml 

[root@master01 ~]# kubectl get ingress
NAME                   CLASS    HOSTS         ADDRESS        PORTS   AGE
test-service-ingress     demo.od.com   10.108.95.79   80      4h37m

#查看ingress时,发现Default backend显示为 default-http-backend:80 (),
因为缺少了一个名为 "default-http-backend" 的后端Service,所以后面创建这个Service

[root@master01 ~]# kubectl describe ingress test-service-ingress
Name:             test-service-ingress
Namespace:        default
Address:          10.108.95.79
Default backend: default-http-backend:80 ()
Rules:
  Host         Path  Backends
  ----         ----  --------
  demo.od.com  
                  nginx-service:80 (10.244.2.2:80,10.244.2.3:80)
Annotations:   kubernets.io/ingress.class: nginx
Events:        


5.先查看default-http-backend服务是否存在,它在kube-system名称空间,跟kube-dns同一个名称空间里
[root@master01 ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                  AGE
kube-dns               ClusterIP   10.96.0.10              53/UDP,53/TCP,9153/TCP   4h43m

6.使用下面的 yaml 文件创建 default-http-backend 服务:
[root@master01 static]# cat kube-backend.yaml 
apiVersion: v1
kind: Service
metadata:
  name: default-http-backend   #不能随便改,ingress服务缺少这个名字"default-http-backend"的服务。
  namespace: kube-system      
spec:
  selector:
    #app: ingress-nginx-controller
    app: ingress-controller   #名字随便定义;这个selector并没有匹配到任何pod(控制器的标签是app.kubernetes.io/name),所以该Service没有endpoints,describe里显示为 (),这里只是为了让ingress能找到同名Service
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80

[root@master01 static]# kubectl apply -f kube-backend.yaml 

[root@master01 static]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                  AGE
default-http-backend   ClusterIP   10.102.127.253          80/TCP                   27m
kube-dns               ClusterIP   10.96.0.10              53/UDP,53/TCP,9153/TCP   4h47m

#查看ingress时,已经正常了
[root@master01 static]# kubectl get ingress 
NAME                   CLASS    HOSTS         ADDRESS        PORTS   AGE
test-service-ingress     demo.od.com   10.108.95.79   80      4h5m

[root@master01 static]# kubectl describe ingress test-service-ingress
Name:             test-service-ingress
Namespace:        default
Address:          10.108.95.79
Default backend:  default-http-backend:80 ()    #正常了
Rules:
  Host         Path  Backends
  ----         ----  --------
  demo.od.com  
                  nginx-service:80 (10.244.2.2:80,10.244.2.3:80)
Annotations:   kubernets.io/ingress.class: nginx
Events:        

#demo.od.com解析到vip上面,
[root@master01 ~]# cat /var/named/od.com.zone 
demo               A   10.4.7.48

[root@master01 ~]# systemctl restart named

[root@master01 ~]# curl ingresstest.od.com
Hello MyApp | Version: v1 | Pod Name

6.配置所有http域名转发到ingress节点

#两台nginx机器做反向代理,upstream指向部署了ingress-controller的节点,即上面mandatory.yaml通过nodeSelector选中的、带有 node=ingress-controller 标签的三台master节点的IP和80端口(hostNetwork直接监听),

#demo.od.com解析到vip上面,
[root@master01 ~]# cat /var/named/od.com.zone 
demo               A   10.4.7.48

下面只是http服务的配置,https的配置,需要单独配置每个conf文件
[root@nginx01 ~]# vi /etc/nginx/conf.d/od.com.conf
upstream default_backend_ingress {
    server 192.128.232.16:80    max_fails=3 fail_timeout=10s;
    server 192.128.232.17:80    max_fails=3 fail_timeout=10s;

    server 192.128.232.19:80    max_fails=3 fail_timeout=10s;
}
server {
    server_name *.od.com;
  
    location / {
        proxy_pass http://default_backend_ingress;
        proxy_set_header Host       $http_host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }
}

[root@nginx01 ~]# nginx -t
[root@nginx01 ~]# nginx -s reload


7.再发布一个服务到k8s,使用ingress
[root@master01 ~]# cat nginx-clusterIP02-service.yaml 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment2
  labels:
    app: nginx2
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx2
  template:
    metadata:
      labels:
        app: nginx2
    spec:
      containers:
      - name: nginx2
        image: harbor.od.com/kubeadm/myapp:v2
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service2
spec:
  type: ClusterIP
  selector:
    app: nginx2
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80

[root@master01 ~]# kubectl apply -f nginx-clusterIP02-service.yaml 
    
[root@master01 ~]# cat nginx-clusterIP02-ingress.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test02-service-ingress
  namespace: default
  annotations:
    kubernets.io/ingress.class: "nginx"
spec:
  rules:
  - host: ingresstest02.od.com
    http:
      paths:
      - path:
        backend:
          serviceName: nginx-service2
          servicePort: 80

[root@master01 ~]# kubectl apply -f nginx-clusterIP02-ingress.yaml
          
[root@master01 ~]# kubectl describe ingress test02-service-ingress
Name:             test02-service-ingress
Namespace:        default
Address:          10.99.155.170
Default backend:  default-http-backend:80 ()
Rules:
  Host                  Path  Backends
  ----                  ----  --------
  ingresstest02.od.com  
                           nginx-service2:80 (10.244.2.4:80,10.244.2.5:80)
Annotations:            kubernets.io/ingress.class: nginx02
Events:
  Type    Reason  Age                From                      Message
  ----    ------  ----               ----                      -------
  Normal  CREATE  52m                nginx-ingress-controller  Ingress default/test02-service-ingress
  Normal  UPDATE  78s (x2 over 52m)  nginx-ingress-controller  Ingress default/test02-service-ingress
          

[root@master01 ~]# vi /var/named/od.com.zone 
ingresstest02      A   10.4.7.48

[root@master01 ~]# systemctl restart named

[root@master01 ~]# curl ingresstest02.od.com
Hello MyApp | Version: v2 | Pod Name

[root@master01 ingress]# kubectl get pod -n ingress-nginx
NAME                             READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-jv79q   1/1     Running   0          46m

#进入容器,可以查看配置文件
[root@master01 ingress]# kubectl exec -it nginx-ingress-controller-jv79q -n ingress-nginx -- /bin/bash
bash-5.0$ vi nginx.conf   


 

8.自签证书,创建私钥
[root@master01 tls]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
....................................................................................................................+++
......+++
e is 65537 (0x10001)

#通过私钥生成自签证书,我指定有效期设置10年(有效期过长不利于轮换;该命令只设置了CN,没有subjectAltName,较新的浏览器可能不认这种证书)
[root@master01 ssl]# openssl req -new -x509 -days 3650 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/O=DevOps/CN=tomcat.od.com
[root@master01 ssl]# ll
total 8
-rw-r--r-- 1 root root 1237 Dec 16 13:26 tls.crt
-rw-r--r-- 1 root root 1675 Dec 16 12:26 tls.key

#查看证书有效期
[root@master01 ssl]# openssl x509 -noout -text -in tls.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ac:97:46:33:e0:d1:6c:46
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Beijing, O=DevOps, CN=tomcat.od.com
        Validity
            Not Before: Dec 16 05:26:22 2021 GMT
            Not After : Dec 14 05:26:22 2031 GMT   
        Subject: C=CN, ST=Beijing, O=DevOps, CN=tomcat.od.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:


#创建tls类型的secret对象,把证书和私钥保存到集群里供ingress引用;默认创建在default名称空间,也可以用-n指定,但必须和引用它的ingress在同一个名称空间
[root@master01 tls]# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key 
secret/tomcat-ingress-secret created

[root@master01 tls]# kubectl get secret
NAME                    TYPE                                  DATA   AGE
default-token-fcmwb     kubernetes.io/service-account-token   3      23h
tomcat-ingress-secret   kubernetes.io/tls                     2      111s

[root@master01 tls]# kubectl describe secret tomcat-ingress-secret
Name:         tomcat-ingress-secret
Namespace:    default    #默认是default名称空间。
Labels:      
Annotations:  

Type:  kubernetes.io/tls

Data
====
tls.key:  1675 bytes
tls.crt:  1237 bytes

#部署tomcat服务到k8s里
[root@master01 yaml]# cat tomcat-clusterIP-service.yaml 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deployment
  labels:
    app: tomcat
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
      - name: tomcat
        image: harbor.od.com/kubeadm/tomcat:8.5.15-jre8-alpine   #tomcat镜像,测试下载alpine
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8080    #容器tomcat服务端口
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat-service    #定义tomcat服务的名字,ingress通过这个名字调用,使外部访问。
spec:
  type: ClusterIP
  selector:
    app: tomcat
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 8080

#配置tomcat的ingress,使用tls证书
[root@master01 yaml]# cat tomcat-clusterIP-ingress.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-tls-ingress   #定义创建tomcat的ingress名字
  namespace: default
  annotations:
    kubernets.io/ingress.class: "tomcat"    #注解一定要有,否则不生效;注意正确的键是 kubernetes.io/ingress.class,这里拼成了 kubernets.io,控制器会忽略它;若键拼写正确,值tomcat也不会匹配这个nginx控制器的默认class
spec:
  tls:        #开启tls
  - hosts:
    - tomcat.od.com     #配置外部访问的域名,可以配置多个域名使用同一个secret
    secretName: tomcat-ingress-secret    #配置使用创建的secret的名字
  rules:
  - host: tomcat.od.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-service     #调用tomcat的service名字
          servicePort: 8080

#创建tomcat的ingress的pod
[root@master01 tls]# kubectl apply -f tomcat-clusterIP-ingress.yaml

[root@master01 yaml]# kubectl describe ingress tomcat-tls-ingress
Name:             tomcat-tls-ingress
Namespace:        default
Address:          10.99.155.170
Default backend:  default-http-backend:80 ()
TLS:
  tomcat-ingress-secret terminates tomcat.od.com
Rules:
  Host           Path  Backends
  ----           ----  --------
  tomcat.od.com  
                 /   tomcat-service:8080 (10.244.2.8:8080,10.244.2.9:8080)
Annotations:     kubernets.io/ingress.class: tomcat
Events:
  Type    Reason  Age    From                      Message
  ----    ------  ----   ----                      -------
  Normal  CREATE  4m27s  nginx-ingress-controller  Ingress default/tomcat-tls-ingress
  Normal  UPDATE  4m15s  nginx-ingress-controller  Ingress default/tomcat-tls-ingress

#把tomcat.od.com直接解析到ingress部署节点(不经过外部nginx,由ingress-controller终止TLS),跟http的做法不一样,
[root@master01 ssl]# cat /var/named/od.com.zone 
tomcat             A   10.4.7.51

[root@master01 ssl]# systemctl restart named

#浏览器测试或者命令行(自签证书不被信任,curl需要-k跳过证书校验,-k只用于测试)

[root@master01 yaml]# curl -k https://tomcat.od.com

#############################################################################

第二种:配置外部https在外部nginx服务
配置tomcat02.od.com域名为https,一个service可以被多个ingress调用,那这里就直接调用tomcat-service,

[root@master01 yaml]# cat tomcat02-clusterIP-ingress.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat02-ingress    #同一个名称空间的名字一定要不一样。
  namespace: default
  annotations:
    kubernets.io/ingress.class: "tomcat"
spec:
  rules:
  - host: tomcat02.od.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-service   #调用前面创建的tomcat-service
          servicePort: 8080

#创建tomcat02的ingress
[root@master01 yaml]# kubectl apply -f tomcat02-clusterIP-ingress.yaml

[root@master01 yaml]# kubectl get ingress |grep tomcat02-ingress
NAME                     CLASS    HOSTS                  ADDRESS         PORTS     AGE
tomcat02-ingress           tomcat02.od.com        10.99.155.170   80        27m


#############################################################################
#在yunwei主机上操作
#nginx配置tomcat02.od.com域名的https,
[root@yunwei ~]# mkdir -p /opt/certs/CA && cd /opt/certs/CA

#创建域名自签CA证书,先创建域名私钥
[root@yunwei CA]# umask 077; openssl genrsa -out tomcat02.od.com.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
..........................................................................................................................+++
e is 65537 (0x10001)


#查看生成的域名私钥(umask 077保证权限为600,只有root可读)
[root@yunwei CA]# ll CA.key 
-rw------- 1 root root 1675 Dec 17 15:06 tomcat02.od.com.key

#通过CA自签证书创建域名请求文件csr
[root@yunwei CA]# openssl req -new -key tomcat02.od.com.key -out tomcat02.od.com.csr -subj "/CN=tomcat02.od.com/C=CN/ST=BJ/L=Beijing/O=fengge123/OU=ops"

#查看是否生成成功
[root@yunwei CA]# ll tomcat02.od.com.*
-rw------- 1 root root 1005 Dec 17 15:01 tomcat02.od.com.csr
-rw------- 1 root root 1675 Dec 17 14:59 tomcat02.od.com.key

#通过域名请求文件csr签发证书,这里的ca.crt, ca.key是k8s集群的CA证书和私钥,运维主机没有,就需要拷贝过来,否则签不了。注意:集群CA私钥是整个集群的信任根,持有它就能签发任意集群客户端证书,把它拷出控制平面有很大风险;生产环境建议用单独的CA给网站证书签名,而不是用集群CA
#拷贝master节点k8s的ca证书到运维节点
[root@yunwei CA]# scp master01:/etc/kubernetes/pki/ca.* .
root@master01's password: 
ca.crt                                                                                 100% 1029   631.4KB/s   00:00    
ca.key                                                                                 100% 1675   429.5KB/s   00:00    
ca.srl                                                                                 100%   17     7.3KB/s   00:00     

#用k8s集群的CA给域名csr签发证书,指定有效期10年
[root@yunwei CA]# openssl x509 -req -in tomcat02.od.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out tomcat02.od.com.crt -days 3650
Signature ok
subject=/CN=tomcat02.od.com/C=CN/ST=BJ/L=Beijing/O=fengge123/OU=ops
Getting CA Private Key

[root@yunwei CA]# ll tomcat02.od.com.*
-rw------- 1 root root 1090 Dec 17 15:17 tomcat02.od.com.crt
-rw------- 1 root root 1005 Dec 17 15:10 tomcat02.od.com.csr
-rw------- 1 root root 1679 Dec 17 15:09 tomcat02.od.com.key


#上面tomcat02.od.com域名证书就自签成功了,需要拷贝到nginx节点反向代理,部署https
[root@nginx01 yaml]# mkdir -p /etc/nginx/ssl/
[root@nginx01 yaml]# cd /etc/nginx/ssl/

#拷贝运维节点创建好的域名证书
[root@master01 ssl]# scp yunwei:/opt/certs/CA/tomcat02.od.com.crt .
[root@master01 ssl]# scp yunwei:/opt/certs/CA/tomcat02.od.com.key .

#配置https反向代理,这里的节点可以是集群任何节点
[root@nginx01 ~]# cd /etc/nginx/conf.d/
[root@nginx01 conf.d]# cat tomcat02.do.com.conf 
upstream tomcat02_ingress {
    server 192.128.232.16:80    max_fails=3 fail_timeout=10s;
    server 192.128.232.17:80    max_fails=3 fail_timeout=10s;
}
server {
    listen       80;
    server_name  tomcat02.od.com;
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
server {
    listen       443 ssl;
    server_name  tomcat02.od.com;
    ssl_certificate "/etc/nginx/ssl/tomcat02.od.com.crt";
    ssl_certificate_key "/etc/nginx/ssl/tomcat02.od.com.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://tomcat02_ingress;
        proxy_set_header Host       $http_host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }
}

[root@nginx01 conf.d]# nginx -t
[root@nginx01 conf.d]# nginx -s reload


#解析域名到vip地址,在DNS服务器操作
[root@master01 ssl]# vi /var/named/od.com.zone 
tomcat02           A   192.128.232.15

[root@master01 ssl]# systemctl restart named

#测试命令行访问或者浏览器访问
[root@yunwei ~]# curl -k https://tomcat02.od.com
 
