1.使用Ingress發布應用準備;
1.1準備Tomcat應用的組態檔
root@ks-master01-10:~/ingress-test# cat tomcat-deployment.yaml
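apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-test
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
        - name: java-test
          image: tomcat:9.0.63   # pinned tag; the Service for this Deployment targets 8080
          ports:
            # Tomcat's default HTTP connector listens on 8080, which is also the
            # Service's targetPort. The original manifest declared 80 here; since
            # containerPort is informational the mismatch did not break routing,
            # but it documents a port nothing listens on and misleads tooling.
            - containerPort: 8080
              protocol: TCP
          lifecycle:
            postStart:
              exec:
                command:
                  - "/bin/bash"
                  - "-c"
                  # The official image ships with an empty webapps/; webapps.dist/
                  # holds the stock apps (ROOT, docs, examples, manager, host-manager).
                  # Copying all of them also publishes manager/host-manager/examples
                  # through the Ingress below -- acceptable for this test, but copy
                  # only what you need (e.g. ROOT) on anything reachable from outside.
                  # NOTE(review): postStart is not guaranteed to run before the
                  # container ENTRYPOINT, so Tomcat may already be starting while
                  # the copy happens; autoDeploy normally picks the apps up -- confirm.
                  - "cp -rf /usr/local/tomcat/webapps.dist/* /usr/local/tomcat/webapps/"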
root@ks-master01-10:~/ingress-test# kubectl apply -f tomcat-deployment.yaml
1.1.1 查看Pod是否正常運行;
root@ks-master01-10:~/ingress-test# kubectl get pods -l app=tomcat
NAME READY STATUS RESTARTS AGE
tomcat-test-5fb68b5569-hwf4b 1/1 Running 0 25m
1.2準備Tomcat的Service
root@ks-master01-10:~/ingress-test# cat tomcat-svc.yaml
# ClusterIP Service in front of the tomcat Pods. It is reachable only from
# inside the cluster; the Ingress controller proxies to it, nothing exposes it
# directly.
apiVersion: v1
kind: Service
metadata:
  name: tomcat-svc
spec:
  # Every Pod labelled app=tomcat (the Deployment's template labels) becomes an endpoint.
  selector:
    app: tomcat
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 8080        # port served on the ClusterIP
      targetPort: 8080  # Tomcat's HTTP connector inside the Pod
root@ks-master01-10:~/ingress-test# kubectl apply -f tomcat-svc.yaml
service/tomcat-svc created
1.2.1查看Service
root@ks-master01-10:~/ingress-test# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
tomcat-svc ClusterIP 10.96.123.199 <none> 8080/TCP 4s
1.2.2 使用describe查看,可以看到後端只有一個端點(Endpoint),正好是selector所匹配的那個Pod的IP地址;
root@ks-master01-10:~/ingress-test# kubectl describe svc tomcat-svc
Name: tomcat-svc
Namespace: default
Labels: <none>
Annotations: <none>
Selector: app=tomcat
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.96.123.199
IPs: 10.96.123.199
Port: <unset> 8080/TCP
TargetPort: 8080/TCP
Endpoints: 192.168.2.25:8080
Session Affinity: None
Events: <none>
1.3 準備應用的Ingress
root@ks-master01-10:~/ingress-test# cat tomcat-ingress.yaml
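apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tomcat-ingress-test
  annotations:
    # The path below is a regular expression; say so explicitly rather than
    # relying on rewrite-target to imply regex matching.
    nginx.ingress.kubernetes.io/use-regex: "true"
    # Rewrite /java/<rest> to /<rest> before proxying ($2 = second capture group).
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  ingressClassName: "nginx"   # served by the ingress-nginx controller
  rules:
    - host: haitangone.tomcat.net
      http:
        paths:
          - path: /java(/|$)(.*)
            # Regex paths are controller-specific. Prefix and Exact are reserved
            # for literal paths, and newer ingress-nginx releases may reject regex
            # characters under pathType Prefix (strict path validation).
            pathType: ImplementationSpecific
            backend:
              service:
                name: tomcat-svc
                port:
                  number: 8080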
root@ks-master01-10:~/ingress-test# kubectl apply -f tomcat-ingress.yaml
ingress.networking.k8s.io/tomcat-ingress-test created
1.3.1查看Ingress資源
root@ks-master01-10:~/ingress-test# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
tomcat-ingress-test nginx haitangone.tomcat.net xx.xx.xx.xx 80 34s
1.3.2 確認Ingress已經關聯到Service(Backends一欄列出的端點即為Pod IP)
root@ks-master01-10:~/ingress-test# kubectl describe ingress tomcat-ingress-test
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
Host Path Backends
---- ---- --------
haitangone.tomcat.net
/java(/|$)(.*) tomcat-svc:8080 (192.168.2.25:8080)
Annotations: nginx.ingress.kubernetes.io/rewrite-target: /$2
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 104s (x2 over 104s) nginx-ingress-controller Scheduled for sync
Normal Sync 104s (x2 over 104s) nginx-ingress-controller Scheduled for sync
1.4準備Tomcat的TLS資源
- 在Ingress控制器上配置HTTPS主機時,不能直接使用私鑰和證書檔案,而是要把私鑰和證書封裝為kubernetes.io/tls型別的Secret資源物件,再由Ingress資源引用;
- 一般來說,HTTPS更常由叢集外部的負載均衡器(external LB)終結(卸載)TLS會話,再把請求轉發給Ingress控制器;但如果外部負載均衡器工作在傳輸層(四層)而非應用層反向代理,或者需要由Ingress控制器直接接收客戶端請求並提供HTTPS服務,就應當在Ingress資源中配置tls欄位。需要注意:外部LB卸載TLS之後,LB與Ingress控制器之間的流量是明文的,這一段網路路徑必須是可信的;
- 將此類服務公開發布到互聯網時,HTTPS服務用到的證書應由公信CA簽署並頒發,用戶遵循其相應流程準備好證書即可;如果只是測試或內部使用,也可以自製私有證書,openssl是生成自簽證書的常用工具。自簽證書僅適用於測試或內部環境:客戶端不會信任它(瀏覽器會告警,curl需要-k或--cacert),而且現代客戶端以subjectAltName(SAN)而非CN來校驗主機名,生成時應同時加入SAN。下面用openssl生成用於測試的私鑰和自簽證書;
root@ks-master01-10:~/ingress-test# mkdir ssl
root@ks-master01-10:~/ingress-test# cd ssl/
root@ks-master01-10:~/ingress-test/ssl# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
............................................................................................................................................................+++++
.......................+++++
e is 65537 (0x010001)
root@ks-master01-10:~/ingress-test/ssl# chmod 600 tls.key
root@ks-master01-10:~/ingress-test/ssl# openssl req -new -x509 -key tls.key -out tls.cert -days 360 -subj "/CN=haitangone.tomcat.net" -addext "subjectAltName=DNS:haitangone.tomcat.net"
1.5創建Secrets
根據私鑰和證書檔案創建TLS型別的Secret;Ingress資源引用該Secret之後,Ingress控制器會透過API讀取其中的私鑰和證書並加載到自身的配置中,為對應的HTTPS虛擬主機提供服務。下面創建一個名為tomcat-tls-test的TLS Secret。注意:Secret預設只是以base64編碼存放在etcd中,並未加密;任何在該名稱空間擁有get/list secrets權限的主體都能取得私鑰,因此應收緊相關RBAC,並考慮為etcd啟用靜態加密(Encryption at Rest);
TLS型別的Secret中,證書必須以tls.crt為鍵名、私鑰必須以tls.key為鍵名。kubectl create secret tls的--cert與--key參數會把檔案內容存入這兩個固定鍵名,與本地檔案名無關(本例證書檔案名為tls.cert,存入Secret後鍵名仍是tls.crt,見下方describe輸出);
root@ks-master01-10:~/ingress-test/ssl# kubectl create secret tls tomcat-tls-test --cert=tls.cert --key=tls.key
secret/tomcat-tls-test created
1.5.1查看Secret
這里的TYPE型別應該為"kubernetes.io/tls"
root@ks-master01-10:~/ingress-test/ssl# kubectl get secret
NAME TYPE DATA AGE
tomcat-tls-test kubernetes.io/tls 2 50s
root@ks-master01-10:~/ingress-test/ssl# kubectl describe secret tomcat-tls-test
Name: tomcat-tls-test
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 1147 bytes
tls.key: 1675 bytes
1.6Ingress參考Secret資源實作HTTPS
tls物件由兩個內嵌欄位組成,僅在需要為某些主機提供HTTPS時才需要定義:
- hosts: 該證書所覆蓋的主機名列表;這裡的主機名必須與Secret中證書的SAN/CN所包含的名稱一致(否則客戶端校驗會失敗),通常也與rules中的host相同;
- secretName: 用於終結TLS會話的Secret(kubernetes.io/tls型別,須與Ingress位於同一名稱空間)的名稱;僅在基於SNI做TLS直通(不在Ingress層終結)的場景中可以省略;
- Ingress資源僅支持單一TLS埠(443),並假定在Ingress控制器上終結(卸載)TLS會話;在Ingress資源中引用該Secret後,控制器會加載它並提供HTTPS服務。注意此時從控制器到後端Pod的這一段預設仍是HTTP明文;
編輯Ingress資源,引入Secret資源
root@ks-master01-10:~/ingress-test# cat tomcat-ingress.yaml
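apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tomcat-ingress-test
  annotations:
    # The path below is a regular expression; say so explicitly rather than
    # relying on rewrite-target to imply regex matching.
    nginx.ingress.kubernetes.io/use-regex: "true"
    # Rewrite /java/<rest> to /<rest> before proxying ($2 = second capture group).
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  ingressClassName: "nginx"   # served by the ingress-nginx controller
  rules:
    - host: haitangone.tomcat.net
      http:
        paths:
          - path: /java(/|$)(.*)
            # Regex paths are controller-specific. Prefix and Exact are reserved
            # for literal paths, and newer ingress-nginx releases may reject regex
            # characters under pathType Prefix (strict path validation).
            pathType: ImplementationSpecific
            backend:
              service:
                name: tomcat-svc
                port:
                  number: 8080
  tls:
    # TLS is terminated on the controller for this host using the
    # kubernetes.io/tls Secret below (keys tls.crt / tls.key). Traffic from the
    # controller to the Pod remains plain HTTP. ingress-nginx normally redirects
    # plain-HTTP requests for a host that has a tls entry to HTTPS (ssl-redirect)
    # -- verify on your controller, especially behind a TLS-terminating LB.
    - hosts:
        - haitangone.tomcat.net     # must be covered by the certificate's SAN/CN
      secretName: tomcat-tls-test   # must live in the same namespace as this Ingress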
root@ks-master01-10:~/ingress-test# kubectl apply -f tomcat-ingress.yaml
ingress.networking.k8s.io/tomcat-ingress-test configured
1.7 測試是否可以訪問;

1.7.1 可以看到訪問測試沒有問題;


