kubernetes-ingress-nginx

目录

一、部署

二、访问

1.基于路径访问

2.基于域名访问

三、加密与认证

1.TLS加密

2.auth认证

四、rewrite重定向

五、canary金丝雀发布

1.基于header灰度

2.基于权重灰度

3.业务域拆分


一、部署

ingress-nginx是一个开源的Kubernetes Ingress控制器,用于将HTTP(S)流量路由Kubernetes集群内不同的服务和应用程序。它提供了丰富的功能和灵活的配置选项,支持多种路由策略和负载均衡算法,还支持TLS终止、HTTP/2等高级协议,并且具有高可用、自动扩缩容、安全性等优点。因此,ingress-nginx已经成为Kubernetes生态系统中最流行、最常用的Ingress控制器之一。
官网:https://kubernetes.github.io/ingress-nginx/deploy/#bare-metal-clusters
下载部署文件

复制代码
wget  https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/baremetal/deploy.yaml

上传镜像到harbor

复制代码
docker pull dyrnq/ingress-nginx-controller:v1.8.2
docker pull dyrnq/kube-webhook-certgen:v20230407
docker tag dyrnq/kube-webhook-certgen:v20230407 reg.westos.org/ingress-nginx/kube-webhook-certgen:v20230407
docker tag dyrnq/ingress-nginx-controller:v1.8.2 reg.westos.org/ingress-nginx/ingress-nginx-controller:v1.8.2
docker push reg.westos.org/ingress-nginx/ingress-nginx-controller:v1.8.2
docker push reg.westos.org/ingress-nginx/kube-webhook-certgen:v20230407


修改3个镜像路径

复制代码
kubectl apply -f deploy.yaml
kubectl -n ingress-nginx get pod
kubectl -n ingress-nginx get svc


修改为LoadBalancer方式

复制代码
kubectl -n ingress-nginx edit  svc ingress-nginx-controller
kubectl -n ingress-nginx get svc


创建ingress策略

复制代码
vim ingress.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
spec:
  ingressClassName: nginx
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp
            port:
              number: 80


ingress必须和输出的service资源处于同一namespace

测试:

二、访问

1.基于路径访问

文档: Ingress | Kubernetes
创建svc

复制代码
vim myapp-v1.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: myapp-v1
  name: myapp-v1
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp-v1
  template:
    metadata:
      labels:
        app: myapp-v1
    spec:
      containers:
      - image: myapp:v1
        name: myapp-v1

---

apiVersion: v1
kind: Service
metadata:
  labels:
    app: myapp-v1
  name: myapp-v1
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: myapp-v1
  type: ClusterIP
复制代码
vim myapp-v2.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: myapp-v2
  name: myapp-v2
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp-v2
  template:
    metadata:
      labels:
        app: myapp-v2
    spec:
      containers:
      - image: myapp:v2
        name: myapp-v2

---

apiVersion: v1
kind: Service
metadata:
  labels:
    app: myapp-v2
  name: myapp-v2
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: myapp-v2
  type: ClusterIP
复制代码
kubectl get svc


创建ingress

复制代码
vim ingress1.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
  - host: myapp.westos.org
    http:
      paths:
      - path: /v1
        pathType: Prefix
        backend:
          service:
            name: myapp-v1
            port:
              number: 80

      - path: /v2
        pathType: Prefix
        backend:
          service:
            name: myapp-v2
            port:
              number: 80
复制代码
kubectl describe ingress minimal-ingress


测试

记得回收资源哦

2.基于域名访问

复制代码
vim ingress2.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: myapp1.westos.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp-v1
            port:
              number: 80

  - host: myapp2.westos.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp-v2
            port:
              number: 80
复制代码
kubectl describe ingress minimal-ingress

测试:

**三、**加密与认证

1.TLS加密

创建证书

复制代码
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
复制代码
vim ingress3.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-tls
spec:
  tls:
    - hosts:
      - myapp.westos.org
      secretName: tls-secret
  ingressClassName: nginx
  rules:
  - host: myapp.westos.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp-v1
            port:
              number: 80
复制代码
kubectl describe ingress ingress-tls

测试:

2.auth认证

创建认证文件

复制代码
yum install -y httpd-tools
htpasswd -c auth yyl
cat auth
kubectl create secret generic basic-auth --from-file=auth
复制代码
vim ingress3.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-tls
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - yyl'
spec:
  tls:
    - hosts:
      - myapp.westos.org
      secretName: tls-secret
  ingressClassName: nginx
  rules:
  - host: myapp.westos.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp-v1
            port:
              number: 80
复制代码
kubectl describe ingress ingress-tls

测试:

四、rewrite重定向

示例一:

复制代码
vim ingress3.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-tls
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - yyl'
    nginx.ingress.kubernetes.io/app-root: /hostname.html
spec:
  tls:
    - hosts:
      - myapp.westos.org
      secretName: tls-secret
  ingressClassName: nginx
  rules:
  - host: myapp.westos.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp-v1
            port:
              number: 80
复制代码
kubectl describe ingress ingress-tls

测试:


示例二:

复制代码
vim ingress3.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-tls
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - yyl'
    #nginx.ingress.kubernetes.io/app-root: /hostname.html
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  tls:
    - hosts:
      - myapp.westos.org
      secretName: tls-secret
  ingressClassName: nginx
  rules:
  - host: myapp.westos.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp-v1
            port:
              number: 80
      - path: /westos(/|$)(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: myapp-v1
            port:
              number: 80
复制代码
kubectl describe ingress ingress-tls


测试:

记得回收资源哦

五、canary金丝雀发布

1.基于header灰度

Canary发布是一种渐进式发布技术,可以将新版本的应用程序逐步推送给一小部分用户,以便在生产环境中测试其稳定性和性能。基于header的灰度是其中一种实现方式,即通过在HTTP请求的头部添加特定标记,然后在应用程序中处理该标记,以区分是否将请求路由到新版本或旧版本的应用程序中。通过这种方式,可以以逐渐增加的百分比向用户推送新版本,并在推送完成后逐步停止旧版本的支持。这种方法允许应用程序在不影响所有用户的情况下进行测试和升级,并且可以帮助识别和解决潜在问题。

复制代码
vim ingress4.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-v1-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: myapp.westos.org
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: myapp-v1
            port:
              number: 80

kubectl apply -f ingress4.yml
kubectl get ingress
复制代码
vim ingress5.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    nginx.ingress.kubernetes.io/canary-by-header: stage
    nginx.ingress.kubernetes.io/canary-by-header-value: gray
  name: myapp-v2-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: myapp.westos.org
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: myapp-v2
            port:
              number: 80

kubectl apply -f ingress5.yml
kubectl describe ingress myapp-v2-ingress


测试:

2.基于权重灰度

Canary发布是一种逐步部署新代码版本的方法,其中新代码版本仅在一小部分用户中运行,以测试其稳定性和性能。基于权重的灰度发布是Canary发布的一种变体,其中不同用户组被分配不同的权重,以控制他们接收新代码版本的比例。例如,较新和更有经验的用户可以分配较高的权重,以测试新功能和修复问题,而较少用到的或新购买的用户可以分配较低的权重,以减少潜在的影响。灰度发布的目的是最大限度地减少对生产环境的影响,同时仍然有助于确认发布的正确性。

复制代码
vim ingress5.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    #nginx.ingress.kubernetes.io/canary-by-header: stage
    #nginx.ingress.kubernetes.io/canary-by-header-value: gray
    nginx.ingress.kubernetes.io/canary-weight: "50"
    nginx.ingress.kubernetes.io/canary-weight-total: "100"

  name: myapp-v2-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: myapp.westos.org
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: myapp-v2
            port:
              number: 80

kubectl apply -f ingress5.yml
kubectl describe ingress myapp-v2-ingress

测试:

复制代码
vim ingress.sh
#!/bin/bash

v1=0
v2=0

for (( i=0; i<100; i++))
do
    response=`curl -s myapp.westos.org |grep -c v1`

    v1=`expr $v1 + $response`
    v2=`expr $v2 + 1 - $response`

done

echo "v1:$v1, v2:$v2"

sh ingress.sh

3.业务域拆分

复制代码
vim ingress6.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
  name: rewrite-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: myapp.westos.org
    http:
      paths:
      - path: /user/(.*)
        pathType: Prefix
        backend:
          service:
            name: myapp-v1
            port:
              number: 80
      - path: /order/(.*)
        pathType: Prefix
        backend:
          service:
            name: myapp-v2
            port:
              number: 80

kubectl apply -f ingress6.yml
复制代码
kubectl describe ingress rewrite-ingress

测试:


回收资源哦

相关推荐
人生偌只如初见1 小时前
Kubernetes学习笔记-配置Service对接第三方访问
kubernetes·k8s
liang89992 小时前
Docker(二):docker常用命令
spring cloud·docker·容器
PWRJOY3 小时前
在 Ubuntu 24.04 系统上安装和管理 Nginx
linux·nginx·ubuntu
启明真纳4 小时前
统信操作系统使用默认yum源安装 Docker 的踩坑
运维·docker·容器
云攀登者-望正茂4 小时前
Golang 遇见 Kubernetes:云原生开发的完美结合
云原生·golang·kubernetes
weisian1515 小时前
云原生--核心组件-容器篇-1-Docker和云原生关系(Docker是云原生的基石)
docker·云原生·容器
David爱编程5 小时前
Service 与 Headless Service 全面对比与实战指南
docker·容器·kubernetes
dessler6 小时前
Kubernetes(k8s)-集群监控(Prometheus)
linux·运维·kubernetes
PyFans6 小时前
求助:为什么k8s调度器对PV的节点亲和性检查会失效呢?
kubernetes
DavidSoCool8 小时前
k8s生成StarRocks集群模版
云原生·容器·kubernetes