一、Ingress
service模式:
loadbalance
NodePort:每个节点都会有一个指定的端口 30000-32767 内网
clusterip:默认模式,只能pod内部访问
externalName:需要dns提供域名
1.1、对外提供服务的ingress
service:网关的概念-----标签来匹配pod,还能通过endpoint更新pod的变化,集群内部的ip地址。也可以实现负载均衡,四层代理。
service暴露的端口只能用于内网访问,局域网。
loadbalance-------公有云--------提供负载均衡的ip-------公网地址。
Ingress
Ingress:在k8s当中,Ingress是一个独立的组件(deployment ns svc)独立的配置,只能通过yaml文件配置。不能命令行。
定义请求如何转发到service的规则。
ingress通过http或者https暴露内部的service,给service提供外部的url,负载均衡 SSL/TLS。基于域名的反向代理。
ingess通过ingress-controller来实现上述的功能。
ingress-controller不是k8s自带的组件,这是插件的统称。
k8s维护的插件类型
- glogle云的GCE
- Ingress-nginx-------最常用的模式
- traefik--------------带可视化界面---ui界面---并发量只有ingress-nginx的流程。
流量转发示意图:
1.2、ingress-nginx暴露服务的方式:
- 1、deployment+loadbalance------->service
- 需要公有云提供负载均衡的ip地址---------公网地址。
- 2、DaemonSet+HostNetwork + NodeSelector
- ingress-controller会在每个节点部署一个pod,ingress-controller直接使用每个节点的80和443端口,直接实现流量的转发和访问。
NodeSelector用来选择设备优良,或者选择端口没被占用的节点。
DaemonSet+HostNetwork + NodeSelector模式:
- 优点:
使用宿主机端口,适合大并发的生产环境,性能是最好的 - 缺点:
- 和宿主机公用端口,一个node节点只能部署一个ingress-controller的pod
3、Deployment+nodePort模式:
nodePort--------->30000-------80---80
ingress根据副本数和调度在节点上部署多个pod。在根据nodePort在每个节点打开一个指定的端口 30000-32767
客户端--------->www.xy102.com------------->service-------------->nodeport---------->clusterip-------容器端口
1、这种模式优点:不占用宿主机的端口,配置简单使用于内部并发不大的访问。
2、缺点,性能差,多了一个nodeport还涉及nodeport的转发,实际上通过nat模式做地址转换,性能上有影响。
3、DaemonSet+HostNetwork + NodeSelector模式
-----------------同步操作--------------------------
[root@master01 opt]# tar -xf ingree.contro-0.30.0.tar.gz
[root@master01 opt]# docker load -i ingree.contro-0.30.0.tar
[root@master01 opt]# mkdir ingress
[root@master01 opt]# cd ingress/
[root@master01 ingress]# wget https://gitee.com/mirrors/ingress-nginx/raw/0.30.0/deploy/static/mandatory.yaml
-------------------结束同步---------------------
[root@master01 ingress]# vim mandatory.yaml
apiVersion: apps/v1
191 #kind: Deployment
192 kind: DaemonSet
metadata:
name: nginx-ingress-controller
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
200 # replicas: 1
219 hostNetwork: true
[root@master01 ingress]# kubectl apply -f mandatory.yaml
[root@master01 ingress]# kubectl get pod -o wide -n ingress-nginx
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-ingress-controller-27lvf 1/1 Running 0 23s 192.168.168.81 master01 <none> <none>
nginx-ingress-controller-29ckx 1/1 Running 0 23s 192.168.168.83 node02 <none> <none>
nginx-ingress-controller-kn8ww 1/1 Running 0 23s 192.168.168.82 node01 <none> <none>
---------------开启同步-------------------------
打开同步查看80+443端口
[root@master01 ingress]# netstat -antp | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 22509/nginx: master
tcp 0 0 0.0.0.0:8181 0.0.0.0:* LISTEN 22509/nginx: master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 22509/nginx: master
[root@node01 ingress]# netstat -antp | grep nginx
[root@node02 ingress]# netstat -antp | grep nginx
8181 端口是nginx-controller的默认配置,当ingress没有资源可以匹配时,会自动转发到这个端口。
---------------------查看节点端口开放----------------
[root@master01 ingress]# kubectl explain ingress
KIND: Ingress
VERSION: networking.k8s.io/v1
[root@master01 ingress]# vim ingress-nginx1.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nfs-pvc
spec:
accessModes:
- ReadWriteMany
storageClassName: nfs-client-storageclass
resources:
requests:
storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-app
labels:
app: nginx
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.22
ports:
- containerPort: 80
volumeMounts:
- name: nfs-pvc
mountPath: /usr/share/nginx/html
volumes:
- name: nfs-pvc
persistentVolumeClaim:
claimName: nfs-pvc
---
apiVersion: v1
kind: Service
metadata:
name: nginx-daemon-svc
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 80
targetPort: 80
selector:
app: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-daemon-ingress
spec:
rules:
- host: www.xy102.com
http:
paths:
- path: /
pathType: Prefix
#前缀匹配,匹配/ /test1 /test1/test2
backend:
#匹配的svc的名称----pod
service:
name: nginx-daemon-svc
port:
number: 80
[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml
[root@k8s5 k8s]# ll
总用量 0
drwxrwxrwx. 2 root root 6 9月 10 10:34 default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9
drwxrwxrwx. 2 root root 62 9月 8 16:55 default-redis-data-redis-master-0-pvc-4c38e65b-5e5d-45c5-a58d-6d7c0bd69b39
drwxrwxrwx. 2 root root 62 9月 8 16:55 default-redis-data-redis-replica-0-pvc-eabc2e78-7b0c-4c72-ac16-bf44eca0d524
drwxrwxrwx. 2 root root 62 9月 8 16:43 default-redis-data-redis-replica-1-pvc-d5b0e813-8bed-4b00-8df6-69ad648ecc2c
[root@k8s5 k8s]# rm -rf default-redis-data-redis-*
[root@k8s5 k8s]# ll
总用量 0
drwxrwxrwx. 2 root root 6 9月 10 10:34 default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9
[root@k8s5 k8s]# cd default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9/
[root@k8s5 default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9]# ls
[root@k8s5 default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9]# echo 123 > index.html
[root@master01 ingress]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.168.81 master01 www.xy102.com
192.168.168.82 node01
192.168.168.83 node02
192.168.168.84 hub.test.com
192.168.168.85 k8s5
[root@master01 ingress]# curl www.xy102.com
123
[root@node01 ingress]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.168.81 master01 www.xy102.com
[root@node01 ingress]# curl www.xy102.com
123
[root@node02 ingress]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.168.81 master01 www.xy102.com
[root@node02 ingress]# curl www.xy102.com
123
[root@k8s5 default-nfs-pvc-pvc-51fc1314-0c17-4f04-b539-d2508ac35ca3]# mkdir test1
[root@k8s5 default-nfs-pvc-pvc-51fc1314-0c17-4f04-b539-d2508ac35ca3]# ll
总用量 4
-rw-r--r--. 1 root root 4 9月 10 11:51 index.html
drwxr-xr-x. 2 root root 6 9月 10 12:32 test1
[root@k8s5 default-nfs-pvc-pvc-51fc1314-0c17-4f04-b539-d2508ac35ca3]# cd test1/
[root@k8s5 test1]# echo 456 > index.html
[root@k8s5 test1]#
[root@master01 ingress]# curl www.xy102.com/test1
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>
[root@master01 ingress]# curl -L www.xy102.com/test1
456
[root@k8s5 test1]# pwd
/opt/k8s/default-nfs-pvc-pvc-51fc1314-0c17-4f04-b539-d2508ac35ca3/test1
[root@k8s5 test1]# ll
总用量 4
-rw-r--r--. 1 root root 4 9月 10 12:32 index.html
[root@k8s5 test1]# mkdir test2
[root@k8s5 test1]# cd test2/
[root@k8s5 test2]# echo 789 > index.html
[root@master01 ingress]# curl -L www.xy102.com/test1/test2
789
-----------------------------------------------------------------------------------------
------------------------DaemonSet+HostNetwork+NodeSelector模式----------------------------
##节点选择NodeSelector模式
[root@master01 ingress]# vim mandatory.yaml
190 apiVersion: apps/v1
191 #kind: Deployment
192 kind: DaemonSet
193 metadata:
194 name: nginx-ingress-controller
195 namespace: ingress-nginx
196 labels:
197 app.kubernetes.io/name: ingress-nginx
198 app.kubernetes.io/part-of: ingress-nginx
199 spec:
200 # replicas: 1
201 selector:
202 matchLabels:
203 app.kubernetes.io/name: ingress-nginx
204 app.kubernetes.io/part-of: ingress-nginx
205 template:
206 metadata:
207 labels:
208 app.kubernetes.io/name: ingress-nginx
209 app.kubernetes.io/part-of: ingress-nginx
210 annotations:
211 prometheus.io/port: "10254"
212 prometheus.io/scrape: "true"
213 spec:
214 # wait up to five minutes for the drain of connections
215 terminationGracePeriodSeconds: 300
216 serviceAccountName: nginx-ingress-serviceaccount
217 nodeSelector:
218 kubernetes.io/os: linux
219 hostNetwork: true
220 nodeSelector:
221 ingress: "true"
[root@master01 ingress]# kubectl get nodes --show-labels
NAME STATUS ROLES AGE VERSION LABELS
master01 Ready control-plane,master 14d v1.20.15 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=master01,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node-role.kubernetes.io/master=
node01 Ready <none> 14d v1.20.15 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node01,kubernetes.io/os=linux,memory=1000,test1=a,test3=b
node02 Ready <none> 14d v1.20.15 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node02,kubernetes.io/os=linux,test2=b,xy102=98
打上ingress=true标签
[root@master01 ingress]# kubectl label nodes node01 ingress=true
node/node01 labeled
[root@master01 ingress]# kubectl get nodes --show-labels
NAME STATUS ROLES AGE VERSION LABELS
master01 Ready control-plane,master 14d v1.20.15 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=master01,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node-role.kubernetes.io/master=
node01 Ready <none> 14d v1.20.15 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,ingress=true,kubernetes.io/arch=amd64,kubernetes.io/hostname=node01,kubernetes.io/os=linux,memory=1000,test1=a,test3=b
node02 Ready <none> 14d v1.20.15 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node02,kubernetes.io/os=linux,test2=b,xy102=98
[root@master01 ingress]# kubectl apply -f mandatory.yaml
[root@master01 ingress]# kubectl get pod -o wide -n ingress-nginx
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-ingress-controller-p52jc 1/1 Running 0 11s 192.168.168.82 node01 <none> <none>
[root@node01 ingress]# curl www.xy102.com
curl: (7) Failed connect to www.xy102.com:80; 拒绝连接
[root@node01 ingress]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.168.82 node01 www.xy102.com
[root@node01 ingress]# curl www.xy102.com
123
[root@node01 ingress]# curl -L www.xy102.com/test1/test2
789
[root@node01 ingress]# curl -L www.xy102.com/test1
4564、基于deployment+nodeport
[root@master01 ingress]# kubectl delete -f mandatory.yaml
[root@master01 ingress]# vim mandatory.yaml
190 apiVersion: apps/v1
191 kind: Deployment
192 #kind: DaemonSet
193 metadata:
194 name: nginx-ingress-controller
195 namespace: ingress-nginx
196 labels:
197 app.kubernetes.io/name: ingress-nginx
198 app.kubernetes.io/part-of: ingress-nginx
199 spec:
200 replicas: 1
201 selector:
202 matchLabels:
203 app.kubernetes.io/name: ingress-nginx
204 app.kubernetes.io/part-of: ingress-nginx
205 template:
206 metadata:
207 labels:
208 app.kubernetes.io/name: ingress-nginx
209 app.kubernetes.io/part-of: ingress-nginx
210 annotations:
211 prometheus.io/port: "10254"
212 prometheus.io/scrape: "true"
213 spec:
214 # wait up to five minutes for the drain of connections
215 terminationGracePeriodSeconds: 300
216 serviceAccountName: nginx-ingress-serviceaccount
217 nodeSelector:
218 kubernetes.io/os: linux
219 # hostNetwork: true
220 # nodeSelector:
221 # ingress: "true"
wget https://gitee.com/mirrors/ingress-nginx/raw/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml
[root@master01 ingress]# kubectl apply -f mandatory.yaml
[root@master01 ingress]# kubectl get pod -o wide -n ingress-nginx
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-ingress-controller-54b86f8f7b-4qszc 1/1 Running 0 2m15s 10.244.2.239 node02 <none> <none>
[root@master01 ingress]# kubectl get svc -o wide -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
ingress-nginx NodePort 10.96.183.19 <none> 80:31185/TCP,443:32676/TCP 19s app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
[root@master01 ingress]# netstat -antp | grep 31185
tcp 0 0 0.0.0.0:31185 0.0.0.0:* LISTEN 28697/kube-proxy
[root@node01 ingress]# netstat -antp | grep 31185
tcp 0 0 0.0.0.0:31185 0.0.0.0:* LISTEN 20187/kube-proxy
[root@node02 ingress]# netstat -antp | grep 31185
tcp 0 0 0.0.0.0:31185 0.0.0.0:* LISTEN 44530/kube-proxy
[root@master01 ingress]# vim ingress-nginx1.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nfs-pvc
spec:
accessModes:
- ReadWriteMany
storageClassName: nfs-client-storageclass
resources:
requests:
storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-app
labels:
app: nginx
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.22
ports:
- containerPort: 80
volumeMounts:
- name: nfs-pvc
mountPath: /usr/share/nginx/html
volumes:
- name: nfs-pvc
persistentVolumeClaim:
claimName: nfs-pvc
---
apiVersion: v1
kind: Service
metadata:
name: nginx-deployment-svc
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 80
targetPort: 80
selector:
app: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-deployment-ingress
spec:
rules:
- host: www.xy102.com
http:
paths:
- path: /
pathType: Prefix
#前缀匹配,匹配/ /test1 /test1/test2
backend:
#匹配的svc的名称----pod
service:
name: nginx-deployment-svc
port:
number: 80
[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml
[root@master01 ingress]# curl www.xy102.com:31185
123
5、https
[root@master01 ingress]# mkdir https
[root@master01 ingress]# cd https/
[root@master01 https]# ls
[root@master01 https]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=CHINA/O=NJ"
Generating a 2048 bit RSA private key
.............................+++
...+++
writing new private key to 'tls.key'
-----
##解释
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=CHINA/O=NJ"
req:表示指定证书请求和生成相关文件
-x509:生成自签名的x.509证书
-sha256:sha-256的散列算法
-nodes:生成的私钥不加密
-days 365: 证书的有效期为365天
-newkey rsa:2048::表示使用RSA的密钥队,长度2048个单位
-keyout tls.key -out tls.cr:生成两个文件
-keyout 私钥保存到tls.key文件
-out 保存证书到tls.crt
-subj 添加证书的主题
[root@master01 https]# kubectl create secret tls tls.secret --key tls.key --cert tls.crt
[root@master01 https]# kubectl create secret tls(指定type) tls.secret --key(指定密钥) tls.key --cert(指定证书) tls.crt
[root@master01 ingress]# vim ingress-nginx1.yaml
55 apiVersion: networking.k8s.io/v1
56 kind: Ingress
57 metadata:
58 name: nginx-deployment-ingress
59 spec:
60 tls:
61 - hosts:
62 - www.xy102.com
63 secretName: tls.secret
64 #指定加密通信的域名,上下文一直,指定secret加密的名称,获取私钥和证书
[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml
[root@master01 ingress]# curl -k https://www.xy102.com:32676
123
作业:
#daemonset+hostnetwork实现https访问。
[root@master01 ingress]# vim mandatory.yaml
190 apiVersion: apps/v1
191 #kind: Deployment
192 kind: DaemonSet
193 metadata:
194 name: nginx-ingress-controller
195 namespace: ingress-nginx
196 labels:
197 app.kubernetes.io/name: ingress-nginx
198 app.kubernetes.io/part-of: ingress-nginx
199 spec:
200 # replicas: 1
201 selector:
202 matchLabels:
203 app.kubernetes.io/name: ingress-nginx
204 app.kubernetes.io/part-of: ingress-nginx
205 template:
206 metadata:
207 labels:
208 app.kubernetes.io/name: ingress-nginx
209 app.kubernetes.io/part-of: ingress-nginx
210 annotations:
211 prometheus.io/port: "10254"
212 prometheus.io/scrape: "true"
213 spec:
214 # wait up to five minutes for the drain of connections
215 terminationGracePeriodSeconds: 300
216 serviceAccountName: nginx-ingress-serviceaccount
217 nodeSelector:
218 kubernetes.io/os: linux
219 hostNetwork: true
220 # nodeSelector:
221 # ingress: "true"
222 containers:
[root@master01 ingress]# kubectl apply -f mandatory.yaml
[root@master01 ingress]# vim ingress-nginx1.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nfs-pvc
spec:
accessModes:
- ReadWriteMany
storageClassName: nfs-client-storageclass
resources:
requests:
storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-app
labels:
app: nginx
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.22
ports:
- containerPort: 80
volumeMounts:
- name: nfs-pvc
mountPath: /usr/share/nginx/html
volumes:
- name: nfs-pvc
persistentVolumeClaim:
claimName: nfs-pvc
---
apiVersion: v1
kind: Service
metadata:
name: nginx-daemon-svc
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 80
targetPort: 80
selector:
app: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-daemon-ingress
spec:
tls:
- hosts:
- www.xy102.com
secretName: tls.secret
#指定加密通信的域名,上下文一直,指定secret加密的名称,获取私钥和证书
rules:
- host: www.xy102.com
http:
paths:
- path: /
pathType: Prefix
#前缀匹配,匹配/ /test1 /test1/test2
backend:
#匹配的svc的名称----pod
service:
name: nginx-daemon-svc
port:
number: 80
[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml
persistentvolumeclaim/nfs-pvc created
deployment.apps/nginx-app created
service/nginx-daemon-svc unchanged
ingress.networking.k8s.io/nginx-daemon-ingress configured
[root@master01 ingress]# kubectl get pod -o wide -n ingress-nginx
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-ingress-controller-44ktd 1/1 Running 0 7m52s 192.168.168.83 node02 <none> <none>
nginx-ingress-controller-ksjkr 1/1 Running 0 7m52s 192.168.168.81 master01 <none> <none>
nginx-ingress-controller-z4lrr 1/1 Running 0 7m52s 192.168.168.82 node01 <none> <none>
##之前https已经创建
-----------------------------------------------------------------------------------------------------------------------------------
[root@master01 ingress]# mkdir https
[root@master01 ingress]# cd https/
[root@master01 https]# ls
[root@master01 https]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=CHINA/O=NJ"
Generating a 2048 bit RSA private key
.............................+++
...+++
writing new private key to 'tls.key'
-----
##解释
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=CHINA/O=NJ"
req:表示指定证书请求和生成相关文件
-x509:生成自签名的x.509证书
-sha256:sha-256的散列算法
-nodes:生成的私钥不加密
-days 365: 证书的有效期为365天
-newkey rsa:2048::表示使用RSA的密钥队,长度2048个单位
-keyout tls.key -out tls.cr:生成两个文件
-keyout 私钥保存到tls.key文件
-out 保存证书到tls.crt
-subj 添加证书的主题
[root@master01 https]# kubectl create secret tls tls.secret --key tls.key --cert tls.crt
[root@master01 https]# kubectl create secret tls(指定type) tls.secret --key(指定密钥) tls.key --cert(指定证书) tls.crt
[root@master01 ingress]# vim ingress-nginx1.yaml
55 apiVersion: networking.k8s.io/v1
56 kind: Ingress
57 metadata:
58 name: nginx-deployment-ingress
59 spec:
60 tls:
61 - hosts:
62 - www.xy102.com
63 secretName: tls.secret
64 #指定加密通信的域名,上下文一直,指定secret加密的名称,获取私钥和证书
[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml
[root@master01 ingress]# curl -k https://www.xy102.com:32676
123
----------------------------------------------------------------------------------------------------------------------------------
[root@master01 ingress]# curl www.xy102.com
<html>
<head><title>308 Permanent Redirect</title></head>
<body>
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx/1.17.8</center>
</body>
</html>
[root@k8s5 k8s]# cd default-nfs-pvc-pvc-6a14c29f-4ba6-48e2-9f22-bc3dee4b2feb/
[root@k8s5 default-nfs-pvc-pvc-6a14c29f-4ba6-48e2-9f22-bc3dee4b2feb]# ll
总用量 0
[root@k8s5 default-nfs-pvc-pvc-6a14c29f-4ba6-48e2-9f22-bc3dee4b2feb]# echo 123 > index.html
[root@master01 ingress]# curl -Lk https://www.xy102.com
123
[root@k8s5 default-nfs-pvc-pvc-6a14c29f-4ba6-48e2-9f22-bc3dee4b2feb]# mkdir test1
[root@k8s5 default-nfs-pvc-pvc-6a14c29f-4ba6-48e2-9f22-bc3dee4b2feb]# cd test1/
[root@k8s5 test1]# echo 456 > index.html
[root@master01 ingress]# curl -Lk https://www.xy102.com/test1
456
[root@master01 ingress]# curl -Lk https://www.xy102.com/test1/test2
789