91、K8s之ingress上集

一、Ingress

service模式:

loadbalance

NodePort:每个节点都会有一个指定的端口 30000-32767 内网

clusterip:默认模式,只能pod内部访问

externalName:需要dns提供域名

1.1、对外提供服务的ingress

service:网关的概念-----标签来匹配pod,还能通过endpoint更新pod的变化,集群内部的ip地址。也可以实现负载均衡,四层代理。

service暴露的端口只能用于内网访问,局域网。

loadbalance-------公有云--------提供负载均衡的ip-------公网地址。

Ingress

Ingress:在k8s当中,Ingress是一个独立的组件(deployment ns svc)独立的配置,只能通过yaml文件配置。不能命令行。

定义请求如何转发到service的规则。

ingress通过http或者https暴露内部的service,给service提供外部的url,负载均衡 SSL/TLS。基于域名的反向代理。

ingess通过ingress-controller来实现上述的功能。

ingress-controller不是k8s自带的组件,这是插件的统称。

k8s维护的插件类型

  • glogle云的GCE
  • Ingress-nginx-------最常用的模式
  • traefik--------------带可视化界面---ui界面---并发量只有ingress-nginx的流程。
流量转发示意图:

1.2、ingress-nginx暴露服务的方式:

  • 1、deployment+loadbalance------->service
  • 需要公有云提供负载均衡的ip地址---------公网地址。
  • 2、DaemonSet+HostNetwork + NodeSelector
  • ingress-controller会在每个节点部署一个pod,ingress-controller直接使用每个节点的80和443端口,直接实现流量的转发和访问。

NodeSelector用来选择设备优良,或者选择端口没被占用的节点。

DaemonSet+HostNetwork + NodeSelector模式:
  • 优点:
    使用宿主机端口,适合大并发的生产环境,性能是最好的
  • 缺点:
  • 和宿主机公用端口,一个node节点只能部署一个ingress-controller的pod

3、Deployment+nodePort模式:

nodePort--------->30000-------80---80

ingress根据副本数和调度在节点上部署多个pod。在根据nodePort在每个节点打开一个指定的端口 30000-32767

客户端--------->www.xy102.com------------->service-------------->nodeport---------->clusterip-------容器端口

1、这种模式优点:不占用宿主机的端口,配置简单使用于内部并发不大的访问。

2、缺点,性能差,多了一个nodeport还涉及nodeport的转发,实际上通过nat模式做地址转换,性能上有影响。

3、DaemonSet+HostNetwork + NodeSelector模式

复制代码
-----------------同步操作--------------------------
[root@master01 opt]# tar -xf ingree.contro-0.30.0.tar.gz 

[root@master01 opt]# docker load -i ingree.contro-0.30.0.tar


[root@master01 opt]# mkdir ingress
[root@master01 opt]# cd ingress/
[root@master01 ingress]# wget https://gitee.com/mirrors/ingress-nginx/raw/0.30.0/deploy/static/mandatory.yaml
-------------------结束同步---------------------

[root@master01 ingress]# vim mandatory.yaml 

apiVersion: apps/v1
191 #kind: Deployment
192 kind: DaemonSet
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
200 #  replicas: 1

219       hostNetwork: true


[root@master01 ingress]# kubectl apply -f mandatory.yaml 

[root@master01 ingress]# kubectl get pod -o wide -n ingress-nginx 
NAME                             READY   STATUS    RESTARTS   AGE   IP               NODE       NOMINATED NODE   READINESS GATES
nginx-ingress-controller-27lvf   1/1     Running   0          23s   192.168.168.81   master01   <none>           <none>
nginx-ingress-controller-29ckx   1/1     Running   0          23s   192.168.168.83   node02     <none>           <none>
nginx-ingress-controller-kn8ww   1/1     Running   0          23s   192.168.168.82   node01     <none>           <none>
---------------开启同步-------------------------
打开同步查看80+443端口
[root@master01 ingress]# netstat -antp | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      22509/nginx: master 
tcp        0      0 0.0.0.0:8181            0.0.0.0:*               LISTEN      22509/nginx: master 
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      22509/nginx: master 
[root@node01 ingress]# netstat -antp | grep nginx

[root@node02 ingress]# netstat -antp | grep nginx

8181 端口是nginx-controller的默认配置,当ingress没有资源可以匹配时,会自动转发到这个端口。
---------------------查看节点端口开放----------------

[root@master01 ingress]# kubectl explain ingress
KIND:     Ingress
VERSION:  networking.k8s.io/v1



[root@master01 ingress]# vim ingress-nginx1.yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-pvc
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: nfs-client-storageclass
  resources:
    requests:
      storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-app
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.22
          ports:
            - containerPort: 80
          volumeMounts:
          - name: nfs-pvc
            mountPath: /usr/share/nginx/html
      volumes:
      - name: nfs-pvc
        persistentVolumeClaim:
          claimName: nfs-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-daemon-svc
spec:
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  selector:
    app: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-daemon-ingress
spec:
  rules:
  - host: www.xy102.com
    http:
      paths:
      - path: /
        pathType: Prefix
#前缀匹配,匹配/ /test1 /test1/test2
        backend:
#匹配的svc的名称----pod
          service:
            name: nginx-daemon-svc
            port:
              number: 80



[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml 


[root@k8s5 k8s]# ll
总用量 0
drwxrwxrwx. 2 root root  6 9月  10 10:34 default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9
drwxrwxrwx. 2 root root 62 9月   8 16:55 default-redis-data-redis-master-0-pvc-4c38e65b-5e5d-45c5-a58d-6d7c0bd69b39
drwxrwxrwx. 2 root root 62 9月   8 16:55 default-redis-data-redis-replica-0-pvc-eabc2e78-7b0c-4c72-ac16-bf44eca0d524
drwxrwxrwx. 2 root root 62 9月   8 16:43 default-redis-data-redis-replica-1-pvc-d5b0e813-8bed-4b00-8df6-69ad648ecc2c
[root@k8s5 k8s]# rm -rf default-redis-data-redis-*
[root@k8s5 k8s]# ll
总用量 0
drwxrwxrwx. 2 root root 6 9月  10 10:34 default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9
[root@k8s5 k8s]# cd default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9/
[root@k8s5 default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9]# ls
[root@k8s5 default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9]# echo 123 > index.html

[root@master01 ingress]# vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.168.81 master01 www.xy102.com
192.168.168.82 node01
192.168.168.83 node02
192.168.168.84 hub.test.com
192.168.168.85 k8s5

[root@master01 ingress]# curl www.xy102.com
123



[root@node01 ingress]# vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.168.81 master01 www.xy102.com

[root@node01 ingress]# curl www.xy102.com
123

[root@node02 ingress]# vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.168.81 master01 www.xy102.com

[root@node02 ingress]# curl www.xy102.com
123


[root@k8s5 default-nfs-pvc-pvc-51fc1314-0c17-4f04-b539-d2508ac35ca3]# mkdir test1
[root@k8s5 default-nfs-pvc-pvc-51fc1314-0c17-4f04-b539-d2508ac35ca3]# ll
总用量 4
-rw-r--r--. 1 root root 4 9月  10 11:51 index.html
drwxr-xr-x. 2 root root 6 9月  10 12:32 test1
[root@k8s5 default-nfs-pvc-pvc-51fc1314-0c17-4f04-b539-d2508ac35ca3]# cd test1/
[root@k8s5 test1]# echo 456 > index.html
[root@k8s5 test1]# 

[root@master01 ingress]# curl www.xy102.com/test1
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>
[root@master01 ingress]# curl -L www.xy102.com/test1
456



[root@k8s5 test1]# pwd
/opt/k8s/default-nfs-pvc-pvc-51fc1314-0c17-4f04-b539-d2508ac35ca3/test1
[root@k8s5 test1]# ll
总用量 4
-rw-r--r--. 1 root root 4 9月  10 12:32 index.html
[root@k8s5 test1]# mkdir test2
[root@k8s5 test1]# cd test2/
[root@k8s5 test2]# echo 789 > index.html


[root@master01 ingress]# curl -L www.xy102.com/test1/test2
789
-----------------------------------------------------------------------------------------

------------------------DaemonSet+HostNetwork+NodeSelector模式----------------------------
##节点选择NodeSelector模式
[root@master01 ingress]# vim mandatory.yaml 


190 apiVersion: apps/v1
191 #kind: Deployment
192 kind: DaemonSet
193 metadata:
194   name: nginx-ingress-controller
195   namespace: ingress-nginx
196   labels:
197     app.kubernetes.io/name: ingress-nginx
198     app.kubernetes.io/part-of: ingress-nginx
199 spec:
200 #  replicas: 1
201   selector:
202     matchLabels:
203       app.kubernetes.io/name: ingress-nginx
204       app.kubernetes.io/part-of: ingress-nginx
205   template:
206     metadata:
207       labels:
208         app.kubernetes.io/name: ingress-nginx
209         app.kubernetes.io/part-of: ingress-nginx
210       annotations:
211         prometheus.io/port: "10254"
212         prometheus.io/scrape: "true"
213     spec:
214       # wait up to five minutes for the drain of connections
215       terminationGracePeriodSeconds: 300
216       serviceAccountName: nginx-ingress-serviceaccount
217       nodeSelector:
218         kubernetes.io/os: linux
219       hostNetwork: true
220       nodeSelector:
221         ingress: "true"

[root@master01 ingress]# kubectl get nodes --show-labels 
NAME       STATUS   ROLES                  AGE   VERSION    LABELS
master01   Ready    control-plane,master   14d   v1.20.15   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=master01,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node-role.kubernetes.io/master=
node01     Ready    <none>                 14d   v1.20.15   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node01,kubernetes.io/os=linux,memory=1000,test1=a,test3=b
node02     Ready    <none>                 14d   v1.20.15   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node02,kubernetes.io/os=linux,test2=b,xy102=98


打上ingress=true标签
[root@master01 ingress]# kubectl label nodes node01 ingress=true
node/node01 labeled
[root@master01 ingress]# kubectl get nodes --show-labels 
NAME       STATUS   ROLES                  AGE   VERSION    LABELS
master01   Ready    control-plane,master   14d   v1.20.15   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=master01,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node-role.kubernetes.io/master=
node01     Ready    <none>                 14d   v1.20.15   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,ingress=true,kubernetes.io/arch=amd64,kubernetes.io/hostname=node01,kubernetes.io/os=linux,memory=1000,test1=a,test3=b
node02     Ready    <none>                 14d   v1.20.15   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node02,kubernetes.io/os=linux,test2=b,xy102=98


[root@master01 ingress]# kubectl apply -f mandatory.yaml 

[root@master01 ingress]# kubectl get pod -o wide -n ingress-nginx
NAME                             READY   STATUS    RESTARTS   AGE   IP               NODE     NOMINATED NODE   READINESS GATES
nginx-ingress-controller-p52jc   1/1     Running   0          11s   192.168.168.82   node01   <none>           <none>


[root@node01 ingress]# curl www.xy102.com
curl: (7) Failed connect to www.xy102.com:80; 拒绝连接
[root@node01 ingress]# vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.168.82 node01 www.xy102.com



[root@node01 ingress]# curl www.xy102.com
123
[root@node01 ingress]# curl -L www.xy102.com/test1/test2
789
[root@node01 ingress]# curl -L www.xy102.com/test1
456

4、基于deployment+nodeport

复制代码
[root@master01 ingress]# kubectl delete -f mandatory.yaml 

[root@master01 ingress]# vim mandatory.yaml

190 apiVersion: apps/v1
191 kind: Deployment
192 #kind: DaemonSet
193 metadata:
194   name: nginx-ingress-controller
195   namespace: ingress-nginx
196   labels:
197     app.kubernetes.io/name: ingress-nginx
198     app.kubernetes.io/part-of: ingress-nginx
199 spec:
200   replicas: 1
201   selector:
202     matchLabels:
203       app.kubernetes.io/name: ingress-nginx
204       app.kubernetes.io/part-of: ingress-nginx
205   template:
206     metadata:
207       labels:
208         app.kubernetes.io/name: ingress-nginx
209         app.kubernetes.io/part-of: ingress-nginx
210       annotations:
211         prometheus.io/port: "10254"
212         prometheus.io/scrape: "true"
213     spec:
214       # wait up to five minutes for the drain of connections
215       terminationGracePeriodSeconds: 300
216       serviceAccountName: nginx-ingress-serviceaccount
217       nodeSelector:
218         kubernetes.io/os: linux
219 #      hostNetwork: true
220 #      nodeSelector:
221 #        ingress: "true"


wget https://gitee.com/mirrors/ingress-nginx/raw/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml

[root@master01 ingress]# kubectl apply -f mandatory.yaml 

[root@master01 ingress]# kubectl get pod -o wide -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE     IP             NODE     NOMINATED NODE   READINESS GATES
nginx-ingress-controller-54b86f8f7b-4qszc   1/1     Running   0          2m15s   10.244.2.239   node02   <none>           <none>


[root@master01 ingress]# kubectl get svc -o wide -n ingress-nginx
NAME            TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE   SELECTOR
ingress-nginx   NodePort   10.96.183.19   <none>        80:31185/TCP,443:32676/TCP   19s   app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx

[root@master01 ingress]# netstat -antp | grep 31185
tcp        0      0 0.0.0.0:31185           0.0.0.0:*               LISTEN      28697/kube-proxy 

[root@node01 ingress]# netstat -antp | grep 31185
tcp        0      0 0.0.0.0:31185           0.0.0.0:*               LISTEN      20187/kube-proxy  

[root@node02 ingress]# netstat -antp | grep 31185
tcp        0      0 0.0.0.0:31185           0.0.0.0:*               LISTEN      44530/kube-proxy  


[root@master01 ingress]# vim ingress-nginx1.yaml 

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-pvc
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: nfs-client-storageclass
  resources:
    requests:
      storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-app
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.22
          ports:
            - containerPort: 80
          volumeMounts:
          - name: nfs-pvc
            mountPath: /usr/share/nginx/html
      volumes:
      - name: nfs-pvc
        persistentVolumeClaim:
          claimName: nfs-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-deployment-svc
spec:
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  selector:
    app: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-deployment-ingress
spec:
  rules:
  - host: www.xy102.com
    http:
      paths:
      - path: /
        pathType: Prefix
#前缀匹配,匹配/ /test1 /test1/test2
        backend:
#匹配的svc的名称----pod
          service:
            name: nginx-deployment-svc
            port:
              number: 80


[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml 


[root@master01 ingress]# curl www.xy102.com:31185
123

5、https

复制代码
[root@master01 ingress]# mkdir https
[root@master01 ingress]# cd https/
[root@master01 https]# ls
[root@master01 https]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=CHINA/O=NJ" 
Generating a 2048 bit RSA private key
.............................+++
...+++
writing new private key to 'tls.key'
-----
##解释
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=CHINA/O=NJ"


req:表示指定证书请求和生成相关文件
-x509:生成自签名的x.509证书
-sha256:sha-256的散列算法
-nodes:生成的私钥不加密
-days 365: 证书的有效期为365天
-newkey rsa:2048::表示使用RSA的密钥队,长度2048个单位
-keyout tls.key -out tls.cr:生成两个文件
-keyout 私钥保存到tls.key文件
-out 保存证书到tls.crt
-subj 添加证书的主题

[root@master01 https]# kubectl create secret tls tls.secret --key tls.key --cert tls.crt

[root@master01 https]# kubectl create secret tls(指定type) tls.secret --key(指定密钥) tls.key --cert(指定证书) tls.crt 



[root@master01 ingress]# vim ingress-nginx1.yaml


 55 apiVersion: networking.k8s.io/v1
 56 kind: Ingress
 57 metadata:
 58   name: nginx-deployment-ingress
 59 spec:
 60   tls:
 61     - hosts:
 62       - www.xy102.com
 63       secretName: tls.secret
 64 #指定加密通信的域名,上下文一直,指定secret加密的名称,获取私钥和证书

[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml
[root@master01 ingress]# curl -k https://www.xy102.com:32676
123

作业:

#daemonset+hostnetwork实现https访问。

复制代码
[root@master01 ingress]# vim mandatory.yaml 

190 apiVersion: apps/v1
191 #kind: Deployment
192 kind: DaemonSet
193 metadata:
194   name: nginx-ingress-controller
195   namespace: ingress-nginx
196   labels:
197     app.kubernetes.io/name: ingress-nginx
198     app.kubernetes.io/part-of: ingress-nginx
199 spec:
200 #  replicas: 1
201   selector:
202     matchLabels:
203       app.kubernetes.io/name: ingress-nginx
204       app.kubernetes.io/part-of: ingress-nginx
205   template:
206     metadata:
207       labels:
208         app.kubernetes.io/name: ingress-nginx
209         app.kubernetes.io/part-of: ingress-nginx
210       annotations:
211         prometheus.io/port: "10254"
212         prometheus.io/scrape: "true"
213     spec:
214       # wait up to five minutes for the drain of connections
215       terminationGracePeriodSeconds: 300
216       serviceAccountName: nginx-ingress-serviceaccount
217       nodeSelector:
218         kubernetes.io/os: linux
219       hostNetwork: true
220 #      nodeSelector:
221 #        ingress: "true"
222       containers:


[root@master01 ingress]# kubectl apply -f mandatory.yaml 


[root@master01 ingress]# vim ingress-nginx1.yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-pvc
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: nfs-client-storageclass
  resources:
    requests:
      storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-app
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.22
          ports:
            - containerPort: 80
          volumeMounts:
          - name: nfs-pvc
            mountPath: /usr/share/nginx/html
      volumes:
      - name: nfs-pvc
        persistentVolumeClaim:
          claimName: nfs-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-daemon-svc
spec:
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  selector:
    app: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-daemon-ingress
spec:
  tls:
    - hosts:
      - www.xy102.com
      secretName: tls.secret
#指定加密通信的域名,上下文一直,指定secret加密的名称,获取私钥和证书
  rules:
  - host: www.xy102.com
    http:
      paths:
      - path: /
        pathType: Prefix
#前缀匹配,匹配/ /test1 /test1/test2
        backend:
#匹配的svc的名称----pod
          service:
            name: nginx-daemon-svc
            port:
              number: 80

 
 
[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml 
persistentvolumeclaim/nfs-pvc created
deployment.apps/nginx-app created
service/nginx-daemon-svc unchanged
ingress.networking.k8s.io/nginx-daemon-ingress configured
[root@master01 ingress]# kubectl get pod -o wide -n ingress-nginx 
NAME                             READY   STATUS    RESTARTS   AGE     IP               NODE       NOMINATED NODE   READINESS GATES
nginx-ingress-controller-44ktd   1/1     Running   0          7m52s   192.168.168.83   node02     <none>           <none>
nginx-ingress-controller-ksjkr   1/1     Running   0          7m52s   192.168.168.81   master01   <none>           <none>
nginx-ingress-controller-z4lrr   1/1     Running   0          7m52s   192.168.168.82   node01     <none>           <none>


##之前https已经创建
-----------------------------------------------------------------------------------------------------------------------------------
[root@master01 ingress]# mkdir https
[root@master01 ingress]# cd https/
[root@master01 https]# ls
[root@master01 https]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=CHINA/O=NJ" 
Generating a 2048 bit RSA private key
.............................+++
...+++
writing new private key to 'tls.key'
-----
##解释
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=CHINA/O=NJ"


req:表示指定证书请求和生成相关文件
-x509:生成自签名的x.509证书
-sha256:sha-256的散列算法
-nodes:生成的私钥不加密
-days 365: 证书的有效期为365天
-newkey rsa:2048::表示使用RSA的密钥队,长度2048个单位
-keyout tls.key -out tls.cr:生成两个文件
-keyout 私钥保存到tls.key文件
-out 保存证书到tls.crt
-subj 添加证书的主题

[root@master01 https]# kubectl create secret tls tls.secret --key tls.key --cert tls.crt

[root@master01 https]# kubectl create secret tls(指定type) tls.secret --key(指定密钥) tls.key --cert(指定证书) tls.crt 



[root@master01 ingress]# vim ingress-nginx1.yaml


 55 apiVersion: networking.k8s.io/v1
 56 kind: Ingress
 57 metadata:
 58   name: nginx-deployment-ingress
 59 spec:
 60   tls:
 61     - hosts:
 62       - www.xy102.com
 63       secretName: tls.secret
 64 #指定加密通信的域名,上下文一直,指定secret加密的名称,获取私钥和证书

[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml
[root@master01 ingress]# curl -k https://www.xy102.com:32676
123

----------------------------------------------------------------------------------------------------------------------------------

[root@master01 ingress]# curl www.xy102.com
<html>
<head><title>308 Permanent Redirect</title></head>
<body>
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx/1.17.8</center>
</body>
</html>

[root@k8s5 k8s]# cd default-nfs-pvc-pvc-6a14c29f-4ba6-48e2-9f22-bc3dee4b2feb/
[root@k8s5 default-nfs-pvc-pvc-6a14c29f-4ba6-48e2-9f22-bc3dee4b2feb]# ll
总用量 0
[root@k8s5 default-nfs-pvc-pvc-6a14c29f-4ba6-48e2-9f22-bc3dee4b2feb]# echo 123 > index.html
 

[root@master01 ingress]# curl -Lk https://www.xy102.com
123



[root@k8s5 default-nfs-pvc-pvc-6a14c29f-4ba6-48e2-9f22-bc3dee4b2feb]# mkdir test1
[root@k8s5 default-nfs-pvc-pvc-6a14c29f-4ba6-48e2-9f22-bc3dee4b2feb]# cd test1/
[root@k8s5 test1]# echo 456 > index.html

[root@master01 ingress]# curl -Lk https://www.xy102.com/test1
456

[root@master01 ingress]# curl -Lk https://www.xy102.com/test1/test2
789
相关推荐
moppol2 小时前
Serverless 架构入门与实战:AWS Lambda、Azure Functions、Cloudflare Workers 对比
云原生·serverless·aws
IvanCodes2 小时前
一、Docker:一场颠覆应用部署与运维的容器革命
docker·容器
栗子~~3 小时前
Milvus docker-compose 部署
docker·容器·milvus
没有名字的小羊4 小时前
2.安装Docker
运维·docker·容器
xiezhr4 小时前
50 个常用 Docker 命令
运维·docker·容器
退役小学生呀10 天前
三、kubectl使用详解
云原生·容器·kubernetes·k8s
被困者10 天前
Linux部署Sonic前后端(详细版)(腾讯云)
spring cloud·云原生·eureka
程序员小潘10 天前
Kubernetes多容器Pod实战
云原生·容器·kubernetes
进击的码码码码N10 天前
Docker 镜像加速
运维·docker·容器