91、K8s之ingress上集

一、Ingress

service模式:

loadbalance

NodePort:每个节点都会有一个指定的端口 30000-32767 内网

clusterip:默认模式,只能pod内部访问

externalName:需要dns提供域名

1.1、对外提供服务的ingress

service:网关的概念-----标签来匹配pod,还能通过endpoint更新pod的变化,集群内部的ip地址。也可以实现负载均衡,四层代理。

service暴露的端口只能用于内网访问,局域网。

loadbalance-------公有云--------提供负载均衡的ip-------公网地址。

Ingress

Ingress:在k8s当中,Ingress是一个独立的组件(deployment ns svc)独立的配置,只能通过yaml文件配置。不能命令行。

定义请求如何转发到service的规则。

ingress通过http或者https暴露内部的service,给service提供外部的url,负载均衡 SSL/TLS。基于域名的反向代理。

ingess通过ingress-controller来实现上述的功能。

ingress-controller不是k8s自带的组件,这是插件的统称。

k8s维护的插件类型

  • glogle云的GCE
  • Ingress-nginx-------最常用的模式
  • traefik--------------带可视化界面---ui界面---并发量只有ingress-nginx的流程。
流量转发示意图:

1.2、ingress-nginx暴露服务的方式:

  • 1、deployment+loadbalance------->service
  • 需要公有云提供负载均衡的ip地址---------公网地址。
  • 2、DaemonSet+HostNetwork + NodeSelector
  • ingress-controller会在每个节点部署一个pod,ingress-controller直接使用每个节点的80和443端口,直接实现流量的转发和访问。

NodeSelector用来选择设备优良,或者选择端口没被占用的节点。

DaemonSet+HostNetwork + NodeSelector模式:
  • 优点:
    使用宿主机端口,适合大并发的生产环境,性能是最好的
  • 缺点:
  • 和宿主机公用端口,一个node节点只能部署一个ingress-controller的pod

3、Deployment+nodePort模式:

nodePort--------->30000-------80---80

ingress根据副本数和调度在节点上部署多个pod。在根据nodePort在每个节点打开一个指定的端口 30000-32767

客户端--------->www.xy102.com------------->service-------------->nodeport---------->clusterip-------容器端口

1、这种模式优点:不占用宿主机的端口,配置简单使用于内部并发不大的访问。

2、缺点,性能差,多了一个nodeport还涉及nodeport的转发,实际上通过nat模式做地址转换,性能上有影响。

3、DaemonSet+HostNetwork + NodeSelector模式

-----------------同步操作--------------------------
[root@master01 opt]# tar -xf ingree.contro-0.30.0.tar.gz 

[root@master01 opt]# docker load -i ingree.contro-0.30.0.tar


[root@master01 opt]# mkdir ingress
[root@master01 opt]# cd ingress/
[root@master01 ingress]# wget https://gitee.com/mirrors/ingress-nginx/raw/0.30.0/deploy/static/mandatory.yaml
-------------------结束同步---------------------

[root@master01 ingress]# vim mandatory.yaml 

apiVersion: apps/v1
191 #kind: Deployment
192 kind: DaemonSet
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
200 #  replicas: 1

219       hostNetwork: true


[root@master01 ingress]# kubectl apply -f mandatory.yaml 

[root@master01 ingress]# kubectl get pod -o wide -n ingress-nginx 
NAME                             READY   STATUS    RESTARTS   AGE   IP               NODE       NOMINATED NODE   READINESS GATES
nginx-ingress-controller-27lvf   1/1     Running   0          23s   192.168.168.81   master01   <none>           <none>
nginx-ingress-controller-29ckx   1/1     Running   0          23s   192.168.168.83   node02     <none>           <none>
nginx-ingress-controller-kn8ww   1/1     Running   0          23s   192.168.168.82   node01     <none>           <none>
---------------开启同步-------------------------
打开同步查看80+443端口
[root@master01 ingress]# netstat -antp | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      22509/nginx: master 
tcp        0      0 0.0.0.0:8181            0.0.0.0:*               LISTEN      22509/nginx: master 
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      22509/nginx: master 
[root@node01 ingress]# netstat -antp | grep nginx

[root@node02 ingress]# netstat -antp | grep nginx

8181 端口是nginx-controller的默认配置,当ingress没有资源可以匹配时,会自动转发到这个端口。
---------------------查看节点端口开放----------------

[root@master01 ingress]# kubectl explain ingress
KIND:     Ingress
VERSION:  networking.k8s.io/v1



[root@master01 ingress]# vim ingress-nginx1.yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-pvc
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: nfs-client-storageclass
  resources:
    requests:
      storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-app
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.22
          ports:
            - containerPort: 80
          volumeMounts:
          - name: nfs-pvc
            mountPath: /usr/share/nginx/html
      volumes:
      - name: nfs-pvc
        persistentVolumeClaim:
          claimName: nfs-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-daemon-svc
spec:
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  selector:
    app: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-daemon-ingress
spec:
  rules:
  - host: www.xy102.com
    http:
      paths:
      - path: /
        pathType: Prefix
#前缀匹配,匹配/ /test1 /test1/test2
        backend:
#匹配的svc的名称----pod
          service:
            name: nginx-daemon-svc
            port:
              number: 80



[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml 


[root@k8s5 k8s]# ll
总用量 0
drwxrwxrwx. 2 root root  6 9月  10 10:34 default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9
drwxrwxrwx. 2 root root 62 9月   8 16:55 default-redis-data-redis-master-0-pvc-4c38e65b-5e5d-45c5-a58d-6d7c0bd69b39
drwxrwxrwx. 2 root root 62 9月   8 16:55 default-redis-data-redis-replica-0-pvc-eabc2e78-7b0c-4c72-ac16-bf44eca0d524
drwxrwxrwx. 2 root root 62 9月   8 16:43 default-redis-data-redis-replica-1-pvc-d5b0e813-8bed-4b00-8df6-69ad648ecc2c
[root@k8s5 k8s]# rm -rf default-redis-data-redis-*
[root@k8s5 k8s]# ll
总用量 0
drwxrwxrwx. 2 root root 6 9月  10 10:34 default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9
[root@k8s5 k8s]# cd default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9/
[root@k8s5 default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9]# ls
[root@k8s5 default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9]# echo 123 > index.html

[root@master01 ingress]# vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.168.81 master01 www.xy102.com
192.168.168.82 node01
192.168.168.83 node02
192.168.168.84 hub.test.com
192.168.168.85 k8s5

[root@master01 ingress]# curl www.xy102.com
123



[root@node01 ingress]# vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.168.81 master01 www.xy102.com

[root@node01 ingress]# curl www.xy102.com
123

[root@node02 ingress]# vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.168.81 master01 www.xy102.com

[root@node02 ingress]# curl www.xy102.com
123


[root@k8s5 default-nfs-pvc-pvc-51fc1314-0c17-4f04-b539-d2508ac35ca3]# mkdir test1
[root@k8s5 default-nfs-pvc-pvc-51fc1314-0c17-4f04-b539-d2508ac35ca3]# ll
总用量 4
-rw-r--r--. 1 root root 4 9月  10 11:51 index.html
drwxr-xr-x. 2 root root 6 9月  10 12:32 test1
[root@k8s5 default-nfs-pvc-pvc-51fc1314-0c17-4f04-b539-d2508ac35ca3]# cd test1/
[root@k8s5 test1]# echo 456 > index.html
[root@k8s5 test1]# 

[root@master01 ingress]# curl www.xy102.com/test1
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>
[root@master01 ingress]# curl -L www.xy102.com/test1
456



[root@k8s5 test1]# pwd
/opt/k8s/default-nfs-pvc-pvc-51fc1314-0c17-4f04-b539-d2508ac35ca3/test1
[root@k8s5 test1]# ll
总用量 4
-rw-r--r--. 1 root root 4 9月  10 12:32 index.html
[root@k8s5 test1]# mkdir test2
[root@k8s5 test1]# cd test2/
[root@k8s5 test2]# echo 789 > index.html


[root@master01 ingress]# curl -L www.xy102.com/test1/test2
789
-----------------------------------------------------------------------------------------

------------------------DaemonSet+HostNetwork+NodeSelector模式----------------------------
##节点选择NodeSelector模式
[root@master01 ingress]# vim mandatory.yaml 


190 apiVersion: apps/v1
191 #kind: Deployment
192 kind: DaemonSet
193 metadata:
194   name: nginx-ingress-controller
195   namespace: ingress-nginx
196   labels:
197     app.kubernetes.io/name: ingress-nginx
198     app.kubernetes.io/part-of: ingress-nginx
199 spec:
200 #  replicas: 1
201   selector:
202     matchLabels:
203       app.kubernetes.io/name: ingress-nginx
204       app.kubernetes.io/part-of: ingress-nginx
205   template:
206     metadata:
207       labels:
208         app.kubernetes.io/name: ingress-nginx
209         app.kubernetes.io/part-of: ingress-nginx
210       annotations:
211         prometheus.io/port: "10254"
212         prometheus.io/scrape: "true"
213     spec:
214       # wait up to five minutes for the drain of connections
215       terminationGracePeriodSeconds: 300
216       serviceAccountName: nginx-ingress-serviceaccount
217       nodeSelector:
218         kubernetes.io/os: linux
219       hostNetwork: true
220       nodeSelector:
221         ingress: "true"

[root@master01 ingress]# kubectl get nodes --show-labels 
NAME       STATUS   ROLES                  AGE   VERSION    LABELS
master01   Ready    control-plane,master   14d   v1.20.15   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=master01,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node-role.kubernetes.io/master=
node01     Ready    <none>                 14d   v1.20.15   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node01,kubernetes.io/os=linux,memory=1000,test1=a,test3=b
node02     Ready    <none>                 14d   v1.20.15   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node02,kubernetes.io/os=linux,test2=b,xy102=98


打上ingress=true标签
[root@master01 ingress]# kubectl label nodes node01 ingress=true
node/node01 labeled
[root@master01 ingress]# kubectl get nodes --show-labels 
NAME       STATUS   ROLES                  AGE   VERSION    LABELS
master01   Ready    control-plane,master   14d   v1.20.15   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=master01,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node-role.kubernetes.io/master=
node01     Ready    <none>                 14d   v1.20.15   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,ingress=true,kubernetes.io/arch=amd64,kubernetes.io/hostname=node01,kubernetes.io/os=linux,memory=1000,test1=a,test3=b
node02     Ready    <none>                 14d   v1.20.15   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node02,kubernetes.io/os=linux,test2=b,xy102=98


[root@master01 ingress]# kubectl apply -f mandatory.yaml 

[root@master01 ingress]# kubectl get pod -o wide -n ingress-nginx
NAME                             READY   STATUS    RESTARTS   AGE   IP               NODE     NOMINATED NODE   READINESS GATES
nginx-ingress-controller-p52jc   1/1     Running   0          11s   192.168.168.82   node01   <none>           <none>


[root@node01 ingress]# curl www.xy102.com
curl: (7) Failed connect to www.xy102.com:80; 拒绝连接
[root@node01 ingress]# vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.168.82 node01 www.xy102.com



[root@node01 ingress]# curl www.xy102.com
123
[root@node01 ingress]# curl -L www.xy102.com/test1/test2
789
[root@node01 ingress]# curl -L www.xy102.com/test1
456

4、基于deployment+nodeport

[root@master01 ingress]# kubectl delete -f mandatory.yaml 

[root@master01 ingress]# vim mandatory.yaml

190 apiVersion: apps/v1
191 kind: Deployment
192 #kind: DaemonSet
193 metadata:
194   name: nginx-ingress-controller
195   namespace: ingress-nginx
196   labels:
197     app.kubernetes.io/name: ingress-nginx
198     app.kubernetes.io/part-of: ingress-nginx
199 spec:
200   replicas: 1
201   selector:
202     matchLabels:
203       app.kubernetes.io/name: ingress-nginx
204       app.kubernetes.io/part-of: ingress-nginx
205   template:
206     metadata:
207       labels:
208         app.kubernetes.io/name: ingress-nginx
209         app.kubernetes.io/part-of: ingress-nginx
210       annotations:
211         prometheus.io/port: "10254"
212         prometheus.io/scrape: "true"
213     spec:
214       # wait up to five minutes for the drain of connections
215       terminationGracePeriodSeconds: 300
216       serviceAccountName: nginx-ingress-serviceaccount
217       nodeSelector:
218         kubernetes.io/os: linux
219 #      hostNetwork: true
220 #      nodeSelector:
221 #        ingress: "true"


wget https://gitee.com/mirrors/ingress-nginx/raw/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml

[root@master01 ingress]# kubectl apply -f mandatory.yaml 

[root@master01 ingress]# kubectl get pod -o wide -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE     IP             NODE     NOMINATED NODE   READINESS GATES
nginx-ingress-controller-54b86f8f7b-4qszc   1/1     Running   0          2m15s   10.244.2.239   node02   <none>           <none>


[root@master01 ingress]# kubectl get svc -o wide -n ingress-nginx
NAME            TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE   SELECTOR
ingress-nginx   NodePort   10.96.183.19   <none>        80:31185/TCP,443:32676/TCP   19s   app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx

[root@master01 ingress]# netstat -antp | grep 31185
tcp        0      0 0.0.0.0:31185           0.0.0.0:*               LISTEN      28697/kube-proxy 

[root@node01 ingress]# netstat -antp | grep 31185
tcp        0      0 0.0.0.0:31185           0.0.0.0:*               LISTEN      20187/kube-proxy  

[root@node02 ingress]# netstat -antp | grep 31185
tcp        0      0 0.0.0.0:31185           0.0.0.0:*               LISTEN      44530/kube-proxy  


[root@master01 ingress]# vim ingress-nginx1.yaml 

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-pvc
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: nfs-client-storageclass
  resources:
    requests:
      storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-app
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.22
          ports:
            - containerPort: 80
          volumeMounts:
          - name: nfs-pvc
            mountPath: /usr/share/nginx/html
      volumes:
      - name: nfs-pvc
        persistentVolumeClaim:
          claimName: nfs-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-deployment-svc
spec:
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  selector:
    app: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-deployment-ingress
spec:
  rules:
  - host: www.xy102.com
    http:
      paths:
      - path: /
        pathType: Prefix
#前缀匹配,匹配/ /test1 /test1/test2
        backend:
#匹配的svc的名称----pod
          service:
            name: nginx-deployment-svc
            port:
              number: 80


[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml 


[root@master01 ingress]# curl www.xy102.com:31185
123

5、https

[root@master01 ingress]# mkdir https
[root@master01 ingress]# cd https/
[root@master01 https]# ls
[root@master01 https]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=CHINA/O=NJ" 
Generating a 2048 bit RSA private key
.............................+++
...+++
writing new private key to 'tls.key'
-----
##解释
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=CHINA/O=NJ"


req:表示指定证书请求和生成相关文件
-x509:生成自签名的x.509证书
-sha256:sha-256的散列算法
-nodes:生成的私钥不加密
-days 365: 证书的有效期为365天
-newkey rsa:2048::表示使用RSA的密钥队,长度2048个单位
-keyout tls.key -out tls.cr:生成两个文件
-keyout 私钥保存到tls.key文件
-out 保存证书到tls.crt
-subj 添加证书的主题

[root@master01 https]# kubectl create secret tls tls.secret --key tls.key --cert tls.crt

[root@master01 https]# kubectl create secret tls(指定type) tls.secret --key(指定密钥) tls.key --cert(指定证书) tls.crt 



[root@master01 ingress]# vim ingress-nginx1.yaml


 55 apiVersion: networking.k8s.io/v1
 56 kind: Ingress
 57 metadata:
 58   name: nginx-deployment-ingress
 59 spec:
 60   tls:
 61     - hosts:
 62       - www.xy102.com
 63       secretName: tls.secret
 64 #指定加密通信的域名,上下文一直,指定secret加密的名称,获取私钥和证书

[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml
[root@master01 ingress]# curl -k https://www.xy102.com:32676
123

作业:

#daemonset+hostnetwork实现https访问。

[root@master01 ingress]# vim mandatory.yaml 

190 apiVersion: apps/v1
191 #kind: Deployment
192 kind: DaemonSet
193 metadata:
194   name: nginx-ingress-controller
195   namespace: ingress-nginx
196   labels:
197     app.kubernetes.io/name: ingress-nginx
198     app.kubernetes.io/part-of: ingress-nginx
199 spec:
200 #  replicas: 1
201   selector:
202     matchLabels:
203       app.kubernetes.io/name: ingress-nginx
204       app.kubernetes.io/part-of: ingress-nginx
205   template:
206     metadata:
207       labels:
208         app.kubernetes.io/name: ingress-nginx
209         app.kubernetes.io/part-of: ingress-nginx
210       annotations:
211         prometheus.io/port: "10254"
212         prometheus.io/scrape: "true"
213     spec:
214       # wait up to five minutes for the drain of connections
215       terminationGracePeriodSeconds: 300
216       serviceAccountName: nginx-ingress-serviceaccount
217       nodeSelector:
218         kubernetes.io/os: linux
219       hostNetwork: true
220 #      nodeSelector:
221 #        ingress: "true"
222       containers:


[root@master01 ingress]# kubectl apply -f mandatory.yaml 


[root@master01 ingress]# vim ingress-nginx1.yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-pvc
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: nfs-client-storageclass
  resources:
    requests:
      storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-app
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.22
          ports:
            - containerPort: 80
          volumeMounts:
          - name: nfs-pvc
            mountPath: /usr/share/nginx/html
      volumes:
      - name: nfs-pvc
        persistentVolumeClaim:
          claimName: nfs-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-daemon-svc
spec:
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  selector:
    app: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-daemon-ingress
spec:
  tls:
    - hosts:
      - www.xy102.com
      secretName: tls.secret
#指定加密通信的域名,上下文一直,指定secret加密的名称,获取私钥和证书
  rules:
  - host: www.xy102.com
    http:
      paths:
      - path: /
        pathType: Prefix
#前缀匹配,匹配/ /test1 /test1/test2
        backend:
#匹配的svc的名称----pod
          service:
            name: nginx-daemon-svc
            port:
              number: 80

 
 
[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml 
persistentvolumeclaim/nfs-pvc created
deployment.apps/nginx-app created
service/nginx-daemon-svc unchanged
ingress.networking.k8s.io/nginx-daemon-ingress configured
[root@master01 ingress]# kubectl get pod -o wide -n ingress-nginx 
NAME                             READY   STATUS    RESTARTS   AGE     IP               NODE       NOMINATED NODE   READINESS GATES
nginx-ingress-controller-44ktd   1/1     Running   0          7m52s   192.168.168.83   node02     <none>           <none>
nginx-ingress-controller-ksjkr   1/1     Running   0          7m52s   192.168.168.81   master01   <none>           <none>
nginx-ingress-controller-z4lrr   1/1     Running   0          7m52s   192.168.168.82   node01     <none>           <none>


##之前https已经创建
-----------------------------------------------------------------------------------------------------------------------------------
[root@master01 ingress]# mkdir https
[root@master01 ingress]# cd https/
[root@master01 https]# ls
[root@master01 https]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=CHINA/O=NJ" 
Generating a 2048 bit RSA private key
.............................+++
...+++
writing new private key to 'tls.key'
-----
##解释
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=CHINA/O=NJ"


req:表示指定证书请求和生成相关文件
-x509:生成自签名的x.509证书
-sha256:sha-256的散列算法
-nodes:生成的私钥不加密
-days 365: 证书的有效期为365天
-newkey rsa:2048::表示使用RSA的密钥队,长度2048个单位
-keyout tls.key -out tls.cr:生成两个文件
-keyout 私钥保存到tls.key文件
-out 保存证书到tls.crt
-subj 添加证书的主题

[root@master01 https]# kubectl create secret tls tls.secret --key tls.key --cert tls.crt

[root@master01 https]# kubectl create secret tls(指定type) tls.secret --key(指定密钥) tls.key --cert(指定证书) tls.crt 



[root@master01 ingress]# vim ingress-nginx1.yaml


 55 apiVersion: networking.k8s.io/v1
 56 kind: Ingress
 57 metadata:
 58   name: nginx-deployment-ingress
 59 spec:
 60   tls:
 61     - hosts:
 62       - www.xy102.com
 63       secretName: tls.secret
 64 #指定加密通信的域名,上下文一直,指定secret加密的名称,获取私钥和证书

[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml
[root@master01 ingress]# curl -k https://www.xy102.com:32676
123

----------------------------------------------------------------------------------------------------------------------------------

[root@master01 ingress]# curl www.xy102.com
<html>
<head><title>308 Permanent Redirect</title></head>
<body>
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx/1.17.8</center>
</body>
</html>

[root@k8s5 k8s]# cd default-nfs-pvc-pvc-6a14c29f-4ba6-48e2-9f22-bc3dee4b2feb/
[root@k8s5 default-nfs-pvc-pvc-6a14c29f-4ba6-48e2-9f22-bc3dee4b2feb]# ll
总用量 0
[root@k8s5 default-nfs-pvc-pvc-6a14c29f-4ba6-48e2-9f22-bc3dee4b2feb]# echo 123 > index.html
 

[root@master01 ingress]# curl -Lk https://www.xy102.com
123



[root@k8s5 default-nfs-pvc-pvc-6a14c29f-4ba6-48e2-9f22-bc3dee4b2feb]# mkdir test1
[root@k8s5 default-nfs-pvc-pvc-6a14c29f-4ba6-48e2-9f22-bc3dee4b2feb]# cd test1/
[root@k8s5 test1]# echo 456 > index.html

[root@master01 ingress]# curl -Lk https://www.xy102.com/test1
456

[root@master01 ingress]# curl -Lk https://www.xy102.com/test1/test2
789
相关推荐
€☞扫地僧☜€3 小时前
docker 拉取MySQL8.0镜像以及安装
运维·数据库·docker·容器
全能全知者4 小时前
docker快速安装与配置mongoDB
mongodb·docker·容器
为什么这亚子5 小时前
九、Go语言快速入门之map
运维·开发语言·后端·算法·云原生·golang·云计算
ZHOU西口7 小时前
微服务实战系列之玩转Docker(十八)
分布式·docker·云原生·架构·数据安全·etcd·rbac
牛角上的男孩8 小时前
Istio Gateway发布服务
云原生·gateway·istio
JuiceFS9 小时前
好未来:多云环境下基于 JuiceFS 建设低运维模型仓库
运维·云原生
景天科技苑10 小时前
【云原生开发】K8S多集群资源管理平台架构设计
云原生·容器·kubernetes·k8s·云原生开发·k8s管理系统
wclass-zhengge11 小时前
K8S篇(基本介绍)
云原生·容器·kubernetes
颜淡慕潇11 小时前
【K8S问题系列 |1 】Kubernetes 中 NodePort 类型的 Service 无法访问【已解决】
后端·云原生·容器·kubernetes·问题解决
川石课堂软件测试13 小时前
性能测试|docker容器下搭建JMeter+Grafana+Influxdb监控可视化平台
运维·javascript·深度学习·jmeter·docker·容器·grafana