[kubernetes] 10-2 ingress -- Layer 4 proxying, session persistence, custom configuration, traffic control (Part 2)
Create custom-header-global.yaml
Define global headers
apiVersion: v1
kind: ConfigMap
data:
  proxy-set-headers: "ingress-nginx/custom-headers"
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: v1
kind: ConfigMap
data:
  X-Different-Name: "true"
  X-Request-Start: t=${msec}
  X-Using-Nginx-Controller: "true"
metadata:
  name: custom-headers
  namespace: ingress-nginx
kubectl apply -f custom-header-global.yaml
Then log in to the ingress-nginx container and inspect the configuration; the headers are now in effect.
Define a header for a specific Ingress
Create custom-header-spec-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "Request-Id: $req_id";
  name: web-demo
  namespace: dev
spec:
  rules:
  - host: web-dev.pdabc.com
    http:
      paths:
      - backend:
          serviceName: web-demo
          servicePort: 80
        path: /
kubectl apply -f custom-header-spec-ingress.yaml
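Configuration template: the template file is generated by a program; see kubernetes.github.io (as shown in the course).
Create nginx-ingress-controller.yaml. Do not apply it yet; apply it after the ConfigMap has been created.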
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: nginx-ingress-controller
  namespace: ingress-nginx
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
      creationTimestamp: null
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
        - --configmap=$(POD_NAMESPACE)/nginx-configuration
        - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
        - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx
        - --annotations-prefix=nginx.ingress.kubernetes.io
        volumeMounts:
        - mountPath: /etc/nginx/template
          name: nginx-template-volume
          readOnly: true
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.19.0
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: nginx-ingress-controller
        ports:
        - containerPort: 80
          hostPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          hostPort: 443
          name: https
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources: {}
        securityContext:
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsUser: 33
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      hostNetwork: true
      nodeSelector:
        app: ingress
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: nginx-ingress-serviceaccount
      serviceAccountName: nginx-ingress-serviceaccount
      terminationGracePeriodSeconds: 30
      volumes:
      - name: nginx-template-volume
        configMap:
          name: nginx-template
          items:
          - key: nginx.tmpl
            path: nginx.tmpl
Create the ConfigMap
First copy nginx.tmpl out of the container and onto master01
docker cp 9be9cb6d7830:/etc/nginx/template/nginx.tmpl .
Create the ConfigMap; the nginx.tmpl file must be in the same directory as the YAML file
kubectl create cm nginx-template --from-file nginx.tmpl -n ingress-nginx
kubectl create cm nginx-template --from-file nginx.tmpl -n ingress-nginx -o yaml
kubectl apply -f nginx-ingress-controller.yaml
Use docker logs -f 03f8b72a8ffd to check whether the nginx container started successfully
The configuration can then be edited in place
kubectl edit cm -n ingress-nginx nginx-template
Configure a TLS/HTTPS certificate
Create a script that generates the key and certificate
gen-secret.sh
#!/bin/bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout pdabc.key -out pdabc.crt -subj "/CN=*.pdabc.com/O=*.pdabc.com"
kubectl create secret tls pdabc-tls --key pdabc.key --cert pdabc.crt
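Once the certificate has been created, how is it used?
Enter the container and run
/nginx-ingress-controller --help
It is best to specify the namespace dev when creating the certificate.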
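An added example, not from the original post: a variant of gen-secret.sh that adds a subjectAltName (current browsers match host names against SAN rather than CN), checks the certificate and key before publishing, and creates the secret in the dev namespace, since an Ingress resolves secretName in its own namespace. Function names and the tls.key/tls.crt file names are illustrative; -addext and -ext require OpenSSL 1.1.1 or later.

```shell
#!/bin/bash
# Added example: function and file names are illustrative, not from the post.
set -u

# Self-signed wildcard certificate with a subjectAltName entry.
gen_cert() {  # gen_cert <dir> <domain> <days>
  openssl req -x509 -nodes -days "$3" -newkey rsa:2048 \
    -keyout "$1/tls.key" -out "$1/tls.crt" \
    -subj "/CN=*.$2/O=*.$2" \
    -addext "subjectAltName=DNS:*.$2,DNS:$2" 2>/dev/null || return 1
  chmod 600 "$1/tls.key"   # keep the private key unreadable to other users
}

# The certificate carries at least one DNS subjectAltName.
cert_has_san() {  # cert_has_san <crt>
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q 'DNS:'
}

# The certificate is valid for this host name (a wildcard covers one label).
cert_covers_host() {  # cert_covers_host <crt> <host>
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# The private key belongs to the certificate: both yield the same public key.
key_matches_cert() {  # key_matches_cert <crt> <key>
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# All checks, plus "not expiring within the next 30 days".
preflight() {  # preflight <dir> <host>
  cert_has_san "$1/tls.crt" &&
    cert_covers_host "$1/tls.crt" "$2" &&
    key_matches_cert "$1/tls.crt" "$1/tls.key" &&
    openssl x509 -in "$1/tls.crt" -noout -checkend $((30 * 86400)) >/dev/null
}

# Same kubectl command as gen-secret.sh, with the namespace made explicit.
publish_secret() {  # publish_secret <dir> <secret> <namespace>
  kubectl create secret tls "$2" --key "$1/tls.key" --cert "$1/tls.crt" -n "$3"
}

# Usage: ./gen-secret-checked.sh run
if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d) || exit 1
  gen_cert "$d" pdabc.com 365 && preflight "$d" web-dev.pdabc.com &&
    publish_secret "$d" pdabc-tls dev
  rc=$?; rm -rf "$d"; exit "$rc"
fi
```

The --default-ssl-certificate flag takes a namespace/name value, so it must name the namespace where the secret was actually created.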
Modify nginx-ingress-controller.yaml
spec:
  containers:
  - args:
    - /nginx-ingress-controller
    - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
    - --configmap=$(POD_NAMESPACE)/nginx-configuration
    - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
    - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
    - --publish-service=$(POD_NAMESPACE)/ingress-nginx
    - --annotations-prefix=nginx.ingress.kubernetes.io
    # Add this line
    - --default-ssl-certificate=default/pdabc-tls
kubectl apply -f nginx-ingress-controller.yaml
Visit
https://web-dev.pdabc.com/hello?name=jiaminxu
which shows the certificate is fine
The request returns 404; the Ingress needs to specify which certificate to use
web-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: web-demo
  namespace: dev
spec:
  rules:
  - host: web-dev.pdabc.com
    http:
      paths:
      - backend:
          serviceName: web-demo
          servicePort: 80
        path: /
  tls:
  - hosts:
    - web-dev.pdabc.com
    secretName: pdabc-tls
kubectl apply -f web-ingress.yaml
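and the response is now returned normally
Access control, for example when session persistence is needed
Check whether the previously created web-demo and web-demo-new use the same image; if they do, change one of them so the test can tell them apart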
kubectl get deploy -n dev web-demo-new -o yaml |grep image
kubectl get deploy -n dev web-demo -o yaml |grep image
Both are v3, so one needs to change
Modify the web-demo-new configuration
kubectl edit deploy -n dev web-demo-new
Change it to
- image: harbor.pdabc.com/kubernetes/springboot-web:v1