kubernetes Ingress tls的部署案例

1.安装ingress 按照官方文档我已经安装完成了

[root@master-etcd1-234-31 ingress]# kubectl get pods -n ingress-nginx
NAME                                      READY   STATUS      RESTARTS       AGE
ingress-nginx-admission-create--1-6v54t   0/1     Completed   0              17h
ingress-nginx-admission-patch--1-cbhbq    0/1     Completed   0              17h
ingress-nginx-controller-2j7kr            1/1     Running     1 (106m ago)   16h
ingress-nginx-controller-5gfwf            1/1     Running     1 (106m ago)   16h
ingress-nginx-controller-cp8m4            1/1     Running     1 (106m ago)   16h
ingress-nginx-controller-jggwn            1/1     Running     1 (107m ago)   16h
ingress-nginx-controller-t4g4s            1/1     Running     6 (106m ago)   16h
ingress-nginx-controller-xshjn            1/1     Running     6 (106m ago)   16h

2.安装部署ingress tls

[root@master-etcd1-234-31 ingress]# kubectl get pods -n ingress-nginx
NAME                                      READY   STATUS      RESTARTS       AGE
ingress-nginx-admission-create--1-6v54t   0/1     Completed   0              17h
ingress-nginx-admission-patch--1-cbhbq    0/1     Completed   0              17h
ingress-nginx-controller-2j7kr            1/1     Running     1 (106m ago)   16h
ingress-nginx-controller-5gfwf            1/1     Running     1 (106m ago)   16h
ingress-nginx-controller-cp8m4            1/1     Running     1 (106m ago)   16h
ingress-nginx-controller-jggwn            1/1     Running     1 (107m ago)   16h
ingress-nginx-controller-t4g4s            1/1     Running     6 (106m ago)   16h
ingress-nginx-controller-xshjn            1/1     Running     6 (106m ago)   16h
total 4
-rw-r--r-- 1 root root 3939 Aug  7 14:50 ingress-tls.yaml
[root@master-etcd1-234-31 ingress]# bash ~/secret/1k-key-crt.sh
请输入要签发证书的域名:www.orochw.com
Generating RSA private key, 4096 bit long modulus
...........................................................................................++
.............++
e is 65537 (0x10001)
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=pskzs/CN=PSKZS CA Center
Getting Private key
Generating RSA private key, 2048 bit long modulus
.........................................+++
.........................................................................+++
e is 65537 (0x10001)
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=pskzs/CN=www.orochw.com
Getting CA Private Key
key:server.key
crt:server.crt
[root@master-etcd1-234-31 ingress]# ll
total 32
-rw-r--r-- 1 root root 1866 Aug  7 14:59 ca.crt
-rw-r--r-- 1 root root 1679 Aug  7 14:59 ca.csr
-rw-r--r-- 1 root root 3243 Aug  7 14:59 ca.key
-rw-r--r-- 1 root root   17 Aug  7 14:59 ca.srl
-rw-r--r-- 1 root root 3939 Aug  7 14:50 ingress-tls.yaml
-rw-r--r-- 1 root root 1574 Aug  7 14:59 server.crt
-rw-r--r-- 1 root root 1058 Aug  7 14:59 server.csr
-rw-r--r-- 1 root root 1675 Aug  7 14:59 server.key
drwxr-xr-x 2 root root   40 Aug  7 14:59 www.orochw.com

使用的一键签发证书的脚本（注意：上面 ll 输出中 ca.key 与 server.key 的权限为 -rw-r--r--，即所有本机用户可读；私钥文件应 chmod 600，CA 私钥 ca.key 导入 secret 后更不应留在普通工作目录中）
https://raw.githubusercontent.com/OrochW/scripts/master/1k-key-crt.sh

3. 创建一个secret为ingress使用（下面用 generic 类型并手动指定 tls.crt / tls.key 两个 key；也可以用 kubectl create secret tls tls-secret --cert=server.crt --key=server.key -n test 生成 kubernetes.io/tls 类型的 secret，效果相同）

kubectl  create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key -n test

3.1报错排错

说明：下面的报错是 admission webhook 在正常工作——同一个 host "www.orochw.com" 加 path "/" 已经在 test/tls-ingress 这个 Ingress 里定义过了。直接删除 ValidatingWebhookConfiguration 会让整个集群的 Ingress 失去这层校验（包括后续所有的配置冲突和语法错误都不再被拦截）；更稳妥的处理是先删除或修改冲突的 test/tls-ingress，再 apply 新文件。

[root@master-etcd1-234-31 ingress]# kubectl apply -f  ingress-tls-single.yaml
Error from server (BadRequest): error when creating "ingress-tls-single.yaml": admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: host "www.orochw.com" and path "/" is already defined in ingress test/tls-ingress
[root@master-etcd1-234-31 ingress]#  kubectl get ValidatingWebhookConfiguration
NAME                      WEBHOOKS   AGE
ingress-nginx-admission   1          17h
[root@master-etcd1-234-31 ingress]# kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission
validatingwebhookconfiguration.admissionregistration.k8s.io "ingress-nginx-admission" deleted
[root@master-etcd1-234-31 ingress]# kubectl apply -f  ingress-tls-single.yaml
ingress.networking.k8s.io/nginx-web created

3.2 使用的namespace && pod && svc

[root@master-etcd1-234-31 ingress]# kubectl get ns -A
NAME              STATUS   AGE
default           Active   24h
ingress-nginx     Active   17h
kube-node-lease   Active   24h
kube-public       Active   24h
kube-system       Active   24h
linux             Active   22h
test              Active   16h
python            Active   22h


[root@master-etcd1-234-31 ingress]# kubectl get pod -A -o wide
NAMESPACE       NAME                                             READY   STATUS      RESTARTS       AGE   IP               NODE             NOMINATED NODE   READINESS GATES
default         net-test-centos-pod3                             1/1     Running     1 (151m ago)   22h   10.20.214.140    192.168.234.41   <none>           <none>
ingress-nginx   ingress-nginx-admission-create--1-6v54t          0/1     Completed   0              17h   <none>           192.168.234.41   <none>           <none>
ingress-nginx   ingress-nginx-admission-patch--1-cbhbq           0/1     Completed   0              17h   <none>           192.168.234.43   <none>           <none>
ingress-nginx   ingress-nginx-controller-2j7kr                   1/1     Running     1 (151m ago)   17h   192.168.234.43   192.168.234.43   <none>           <none>
ingress-nginx   ingress-nginx-controller-5gfwf                   1/1     Running     1 (151m ago)   17h   192.168.234.41   192.168.234.41   <none>           <none>
ingress-nginx   ingress-nginx-controller-cp8m4                   1/1     Running     1 (151m ago)   17h   192.168.234.42   192.168.234.42   <none>           <none>
ingress-nginx   ingress-nginx-controller-jggwn                   1/1     Running     1 (152m ago)   17h   192.168.234.31   192.168.234.31   <none>           <none>
ingress-nginx   ingress-nginx-controller-t4g4s                   1/1     Running     6 (151m ago)   17h   192.168.234.33   192.168.234.33   <none>           <none>
ingress-nginx   ingress-nginx-controller-xshjn                   1/1     Running     6 (151m ago)   17h   192.168.234.32   192.168.234.32   <none>           <none>
kube-system     calico-kube-controllers-59df8b6856-8qkd5         1/1     Running     2 (157m ago)   24h   192.168.234.43   192.168.234.43   <none>           <none>
kube-system     calico-node-27wpq                                1/1     Running     3 (151m ago)   24h   192.168.234.33   192.168.234.33   <none>           <none>
kube-system     calico-node-67vv9                                1/1     Running     4 (152m ago)   24h   192.168.234.31   192.168.234.31   <none>           <none>
kube-system     calico-node-nkkgv                                1/1     Running     2 (151m ago)   24h   192.168.234.41   192.168.234.41   <none>           <none>
kube-system     calico-node-rmztm                                1/1     Running     2 (151m ago)   24h   192.168.234.43   192.168.234.43   <none>           <none>
kube-system     calico-node-v848h                                1/1     Running     2 (151m ago)   24h   192.168.234.32   192.168.234.32   <none>           <none>
kube-system     calico-node-wf2v6                                1/1     Running     2 (151m ago)   24h   192.168.234.42   192.168.234.42   <none>           <none>
linux           linux-nginx-deployment-5cd9566d7f-qh8b4          1/1     Running     1 (151m ago)   21h   10.20.216.205    192.168.234.42   <none>           <none>
linux           linux-tomcat-app1-deployment-6f8864d5d9-8ljqc    1/1     Running     1 (151m ago)   21h   10.20.146.74     192.168.234.43   <none>           <none>
linux           net-test-centos-pod1                             1/1     Running     1 (151m ago)   22h   10.20.216.204    192.168.234.42   <none>           <none>
test            test-tomcat-app1-deployment-6b6b655ddc-dqhbw     1/1     Running     1 (151m ago)   16h   10.20.214.141    192.168.234.41   <none>           <none>
test            test-tomcat-app2-deployment-555d558d49-6jvhh     1/1     Running     1 (151m ago)   16h   10.20.146.73     192.168.234.43   <none>           <none>
python          net-test-centos-pod2                             1/1     Running     1 (151m ago)   22h   10.20.146.75     192.168.234.43   <none>           <none>
python          python-nginx-deployment-7bbc6bf578-bmq6r         1/1     Running     1 (151m ago)   21h   10.20.214.142    192.168.234.41   <none>           <none>
python          python-tomcat-app1-deployment-6b795c66d5-bh97w   1/1     Running     1 (151m ago)   21h   10.20.216.203    192.168.234.42   <none>           <none>


[root@master-etcd1-234-31 ingress]# kubectl get svc -A
NAMESPACE       NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
default         kubernetes                           ClusterIP   10.100.0.1       <none>        443/TCP                      24h
ingress-nginx   ingress-nginx-controller-admission   ClusterIP   10.100.71.67     <none>        443/TCP                      17h
linux           linux-nginx-service                  NodePort    10.100.56.67     <none>        80:30004/TCP,443:30443/TCP   21h
linux           linux-tomcat-app1-service            NodePort    10.100.117.202   <none>        80:30005/TCP                 21h
test            test-tomcat-app1-service             NodePort    10.100.78.216    <none>        80:30080/TCP                 16h
test            test-tomcat-app2-service             NodePort    10.100.190.157   <none>        80:30081/TCP                 16h
python          python-nginx-service                 NodePort    10.100.154.110   <none>        80:30014/TCP,443:30453/TCP   21h
python          python-tomcat-app1-service           NodePort    10.100.188.3     <none>        80:30015/TCP                 21h

4.编辑ingress的yaml文件

# Ingress that terminates TLS for www.orochw.com in namespace "test" and routes
# the root path to test-tomcat-app1-service. The certificate in tls-secret was
# signed by the private CA generated above (subject CN "PSKZS CA Center"), so
# clients will not trust it unless ca.crt is added to their trust store.
#apiVersion: networking.k8s.io/v1beta1   # legacy API group version; removed in Kubernetes 1.22
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-web
  namespace: test ## namespace; must be the same one tls-secret was created in
  annotations:
    kubernetes.io/ingress.class: "nginx" ## selects the Ingress Controller; deprecated in favor of spec.ingressClassName on networking.k8s.io/v1
    nginx.ingress.kubernetes.io/ssl-redirect: 'true' # force http requests to redirect to https (site-wide https, as in nginx)
spec:
  tls:
  - hosts:
    - www.orochw.com # host the TLS certificate covers
    secretName: tls-secret # secret created in step 3 (keys tls.crt / tls.key)
  rules:
  - host: www.orochw.com # host header to match
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: test-tomcat-app1-service  ## http://www.orochw.com is redirected to https://www.orochw.com; the root of orochw.com is served by test-tomcat-app1-service
            port:
              number: 80