Kubernetes Ingress TLS 的部署案例
2022-08-07
1. 安装 ingress：按照官方文档，我已经安装完成了
[root@master-etcd1-234-31 ingress]# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create--1-6v54t 0/1 Completed 0 17h
ingress-nginx-admission-patch--1-cbhbq 0/1 Completed 0 17h
ingress-nginx-controller-2j7kr 1/1 Running 1 (106m ago) 16h
ingress-nginx-controller-5gfwf 1/1 Running 1 (106m ago) 16h
ingress-nginx-controller-cp8m4 1/1 Running 1 (106m ago) 16h
ingress-nginx-controller-jggwn 1/1 Running 1 (107m ago) 16h
ingress-nginx-controller-t4g4s 1/1 Running 6 (106m ago) 16h
ingress-nginx-controller-xshjn 1/1 Running 6 (106m ago) 16h

2. 安装部署 ingress TLS
[root@master-etcd1-234-31 ingress]# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create--1-6v54t 0/1 Completed 0 17h
ingress-nginx-admission-patch--1-cbhbq 0/1 Completed 0 17h
ingress-nginx-controller-2j7kr 1/1 Running 1 (106m ago) 16h
ingress-nginx-controller-5gfwf 1/1 Running 1 (106m ago) 16h
ingress-nginx-controller-cp8m4 1/1 Running 1 (106m ago) 16h
ingress-nginx-controller-jggwn 1/1 Running 1 (107m ago) 16h
ingress-nginx-controller-t4g4s 1/1 Running 6 (106m ago) 16h
ingress-nginx-controller-xshjn 1/1 Running 6 (106m ago) 16h
total 4
-rw-r--r-- 1 root root 3939 Aug 7 14:50 ingress-tls.yaml
[root@master-etcd1-234-31 ingress]# bash ~/secret/1k-key-crt.sh
请输入要签发证书的域名:www.orochw.com
Generating RSA private key, 4096 bit long modulus
...........................................................................................++
.............++
e is 65537 (0x10001)
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=pskzs/CN=PSKZS CA Center
Getting Private key
Generating RSA private key, 2048 bit long modulus
.........................................+++
.........................................................................+++
e is 65537 (0x10001)
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=pskzs/CN=www.orochw.com
Getting CA Private Key
key:server.key
crt:server.crt
[root@master-etcd1-234-31 ingress]# ll
total 32
-rw-r--r-- 1 root root 1866 Aug 7 14:59 ca.crt
-rw-r--r-- 1 root root 1679 Aug 7 14:59 ca.csr
-rw-r--r-- 1 root root 3243 Aug 7 14:59 ca.key
-rw-r--r-- 1 root root 17 Aug 7 14:59 ca.srl
-rw-r--r-- 1 root root 3939 Aug 7 14:50 ingress-tls.yaml
-rw-r--r-- 1 root root 1574 Aug 7 14:59 server.crt
-rw-r--r-- 1 root root 1058 Aug 7 14:59 server.csr
-rw-r--r-- 1 root root 1675 Aug 7 14:59 server.key
drwxr-xr-x 2 root root 40 Aug 7 14:59 www.orochw.com
使用的一键签发证书脚本如下（注意：该证书由脚本自建的 CA（上面输出中的 CN=PSKZS CA Center）签发，属于自签名证书，客户端需要先信任 ca.crt 才不会出现证书告警）：
https://raw.githubusercontent.com/OrochW/scripts/master/1k-key-crt.sh
3. 创建一个 Secret 供 Ingress 使用
# Load the server certificate/key pair into a Secret named tls-secret in the
# namespace test. The Ingress in step 4 references it via spec.tls[].secretName,
# so it must live in the same namespace as that Ingress (test).
# The directory listing above shows server.key with mode 0644 (world-readable);
# it is the TLS private key, so restrict it (e.g. chmod 600 server.key) once it
# has been loaded into the cluster.
kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key -n test
3.1 报错排错（注意：下面的报错说明 www.orochw.com 的 / 路径已经被 test/tls-ingress 这个 Ingress 定义了，admission webhook 拦截的是一个真实冲突；删除 ValidatingWebhookConfiguration 只是绕过了校验，之后整个集群的 Ingress 都不再做冲突和配置检查。更稳妥的做法是先删除或修改冲突的 Ingress，保留 webhook。）
[root@master-etcd1-234-31 ingress]# kubectl apply -f ingress-tls-single.yaml
Error from server (BadRequest): error when creating "ingress-tls-single.yaml": admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: host "www.orochw.com" and path "/" is already defined in ingress test/tls-ingress
[root@master-etcd1-234-31 ingress]# kubectl get ValidatingWebhookConfiguration
NAME WEBHOOKS AGE
ingress-nginx-admission 1 17h
[root@master-etcd1-234-31 ingress]# kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission
validatingwebhookconfiguration.admissionregistration.k8s.io "ingress-nginx-admission" deleted
[root@master-etcd1-234-31 ingress]# kubectl apply -f ingress-tls-single.yaml
ingress.networking.k8s.io/nginx-web created
3.2 使用的 namespace、pod 和 svc
[root@master-etcd1-234-31 ingress]# kubectl get ns -A
NAME STATUS AGE
default Active 24h
ingress-nginx Active 17h
kube-node-lease Active 24h
kube-public Active 24h
kube-system Active 24h
linux Active 22h
test Active 16h
python Active 22h
[root@master-etcd1-234-31 ingress]# kubectl get pod -A -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
default net-test-centos-pod3 1/1 Running 1 (151m ago) 22h 10.20.214.140 192.168.234.41 <none> <none>
ingress-nginx ingress-nginx-admission-create--1-6v54t 0/1 Completed 0 17h <none> 192.168.234.41 <none> <none>
ingress-nginx ingress-nginx-admission-patch--1-cbhbq 0/1 Completed 0 17h <none> 192.168.234.43 <none> <none>
ingress-nginx ingress-nginx-controller-2j7kr 1/1 Running 1 (151m ago) 17h 192.168.234.43 192.168.234.43 <none> <none>
ingress-nginx ingress-nginx-controller-5gfwf 1/1 Running 1 (151m ago) 17h 192.168.234.41 192.168.234.41 <none> <none>
ingress-nginx ingress-nginx-controller-cp8m4 1/1 Running 1 (151m ago) 17h 192.168.234.42 192.168.234.42 <none> <none>
ingress-nginx ingress-nginx-controller-jggwn 1/1 Running 1 (152m ago) 17h 192.168.234.31 192.168.234.31 <none> <none>
ingress-nginx ingress-nginx-controller-t4g4s 1/1 Running 6 (151m ago) 17h 192.168.234.33 192.168.234.33 <none> <none>
ingress-nginx ingress-nginx-controller-xshjn 1/1 Running 6 (151m ago) 17h 192.168.234.32 192.168.234.32 <none> <none>
kube-system calico-kube-controllers-59df8b6856-8qkd5 1/1 Running 2 (157m ago) 24h 192.168.234.43 192.168.234.43 <none> <none>
kube-system calico-node-27wpq 1/1 Running 3 (151m ago) 24h 192.168.234.33 192.168.234.33 <none> <none>
kube-system calico-node-67vv9 1/1 Running 4 (152m ago) 24h 192.168.234.31 192.168.234.31 <none> <none>
kube-system calico-node-nkkgv 1/1 Running 2 (151m ago) 24h 192.168.234.41 192.168.234.41 <none> <none>
kube-system calico-node-rmztm 1/1 Running 2 (151m ago) 24h 192.168.234.43 192.168.234.43 <none> <none>
kube-system calico-node-v848h 1/1 Running 2 (151m ago) 24h 192.168.234.32 192.168.234.32 <none> <none>
kube-system calico-node-wf2v6 1/1 Running 2 (151m ago) 24h 192.168.234.42 192.168.234.42 <none> <none>
linux linux-nginx-deployment-5cd9566d7f-qh8b4 1/1 Running 1 (151m ago) 21h 10.20.216.205 192.168.234.42 <none> <none>
linux linux-tomcat-app1-deployment-6f8864d5d9-8ljqc 1/1 Running 1 (151m ago) 21h 10.20.146.74 192.168.234.43 <none> <none>
linux net-test-centos-pod1 1/1 Running 1 (151m ago) 22h 10.20.216.204 192.168.234.42 <none> <none>
test test-tomcat-app1-deployment-6b6b655ddc-dqhbw 1/1 Running 1 (151m ago) 16h 10.20.214.141 192.168.234.41 <none> <none>
test test-tomcat-app2-deployment-555d558d49-6jvhh 1/1 Running 1 (151m ago) 16h 10.20.146.73 192.168.234.43 <none> <none>
python net-test-centos-pod2 1/1 Running 1 (151m ago) 22h 10.20.146.75 192.168.234.43 <none> <none>
python python-nginx-deployment-7bbc6bf578-bmq6r 1/1 Running 1 (151m ago) 21h 10.20.214.142 192.168.234.41 <none> <none>
python python-tomcat-app1-deployment-6b795c66d5-bh97w 1/1 Running 1 (151m ago) 21h 10.20.216.203 192.168.234.42 <none> <none>
[root@master-etcd1-234-31 ingress]# kubectl get svc -A
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.100.0.1 <none> 443/TCP 24h
ingress-nginx ingress-nginx-controller-admission ClusterIP 10.100.71.67 <none> 443/TCP 17h
linux linux-nginx-service NodePort 10.100.56.67 <none> 80:30004/TCP,443:30443/TCP 21h
linux linux-tomcat-app1-service NodePort 10.100.117.202 <none> 80:30005/TCP 21h
test test-tomcat-app1-service NodePort 10.100.78.216 <none> 80:30080/TCP 16h
test test-tomcat-app2-service NodePort 10.100.190.157 <none> 80:30081/TCP 16h
python python-nginx-service NodePort 10.100.154.110 <none> 80:30014/TCP,443:30453/TCP 21h
python python-tomcat-app1-service NodePort 10.100.188.3 <none> 80:30015/TCP 21h
4. 编辑 Ingress 的 YAML 文件
# Ingress that exposes test-tomcat-app1-service over TLS for www.orochw.com.
# The certificate comes from the Secret tls-secret created in step 3, which must
# live in the same namespace as this Ingress (test).
#apiVersion: networking.k8s.io/v1beta1
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-web
  namespace: test ## namespace; must match the namespace of tls-secret
  annotations:
    # Selects the Ingress controller type.
    # NOTE(review): for networking.k8s.io/v1 the spec.ingressClassName field is
    # the supported replacement for this annotation - confirm which one the
    # installed ingress-nginx version honors.
    kubernetes.io/ingress.class: "nginx"
    # SSL redirect: force plain http requests to https (site-wide https, the
    # equivalent of redirecting everything to https in nginx).
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
  tls:
  - hosts:
    - www.orochw.com # domain served over TLS
    secretName: tls-secret # name of the Secret created in step 3
  rules:
  - host: www.orochw.com # domain
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            # http://www.orochw.com is forced to https://www.orochw.com; the
            # root path "/" of orochw goes straight to test-tomcat-app1-service.
            name: test-tomcat-app1-service
            port:
              number: 80