Kubernetes的Ingress Controller-编程知识

前言

Kubernetes暴露服务的方式有一下几种：LoadBlancer Service、ExternalName、NodePort Service、Ingress，使用四层负载均衡调度器Service时，当客户端访问kubernetes集群内部的应用时，数据包的走向如下面流程所示：Client——>NodeIp:Port——>ServiceIp:Port——>PodIp:Port。四层代理的时候我们需要在服务暴露端口，过多的业务暴露过多的端口对服务器来说是一种安全风险。

Ingress是Kubernetes中的一个AP对象，属于七层代理用于管理HTTP和HTTPS流量的路由规则。它充当了集群内部服务与外部流量之间的网关，允许将外部请求路由到集群内部的不同服务上。他有多种控制器如：NGINX Ingress Controller、Traefik Ingress Controller、HAProxy Ingress Controller、Contour Ingress Controller等。

NGINX Ingress Controller

Ingress-nginx是将Nginx的配置抽象成一个Ingress对象，每添加一个新的服务只需写一个新的Ingress的yaml文件。它的工作原理是：

ingress controller通过和kubernetes api交互，动态的去感知集群中Ingress规则变化。
然后读取它，按照自定义的规则，规则就是写明了哪个域名对应哪个service，生成一段nginx配置.
再写到nginx-ingress-control的pod里，这个Ingress controller的pod里运行着一个Nginx服务，控制器会把生成的nginx配置写入nginx的配置文件中。
然后reload一下使配置生效。以此达到域名分配置和动态更新的问题。

部署Ingress Controller

官方地址：https://github.com/kubernetes/ingress-nginx
镜像下载代理地址：https://dockerproxy.com/

部署文件路径：ingress-nginx-release-1.10\deploy\static\provider\baremetal\delop.yaml（我是从Github把包下载下来了）

官方Kubernetes和Ingress的版本对应：
在这里插入图片描述

我的Kubernetes是1.28.7所以选择了ingress-nginx-release-1.10。

修改YAML文件Service部分，它有两个Service修改类型为type:NodePort部分的Service如下

apiVersion: v1
kind: Service
metadata:labels:app.kubernetes.io/component: controllerapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx-controllernamespace: ingress-nginx
spec:ipFamilies:- IPv4ipFamilyPolicy: SingleStackports:- appProtocol: httpname: httpport: 80protocol: TCPtargetPort: httpnodePort: 30080- appProtocol: httpsname: httpsport: 443protocol: TCPtargetPort: httpsnodePort: 30443selector:app.kubernetes.io/component: controllerapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxtype: NodePort

修改镜像image,文件中有三个image位置共两个镜像

#image: registry.k8s.io/ingress-nginx/controller:v1.10.0@sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c
image: k8s.dockerproxy.com/ingress-nginx/controller:v1.10.0#image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.0@sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334
image: k8s.dockerproxy.com/ingress-nginx/kube-webhook-certgen:v1.4.0

修改完成的YAML:

apiVersion: v1
kind: Namespace
metadata:labels:app.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxname: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:labels:app.kubernetes.io/component: controllerapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginxnamespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:labels:app.kubernetes.io/component: admission-webhookapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx-admissionnamespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:labels:app.kubernetes.io/component: controllerapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginxnamespace: ingress-nginx
rules:
- apiGroups:- ""resources:- namespacesverbs:- get
- apiGroups:- ""resources:- configmaps- pods- secrets- endpointsverbs:- get- list- watch
- apiGroups:- ""resources:- servicesverbs:- get- list- watch
- apiGroups:- networking.k8s.ioresources:- ingressesverbs:- get- list- watch
- apiGroups:- networking.k8s.ioresources:- ingresses/statusverbs:- update
- apiGroups:- networking.k8s.ioresources:- ingressclassesverbs:- get- list- watch
- apiGroups:- coordination.k8s.ioresourceNames:- ingress-nginx-leaderresources:- leasesverbs:- get- update
- apiGroups:- coordination.k8s.ioresources:- leasesverbs:- create
- apiGroups:- ""resources:- eventsverbs:- create- patch
- apiGroups:- discovery.k8s.ioresources:- endpointslicesverbs:- list- watch- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:labels:app.kubernetes.io/component: admission-webhookapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx-admissionnamespace: ingress-nginx
rules:
- apiGroups:- ""resources:- secretsverbs:- get- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:labels:app.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx
rules:
- apiGroups:- ""resources:- configmaps- endpoints- nodes- pods- secrets- namespacesverbs:- list- watch
- apiGroups:- coordination.k8s.ioresources:- leasesverbs:- list- watch
- apiGroups:- ""resources:- nodesverbs:- get
- apiGroups:- ""resources:- servicesverbs:- get- list- watch
- apiGroups:- networking.k8s.ioresources:- ingressesverbs:- get- list- watch
- apiGroups:- ""resources:- eventsverbs:- create- patch
- apiGroups:- networking.k8s.ioresources:- ingresses/statusverbs:- update
- apiGroups:- networking.k8s.ioresources:- ingressclassesverbs:- get- list- watch
- apiGroups:- discovery.k8s.ioresources:- endpointslicesverbs:- list- watch- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:labels:app.kubernetes.io/component: admission-webhookapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx-admission
rules:
- apiGroups:- admissionregistration.k8s.ioresources:- validatingwebhookconfigurationsverbs:- get- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:labels:app.kubernetes.io/component: controllerapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginxnamespace: ingress-nginx
roleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: ingress-nginx
subjects:
- kind: ServiceAccountname: ingress-nginxnamespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:labels:app.kubernetes.io/component: admission-webhookapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx-admissionnamespace: ingress-nginx
roleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: ingress-nginx-admission
subjects:
- kind: ServiceAccountname: ingress-nginx-admissionnamespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:labels:app.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: ingress-nginx
subjects:
- kind: ServiceAccountname: ingress-nginxnamespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:labels:app.kubernetes.io/component: admission-webhookapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx-admission
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: ingress-nginx-admission
subjects:
- kind: ServiceAccountname: ingress-nginx-admissionnamespace: ingress-nginx
---
apiVersion: v1
data:allow-snippet-annotations: "false"
kind: ConfigMap
metadata:labels:app.kubernetes.io/component: controllerapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx-controllernamespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:labels:app.kubernetes.io/component: controllerapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx-controllernamespace: ingress-nginx
spec:ipFamilies:- IPv4ipFamilyPolicy: SingleStackports:- appProtocol: httpname: httpport: 80protocol: TCPtargetPort: httpnodePort: 30080- appProtocol: httpsname: httpsport: 443protocol: TCPtargetPort: httpsnodePort: 30443selector:app.kubernetes.io/component: controllerapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxtype: NodePort
---
apiVersion: v1
kind: Service
metadata:labels:app.kubernetes.io/component: controllerapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx-controller-admissionnamespace: ingress-nginx
spec:ports:- appProtocol: httpsname: https-webhookport: 443targetPort: webhookselector:app.kubernetes.io/component: controllerapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxtype: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:labels:app.kubernetes.io/component: controllerapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx-controllernamespace: ingress-nginx
spec:minReadySeconds: 0revisionHistoryLimit: 10selector:matchLabels:app.kubernetes.io/component: controllerapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxstrategy:rollingUpdate:maxUnavailable: 1type: RollingUpdatetemplate:metadata:labels:app.kubernetes.io/component: controllerapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0spec:containers:- args:- /nginx-ingress-controller- --election-id=ingress-nginx-leader- --controller-class=k8s.io/ingress-nginx- --ingress-class=nginx- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller- --validating-webhook=:8443- --validating-webhook-certificate=/usr/local/certificates/cert- --validating-webhook-key=/usr/local/certificates/key- --enable-metrics=falseenv:- name: POD_NAMEvalueFrom:fieldRef:fieldPath: metadata.name- name: POD_NAMESPACEvalueFrom:fieldRef:fieldPath: metadata.namespace- name: LD_PRELOADvalue: /usr/local/lib/libmimalloc.so#image: registry.k8s.io/ingress-nginx/controller:v1.10.0@sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379cimage: k8s.dockerproxy.com/ingress-nginx/controller:v1.10.0imagePullPolicy: IfNotPresentlifecycle:preStop:exec:command:- /wait-shutdownlivenessProbe:failureThreshold: 5httpGet:path: /healthzport: 10254scheme: HTTPinitialDelaySeconds: 10periodSeconds: 10successThreshold: 1timeoutSeconds: 1name: controllerports:- containerPort: 80name: httpprotocol: TCP- containerPort: 443name: httpsprotocol: TCP- containerPort: 8443name: webhookprotocol: TCPreadinessProbe:failureThreshold: 3httpGet:path: /healthzport: 10254scheme: HTTPinitialDelaySeconds: 10periodSeconds: 10successThreshold: 1timeoutSeconds: 1resources:requests:cpu: 100mmemory: 90MisecurityContext:allowPrivilegeEscalation: falsecapabilities:add:- NET_BIND_SERVICEdrop:- ALLreadOnlyRootFilesystem: falserunAsNonRoot: truerunAsUser: 101seccompProfile:type: RuntimeDefaultvolumeMounts:- mountPath: /usr/local/certificates/name: webhook-certreadOnly: true- mountPath: /etc/localtimename: timereadOnly: truednsPolicy: ClusterFirstnodeSelector:kubernetes.io/os: linuxserviceAccountName: ingress-nginxterminationGracePeriodSeconds: 300volumes:- name: webhook-certsecret:secretName: ingress-nginx-admission- name: time hostPath: path: /etc/localtimetype: File
---
apiVersion: batch/v1
kind: Job
metadata:labels:app.kubernetes.io/component: admission-webhookapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx-admission-createnamespace: ingress-nginx
spec:template:metadata:labels:app.kubernetes.io/component: admission-webhookapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx-admission-createspec:containers:- args:- create- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc- --namespace=$(POD_NAMESPACE)- --secret-name=ingress-nginx-admissionenv:- name: POD_NAMESPACEvalueFrom:fieldRef:fieldPath: metadata.namespace#image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.0@sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334image: k8s.dockerproxy.com/ingress-nginx/kube-webhook-certgen:v1.4.0imagePullPolicy: IfNotPresentname: createsecurityContext:allowPrivilegeEscalation: falsecapabilities:drop:- ALLreadOnlyRootFilesystem: truerunAsNonRoot: truerunAsUser: 65532seccompProfile:type: RuntimeDefaultvolumeMounts:      - mountPath: /etc/localtimename: timereadOnly: truenodeSelector:kubernetes.io/os: linuxrestartPolicy: OnFailureserviceAccountName: ingress-nginx-admissionvolumes:- name: time hostPath: path: /etc/localtimetype: File
---
apiVersion: batch/v1
kind: Job
metadata:labels:app.kubernetes.io/component: admission-webhookapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx-admission-patchnamespace: ingress-nginx
spec:template:metadata:labels:app.kubernetes.io/component: admission-webhookapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx-admission-patchspec:containers:- args:- patch- --webhook-name=ingress-nginx-admission- --namespace=$(POD_NAMESPACE)- --patch-mutating=false- --secret-name=ingress-nginx-admission- --patch-failure-policy=Failenv:- name: POD_NAMESPACEvalueFrom:fieldRef:fieldPath: metadata.namespace#image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.0@sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334image: k8s.dockerproxy.com/ingress-nginx/kube-webhook-certgen:v1.4.0imagePullPolicy: IfNotPresentname: patchsecurityContext:allowPrivilegeEscalation: falsecapabilities:drop:- ALLreadOnlyRootFilesystem: truerunAsNonRoot: truerunAsUser: 65532seccompProfile:type: RuntimeDefaultvolumeMounts:      - mountPath: /etc/localtimename: timereadOnly: truenodeSelector:kubernetes.io/os: linuxrestartPolicy: OnFailureserviceAccountName: ingress-nginx-admissionvolumes:- name: time hostPath: path: /etc/localtimetype: File
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:labels:app.kubernetes.io/component: controllerapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: nginx
spec:controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:labels:app.kubernetes.io/component: admission-webhookapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.10.0name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:- v1clientConfig:service:name: ingress-nginx-controller-admissionnamespace: ingress-nginxpath: /networking/v1/ingressesfailurePolicy: FailmatchPolicy: Equivalentname: validate.nginx.ingress.kubernetes.iorules:- apiGroups:- networking.k8s.ioapiVersions:- v1operations:- CREATE- UPDATEresources:- ingressessideEffects: None

部署完成查看状态：

[root@master back]# kubectl get svc,pod -n ingress-nginx
NAME                                         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
service/ingress-nginx-controller             NodePort    10.100.169.162   <none>        80:30080/TCP,443:30443/TCP   5h41m
service/ingress-nginx-controller-admission   ClusterIP   10.100.239.92    <none>        443/TCP                      5h41mNAME                                            READY   STATUS      RESTARTS   AGE
pod/ingress-nginx-admission-create-5rgbk        0/1     Completed   0          5h41m
pod/ingress-nginx-admission-patch-9glvg         0/1     Completed   0          5h41m
pod/ingress-nginx-controller-7b498f7d8c-7j2qd   1/1     Running     0          5h41m

创建Ingress资源

Ingress资源是基于HTTP虚拟主机或URL的转发规则，需要强调的是，这是一条转发规则。它在资源配置清单中的spec字段中嵌套了rules、backend和tls等字段进行定义。

rules：用于定义当前Ingress资源的转发规则列表；由rules定义规则，或没有匹配到规则时，所有的流量会转发到由backend定义的默认后端。它是一个对象列表。
backend：默认的后端用于服务那些没有匹配到任何规则的请求；定义Ingress资源时，必须要定义backend或rules两者之一，该字段用于让负载均衡器指定一个全局默认的后端。
tls：TLS配置，目前仅支持通过默认端口443提供服务，如果要配置指定的列表成员指向不同的主机，则需要通过SNI TLS扩展机制来支持该功能。

部署一个Delopment的nginx服务

apiVersion: v1
kind: Service
metadata: name: nginx-testnamespace: default
spec:ports:- name: nginx targetPort: 80port: 80selector:ser: nginx-test---
apiVersion: apps/v1
kind: Deployment
metadata:name: nginx-dylabels:web: nginxnamespace: defaultannotations:dac: " image version to v1.0"
spec:minReadySeconds: 10#新创建的Pod成为就绪状态之前，Deployment控制器等待的最短时间（秒数）。确保Pod中的业务程序能正常工作之前有做狗的时候完成初始化和准备工作。paused: falseprogressDeadlineSeconds: 60#该字段用于指定部署操作的进度检查的超时时间（以秒为单位）。这个字段的作用是为了确保部署操作能够在指定的时间内完成，并在超时后进行相应的处理。replicas: 4revisionHistoryLimit: 5#该用于指定要保留的 Deployment 版本历史记录的最大数量。Deployment 版本历史记录包含了过去创建的每个 Deployment 的详细信息，包括创建时间、更新时间、副本数量等。#如果设置为 0，则不会保留任何历史记录；如果设置为负值，则表示将保留所有历史记录。selector:matchLabels:ser: nginx-teststrategy:#定义滚动更新策略type: RollingUpdaterollingUpdate:maxSurge: 1maxUnavailable: 0template:metadata:name: nginx#namespeacelabels:ser: nginx-testspec:# nodeSelector:#   app: tohostname: nginx-dycontainers:- image: docker.io/library/nginx:v1name: nginx-dyimagePullPolicy: IfNotPresentports:- name: nginx-postcontainerPort: 80# volumeMounts:# - name: nginx-conf#   mountPath: /etc/nginx/conf.d#   readOnly: false#   #为true为只读方式挂载# volumes:# - name: nginx-conf#   emptyDir: {}

部署Igress

apiVersion: networking.k8s.io/v1        #api版本
kind: Ingress           #清单类型
metadata:                       #元数据name: ingress-my   #ingress的名称namespace: default     #所属名称空间
spec:      ingressClassName: nginx# tls:# - hosts: #   - nginx.bwk.com#   secretName: nginx-ingress-secretrules:   #定义后端转发的规则- host: nginx.bwk.com    #通过域名进行转发http:paths:       - path: /   #配置访问路径（客户端的访问，请求的路径），如果通过url进行转发，需要修改；空默认为访问的路径为"/"pathType: Prefix  #   匹配的方式  backend:    #配置后端服务service:name: nginx-testport:number: 80

ingress.spec.rules.http.paths.path和ingress.spec.rules.http.paths.pathType两个字段定义的是客户端的访问请求的路径和路径的匹配方式。
ingress.spec.rules.http.paths.pathType路径的匹配方式：

Prefix（前缀匹配）：当请求的路径以指定的路径前缀开头时，将匹配该路径规则。例如：/app、/app/subpath 等都将匹配/app的前缀路径规则。
Exact（完全匹配）：只有当请求的路径与指定的路径完全相同时，才会匹配该路径规则。例如：只有请求的路径是/app时才会匹配/app的完全路径规则。
ImplementationSpecific 时，Ingress控制器会根据其特定的实现逻辑来确定如何匹配请求的路径。这意味着路径的匹配方式可能因不同的Ingress控制器而异。
ingressClassName：Ingress控制器。此处用的是NGINX Ingress Controller。

配置一个虚拟域名nginx.bwk.com。

部署后访问测试：

[root@localhost k8s]# curl nginx.bwk.com:30080
v1

nginx页面进行了修改访问结果就是V1

部署TLS Igress

创建Secret

openssl genrsa -out tls.key 2048
openssl req -new -x509 -key ./tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=nginx.bwk.com
kubectl create secret tls nginx-ingress-secret --cert=./tls.crt --key=./tls.key

查看Secret

[root@master ~]# kubectl describe secret nginx-ingress-secret
Name:         nginx-ingress-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>Type:  kubernetes.io/tlsData
====
tls.crt:  1285 bytes
tls.key:  1679 bytes
[root@master ~]#

部署ingress

apiVersion: networking.k8s.io/v1        #api版本
kind: Ingress           #清单类型
metadata:                       #元数据name: ingress-my   #ingress的名称namespace: default     #所属名称空间
spec:      ingressClassName: nginxtls:- hosts: - nginx.bwk.comsecretName: nginx-ingress-secretrules:   #定义后端转发的规则- host: nginx.bwk.com    #通过域名进行转发http:paths:       - path: /   #配置访问路径（客户端的访问，请求的路径），如果通过url进行转发，需要修改；空默认为访问的路径为"/"pathType: Prefix  #   匹配的方式  backend:    #配置后端服务service:name: nginx-testport:number: 80

去掉yaml文件的注释部署
部署测试拷贝证书到测试主机

[root@localhost home]# curl --cacert ./tls.crt  https://nginx.bwk.com:30443
v1