Some ingress-related operations in k8s, and some special configuration in GKE
Depending on: NGINX Ingress or GKE Ingress?
An Ingress is an API object that manages external access to the services in a cluster, typically HTTP(S) access. It generally consists of two components:
- Ingress resource: provides the routing rules
- Ingress controller: implements those routing rules
Each Ingress controller usually has its own feature set and its own way of being configured (generally through annotations).
Create a new Nginx Ingress
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install nginx-ingress ingress-nginx/ingress-nginx
If there is already an Nginx Ingress in the cluster, try to create another one.
kubectl create namespace ingress-nginx-2
helm install ingress-nginx-2-native ingress-nginx/ingress-nginx \
--namespace ingress-nginx-2 \
--set controller.ingressClassResource.name=nginx-2-lb \
--set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \
--set controller.ingressClassResource.enabled=true \
--set controller.ingressClassByName=true
You will have a simple example showing how to use this ingress controller.
The ingress-nginx controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace ingress-nginx-2 get services -o wide -w ingress-nginx-2-native-controller'
An example Ingress that makes use of the controller:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example
  namespace: foo
spec:
  ingressClassName: nginx-2-lb
  rules:
    - host: www.example.com
      http:
        paths:
          - pathType: Prefix
            backend:
              service:
                name: exampleService
                port:
                  number: 80
            path: /
  # This section is only required if TLS is to be enabled for the Ingress
  tls:
    - hosts:
        - www.example.com
      secretName: example-tls
If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
apiVersion: v1
kind: Secret
metadata:
  name: example-tls
  namespace: foo
data:
  tls.crt: <base64 encoded cert>
  tls.key: <base64 encoded key>
type: kubernetes.io/tls
Set default namespace:
kubectl config set-context --current --namespace=ingress-nginx-2
Completing the Challenge by DNS validation to generate a certificate
Issuing an ACME certificate using DNS validation
A working example:
secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: digitalocean-dns
  namespace: cmt-market
data:
  # insert your base64-encoded DO access token here
  # (the data: field requires base64; use stringData: instead to give the plaintext value)
  access-token: "access-token"
nginx-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  namespace: test-namespace
  annotations:
    # "false" disables the controller's automatic HTTP -> HTTPS redirect,
    # so the two backends below also stay reachable over plain HTTP
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    # cert-manager issues the certificate for the tls section below
    cert-manager.io/issuer: "letsencrypt-prod"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-com-tls
  ingressClassName: nginx
  rules:
    - host: example.com
      http:
        paths:
          - backend:
              service:
                name: web-frontment
                port:
                  number: 80
            path: /
            pathType: Prefix
          - backend:
              service:
                name: web-ba
                port:
                  number: 10088
            path: /api/market
            pathType: Prefix
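The Ingress above references an Issuer named letsencrypt-prod that the post does not show. As an added example (not part of the original post), this is how that Issuer could be defined for a DNS-01 challenge through DigitalOcean using the digitalocean-dns Secret from secret.yaml; the contact e-mail address and the privateKeySecretRef name are assumptions.

```yaml
# Assumed Issuer definition (added example, not from the original post)
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  # An Issuer is namespaced: the cert-manager.io/issuer annotation only resolves
  # an Issuer in the Ingress's own namespace, and tokenSecretRef is read from that
  # same namespace, so the digitalocean-dns Secret must also live in test-namespace.
  namespace: test-namespace
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com                 # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key     # assumed name; stores the ACME account key
    solvers:
      - dns01:
          digitalocean:
            tokenSecretRef:
              name: digitalocean-dns         # the Secret from secret.yaml
              key: access-token
```

Once applied, `kubectl get certificate -n test-namespace` shows whether the certificate cert-manager creates for example-com-tls has become Ready.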
To be continued