Service ingress
Reference material:
Ingress-Nginx GitHub repository: https://github.com/kubernetes/ingress-nginx
Ingress-Nginx official site: https://kubernetes.github.io/ingress-nginx/
1. Introduction
Nginx-ingress is an important member of the Kubernetes ecosystem. Its main job is to expose services to the outside world, and it also provides additional functions such as load balancing.
At the time of writing, nginx-ingress can act as both a layer-7 and a layer-4 proxy (layer-4 proxying is configured through a ConfigMap and still seems to have room for improvement).
Nginx's layer-7 reverse-proxy mode can be sketched as in the diagram below:
Nginx provides a reverse proxy for the services running behind it (Service1, Service2); its configuration file maps each domain name to the Endpoints of the corresponding backend service. Clients map the domain names to the Nginx proxy server either through a DNS service or by editing their local hosts file. When a client visits service1.com, the browser sends a request containing that domain name to the nginx server; nginx selects the matching Service based on the domain name (here, the Service1 backend) and then, according to some load-balancing policy, picks one container in Service1 to receive the client's request and respond to it. The process is simple: nginx acts like a "router" that forwards requests according to their domain name, and that is the overall workflow of layer-7 proxying.
We now have a rough idea of what the Nginx reverse proxy does. In a Kubernetes cluster, backend services change very frequently, and updating the nginx configuration file by hand is practically impossible; nginx-ingress was created to solve this. Nginx-ingress watches for changes in the state of Kubernetes resources and updates the nginx configuration file automatically. The rest of this article analyses how it works.
2. Analysis of the nginx-ingress workflow
First, a diagram of the overall working model:

Leaving aside add-on functions such as nginx status collection, the nginx-ingress module consists of three main components at runtime: NginxController, Store and SyncQueue. Store collects runtime information from the Kubernetes API server, watches for changes to the various resources (Ingress, Service and so on) and promptly writes update event messages into a ring-buffer channel. The SyncQueue goroutine periodically scans the syncQueue and, whenever it finds a task, runs the update: it pulls the latest runtime data through the Store, generates a new nginx configuration according to a set of rules (some updates require a reload, in which case the new configuration is written to disk locally and a reload is executed), and then performs a dynamic update by building POST data and sending a POST request to the local Nginx Lua module, which applies the configuration. NginxController is the intermediary between the two: it listens on updateChannel and, as soon as it receives a configuration-update event, writes an update request into the syncQueue.
Deploying ingress-nginx
```shell
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/baremetal/service-nodeport.yaml
kubectl apply -f mandatory.yaml
kubectl apply -f service-nodeport.yaml
```
Ingress HTTP proxy access
Deployment, Service and Ingress YAML
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deployment1
spec:
  replicas: 3
  template:
    metadata:
      labels:
        name: nginx1
    spec:
      containers:
        - name: nginx1
          image: wangyanglinux/myapp:v1
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-1
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    name: nginx1
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-test1
spec:
  rules:
    - host: www1.atguigu.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-1
              servicePort: 80
```
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deployment2
spec:
  replicas: 3
  template:
    metadata:
      labels:
        name: nginx2
    spec:
      containers:
        - name: nginx2
          image: wangyanglinux/myapp:v2
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-2
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    name: nginx2
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-test2
spec:
  rules:
    - host: www2.atguigu.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-2
              servicePort: 80
```

Configure local name resolution for the test domains.
Ingress HTTPS proxy access
Create the certificate and store it as a Secret
```shell
# The subject component is "O" (organization), not the digit zero.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
```
Deployment, Service and Ingress YAML files
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deployment3
spec:
  replicas: 3
  template:
    metadata:
      labels:
        name: nginx3
    spec:
      containers:
        - name: nginx3
          image: wangyanglinux/myapp:v3
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-3
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    name: nginx3
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-test3
spec:
  tls:
    - hosts:
        - www3.atguigu.com
      secretName: tls-secret
  rules:
    - host: www3.atguigu.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-3
              servicePort: 80
```
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deployment4
spec:
  replicas: 3
  template:
    metadata:
      labels:
        name: nginx4
    spec:
      containers:
        - name: nginx4
          image: wangyanglinux/myapp:v2
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-4
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    name: nginx4
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-test4
spec:
  tls:
    - hosts:
        - www4.atguigu.com
      secretName: tls-secret
  rules:
    - host: www4.atguigu.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-4
              servicePort: 80
```

Nginx BasicAuth
```shell
yum -y install httpd
htpasswd -c auth foo
kubectl create secret generic basic-auth --from-file=auth
```
vim ingress-auth.yaml
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
    - host: auth.atguigu.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-1
              servicePort: 80
```
nginx rewrite
| Name | Description | Value |
|---|---|---|
| nginx.ingress.kubernetes.io/rewrite-target | Target URI to which the traffic must be redirected | string |
| nginx.ingress.kubernetes.io/ssl-redirect | Indicates whether the location section is accessible only over SSL (defaults to true when the Ingress contains a certificate) | bool |
| nginx.ingress.kubernetes.io/force-ssl-redirect | Forces a redirect to HTTPS even if the Ingress has TLS disabled | bool |
| nginx.ingress.kubernetes.io/app-root | Defines the application root the controller must redirect to if it is in the "/" context | string |
| nginx.ingress.kubernetes.io/use-regex | Indicates whether the paths defined on the Ingress use regular expressions | bool |
vim ingress-rewrite.yaml
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-test
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: https://www3.atguigu.com:30643/hostname.html
spec:
  rules:
    - host: re.atguigu.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-1
              servicePort: 80
```
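An added review script, not code from this page or from the ingress-nginx project: it rebuilds this page's HTTP, HTTPS, BasicAuth and rewrite Ingress objects as Python dicts (the `ingress` helper and the finding messages are assumptions of this example) and audits them against the annotations in the table above, flagging hosts served over plain HTTP (which for the BasicAuth Ingress means credentials cross the wire unencrypted), TLS blocks without a Secret, `auth-type: basic` without an `auth-secret`, and an absolute `rewrite-target` that redirects clients to another host.

```python
# Added example (not ingress-nginx code): this page's Ingress manifests
# rebuilt as dicts and audited for hosts without TLS, TLS without a Secret,
# BasicAuth without a secret, and a rewrite-target pointing at another host.
from urllib.parse import urlsplit

ANN = "nginx.ingress.kubernetes.io/"

def ingress(name, host, svc, tls=False, ann=None):
    """Build an Ingress dict in the shape of the page's manifests."""
    path = {"path": "/", "backend": {"serviceName": svc, "servicePort": 80}}
    spec = {"rules": [{"host": host, "http": {"paths": [path]}}]}
    if tls:
        spec["tls"] = [{"hosts": [host], "secretName": "tls-secret"}]
    return {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
            "metadata": {"name": name, "annotations": ann or {}}, "spec": spec}

def audit_ingress(ing):
    """Return a list of findings (strings) for one Ingress object."""
    name, ann = ing["metadata"]["name"], ing["metadata"].get("annotations", {})
    spec = ing.get("spec", {})
    tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
    # ssl-redirect only applies once the Ingress carries a certificate;
    # without TLS, only force-ssl-redirect moves clients off plain HTTP.
    forced = ann.get(ANN + "force-ssl-redirect", "false").lower() == "true"
    findings = [f"{name}: {r['host']} is served over plain HTTP"
                for r in spec.get("rules", [])
                if r.get("host") not in tls_hosts and not forced]
    findings += [f"{name}: tls block without secretName"
                 for t in spec.get("tls", []) if not t.get("secretName")]
    if ann.get(ANN + "auth-type") == "basic" and not ann.get(ANN + "auth-secret"):
        findings.append(f"{name}: auth-type basic without auth-secret")
    # An absolute rewrite-target makes nginx redirect to that host; a
    # reviewer should confirm the destination is the intended one.
    dest = urlsplit(ann.get(ANN + "rewrite-target", "")).netloc
    if dest:
        findings.append(f"{name}: rewrite-target redirects clients to {dest}")
    return findings

PAGE_INGRESSES = [  # this page's four Ingress objects, rebuilt with the helper
    ingress("nginx-test1", "www1.atguigu.com", "svc-1"),
    ingress("nginx-test3", "www3.atguigu.com", "svc-3", tls=True),
    ingress("ingress-with-auth", "auth.atguigu.com", "svc-1", ann={
        ANN + "auth-type": "basic", ANN + "auth-secret": "basic-auth"}),
    ingress("nginx-test", "re.atguigu.com", "svc-1", ann={
        ANN + "rewrite-target": "https://www3.atguigu.com:30643/hostname.html"}),
]

def audit_all(ingresses):
    return {i["metadata"]["name"]: audit_ingress(i) for i in ingresses}
```

Only nginx-test3 comes back clean; the rewrite Ingress is reported twice, once for plain HTTP and once because its rewrite-target sends clients to www3.atguigu.com:30643.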