k8s的域名访问

小清爷 發表於 2022-1-5 16:17:00

https://www.bilibili.com/video/av66617940?p=36
一、域名访问设置
1）获取ingress的pod。添加的路由规则都记录在里面
<div class="cnblogs_code">
<pre>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-5694ccb578-78ldg 1/1 Running 5 23d
# kubectl exec nginx-ingress-controller-5694ccb578-78ldg -n ingress-nginx -it /bin/bash
www-data@nginx-ingress-controller-5694ccb578-78ldg:/etc/nginx$ ls nginx.conf
nginx.conf</pre>
</div>
 2）获取访问nginx的代理端口
<div class="cnblogs_code">
<pre>kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/baremetal/service-nodeport.yaml
# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.97.138.34 <none> 80:32116/TCP,443:30338/TCP 12s</pre>
</div>
默认的执行的配置文件，协议端口随机变化
<div class="cnblogs_code">
<pre>apiVersion: v1
kind: Service
metadata:
name: ingress-nginx
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
type: NodePort
ports:
- name: http
 port: 80
 targetPort: 80
 protocol: TCP
- name: https
 port: 443
 targetPort: 443
 protocol: TCP
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx

---</pre>
</div>
 
如果后面生成的域名访问方法
<div class="cnblogs_code">
<pre>curl www1.test.com:32116
curl www2.test.com:32116 </pre>
</div>
二、域名访问具体示例
1）例如设置访问域名 www1.test.com
1.1）创建pod和service
<div class="cnblogs_code"><img src="http://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif"><img id="code_img_opened_7df0d5bc-0f4d-47b7-a4e6-9de49d1e98c9" class="code_img_opened lazyload" style="display: none" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif">
<div id="cnblogs_code_open_7df0d5bc-0f4d-47b7-a4e6-9de49d1e98c9" class="cnblogs_code_hide">
<pre>apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: deployment1
spec:
replicas: 2
template:
metadata:
 labels:
 name: nginx
spec:
 containers:
 - name: nginx
 image: wangyanglinux/myapp:v1
 imagePullPolicy: IfNotPresent
 ports:
 - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: svc-1
spec:
ports:
- port: 80
 targetPort: 80
 protocol: TCP
selector:
name: nginx</pre>
</div>
pod_service1.yaml</div>
1.2）设置访问的域名
<div class="cnblogs_code"><img id="code_img_closed_c2ccf19f-164f-4068-8b0b-a03ef7546691" class="code_img_closed lazyload" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif"><img id="code_img_opened_c2ccf19f-164f-4068-8b0b-a03ef7546691" class="code_img_opened lazyload" style="display: none" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif">
<div id="cnblogs_code_open_c2ccf19f-164f-4068-8b0b-a03ef7546691" class="cnblogs_code_hide">
<pre>apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress1
spec:
rules:
- host: www1.test.com
 http:
 paths:
 - path: /
 backend:
 serviceName: svc-1
 servicePort: 80</pre>
</div>
ingress1.yaml</div>
访问
<div class="cnblogs_code">
<pre># curl www1.test.com:32116
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a></pre>
</div>
2）设置访问域名 www2.test.com
2.1）创建pod和service
<div class="cnblogs_code"><img id="code_img_closed_e6d5bdb9-7c92-4e98-ab61-43c9b7c9bccc" class="code_img_closed lazyload" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif"><img id="code_img_opened_e6d5bdb9-7c92-4e98-ab61-43c9b7c9bccc" class="code_img_opened lazyload" style="display: none" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif">
<div id="cnblogs_code_open_e6d5bdb9-7c92-4e98-ab61-43c9b7c9bccc" class="cnblogs_code_hide">
<pre>apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: deployment2
spec:
replicas: 2
template:
metadata:
 labels:
 name: nginx2
spec:
 containers:
 - name: nginx2
 image: wangyanglinux/myapp:v2
 imagePullPolicy: IfNotPresent
 ports:
 - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: svc-2
spec:
ports:
- port: 80
 targetPort: 80
 protocol: TCP
selector:
name: nginx2</pre>
</div>
pod_service2.yaml</div>
2.2）设置访问的域名
<div class="cnblogs_code"><img id="code_img_closed_9b7cc73b-5673-4c21-a459-86b7e43173ce" class="code_img_closed lazyload" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif"><img id="code_img_opened_9b7cc73b-5673-4c21-a459-86b7e43173ce" class="code_img_opened lazyload" style="display: none" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif">
<div id="cnblogs_code_open_9b7cc73b-5673-4c21-a459-86b7e43173ce" class="cnblogs_code_hide">
<pre>apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress2
spec:
rules:
- host: www2.test.com
 http:
 paths:
 - path: /
 backend:
 serviceName: svc-2
 servicePort: 80</pre>
</div>
ingress2.yaml</div>
2.3）查看 ingress
<div class="cnblogs_code">
<pre># kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
ingress1 www1.test.com 80 19m
ingress2 www2.test.com 80 19m</pre>
</div>
访问
<div class="cnblogs_code">
<pre># curl www1.test.com:32116
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
# curl www2.test.com:32116
Hello MyApp | Version: v2 | <a href="hostname.html">Pod Name</a></pre>
</div>
 三、使用加密的方式 https://www3.test.com进行访问
1）创建证书 tls-secret 
<div class="cnblogs_code">
<pre>openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/0=nginxsvc"
kubectl create secret tls tls-secret --key tls.key --cert tls.crt</pre>
</div>
2）创建pod和service
<div class="cnblogs_code"><img id="code_img_closed_fbdd88da-0cd8-4e10-a963-57aeeb369581" class="code_img_closed lazyload" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif"><img id="code_img_opened_fbdd88da-0cd8-4e10-a963-57aeeb369581" class="code_img_opened lazyload" style="display: none" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif">
<div id="cnblogs_code_open_fbdd88da-0cd8-4e10-a963-57aeeb369581" class="cnblogs_code_hide">
<pre>apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: deployment3
spec:
replicas: 2
template:
metadata:
 labels:
 name: nginx3
spec:
 containers:
 - name: nginx3
 image: wangyanglinux/myapp:v3
 imagePullPolicy: IfNotPresent
 ports:
 - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: svc-3
spec:
ports:
- port: 80
 targetPort: 80
 protocol: TCP
selector:
name: nginx3</pre>
</div>
pod_service3.yaml</div>
3）设置的访问的域名，加载证书的方式
<div class="cnblogs_code"><img id="code_img_closed_4d5252ef-80a6-4c6a-89ba-5e7a91aea376" class="code_img_closed lazyload" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif"><img id="code_img_opened_4d5252ef-80a6-4c6a-89ba-5e7a91aea376" class="code_img_opened lazyload" style="display: none" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif">
<div id="cnblogs_code_open_4d5252ef-80a6-4c6a-89ba-5e7a91aea376" class="cnblogs_code_hide">
<pre>apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress3
spec:
tls:
- hosts:
 - www3.test.com
 secretName: tls-secret
rules:
- host: www3.test.com
 http:
 paths:
 - path: /
 backend:
 serviceName: svc-3
 servicePort: 80</pre>
</div>
ingress3.yaml</div>
此时访问已经不是 http 服务了，需使用 443 端口对应的端口
4）访问服务
<div class="cnblogs_code">
<pre># kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.97.138.34 <none> 80:32116/TCP,443:30338/TCP 142m</pre>
</div>
 https://www3.test.com:30338 
 四、访问认证
1) 设置访问的认证用户名和密码
<div class="cnblogs_code">
<pre># yum install httpd -y
# mkdir -p basic-auth
# htpasswd -c auth foo
New password:
Re-type new password:
Adding password for user foo
# ll
total 4
-rw-r--r-- 1 root root 42 Nov 11 01:34 auth</pre>
</div>
2）创建  secret 引入认证方式
<div class="cnblogs_code">
<pre># kubectl create secret generic basic-auth --from-file=auth
secret/basic-auth created</pre>
</div>
3）添加域名引入 auth 认证
<div class="cnblogs_code"><img id="code_img_closed_6de14472-4d1e-41a8-9e72-4997b4882a18" class="code_img_closed lazyload" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif"><img id="code_img_opened_6de14472-4d1e-41a8-9e72-4997b4882a18" class="code_img_opened lazyload" style="display: none" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif">
<div id="cnblogs_code_open_6de14472-4d1e-41a8-9e72-4997b4882a18" class="cnblogs_code_hide">
<pre>apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress4
annotations:
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
rules:
- host: auth.test.com
 http:
 paths:
 - path: /
 backend:
 serviceName: svc-2
 servicePort: 80</pre>
</div>
auth_ingress.yaml</div>
此时访问网站内容，需输入用户名，密码
<img alt="" data-src="https://img2018.cnblogs.com/blog/1209248/201911/1209248-20191111014417527-693936760.png">
 
 用户名：foo
密码：xxxxxxx
 五、地址跳转
<div class="cnblogs_code">
<pre>apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: nginx-test
annotations:
nginx.ingress.kubernetes.io/rewrite-target: https://www3.test.com:30338
spec:
rules:
- host: re.test.com
http:
 paths:
 - path: /
 backend:
 serviceName: svc-2
 servicePort: 80</pre>
</div>
访问  re.test.com:32116 跳转到 https://www3.test.com:30338
六、问题。代理的访问端口存在不确定性
<div class="cnblogs_code">
<pre># kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.97.138.34 <none> 80:32116/TCP,443:30338/TCP 3h7m
# kubectl delete -f service-nodeport.yaml
service "ingress-nginx" deleted

# kubectl apply -f service-nodeport.yaml
service/ingress-nginx created
# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.106.225.226 <none> 80:31813/TCP,443:32425/TCP 1s</pre>
</div>
重启了  service-nodeport.yaml 服务，访问的端口将发生变化。
6.1）修改配置文件，固定端口测试
<div class="cnblogs_code">
<pre>apiVersion: v1
kind: Service
metadata:
name: ingress-nginx
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
type: NodePort
ports:
- name: http
 port: 80
 targetPort: 80
 nodePort: 30080
 protocol: TCP
- name: https
 port: 443
 targetPort: 443
 nodePort: 30443
 protocol: TCP
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx

---</pre>
</div>
 测试
<div class="cnblogs_code">
<pre># kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.107.188.157 <none> 80:30080/TCP,443:30443/TCP 2s</pre>
</div>
 通用域名
<div class="cnblogs_code"><img id="code_img_closed_7661b3e8-529b-48bd-b71d-a3c5aa99e544" class="code_img_closed lazyload" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif"><img id="code_img_opened_7661b3e8-529b-48bd-b71d-a3c5aa99e544" class="code_img_opened lazyload" style="display: none" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif">
<div id="cnblogs_code_open_7661b3e8-529b-48bd-b71d-a3c5aa99e544" class="cnblogs_code_hide">
<pre># cat apaas.conf
upstream apaas-infra-http {
 serverapaas-master0001.eniot.io:80;
 serverapaas-master0002.eniot.io:80;
 serverapaas-master0003.eniot.io:80;
 check interval=3000 rise=2 fall=5 timeout=1000 default_down=false type=http port=1936;
 check_http_send "GET /healthz HTTP/1.0\r\n\r\n";
 check_http_expect_alive http_2xx http_3xx;
}
upstream apaas-infra-https {
 serverapaas-master0001.eniot.io:443;
 serverapaas-master0002.eniot.io:443;
 serverapaas-master0003.eniot.io:443;
 check interval=3000 rise=2 fall=5 timeout=1000 default_down=false type=http port=1936;
 check_http_send "GET /healthz HTTP/1.0\r\n\r\n";
 check_http_expect_alive http_2xx http_3xx;
}
server {
listen 80;
server_name *.apaas-gf1.eniot.io;
underscores_in_headers on;
client_max_body_size 100m;
location / {
 proxy_passhttp://apaas-infra-http;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 proxy_connect_timeout 3;
 proxy_send_timeout 9000;
 proxy_read_timeout 9000;
}
}
server {
listen 443 ssl;
server_name *.apaas-gf1.eniot.io;
ssl_certificate /etc/nginx/ssl/Server_wildcard_eniot_io_20180308.cer;
ssl_certificate_key /etc/nginx/ssl/Server_wildcard_eniot_io_20180308.key;
underscores_in_headers on;
location / {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header Host $http_host;
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 proxy_redirect off;
 proxy_ssl_verify off;
 proxy_ssl_session_reuse on;
 proxy_http_version 1.1;
 proxy_pass https://apaas-infra-https;
 proxy_connect_timeout 3;
 proxy_send_timeout 9000;
 proxy_read_timeout 9000;
}
}</pre>
</div>
匹配域名</div>
 *.apaas-ptt1.eniot.io       10.65.54.56 10.65.54.57
<div class="cnblogs_code"><img id="code_img_closed_d65fc69e-8340-49b0-a95e-19d92bb88d45" class="code_img_closed lazyload" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif"><img id="code_img_opened_d65fc69e-8340-49b0-a95e-19d92bb88d45" class="code_img_opened lazyload" style="display: none" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif">
<div id="cnblogs_code_open_d65fc69e-8340-49b0-a95e-19d92bb88d45" class="cnblogs_code_hide">
<pre>新增域名 私有云dns指向 其它环境dns指向其它环境
apaas-ptt1.eniot.io 10.65.54.56 10.65.54.57 10.10.1.42 AWS中国、办公网
*.apaas-ptt1.eniot.io 10.65.54.56 10.65.54.57 10.10.1.42 AWS中国、办公网
apaas-internal.eniot.io 10.65.54.56 10.65.54.57
harbor-cn2.eniot.io 52.80.242.65
falcon-ptt1.eniot.io 10.10.1.42 10.10.1.42 AWS中国、办公网
notice.eniot.io 10.10.1.42

其中：10.65.54.5610.65.54.57 nginx机器</pre>
</div>
View Code</div>
  
来源：https://www.cnblogs.com/linu/p/11832560.html

頁: [1]

琼殿技术论坛's Archiver

k8s的域名访问