2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
I. Background
1.1 Requirements
We have a requirement to upgrade the Pod cluster to https. The current approach configures https on every container and has the front end scheduled through a Service. This is troublesome to configure, and because every container terminates https itself, it also increases the cost of establishing each connection.
What we want instead is for the client to connect to the Service over https while the Service forwards to the back-end Pods over plain http. This greatly simplifies the cluster, so we use another Kubernetes resource, Ingress.
1.2 Ingress
Ingress is a load balancer application. The difference from a Service is that a Service only supports layer 4 load balancing, while Ingress supports layer 7 load balancing (http and https), including routing requests by hostname and by access path.
Then why not just use Nginx directly? Because in a K8S cluster, adding a block to the Nginx configuration every time a service joins is repetitive manual work, and repetitive manual work is exactly what we should eliminate with technology.
Ingress can solve the above problem, which consists of two components, Ingress Controller and Ingress:
Ingress: abstracts the Nginx configuration into an Ingress object; for each new service, you only need to write a new Ingress yaml file.
Ingress Controller: converts the newly added Ingress into an Nginx configuration file and makes it effective. Implementations include Contour, F5, HAProxy, Istio, Kong, Nginx and Traefik; the official recommendation is Nginx.
1.3 Environment
Our cluster consists of three servers. Please see my previous blog post for the deployment documentation.
IP             role
192.168.1.200  k8s-master
192.168.1.201  k8s-node01
192.168.1.202  k8s-node02

[root@master ~]# kubectl get nodes
NAME     STATUS   ROLES    AGE    VERSION
master   Ready    master   117s   v1.13.0
node01   Ready    <none>   52s    v1.13.0
node02   Ready    <none>   42s    v1.13.0

II. Installation and deployment
We only convert the domain name www.wzlinux.com in the architecture diagram above to https.
We build on the official standard deployment script; please refer to the official documentation. The official documentation requires the following command:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml

2.1 Create the backend Pod application
Let's create a Deployment controller, wzlinux-deploy.yaml, with the following contents:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: wzlinux-dep
spec:
  replicas: 3
  template:
    metadata:
      labels:
        run: wzlinux
    spec:
      containers:
      - name: wzlinux
        image: wangzan18/mytest:v1
        ports:
        - containerPort: 8080
After you have created it, view it as follows:
[root@master ingress]# kubectl get pod
NAME                           READY   STATUS    RESTARTS   AGE
wzlinux-dep-78d5d86c7c-fj8f5   1/1     Running   0          53m
wzlinux-dep-78d5d86c7c-hr6gd   1/1     Running   0          53m
wzlinux-dep-78d5d86c7c-jqf59   1/1     Running   0          53m

2.2 Create a backend Pod Service
After verifying that the Pods are running normally, we create a Service for this group of Pods. The contents of wzlinux-svc.yaml are as follows:
apiVersion: v1
kind: Service
metadata:
  name: wzlinux-svc
spec:
  selector:
    run: wzlinux
  ports:
  # the Service port must match the servicePort referenced by the Ingress
  # and the 8080/TCP shown by "kubectl get svc" below
  - port: 8080
    targetPort: 8080
This Service is not used as a proxy to reach the Pods; it is only used by the ingress-controller to select the backend Pods, which is why it is drawn as a dotted line in the figure above.
[root@master ingress]# kubectl get svc
NAME          TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
kubernetes    ClusterIP   10.96.0.1        <none>        443/TCP    58m
wzlinux-svc   ClusterIP   10.106.219.230   <none>        8080/TCP   50m
[root@master ingress]# curl 10.106.219.230:8080
Hello Kubernetes bootcamp! | Running on: wzlinux-dep-78d5d86c7c-fj8f5 | ingress 1

2.3 Create the ingress resource
To filter by hostname and later terminate https, we need to create an Ingress resource; the Ingress controller loads it into nginx. The contents of wzlinux-ingress.yaml are as follows:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: wzlinux-ingress
spec:
  rules:
  - host: www.wzlinux.com
    http:
      paths:
      - path:
        backend:
          serviceName: wzlinux-svc
          servicePort: 8080
We do not switch to https yet; we first use the virtual host (domain name) filtering mode and check the result after creating the resource.
[root@master ingress]# kubectl get ingress
NAME              HOSTS             ADDRESS   PORTS   AGE
wzlinux-ingress   www.wzlinux.com             80      37m
You can see that the domain name www.wzlinux.com is configured; requests for any other host will return 404.
2.4 Create a Service for the Nginx Pod
We can look at the deployed Nginx Pod container; the Ingress resources we created are pushed into it by the controller. View it as follows:
[root@master ingress]# kubectl get pod -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-766c77b7d4-dlcpf   1/1     Running   0          31m
For the public network to reach this Nginx Pod, we need to create another Service for it. The file ingress-nginx.yaml contains the following:
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    nodePort: 30080
  - name: https
    port: 443
    targetPort: 443
    nodePort: 30443
  selector:
    app.kubernetes.io/name: ingress-nginx
To test whether it works, remember to point the domain name at the IP address of a node in /etc/hosts.
[root@master ~]# curl 192.168.1.200:30080
404 Not Found
nginx/1.15.6
[root@master ~]# curl www.wzlinux.com:30080
Hello Kubernetes bootcamp! | Running on: wzlinux-dep-78d5d86c7c-hr6gd | vault 1
You can see that requests for the domain name are scheduled to the backend normally, while requests for any other address return 404. The whole http path is now verified, so let's upgrade it to https.
III. Upgrade to https
3.1 First we need to make a certificate
For the certificate, you can use openssl to create a private (self-signed) certificate. First generate the private key:
openssl genrsa -out wzlinux.key 2048
Then make a self-signed certificate from it:
openssl req -new -x509 -key wzlinux.key -out wzlinux.crt -subj /C=CN/ST=Shanghai/L=Shanghai/O=DevOps/CN=www.wzlinux.com
However, I use Aliyun's official free certificate here, and you can apply to Aliyun.
After the certificate has been issued, you can download it; the download contains both the certificate (public key) and the private key.
3.2 Create the secret resource
You can create it using a yaml file with the file name wzlinux-secret.yaml as follows:
apiVersion: v1
kind: Secret
metadata:
  name: wzlinux-secret
  namespace: default
type: Opaque
data:
  tls.crt: base64 encoded cert
  tls.key: base64 encoded key
Because the base64-encoded certificate and key are too long to paste into a file, we create the Secret directly from the command line instead, which is simpler (kubectl create secret tls also sets the Secret type to kubernetes.io/tls for us).
kubectl create secret tls wzlinux-secret --cert=wzlinux.crt --key=wzlinux.key
View the created secret.
[root@master ingress]# kubectl describe secret wzlinux-secret
Name:         wzlinux-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  1996 bytes
tls.key:  1675 bytes

3.3 Change the ingress resource
Re-edit wzlinux-ingress.yaml and add a tls field that references the Secret:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: wzlinux-ingress
spec:
  tls:
  - hosts:
    - www.wzlinux.com
    secretName: wzlinux-secret
  rules:
  - host: www.wzlinux.com
    http:
      paths:
      - path:
        backend:
          serviceName: wzlinux-svc
          servicePort: 8080

3.4 Browser access verification
Open the browser and visit https://www.wzlinux.com:30443; remember to modify the hosts file so the domain name resolves to a node.
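The checks below are an added example, not part of the original post. They cover two points that the browser test does not show: before running kubectl create secret tls (3.1 and 3.2), confirm that the certificate really belongs to the private key, is not about to expire, and actually names www.wzlinux.com, because the Ingress controller will happily load a mismatched pair and only log an error; and after 3.3, check what the NodePort serves using SNI and the trust anchor, without editing /etc/hosts. The file names, the node IP 192.168.1.200 and port 30443 are taken from this post; openssl and curl on PATH are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a certificate/key
# pair before it becomes a kubernetes.io/tls Secret, and probe what the
# ingress-nginx NodePort actually serves afterwards.
set -eu

# Return 0 if the certificate's public key is the one derived from the
# private key (compares the two DER-encoded public keys by digest).
cert_matches_key() {
  cert="$1"; key="$2"
  c=$(openssl x509 -in "$cert" -noout -pubkey | openssl md5)
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl md5)
  [ "$c" = "$k" ]
}

# Return 0 if the certificate is still valid in $2 seconds (default 30 days),
# so an expiring certificate is caught before it is loaded into the cluster.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

# Return 0 if the hostname appears as the CN or as a DNS subjectAltName.
# Dots in the hostname are matched as regex wildcards, which is good enough
# for a preflight check.
cert_covers_host() {
  cert="$1"; host="$2"
  openssl x509 -in "$cert" -noout -subject -text \
    | grep -Eq "(CN ?= ?|DNS:)${host}"'(,|$|/)'
}

# Run all three checks; prints the first failure and returns non-zero.
preflight() {
  cert="$1"; key="$2"; host="$3"
  cert_matches_key "$cert" "$key" || { echo "FAIL: $key does not match $cert"; return 1; }
  cert_not_expiring "$cert"       || { echo "FAIL: $cert expires within 30 days"; return 1; }
  cert_covers_host "$cert" "$host" || { echo "FAIL: $cert does not cover $host"; return 1; }
  echo "ok: $cert / $key valid for $host"
}

# After the Ingress has its tls section: ask the NodePort for the certificate
# it serves for this SNI name. If the secret was not picked up, ingress-nginx
# serves its own "Kubernetes Ingress Controller Fake Certificate" instead.
served_cert_subject() {
  host="$1"; node_ip="$2"; port="$3"
  printf '' | openssl s_client -connect "$node_ip:$port" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -subject
}

# Fetch over https with the hostname pinned to a node IP (no /etc/hosts edit)
# and the certificate itself as trust anchor; for a CA-issued certificate such
# as the Aliyun one, pass the CA chain file instead of wzlinux.crt.
probe_https() {
  host="$1"; node_ip="$2"; port="$3"; trust="$4"
  curl -sS --resolve "$host:$port:$node_ip" --cacert "$trust" "https://$host:$port/"
}

# Usage against the values from this post (commented out so the file can be
# sourced without a cluster):
#   preflight wzlinux.crt wzlinux.key www.wzlinux.com
#   served_cert_subject www.wzlinux.com 192.168.1.200 30443
#   probe_https www.wzlinux.com 192.168.1.200 30443 wzlinux.crt
```

Run preflight before kubectl create secret tls; if it prints a FAIL line, fix the files rather than the cluster. After kubectl apply of the updated Ingress, served_cert_subject should print a subject containing CN = www.wzlinux.com; a subject mentioning the fake certificate means the Secret name or namespace in the tls section does not match.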
IV. Introduction to Ingress resources
4.1 Filtering by access path

foo.bar.com -> 178.91.123.132 -> / foo    service1:4200
                                 / bar    service2:8080
We set the configuration file as follows:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: simple-fanout-example
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: service1
          servicePort: 4200
      - path: /bar
        backend:
          serviceName: service2
          servicePort: 8080

4.2 Name-based virtual hosting

foo.bar.com --|                 |-> foo.bar.com s1:80
              | 178.91.123.132  |
bar.foo.com --|                 |-> bar.foo.com s2:80
The content format of the configuration file is as follows:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: name-virtual-host-ingress
spec:
  rules:
  - host: first.bar.com
    http:
      paths:
      - backend:
          serviceName: service1
          servicePort: 80
  - host: second.foo.com
    http:
      paths:
      - backend:
          serviceName: service2
          servicePort: 80
  - http:
      paths:
      - backend:
          serviceName: service3
          servicePort: 80

4.3 Https

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tls-example-ingress
spec:
  tls:
  - hosts:
    - sslexample.foo.com
    secretName: testsecret-tls
  rules:
  - host: sslexample.foo.com
    http:
      paths:
      - path: /
        backend:
          serviceName: service1
          servicePort: 80