Shulou(Shulou.com)06/03 Report--

In this issue, the editor will bring you the installation, configuration and use of nginx-based ingress. The article is rich in content. I hope you can get something after reading this article. 1. Brief introduction to Ingress

An API object that manages external access to the services in a cluster, typically HTTP.

Ingress can provide load balancing, SSL termination and name-based virtual hosting.

Citing the official introduction on ingress, we can see that ingress is an api object that exposes kubernetes internal services through http protocol, that is, acting as an Edge Router border router, which is based on layer 7 load balancing scheduling mechanism, and can provide the following functions:

Load balancer, automatically load balancing requests to the backend Pod; SSL encryption, client-to-Ingress Controller encryption for https, and back-end Pod for plaintext http; name-based virtual host, providing more flexible routing based on domain name or URI

The components that implement Ingress include:

Ingress, the client, is responsible for defining the ingress configuration and forwarding requests to Ingress Controller The Ingress Controller,Ingress controller, which implements layer 7 forwarding Edge Router, dynamically updates the configuration file and reloads the configuration file by calling the api of K8s to dynamically sense the changes of Pod in the cluster. Controller needs to be deployed in the K8s cluster to communicate with pod in the cluster, usually in the form of DaemonSets or Deployments, and exposes ports 80 and 443. For DaemonSets, it is generally exposed in the form of hostNetwork or hostPort, while Deployments is exposed as NodePort. Multiple nodes of the controller use external load balancing ExternalLB to achieve unified access. Ingress configuration rules, Controller controller dynamically implements back-end Pod routing and forwarding rules through service service discovery mechanism; load balancing scheduling mechanism in Service,kuberntes, Ingress realizes dynamic perception of Pod resources in the cluster with the help of service service discovery mechanism; Pod, the backend is actually responsible for responding to the request container, which is created by controllers such as Deployment and associated with Labels and service tags to discover services.

In short, the ingress controller implements the dynamic update of the configuration with the help of the service discovery mechanism of service to realize the load balancing mechanism of Pod. Because it involves the dynamic update of Ingress Controller, the current community Ingress Controller generally includes two types of controllers:

Traditional seven-layer load balancers, such as Nginx,HAproxy, have developed plug-ins for micro-service applications, which have the advantages of maturity and high performance, while new micro-service load balancers, such as Traefik,Envoy,Istio, are specially suitable for micro-service + containerized application scenarios and have the characteristics of dynamic update. Traditional load balancer nginx,haproxy is mature, stable, high-performance dynamic update requires reload profile micro-service load balancing Traefik,Envoy,Istio is born for micro-service, dynamic update performance needs to be improved 2. Nginx Ingress2.1 Nginx ingress introduction

By default, pods of Kubernetes services are not accessible from the external network, but only by other pods within the Kubernetes cluster. Kubernetes has a built-in configuration for HTTP load balancing, called Ingress, that defines rules for external connectivity to Kubernetes services. Users who need to provide external access to their Kubernetes services create an Ingress resource that defines rules, including the URI path, backing service name, and other information. The Ingress controller can then automatically program a frontend load balancer to enable Ingress configuration. The NGINX Ingress Controller for Kubernetes is what enables Kubernetes to configure NGINX and NGINX Plus for load balancing Kubernetes services.

Nginx Ingress Controller is a concrete implementation of ingress, including two versions: Ngnix OSS and Nginx Plus, the latter is a commercial enhanced version that supports more features. For more information, please refer to the official documentation to introduce https://www.nginx.com/products/nginx/kubernetes-ingress-controller#compare-versions.

2.2 Nginx ingress installation

First of all, you need to install the Nginx Ingress Controller controller, which can be installed in two ways: DaemonSets and Deployments.

DaemonSets exposes ports 80 and 443 through hostPort, which can be dispatched by Node and deployed by dedicated nodes. Deployments can be deployed through NodePort to expose controller ports and achieve high availability load balancing with external load balancing.

In addition, resources such as Namespace,ServiceAccount,RBAC,Secrets,Custom Resource Definitions need to be deployed, as shown below.

2.2.1 basic dependent environment preparation

1. Download the source package in github, and install the deployment files in the kubernetes-ingress/deployments/ directory.

[root@node-1 ~] # git clone https://github.com/nginxinc/kubernetes-ingress.git[root@node-1 ~] # tree kubernetes-ingress/deployments/kubernetes-ingress/deployments/ ├── common │ ├── custom-resource-definitions.yaml Custom Resources │ ├── default-server-secret.yaml Secrets │ ├── nginx-config.yaml │ └── ns-and-sa.yaml Namspace+ServiceAccount ├── daemon-set │ ├── nginx-ingress.yaml DaemonSets controller │ └── nginx-plus-ingress.yaml ├── deployment │ ├── nginx-ingress.yaml Deployments controller │ └── nginx-plus-ingress.yaml ├── helm-chart Helm installation package │ ├── chart-icon.png │ ├ ── Chart.yaml │ ├── README.md │ ├── templates │ │ ├── controller-configmap.yaml │ │ ├── controller-custom-resources.yaml │ │ ├── controller-daemonset.yaml │ │ ├── controller-deployment.yaml │ │ controller-leader-election-configmap.yaml controller-secret.yaml Controller-serviceaccount.yaml │ │ ├── controller-service.yaml │ │ ├── controller-wildcard-secret.yaml │ │ ├── _ helpers.tpl │ │ ├── NOTES.txt │ │ └── rbac.yaml │ ├── values-icp.yaml │ ├── values-plus.yaml values.yaml rbac RBAC Certification Authorization │ └── rbac.yaml ├── README.md └── service Service defines ├── loadbalancer-aws-elb.yaml ├── loadbalancer.yaml DaemonSets exposure Service └── nodeport.yaml Deployments exposure Service

2. Create Namespace and ServiceAccount, kubectl apply-f common/default-server-secret.yaml

ApiVersion: v1kind: Namespacemetadata: name: nginx-ingress-apiVersion: v1kind: ServiceAccountmetadata: name: nginx-ingress namespace: nginx-ingress

3. Create Secrets self-signed certificate, kubectl apply-f common/default-server-secret.yaml

ApiVersion: v1kind: Secretmetadata: name: default-server-secret namespace: nginx-ingresstype: Opaquedata: tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN2akNDQWFZQ0NRREFPRjl0THNhWFhEQU5CZ2txaGtpRzl3MEJBUXNGQURBaE1SOHdIUVlEVlFRRERCWk8KUjBsT1dFbHVaM0psYzNORGIyNTBjbTlzYkdWeU1CNFhEVEU0TURreE1qRTRNRE16TlZvWERUSXpNRGt4TVRFNApNRE16TlZvd0lURWZNQjBHQTFVRUF3d1dUa2RKVGxoSmJtZHlaWE56UTI5dWRISnZiR3hsY2pDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUwvN2hIUEtFWGRMdjNyaUM3QlBrMTNpWkt5eTlyQ08KR2xZUXYyK2EzUDF0azIrS3YwVGF5aGRCbDRrcnNUcTZzZm8vWUk1Y2Vhbkw4WGM3U1pyQkVRYm9EN2REbWs1Qgo4eDZLS2xHWU5IWlg0Rm5UZ0VPaStlM2ptTFFxRlBSY1kzVnNPazFFeUZBL0JnWlJVbkNHZUtGeERSN0tQdGhyCmtqSXVuektURXUyaDU4Tlp0S21ScUJHdDEwcTNRYzhZT3ExM2FnbmovUWRjc0ZYYTJnMjB1K1lYZDdoZ3krZksKWk4vVUkxQUQ0YzZyM1lma1ZWUmVHd1lxQVp1WXN2V0RKbW1GNWRwdEMzN011cDBPRUxVTExSakZJOTZXNXIwSAo1TmdPc25NWFJNV1hYVlpiNWRxT3R0SmRtS3FhZ25TZ1JQQVpQN2MwQjFQU2FqYzZjNGZRVXpNQ0F3RUFBVEFOCkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWpLb2tRdGRPcEsrTzhibWVPc3lySmdJSXJycVFVY2ZOUitjb0hZVUoKdGhrYnhITFMzR3VBTWI5dm15VExPY2xxeC9aYzJPblEwMEJCLzlTb0swcitFZ1U2UlVrRWtWcitTTFA3NTdUWgozZWI4dmdPdEduMS9ienM3bzNBaS9kclkrcUI5Q2k1S3lPc3FHTG1US2xFaUtOYkcyR1ZyTWxjS0ZYQU80YTY3Cklnc1hzYktNbTQwV1U3cG9mcGltU1ZmaXFSdkV5YmN3N0NYODF6cFErUyt1eHRYK2VBZ3V0NHh4VlI5d2IyVXYKelhuZk9HbWhWNThDd1dIQnNKa0kxNXhaa2VUWXdSN0diaEFMSkZUUkk3dkhvQXprTWIzbjAxQjQyWjNrN3RXNQpJUDFmTlpIOFUvOWxiUHNoT21FRFZkdjF5ZytVRVJxbStGSis2R0oxeFJGcGZnPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdi91RWM4b1JkMHUvZXVJTHNFK1RYZUprckxMMnNJNGFWaEMvYjVyYy9XMlRiNHEvClJOcktGMEdYaVN1eE9ycXgrajlnamx4NXFjdnhkenRKbXNFUkJ1Z1B0ME9hVGtIekhvb3FVWmcwZGxmZ1dkT0EKUTZMNTdlT1l0Q29VOUZ4amRXdzZUVVRJVUQ4R0JsRlNjSVo0b1hFTkhzbysyR3VTTWk2Zk1wTVM3YUhudzFtMApxWkdvRWEzWFNyZEJ6eGc2clhkcUNlUDlCMXl3VmRyYURiUzc1aGQzdUdETDU4cGszOVFqVUFQaHpxdmRoK1JWClZGNGJCaW9CbTVpeTlZTW1hWVhsMm0wTGZzeTZuUTRRdFFzdEdNVWozcGJtdlFmazJBNnljeGRFeFpkZFZsdmwKMm82MjBsMllxcHFDZEtCRThCay90elFIVTlKcU56cHpoOUJUTXdJREFRQUJBb0lCQVFDZklHbXowOHhRVmorNwpLZnZJUXQwQ0YzR2MxNld6eDhVNml4MHg4Mm15d1kxUUNlL3BzWE9LZlRxT1h2SENyUlp5TnUvZ2IvUUQ4bUFOCmxOMjRZTWl0TWRJODg5TEZoTkp3QU5OODJDeTczckM5bzVvUDlkazAvYzRIbjAzSkVYNzZ5QjgzQm9rR1FvYksKMjhMNk0rdHUzUmFqNjd6Vmc2d2szaEhrU0pXSzBwV1YrSjdrUkRWYmhDYUZhNk5nMUZNRWxhTlozVDhhUUtyQgpDUDNDeEFTdjYxWTk5TEI4KzNXWVFIK3NYaTVGM01pYVNBZ1BkQUk3WEh2dXFET1lvMU5PL0JoSGt1aVg2QnRtCnorNTZud2pZMy8yUytSRmNBc3JMTnIwMDJZZi9oY0IraVlDNzVWYmcydVd6WTY3TWdOTGQ5VW9RU3BDRkYrVm4KM0cyUnhybnhBb0dCQU40U3M0ZVlPU2huMVpQQjdhTUZsY0k2RHR2S2ErTGZTTXFyY2pOZjJlSEpZNnhubmxKdgpGenpGL2RiVWVTbWxSekR0WkdlcXZXaHFISy9iTjIyeWJhOU1WMDlRQ0JFTk5jNmtWajJTVHpUWkJVbEx4QzYrCk93Z0wyZHhKendWelU0VC84ajdHalRUN05BZVpFS2FvRHFyRG5BYWkyaW5oZU1JVWZHRXFGKzJyQW9HQkFOMVAKK0tZL0lsS3RWRzRKSklQNzBjUis3RmpyeXJpY05iWCtQVzUvOXFHaWxnY2grZ3l4b25BWlBpd2NpeDN3QVpGdwpaZC96ZFB2aTBkWEppc1BSZjRMazg5b2pCUmpiRmRmc2l5UmJYbyt3TFU4NUhRU2NGMnN5aUFPaTVBRHdVU0FkCm45YWFweUNweEFkREtERHdObit3ZFhtaTZ0OHRpSFRkK3RoVDhkaVpBb0dCQUt6Wis1bG9OOTBtYlF4VVh6YUwKMjFSUm9tMGJjcndsTmVCaWNFSmlzaEhYa2xpSVVxZ3hSZklNM2hhUVRUcklKZENFaHFsV01aV0xPb2I2NTNyZgo3aFlMSXM1ZUtka3o0aFRVdnpldm9TMHVXcm9CV2xOVHlGanIrSWhKZnZUc0hpOGdsU3FkbXgySkJhZUFVWUNXCndNdlQ4NmNLclNyNkQrZG8wS05FZzFsL0FvR0FlMkFVdHVFbFNqLzBmRzgrV3hHc1RFV1JqclRNUzRSUjhRWXQKeXdjdFA4aDZxTGxKUTRCWGxQU05rMXZLTmtOUkxIb2pZT2pCQTViYjhibXNVU1BlV09NNENoaFJ4QnlHbmR2eAphYkJDRkFwY0IvbEg4d1R0alVZYlN5T294ZGt5OEp0ek90ajJhS0FiZHd6NlArWDZDODhjZmxYVFo5MWpYL3RMCjF3TmRKS2tDZ1lCbyt0UzB5TzJ2SWFmK2UwSkN5TGhzVDQ5cTN3Zis2QWVqWGx2WDJ1VnRYejN5QTZnbXo5aCsKcDNlK2JMRUxwb3B0WFhNdUFRR0xhUkcrYlNNcjR5dERYbE5ZSndUeThXczNKY3dlSTdqZVp2b0ZpbmNvVlVIMwphdmxoTUVCRGYxSjltSDB5cDBwWUNaS2ROdHNvZEZtQktzVEtQMjJhTmtsVVhCS3gyZzR6cFE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=

4. Create a custom configuration file for ConfigMap, kubectl apply-f common/nginx-config.yaml

Kind: ConfigMapapiVersion: v1metadata: name: nginx-config namespace: nginx-ingressdata:

5. Define custom resources for virtual CVM and virtual CVM routing, and support custom virtual host and virtual routing, kubectl apply-f common/custom-resource-definitions.yaml

ApiVersion: apiextensions.k8s.io/v1beta1kind: CustomResourceDefinitionmetadata: name: virtualservers.k8s.nginx.orgspec: group: k8s.nginx.org versions:-name: v1 served: true storage: true scope: Namespaced names: plural: virtualservers singular: virtualserver kind: VirtualServer shortNames:-vs---apiVersion: apiextensions.k8s.io/v1beta1kind: CustomResourceDefinitionmetadata: name: virtualserverroutes.k8s.nginx.orgspec: group: k8s.nginx.org versions:-name: v1 served: true storage: true Scope: Namespaced names: plural: virtualserverroutes singular: virtualserverroute kind: VirtualServerRoute shortNames:-vsr

6. Configure RBAC authentication and authorization to enable ingress controller to access other resources in the cluster, kubectl apply-f rbac/rbac.yaml

Kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1beta1metadata: name: nginx-ingressrules:- apiGroups:-"resources:-services-endpoints verbs:-get-list-watch- apiGroups: -" resources:-secrets verbs:-get-list-watch- apiGroups:-"" resources:-configmaps verbs:-get-list-watch- update-create- apiGroups:-"" resources:-pods verbs :-list-watch- apiGroups:-"" resources:-events verbs:-create-patch- apiGroups:-extensions resources:-ingresses verbs:-list-watch- get- apiGroups:-"extensions" resources:-ingresses/status verbs:-update- apiGroups:-k8s.nginx.org resources:-virtualservers-virtualserverroutes verbs:-list-watch- get---kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1beta1metadata: Name: nginx-ingresssubjects:- kind: ServiceAccount name: nginx-ingress namespace: nginx-ingressroleRef: kind: ClusterRole name: nginx-ingress apiGroup: rbac.authorization.k8s.io2.2.2 deploy Ingress Controller

1. Deploy the controller, which can be deployed in the form of DaemonSets and Deployment. The following is the configuration file of DaemonSets.

ApiVersion: apps/v1kind: DaemonSetmetadata: name: nginx-ingress namespace: nginx-ingressspec: selector: matchLabels: app: metadata: metadata: labels: nginx-ingress # annotations: # prometheus.io/scrape: "true" # prometheus.io/port: "9113" spec: serviceAccountName: nginx-ingress containers:-image: nginx/nginx-ingress:edge ImagePullPolicy: Always name: nginx-ingress ports:-name: http containerPort: 80 hostPort: 80 # expose ports by hostPort-name: https containerPort: 443 hostPort: 443 #-name: prometheus # containerPort: 9113 securityContext: allowPrivilegeEscalation: true runAsUser: 101 # nginx Capabilities: drop:-ALL add:-NET_BIND_SERVICE env:-name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace-name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name args: -- nginx-configmaps=$ (POD_NAMESPACE) / nginx-config-- default-server-tls-secret=$ (POD_NAMESPACE) / default-server-secret #-- vault 3 # Enables extensive logging. Useful for troubleshooting. #-report-ingress-status #-external-service=nginx-ingress #-enable-leader-election #-enable-prometheus-metrics

Configuration file for Deployments

ApiVersion: apps/v1kind: Deploymentmetadata: name: nginx-ingress namespace: nginx-ingressspec: replicas: 1 # number of copies selector: matchLabels: app: nginx-ingress template: metadata: labels: app: nginx-ingress # annotations: # prometheus.io/scrape: "true" # prometheus.io/port: "9113" spec: serviceAccountName: nginx- Ingress containers:-image: nginx/nginx-ingress:edge imagePullPolicy: Always name: nginx-ingress ports: # internally exposed service port Need to expose to the outside through NodePort-name: http containerPort: 80-name: https containerPort: 443 #-name: prometheus # containerPort: 9113 securityContext: allowPrivilegeEscalation: true runAsUser: 101 # nginx capabilities: drop:-ALL add:-NET_BIND _ SERVICE env:-name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace-name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name args:-- nginx-configmaps=$ (POD_NAMESPACE) / nginx-config-- default-server-tls-secret=$ ( POD_NAMESPACE) / default-server-secret #-vault 3 # Enables extensive logging. Useful for troubleshooting. #-report-ingress-status #-external-service=nginx-ingress #-enable-leader-election #-enable-prometheus-metrics

2. We deploy in the form of DaemonSets. Each node in the DaemonSet deployment cluster is peer-to-peer. If there is an external LoadBalancer, it is routed to the Ingress through external load balancing.

[root@node-1 deployments] # kubectl apply-f daemon-set/nginx-ingress.yaml daemonset.apps/nginx-ingress created [root @ node-1 deployments] # kubectl get daemonsets-n nginx-ingressNAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGEnginx-ingress 3 3 3 15s [root @ node-1 ~] # kubectl get pods-n nginx -ingress- o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATESnginx-ingress-7mpfc 1 Running 0 2m44s 10.244.0.50 node-1 nginx-ingress-l2rtj 1 Running 0 2m44s 10.244.1.144 node-2 nginx-ingress-tgf6r 1 Running 0 2m44s 10.244.2.160 node-3

3. Verify the installation of Nginx Ingress. In this case, all three nodes are peer-to-peer, that is, access to any node can achieve the same effect, and unified entry can achieve the same effect through external load balancers. If you execute kubectl apply-f service/loadbalancer.yaml in the cloud environment to create external load balancers to achieve ingress scheduling, self-built ones can be accessed through load balancers such as lvs or nginx. Readers can study them on their own.

Note: if you deploy as Deployments, you need to execute service/nodeport.yaml to create a Service of type NodePort, which is similar to DaemonSets.

3. Ingress resource definition

The above chapter has installed a Nginx Ingress Controller controller, with the Ingress controller, we can define Ingress resources to achieve seven layers of load forwarding, in general, Ingress supports three ways of use: 1. Based on virtual host forwarding, 2. Based on virtual machine host URI forwarding, 3. TLS encryption forwarding is supported.

3.1 Ingress definition

1. For environment preparation, first create a Deployment application for nginx, including 2 replicas

[root@node-1 ~] # kubectl run ingress-demo-- image=nginx:1.7.9-- port=80-- replicas= 2 [root @ node-1 ~] # kubectl get deploymentsNAME READY UP-TO-DATE AVAILABLE AGEingress-demo 2amp 2 2 2 116s

2. Expose the service port by service

[root@node-1 ~] # kubectl expose deployment ingress-demo-- port=80-- protocol=TCP-- target-port=80service/ingress-demo exposed [root @ node-1 ~] # kubectl get services NAME TYPE CLUSTER-IP EXTERNAL-IP PORT (S) AGEingress-demo ClusterIP 10.109.33.91 80/TCP 2m15s

3. A service has been created in the above two steps. As follows, we define an ingress object that will be forwarded to the service ingress-demo, and specify the controller type as nginx through ingress.class.

[root@node-1 nginx-ingress] # cat nginx-ingress-demo.yaml apiVersion: extensions/v1beta1kind: Ingressmetadata: name: nginx-ingress-demo labels: ingres-controller: nginx annotations: kubernets.io/ingress.class: rules:-host: www.happylau.cn http: paths:-path: / backend: serviceName: ingress-demo servicePort: 80

4. Create an ingress object

[root@node-1 nginx-ingress] # kubectl apply-f nginx-ingress-demo.yaml ingress.extensions/nginx-ingress-demo created View ingress resource list [root@node-1 nginx-ingress] # kubectl get ingressesNAME HOSTS ADDRESS PORTS AGEnginx-ingress-demo www.happylau.cn 80 4m4s

5. Check the details of ingress. You can see the list of backend Pod in Rules rules, and automatically discover and associate relevant Pod.

[root@node-1 ~] # kubectl describe ingresses nginx-ingress-demoName: nginx-ingress-demoNamespace: defaultAddress: Default backend: default-http-backend:80 () Rules: Host Path Backends-www.happylau.cn / ingress-demo:80 ( 10.244.1.146 apiVersion 80) Annotations: kubectl.kubernetes.io/last-applied-configuration: {"apiVersion": "extensions/v1beta1" "kind": "Ingress", "metadata": {"annotations": {"kubernets.io/ingress.class": "nginx"}, "labels": {"ingres-controller": "nginx"}, "name": "nginx-ingress-demo", "namespace": "default"}, "spec": {"rules": [{"host": "www.happylaulab.cn", "http": {"paths": [{"backend": {"serviceName": "ingress-demo", "servicePort": 80}} "path": "/"}]}} kubernets.io/ingress.class: nginxEvents: Type Reason Age From Message-Normal AddedOrUpdated 9m7s nginx-ingress-controller Configuration for default/nginx-ingress-demo was added or updated Normal AddedOrUpdated 9m7s nginx- Ingress-controller Configuration for default/nginx-ingress-demo was added or updated Normal AddedOrUpdated 9m7s nginx-ingress-controller Configuration for default/nginx-ingress-demo was added or updated

6. Test and verify that the configuration information of the ingress rule has been injected into the Ingress Controller, and the Ingress Controller in the environment is deployed in the cluster as DaemonSets. If there is an external load balancer, the address of the www.happylau.cn domain name is resolved to the load balancer VIP. Since no load balancer has been set up in the test environment, parsing hosts to execute node-1,node-2 or node-3 any IP can achieve the same function.

The parsing of the above test is normal, but it can also be resolved to the IP of node-1 and node-2, as follows:

[root@node-1] # curl-I http://www.happylau.cn-- resolve www.happylau.cn:80:10.254.100.101HTTP/1.1 200 OKServer: nginx/1.17.6Date: Tue, 24 Dec 2019 10:32:22 GMTContent-Type: text/htmlContent-Length: 612Connection: keep-aliveLast-Modified: Tue 23 Dec 2014 16:25:09 GMTETag: "54999765-2014" Accept-Ranges: [root @ node-1 ~] # curl-I http://www.happylau.cn-- resolve www.happylau.cn:80:10.254.100.102HTTP/1.1 200 OKServer: nginx/1.17.6Date: Tue, 24 Dec 2019 10:32:24 GMTContent-Type: text/htmlContent-Length: 612Connection: keep-aliveLast-Modified: Tue 23 Dec 2014 16:25:09 GMTETag: "54999765-264" Accept-Ranges: bytes3.2 Ingress dynamic configuration

The above section introduces the declared configuration of the ingress resource object. In this chapter, we explore the implementation mechanism of Nginx Ingress Controller and the dynamic configuration update mechanism to facilitate understanding of the working mechanism of the Ingress controller.

1. View the configuration file of the Nginx Controller controller, and store the configuration file of ingress in nginx-ingress pod

[root@node-1 ~] # kubectl get pods-n nginx-ingress NAME READY STATUS RESTARTS AGEnginx-ingress-7mpfc 1 nginx-ingress NAME READY STATUS RESTARTS AGEnginx-ingress-7mpfc 1 Running 0 6h25mnginx-ingress-l2rtj 1 Running 0 6h25mnginx-ingress-tgf6r 1 Running 0 6h25m# View the configuration file, and each ingress generates a configuration file The name of the file is: namespace-ingres name. Confu [root @ node-1 ~] # kubectl exec-it nginx-ingress-7mpfc-n nginx-ingress--ls-l / etc/nginx/conf.dtotal 4When Rwashi Rafael-1 nginx nginx 1005 Dec 24 10:06 default-nginx-ingress-demo.conf# View the configuration file [root@node-1 ~] # kubectl exec-it nginx-ingress-7mpfc-n nginx-ingress--cat / etc/nginx/conf.d Configuration of / default-nginx-ingress-demo.conf# configuration for default/nginx-ingress-demo#upstream The least_conn algorithm is used to dynamically identify the back-end Podupstream default-nginx-ingress-demo-www.happylau.cn-ingress-demo-80 {zone default-nginx-ingress-demo-www.happylau.cn-ingress-demo-80 256k through the service service discovery mechanism. Random two least_conn; server 10.244.1.146 max_fails=1 fail_timeout=10s max_conns=0; 80 max_fails=1 fail_timeout=10s max_conns=0; server 10.244.2.162 max_fails=1 fail_timeout=10s max_conns=0;} server {listen 80; server_tokens on; server_name www.happylau.cn; location / {proxy_http_version 1.1; proxy_connect_timeout 60s; proxy_read_timeout 60s; proxy_send_timeout 60s Client_max_body_size 1m; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $scheme; proxy_buffering on Proxy_pass http://default-nginx-ingress-demo-www.happylau.cn-ingress-demo-80; # calls upstream to implement proxy}}

From the above view of the configuration file, we can see that Nginx Ingress Controller actually generates the corresponding nginx configuration file according to the ingress rules to achieve the function of proxy forwarding. What will happen to the nginx configuration file when the number of copies added to Deployments is changed?

2. Update the number of copies of the controller, expanding the capacity from 2 Pod copies to 3.

[root@node-1 ~] # kubectl scale-- replicas=3 deployment ingress-demo deployment.extensions/ingress-demo scaled [root @ node-1 ~] # kubectl get deploymentsNAME READY UP-TO-DATE AVAILABLE AGEingress-demo 3max 3 3 3 123m

3. Check the configuration file of nginx again. Ingress automatically adds the joined Pod to nginx upstream with the help of service's service discovery mechanism.

4. Check the nginx pod log (kubectl logs nginx-ingress-7mpfc-n nginx-ingress), and there is a record of reload's graceful restart, that is, the configuration is dynamically updated by updating the configuration file + reload.

From the above configuration, ingress calls kubernetes api to perceive the changes in the kubernetes cluster, the increase or decrease of Pod, and then dynamically updates the nginx ingress controller configuration file and reloads the configuration. When the cluster size is larger, it will frequently involve configuration file changes and overloading, so nginx will have inherent disadvantages, especially for micro-service load balancers, such as Traefik,Envoy,Istio, these load balancing tools can provide large-scale, frequently dynamic update scenarios, but there are still some disadvantages compared with Nginx,HAproxy. In the following chapters, we will introduce other Ingress controllers.

3.3 Ingress path forwarding

Ingress supports forwarding in URI format as well as URL rewriting. Take two service as examples. Service-1 installs nginx,service-2, installs httpd, and forwards to two different service using http://demo.happylau.cn/news and http://demo.happylau.cn/sports, respectively.

1. Prepare the environment, create two applications and implement service exposure. Specify-- explose to create service when creating deployments

[root@node-1 ~] # kubectl run service-1-- image=nginx:1.7.9-- port=80-- replicas=1-- expose=true service/service-1 createddeployment.apps/service-1 created [root @ node-1 ~] # kubectl run service-2-- image=httpd-- port=80-- replicas=1-- expose=true service/service-2 createddeployment.apps/service-2 created View deployment status [root@node-1 ~] # kubectl get deployments NAME READY UP-TO-DATE AVAILABLE AGEingress-demo 4 4h46mservice-1 4 4 4 1 1 1 65sservice-2 1 65sservice-2 1 1 1 52s View service status Service is normal [root@node-1 ~] # kubectl get services NAME TYPE CLUSTER-IP EXTERNAL-IP PORT (S) AGEingress-demo ClusterIP 10.109.33.91 80/TCP 4h46mkubernetes ClusterIP 10.96.0.1 443/TCP 101dservice-1 ClusterIP 10.106.245.71 80/TCP 68sservice-2 ClusterIP 10 .104.204.158 80/TCP 55s

2. Create an ingress object and forward the request to the two service at the back end through a domain name.

[root@node-1 nginx-ingress] # cat nginx-ingress-uri-demo.yaml apiVersion: extensions/v1beta1kind: Ingressmetadata: name: nginx-ingress-uri-demo labels: ingres-controller: nginx annotations: kubernets.io/ingress.class: nginx nginx.ingress.kubernetes.io/rewrite-target: / spec: rules:-host: demo.happylau.cn http: paths:-path: / news backend: serviceName: service -1 servicePort: 80-path: / sports backend: serviceName: service-2 servicePort: 80

3. Create ingress rules and view details

[root@node-1 nginx-ingress] # kubectl apply-f nginx-ingress-uri-demo.yaml ingress.extensions/nginx-ingress-uri-demo created# View details [root@node-1 nginx-ingress] # kubectl get ingresses.NAME HOSTS ADDRESS PORTS AGEnginx-ingress-demo www.happylau.cn 80 4h45mnginx-ingress-uri-demo demo.happylau.cn 80 4s [root @ node-1 nginx-ingress] # kubectl describe ingresses nginx-ingress-uri-demoName: nginx-ingress-uri-demoNamespace: defaultAddress: Default backend: default-http-backend:80 () Rules: # corresponding forwarding url rule Host Path Backends-demo. Happylau.cn / news service-1:80 (10.244.2.163Annotations 80) / sports service-2:80 (10.244.1.148VR 80) Annotations: kubectl.kubernetes.io/last-applied-configuration: {"apiVersion": "extensions/v1beta1" "kind": "Ingress", "metadata": {"annotations": {"kubernets.io/ingress.class": "nginx", "nginx.ingress.kubernetes.io/rewrite-target": "/"}, "labels": {"ingres-controller": "nginx"}, "name": "nginx-ingress-uri-demo", "namespace": "default"}, "spec": {"rules": [{"host": "demo.happylau.cn" "http": {"paths": [{"backend": {"serviceName": "service-1", "servicePort": 80}, "path": "/ news"}, {"backend": {"serviceName": "service-2", "servicePort": 80} "path": "/ sports"}]}} kubernets.io/ingress.class: nginx nginx.ingress.kubernetes.io/rewrite-target: / Events: Type Reason Age From Message-Normal AddedOrUpdated 11s nginx-ingress-controller Configuration for default/nginx-ingress-uri-demo was added or updated Normal AddedOrUpdated 11s nginx-ingress-controller Configuration for default/nginx-ingress-uri-demo was added or updated Normal AddedOrUpdated 11s nginx-ingress-controller Configuration for default/nginx-ingress-uri-demo was added or updated

4. Prepare for the test and create the corresponding path in the site.

[root@node-1 ~] # kubectl exec-it service-1-7b66bf758f-xj9jh / bin/bashroot@service-1-7b66bf758f-xj9jh:/# echo "service-1 website page" > / usr/share/nginx/html/news [root@node-1 ~] # kubectl exec-it service-2-7c7444684d-w9cv9 / bin/bashroot@service-2-7c7444684d-w9cv9:/usr/local/apache2# echo "service-2 website page" > / usr/local/apache2/htdocs/sports

5. Test and verification

[root@node-1 ~] # curl http://demo.happylau.cn/news-- resolve demo.happylau.cn:80:10.254.100.101service-1 website page [root @ node-1 ~] # curl http://demo.happylau.cn/sports-- resolve demo.happylau.cn:80:10.254.100.101service-2 website page

6. Through the above verification tests, we can know that ingress supports routing forwarding of URI. What is the corresponding configuration file content in ingress? let's see that ingress controller generates the corresponding nginx configuration file content, which is actually realized through ingress's location. Different localtion is forwarded to different upstream to achieve service association. The configuration file is as follows:

[root@node-1 ~] # kubectl exec-it nginx-ingress-7mpfc-n nginx-ingress / bin/bashnginx@nginx-ingress-7mpfc:/$ cat / etc/nginx/conf.d/default-nginx-ingress-uri-demo.conf | grep-v "^ $" # configuration for default/nginx-ingress-uri-demo# defines two upstream and backend service associations upstream default-nginx-ingress-uri-demo-demo.happylau.cn-service-1-80 {zone default-nginx-ingress- Uri-demo-demo.happylau.cn-service-1-80 256k Random two least_conn; server 10.244.2.163upstream default-nginx-ingress-uri-demo-demo.happylau.cn-service-2 80 max_fails=1 fail_timeout=10s max_conns=0;} upstream default-nginx-ingress-uri-demo-demo.happylau.cn-service-2-80 {zone default-nginx-ingress-uri-demo-demo.happylau.cn-service-2-80 256k; random two least_conn; server 10.244.1.148VR 80 max_fails=1 fail_timeout=10s max_conns=0;} server {listen 80; server_tokens on Server_name demo.happylau.cn; # defines the location implementation proxy, which associates location / news {proxy_http_version 1.1; proxy_connect_timeout 60s; proxy_read_timeout 60s; proxy_send_timeout 60s; client_max_body_size 1m; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr through proxy_pass and backend service Proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $scheme; proxy_buffering on; proxy_pass http://default-nginx-ingress-uri-demo-demo.happylau.cn-service-1-80; } location / sports {proxy_http_version 1.1; proxy_connect_timeout 60s; proxy_read_timeout 60s; proxy_send_timeout 60s; client_max_body_size 1m; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for Proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $scheme; proxy_buffering on; proxy_pass http://default-nginx-ingress-uri-demo-demo.happylau.cn-service-2-80;}} 3.4 Ingress virtual host

Ingress supports name-based virtual hosts, which can be forwarded by multiple domain names in a single IP. It can be distinguished by carrying the host name in the request header, delete the ingress in the previous chapter, and use service-1 and service-2 service to demonstrate.

1. Create ingress rules and implement forwarding rules through hostname

ApiVersion: extensions/v1beta1kind: Ingressmetadata: name: nginx-ingress-virtualname-demo labels: ingres-controller: nginx annotations: kubernets.io/ingress.class: nginxspec: rules:-host: news.happylau.cn http: paths:-path: / backend: serviceName: service-1 servicePort: 80-host: sports.happylau.cn http: paths:-path: / Backend: serviceName: service-2 servicePort: 80

2. Generate ingress rules and view details. One ingress corresponds to two HOSTS

[root@node-1 nginx-ingress] # kubectl apply-f nginx-ingress-virtualname.yaml ingress.extensions/nginx-ingress-virtualname-demo created# View list [root@node-1 nginx-ingress] # kubectl get ingresses nginx-ingress-virtualname-demo NAME HOSTS ADDRESS PORTS AGEnginx-ingress-virtualname-demo news.happylau.cn Sports.happylau.cn 80 12s# View details [root@node-1 nginx-ingress] # kubectl describe ingresses nginx-ingress-virtualname-demoName: nginx-ingress-virtualname-demoNamespace: defaultAddress: Default backend: default-http-backend:80 () Rules: Host Path Backends News.happylau.cn / service-1:80 (10.244.2.163sports.happylau.cn / service-2:80) Annotations: kubectl.kubernetes.io/last-applied-configuration: {"apiVersion": "extensions/v1beta1" "kind": "Ingress", "metadata": {"annotations": {"kubernets.io/ingress.class": "nginx"}, "labels": {"ingres-controller": "nginx"}, "name": "nginx-ingress-virtualname-demo", "namespace": "default"}, "spec": {"rules": [{"host": "news.happylau.cn", "http": {"paths": [{"backend": {"serviceName": "service-1", "servicePort": 80}} "path": "/"}, {"host": "sports.happylau.cn", "http": {"paths": [{"backend": {"serviceName": "service-2", "servicePort": 80} "path": "/"}]}} kubernets.io/ingress.class: nginxEvents: Type Reason Age From Message-Normal AddedOrUpdated 28s nginx-ingress-controller Configuration for default/nginx-ingress-virtualname-demo was added or updated Normal AddedOrUpdated 28s nginx-ingress-controller Configuration for default/nginx-ingress-virtualname-demo was added or updated Normal AddedOrUpdated 28s nginx-ingress-controller Configuration for default/nginx-ingress-virtualname-demo was added or updated

3. Prepare test data and test

[root@node-1 ~] # kubectl exec-it service-1-7b66bf758f-xj9jh / bin/bashroot@service-1-7b66bf758f-xj9jh:/# echo "news demo" > / usr/share/nginx/html/index.html [root@node-1 ~] # kubectl exec-it service-2-7c7444684d-w9cv9 / bin/bashroot@service- 2-7c7444684d-w9cv9:/usr/local/apache2# echo "sports demo" > / usr/local/apache2/htdocs/index.html

Test:

[root@node-1 ~] # curl http://news.happylau.cn-- resolve news.happylau.cn:80:10.254.100.102news demotion [root @ node-1 ~] # curl http://sports.happylau.cn-- resolve sports.happylau.cn:80:10.254.100.102sports demo

4. Look at the contents of the configuration file of nginx, distinguish by defining different server_name in server, and proxy to different upstream to realize the proxy of service.

# configuration for default/nginx-ingress-virtualname-demoupstream default-nginx-ingress-virtualname-demo-news.happylau.cn-service-1-80 {zone default-nginx-ingress-virtualname-demo-news.happylau.cn-service-1-80 256k; random two least_conn; server 10.244.2.163 max_fails=1 fail_timeout=10s max_conns=0 } upstream default-nginx-ingress-virtualname-demo-sports.happylau.cn-service-2-80 {zone default-nginx-ingress-virtualname-demo-sports.happylau.cn-service-2-80 256k; random two least_conn; server 10.244.1.148 max_fails=1 fail_timeout=10s max_conns=0; 80 max_fails=1 fail_timeout=10s max_conns=0;} server {listen 80; server_tokens on; server_name news.happylau.cn; location / {proxy_http_version 1.1 Proxy_connect_timeout 60s; proxy_read_timeout 60s; proxy_send_timeout 60s; client_max_body_size 1m; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host Proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $scheme; proxy_buffering on; proxy_pass http://default-nginx-ingress-virtualname-demo-news.happylau.cn-service-1-80;}} server {listen 80; server_tokens on; server_name sports.happylau.cn; location / {proxy_http_version 1.1 Proxy_connect_timeout 60s; proxy_read_timeout 60s; proxy_send_timeout 60s; client_max_body_size 1m; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host Proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $scheme; proxy_buffering on; proxy_pass http://default-nginx-ingress-virtualname-demo-sports.happylau.cn-service-2-80;}} 3.5 Ingress TLS encryption

Layer-4 load balancers cannot support https requests. Currently, most businesses are required to access through https. Ingress can support https access, store certificates and private keys through Secrets, and achieve https access. At the same time, it can also support http jump. For user request traffic, client-to-ingress controller traffic is https traffic and ingress controller-to-backend service traffic is http to improve user access performance. The steps to implement ingress TLS function are described below.

1. Generate self-signed certificate and private key

[root@node-1] # openssl req-x509-newkey rsa:2048-nodes-days-keyout tls.key-out tls.crtGenerating a 2048 bit RSA private key...+++.. . + writing new private key to 'tls.key'-You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name ora DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value If you enter'.', the field will be left blank.-Country Name (2 letter code) [XX]: CN # National State or Province Name (full name) []: GD # Provincial Locality Name (eg, city) [Default City]: ShenZhen # City Organization Name (eg, company) [Default Company Ltd]: Tencent # Company Organizational Unit Name (eg, section) []: HappyLau # Organization Common Name (eg Your name or your server's hostname) []: www.happylau.cn # domain name Email Address []: 573302346@qq.com # email address # tls.crt is the certificate Tls.key is the private key [root@node-1 ~] # ls tls.*-1 tls.crt-rw-r--r-- tls.crt-rw-r--r-- 1 root root 1708 December 26 13:21 tls.key

2. Configure Secrets to configure the certificate and private key into the Secrets

[root@node-1 ~] # kubectl create secret tls happylau-sslkey-- cert=tls.crt-- key=tls.key secret/happylau-sslkey created view Secrets details. The certificate and privacy should be included in the data. The file name is two different key:tls.crt and tls.key [root @ node-1 ~] # kubectl describe secrets happylau-sslkeyName: happylau-sslkeyNamespace: defaultLabels: Annotations: Type: kubernetes.io/tlsData====tls.crt: 1428 bytestls.key: 1708 bytes

3. Configure ingress to call Secrets to implement SSL certificate encryption

ApiVersion: extensions/v1beta1kind: Ingressmetadata: name: nginx-ingress-tls-demo labels: ingres-controller: nginx annotations: kubernets.io/ingress.class: nginxspec: tls:-hosts:-news.happylau.cn-sports.happylau.cn secretName: happylau-sslkey rules:-host: news.happylau.cn http: paths:-path: / backend: serviceName: service-1 servicePort: 80-host: sports.happylau.cn http: paths:-path: / backend: serviceName: service-2 servicePort: 80

4. Create an ingress and view the details of ingress

[root@node-1 nginx-ingress] # kubectl describe ingresses nginx-ingress-tls-demoName: nginx-ingress-tls-demoNamespace: defaultAddress: Default backend: default-http-backend:80 () TLS: happylau-sslkey terminates news.happylau.cn Sports.happylau.cnRules: Host Path Backends-news.happylau.cn / service-1:80 (10.244.2.163 sports.happylau.cn / service-2:80) sports.happylau.cn / service-2:80 (10.244.1.148) Annotations: kubectl .kubernetes.io / last-applied-configuration: {"apiVersion": "extensions/v1beta1" "kind": "Ingress", "metadata": {"annotations": {"kubernets.io/ingress.class": "nginx"}, "labels": {"ingres-controller": "nginx"}, "name": "nginx-ingress-tls-demo", "namespace": "default"}, "spec": {"rules": [{"host": "news.happylau.cn", "http": {"paths": [{"backend": {"serviceName": "service-1", "servicePort": 80}} "path": "/"}]}, {"host": "sports.happylau.cn", "http": {"paths": [{"backend": {"serviceName": "service-2", "servicePort": 80}, "path": "/"}]}], "tls": [{"hosts": ["news.happylau.cn", "sports.happylau.cn"] "secretName": "happylau-sslkey"}} kubernets.io/ingress.class: nginxEvents: Type Reason Age From Message-Normal AddedOrUpdated 22s nginx-ingress-controller Configuration for default/nginx-ingress-tls-demo was added or updated Normal AddedOrUpdated 22s Nginx-ingress-controller Configuration for default/nginx-ingress-tls-demo was added or updated Normal AddedOrUpdated 22s nginx-ingress-controller Configuration for default/nginx-ingress-tls-demo was added or updated

5. Write news.happylau.cn and sports.happylau.cn to the hosts file and access them through https://news.happylau.cn. The browser access content prompt certificate is as follows, and the trust certificate can access the site content.

To view the details of the certificate, it is the self-signed certificate we have made. When it is actually used in production, it is recommended to use the CA institution to issue the signature certificate.

6. Next, take a look at the contents of the nginx configuration file of tls configuration https. You can see that https is enabled and certificates are configured in the server block, and http redirection is configured at the same time. Therefore, direct access to http can also automatically jump to https.

# configuration for default/nginx-ingress-tls-demoupstream default-nginx-ingress-tls-demo-news.happylau.cn-service-1-80 {zone default-nginx-ingress-tls-demo-news.happylau.cn-service-1-80 256k; random two least_conn; server 10.244.2.163 max_fails=1 fail_timeout=10s max_conns=0 } upstream default-nginx-ingress-tls-demo-sports.happylau.cn-service-2-80 {zone default-nginx-ingress-tls-demo-sports.happylau.cn-service-2-80 256k; random two least_conn; server 10.244.1.148 max_fails=1 fail_timeout=10s max_conns=0; 80 max_fails=1 fail_timeout=10s max_conns=0;} server {listen 80; listen 443 ssl # https listens on port, certificate and key, and implements the ssl_certificate / etc/nginx/secrets/default-happylau-sslkey; ssl_certificate_key / etc/nginx/secrets/default-happylau-sslkey; server_tokens on; server_name news.happylau.cn; # http jump function associated with Secrets, that is, accessing http automatically redirects to https if ($scheme = http) {return 301 https://$host:443$request_uri; } location / {proxy_http_version 1.1; proxy_connect_timeout 60s; proxy_read_timeout 60s; proxy_send_timeout 60s; client_max_body_size 1m; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for Proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $scheme; proxy_buffering on; proxy_pass http://default-nginx-ingress-tls-demo-news.happylau.cn-service-1-80;}} server {listen 80; listen 443 ssl; ssl_certificate / etc/nginx/secrets/default-happylau-sslkey Ssl_certificate_key / etc/nginx/secrets/default-happylau-sslkey; server_tokens on; server_name sports.happylau.cn; if ($scheme = http) {return 301 https://$host:443$request_uri;} location / {proxy_http_version 1.1; proxy_connect_timeout 60s; proxy_read_timeout 60s; proxy_send_timeout 60s; client_max_body_size 1m Proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $scheme; proxy_buffering on Proxy_pass http://default-nginx-ingress-tls-demo-sports.happylau.cn-service-2-80;}} 4. Nginx Ingress Advanced Features 4.1 customized parameters

Ingress controller provides the function of basic reverse proxy. If you need to customize the features or parameters of nginx, you need to implement them through ConfigMap and Annotations. The two methods are different. ConfigMap is used to specify the basic parameters of the entire ingress cluster resource, which will be inherited by all ingress objects after modification. Annotations is used by a specific ingress object, and the modification will only affect a specific ingress resource, and its priority is higher than ConfigMap in case of conflict.

4.1.1 ConfigMap Custom parameters

When installing nginx ingress controller, an empty ConfigMap is included by default. You can customize the default parameters of nginx controller through ConfigMap. Take modifying some parameters as an example:

1. Define ConfigMap parameters

Kind: ConfigMapapiVersion: v1metadata: name: nginx-config namespace: nginx-ingressdata: proxy-connect-timeout: "10s" proxy-read-timeout: "10s" proxy-send-timeout: "10" client-max-body-size: "3m"

2. Apply the configuration and view the ConfigMap configuration

[root@node-1 ~] # kubectl get configmaps-n nginx-ingress nginx-config-o yamlapiVersion: v1data: client-max-body-size: 3m proxy-connect-timeout: 10s proxy-read-timeout: 10s proxy-send-timeout: 10skind: ConfigMapmetadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion": "v1", "data": {"client-max-body-size": "3m", "proxy-connect-timeout": "10s" "proxy-read-timeout": "10s", "proxy-send-timeout": "10"}, "kind": "ConfigMap", "metadata": {"annotations": {}, "name": "nginx-config", "namespace": "nginx-ingress"} creationTimestamp: "2019-12-24T04:39:23Z" name: nginx-config namespace: nginx-ingress resourceVersion: "13845543" selfLink: / api/v1/namespaces/nginx-ingress/configmaps/nginx-config uid: 9313ae47-a0f0-463e-a25a-1658f1ca0d57

3. At this point, the configuration parameters defined by ConfigMap will be inherited by all Ingress resources in the cluster (except annotations definition).

There are many parameters that can be defined. For more information, please refer to the party's documentation: https://github.com/nginxinc/kubernetes-ingress/blob/master/docs/configmap-and-annotations.md#Summary-of-ConfigMap-and-Annotations

4.1.2 Annotations Custom parameters

ConfigMap defines global configuration parameters, and all configurations will be affected after modification. If you want to customize parameters for a specific ingress resource, you can do so through Annotations. Here is a practical example to demonstrate the use of Annotations.

1. Modify the ingress resource, add the definition of annotations, and modify some parameters through the nginx.org group, such as proxy-connect-timeout. The scheduling algorithm is round_robin (default is least _ conn).

ApiVersion: extensions/v1beta1kind: Ingressmetadata: name: nginx-ingress-demo labels: ingres-controller: nginx annotations: kubernets.io/ingress.class: nginx nginx.org/proxy-connect-timeout: "30s" nginx.org/proxy-send-timeout: "20s" nginx.org/proxy-read-timeout: "20s" nginx.org/client-max-body-size: "2m" nginx.org/fail-timeout: "5s" nginx .org/lb-method: "round_robin" spec: rules:-host: www.happylau.cn http: paths:-path: / backend: serviceName: ingress-demo servicePort: 80

2. Reapply the ingress object and check the parameter configuration

As can be seen from the above demonstration, the priority of Annotations over ConfigMapMap,Annotations to modify parameters will only affect a specific ingress resource. The method of its definition is similar to that of ConfigMap, but it is different. Some parameters of ConfigMap cannot be supported by Annotations, and in turn, the parameter ConfigMap defined by Annotations may not be supported either. The following figure shows the general supported parameters:

ConfigMap and Annotations support details: link description

4.2 Virtual hosts and routin

When we installed nginx ingress, we installed a customresourcedefinitions custom resource that provides advanced features in addition to the default ingress features, such as

Virtual host VirtualServer virtual routing VirtualServerRoute health check Healthcheck traffic cutting Split session keeping SessionCookie redirecting Redirect

Most of these features rely on the support of the advanced version of Nginx Plus, while the community version only supports some of them. For enterprise development, rich and more features can be purchased for enterprise Nginx Plus version. The following example demonstrates the use of the upstream configuration defined by VirtualServer and VirtualServerRoute.

1. Define VirtualServer resources, whose configuration is similar to ingress resource objects, and can support more functions.

ApiVersion: k8s.nginx.org/v1kind: VirtualServermetadata: name: cafespec: host: cafe.example.com tls: secret: cafe-secret upstreams:-name: tea service: tea-svc port: 80 name: tea service: ingress-demo subselector: version: canary lb-method: round_robin fail-timeout: 10s max-fails: 1 max-conns: 32 keepalive: 32 connect-timeout: 30s read-timeout: 30s send-timeout: 30s next -upstream: "error timeout non_idempotent" next-upstream-timeout: 5s next-upstream-tries: 10 client-max-body-size: 2m tls: enable: true routes:-path: / tea action: pass: tea

2. Apply resources and view the list of VirtualServer resources

[root@node-1 ~] # kubectl apply-f vs.yaml virtualserver.k8s.nginx.org/cafe unchanged [root @ node-1 ~] # kubectl get virtualserverNAME AGEcafe 2m52s

3. Check the configuration file of the ingress controller, and the generated configuration is consistent with the upstream definition.

Nginx@nginx-ingress-7mpfc:/etc/nginx/conf.d$ cat vs_default_cafe.conf upstream vs_default_cafe_tea {zone vs_default_cafe_tea 256k; server 10.244.0.51 server 80 max_fails=1 fail_timeout=10s max_conns=32; server 10.244.1.146 max_fails=1 fail_timeout=10s max_conns=32; server 10.244.1.147 server 80 max_fails=1 fail_timeout=10s max_conns=32 Server 10.244.2.162 server 80 max_fails=1 fail_timeout=10s max_conns=32; keepalive 32;} server {listen 80; server_name cafe.example.com; listen 443 ssl; ssl_certificate / etc/nginx/secrets/default; ssl_certificate_key / etc/nginx/secrets/default; ssl_ciphers NULL; server_tokens "on"; location / tea {proxy_connect_timeout 30s; proxy_read_timeout 30s Proxy_send_timeout 30s; client_max_body_size 2m; proxy_max_temp_file_size 1024m; proxy_buffering on; proxy_http_version 1.1; set $default_connection_header ""; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $vs_connection_header; proxy_set_header Host $host Proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass https://vs_default_cafe_tea; proxy_next_upstream error timeout non_idempotent Proxy_next_upstream_timeout 5s; proxy_next_upstream_tries 10;}}

So far, we have a basic understanding of ingress in nginx, but we still need to consolidate and practice how to use it. If you want to know more about it, please pay attention to the industry information.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.