本篇主要记录日常较常用的 ingress-nginx 规则与配置示例,便于日后查阅
自定义配置
Log format
Custom errors
自定义用户错误提示
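# 创建一个默认后端:当请求未匹配任何 ingress 规则时,由该默认 backend 返回错误页面
# 注意:仅创建下面的 Service/Deployment 并不会自动生效,还需在 ingress-nginx controller 的启动参数中用
# --default-backend-service=<命名空间>/nginx-errors 指向它;若还要接管业务后端返回的错误码,
# 需在 controller 的 ConfigMap 中设置 custom-http-errors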
[root@master ingress]# cat >default-backend.yaml<<'EOF'
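---
# Service fronting the custom error-page backend. Port 80 on the ClusterIP is
# forwarded to container port 8080 of the pods selected by the labels below.
apiVersion: v1
kind: Service
metadata:
  name: nginx-errors
  labels:
    app.kubernetes.io/name: nginx-errors
    app.kubernetes.io/part-of: ingress-nginx
spec:
  selector:
    app.kubernetes.io/name: nginx-errors
    app.kubernetes.io/part-of: ingress-nginx
  ports:
  - port: 80
    targetPort: 8080
    name: http
---
# Single-replica Deployment that serves the error pages.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-errors
  labels:
    app.kubernetes.io/name: nginx-errors
    app.kubernetes.io/part-of: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: nginx-errors
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: nginx-errors
        app.kubernetes.io/part-of: ingress-nginx
    spec:
      containers:
      - name: nginx-error-server
        # NOTE(review): this reference has no registry host, so it resolves to
        # Docker Hub by default, i.e. a mirror of the upstream image addressed
        # by a mutable tag. Outside a lab, prefer the upstream path (commented
        # below) or an internal registry you control, and pin by digest:
        #   image: <registry>/<repo>@sha256:<DIGEST_PLACEHOLDER>
        image: k8sgcrioingressnginx/nginx-errors:0.49.0
        # image: k8s.gcr.io/ingress-nginx/nginx-errors:0.49.0
        ports:
        - containerPort: 8080
        # Setting the environment variable DEBUG we can see the headers sent
        # by the ingress controller to the backend in the client response.
        # Because those headers are echoed back to the client, keep DEBUG
        # disabled on anything reachable by untrusted users.
        # env:
        # - name: DEBUG
        #   value: "true"

        # Mounting custom error page from configMap
        # NOTE(review): Kubernetes rejects volume and ConfigMap names that
        # contain underscores; rename (e.g. custom-error-pages) before
        # uncommenting.
        # volumeMounts:
        # - name: custom_error_pages
        #   mountPath: /www

      # Mounting custom error page from configMap
      # volumes:
      # - name: custom_error_pages
      #   configMap:
      #     name: custom_error_pages
      #     items:
      #     - key: "404"
      #       path: "404.html"
      #     - key: "503"
      #       path: "503.html"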
EOF
[root@master ingress]# kubectl apply -f default-backend.yaml
[root@master ingress]# kubectl get -f default-backend.yaml
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/nginx-errors ClusterIP 10.96.154.247 <none> 80/TCP 4m54s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/nginx-errors 1/1 1 1 4m53s
[root@master ingress]# curl 10.96.154.247
<span>The page you're looking for could not be found.</span>
测试
# 默认返回文本模式
[root@master ingress]# curl -D- http://10.96.154.247/
HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Mon, 09 Aug 2021 09:55:56 GMT
Content-Length: 60
<span>The page you're looking for could not be found.</span>
# 测试返回json格式(原文此处未给出对应的命令与输出)
Regular expressions
测试正则表达式多域名(server-alias 中以 ~ 开头的是 nginx 正则;该正则用 ^…$ 锚定,且 \d 只匹配一位数字,所以下文 demo3、demo4 命中,demo10 返回 404)
[root@node1 demo]# cat regular-ingress.yaml
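# Ingress whose nginx server block answers for demo1.xadocker.cn and for every
# host matched by the server-alias regex.
# NOTE: networking.k8s.io/v1beta1 was removed in Kubernetes 1.22. On newer
# clusters use networking.k8s.io/v1, which requires pathType and spells the
# backend as service.name / service.port.number.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-regex
  namespace: default
  annotations:
    # A leading "~" marks an nginx regex server name. The pattern is anchored
    # with ^...$ and \d matches exactly one digit, so demo0..demo9 match and
    # demo10 does not. Keep such patterns anchored and the dots escaped so
    # that look-alike hostnames are not routed to this backend.
    nginx.ingress.kubernetes.io/server-alias: '~^demo\d\.xadocker\.cn$, demo1.xadocker.cn'
spec:
  rules:
  - host: demo1.xadocker.cn
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx1-service
          servicePort: 80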
[root@node1 demo]# kubectl apply -f regular-ingress.yaml
ingress.networking.k8s.io/ingress-regex created
[root@node1 demo]# kubectl exec -n ingress-nginx ingress-nginx-controller-xv8wl cat /etc/nginx/nginx.conf | grep -C3 xadocker
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
}
## end server _
## start server demo1.xadocker.cn
server {
server_name demo1.xadocker.cn ~^demo\d\.xadocker\.cn$ ;
listen 80 ;
listen 443 ssl http2 ;
--
}
}
## end server demo1.xadocker.cn
# backend for when default-backend-service is not configured or it does not have endpoints
server {
[root@node1 demo]# curl 127.0.0.1/index.html -H 'HOST:demo3.xadocker.cn'
nginx1-859486d7bb-dvt2c 10.100.166.143
[root@node1 demo]# curl 127.0.0.1/index.html -H 'HOST:demo4.xadocker.cn'
nginx1-859486d7bb-dvt2c 10.100.166.143
[root@node1 demo]# curl 127.0.0.1/index.html -H 'HOST:demo10.xadocker.cn'
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.17.10</center>
</body>
</html>
泛域名示例(*.demo10.xadocker.cn 只匹配其子域名:下文 a.demo10、ab.demo10 命中,而 demo10.xadocker.cn 本身返回 404)
[root@node1 demo]# cat regular-ingress.yaml
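# Ingress with a wildcard host: every request whose Host matches
# *.demo10.xadocker.cn is sent to nginx1-service. In the test that follows,
# a.demo10 and ab.demo10 are routed, while the bare demo10.xadocker.cn gets 404.
# NOTE: networking.k8s.io/v1beta1 was removed in Kubernetes 1.22. On newer
# clusters use networking.k8s.io/v1, which requires pathType and spells the
# backend as service.name / service.port.number.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-regex
  namespace: default
spec:
  rules:
  # Quoted because a plain YAML scalar cannot start with "*".
  # A wildcard rule accepts any subdomain label, including ones nobody
  # registered on purpose; scope it to a zone you fully control.
  - host: '*.demo10.xadocker.cn'
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx1-service
          servicePort: 80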
[root@node1 demo]# kubectl apply -f regular-ingress.yaml
ingress.networking.k8s.io/ingress-regex created
[root@node1 demo]# curl 127.0.0.1/index.html -H 'HOST:demo10.xadocker.cn'
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.17.10</center>
</body>
</html>
[root@node1 demo]# curl 127.0.0.1/index.html -H 'HOST:a.demo10.xadocker.cn'
nginx1-859486d7bb-dvt2c 10.100.166.143
[root@node1 demo]# curl 127.0.0.1/index.html -H 'HOST:ab.demo10.xadocker.cn'
nginx1-859486d7bb-dvt2c 10.100.166.143
Rewrite
重写路由(rewrite-target 在转发给后端之前改写请求路径,并不是向客户端返回 3xx 重定向)
[root@node1 demo]# cat rewrite-ingress.yaml
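# Ingress that strips the /foo/ prefix before proxying to nginx1-service.
# NOTE: networking.k8s.io/v1beta1 was removed in Kubernetes 1.22. On newer
# clusters use networking.k8s.io/v1, which requires pathType and spells the
# backend as service.name / service.port.number.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: rewrite-test-ingress
  namespace: default
  annotations:
    # Path rewrite (not an HTTP redirect): the upstream request path becomes
    # "/" followed by the first capture group of the matched path.
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
  - host: rewrite-test.xadocker.cn
    http:
      paths:
      # (.*) captures everything after /foo/ and forwards it unchanged, so
      # the backend sees whatever path the client chose; narrow the pattern
      # if only specific paths should be reachable.
      - path: /foo/(.*)
        backend:
          serviceName: nginx1-service
          servicePort: 80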
[root@node1 demo]# curl 127.0.0.1/foo/index.html -H 'HOST:rewrite-test.xadocker.cn'
nginx1-859486d7bb-dvt2c 10.100.166.143
TLS/HTTPS
创建证书
# 创建自签CA证书(-nodes 会让私钥以未加密形式写入磁盘,仅适合测试环境;ca.key 可用来签发被信任的客户端/服务端证书,应限制文件权限并妥善保管。-days 356 疑为 365 的笔误)
[root@node1 demo]# openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 356 -nodes -subj '/CN=Fern Cert Authority'
Generating a 4096 bit RSA private key
.......................................................................++
..............................................................................................................................++
writing new private key to 'ca.key'
-----
# 创建server端证书
[root@node1 demo]# openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=test.nginx.ingress.com'
Generating a 4096 bit RSA private key
.........................................................................++
..............++
writing new private key to 'server.key'
-----
[root@node1 demo]# openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Signature ok
subject=/CN=test.nginx.ingress.com
Getting CA Private Key
# 创建客户端证书
[root@node1 demo]# openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=Fern'
Generating a 4096 bit RSA private key
..........................................++
.....++
writing new private key to 'client.key'
-----
[root@node1 demo]# openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
Signature ok
subject=/CN=Fern
Getting CA Private Key
使用secret资源存储证书(只把 ca.crt 以及服务端证书和私钥放入集群;ca.key 不需要、也不应上传到集群)
[root@node1 demo]# kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt
secret/ca-secret created
[root@node1 demo]# kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key
secret/tls-secret created
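测试(原文未给出对应的 Ingress 清单;从下面的结果看,该 Ingress 应已通过 nginx.ingress.kubernetes.io/auth-tls-secret 引用 ca-secret 并开启 nginx.ingress.kubernetes.io/auth-tls-verify-client,因此未携带客户端证书的请求会被 400 拒绝)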
[root@node1 demo]# curl --cacert ./ca.crt https://test.nginx.ingress.com
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx/1.17.10</center>
</body>
</html>
[root@node1 demo]# curl --cacert ./ca.crt --cert ./client.crt --key ./client.key https://test.nginx.ingress.com
nginx1-859486d7bb-dvt2c 10.100.166.143