更新ingress部署

yushantao · Dec 17, 2017 · 57e19cf · 57e19cf
1 parent e50f974
commit 57e19cf
Show file tree

Hide file tree

Showing 4 changed files with 118 additions and 21 deletions.
diff --git a/docs/guide/ingress.md b/docs/guide/ingress.md
@@ -0,0 +1,96 @@
+## Ingress简介
+
+ingress就是从kubernetes集群外访问集群的入口，将用户的URL请求转发到不同的service上。ingress相当于nginx反向代理服务器，它包括的规则定义就是URL的路由信息；它的实现需要部署`Ingress controller`(比如 [traefik](https://github.com/containous/traefik) [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 等)，`Ingress controller`通过apiserver监听ingress和service的变化，并根据规则配置负载均衡并提供访问入口，达到服务发现的作用。
+
++ 未配置ingress：
+
+集群外部 -> NodePort -> K8S Service
+
++ 配置ingress:
+
+集群外部 -> Ingress -> K8S Service
+
++ 注意：ingress 本身也需要部署`Ingress controller`时暴露`NodePort`让外部访问
+
+### 部署 Traefik
+
+Traefik 提供了一个简单好用 `Ingress controller`，下文基于它讲解一个简单的 ingress部署和测试例子。请查看yaml配置 [traefik-ingress.yaml](../../manifests/ingress/traefik-ingress.yaml)，参考[traefik 官方k8s例子](https://github.com/containous/traefik/tree/master/examples/k8s)
+
+#### 安装 traefik ingress-controller
+
+``` bash
+kubectl create -f /etc/ansible/manifests/ingress/traefik-ingress.yaml
+```
++ 注意需要配置 `RBAC`授权
++ 注意trafik `Service`中 `80`端口为 traefik ingress-controller的服务端口，`8080`端口为 traefik 的管理WEB界面；为后续配置方便指定`80` 端口暴露`NodePort`端口为 `23456`(对应于在hosts配置中`NODE_PORT_RANGE`范围内可用端口)
+
+#### 验证 traefik ingress-controller
+
+``` bash
+# kubectl get deploy -n kube-system traefik-ingress-controller
+NAME                         DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
+traefik-ingress-controller   1         1         1            1           4m
+
+# kubectl get svc -n kube-system traefik-ingress-service
+NAME                      TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                       AGE
+traefik-ingress-service   NodePort   10.68.69.170   <none>        80:23456/TCP,8080:34815/TCP   4m
+```
++ 可以看到`traefik-ingress-service` 服务端口`80`暴露的nodePort确实为`23456`
+
+#### 测试 ingress
+
++ 首先创建测试用K8S应用，并且该应用服务不用nodePort暴露，而是用ingress方式让外部访问
+
+``` bash
+kubectl run test-hello --image=nginx --expose --port=80
+##
+# kubectl get deploy test-hello
+NAME         DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
+test-hello   1         1         1            1           56s
+# kubectl get svc test-hello
+NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
+test-hello   ClusterIP   10.68.124.115   <none>        80/TCP    1m
+```
++ 然后为这个应用创建 ingress，`kubectl create -f /etc/ansible/manifests/ingress/test-hello.ing.yaml`
+
+``` bash
+# test-hello.ing.yaml内容
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: test-hello
+spec:
+  rules:
+  - host: hello.test.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: test-hello
+          servicePort: 80
+```
++ 集群内部尝试访问: `curl -H Host:hello.test.com 10.68.124.115` 能够看到欢迎页面 `Welcome to nginx!`；在集群外部尝试访问(假定集群一个NodeIP为 192.168.1.1): `curl -H Host:hello.test.com 192.168.1.1:23456`，也能够看到欢迎页面 `Welcome to nginx!`，说明ingress测试成功
+
++ 最后我们可以为traefik WEB管理页面也创建一个ingress, `kubectl create -f /etc/ansible/manifests/ingress/traefik-ui.ing.yaml`
+
+``` bash
+# traefik-ui.ing.yaml内容
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: traefik-web-ui
+  namespace: kube-system
+spec:
+  rules:
+  - host: traefik-ui.test.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: traefik-ingress-service
+          servicePort: 8080
+```
+这样在集群外部可以使用 `curl -H Host:traefik-ui.test.com 192.168.1.1:23456` 尝试访问WEB管理页面，返回 `<a href="/dashboard/">Found</a>.`说明 traefik-ui的ingress配置生效了。
+
+
diff --git a/manifests/ingress/example-ingress-conf.yaml → manifests/ingress/test-hello.ing.yaml b/manifests/ingress/example-ingress-conf.yaml → manifests/ingress/test-hello.ing.yaml
@@ -1,17 +1,13 @@
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
-  name: test
+  name: test-hello
 spec:
   rules:
-  - host: k8s.test.tf56
+  - host: hello.test.com
     http:
       paths:
       - path: /
         backend:
           serviceName: test-hello
           servicePort: 80
-      - path: /site
-        backend:
-          serviceName: test-site
-          servicePort: 80
diff --git a/manifests/ingress/traefik-ingress.yaml b/manifests/ingress/traefik-ingress.yaml
@@ -80,24 +80,14 @@ spec:
     k8s-app: traefik-ingress-lb
   ports:
     - protocol: TCP
+      # 该端口为 traefik ingress-controller的服务端口
       port: 80
+      # 集群hosts文件中设置的 NODE_PORT_RANGE 作为 NodePort的可用范围
+      # 从默认20000~40000之间选一个可用端口，让ingress-controller暴露给外部的访问
+      nodePort: 23456
       name: web
     - protocol: TCP
+      # 该端口为 traefik 的管理WEB界面
       port: 8080
       name: admin
   type: NodePort
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: traefik-web-ui
-  namespace: kube-system
-spec:
-  rules:
-  - host: traefik.tf56.lo
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: traefik-ingress-service
-          servicePort: 8080
diff --git a/manifests/ingress/traefik-ui.ing.yaml b/manifests/ingress/traefik-ui.ing.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: traefik-web-ui
+  namespace: kube-system
+spec:
+  rules:
+  - host: traefik-ui.test.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: traefik-ingress-service
+          servicePort: 8080