current position:Home>K8s deployment-43-take you to learn ingress nginx (Part 2)

K8s deployment-43-take you to learn ingress nginx (Part 2)

2022-04-29 18:34:4551CTO

k8s Deploy -43- Take you in-depth study ingress-nginx( Next )_spring


Continuation ~~~ This article is done

k8s Deploy -43- Take you in-depth study ingress-nginx( Next )_spring_02


3


TLS and https Configuration of


In many cases ,nginx I can represent https agreement , So our ingress-nginx How to realize this function , Let's see below. .

I don't have https certificate , So you need to generate your own https certificate ;

      
      
[[email protected] ~]# cd namespace/
[[email protected] namespace]# mkdir tls
[[email protected] namespace]# cd tls/
[[email protected] tls]# vim gen-secret.sh
#!/bin/bash

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout yunweijia.key -out yunweijia.crt -subj "/CN=*.yunweijia.com/O=*.yunweijia.com"

kubectl create secret tls yunweijia-tls --key yunweijia.key --cert yunweijia.crt
[[email protected] tls]# sh gen-secret.sh
Generating a 2048 bit RSA private key
.......+++
.....................................+++
writing new private key to 'yunweijia.key'
-----
secret/yunweijia-tls created
[[email protected] tls]#
  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.


After running the above script , Generated and imported k8s in , Let's look at ;

      
      
[[email protected] tls]# ls
gen-secret.sh yunweijia.crt yunweijia.key
[[email protected] tls]#
[[email protected] tls]# kubectl get secret yunweijia-tls -o yaml
apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURPekNDQWlPZ0F3SUJBZ0lKQU42S1M2MjRCTld4TUEwR0NTcUdTSWIzRFFFQkN3VUFNRFF4R0RBV0JnTlYKQkFNTUR5b3VlWFZ1ZDJWcGFtbGhMbU52YlRFWU1CWUdBMVVFQ2d3UEtpNTVkVzUzWldscWFXRXVZMjl0TUI0WApEVEl5TURReU1URXdNRGN4TUZvWERUSXpNRFF5TVRFd01EY3hNRm93TkRFWU1CWUdBMVVFQXd3UEtpNTVkVzUzClpXbHFhV0V1WTI5dE1SZ3dGZ1lEVlFRS0RBOHFMbmwxYm5kbGFXcHBZUzVqYjIwd2dnRWlNQTBHQ1NxR1NJYjMKRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDaFozcVFaZWxLTkYvYStOYUNqTGVUS21xWWhDN3Mza0Y4TW5BdApXS0l1Z1llT1hlTmpBdUZ2aFIvRklJU1lhM2F2aG03UGMzNlhNRzBNVDZWRUhjakt3VkxLTWcvZnFyKys5QzB0CjV3Ujd4NngrWFVRLzRDQmRkZDlkeCtJOHN4bUgzLzRxODYxd211YVNGRHFEYWZUSVUyVSs1bHQ2VnZ5V29IRjcKYWFNSGxjZUNMUTFtKzJha1RGNDFPSERUSFhRemh0bUhHck9paHBLYmZWbmJtQmltb1RoU1RwRzJTcWJWZlVHOQphT2Z5UnNBTmlCNmtDeXgrVTNrZWVmc0FUOVJIbmVSZDhrR25lclMxQ1JGdzB4K3JhcVRzQ25Nb3dJdDBHbXpGCi9Md2R0YVVVWUFQeFRnaThNQjhsSjJPNnZFTVRuOVg5SHhrM0NqRHY1eGx6RVlzcEFnTUJBQUdqVURCT01CMEcKQTFVZERnUVdCQlRpTld4Zmhub3dMQTlCZjhxSld3ZlYrV3NER0RBZkJnTlZIU01FR0RBV2dCVGlOV3hmaG5vdwpMQTlCZjhxSld3ZlYrV3NER0RBTUJnTlZIUk1FQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFjCnZNak1VdGZnQ1R0N3BJMG9Vb0tEVU52VEdRY3p0clpCQUYwMzNwR1FNL3htTlIrUFNLbDZGc0FYWjRZd1NkYjYKNUVDMXYwN09zclVWam9xajh6UDNpQXFrVkdISVFFYmpFK1dyaDZsVHpDVkJUbUlXekFKbjRpMTJYcTh3QmljKwpaVzVYN1FRc3NBcGc0SHBVL0owNG9DYklyS1EvNFdkb2IyNzN3STVVYWNHUXFLbVlaZ01jWnY4Vjc0a004ZTFTCnl4OGNPTzMxaGNaTzRLYXY3N1F2L0hjT0g1RnRVY09jbVBiTk5VSEpwT3FJcEIyUHhLUnZibWpQSmE2Zk1xTDcKWDBzV1VTNDFzcitVWW8xcGU2bTJLZndDd2RlaHZVWlRqNG1ubWErZXYvN1pwRnhjdHNicU9sR1BPZFVVZXpDYwp4NkNUa3VXODY2cmdFM1ZzMUh6bQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2haM3FRWmVsS05GL2EKK05hQ2pMZVRLbXFZaEM3czNrRjhNbkF0V0tJdWdZZU9YZU5qQXVGdmhSL0ZJSVNZYTNhdmhtN1BjMzZYTUcwTQpUNlZFSGNqS3dWTEtNZy9mcXIrKzlDMHQ1d1I3eDZ4K1hVUS80Q0JkZGQ5ZHgrSThzeG1IMy80cTg2MXdtdWFTCkZEcURhZlRJVTJVKzVsdDZWdnlXb0hGN2FhTUhsY2VDTFExbSsyYWtURjQxT0hEVEhYUXpodG1IR3JPaWhwS2IKZlZuYm1CaW1vVGhTVHBHMlNxYlZmVUc5YU9meVJzQU5pQjZrQ3l4K1Uza2VlZnNBVDlSSG5lUmQ4a0duZXJTMQpDUkZ3MHgrcmFxVHNDbk1vd0l0MEdtekYvTHdkdGFVVVlBUHhUZ2k4TUI4bEoyTzZ2RU1UbjlYOUh4azNDakR2CjV4bHpFWXNwQWdNQkFBRUNnZ0VBSDVya3JCdllsN2d6d093VERSTkM2eVZXSkRGV0F2bnVkc1JscE91RExub2MKc2lyK1dLZjZ2dHloZ1BkQ0g1cURiaEZ6NTFsbFEzT3ZGc2NOeEkzVWdLZGtiOFZueUZObUlwMHJyNTVhQ1dicgpCdjk2V3N1bmFzV25ESFVVZnZCUElvVWcvd1lpUXplQnlMNy9TalpZUVZYYk1IcnBGTWF0eFV6N2k3Lyt0WUEyCkQvTVRjTWdKeFhkY2JWSWN1SFc2clFlVnV6MVlJYWV5ZENra3BFZmdXVXhSaEtXZ0dlRlpGT0FXMUVldEd4KzkKYjBQK21HZmY5YWFQMUNCdWJaT0ZZZHdhNFczQVJWbGlmZit1VWNod1BQUG1ZNmFTSmhCa1VUN0t2QkhlOUM1RwovazNGc0M4T1J0UkFoWXpWNnRPdjlqV0Z5b2liQVNnMHVaZXR2VkNaaFFLQmdRRFY0Yk05UEZ0VjB5ZmVoUlpqCnYwYUZ0Rm95cTlJQ2JndVdFaG9KVXNseFpsc1VzOGd3MUx1Z013VDVtcWpydVRPMm8waEhQVGV1MTRBYUhwWjYKUm1NOEh4c0kwZ3o4Zy9ocW4vN3NhQ253VjJRSzFKOTNSYW9QemI5RVQ3c0ttRWxITVBaM1NNWnYwQXk5MmdtMwpxbmFnOHREZUlLdC8xWE1YclJpMll3cEx5d0tCZ1FEQk1FTXFqbXNjZFBVa20vUkp5aDdpSjBhY0VXSUtHSWt3CkMvV1o5T1h3MFdMeTAyTEJYTHR1cEZ5UEpUR0xkU21iZjVEYTl1ZkFWRW04Z1RYSGxWd0hKUDJSQWduU1pIMEIKbE5pKzQwMVNRQmdyZHpZME9xYTVOK1lQY3Y0djM5aDI3cURKaGJSZmFibE9kMFpndVh2UlhsSDRjRU0yajR3cgpVWVVyU1ZxT1d3S0JnR1VLd0hPd2ZQRzUxTDhDSHNhMnlXbEcvOG1xZElkalY2UHBIMVhDUDVxTUlZRlJRY1VYCjZ4L09tbzRVNjdLWkJ2NUVlMVAwYnNieDFmb0E4MVFHeHNEVGJTRW9vcXYwNkxudXBpOG5NcER4cURpWnBGQmoKbitqaGFYZXJOeERWU3VFUUY0L1kySzVnR25UaWVlN0Q0RkUvQlQrN0xXb3grN0oydXhNSERRa3JBb0dCQUxUQgorNVp0K3pwOUZJSlVpWlloVUJRNnU0NTdsVWZzL1MrL2dPVzBoeEYwV1Nqck1KUEx1SFFseFpVS0wvbFVmc0hICjhqbHVuQmtReEkxa09IV3VBcFdNdnRSWEcrbUhySTgyUGpjZFp0TjJ0U2EyUERsU1IzMDJHRVNNUzlsdmtKSjMKWkdvcWVFSnVJYnlSVFlCakRMOHhpWER6V1hCTGo5TllTMG5kTUtYUkFvR0FER1hOYUhNMW95ZElVd1lnQ3ZmNAo0ZzJlb0dycXBrOGg4aFNJWmVybVltbnptS2V6WHcveGhMd3N1dWVrYi93YUZnVkZ6NXQ5WWFHTnljQ0RaeFJmCm5Ya0xCTW85UE4xMElEQmlzVmR4Y1ZENUE5UlNmZS9PNUlhOTFiUi9qQUtuL3Z4Mk9RL3RxY014ZnZaVGlQZFAKbE5mUXdZR2tubHZhVWxlQlRQSWNkSkU9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
kind: Secret
metadata:
creationTimestamp: "2022-04-21T10:07:11Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:tls.crt: {}
f:tls.key: {}
f:type: {}
manager: kubectl-create
operation: Update
time: "2022-04-21T10:07:11Z"
name: yunweijia-tls
namespace: default
resourceVersion: "556920"
uid: 787c6446-84f5-41ca-aa05-8ca417b4dabd
type: kubernetes.io/tls
[[email protected] tls]#
  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.


So how do we use this certificate ? We can log in to the container , Look at the specific method of using , Let's log in to have ingress-nginx Look at the node of ;

      
      
[[email protected] ~]# crictl ps | grep ingress
be698c18d686e acac7d63e4060 3 hours ago Running nginx-ingress-controller 6 5460063ad17c5
[[email protected] ~]# crictl exec -it be698c18d686e bash
[email protected]:/etc/nginx$ /nginx-ingress-controller --help
# Omit part
--default-ssl-certificate string Secret containing a SSL certificate to be used by the default HTTPS server (catch-all).
Takes the form "namespace/name".

# Omit part
[[email protected] ~]#
  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.


You can see that we need to add a parameter to specify , Then let's revise ingress-nginx The configuration file ;

      
      
[[email protected] tls]# vim /root/ingress-nginx/mandatory.yaml
# stay args Next add a line ;
- --default-ssl-certificate=default/yunweijia-tls

# It becomes the following format ;
containers:
- name: nginx-ingress-controller
image: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:0.20.0
args:
- /nginx-ingress-controller
- --default-backend-service=$(POD_NAMESPACE)/default-http-backend
- --configmap=$(POD_NAMESPACE)/nginx-configuration
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- --publish-service=$(POD_NAMESPACE)/ingress-nginx
- --annotations-prefix=nginx.ingress.kubernetes.io
- --default-ssl-certificate=default/yunweijia-tls
[[email protected] tls]#
  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.


After modification , Let's make it work , That is to say, re apply once ;

      
      
[[email protected] tls]# cd /root/ingress-nginx/
[[email protected] ingress-nginx]# kubectl apply -f mandatory.yaml
[[email protected] ingress-nginx]# cd -
/root/namespace/tls
[[email protected] tls]#
  • 1.
  • 2.
  • 3.
  • 4.
  • 5.


After the container is successfully restarted , Let's use https The way to visit and have a look ;

      
      
[[email protected] tls]# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
default-http-backend-86dcdf4845-gfwn8 1/1 Running 5 4d20h
nginx-ingress-controller-b228z 1/1 Running 0 60s
nginx-ingress-controller-zlpm4 1/1 Running 0 77s
[[email protected] tls]#

# Visit the address to see
https://springboot.yunweijia.com/hello?name=yunweijia
  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.


The return status is as follows :

k8s Deploy -43- Take you in-depth study ingress-nginx( Next )_nginx_03

You can see the return 404, Why did you return this ? Because of our ingress Not added in , Then we configure , Original spring-web.yaml In the document ingress Change it .

      
      
[[email protected] tls]# vim ../healthcheck/spring-web.yaml
# Omit part
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: springboot-web-demo
spec:
rules:
- host: springboot.yunweijia.com
http:
paths:
- path: /
backend:
serviceName: springboot-web-demo
servicePort: 80
tls:
- hosts:
- springboot.yunweijia.com
secretName: yunweijia-tls
[[email protected] tls]# kubectl apply -f ../healthcheck/spring-web.yaml
  • 1.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.


When new pod After running , Let's visit the following address again :

      
      
https://springboot.yunweijia.com/hello?name=yunweijia
  • 1.

k8s Deploy -43- Take you in-depth study ingress-nginx( Next )_ Operation and maintenance works _04


Report errors and sort them out

Use ingress-nginx agent https When , Report errors  503 Service Temporarily Unavailable , How should we check .1、 First we know that , When all external calls the services in the container , It's all over ingress-nginx, Well, first of all, let's look at its log , Use the following command to view ;

For the rest, go to VX official account “ Operation and maintenance home ” , reply “150” see .

------ The following contents are anti-counterfeiting contents , Can be ignored ------

------ The following contents are anti-counterfeiting contents , Can be ignored ------

------ The following contents are anti-counterfeiting contents , Can be ignored ------

Is it reliable to pay for the training of power operation and maintenance engineers? Nanshan District recruits operation and maintenance engineers. The necessary basic knowledge of operation and maintenance engineers. The difference between junior high school senior operation and maintenance engineers. Is it easy for operation and maintenance engineers to be promoted? Hong Kong linux Operation and maintenance engineer operation and maintenance engineer working principle Tencent idc Operation and Maintenance Engineer Interview Lanzhou big data operation and Maintenance Engineer Recruitment operation and maintenance engineer equipment substation operation and maintenance engineer work plan data operation and maintenance engineer treatment basis desktop operation and maintenance engineer operation and maintenance engineer is it difficult for Guangxi communication operation and maintenance engineer training class operation and maintenance engineer to have a degree? Radio telescope operation and maintenance engineer Yongqing environmental protection operation and maintenance engineer treatment how about Haier biological operation and Maintenance Engineer written test answer of operation and Maintenance Engineer




copyright notice
author[51CTO],Please bring the original link to reprint, thank you.
https://en.qdmana.com/2022/119/202204291604290564.html

Random recommended