Kubernetes 集群中负载均衡的Ingress 支持

Ingress 为您提供七层负载均衡能力，通过 ROS 模板安装的 Kubernetes 高可用集群默认支持 Ingress。

简单的路由服务


通过以下命令创建一个简单的 Ingress，所有对 /svc 路径的访问都会被路由到名为 Nginx 的服务。

1. [backcolor=transparent]root@master [backcolor=transparent]# cat <<EOF | kubectl create -f -
2. [backcolor=transparent]apiVersion[backcolor=transparent]:[backcolor=transparent] extensions[backcolor=transparent]/[backcolor=transparent]v1beta1
3. [backcolor=transparent]kind[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]Ingress
4. [backcolor=transparent]metadata[backcolor=transparent]:
5. [backcolor=transparent]  name[backcolor=transparent]:[backcolor=transparent] simple
6. [backcolor=transparent]spec[backcolor=transparent]:
7. [backcolor=transparent]  rules[backcolor=transparent]:
8. [backcolor=transparent]  [backcolor=transparent]-[backcolor=transparent] http[backcolor=transparent]:
9. [backcolor=transparent]      paths[backcolor=transparent]:
10. [backcolor=transparent]      [backcolor=transparent]-[backcolor=transparent] path[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]/[backcolor=transparent]svc
11. [backcolor=transparent]        backend[backcolor=transparent]:
12. [backcolor=transparent]          serviceName[backcolor=transparent]:[backcolor=transparent] nginx
13. [backcolor=transparent]          servicePort[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]80
14. [backcolor=transparent]EOF
16. [backcolor=transparent]root@master [backcolor=transparent]# kubectl get ing
17. [backcolor=transparent]NAME            HOSTS         ADDRESS          PORTS     AGE
18. [backcolor=transparent]simple          [backcolor=transparent]*[backcolor=transparent]             [backcolor=transparent]101.37[backcolor=transparent].[backcolor=transparent]192.211[backcolor=transparent]   [backcolor=transparent]80[backcolor=transparent]        [backcolor=transparent]11s

现在访问 http://101.37.192.211/svc 即可访问到 Nginx 服务。

基于域名的简单扇出路由


如果您有多个域名对外提供不同的服务，您可以生成如下的配置达到一个简单的基于域名的扇出效果。

1. [backcolor=transparent]root@master [backcolor=transparent]# cat <<EOF | kubectl create -f -
2. [backcolor=transparent]apiVersion[backcolor=transparent]:[backcolor=transparent] extensions[backcolor=transparent]/[backcolor=transparent]v1beta1
3. [backcolor=transparent]kind[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]Ingress
4. [backcolor=transparent]metadata[backcolor=transparent]:
5. [backcolor=transparent]  name[backcolor=transparent]:[backcolor=transparent] simple[backcolor=transparent]-[backcolor=transparent]fanout
6. [backcolor=transparent]spec[backcolor=transparent]:
7. [backcolor=transparent]  rules[backcolor=transparent]:
8. [backcolor=transparent]  [backcolor=transparent]-[backcolor=transparent] host[backcolor=transparent]:[backcolor=transparent] foo[backcolor=transparent].[backcolor=transparent]bar[backcolor=transparent].[backcolor=transparent]com
9. [backcolor=transparent]    http[backcolor=transparent]:
10. [backcolor=transparent]      paths[backcolor=transparent]:
11. [backcolor=transparent]      [backcolor=transparent]-[backcolor=transparent] path[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]/[backcolor=transparent]foo
12. [backcolor=transparent]        backend[backcolor=transparent]:
13. [backcolor=transparent]          serviceName[backcolor=transparent]:[backcolor=transparent] http[backcolor=transparent]-[backcolor=transparent]svc1
14. [backcolor=transparent]          servicePort[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]80
15. [backcolor=transparent]      [backcolor=transparent]-[backcolor=transparent] path[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]/[backcolor=transparent]bar
16. [backcolor=transparent]        backend[backcolor=transparent]:
17. [backcolor=transparent]          serviceName[backcolor=transparent]:[backcolor=transparent] http[backcolor=transparent]-[backcolor=transparent]svc2
18. [backcolor=transparent]          servicePort[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]80
19. [backcolor=transparent]  [backcolor=transparent]-[backcolor=transparent] host[backcolor=transparent]:[backcolor=transparent] foo[backcolor=transparent].[backcolor=transparent]example[backcolor=transparent].[backcolor=transparent]com
20. [backcolor=transparent]    http[backcolor=transparent]:
21. [backcolor=transparent]      paths[backcolor=transparent]:
22. [backcolor=transparent]      [backcolor=transparent]-[backcolor=transparent] path[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]/[backcolor=transparent]film
23. [backcolor=transparent]        backend[backcolor=transparent]:
24. [backcolor=transparent]          serviceName[backcolor=transparent]:[backcolor=transparent] http[backcolor=transparent]-[backcolor=transparent]svc3
25. [backcolor=transparent]          servicePort[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]80[backcolor=transparent]    
26. [backcolor=transparent]EOF
28. [backcolor=transparent]root@master [backcolor=transparent]# kubectl get ing
29. [backcolor=transparent]NAME            HOSTS         ADDRESS          PORTS     AGE
30. [backcolor=transparent]simple[backcolor=transparent]-[backcolor=transparent]fanout   [backcolor=transparent]*[backcolor=transparent]             [backcolor=transparent]101.37[backcolor=transparent].[backcolor=transparent]192.211[backcolor=transparent]   [backcolor=transparent]80[backcolor=transparent]        [backcolor=transparent]11s

这时您可以通过 http://foo.bar.com/foo 访问到 http-svc1 服务；通过 http://foo.bar.com/bar 访问到 http-svc2 服务；通过 http://foo.example.com/film 访问到 http-svc3 服务。

[backcolor=transparent]注意：

• 如果是生产环境，您需要将您的这个域名指向上面返回的 ADDRESS 101.37.192.211。
• 如果是测试环境测试，您可以修改 hosts 文件添加一条域名映射规则。
  1. [backcolor=transparent] 101.37[backcolor=transparent] .[backcolor=transparent] 192.211[backcolor=transparent] foo[backcolor=transparent] .[backcolor=transparent] bar[backcolor=transparent] .[backcolor=transparent] com
  2. [backcolor=transparent]101.37[backcolor=transparent].[backcolor=transparent]192.211[backcolor=transparent] foo[backcolor=transparent].[backcolor=transparent]example[backcolor=transparent].[backcolor=transparent]com

配置安全的路由服务


支持多证书管理，为您的服务提供安全防护。

1. 
   准备您的服务证书。
   如果没有证书，可以通过下面的方法生成测试证书。

   
   [backcolor=transparent]注意：域名与您的 Ingress 配置要一致。

   [backcolor=transparent]root@master [backcolor=transparent]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.bar.com/O=foo.bar.com"

上面命令会生成一个证书文件 tls.crt、一个私钥文件 tls.key。
然后用该证书和私钥创建一个名为 foo.bar 的 Kubernetes Secret。创建 Ingress 时需要引用这个 Secret。

1. [backcolor=transparent]root@master [backcolor=transparent]# kubectl create secret tls foo.bar --key tls.key --cert tls.crt

创建一个安全的 Ingress 服务。

1. [backcolor=transparent]root@master [backcolor=transparent]# cat <<EOF | kubectl create -f -
2. [backcolor=transparent]apiVersion[backcolor=transparent]:[backcolor=transparent] extensions[backcolor=transparent]/[backcolor=transparent]v1beta1
3. [backcolor=transparent]kind[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]Ingress
4. [backcolor=transparent]metadata[backcolor=transparent]:
5. [backcolor=transparent]  name[backcolor=transparent]:[backcolor=transparent] tls[backcolor=transparent]-[backcolor=transparent]fanout
6. [backcolor=transparent]spec[backcolor=transparent]:
7. [backcolor=transparent]  tls[backcolor=transparent]:
8. [backcolor=transparent]  [backcolor=transparent]-[backcolor=transparent] hosts[backcolor=transparent]:
9. [backcolor=transparent]    [backcolor=transparent]-[backcolor=transparent] foo[backcolor=transparent].[backcolor=transparent]bar[backcolor=transparent].[backcolor=transparent]com
10. [backcolor=transparent]    secretName[backcolor=transparent]:[backcolor=transparent] foo[backcolor=transparent].[backcolor=transparent]bar
11. [backcolor=transparent]  rules[backcolor=transparent]:
12. [backcolor=transparent]  [backcolor=transparent]-[backcolor=transparent] host[backcolor=transparent]:[backcolor=transparent] foo[backcolor=transparent].[backcolor=transparent]bar[backcolor=transparent].[backcolor=transparent]com
13. [backcolor=transparent]    http[backcolor=transparent]:
14. [backcolor=transparent]      paths[backcolor=transparent]:
15. [backcolor=transparent]      [backcolor=transparent]-[backcolor=transparent] path[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]/[backcolor=transparent]foo
16. [backcolor=transparent]        backend[backcolor=transparent]:
17. [backcolor=transparent]          serviceName[backcolor=transparent]:[backcolor=transparent] http[backcolor=transparent]-[backcolor=transparent]svc1
18. [backcolor=transparent]          servicePort[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]80
19. [backcolor=transparent]      [backcolor=transparent]-[backcolor=transparent] path[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]/[backcolor=transparent]bar
20. [backcolor=transparent]        backend[backcolor=transparent]:
21. [backcolor=transparent]          serviceName[backcolor=transparent]:[backcolor=transparent] http[backcolor=transparent]-[backcolor=transparent]svc2
22. [backcolor=transparent]          servicePort[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]80
23. [backcolor=transparent]EOF
24. [backcolor=transparent]root@master [backcolor=transparent]# kubectl get ing
25. [backcolor=transparent]NAME            HOSTS         ADDRESS          PORTS     AGE
26. [backcolor=transparent]tls[backcolor=transparent]-[backcolor=transparent]fanout      [backcolor=transparent]*[backcolor=transparent]             [backcolor=transparent]101.37[backcolor=transparent].[backcolor=transparent]192.211[backcolor=transparent]   [backcolor=transparent]80[backcolor=transparent]        [backcolor=transparent]11s

按照 [backcolor=transparent]基于域名的简单扇出路由 中的注意事项，配置 hosts 文件或者设置域名来访问该 tls 服务。
您可以通过 http://foo.bar.com/foo 访问到 http-svc1 服务；通过 http://foo.bar.com/bar 访问到 http-svc2 服务。
您也可以通过 HTTP 的方式访问该 HTTPS 的服务。Ingress 默认对配置了 HTTPS 的 HTTP 访问重定向到 HTTPS 上面。所以访问 http://foo.bar.com/foo 会被自动重定向到 https://foo.bar.com/foo。

通过 Kubernetes Web UI 部署 Ingress

1. 
   将下面的 yml code 保存到 nginx-ingress.yml 文件中。[backcolor=transparent]apiVersion[backcolor=transparent]:[backcolor=transparent] extensions[backcolor=transparent]/[backcolor=transparent]v1beta1
2. [backcolor=transparent]kind[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]Ingress
3. [backcolor=transparent]metadata[backcolor=transparent]:
4. [backcolor=transparent]  name[backcolor=transparent]:[backcolor=transparent] simple
5. [backcolor=transparent]spec[backcolor=transparent]:
6. [backcolor=transparent]  rules[backcolor=transparent]:
7. [backcolor=transparent]  [backcolor=transparent]-[backcolor=transparent] http[backcolor=transparent]:
8. [backcolor=transparent]      paths[backcolor=transparent]:
9. [backcolor=transparent]      [backcolor=transparent]-[backcolor=transparent] path[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]/[backcolor=transparent]svc
10. [backcolor=transparent]        backend[backcolor=transparent]:
11. [backcolor=transparent]          serviceName[backcolor=transparent]:[backcolor=transparent] http[backcolor=transparent]-[backcolor=transparent]svc
12. [backcolor=transparent]          servicePort[backcolor=transparent]:[backcolor=transparent] [backcolor=transparent]80

登录 Kubernetes Web UI。
有关如何访问 Kubernetes Web UI，参见 访问 Kubernetes Web UI。
单击 [backcolor=transparent]CREATE 创建应用。
单击 [backcolor=transparent]Upload a YAML or JSON file。选择刚才保存的 nginx-svc.yml 文件
单击 [backcolor=transparent]DEPLOY。
这样就创建了一个 Ingress 的七层代理路由到 http-svc 服务上。
在 Kubernetes Web UI 上定位到 default 命名空间，选择 Ingress 资源。
可以看到您刚刚创建的 Ingress 资源及其访问地址 http://101.37.178.224/svc。

打开浏览器输入该地址即可访问刚刚创建的 http-svc 服务。