#### 环境介绍
```sh
k8s版本:1.18.20
ingress-nginx: 3.4.0
```
#### 安装ingress-nginx
##### 下载helm安装包
```sh
# Fetch the ingress-nginx 3.4.0 chart tarball from the project's GitHub releases over HTTPS.
# NOTE(review): nothing here checks the tarball's integrity. Before unpacking, compare
# `sha256sum ingress-nginx-3.4.0.tgz` with a checksum obtained from a source you trust.
$ wget https://github.com/kubernetes/ingress-nginx/releases/download/ingress-nginx-3.4.0/ingress-nginx-3.4.0.tgz
$ tar xvf ingress-nginx-3.4.0.tgz
# The later steps (writing values.yaml, `helm ... .`) are run from inside the unpacked chart directory.
$ cd ingress-nginx
```
#### 配置参数
```sh
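$ cat > values.yaml <<'EOF'
# Helm values for the ingress-nginx 3.4.0 chart: controller runs as a DaemonSet
# on host networking, pinned to nodes labelled ingress=nginx.
# NOTE(review): the nesting below was reconstructed to follow the layout of the
# chart's stock values.yaml; diff it against the file shipped in the 3.4.0
# tarball before installing.
# The heredoc delimiter is quoted so the shell writes this text verbatim.
controller:
  image:
    # Pulled from the Alibaba Cloud mirror instead of the upstream registry.
    repository: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller
    tag: "v0.40.1"
    # Keep the digest pin when swapping registries: a pull by digest only
    # succeeds if the mirror serves exactly this image content.
    digest: sha256:abffcf2d25e3e7c7b67a315a7c664ec79a1588c9c945d3c7a75637c2f55caec6
    pullPolicy: IfNotPresent
    runAsUser: 101
    # NOTE(review): presumably required so the controller can bind ports
    # 80/443 as uid 101 - confirm before tightening this to false.
    allowPrivilegeEscalation: true
  containerPort:
    http: 80
    https: 443
  config: {}
  configAnnotations: {}
  proxySetHeaders: {}
  addHeaders: {}
  dnsConfig: {}
  # NOTE(review): with hostNetwork: true a pod left on ClusterFirst falls back
  # to the node's resolver; use ClusterFirstWithHostNet if the controller has
  # to resolve in-cluster names.
  dnsPolicy: ClusterFirst
  reportNodeInternalIp: false
  # Host networking enabled: the pod shares the node's network namespace, so
  # every port the controller listens on is bound on the node itself (80/443
  # and, presumably, the 10254 health port). Limit what can reach these nodes
  # with host or network firewall rules.
  hostNetwork: true
  hostPort:
    enabled: true  # host ports enabled
    ports:
      http: 80
      https: 443
  electionID: ingress-controller-leader
  ingressClass: nginx
  podLabels: {}
  podSecurityContext: {}
  sysctls: {}
  publishService:
    enabled: true
    pathOverride: ""
  scope:
    enabled: false
  tcp:
    annotations: {}
  udp:
    annotations: {}
  extraArgs: {}
  extraEnvs: []
  kind: DaemonSet  # run the controller as a DaemonSet
  annotations: {}
  labels: {}
  updateStrategy: {}
  minReadySeconds: 0
  tolerations: []
  affinity: {}
  topologySpreadConstraints: []
  terminationGracePeriodSeconds: 300
  nodeSelector:
    ingress: nginx  # schedule only onto nodes labelled ingress=nginx
  livenessProbe:
    failureThreshold: 5
    initialDelaySeconds: 10
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 1
    port: 10254
  readinessProbe:
    failureThreshold: 3
    initialDelaySeconds: 10
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 1
    port: 10254
  healthCheckPath: "/healthz"
  podAnnotations: {}
  # replicaCount: 1  # commented out (disabled) in this guide
  minAvailable: 1
  resources:
    requests:
      cpu: 100m
      memory: 90Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 11
    targetCPUUtilizationPercentage: 50
    targetMemoryUtilizationPercentage: 50
  autoscalingTemplate: []
  enableMimalloc: true
  customTemplate:
    configMapName: ""
    configMapKey: ""
  service:
    enabled: true
    annotations: {}
    labels: {}
    externalIPs: []
    loadBalancerSourceRanges: []
    enableHttp: true
    enableHttps: true
    ports:
      http: 80
      https: 443
    targetPorts:
      http: http
      https: https
    # NOTE(review): a LoadBalancer Service is still created next to the
    # hostNetwork/hostPort exposure above; confirm both paths are intended.
    type: LoadBalancer
    nodePorts:
      http: ""
      https: ""
      tcp: {}
      udp: {}
    internal:
      enabled: false
      annotations: {}
  extraContainers: []
  extraVolumeMounts: []
  extraVolumes: []
  extraInitContainers: []
  admissionWebhooks:
    # Disabled in this guide: Ingress objects are then accepted without the
    # controller's admission-time validation, so a bad rule is only noticed
    # after it has been applied.
    enabled: false
    failurePolicy: Fail
    port: 8443
    service:
      annotations: {}
      externalIPs: []
      loadBalancerSourceRanges: []
      servicePort: 443
      type: ClusterIP
    patch:
      enabled: true
      image:
        repository: docker.io/jettech/kube-webhook-certgen
        tag: v1.3.0
        pullPolicy: IfNotPresent
      priorityClassName: ""
      podAnnotations: {}
      nodeSelector: {}
      tolerations: []
      runAsUser: 2000
  metrics:
    port: 10254
    enabled: false
    service:
      annotations: {}
      externalIPs: []
      loadBalancerSourceRanges: []
      servicePort: 9913
      type: ClusterIP
    serviceMonitor:
      enabled: false
      additionalLabels: {}
      namespace: ""
      namespaceSelector: {}
      scrapeInterval: 30s
      targetLabels: []
      metricRelabelings: []
    prometheusRule:
      enabled: false
      additionalLabels: {}
      rules: []
  lifecycle:
    preStop:
      exec:
        command:
          - /wait-shutdown
  priorityClassName: ""
revisionHistoryLimit: 10
maxmindLicenseKey: ""
defaultBackend:
  enabled: false
  image:
    repository: k8s.gcr.io/defaultbackend-amd64
    tag: "1.5"
    pullPolicy: IfNotPresent
    runAsUser: 65534
  extraArgs: {}
  serviceAccount:
    create: true
    name:
  extraEnvs: []
  port: 8080
  livenessProbe:
    failureThreshold: 3
    initialDelaySeconds: 30
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 5
  readinessProbe:
    failureThreshold: 6
    initialDelaySeconds: 0
    periodSeconds: 5
    successThreshold: 1
    timeoutSeconds: 5
  tolerations: []
  affinity: {}
  podSecurityContext: {}
  podLabels: {}
  nodeSelector: {}
  podAnnotations: {}
  replicaCount: 1
  minAvailable: 1
  resources: {}
  service:
    annotations: {}
    externalIPs: []
    loadBalancerSourceRanges: []
    servicePort: 80
    type: ClusterIP
  priorityClassName: ""
rbac:
  create: true
  scope: false
podSecurityPolicy:
  enabled: false
serviceAccount:
  create: true
  name:
imagePullSecrets: []
tcp: {}
udp: {}
EOF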
```
#### 创建命名空间
```sh
# Create the namespace that the Helm release is installed into (the -n value used by the helm commands).
$ kubectl create namespace ingress-nginx
```
#### 节点打标签
```sh
# Label the nodes that should run the controller; values.yaml selects them with nodeSelector ingress=nginx.
# Because the controller uses hostNetwork/hostPort, each labelled node serves ports 80/443 directly.
# NOTE(review): values.yaml sets tolerations: [] - if the k8s-master* nodes carry a NoSchedule taint,
# the DaemonSet pods will not be placed there despite the label; confirm against your cluster.
$ kubectl label nodes k8s-master1 ingress=nginx
$ kubectl label nodes k8s-master2 ingress=nginx
$ kubectl label nodes k8s-node1 ingress=nginx
```
#### 安装ingress-nginx
```sh
# Install the release (or upgrade it if it already exists) from the unpacked chart in the current directory.
# No -f/--values flag is passed: the values.yaml written earlier with `cat >` from inside the chart
# directory replaced the chart's own defaults file, so those settings are what Helm picks up.
$ helm -n ingress-nginx upgrade -i ingress-nginx .
```
#### 卸载ingress-nginx
```sh
# Remove the Helm release. The namespace and the ingress=nginx node labels were created
# separately with kubectl in this guide, so they stay in place until removed by hand.
$ helm -n ingress-nginx uninstall ingress-nginx
```
#### 测试ingress-nginx
##### 部署一个测试nginx服务
```sh
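# Write a test backend: a 3-replica nginx Deployment plus a ClusterIP Service in front of it.
# The heredoc delimiter is quoted so the shell writes the manifest verbatim.
$ cat > nginx-deployment.yml <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deploy
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # NOTE(review): no tag or digest, so this resolves to whatever
          # "latest" is at pull time; pin a version for anything beyond a
          # throwaway test.
          image: nginx
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  type: ClusterIP
EOF
# Writing the file alone deploys nothing; apply it to the current namespace.
$ kubectl apply -f nginx-deployment.yml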
```
#### 配置ingress对象
##### 创建TLS证书Secret
```sh
# Create a TLS Secret from an existing certificate/key pair; the name is what the Ingress
# references in tls.secretName. No -n is given, so it lands in the current namespace.
# NOTE(review): the .key file is the certificate's private key - keep it out of version
# control and restrict its file permissions on the machine where this is run.
$ kubectl create secret tls shudoon-com-tls --cert=5024509__example.com.pem --key=5024509__example.com.key
```
#### 创建ingress规则
```sh
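# Write the Ingress rule that routes tnginx.example.com to nginx-service and terminates TLS.
# The heredoc delimiter is quoted so the shell writes the manifest verbatim.
$ cat >tnginx-ingress.yaml <<'EOF'
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: tnginx-ingress
spec:
  rules:
    - host: tnginx.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: nginx-service
              servicePort: 80
  # This section is only required if TLS is to be enabled for the Ingress
  tls:
    - hosts:
        - tnginx.example.com
      # The Secret must exist in the same namespace as this Ingress.
      secretName: shudoon-com-tls
EOF
# Writing the file alone creates nothing; apply it to the current namespace.
$ kubectl apply -f tnginx-ingress.yaml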
```
测试 https://tnginx.example.com/
#### 问题
问题:创建自定义ingress时报错:`Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io"`
查看策略
```sh
# List the cluster's validating webhook configurations to see whether ingress-nginx-admission is registered.
$ kubectl get validatingwebhookconfigurations
```
删除策略
```sh
# Delete the ingress-nginx admission webhook registration so the API server stops calling it.
# This removes admission-time validation of Ingress objects for the whole cluster.
# NOTE(review): values.yaml in this guide sets admissionWebhooks.enabled: false, so this object is
# presumably a leftover from an earlier install - confirm that before deleting it. If the webhook
# is meant to stay enabled, fix reachability of its Service instead of removing the check.
# ValidatingWebhookConfiguration is cluster-scoped, so -A has no effect here.
$ kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission
```