安裝ingress-controller

1. 部署在k8s中的服務(wù)默認只能在集群內(nèi)部方法，如果需要集群外部訪問可以通過:NodePort爆袍、LoadBalance和Ingress進行處理

   nginx-ingress

2. 工作流程：

   1. The Ingress controller can then automatically program a frontend load balancer to enable Ingress configuration.
   2. Users who need to provide external access to their Kubernetes services create an Ingress resource that defines rules, including the URI path, backing service name, and other information

3. 原理：ingress在向ingress-controller注冊的時候泣港，會將服務(wù)信息注冊到ingress-controller的nginx的配置中

   1. ingress-controller：實質(zhì)就是一個方向代理沼本，不同的實現(xiàn)對ingress的配置規(guī)則不一樣
   2. ingress：實質(zhì)就是定義代理的規(guī)則捎废，如何進行跳轉(zhuǎn)

4. 下載deployment

    curl -O https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
   

5. 修改鏡像和deployment的容器參數(shù)舒萎，并對Role中設(shè)置configmaps的添加update權(quán)限

     containers:
    - name: nginx-ingress-controller
      image: wistiaanders/nginx-ingress-controller:0.25.1
      args:
        - /nginx-ingress-controller
        - --configmap=$(POD_NAMESPACE)/nginx-configuration
        - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
        - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx
        - --annotations-prefix=nginx.ingress.kubernetes.io
        - --ingress-class=k8s-nginx-ingress # 設(shè)置唯一表示曹洽，用于ingress resource的注冊
        - --enable-ssl-passthrough          # 使用https時如果證書部署在server端這必須在啟動參數(shù)設(shè)置--enable-ssl-passthrough
   

6. 安裝deployment

    kubectl apply -f mandatory.yaml
   

7. 下載和部署service

    curl -O https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
    # 安裝
    kubectl apply -f cloud-generic.yaml
   

部署dashboard

kubernetes-dashboard必須通過https協(xié)議進行訪問，所以先生成證書辽剧。

1. 創(chuàng)建目錄

    mkdir dashboard
   

2. 生成密鑰

    mkdir certs
    cd certs
    openssl genrsa -des3 -passout pass:x -out tls.pass.key 2048
    ...
    openssl rsa -passin pass:x -in tls.pass.key -out tls.key
    # Writing RSA key
    rm tls.pass.key
    openssl req -new -key tls.key -out tls.csr
    # 密碼留空送淆，提示設(shè)置域名填寫  dashboard.tlh.com 也可以自行修改，其他信息更具自己的需求填寫
   
    # 生成證書
    openssl x509 -req -sha256 -days 365 -in tls.csr -signkey tls.key -out tls.crt
    # 將生成的tls.crt證書安裝到瀏覽器
   

3. 創(chuàng)建namespace和secrets

    # 創(chuàng)建namespace
    kubectl create namespace kubernetes-dashboard
    # 創(chuàng)建secrets怕轿，from-file為上面生成的密鑰文件的路徑
    kubectl create secret generic kubernetes-dashboard-certs --from-file=certs -n kubernetes-dashboard
    # 查看密鑰
    kubectl describe secret kubernetes-dashboard-certs -n kubernetes-dashboard
   

4. 下載dashboard的部署文件

    curl -O https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta4/aio/deploy/recommended.yaml
   

5. 修改部署文件，設(shè)置啟動參數(shù)配置密鑰文件

     containers:
    - name: kubernetes-dashboard
      image: kubernetesui/dashboard:v2.0.0-beta4
      imagePullPolicy: Always
      ports:
        - containerPort: 8443
          protocol: TCP
      args:
        - --namespace=kubernetes-dashboard
        - --tls-key-file=tls.key    # 配置密鑰文件
        - --tls-cert-file=tls.crt
   

6. 應(yīng)用部署

    kubectl apply -f recommended.yaml
   

7. 創(chuàng)建ingress

   1. 編寫ingress文件

       apiVersion: networking.k8s.io/v1beta1
       kind: Ingress
       metadata:
         labels:
           k8s-app: kubernetes-dashboard
         annotations:
           kubernetes.io/ingress.class: "k8s-nginx-ingress" # 選擇指定的ingress-controller
           nginx.ingress.kubernetes.io/ssl-redirect: "true" # 強制重定向到https
           nginx.ingress.kubernetes.io/ssl-passthrough: "true" # 配置不在nginx進行https的解密，強制轉(zhuǎn)發(fā)到server端進行處理质涛，需要在ingress-controller的deployment啟動參數(shù)添加enable-ssl-passthrough才生效
         name: kubernetes-dashboard
         namespace: kubernetes-dashboard
       spec:
         rules:
         - host: dashboard.tlh.com     # 為在創(chuàng)建自簽名密鑰時填寫的域名
           http:
             paths:
             - path: /
               backend:
                 servicePort: 443
                 serviceName: kubernetes-dashboard
         tls:
         - hosts:
           - dashboard.tlh.com
           secretName: kubernetes-dashboard-certs
      

   2. 應(yīng)用

       kubectl apply -f ingress.yaml
      

8. 查看ingress信息皱蹦，將metallb分配的IP地址到本機的hosts文件中

    # 查看分配的IP地址
    kubectl describe ingress -n kubernetes-dashboard
    # 配置到宿主機的hosts文件
    查詢到的IP  dashboard.tlh.com
   

9. 通過瀏覽器訪問

    https://dashboard.tlh.com
   

10. 創(chuàng)建admin用戶

    1. 創(chuàng)建dashboard-adminuser.yaml文件

        apiVersion: v1
        kind: ServiceAccount
        metadata:
          name: admin-user
          namespace: kubernetes-dashboard
        ---
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        metadata:
          name: admin-user
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: ClusterRole
          name: cluster-admin
        subjects:
        - kind: ServiceAccount
          name: admin-user
          namespace: kubernetes-dashboard
       

    2. 創(chuàng)建用戶

        kubectl apply -f dashboard-adminuser.yaml
       

11. 獲取登陸的token

    kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')