创建 HTTPS 入口控制器并在 Azure Kubernetes 服务 (AKS) 中使用自己的 TLS 证书Create an HTTPS ingress controller and use your own TLS certificates on Azure Kubernetes Service (AKS)

入口控制器是一个软件片段,为 Kubernetes 服务提供反向代理、可配置的流量路由和 TLS 终止。An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination for Kubernetes services. Kubernetes 入口资源用于配置各个 Kubernetes 服务的入口规则和路由。Kubernetes ingress resources are used to configure the ingress rules and routes for individual Kubernetes services. 借助入口控制器和入口规则,可以使用单个 IP 地址将流量路由到 Kubernetes 群集中的多个服务。Using an ingress controller and ingress rules, a single IP address can be used to route traffic to multiple services in a Kubernetes cluster.

本文介绍如何在 Azure Kubernetes 服务 (AKS) 群集中部署 NGINX 入口控制器This article shows you how to deploy the NGINX ingress controller in an Azure Kubernetes Service (AKS) cluster. 生成自己的证书,并创建用于入口路由的 Kubernetes 机密。You generate your own certificates, and create a Kubernetes secret for use with the ingress route. 最后,在 AKS 群集中运行两个应用程序(可通过单个 IP 地址访问其中的每个应用程序)。Finally, two applications are run in the AKS cluster, each of which is accessible over a single IP address.

也可执行以下操作:You can also:

准备阶段Before you begin

本文使用 Helm 3 安装 NGINX 入口控制器。This article uses Helm 3 to install the NGINX ingress controller. 确保使用最新版本的 Helm,并且有权访问 ingress-nginx Helm 存储库。Make sure that you are using the latest release of Helm and have access to the ingress-nginx Helm repository. 有关升级说明,请参阅 Helm 安装文档。有关配置和使用 Helm 的详细信息,请参阅在 Azure Kubernetes 服务 (AKS) 中使用 Helm 安装应用程序For upgrade instructions, see the Helm install docs. For more information on configuring and using Helm, see Install applications with Helm in Azure Kubernetes Service (AKS).

本文还要求运行 Azure CLI 2.0.64 或更高版本。This article also requires that you are running the Azure CLI version 2.0.64 or later. 运行 az --version 即可查找版本。Run az --version to find the version. 如果需要进行安装或升级,请参阅安装 Azure CLIIf you need to install or upgrade, see Install Azure CLI.

创建入口控制器Create an ingress controller

若要创建入口控制器,请使用 Helm 来安装 nginx-ingressTo create the ingress controller, use Helm to install nginx-ingress. 对于增加的冗余,NGINX 入口控制器的两个副本会在部署时具备 --set controller.replicaCount 参数。For added redundancy, two replicas of the NGINX ingress controllers are deployed with the --set controller.replicaCount parameter. 若要充分利用正在运行的入口控制器副本,请确保 AKS 群集中有多个节点。To fully benefit from running replicas of the ingress controller, make sure there's more than one node in your AKS cluster.

还需要在 Linux 节点上计划入口控制器。The ingress controller also needs to be scheduled on a Linux node. Windows Server 节点不应运行入口控制器。Windows Server nodes shouldn't run the ingress controller. 使用 --set nodeSelector 参数指定节点选择器,以告知 Kubernetes 计划程序在基于 Linux 的节点上运行 NGINX 入口控制器。A node selector is specified using the --set nodeSelector parameter to tell the Kubernetes scheduler to run the NGINX ingress controller on a Linux-based node.

提示

以下示例为名为 ingress-basic 的入口资源创建 Kubernetes 命名空间。The following example creates a Kubernetes namespace for the ingress resources named ingress-basic. 根据需要为你自己的环境指定一个命名空间。Specify a namespace for your own environment as needed. 如果 AKS 群集未启用 RBAC,请将 --set rbac.create=false 添加到 Helm 命令中。If your AKS cluster is not RBAC enabled, add --set rbac.create=false to the Helm commands.

提示

若要为对群集中容器的请求启用客户端源 IP 保留,请将 --set controller.service.externalTrafficPolicy=Local 添加到 Helm install 命令中。If you would like to enable client source IP preservation for requests to containers in your cluster, add --set controller.service.externalTrafficPolicy=Local to the Helm install command. 客户端源 IP 存储在 X-Forwarded-For 下的请求头中。The client source IP is stored in the request header under X-Forwarded-For. 使用启用了“客户端源 IP 保留”的入口控制器时,TLS 直通将不起作用。When using an ingress controller with client source IP preservation enabled, TLS pass-through will not work.

# Create a namespace for your ingress resources
kubectl create namespace ingress-basic

# Add the ingress-nginx repository
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

# Use Helm to deploy an NGINX ingress controller
helm install nginx-ingress ingress-nginx/ingress-nginx \
    --namespace ingress-basic \
    --set controller.replicaCount=2 \
    --set controller.image.registry=usgcr.azk8s.cn \
    --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
    --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux \
    --set defaultBackend.image.repository=gcr.azk8s.cn/google_containers/defaultbackend-amd64

在安装过程中,将为入口控制器创建一个 Azure 公共 IP 地址。During the installation, an Azure public IP address is created for the ingress controller. 此公共 IP 地址在入口控制器的寿命期内是静态的。This public IP address is static for the life-span of the ingress controller. 如果你删除入口控制器,则公共 IP 地址分配会丢失。If you delete the ingress controller, the public IP address assignment is lost. 如果你然后创建了另外的入口控制器,则会分配新的公共 IP 地址。If you then create an additional ingress controller, a new public IP address is assigned. 如果希望保持使用此公共 IP 地址,则可以改为创建具有静态公共 IP 地址的入口控制器If you wish to retain the use of the public IP address, you can instead create an ingress controller with a static public IP address.

若要获取公共 IP 地址,请使用 kubectl get service 命令。To get the public IP address, use the kubectl get service command.

kubectl --namespace ingress-basic get services -o wide -w nginx-ingress-ingress-nginx-controller

将 IP 地址分配给服务需要几分钟时间。It takes a few minutes for the IP address to be assigned to the service.

$ kubectl --namespace ingress-basic get services -o wide -w nginx-ingress-ingress-nginx-controller

NAME                                     TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)                      AGE   SELECTOR
nginx-ingress-ingress-nginx-controller   LoadBalancer   10.0.74.133   EXTERNAL_IP     80:32486/TCP,443:30953/TCP   44s   app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx

请记下此公共 IP 地址,因为在最后一个步骤中测试部署时需要用到。Make a note of this public IP address, as it's used in the last step to test the deployment.

尚未创建入口规则。No ingress rules have been created yet. 如果浏览到公共 IP 地址,将显示 NGINX 入口控制器的默认 404 页面。If you browse to the public IP address, the NGINX ingress controller's default 404 page is displayed.

生成 TLS 证书Generate TLS certificates

在本文中,我们将生成使用 openssl 的自签名证书。For this article, let's generate a self-signed certificate with openssl. 对于生产用途,应该通过提供商或你自己的证书颁发机构 (CA) 请求受信任的已签名证书。For production use, you should request a trusted, signed certificate through a provider or your own certificate authority (CA). 下一步骤将使用 TLS 证书和 OpenSSL 生成的私钥来生成 Kubernetes 机密。In the next step, you generate a Kubernetes Secret using the TLS certificate and private key generated by OpenSSL.

以下示例生成有效期为 365 天的、名为 aks-ingress-tls.crt 的 2048 位 RSA X509 证书。The following example generates a 2048-bit RSA X509 certificate valid for 365 days named aks-ingress-tls.crt. 私钥文件名为 aks-ingress-tls.keyThe private key file is named aks-ingress-tls.key. Kubernetes TLS 机密需要这两个文件。A Kubernetes TLS secret requires both of these files.

本文使用 demo.azure.com 使用者公用名,无需进行更改。This article works with the demo.azure.com subject common name and doesn't need to be changed. 对于生产用途,请为 -subj 参数指定自己的组织值:For production use, specify your own organizational values for the -subj parameter:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -out aks-ingress-tls.crt \
    -keyout aks-ingress-tls.key \
    -subj "/CN=demo.azure.com/O=aks-ingress-tls"

创建 TLS 证书的 Kubernetes 机密Create Kubernetes secret for the TLS certificate

若使 Kubernetes 能够对入口控制器使用 TLS 证书和私钥,需要创建并使用一个机密。To allow Kubernetes to use the TLS certificate and private key for the ingress controller, you create and use a Secret. 机密只需定义一次,它使用上一步骤中创建的证书和密钥文件。The secret is defined once, and uses the certificate and key file created in the previous step. 然后,可以在定义入口路由时引用此机密。You then reference this secret when you define ingress routes.

以下示例创建名为 aks-ingress-tls 的机密:The following example creates a Secret name aks-ingress-tls:

kubectl create secret tls aks-ingress-tls \
    --namespace ingress-basic \
    --key aks-ingress-tls.key \
    --cert aks-ingress-tls.crt

运行演示应用程序Run demo applications

已配置入口控制器和包含你的证书的机密。An ingress controller and a Secret with your certificate have been configured. 现在让我们在你的 AKS 群集中运行两个演示应用程序。Now let's run two demo applications in your AKS cluster. 此示例使用 Helm 来部署一个简单“Hello world”应用程序的两个实例。In this example, Helm is used to deploy two instances of a simple 'Hello world' application.

若要查看运行中的入口控制器,请在 AKS 群集中运行两个演示应用程序。To see the ingress controller in action, run two demo applications in your AKS cluster. 此示例使用 kubectl apply 来部署一个简单“Hello world”应用程序的两个实例。In this example, you use kubectl apply to deploy two instances of a simple Hello world application.

创建“aks-helloworld.yaml”文件,并将其复制到以下示例 YAML 中:Create a aks-helloworld.yaml file and copy in the following example YAML:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: aks-helloworld
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aks-helloworld
  template:
    metadata:
      labels:
        app: aks-helloworld
    spec:
      containers:
      - name: aks-helloworld
        image: mcr.microsoft.com/azuredocs/aks-helloworld:v1
        ports:
        - containerPort: 80
        env:
        - name: TITLE
          value: "Welcome to Azure Kubernetes Service (AKS)"
---
apiVersion: v1
kind: Service
metadata:
  name: aks-helloworld
spec:
  type: ClusterIP
  ports:
  - port: 80
  selector:
    app: aks-helloworld

创建“ingress-demo.yaml”文件,并将其复制到以下示例 YAML 中:Create a ingress-demo.yaml file and copy in the following example YAML:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ingress-demo
  template:
    metadata:
      labels:
        app: ingress-demo
    spec:
      containers:
      - name: ingress-demo
        image: mcr.microsoft.com/azuredocs/aks-helloworld:v1
        ports:
        - containerPort: 80
        env:
        - name: TITLE
          value: "AKS Ingress Demo"
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-demo
spec:
  type: ClusterIP
  ports:
  - port: 80
  selector:
    app: ingress-demo

使用 kubectl apply 运行这两个演示应用程序:Run the two demo applications using kubectl apply:

kubectl apply -f aks-helloworld.yaml --namespace ingress-basic
kubectl apply -f ingress-demo.yaml --namespace ingress-basic

创建入口路由Create an ingress route

两个应用程序现在都在 Kubernetes 群集中运行,但它们配置了服务类型 ClusterIPBoth applications are now running on your Kubernetes cluster, however they're configured with a service of type ClusterIP. 因此,无法通过 Internet 访问它们。As such, the applications aren't accessible from the internet. 若要公开发布这两个应用程序,请创建 Kubernetes 入口资源。To make them publicly available, create a Kubernetes ingress resource. 该入口资源配置将流量路由到这两个应用程序之一的规则。The ingress resource configures the rules that route traffic to one of the two applications.

在以下示例中,传往地址 https://demo.azure.com/ 的流量将路由到名为 aks-helloworld 的服务。In the following example, traffic to the address https://demo.azure.com/ is routed to the service named aks-helloworld. 传往地址 https://demo.azure.com/hello-world-two 的流量将路由到 ingress-demo 服务。Traffic to the address https://demo.azure.com/hello-world-two is routed to the ingress-demo service. 在本文中,无需更改这些演示主机名。For this article, you don't need to change those demo host names. 对于生产用途,请提供在证书请求和生成过程中指定的名称。For production use, provide the names specified as part of the certificate request and generation process.

提示

如果在证书请求过程中指定的主机名(CN 名称)与在入口路由中定义的主机不匹配,则入口控制器将显示“Kubernetes 入口控制器虚构证书”警告。If the host name specified during the certificate request process, the CN name, doesn't match the host defined in your ingress route, you ingress controller displays a Kubernetes Ingress Controller Fake Certificate warning. 请确保证书和入口路由主机名匹配。Make sure your certificate and ingress route host names match.

tls 节告知入口路由要对主机 demo.azure.com 使用名为 aks-ingress-tls 的机密。The tls section tells the ingress route to use the Secret named aks-ingress-tls for the host demo.azure.com. 同样,对于生产用途,请指定自己的主机地址。Again, for production use, specify your own host address.

创建名为 hello-world-ingress.yaml 的文件,并将其复制到以下示例 YAML 中。Create a file named hello-world-ingress.yaml and copy in the following example YAML.

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: hello-world-ingress
  namespace: ingress-basic
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  tls:
  - hosts:
    - demo.azure.com
    secretName: aks-ingress-tls
  rules:
  - host: demo.azure.com
    http:
      paths:
      - backend:
          serviceName: aks-helloworld
          servicePort: 80
        path: /hello-world-one(/|$)(.*)
      - backend:
          serviceName: ingress-demo
          servicePort: 80
        path: /hello-world-two(/|$)(.*)
      - backend:
          serviceName: aks-helloworld
          servicePort: 80
        path: /(.*)

使用 kubectl apply -f hello-world-ingress.yaml 命令创建入口资源。Create the ingress resource using the kubectl apply -f hello-world-ingress.yaml command.

kubectl apply -f hello-world-ingress.yaml

示例输出中显示创建了入口资源。The example output shows the ingress resource is created.

$ kubectl apply -f hello-world-ingress.yaml

ingress.extensions/hello-world-ingress created

测试入口配置Test the ingress configuration

若要使用虚构的 demo.azure.com 主机测试证书,请使用 curl 并指定 --resolve 参数。To test the certificates with our fake demo.azure.com host, use curl and specify the --resolve parameter. 此参数告知要将 demo.azure.com 名称映射到入口控制器的公共 IP 地址。This parameter lets you map the demo.azure.com name to the public IP address of your ingress controller. 请按以下示例中所示,指定自己的入口控制器的公共 IP 地址:Specify the public IP address of your own ingress controller, as shown in the following example:

curl -v -k --resolve demo.azure.com:443:EXTERNAL_IP https://demo.azure.com

未为此地址提供其他路径,因此入口控制器默认为 / 路由。No additional path was provided with the address, so the ingress controller defaults to the / route. 第一个演示应用程序已返回,如以下精简版示例输出中所示:The first demo application is returned, as shown in the following condensed example output:

$ curl -v -k --resolve demo.azure.com:443:EXTERNAL_IP https://demo.azure.com

[...]
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <link rel="stylesheet" type="text/css" href="/static/default.css">
    <title>Welcome to Azure Kubernetes Service (AKS)</title>
[...]

curl 命令中的 -v 参数输出详细信息,包括收到的 TLS 证书。The -v parameter in our curl command outputs verbose information, including the TLS certificate received. 在输出 curl 结果的中途,可以验证是否使用了你自己的 TLS 证书。Half-way through your curl output, you can verify that your own TLS certificate was used. 即使使用的是自签名证书, -k 参数也会继续加载页面。The -k parameter continues loading the page even though we're using a self-signed certificate. 以下示例显示了使用“颁发者:CN=demo.azure.com; O=aks-ingress-tls”证书:The following example shows that the issuer: CN=demo.azure.com; O=aks-ingress-tls certificate was used:

[...]
* Server certificate:
* subject: CN=demo.azure.com; O=aks-ingress-tls
* start date: Oct 22 22:13:54 2018 GMT
* expire date: Oct 22 22:13:54 2019 GMT
* issuer: CN=demo.azure.com; O=aks-ingress-tls
* SSL certificate verify result: self signed certificate (18), continuing anyway.
[...]

现在向地址添加“/hello-world-two”路径,例如 https://demo.azure.com/hello-world-twoNow add /hello-world-two path to the address, such as https://demo.azure.com/hello-world-two. 第二个使用自定义标题的演示应用程序已返回,如以下精简版示例输出中所示:The second demo application with the custom title is returned, as shown in the following condensed example output:

$ curl -v -k --resolve demo.azure.com:443:EXTERNAL_IP https://demo.azure.com/hello-world-two

[...]
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <link rel="stylesheet" type="text/css" href="/static/default.css">
    <title>AKS Ingress Demo</title>
[...]

清理资源Clean up resources

本文使用了 Helm 来安装入口组件和示例应用。This article used Helm to install the ingress components and sample apps. 在部署 Helm 图表时,会创建若干 Kubernetes 资源。When you deploy a Helm chart, a number of Kubernetes resources are created. 这些资源包括 pod、部署和服务。These resources include pods, deployments, and services. 若要清理这些资源,可以删除整个示例命名空间,也可以删除单个资源。To clean up these resources, you can either delete the entire sample namespace, or the individual resources.

删除示例命名空间以及所有资源Delete the sample namespace and all resources

若要删除整个示例命名空间,请使用 kubectl delete 命令并指定命名空间名称。To delete the entire sample namespace, use the kubectl delete command and specify your namespace name. 将会删除命名空间中的所有资源。All the resources in the namespace are deleted.

kubectl delete namespace ingress-basic

单独删除资源Delete resources individually

也可采用更细致的方法来删除单个已创建的资源。Alternatively, a more granular approach is to delete the individual resources created. 使用 helm list 命令列出 Helm 版本。List the Helm releases with the helm list command.

helm list --namespace ingress-basic

查找名为“nginx-ingress”的图表,如以下示例输出中所示:Look for chart named nginx-ingress as shown in the following example output:

$ helm list --namespace ingress-basic

NAME                    NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                   APP VERSION
nginx-ingress           ingress-basic   1               2020-01-06 19:55:46.358275 -0600 CST    deployed        nginx-ingress-1.27.1    0.26.1 

使用 helm uninstall 命令卸载这些版本。Uninstall the releases with the helm uninstall command.

helm uninstall nginx-ingress --namespace ingress-basic

下面的示例将卸载 NGINX 入口部署。The following example uninstalls the NGINX ingress deployment.

$ helm uninstall nginx-ingress --namespace ingress-basic

release "nginx-ingress" uninstalled

接下来,删除两个示例应用程序:Next, remove the two sample applications:

kubectl delete -f aks-helloworld.yaml --namespace ingress-basic
kubectl delete -f ingress-demo.yaml --namespace ingress-basic

删除将流量定向到示例应用的入口路由:Remove the ingress route that directed traffic to the sample apps:

kubectl delete -f hello-world-ingress.yaml

删除证书机密:Delete the certificate Secret:

kubectl delete secret aks-ingress-tls

最后,可以删除自身命名空间。Finally, you can delete the itself namespace. 使用 kubectl delete 命令并指定命名空间名称。Use the kubectl delete command and specify your namespace name:

kubectl delete namespace ingress-basic

后续步骤Next steps

本文包含 AKS 的一些外部组件。This article included some external components to AKS. 若要详细了解这些组件,请参阅以下项目页面:To learn more about these components, see the following project pages:

也可执行以下操作:You can also: