在 Azure Kubernetes 服务 (AKS) 中使用静态公共 IP 地址创建入口控制器Create an ingress controller with a static public IP address in Azure Kubernetes Service (AKS)
入口控制器是一个软件片段,为 Kubernetes 服务提供反向代理、可配置的流量路由和 TLS 终止。An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination for Kubernetes services. Kubernetes 入口资源用于配置各个 Kubernetes 服务的入口规则和路由。Kubernetes ingress resources are used to configure the ingress rules and routes for individual Kubernetes services. 借助入口控制器和入口规则,可以使用单个 IP 地址将流量路由到 Kubernetes 群集中的多个服务。Using an ingress controller and ingress rules, a single IP address can be used to route traffic to multiple services in a Kubernetes cluster.
本文介绍如何在 Azure Kubernetes 服务 (AKS) 群集中部署 NGINX 入口控制器。This article shows you how to deploy the NGINX ingress controller in an Azure Kubernetes Service (AKS) cluster. 入口控制器配置了一个静态公共 IP 地址。The ingress controller is configured with a static public IP address. cert-manager 项目用于自动生成和配置 Let's Encrypt 证书。The cert-manager project is used to automatically generate and configure Let's Encrypt certificates. 最后,在 AKS 群集中运行两个应用程序(可通过单个 IP 地址访问其中的每个应用程序)。Finally, two applications are run in the AKS cluster, each of which is accessible over a single IP address.
也可执行以下操作:You can also:
创建具有外部网络连接的基本入口控制器Create a basic ingress controller with external network connectivity
创建使用你自己的 TLS 证书的入口控制器Create an ingress controller that uses your own TLS certificates
创建一个使用 Let's Encrypt 的入口控制器,以自动生成具有动态公共 IP 地址的 TLS 证书Create an ingress controller that uses Let's Encrypt to automatically generate TLS certificates with a dynamic public IP address
准备阶段Before you begin
本文假定你拥有现有的 AKS 群集。This article assumes that you have an existing AKS cluster. 如果需要 AKS 群集,请参阅 AKS 快速入门使用 Azure CLI 或使用 Azure 门户。If you need an AKS cluster, see the AKS quickstart using the Azure CLI or using the Azure portal.
本文使用 Helm 3 安装 NGINX 入口控制器和证书管理器。This article uses Helm 3 to install the NGINX ingress controller and cert-manager. 请确保使用最新版本的 Helm,并且有权访问 ingress-nginx 和 jetstack Helm 存储库 。Make sure that you are using the latest release of Helm and have access to the ingress-nginx and jetstack Helm repositories. 有关升级说明,请参阅 Helm 安装文档。有关配置和使用 Helm 的详细信息,请参阅在 Azure Kubernetes 服务 (AKS) 中使用 Helm 安装应用程序。For upgrade instructions, see the Helm install docs. For more information on configuring and using Helm, see Install applications with Helm in Azure Kubernetes Service (AKS).
本文还要求运行 Azure CLI 2.0.64 或更高版本。This article also requires that you are running the Azure CLI version 2.0.64 or later. 运行 az --version
即可查找版本。Run az --version
to find the version. 如果需要进行安装或升级,请参阅安装 Azure CLI。If you need to install or upgrade, see Install Azure CLI.
创建入口控制器Create an ingress controller
默认情况下,NGINX 入口控制器通过新的公共 IP 地址分配创建。By default, an NGINX ingress controller is created with a new public IP address assignment. 此公共 IP 地址仅对入口控制器的生命周期而言是静态的,如果删除并重新创建控制器,它将会丢失。This public IP address is only static for the life-span of the ingress controller, and is lost if the controller is deleted and re-created. 常见的配置要求是为 NGINX 入口控制器提供现有的静态公共 IP 地址。A common configuration requirement is to provide the NGINX ingress controller an existing static public IP address. 如果删除入口控制器,静态公共 IP 地址仍存在。The static public IP address remains if the ingress controller is deleted. 此方法允许在应用程序的整个生命周期中以一致的方式使用现有的 DNS 记录和网络配置。This approach allows you to use existing DNS records and network configurations in a consistent manner throughout the lifecycle of your applications.
如果需要创建静态公共 IP 地址,请首先使用 az aks show 命令获取 AKS 群集的资源组名称:If you need to create a static public IP address, first get the resource group name of the AKS cluster with the az aks show command:
az aks show --resource-group myResourceGroup --name myAKSCluster --query nodeResourceGroup -o tsv
接下来,使用 az network public-ip create 命令通过静态分配方法创建一个公共 IP 地址。Next, create a public IP address with the static allocation method using the az network public-ip create command. 以下示例在前面的步骤中获取的 AKS 群集资源组中创建名为 myAKSPublicIP 的公共 IP 地址:The following example creates a public IP address named myAKSPublicIP in the AKS cluster resource group obtained in the previous step:
az network public-ip create --resource-group MC_myResourceGroup_myAKSCluster_chinaeast2 --name myAKSPublicIP --sku Standard --allocation-method static --query publicIp.ipAddress -o tsv
备注
以上命令创建一个 IP 地址,如果你删除了 AKS 群集,该 IP 地址会被删除。The above commands create an IP address that will be deleted if you delete your AKS cluster. 或者,你可以在不同的资源组中创建一个 IP 地址,该资源组可以与你的 AKS 群集分开管理。Alternatively, you can create an IP address in a different resource group which can be managed separately from your AKS cluster. 如果在不同的资源组中创建 IP 地址,请确保 AKS 群集使用的服务主体具有委托给其他资源组的权限,例如网络参与者。If you create an IP address in a different resource group, ensure the service principal used by the AKS cluster has delegated permissions to the other resource group, such as Network Contributor. 有关详细信息,请参阅将静态公共 IP 地址和 DNS 标签用于 AKS 负载均衡器。For more information, see Use a static public IP address and DNS label with the AKS load balancer.
现在,通过 Helm 部署 nginx-ingress 图表。Now deploy the nginx-ingress chart with Helm. 对于增加的冗余,NGINX 入口控制器的两个副本会在部署时具备 --set controller.replicaCount
参数。For added redundancy, two replicas of the NGINX ingress controllers are deployed with the --set controller.replicaCount
parameter. 若要充分利用正在运行的入口控制器副本,请确保 AKS 群集中有多个节点。To fully benefit from running replicas of the ingress controller, make sure there's more than one node in your AKS cluster.
必须将另外两个参数传递给 Helm 版本,以便入口控制器知道要分配给入口控制器服务的负载均衡器的静态 IP 地址,以及应用到公共 IP 地址资源的 DNS 名称标签的静态 IP 地址。You must pass two additional parameters to the Helm release so the ingress controller is made aware both of the static IP address of the load balancer to be allocated to the ingress controller service, and of the DNS name label being applied to the public IP address resource. 为使 HTTPS 证书正常工作,使用 DNS 名称标签来配置用于入口控制器 IP 地址的 FQDN。For the HTTPS certificates to work correctly, a DNS name label is used to configure an FQDN for the ingress controller IP address.
- 添加
--set controller.service.loadBalancerIP
参数。Add the--set controller.service.loadBalancerIP
parameter. 指定在前面的步骤中创建的你自己的公共 IP 地址。Specify your own public IP address that was created in the previous step. - 添加
--set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"
参数。Add the--set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"
parameter. 指定要应用于在前面的步骤中创建的公共 IP 地址的 DNS 名称标签。Specify a DNS name label to be applied to the public IP address that was created in the previous step.
还需要在 Linux 节点上计划入口控制器。The ingress controller also needs to be scheduled on a Linux node. Windows Server 节点不应运行入口控制器。Windows Server nodes shouldn't run the ingress controller. 使用 --set nodeSelector
参数指定节点选择器,以告知 Kubernetes 计划程序在基于 Linux 的节点上运行 NGINX 入口控制器。A node selector is specified using the --set nodeSelector
parameter to tell the Kubernetes scheduler to run the NGINX ingress controller on a Linux-based node.
提示
以下示例为名为 ingress-basic 的入口资源创建 Kubernetes 命名空间。The following example creates a Kubernetes namespace for the ingress resources named ingress-basic. 根据需要为你自己的环境指定一个命名空间。Specify a namespace for your own environment as needed. 如果 AKS 群集未启用 Kubernetes RBAC,请将 --set rbac.create=false
添加到 Helm 命令中。If your AKS cluster is not Kubernetes RBAC enabled, add --set rbac.create=false
to the Helm commands.
提示
若要为对群集中容器的请求启用客户端源 IP 保留,请将 --set controller.service.externalTrafficPolicy=Local
添加到 Helm install 命令中。If you would like to enable client source IP preservation for requests to containers in your cluster, add --set controller.service.externalTrafficPolicy=Local
to the Helm install command. 客户端源 IP 存储在 X-Forwarded-For 下的请求头中。The client source IP is stored in the request header under X-Forwarded-For. 使用启用了“客户端源 IP 保留”的入口控制器时,TLS 直通将不起作用。When using an ingress controller with client source IP preservation enabled, TLS pass-through will not work.
使用入口控制器的 IP 地址以及要用于 FQDN 前缀的唯一名称来更新以下脚本 。Update the following script with the IP address of your ingress controller and a unique name that you would like to use for the FQDN prefix.
重要
运行命令时,必须将 STATIC_IP 和 DNS_LABEL 更新/替换为自己的 IP 地址和唯一名称。You must update replace STATIC_IP and DNS_LABEL with your own IP address and unique name when running the command.
# Create a namespace for your ingress resources
kubectl create namespace ingress-basic
# Add the ingress-nginx repository
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
# Use Helm to deploy an NGINX ingress controller
helm install nginx-ingress ingress-nginx/ingress-nginx \
--namespace ingress-basic \
--set controller.replicaCount=2 \
--set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
--set controller.image.registry=usgcr.azk8s.cn \
--set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux \
--set defaultBackend.image.repository=gcr.azk8s.cn/google_containers/defaultbackend-amd64 \
--set controller.admissionWebhooks.patch.nodeSelector."beta\.kubernetes\.io/os"=linux \
--set controller.service.loadBalancerIP="STATIC_IP" \
--set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"="DNS_LABEL"
为 NGINX 入口控制器创建 Kubernetes 负载均衡器服务时,会分配你的静态 IP 地址,如以下示例输出中所示:When the Kubernetes load balancer service is created for the NGINX ingress controller, your static IP address is assigned, as shown in the following example output:
$ kubectl --namespace ingress-basic get services -o wide -w nginx-ingress-ingress-nginx-controller
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
nginx-ingress-ingress-nginx-controller LoadBalancer 10.0.74.133 EXTERNAL_IP 80:32486/TCP,443:30953/TCP 44s app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx-ingress,app.kubernetes.io/name=ingress-nginx
由于尚未创建入口规则,如果浏览到该公共 IP 地址,则会显示 NGINX 入口控制器的默认 404 页面。No ingress rules have been created yet, so the NGINX ingress controller's default 404 page is displayed if you browse to the public IP address. 入口规则是通过以下步骤配置的。Ingress rules are configured in the following steps.
你可以通过查询公共 IP 地址上的 FQDN 来验证是否已应用 DNS 名称标签,如下所示:You can verify that the DNS name label has been applied by querying the FQDN on the public IP address as follows:
az network public-ip list --resource-group MC_myResourceGroup_myAKSCluster_chinaeast2 --query "[?ipAddress=='myAKSPublicIP'].[dnsSettings.fqdn]" -o tsv
现在可以通过 IP 地址或 FQDN 访问入口控制器。The ingress controller is now accessible through the IP address or the FQDN.
安装证书管理器Install cert-manager
NGINX 入口控制器支持 TLS 终止。The NGINX ingress controller supports TLS termination. 可通过多种方法为 HTTPS 检索和配置证书。There are several ways to retrieve and configure certificates for HTTPS. 本文演示如何使用证书管理器,该管理器提供自动 Lets Encrypt 证书生成和管理功能。This article demonstrates using cert-manager, which provides automatic Lets Encrypt certificate generation and management functionality.
备注
本文为 Let's Encrypt 使用 staging
环境。This article uses the staging
environment for Let's Encrypt. 在生产部署中,请在安装 Helm 图表时使用资源定义中的 letsencrypt-prod
和 https://acme-v02.api.letsencrypt.org/directory
。In production deployments, use letsencrypt-prod
and https://acme-v02.api.letsencrypt.org/directory
in the resource definitions and when installing the Helm chart.
若要在启用了 Kubernetes RBAC 的群集中安装 cert-manager 控制器,请使用以下 helm install
命令:To install the cert-manager controller in an Kubernetes RBAC-enabled cluster, use the following helm install
command:
# Label the cert-manager namespace to disable resource validation
kubectl label namespace ingress-basic cert-manager.io/disable-validation=true
# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io
# Update your local Helm chart repository cache
helm repo update
# Install the cert-manager Helm chart
helm install \
cert-manager \
--namespace ingress-basic \
--version v0.16.1 \
--set installCRDs=true \
--set nodeSelector."beta\.kubernetes\.io/os"=linux \
jetstack/cert-manager
若要详细了解证书管理器配置,请参阅证书管理器项目。For more information on cert-manager configuration, see the cert-manager project.
创建 CA 群集证书颁发者Create a CA cluster issuer
证书管理器需要 Issuer 或 ClusterIssuer 资源,才能颁发证书。Before certificates can be issued, cert-manager requires an Issuer or ClusterIssuer resource. 这两种 Kubernetes 资源的功能完全相同,区别在于 Issuer
适用于单一命名空间,而 ClusterIssuer
适用于所有命名空间。These Kubernetes resources are identical in functionality, however Issuer
works in a single namespace, and ClusterIssuer
works across all namespaces. 有关详细信息,请参阅证书管理器颁发者文档。For more information, see the cert-manager issuer documentation.
使用以下示例清单创建群集证书颁发者,例如 cluster-issuer.yaml
。Create a cluster issuer, such as cluster-issuer.yaml
, using the following example manifest. 将电子邮件地址更新为组织提供的有效地址:Update the email address with a valid address from your organization:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: user@contoso.com
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: nginx
podTemplate:
spec:
nodeSelector:
"kubernetes.io/os": linux
若要创建证书颁发者,请使用 kubectl apply
命令。To create the issuer, use the kubectl apply
command.
kubectl apply -f cluster-issuer.yaml --namespace ingress-basic
输出应类似于以下示例:The output should be similar to this example:
clusterissuer.cert-manager.io/letsencrypt-staging created
运行演示应用程序Run demo applications
入口控制器和证书管理解决方案已配置完毕。An ingress controller and a certificate management solution have been configured. 现在让我们在你的 AKS 群集中运行两个演示应用程序。Now let's run two demo applications in your AKS cluster. 此示例使用 Helm 来部署一个简单“Hello world”应用程序的两个实例。In this example, Helm is used to deploy two instances of a simple 'Hello world' application.
若要查看运行中的入口控制器,请在 AKS 群集中运行两个演示应用程序。To see the ingress controller in action, run two demo applications in your AKS cluster. 此示例使用 kubectl apply
来部署一个简单“Hello world”应用程序的两个实例。In this example, you use kubectl apply
to deploy two instances of a simple Hello world application.
创建“aks-helloworld.yaml”文件,并将其复制到以下示例 YAML 中:Create a aks-helloworld.yaml file and copy in the following example YAML:
apiVersion: apps/v1
kind: Deployment
metadata:
name: aks-helloworld
spec:
replicas: 1
selector:
matchLabels:
app: aks-helloworld
template:
metadata:
labels:
app: aks-helloworld
spec:
containers:
- name: aks-helloworld
image: mcr.microsoft.com/azuredocs/aks-helloworld:v1
ports:
- containerPort: 80
env:
- name: TITLE
value: "Welcome to Azure Kubernetes Service (AKS)"
---
apiVersion: v1
kind: Service
metadata:
name: aks-helloworld
spec:
type: ClusterIP
ports:
- port: 80
selector:
app: aks-helloworld
创建“ingress-demo.yaml”文件,并将其复制到以下示例 YAML 中:Create a ingress-demo.yaml file and copy in the following example YAML:
apiVersion: apps/v1
kind: Deployment
metadata:
name: ingress-demo
spec:
replicas: 1
selector:
matchLabels:
app: ingress-demo
template:
metadata:
labels:
app: ingress-demo
spec:
containers:
- name: ingress-demo
image: mcr.microsoft.com/azuredocs/aks-helloworld:v1
ports:
- containerPort: 80
env:
- name: TITLE
value: "AKS Ingress Demo"
---
apiVersion: v1
kind: Service
metadata:
name: ingress-demo
spec:
type: ClusterIP
ports:
- port: 80
selector:
app: ingress-demo
使用 kubectl apply
运行这两个演示应用程序:Run the two demo applications using kubectl apply
:
kubectl apply -f aks-helloworld.yaml --namespace ingress-basic
kubectl apply -f ingress-demo.yaml --namespace ingress-basic
创建入口路由Create an ingress route
两个应用程序现在都在 Kubernetes 群集中运行,但它们配置了服务类型 ClusterIP
。Both applications are now running on your Kubernetes cluster, however they're configured with a service of type ClusterIP
. 因此,无法通过 Internet 访问它们。As such, the applications aren't accessible from the internet. 若要公开发布这两个应用程序,请创建 Kubernetes 入口资源。To make them publicly available, create a Kubernetes ingress resource. 该入口资源配置将流量路由到这两个应用程序之一的规则。The ingress resource configures the rules that route traffic to one of the two applications.
在以下示例中,传往地址 https://demo-aks-ingress.chinaeast2.cloudapp.chinacloudapi.cn/
的流量将路由到名为 aks-helloworld
的服务。In the following example, traffic to the address https://demo-aks-ingress.chinaeast2.cloudapp.chinacloudapi.cn/
is routed to the service named aks-helloworld
. 传往地址 https://demo-aks-ingress.chinaeast2.cloudapp.chinacloudapi.cn/hello-world-two
的流量将路由到 ingress-demo
服务。Traffic to the address https://demo-aks-ingress.chinaeast2.cloudapp.chinacloudapi.cn/hello-world-two
is routed to the ingress-demo
service. 将 hosts 和 host 更新为在前面步骤中创建的 DNS 名称。Update the hosts and host to the DNS name you created in a previous step.
创建名为 hello-world-ingress.yaml
的文件,并将其复制到以下示例 YAML 中。Create a file named hello-world-ingress.yaml
and copy in the following example YAML.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: hello-world-ingress
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt-staging
nginx.ingress.kubernetes.io/rewrite-target: /$1
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
tls:
- hosts:
- demo-aks-ingress.chinaeast2.cloudapp.chinacloudapi.cn
secretName: tls-secret
rules:
- host: demo-aks-ingress.chinaeast2.cloudapp.chinacloudapi.cn
http:
paths:
- backend:
serviceName: aks-helloworld
servicePort: 80
path: /hello-world-one(/|$)(.*)
- backend:
serviceName: ingress-demo
servicePort: 80
path: /hello-world-two(/|$)(.*)
- backend:
serviceName: aks-helloworld
servicePort: 80
path: /(.*)
使用 kubectl apply
命令创建入口资源。Create the ingress resource using the kubectl apply
command.
kubectl apply -f hello-world-ingress.yaml --namespace ingress-basic
输出应类似于以下示例:The output should be similar to this example:
ingress.extensions/hello-world-ingress created
创建证书对象Create a certificate object
接下来,必须创建证书资源。Next, a certificate resource must be created. 证书资源定义了必需的 X.509 证书。The certificate resource defines the desired X.509 certificate. 有关详细信息,请参阅证书管理器证书。For more information, see cert-manager certificates.
证书管理器可能已使用 ingress-shim(自 v0.2.2 以来随证书管理器自动部署)为你自动创建了证书对象。Cert-manager has likely automatically created a certificate object for you using ingress-shim, which is automatically deployed with cert-manager since v0.2.2. 有关详细信息,请参阅 ingress-shim 文档。For more information, see the ingress-shim documentation.
若要验证证书是否已成功创建,请使用 kubectl describe certificate tls-secret --namespace ingress-basic
命令。To verify that the certificate was created successfully, use the kubectl describe certificate tls-secret --namespace ingress-basic
command.
如果颁发了证书,你将看到如下输出:If the certificate was issued, you will see output similar to the following:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CreateOrder 11m cert-manager Created new ACME order, attempting validation...
Normal DomainVerified 10m cert-manager Domain "demo-aks-ingress.chinaeast2.cloudapp.chinacloudapi.cn" verified with "http-01" validation
Normal IssueCert 10m cert-manager Issuing certificate...
Normal CertObtained 10m cert-manager Obtained certificate from ACME server
Normal CertIssued 10m cert-manager Certificate issued successfully
如果需要创建其他证书资源,则使用以下示例清单来实现。If you need to create an additional certificate resource, you can do so with the following example manifest. 将 dnsNames 和 domains 更新为在前面步骤中创建的 DNS 名称。Update the dnsNames and domains to the DNS name you created in a previous step. 如果使用仅限内部使用的入口控制器,请指定服务的内部 DNS 名称。If you use an internal-only ingress controller, specify the internal DNS name for your service.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: tls-secret
namespace: ingress-basic
spec:
secretName: tls-secret
dnsNames:
- demo-aks-ingress.chinaeast2.cloudapp.chinacloudapi.cn
acme:
config:
- http01:
ingressClass: nginx
domains:
- demo-aks-ingress.chinaeast2.cloudapp.chinacloudapi.cn
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
若要创建证书资源,请使用 kubectl apply
命令。To create the certificate resource, use the kubectl apply
command.
$ kubectl apply -f certificates.yaml
certificate.cert-manager.io/tls-secret created
测试入口配置Test the ingress configuration
打开 Web 浏览器,访问 Kubernetes 入口控制器的 FQDN,例如 https://demo-aks-ingress.chinaeast2.cloudapp.chinacloudapi.cn
。Open a web browser to the FQDN of your Kubernetes ingress controller, such as https://demo-aks-ingress.chinaeast2.cloudapp.chinacloudapi.cn
.
由于这些示例使用 letsencrypt-staging
,浏览器不信任颁发的 TLS/SSL 证书。As these examples use letsencrypt-staging
, the issued TLS/SSL certificate is not trusted by the browser. 接受警告提示以继续运行应用程序。Accept the warning prompt to continue to your application. 证书信息显示这个 伪 LE 中间 X1 证书是由 Let's Encrypt 颁发的。The certificate information shows this Fake LE Intermediate X1 certificate is issued by Let's Encrypt. 此伪证书指出 cert-manager
正确处理了请求并接收了提供程序提供的证书:This fake certificate indicates cert-manager
processed the request correctly and received a certificate from the provider:
如果将 Let's Encrypt 更改为使用 prod
而不是 staging
,则会使用由 Let's Encrypt 颁发的可信证书,如以下示例所示:When you change Let's Encrypt to use prod
rather than staging
, a trusted certificate issued by Let's Encrypt is used, as shown in the following example:
演示应用程序显示在 Web 浏览器中:The demo application is shown in the web browser:
现在向 FQDN 添加 /hello-world-two 路径,例如 https://demo-aks-ingress.chinaeast2.cloudapp.chinacloudapi.cn/hello-world-two
。Now add the /hello-world-two path to the FQDN, such as https://demo-aks-ingress.chinaeast2.cloudapp.chinacloudapi.cn/hello-world-two
. 下面显示了带自定义标题的第二个演示应用程序:The second demo application with the custom title is shown:
清理资源Clean up resources
本文使用 Helm 来安装入口组件、证书和示例应用。This article used Helm to install the ingress components, certificates, and sample apps. 在部署 Helm 图表时,会创建若干 Kubernetes 资源。When you deploy a Helm chart, a number of Kubernetes resources are created. 这些资源包括 pod、部署和服务。These resources includes pods, deployments, and services. 若要清理这些资源,可以删除整个示例命名空间,也可以删除单个资源。To clean up these resources, you can either delete the entire sample namespace, or the individual resources.
删除示例命名空间以及所有资源Delete the sample namespace and all resources
若要删除整个示例命名空间,请使用 kubectl delete
命令并指定命名空间名称。To delete the entire sample namespace, use the kubectl delete
command and specify your namespace name. 将会删除命名空间中的所有资源。All the resources in the namespace are deleted.
kubectl delete namespace ingress-basic
单独删除资源Delete resources individually
也可采用更细致的方法来删除单个已创建的资源。Alternatively, a more granular approach is to delete the individual resources created. 首先,请删除证书资源:First, remove the certificate resources:
kubectl delete -f certificates.yaml
kubectl delete -f cluster-issuer.yaml
现在使用 helm list
命令列出 Helm 版本。Now list the Helm releases with the helm list
command. 查找名为“nginx-ingress”和“cert-manager”的图表,如以下示例输出中所示 :Look for charts named nginx-ingress and cert-manager as shown in the following example output:
$ helm list --all-namespaces
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
nginx-ingress ingress-basic 1 2020-01-11 14:51:03.454165006 deployed nginx-ingress-1.28.2 0.26.2
cert-manager ingress-basic 1 2020-01-06 21:19:03.866212286 deployed cert-manager-v0.13.0 v0.13.0
使用 helm uninstall
命令卸载这些版本。Uninstall the releases with the helm uninstall
command. 下面的示例将卸载 NGINX 入口部署和证书管理器部署。The following example uninstalls the NGINX ingress deployment and certificate manager deployments.
$ helm uninstall nginx-ingress cert-manager -n ingress-basic
release "nginx-ingress" deleted
release "cert-manager" deleted
接下来,删除两个示例应用程序:Next, remove the two sample applications:
kubectl delete -f aks-helloworld.yaml --namespace ingress-basic
kubectl delete -f ingress-demo.yaml --namespace ingress-basic
删除命名空间自身。Delete the itself namespace. 使用 kubectl delete
命令并指定命名空间名称。Use the kubectl delete
command and specify your namespace name:
kubectl delete namespace ingress-basic
最后,删除为入口控制器创建的静态公共 IP 地址。Finally, remove the static public IP address created for the ingress controller. 提供在本文第一步中获取的 MC_ 群集资源组名,例如 MC_myResourceGroup_myAKSCluster_chinaeast2:Provide your MC_ cluster resource group name obtained in the first step of this article, such as MC_myResourceGroup_myAKSCluster_chinaeast2:
az network public-ip delete --resource-group MC_myResourceGroup_myAKSCluster_chinaeast2 --name myAKSPublicIP
后续步骤Next steps
本文包含 AKS 的一些外部组件。This article included some external components to AKS. 若要详细了解这些组件,请参阅以下项目页面:To learn more about these components, see the following project pages:
也可执行以下操作:You can also:
创建具有外部网络连接的基本入口控制器Create a basic ingress controller with external network connectivity
创建使用内部、专用网络和 IP 地址的入口控制器Create an ingress controller that uses an internal, private network and IP address
创建使用你自己的 TLS 证书的入口控制器Create an ingress controller that uses your own TLS certificates
使用动态公共 IP 创建入口控制器并配置 Let 's Encrypt 以自动生成 TLS 证书Create an ingress controller with a dynamic public IP and configure Let's Encrypt to automatically generate TLS certificates