Expose an AKS service over HTTP or HTTPS using Application Gateway

These tutorials illustrate how to use Kubernetes Ingress Resources to expose an example Kubernetes service through the Azure Application Gateway over HTTP or HTTPS.

Prerequisites

  • The ingress-azure Helm chart is installed.
    • Greenfield Deployment: If you are starting from scratch, refer to these installation instructions, which outline the steps to deploy an AKS cluster with Application Gateway and install the Application Gateway ingress controller on the AKS cluster.
    • Brownfield Deployment: If you have an existing AKS cluster and Application Gateway, refer to these instructions to install the Application Gateway ingress controller on the AKS cluster.
  • If you want to use HTTPS on this application, you will need an x509 certificate and its private key.

Deploy guestbook application

The guestbook application is a canonical Kubernetes application that consists of a Web UI frontend, a backend and a Redis database. By default, guestbook exposes its application through a service named frontend on port 80. Without a Kubernetes Ingress Resource, the service is not accessible from outside the AKS cluster. We will use this application and set up Ingress Resources to access it through HTTP and HTTPS.

Follow the instructions below to deploy the guestbook application.

  1. Download guestbook-all-in-one.yaml from here
  2. Deploy guestbook-all-in-one.yaml into your AKS cluster by running:

    kubectl apply -f guestbook-all-in-one.yaml

Now, the guestbook application has been deployed.

Expose services over HTTP

In order to expose the guestbook application, we will be using the following ingress resource:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: guestbook
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: frontend
          servicePort: 80

This ingress will expose the frontend service of the guestbook-all-in-one deployment as a default backend of the Application Gateway.

Save the above ingress resource as ing-guestbook.yaml.

  1. Deploy ing-guestbook.yaml by running:

    kubectl apply -f ing-guestbook.yaml
    
  2. Check the log of the ingress controller for deployment status.

Now the guestbook application should be available. You can check this by visiting the public address of the Application Gateway.

Expose services over HTTPS

Without specified hostname

Without a specified hostname, the guestbook service will be available on all the hostnames pointing to the Application Gateway.

  1. Before deploying the ingress, you need to create a Kubernetes secret to host the certificate and private key. You can create a Kubernetes secret by running:

    kubectl create secret tls <guestbook-secret-name> --key <path-to-key> --cert <path-to-cert>
    
  2. Define the following ingress. In the ingress, specify the name of the secret in the secretName section.

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: guestbook
      annotations:
        kubernetes.io/ingress.class: azure/application-gateway
    spec:
      tls:
        - secretName: <guestbook-secret-name>
      rules:
      - http:
          paths:
          - backend:
              serviceName: frontend
              servicePort: 80
    

    Note

    Replace <guestbook-secret-name> in the above Ingress Resource with the name of your secret. Store the above Ingress Resource in a file named ing-guestbook-tls.yaml.

  3. Deploy ing-guestbook-tls.yaml by running:

    kubectl apply -f ing-guestbook-tls.yaml
    
  4. Check the log of the ingress controller for deployment status.

Now the guestbook application will be available on both HTTP and HTTPS.

With specified hostname

You can also specify the hostname on the ingress in order to multiplex TLS configurations and services. When a hostname is specified, the guestbook service will only be available on the specified host.

  1. Define the following ingress. In the ingress, specify the name of the secret in the secretName section and replace the hostname in the hosts section accordingly.

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: guestbook
      annotations:
        kubernetes.io/ingress.class: azure/application-gateway
    spec:
      tls:
        - hosts:
          - <guestbook.contoso.com>
          secretName: <guestbook-secret-name>
      rules:
      - host: <guestbook.contoso.com>
        http:
          paths:
          - backend:
              serviceName: frontend
              servicePort: 80
    
  2. Deploy ing-guestbook-tls-sni.yaml by running:

    kubectl apply -f ing-guestbook-tls-sni.yaml
    
  3. Check the log of the ingress controller for deployment status.

Now the guestbook application will be available on both HTTP and HTTPS, but only on the specified host (<guestbook.contoso.com> in this example).
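
The check below is an added example, not part of the original tutorial: before `kubectl create secret tls` is run, it verifies that the private key matches the certificate, that the certificate is not about to expire, and that it covers the hostname listed under tls.hosts. The function name check_tls_pair and the 30-day default are assumptions, and it requires the openssl command-line tool.

```shell
# Added example: pre-flight check for the files given to
# `kubectl create secret tls --cert <path-to-cert> --key <path-to-key>`.
# Usage: check_tls_pair CERT KEY HOST [MIN_DAYS]   (MIN_DAYS defaults to 30)
# Prints one finding per line and returns 0 only if every check passes.
check_tls_pair() {
    cert=$1; key=$2; host=$3; min_days=${4:-30}
    rc=0

    # 1. The certificate file must parse as PEM-encoded X.509.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is not a readable PEM certificate"
        return 1
    fi

    # 2. The key must belong to the certificate: compare the public keys.
    #    "-passin pass:" makes a passphrase-protected key fail, not prompt.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null || true)
    if [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK: private key matches certificate"
    else
        echo "FAIL: private key is unreadable or does not match certificate"
        rc=1
    fi

    # 3. The certificate must remain valid for at least MIN_DAYS more days.
    if openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" \
        >/dev/null 2>&1; then
        echo "OK: valid for at least $min_days more days"
    else
        echo "FAIL: expires within $min_days days or has already expired"
        rc=1
    fi

    # 4. The certificate must cover the host listed under tls.hosts.
    if openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match certificate"; then
        echo "OK: certificate covers $host"
    else
        echo "FAIL: certificate does not cover $host"
        rc=1
    fi

    return "$rc"
}
```

For the hostname example above, the call would be `check_tls_pair <path-to-cert> <path-to-key> guestbook.contoso.com`.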

Integrate with other services

The following ingress will allow you to add additional paths into this ingress and route those paths to other services:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: guestbook
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
  - http:
      paths:
      - path: </other/*>
        backend:
          serviceName: <other-service>
          servicePort: 80
      - backend:
          serviceName: frontend
          servicePort: 80