Installing ingress with a Kubernetes Helm chart

Author: 极简架构 | Published: 2024-09-08 10:22

Background

This article explains how to install ingress-nginx on Kubernetes using a Helm chart.

Installing ingress-nginx on Kubernetes with a Helm chart

1. ingress-nginx controller and k8s version compatibility requirements

https://github.com/kubernetes/ingress-nginx/blob/main/README.md#supported-versions-table
Supported  Ingress-NGINX version  k8s supported version         Alpine Version  Nginx Version  Helm Chart Version
🔄         v1.11.2                1.30, 1.29, 1.28, 1.27, 1.26  3.20.0          1.25.5         4.11.2
🔄         v1.11.1                1.30, 1.29, 1.28, 1.27, 1.26  3.20.0          1.25.5         4.11.1
🔄         v1.11.0                1.30, 1.29, 1.28, 1.27, 1.26  3.20.0          1.25.5         4.11.0
🔄         v1.10.4                1.30, 1.29, 1.28, 1.27, 1.26  3.20.0          1.25.5         4.10.4
🔄         v1.10.3                1.30, 1.29, 1.28, 1.27, 1.26  3.20.0          1.25.5         4.10.3

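2. Installation environment

Note: on linux amd64, just substitute the corresponding image versions and helm3 package; the installation procedure is the same.

linux arm64: kernel version 4.18.0-348.20.1.el7.aarch64 #1 SMP Wed Apr 13 20:57:50 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux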
Kubernetes: v1.28.0
Docker: 26.1.4
ingress-nginx: 4.11.2

3. Preparing the offline images

# Download the images the ingress controller depends on (machines in mainland China cannot pull them directly because the registry is blocked)
docker pull registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3
docker pull registry.k8s.io/ingress-nginx/controller:v1.11.2
# Export them as offline images
docker save -o kube-webhook-certgen-v1.4.3.tar registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3
docker save -o controller-v1.11.2.tar registry.k8s.io/ingress-nginx/controller:v1.11.2
# Import the offline images on every node of the k8s cluster
docker load -i controller-v1.11.2.tar
docker load -i kube-webhook-certgen-v1.4.3.tar

# docker images|grep ingress
registry.k8s.io/ingress-nginx/controller             v1.11.2   289a818c8d9c   2 weeks ago     294MB
registry.k8s.io/ingress-nginx/kube-webhook-certgen   v1.4.3    420193b27261   3 weeks ago     53.3MB


# Tag the images and push them to a local registry [optional]
#docker tag registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3 sealos.hub:5000/ingress-nginx/kube-webhook-certgen:v1.4.3
#docker push sealos.hub:5000/ingress-nginx/kube-webhook-certgen:v1.4.3
#docker tag registry.k8s.io/ingress-nginx/controller:v1.11.2 sealos.hub:5000/ingress-nginx/controller:v1.11.2
#docker push sealos.hub:5000/ingress-nginx/controller:v1.11.2
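
Added example (not part of the original article): `docker load` imports whatever the tar file contains, so it is worth confirming that every node ended up with the same images that were exported. The helper below compares a node's image IDs with the IDs recorded on the export machine. The function name and file format are assumptions of this example, the sample IDs are the short IDs from the `docker images` output above, and it assumes Docker's default image store, where the image ID does not change across save and load.

```shell
#!/bin/sh
# check_image_ids EXPECTED_FILE   (hypothetical helper, written for this example)
#   EXPECTED_FILE: "<repo:tag> <image id>" lines recorded on the machine that
#                  ran docker pull / docker save.
#   stdin:         the same two columns from the node being checked, e.g.
#                  docker images --format '{{.Repository}}:{{.Tag}} {{.ID}}'
# Prints OK / MISMATCH / MISSING per expected image; returns 1 on any problem.
check_image_ids() (
  expected=$1
  actual=$(cat)
  rc=0
  while read -r ref want; do
    [ -n "$ref" ] || continue
    got=$(printf '%s\n' "$actual" | awk -v r="$ref" '$1 == r { print $2; exit }')
    if [ -z "$got" ]; then
      echo "MISSING  $ref"; rc=1
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH $ref expected=$want actual=$got"; rc=1
    else
      echo "OK       $ref"
    fi
  done < "$expected"
  return "$rc"
)

# Constructed sample: expected IDs as listed by `docker images` above, and a
# node on which the certgen image was never loaded.
demo_check_image_ids() (
  exp=$(mktemp)
  cat > "$exp" <<'EOF'
registry.k8s.io/ingress-nginx/controller:v1.11.2 289a818c8d9c
registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3 420193b27261
EOF
  echo 'registry.k8s.io/ingress-nginx/controller:v1.11.2 289a818c8d9c' |
    check_image_ids "$exp"
  rc=$?
  rm -f "$exp"
  return "$rc"
)
demo_check_image_ids || echo "node is not ready for an offline install"
```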

4. Installing helm3 on linux (amd64)

Reference: https://helm.sh/zh/docs/intro/install/
https://github.com/helm/helm/releases

wget https://get.helm.sh/helm-v3.15.4-linux-amd64.tar.gz
tar -xvf helm-v3.15.4-linux-amd64.tar.gz
mv linux-amd64/helm /usr/local/bin/helm
helm version

5. Creating the registry credentials k8s uses to pull images

# Create the registry credentials: k8s uses them to authenticate image pulls; reference them through imagePullSecrets (imagePullSecrets: - name: scr)
kubectl create secret docker-registry scr \
  -n ingress-nginx \
  --docker-server=http://sealos.hub:5000 \
  --docker-username=admin \
  --docker-password=123456 \
  --docker-email=jinze@ali.com
# Delete the registry credentials
kubectl delete secret -n ingress-nginx scr

# View the decoded contents of the secret
kubectl get secret -n ingress-nginx scr --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode

6. Unpacking and installing ingress-nginx

# Install ingress-nginx with the Helm chart
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

# List all chart versions with helm:
helm search repo ingress-nginx/ingress-nginx -l
NAME                            CHART VERSION   APP VERSION     DESCRIPTION                                       
ingress-nginx/ingress-nginx     4.11.2          1.11.2          Ingress controller for Kubernetes using NGINX a...
ingress-nginx/ingress-nginx     4.11.1          1.11.1          Ingress controller for Kubernetes using NGINX a...
ingress-nginx/ingress-nginx     4.11.0          1.11.0          Ingress controller for Kubernetes using NGINX a...
ingress-nginx/ingress-nginx     4.10.4          1.10.4          Ingress controller for Kubernetes using NGINX a...
ingress-nginx/ingress-nginx     4.10.3          1.10.3          Ingress controller for Kubernetes using NGINX a...
ingress-nginx/ingress-nginx     4.10.2          1.10.2          Ingress controller for Kubernetes using NGINX a...
ingress-nginx/ingress-nginx     4.10.1          1.10.1          Ingress controller for Kubernetes using NGINX a...
ingress-nginx/ingress-nginx     4.10.0          1.10.0          Ingress controller for Kubernetes using NGINX a...

# Download a specific version with helm: 4.11.2
helm fetch ingress-nginx/ingress-nginx --version 4.11.2

# Unpack the ingress-nginx 4.11.2 chart package
tar -xvf ingress-nginx-4.11.2.tgz
# Edit the ingress-nginx configuration in values.yaml
vi ingress-nginx/values.yaml

# Configure the controller image
controller:
  image:
    chroot: false
    registry: registry.k8s.io
    image: ingress-nginx/controller
    tag: "v1.11.2"
    #digest: sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce
    # digest must be set to empty to be able to pull the registry.k8s.io/ingress-nginx/controller:v1.11.2 image
    digest:

# Configure the admissionWebhooks image
controller:
  admissionWebhooks:
    patch:
      image:
        #digest: sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3
        # digest must be set to empty to be able to pull the registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3 image
        digest:

# Expose ingress as a NodePort service
controller:
  service:
    #type: LoadBalancer
    type: NodePort
# Secret k8s uses to authenticate to the image registry when pulling
#imagePullSecrets: []
imagePullSecrets: 
- name: scr
# Install ingress-nginx with the Helm chart (upgrade it if it already exists)
cd /root/ingress-nginx && helm upgrade --install ingress-nginx . --namespace ingress-nginx --create-namespace

# Uninstall ingress-nginx
helm uninstall ingress-nginx -n ingress-nginx
# List the installed ingress release
helm list -A|grep ingress
# Verify that the ingress components came up normally
kubectl get svc -A |grep ingress
kubectl get pod -A |grep ingress
kubectl get deploy -n ingress-nginx ingress-nginx-controller -oyaml

# Output of a successful ingress-nginx installation
[root@bj-arm-master ingress-nginx]# helm upgrade --install ingress-nginx .  --namespace ingress-nginx --create-namespace 
Release "ingress-nginx" has been upgraded. Happy Helming!
NAME: ingress-nginx
LAST DEPLOYED: Fri Sep  6 11:20:42 2024
NAMESPACE: ingress-nginx
STATUS: deployed
REVISION: 2
TEST SUITE: None
NOTES:
The ingress-nginx controller has been installed.
Get the application URL by running these commands:
  export HTTP_NODE_PORT=$(kubectl get service --namespace ingress-nginx ingress-nginx-controller --output jsonpath="{.spec.ports[0].nodePort}")
  export HTTPS_NODE_PORT=$(kubectl get service --namespace ingress-nginx ingress-nginx-controller --output jsonpath="{.spec.ports[1].nodePort}")
  export NODE_IP="$(kubectl get nodes --output jsonpath="{.items[0].status.addresses[1].address}")"

  echo "Visit http://${NODE_IP}:${HTTP_NODE_PORT} to access your application via HTTP."
  echo "Visit https://${NODE_IP}:${HTTPS_NODE_PORT} to access your application via HTTPS."

An example Ingress that makes use of the controller:
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: example
    namespace: foo
  spec:
    ingressClassName: nginx
    rules:
      - host: www.example.com
        http:
          paths:
            - pathType: Prefix
              backend:
                service:
                  name: exampleService
                  port:
                    number: 80
              path: /
    # This section is only required if TLS is to be enabled for the Ingress
    tls:
      - hosts:
        - www.example.com
        secretName: example-tls

If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:

  apiVersion: v1
  kind: Secret
  metadata:
    name: example-tls
    namespace: foo
  data:
    tls.crt: <base64 encoded cert>
    tls.key: <base64 encoded key>
  type: kubernetes.io/tls

7. Configuring ingress forwarding rules:

-- ingress config demo1: requests to path / are forwarded to port 8080 of bte-service in namespace default
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
 name: bte
 namespace: default
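 #annotations:
   # Whatever path the client requests, the Ingress controller rewrites the target request path to the root path /
   # When a user visits http://example.com/foo, the NGINX Ingress Controller rewrites the request to http://my-service:80/. In other words, any request arriving via /foo is forwarded to the my-service service, and its request path is rewritten to the root path /
   #nginx.ingress.kubernetes.io/rewrite-target: /
spec:
 # Set the Ingress Controller class to nginx: this tells Kubernetes that this Ingress is handled by the NGINX Ingress Controller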
 ingressClassName: nginx
 rules:
 #- host: "*"
 - http:
     paths:
     - path: /
       pathType: Prefix
       backend:
         service:
           name: bte-service
           port:
             number: 8080

-- ingress config demo2: requests to path /layout are forwarded to port 8080 of layout-service in namespace default
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
 name: layout
 namespace: default
 annotations:
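   # Whatever path the client requests, the Ingress controller rewrites the target request path to the root path /
   # When a user visits http://example.com/foo, the NGINX Ingress Controller rewrites the request to http://my-service:80/. In other words, any request arriving via /foo is forwarded to the my-service service, and its request path is rewritten to the root path /
   nginx.ingress.kubernetes.io/rewrite-target: /
spec:
 # From k8s 1.18 on, set the Ingress Controller class to nginx: this tells Kubernetes that this Ingress is handled by the NGINX Ingress Controller
 ingressClassName: nginx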
 rules:
 #- host: "*"
 - http:
     paths:
     - path: /layout
       pathType: Prefix
       backend:
         service:
           name: layout-service
           port:
             number: 8080

8. Handling installation failures

Problem encountered during installation: the image cannot be pulled (ImagePullBackOff)
# kubectl get pod -A |grep ingress
ingress-nginx      ingress-nginx-admission-create-nz6hv       0/1     ImagePullBackOff   0          64s
# kubectl describe pod -n ingress-nginx      ingress-nginx-admission-create-nz6hv 
Problem 1: error: unable to pull image registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3

This image reference carries an extra @sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 compared with the image tag we imported offline.

Inspect the helm chart source to find the cause

Unable to pull image registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3
vi /root/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml & job-patchWebhook.yaml
digest: sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3

** fix: set digest to empty **

Restart ingress-nginx

helm upgrade --install ingress-nginx . --namespace ingress-nginx --create-namespace

Problem 2: unable to pull image registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce
# kubectl get pod -A |grep ingress
ingress-nginx      ingress-nginx-controller-5bddfb7dbf-gzjsx   0/1     ImagePullBackOff   0          49s     100.78.46.152    bj-arm-node1    <none>           <none>
# kubectl describe pod -n ingress-nginx      ingress-nginx-controller-5bddfb7dbf-gzjsx
  Failed to pull image "registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce": Error response from daemon: Get "https://registry.k8s.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
This image reference carries an extra @sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce compared with the image tag we imported offline.
Inspect the helm chart source to find the cause
cat /root/ingress-nginx/templates/controller-deployment.yaml
# Check the yaml files in the current directory for the string ingress-nginx.imageDigest
grep -o "ingress-nginx.imageDigest"  ./*.*
# Output
/root/ingress-nginx/templates/_helpers.tpl 

fix: set digest to empty

Restart ingress-nginx
helm upgrade --install ingress-nginx .  --namespace ingress-nginx --create-namespace 
The ingress-nginx pod comes up normally; the problem is fixed
# kubectl get pod -A |grep ingress
ingress-nginx      ingress-nginx-controller-785fcc99b-2zdhx   1/1     Running   0          22s

-- Problem fixed!
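
Added example (not part of the original article): both problems come down to the rendered manifests asking for `repo:tag@sha256:...` while the nodes only hold docker-loaded images that are known by tag. The check below reads rendered chart output plus a listing of the node's images and reports which references the node can satisfy without a pull, so the mismatch shows up before the install. The function name and the sample data are constructed for this example.

```shell
#!/bin/sh
# preflight_images LOCAL_FILE < rendered-manifests   (hypothetical helper)
#   LOCAL_FILE: what the node already has, one image per line, as printed by
#     docker images --digests --format '{{.Repository}}:{{.Tag}}@{{.Digest}}'
#     (an image imported with docker load shows "<none>" as its digest)
#   stdin: rendered chart output, e.g. helm template ingress-nginx . -n ingress-nginx
# Prints "local <ref>" or "pull  <ref>" per distinct image reference and
# returns 1 if any reference cannot be satisfied from the node itself.
preflight_images() (
  sed -nE 's/^[[:space:]]*(-[[:space:]]+)?image:[[:space:]]*"?([^"[:space:]]+)"?[[:space:]]*$/\2/p' |
  sort -u |
  awk -v lf="$1" '
    function repo_of(r) { sub(":[^:/]*$", "", r); return r }   # drop ":tag"
    BEGIN {
      while ((getline line < lf) > 0) {
        split(line, p, "@")                 # p[1]=repo:tag, p[2]=digest
        have_tag[p[1]] = 1
        if (p[2] ~ /^sha256:/) have_digest[repo_of(p[1]) "@" p[2]] = 1
      }
    }
    {
      if (split($0, q, "@") == 2) {         # digest-pinned: looked up by digest
        key = repo_of(q[1]) "@" q[2]
        ok = (key in have_digest)
      } else {                              # tag-only: looked up by repo:tag
        ok = ($0 in have_tag)
      }
      printf "%-5s %s\n", (ok ? "local" : "pull"), $0
      if (!ok) missing = 1
    }
    END { exit missing + 0 }'
)

# Constructed sample: the controller reference as rendered with the chart's
# default digest, checked against a node holding only the docker-loaded image.
demo_preflight() (
  node=$(mktemp)
  echo 'registry.k8s.io/ingress-nginx/controller:v1.11.2@<none>' > "$node"
  echo '  image: registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce' |
    preflight_images "$node"
  rc=$?; rm -f "$node"; return "$rc"
)
demo_preflight || echo "at least one image would have to be pulled"
```

With `digest` cleared the reference is tag-only, so each node runs whichever local image carries that tag.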
