安装ingress-controller

1. 部署在k8s中的服务默认只能在集群内部方法，如果需要集群外部访问可以通过:NodePort、LoadBalance和Ingress进行处理

   nginx-ingress

2. 工作流程：

   1. The Ingress controller can then automatically program a frontend load balancer to enable Ingress configuration.
   2. Users who need to provide external access to their Kubernetes services create an Ingress resource that defines rules, including the URI path, backing service name, and other information

3. 原理：ingress在向ingress-controller注册的时候，会将服务信息注册到ingress-controller的nginx的配置中

   1. ingress-controller：实质就是一个方向代理，不同的实现对ingress的配置规则不一样
   2. ingress：实质就是定义代理的规则，如何进行跳转

4. 下载deployment

    curl -O https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
   

5. 修改镜像和deployment的容器参数，并对Role中设置configmaps的添加update权限

     containers:
    - name: nginx-ingress-controller
      image: wistiaanders/nginx-ingress-controller:0.25.1
      args:
        - /nginx-ingress-controller
        - --configmap=$(POD_NAMESPACE)/nginx-configuration
        - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
        - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx
        - --annotations-prefix=nginx.ingress.kubernetes.io
        - --ingress-class=k8s-nginx-ingress # 设置唯一表示，用于ingress resource的注册
        - --enable-ssl-passthrough          # 使用https时如果证书部署在server端这必须在启动参数设置--enable-ssl-passthrough
   

6. 安装deployment

    kubectl apply -f mandatory.yaml
   

7. 下载和部署service

    curl -O https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/cloud-generic.yaml
    # 安装
    kubectl apply -f cloud-generic.yaml
   

部署dashboard

kubernetes-dashboard必须通过https协议进行访问，所以先生成证书。

1. 创建目录

    mkdir dashboard
   

2. 生成密钥

    mkdir certs
    cd certs
    openssl genrsa -des3 -passout pass:x -out tls.pass.key 2048
    ...
    openssl rsa -passin pass:x -in tls.pass.key -out tls.key
    # Writing RSA key
    rm tls.pass.key
    openssl req -new -key tls.key -out tls.csr
    # 密码留空，提示设置域名填写  dashboard.tlh.com 也可以自行修改，其他信息更具自己的需求填写
   
    # 生成证书
    openssl x509 -req -sha256 -days 365 -in tls.csr -signkey tls.key -out tls.crt
    # 将生成的tls.crt证书安装到浏览器
   

3. 创建namespace和secrets

    # 创建namespace
    kubectl create namespace kubernetes-dashboard
    # 创建secrets，from-file为上面生成的密钥文件的路径
    kubectl create secret generic kubernetes-dashboard-certs --from-file=certs -n kubernetes-dashboard
    # 查看密钥
    kubectl describe secret kubernetes-dashboard-certs -n kubernetes-dashboard
   

4. 下载dashboard的部署文件

    curl -O https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta4/aio/deploy/recommended.yaml
   

5. 修改部署文件，设置启动参数配置密钥文件

     containers:
    - name: kubernetes-dashboard
      image: kubernetesui/dashboard:v2.0.0-beta4
      imagePullPolicy: Always
      ports:
        - containerPort: 8443
          protocol: TCP
      args:
        - --namespace=kubernetes-dashboard
        - --tls-key-file=tls.key    # 配置密钥文件
        - --tls-cert-file=tls.crt
   

6. 应用部署

    kubectl apply -f recommended.yaml
   

7. 创建ingress

   1. 编写ingress文件

       apiVersion: networking.k8s.io/v1beta1
       kind: Ingress
       metadata:
         labels:
           k8s-app: kubernetes-dashboard
         annotations:
           kubernetes.io/ingress.class: "k8s-nginx-ingress" # 选择指定的ingress-controller
           nginx.ingress.kubernetes.io/ssl-redirect: "true" # 强制重定向到https
           nginx.ingress.kubernetes.io/ssl-passthrough: "true" # 配置不在nginx进行https的解密，强制转发到server端进行处理，需要在ingress-controller的deployment启动参数添加enable-ssl-passthrough才生效
         name: kubernetes-dashboard
         namespace: kubernetes-dashboard
       spec:
         rules:
         - host: dashboard.tlh.com     # 为在创建自签名密钥时填写的域名
           http:
             paths:
             - path: /
               backend:
                 servicePort: 443
                 serviceName: kubernetes-dashboard
         tls:
         - hosts:
           - dashboard.tlh.com
           secretName: kubernetes-dashboard-certs
      

   2. 应用

       kubectl apply -f ingress.yaml
      

8. 查看ingress信息，将metallb分配的IP地址到本机的hosts文件中

    # 查看分配的IP地址
    kubectl describe ingress -n kubernetes-dashboard
    # 配置到宿主机的hosts文件
    查询到的IP  dashboard.tlh.com
   

9. 通过浏览器访问

    https://dashboard.tlh.com
   

10. 创建admin用户

    1. 创建dashboard-adminuser.yaml文件

        apiVersion: v1
        kind: ServiceAccount
        metadata:
          name: admin-user
          namespace: kubernetes-dashboard
        ---
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        metadata:
          name: admin-user
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: ClusterRole
          name: cluster-admin
        subjects:
        - kind: ServiceAccount
          name: admin-user
          namespace: kubernetes-dashboard
       

    2. 创建用户

        kubectl apply -f dashboard-adminuser.yaml
       

11. 获取登陆的token

    kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')