expose services on k8s via nginx-ingress-controller, traefik, ambassador

k8s.md

httpbin, whoami, qotm (quote of the moment) 服务特别适合用来作为测试

kubectl create namespace httpbin
kubectl create deploy httpbin --image=citizenstig/httpbin --port=8000 -n httpbin
kubectl expose deployment httpbin --name=httpbin -n httpbin --port=80 --target-port=8000

kubectl create ns whoami
kubectl create deploy whoami --image=containous/whoami --port=80 -n whoami --replicas=3
kubectl expose deployment whoami --name=whoami -n whoami --port=80 --target-port=80

kubectl create ns qotm
kubectl create deploy qotm --image=datawire/qotm:1.7 --port=5000 -n qotm --replicas=3
kubectl expose deployment qotm --name=qotm -n qotm --port=80 --target-port=5000

// https://github.com/kubernetes-up-and-running/kuard
kubectl run --restart=Never --image=gcr.io/kuar-demo/kuard-amd64:blue kuard
kubectl port-forward kuard 8080:8080

tips:

1. docker for mac stable channel 比较新的版本支持kubernetes single node cluster了。也可试试edge channel.

2. 较新版本的docker for mac 或 minikube支持 type=LoadBalancer类型 的service了(通过vpnkit), minikube tunnel也支持. 因此mac中不需要 MetalLB的方案，除非线上vps的microk8s

3. mac 中 k3d 可以创建multi-nodes kubernetes cluster. 非常方便本地开发测试

k3d version
k3d version v1.7.0
k3s version v1.17.3-k3s1

tips: k3s 1.17 里自带的traefik是 1.xx版本的 非2.0的 

# 会自动安装traefik 1.x
k3d create --name="demo" --workers="2" --publish "80:80" --publish "443:443" --api-port=16443

# --server-arg "--no-deploy=traefik" 禁止自动安装traefik 1.x, 然后通过helm 3 安装 traefik 2.x
k3d create --name k3s-traefik-v2 --workers 2 --publish "80:80" --publish "443:443" --server-arg "--no-deploy=traefik"
helm install traefik traefik/traefik --set dashboard.ingressRoute=true

4. 需要添加相关的记录到 /etc/hosts

istio 1.5.4 通过 Ingress Gateway 和 VirtualService 可以实现同样的效果

文档链接
https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/#accessing-ingress-services-using-a-browser

istioctl manifest apply --set profile=demo

kubectl apply -f samples/httpbin/httpbin.yaml

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - match:
    - uri:
        prefix: "/headers"
    route:
    - destination:
        port:
          number: 8000
        host: httpbin
EOF

注解：
httpbin-gateway 的host 要设为 *，because you can’t pass the Host header to a browser like you did with curl

httpbin virtualservice 的host 设为 *， 表示不限定， localhost/headers 或 httpbin.example.io/headers 都可以打开

设置了match，那么只能打开 /headers 这个页面。 如果去掉 match 部分，就可以打开 httpbin.exmaple.io 的其他页面了

试试这个

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "httpbin.example.io"
  gateways:
  - httpbin-gateway
  http:
  - route:
     - destination:
        port:
          number: 8000
        host: httpbin
EOF

Contour as ingress controller

https://blog.heptio.com/making-it-easy-to-use-envoy-as-a-kubernetes-load-balancer-dde82959f171

kubectl apply -f - << EOF
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: httpbin
  namespace: httpbin
spec:
  rules:
    - host: httpbin.example.io
      http:
        paths:
          - backend:
              serviceName: httpbin
              servicePort: 8000
            path: /
EOF

HTTPProxy

Note: IngressRoute is deprecated and will be removed after Contour 1.0 ships in November.

IngressRoute renamed to HTTPProxy

kubectl apply -f - << EOF
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: httpbin
  namespace: httpbin
spec:
  virtualhost:
    fqdn: httpbin.example.io
  routes:
    - conditions:
      - prefix: /
      services:
        - name: httpbin
          port: 8000
EOF