
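Kubernetes: Installing nginx-controller as a Unified Gateway

 Updated: 2024-07-31 11:27:19   Author: 小小白鴿  
This article describes how to install nginx-controller as a unified gateway on Kubernetes. It should be a useful reference; if anything is wrong or not fully thought through, corrections are welcome.

What is nginx-controller?

  • It is a Kubernetes operator that drives nginx. It watches for users creating, updating and deleting NginxConf objects and drives the local nginx so that its configuration is updated dynamically: adding new proxies (http, https, tcp, udp), caching (browser cache, local cache), SSL certificates (inline in the configuration, ConfigMap, Secret), as well as updates and deletions.
  • It takes nginx's own configuration syntax (as in nginx.conf) as its configuration parameters, which keeps the nginx configuration transparent and easy to maintain.

Before installing

  • You need a Kubernetes environment
  • Create the CRD

If your Kubernetes version is below 1.29, delete every x-kubernetes-validations section from the CRD.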

  • crd.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: nginxconfs.stable.lhstack.com
spec:
  names:
    kind: NginxConf
    plural: nginxconfs
    singular: nginxconf
    listKind: NginxConfList
    shortNames:
      - ncf
  group: stable.lhstack.com
  scope: Namespaced
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          description: "nginx 對應http/stream組中include哪一項引入的配置"
          x-kubernetes-validations:
            - rule: "has(self.spec) && has(self.spec.config)"
              message: "spec.config參數為必填項"
            - rule: "(self.spec.configType == 'custom' && size(self.spec.customConfigPath) > 0) || (has(self.spec.configType) && self.spec.configType != 'custom') || !has(self.spec.configType)"
              message: "spec.configType是custom時,spec.customConfigPath參數為必填項"
          properties:
            spec:
              type: object
              required:
                - config
              properties:
                additions:
                  type: object
                  description: "附加ConfigMap,Secret,文本內容到指定路徑文件中,使用場景: 如tls證書"
                  properties:
                    values:
                      type: array
                      description: "將items.value中的內容輸出到容器指定路徑"
                      items:
                        type: object
                        x-kubernetes-validations:
                          - rule: "size(self.value) != 0 && size(self.path) != 0"
                            message: "values.value,values.path參數為必填項"
                        properties:
                          value:
                            type: string
                            description: "要輸出到文件的內容"
                          path:
                            type: string
                            description: "輸出目標路徑"
                    secrets:
                      type: array
                      description: "將secret中的內容輸出到容器指定路徑"
                      items:
                        type: object
                        x-kubernetes-validations:
                          - rule: "(has(self.name) && has(self.path)) || (has(self.name) && has(self.items))"
                            message: "(secrets.path,secrets.name)或者(secrets.items,secrets.name)參數為必填項"
                          - rule: "(has(self.path) && !has(self.items)) || (!has(self.path) && has(self.items))"
                            message: "secrets.path和secrets.items參數不能并存,只能二選一"
                        properties:
                          path:
                            type: string
                            description: "輸出目標路徑,同items參數不能并存,此路徑必須是一個目錄,不存在即創建目錄(多級目錄會同時創建)"
                          name:
                            type: string
                            description: "secret名稱"
                          namespace:
                            type: string
                            description: "secret所在命名空間"
                          items:
                            type: array
                            description: "secret中每一項,同path參數不能并存"
                            items:
                              type: object
                              x-kubernetes-validations:
                                - rule: "size(self.key) != 0 && size(self.path) != 0"
                                  message: "items.key和items.path不能為空"
                              properties:
                                key:
                                  type: string
                                  description: "secret項中的key"
                                path:
                                  type: string
                                  description: "secret中key的value值需要輸出到的目標文件路徑,此路徑必須是一個文件地址,不存在即創建文件(多級目錄會同時創建目錄)"
                    configMaps:
                      type: array
                      description: "將configMap中的內容輸出到容器指定路徑"
                      items:
                        type: object
                        x-kubernetes-validations:
                          - rule: "(has(self.name) && has(self.path)) || (has(self.name) && has(self.items))"
                            message: "(configMaps.path,configMaps.name)或者(configMaps.items,configMaps.name)參數為必填項"
                          - rule: "(has(self.path) && !has(self.items)) || (!has(self.path) && has(self.items))"
                            message: "configMaps.path和configMaps.items參數不能并存,只能二選一"
                        properties:
                          path:
                            type: string
                            description: "輸出目標路徑,同items參數不能并存,此路徑必須是一個目錄,不存在即創建目錄(多級目錄會同時創建)"
                          name:
                            type: string
                            description: "configMap名稱"
                          namespace:
                            type: string
                            description: "configMap所在命名空間"
                          items:
                            type: array
                            description: "configMap中每一項,同path參數不能并存"
                            items:
                              type: object
                              x-kubernetes-validations:
                                - rule: "size(self.key) != 0 && size(self.path) != 0"
                                  message: "items.key和items.path不能為空"
                              properties:
                                key:
                                  type: string
                                  description: "configMap項中的key"
                                path:
                                  type: string
                                  description: "configMap中key的value值需要輸出到的目標文件路徑,此路徑必須是一個文件地址,不存在即創建文件(多級目錄會同時創建目錄)"
                customConfigPath:
                  type: string
                  description: "當configType=custom時才生效,定義配置寫入到指定目錄下面"
                configType:
                  description: "配置類型,可選值 http,stream,custom,default: http"
                  enum:
                    - http
                    - stream
                    - custom
                  type: string
                config:
                  type: string
                  description: |
                    配置內容:
                    server {
                        listen       80;
                        listen  [::]:80;
                        server_name  localhost;
                        #access_log  /var/log/nginx/host.access.log  main;
                        location / {
                            root   /usr/share/nginx/html;
                            index  index.html index.htm;
                        }
                        #error_page  404              /404.html;
                        # redirect server error pages to the static page /50x.html
                        #
                        error_page   500 502 503 504  /50x.html;
                        location = /50x.html {
                            root   /usr/share/nginx/html;
                        }
                        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
                        #
                        #location ~ \.php$ {
                        #    proxy_pass   http://127.0.0.1;
                        #}
                        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
                        #
                        #location ~ \.php$ {
                        #    root           html;
                        #    fastcgi_pass   127.0.0.1:9000;
                        #    fastcgi_index  index.php;
                        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
                        #    include        fastcgi_params;
                        #}
                        # deny access to .htaccess files, if Apache's document root
                        # concurs with nginx's one
                        #
                        #location ~ /\.ht {
                        #    deny  all;
                        #}
                    }
---
  • Run the command to create the CRD
kubectl apply -f crd.yaml
  • You can then view the corresponding documentation with kubectl explain NginxConf, for example:

Installing nginx-controller

Here I deploy nginx-controller with a Deployment.

  • deployment.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: ingress
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-controller
  namespace: ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nginx-controller
  namespace: ingress
subjects:
  - kind: ServiceAccount
    name: nginx-controller
    namespace: ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-controller
  namespace: ingress
spec:
  replicas: 2
  selector:
    matchLabels:
      app: ingress
  template:
    metadata:
      labels:
        app: ingress
    spec:
      serviceAccountName: nginx-controller
      containers:
        - name: controller
          image: lhstack/nginx-controller:latest
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
              name: "http"
              protocol: "TCP"
            - containerPort: 443
              name: "https"
              protocol: "TCP"
          readinessProbe:
            httpGet:
              port: 9099
              path: /readyz
            successThreshold: 1
            failureThreshold: 3
            timeoutSeconds: 3 # request timeout
            periodSeconds: 30 # check every 30 seconds
            initialDelaySeconds: 5 # start probing after 5 seconds
          livenessProbe:
            httpGet:
              port: 9099
              path: /healthz
            successThreshold: 1
            failureThreshold: 3
            timeoutSeconds: 3 # request timeout
            periodSeconds: 60 # check every 60 seconds
            initialDelaySeconds: 5 # start probing after 5 seconds
          env:
            - name: KUBE_NAMESPACE
              value: "ingress" # Configuration is isolated by namespace: only NginxConf objects in the ingress namespace take effect. If unset or empty, NginxConf objects in all namespaces are watched.
          resources:
            requests:
              memory: 32Mi
              cpu: 10m
            limits:
              memory: 64Mi
              cpu: 10m
---
apiVersion: v1
kind: Service
metadata:
  name: ingress
  namespace: ingress
spec:
  selector:
    app: ingress
  type: NodePort
  clusterIP: 10.43.80.80 # pin the IP so that DNS can point at it; this requires a DNS service to be installed
  ports:
    - port: 80
      name: http
      protocol: TCP
      nodePort: 30080
    - port: 443
      name: https
      protocol: TCP
      nodePort: 30443

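You can then see from the command line that two containers have started.

My local environment differs from the defaults, so the IP and type may not match, but this makes little difference; I trust you will understand.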
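
deployment.yaml binds the controller's ServiceAccount to cluster-admin, so a compromise of the controller pod carries full control of the cluster. As an added example (not from the original article or the nginx-controller project), here is a narrower set of RBAC objects; the object names, and the assumption that the controller only needs read access to NginxConf objects and to the ConfigMap/Secret they reference (baidu-nginx-conf in kube-system, used later in this article), are mine, so check the controller's logs for "forbidden" errors and widen only as needed.

```yaml
# Added example: least-privilege replacement for the cluster-admin ClusterRoleBinding.
# Assumption: the controller only reads NginxConf objects and the referenced
# ConfigMaps/Secrets. All names ending in -read-* are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nginx-controller-read-nginxconfs
rules:
  - apiGroups: ["stable.lhstack.com"]   # group from crd.yaml
    resources: ["nginxconfs"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nginx-controller-read-nginxconfs
subjects:
  - kind: ServiceAccount
    name: nginx-controller
    namespace: ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-controller-read-nginxconfs
---
# Read access to certificate material, granted only in the namespace that
# holds it and only for the named objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nginx-controller-read-tls
  namespace: kube-system
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    resourceNames: ["baidu-nginx-conf"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nginx-controller-read-tls
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: nginx-controller
    namespace: ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-controller-read-tls
```

If the controller lists or watches ConfigMaps and Secrets instead of fetching them by name, the resourceNames restriction will not be enough and the Role needs list/watch without it.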

Adding an HTTP proxy

Let's try proxying Baidu. Because I already have a DNS service installed, it can be reached directly by domain name.

  • baidu-nginx-conf.yaml
apiVersion: stable.lhstack.com/v1
kind: NginxConf
metadata:
  name: baidu-web
  namespace: default # my local controller is configured to watch the default namespace
spec:
  config: |
    server {
        server_name baidu.lhstack.com;
        listen 80;
        gzip on;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
        gzip_min_length 1000;
        gzip_comp_level 6;
        gzip_proxied any;
        gzip_vary on;
        location / {
          proxy_pass https://www.baidu.com;
          proxy_http_version 1.1;
        }
    }

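You can see that it was created successfully and that the controller's log has picked it up.

Now try it in the browser.

Adding TLS certificate support

Generating the certificates

Here I use cfssl + cfssljson to generate the certificates.

  • Write ca-config.json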
{
    "signing": {
        "default": {
            "expiry": "876000h"
        },
        "profiles": {
            "lhstack": {
                "expiry": "876000h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
  • Write ca-csr.json
{
    "CN": "lhstack",
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "CN",
            "ST": "ChengDu",
            "L": "ChengDu",
            "O":"nginxConf",
            "OU":"lhstack"
        }
    ]
}
  • Generate the CA certificate
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
  • Write the server-csr.json configuration
{
    "CN": "lhstack.com",
    "hosts":[
        "*.lhstack.com"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "CN",
            "ST": "ChengDu",
            "L": "ChengDu",
            "O":"nginxConf",
            "OU":"lhstack"
        }
    ]
}
  • Generate the server certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=lhstack server-csr.json | cfssljson -bare server

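Importing the CA certificate into the browser

Google Chrome: Settings -> Privacy and security -> Security -> Manage certificates -> Trusted Root Certification Authorities -> Import -> Browse -> set the file type to All Files -> select ca.pem -> Import

Adding the certificate to the proxy service

Supplying the certificate with values

  • Write the configuration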
apiVersion: stable.lhstack.com/v1
kind: NginxConf
metadata:
  name: baidu-web
  namespace: default # my local controller is configured to watch the default namespace
spec:
  additions:
    values:
      - path: /opt/tls/baidu/tls.key
        value: | # paste the contents of server-key.pem
          -----BEGIN EC PRIVATE KEY-----
          MHcCAQEEIAT5gX3jgIEZS/ummtkAbNuazXZVjpm1g2huYRe1AAGeoAoGCCqGSM49
          AwEHoUQDQgAEqOSRM0QVMX/yT1WY6iDp1mTEqKncfDPN2hWLR8wtK8UrfsZdteC4
          tVq5qheqXpADlnXblDx8E88II/1L7mcgmg==
          -----END EC PRIVATE KEY-----
      - path: /opt/tls/baidu/tls.crt
        value: | # paste the contents of server.pem
          -----BEGIN CERTIFICATE-----
          MIICdjCCAhugAwIBAgIUbrgeVdgOzILZ0gBxHyWnApsTWn4wCgYIKoZIzj0EAwIw
          aTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0NoZW5nRHUxEDAOBgNVBAcTB0NoZW5n
          RHUxEjAQBgNVBAoTCW5naW54Q29uZjEQMA4GA1UECxMHbGhzdGFjazEQMA4GA1UE
          AxMHbGhzdGFjazAgFw0yNDAyMTkwNjE0MDBaGA8yMTI0MDEyNjA2MTQwMFowbTEL
          MAkGA1UEBhMCQ04xEDAOBgNVBAgTB0NoZW5nRHUxEDAOBgNVBAcTB0NoZW5nRHUx
          EjAQBgNVBAoTCW5naW54Q29uZjEQMA4GA1UECxMHbGhzdGFjazEUMBIGA1UEAxML
          bGhzdGFjay5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASo5JEzRBUxf/JP
          VZjqIOnWZMSoqdx8M83aFYtHzC0rxSt+xl214Li1WrmqF6pekAOWdduUPHwTzwgj
          /UvuZyCao4GaMIGXMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
          AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUnxNd1Vf52CFI4Jnf
          mJdWJINRfkgwHwYDVR0jBBgwFoAUwt+oneC6wLTC+iMEYnhbxLrH7OAwGAYDVR0R
          BBEwD4INKi5saHN0YWNrLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAhBQbWHu/9F6d
          6E7s48ltk2Gv4Jhvfk27QPV1+e7GBdoCIQCyRc8+IgO7ejlpZIfIOoKkdFgSZ5CZ
          HUCQbhbgFgl0Bg==
          -----END CERTIFICATE-----
  config: |
    server {
        listen 80;
        # permanently redirect port 80 to 443
        server_name baidu.lhstack.com;
        rewrite ^(.*)$ https://${server_name}$1 permanent;
    }
    server {
        server_name baidu.lhstack.com;
        listen 443 ssl http2;
        client_max_body_size 50m;
        ssl_certificate     /opt/tls/baidu/tls.crt;
        ssl_certificate_key  /opt/tls/baidu/tls.key;
        ssl_session_timeout  5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        gzip on;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
        gzip_min_length 1000;
        gzip_comp_level 6;
        gzip_proxied any;
        gzip_vary on;
        location / {
          proxy_pass https://www.baidu.com;
          proxy_http_version 1.1;
        }
    }
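  • Update the configuration
kubectl apply -f baidu-nginx-conf.yaml

You can see that the update succeeded.

Open it in the browser and you can see that it is now served over HTTPS.

Supplying the certificate with a ConfigMap

Delete the previous configuration

kubectl delete -f baidu-nginx-conf.yaml

The browser can no longer reach it either; it falls back to my default service.

The certificate files have been cleaned up as well.

  • Write the configuration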
apiVersion: v1
kind: ConfigMap
metadata:
  name: baidu-nginx-conf
  namespace: kube-system
data:
  tls.key: |
    -----BEGIN EC PRIVATE KEY-----
    MHcCAQEEIAT5gX3jgIEZS/ummtkAbNuazXZVjpm1g2huYRe1AAGeoAoGCCqGSM49
    AwEHoUQDQgAEqOSRM0QVMX/yT1WY6iDp1mTEqKncfDPN2hWLR8wtK8UrfsZdteC4
    tVq5qheqXpADlnXblDx8E88II/1L7mcgmg==
    -----END EC PRIVATE KEY-----
  tls.crt: |
    -----BEGIN CERTIFICATE-----
    MIICdjCCAhugAwIBAgIUbrgeVdgOzILZ0gBxHyWnApsTWn4wCgYIKoZIzj0EAwIw
    aTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0NoZW5nRHUxEDAOBgNVBAcTB0NoZW5n
    RHUxEjAQBgNVBAoTCW5naW54Q29uZjEQMA4GA1UECxMHbGhzdGFjazEQMA4GA1UE
    AxMHbGhzdGFjazAgFw0yNDAyMTkwNjE0MDBaGA8yMTI0MDEyNjA2MTQwMFowbTEL
    MAkGA1UEBhMCQ04xEDAOBgNVBAgTB0NoZW5nRHUxEDAOBgNVBAcTB0NoZW5nRHUx
    EjAQBgNVBAoTCW5naW54Q29uZjEQMA4GA1UECxMHbGhzdGFjazEUMBIGA1UEAxML
    bGhzdGFjay5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASo5JEzRBUxf/JP
    VZjqIOnWZMSoqdx8M83aFYtHzC0rxSt+xl214Li1WrmqF6pekAOWdduUPHwTzwgj
    /UvuZyCao4GaMIGXMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
    AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUnxNd1Vf52CFI4Jnf
    mJdWJINRfkgwHwYDVR0jBBgwFoAUwt+oneC6wLTC+iMEYnhbxLrH7OAwGAYDVR0R
    BBEwD4INKi5saHN0YWNrLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAhBQbWHu/9F6d
    6E7s48ltk2Gv4Jhvfk27QPV1+e7GBdoCIQCyRc8+IgO7ejlpZIfIOoKkdFgSZ5CZ
    HUCQbhbgFgl0Bg==
    -----END CERTIFICATE-----
---
apiVersion: stable.lhstack.com/v1
kind: NginxConf
metadata:
  name: baidu-web
  namespace: default # my local controller is configured to watch the default namespace
spec:
  additions:
    configMaps:
      - name: baidu-nginx-conf
        namespace: kube-system # if omitted, the default namespace is used
        path: /opt/tls/baidu
  config: |
    server {
        listen 80;
        # permanently redirect port 80 to 443
        server_name baidu.lhstack.com;
        rewrite ^(.*)$ https://${server_name}$1 permanent;
    }
    server {
        server_name baidu.lhstack.com;
        listen 443 ssl http2;
        client_max_body_size 50m;
        ssl_certificate     /opt/tls/baidu/tls.crt;
        ssl_certificate_key  /opt/tls/baidu/tls.key;
        ssl_session_timeout  5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        gzip on;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
        gzip_min_length 1000;
        gzip_comp_level 6;
        gzip_proxied any;
        gzip_vary on;
        location / {
          proxy_pass https://www.baidu.com;
          proxy_http_version 1.1;
        }
    }

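  • Update the configuration
kubectl apply -f baidu-nginx-conf.yaml

The browser can reach it again.

Supplying the certificate with a Secret

Delete the previous configuration

kubectl delete -f baidu-nginx-conf.yaml

The certificate files are cleaned up as well.

  • Write the configuration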
apiVersion: v1
kind: Secret
metadata:
  name: baidu-nginx-conf
  namespace: kube-system
type: kubernetes.io/tls # values under data must be base64-encoded
data:
  tls.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFUNWdYM2pnSUVaUy91bW10a0FiTnVhelhaVmpwbTFnMmh1WVJlMUFBR2VvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFcU9TUk0wUVZNWC95VDFXWTZpRHAxbVRFcUtuY2ZEUE4yaFdMUjh3dEs4VXJmc1pkdGVDNAp0VnE1cWhlcVhwQURsblhibER4OEU4OElJLzFMN21jZ21nPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ==
  tls.crt: <base64 of server.pem>
---
apiVersion: stable.lhstack.com/v1
kind: NginxConf
metadata:
  name: baidu-web
  namespace: default # my local controller is configured to watch the default namespace
spec:
  additions:
    secrets:
      - name: baidu-nginx-conf
        namespace: kube-system # if omitted, the default namespace is used
        path: /opt/tls/baidu
  config: | 
    server {
        listen 80;
        # permanently redirect port 80 to 443
        server_name baidu.lhstack.com;
        rewrite ^(.*)$ https://${server_name}$1 permanent;
    }
    server {
        server_name baidu.lhstack.com;
        listen 443 ssl http2;
        client_max_body_size 50m;
        ssl_certificate     /opt/tls/baidu/tls.crt;
        ssl_certificate_key  /opt/tls/baidu/tls.key;
        ssl_session_timeout  5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        gzip on;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
        gzip_min_length 1000;
        gzip_comp_level 6;
        gzip_proxied any;
        gzip_vary on;
        location / {
          proxy_pass https://www.baidu.com;
          proxy_http_version 1.1;
        }
    }

  • Update the configuration
kubectl apply -f baidu-nginx-conf.yaml

The browser can reach it normally here too.
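
All three variants above enable TLSv1 and TLSv1.1 and use a broad cipher string. As an added example (not from the original article), here is the Secret-based NginxConf with a tightened TLS block; the protocol and cipher choices are my assumptions for an ECDSA certificate like the one generated with cfssl earlier, and the article's original lines are kept as comments for comparison.

```yaml
# Added example: same objects and paths as the article, only the TLS settings change.
apiVersion: stable.lhstack.com/v1
kind: NginxConf
metadata:
  name: baidu-web
  namespace: default
spec:
  additions:
    secrets:
      # A Secret keeps the private key out of the NginxConf object (as with
      # values) and out of a ConfigMap, so access to it can be limited by RBAC.
      - name: baidu-nginx-conf
        namespace: kube-system
        path: /opt/tls/baidu
  config: |
    server {
        listen 80;
        server_name baidu.lhstack.com;
        rewrite ^(.*)$ https://${server_name}$1 permanent;
    }
    server {
        server_name baidu.lhstack.com;
        listen 443 ssl http2;
        client_max_body_size 50m;
        ssl_certificate      /opt/tls/baidu/tls.crt;
        ssl_certificate_key  /opt/tls/baidu/tls.key;
        ssl_session_timeout  5m;
        # was: ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996).
        ssl_protocols TLSv1.2 TLSv1.3;
        # was: ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # AEAD suites with forward secrecy only; ECDSA variants because the
        # server key is ecdsa/256. This list applies to TLS 1.2; with OpenSSL,
        # TLS 1.3 suites are not selected by ssl_ciphers.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
        gzip on;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
        gzip_min_length 1000;
        gzip_comp_level 6;
        gzip_proxied any;
        gzip_vary on;
        location / {
          proxy_pass https://www.baidu.com;
          proxy_http_version 1.1;
        }
    }
```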

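What if the certificate expires and its contents need to be updated?

If the certificate is stored in a ConfigMap or Secret, you need to update the ConfigMap or Secret manually and then use one of the following commands:

Trigger an update event for all NginxConf objects

This command triggers an event on every NginxConf object. Each one then goes through the update flow, which pulls the latest ConfigMap and Secret contents and writes them to the specified paths.

kubectl annotate NginxConf --all -A --overwrite updated=$(date +%s)

Trigger an update event for a single NginxConf

If you know which NginxConf needs updating, use this command to trigger its update event.

kubectl annotate -n {namespace} NginxConf {NginxConf-name} --overwrite update=$(date +%s)

If the certificate is supplied with values, none of this is needed: value is itself a field of the NginxConf object, so when it is modified Kubernetes treats the NginxConf as changed and the update event fires on its own.

Some of the images violated content rules, so the domain names were masked; the relevant domains can be seen in the configuration.

Summary

The above is my personal experience. I hope it serves as a useful reference, and I hope you will continue to support 腳本之家.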
