# 创建默认的Nginx Server证书,该证书用于针对404页面响应和默认TLS证书。nginx默认提供了自签名证书 common/default-server-secret.yaml, 但是更加推荐使用自己的公司证书。[root@maxiaoke nginxinc-ingress]# kubectl create secret -n nginx-ingress tls default-server-secret --cert=certs/server.crt --key=certs/server.key[root@maxiaoke nginxinc-ingress]# kubectl apply -f common/nginx-config.yaml[root@maxiaoke nginxinc-ingress]# kubectl apply -f common/ingress-class.yaml[root@maxiaoke nginxinc-ingress]# kubectl apply -f common/crds/k8s.nginx.org_virtualservers.yaml[root@maxiaoke nginxinc-ingress]# kubectl apply -f common/crds/k8s.nginx.org_virtualserverroutes.yaml[root@maxiaoke nginxinc-ingress]# kubectl apply -f common/crds/k8s.nginx.org_transportservers.yaml[root@maxiaoke nginxinc-ingress]# kubectl apply -f common/crds/k8s.nginx.org_policies.yaml[root@maxiaoke nginxinc-ingress]# kubectl apply -f common/crds/k8s.nginx.org_globalconfigurations.yaml
common/nginx-config.yaml:
# nginx 的自定义配置项,默认data为空kind: ConfigMapapiVersion: v1metadata:name: nginx-confignamespace: nginx-ingressdata:client-max-body-size: 10merror-log-level: errorkeepalive: "8"server-tokens: "false"ssl-protocols: TLSv1.2worker-connections: "10240"worker-processes: "2"# 当前环境的ingress controller下游是使用Nginx L4负载均衡的,为了获取到源地址,使用了 proxy protocol协议# 因此打开了 proxy-protocol,并且日志中也指定了proxy_protocol_addr# 如果下游LB可以透传地址到当前控制器,可以取消 proxy_protocol配置proxy-protocol: "true"real-ip-header: "proxy_protocol"location-snippets: |proxy_set_header X-Real-IP $proxy_protocol_addr;log-format: '$time_local|$remote_addr|$proxy_protocol_addr|$http_x_real_ip|$http_x_forwarded_for|$resource_name|$resource_type|$resource_namespace|$service|$request_method|$server_protocol|$host|$request_uri|$http_referer|$http_user_agent|$body_bytes_sent|$status|$grpc_status'
common/ingress-class.yaml:
apiVersion: networking.k8s.io/v1kind: IngressClassmetadata:name: nginx# 设置为默认的ingress class,如果注释annotations,表示不会设置为默认的ingress controllerannotations:ingressclass.kubernetes.io/is-default-class: "true"spec:controller: nginx.org/ingress-controller
