Kubernetes部署nginx服务器

GitHub: https://github.com/kubernetes/examples/tree/master/staging/https-nginx

https

自动检测配置文件更改

部署

下面是我自己写的http服务器的yaml文件

nginx-deploy.yml

---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: nginx
  namespace: rollouts-valid
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.17
        ports:
        - containerPort: 80
        volumeMounts:
        - mountPath: /etc/nginx/nginx.conf 
          readOnly: true
          subPath: nginx.conf
          name: nginx-conf
        - mountPath: /etc/nginx/conf.d
          name: ro-content-conf
        - mountPath: /var/log/nginx
          name: log
        resources:
          limits:
            cpu: 200m
            memory: 1Gi
          requests:
            cpu: 100m
            memory: 0.5Gi
      volumes:
      - name: nginx-conf
        configMap:
          name: nginx-conf # place ConfigMap `nginx-conf` on /etc/nginx
          items:
            - key: nginx.conf
              path: nginx.conf
      - name: ro-content-conf
        configMap:
          name: nginx-conf # place ConfigMap `nginx-conf` on /etc/nginx
          items:
            - key: ro-content.conf
              path: ro-content.conf
      - name: log
        emptyDir: {}

nginx-config.yml

---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: nginx
  namespace: rollouts-valid
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: swr.cn-east-2.myhuaweicloud.com/bosch-test/ro-static-content-nginx:1.0
        ports:
        - containerPort: 80
        volumeMounts:
        - mountPath: /etc/nginx/nginx.conf 
          readOnly: true
          subPath: nginx.conf
          name: nginx-conf
        - mountPath: /etc/nginx/conf.d
          name: ro-content-conf
        - mountPath: /var/log/nginx
          name: log
        resources:
          limits:
            cpu: 200m
            memory: 1Gi
          requests:
            cpu: 100m
            memory: 0.5Gi
      volumes:
      - name: nginx-conf
        configMap:
          name: nginx-conf # place ConfigMap `nginx-conf` on /etc/nginx
          items:
            - key: nginx.conf
              path: nginx.conf
      - name: ro-content-conf
        configMap:
          name: nginx-conf # place ConfigMap `nginx-conf` on /etc/nginx
          items:
            - key: ro-content.conf
              path: ro-content.conf
      - name: log
        emptyDir: {}
      imagePullSecrets:
      - name: default-secret

nginx-svc.yml

---
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: rollouts-valid
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: nginx

用户认证配置

ngx_http_auth_basic_module模块实现让访问着，只有输入正确的用户密码才允许访问web内容。web上的一些内容不想被其他人知道，但是又想让部分人看到。nginx的http auth模块以及Apache http auth都是很好的解决方案。

默认情况下nginx已经安装了ngx_http_auth_basic_module模块，如果不需要这个模块，可以加上 –without-http_auth_basic_module 。

nginx basic auth指令

语法: auth_basic string | off;
默认值: auth_basic off;
配置段: http, server, location, limit_except

默认表示不开启认证，后面如果跟上字符，这些字符会在弹窗中显示。

语法: auth_basic_user_file file;
默认值: —
配置段: http, server, location, limit_except

用户密码文件，文件内容类似如下：

ttlsauser1:password1
ttlsauser2:password2

nginx认证配置实例

server{
    server_name www.ttlsa.com ttlsa.com;
    
    index index.html index.php;
    root /data/site/www.ttlsa.com;
    
    location /{
        auth_basic "nginx bastic auth";
        auth_basic_user_file /etc/nginx/conf.d/htpasswd;
        autoindex on;
    }
}

一定要注意auth_basic_user_file路径，否则会不厌其烦的出现403。

生成密码

可以使用htpasswd，或者使用openssl

#printf "ttlsa:$(openssl passwd -crypt 123456)\n" >>conf/htpasswd

#cat conf/htpasswd 
ttlsa:xyJkVhXGAZ8tM

账号：ttlsa
密码：123456

reload nginx

nginx -s reload