nginx/k8s/nginx-deployment.yaml
huangzhiqiang 88bad1ae39
fix: 修复nginx-deployment.yaml
2025-06-09 13:50:53 +08:00


# Kubernetes 部署配置文件
# 用于从私有 Harbor 仓库拉取 NGINX 镜像并部署
#
# 使用方法:
# 1. 设置环境变量:
# export HARBOR_REGISTRY=<你的Harbor仓库地址>
# export HARBOR_USERNAME=<Harbor用户名>
# export HARBOR_PASSWORD=<Harbor密码>
# export NGINX_IMAGE_TAG=<镜像标签>
#
# 2. 运行部署脚本:
# ./deploy.sh
---
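# 1. ConfigMap - NGINX configuration
#
# Holds the nginx.conf that the nginx Deployment mounts read-only at
# /etc/nginx/nginx.conf. Changes versus the previous revision:
#   - server_tokens off: stop advertising the nginx version.
#   - /health: content type is set with default_type instead of add_header.
#
# NOTE(review): the pod that mounts this file runs as UID 65534 (runAsNonRoot),
# yet the server listens on port 80 and logs under /var/log/nginx. Binding a
# port below 1024 and writing to that directory both depend on the image and
# the container runtime, neither of which is visible here - confirm, or move
# to an unprivileged port and a mounted log directory.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
  namespace: default
data:
  nginx.conf: |
    # Ignored with a startup warning when the master process is not root.
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log notice;
    pid /var/run/nginx.pid;
    events {
      worker_connections 1024;
    }
    http {
      include /etc/nginx/mime.types;
      default_type application/octet-stream;
      # Hide the nginx version in the Server header and on error pages.
      server_tokens off;
      log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
      access_log /var/log/nginx/access.log main;
      sendfile on;
      keepalive_timeout 65;
      server {
        listen 80;
        server_name localhost;
        location / {
          root /usr/local/nginx/html;
          index index.html index.htm;
        }
        # 健康检查端点
        location /health {
          # add_header would send a second Content-Type header next to the
          # one nginx derives from default_type; set the type here instead.
          default_type text/plain;
          return 200 'ok';
        }
      }
    }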
---
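# 2. Deployment - NGINX application
#
# Runs the NGINX image from the private Harbor registry as a non-root pod.
# Hardening added in this revision: RuntimeDefault seccomp profile, no
# service account token, no privilege escalation, all capabilities dropped.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: default
  labels:
    app: nginx
    version: v1
spec:
  # NOTE(review): nginx-hpa in this file also controls the replica count
  # (minReplicas 2); each re-apply of this manifest resets it to 3 until the
  # HPA reconciles. Consider omitting this field once the HPA is in place.
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # Add one new pod at a time and never drop below the desired count.
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
        version: v1
    spec:
      # Pull credentials for the private registry. The secret must already
      # exist in this namespace; presumably deploy.sh creates it from
      # HARBOR_USERNAME / HARBOR_PASSWORD - TODO confirm. Keep those values
      # out of the repository and out of CI logs.
      imagePullSecrets:
        - name: harbor-registry-secret
      # Nothing in this pod spec talks to the Kubernetes API, so do not mount
      # a service account token into the container.
      automountServiceAccountToken: false
      # Pod-level security context: non-root UID/GID (65534) and the runtime's
      # default seccomp filter.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        fsGroup: 65534
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: nginx
          # Image in the private registry. $HARBOR_REGISTRY and
          # $NGINX_IMAGE_TAG are placeholders that must be substituted before
          # this file is applied (the file header points to ./deploy.sh).
          # NOTE(review): with a mutable tag and imagePullPolicy Always the
          # running image can change without a manifest change; prefer an
          # immutable tag or an @sha256 digest.
          image: "$HARBOR_REGISTRY/test/nginx:$NGINX_IMAGE_TAG"
          imagePullPolicy: Always
          # NOTE(review): with privilege escalation disabled and every
          # capability dropped, a non-root nginx can bind port 80 only if the
          # runtime permits unprivileged low ports; file capabilities on the
          # binary no longer apply. Confirm against the image, or move the
          # listener to a port above 1023.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
          # Environment variables
          env:
            - name: TZ
              value: "Asia/Shanghai"
          # Resource requests and limits
          resources:
            requests:
              memory: "64Mi"
              cpu: "50m"
            limits:
              memory: "128Mi"
              cpu: "200m"
          # Health checks: all three probes hit the /health location that the
          # mounted nginx.conf answers with 200.
          livenessProbe:
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
          # Startup probe
          startupProbe:
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 5
          # Configuration file plus writable scratch directories. /var/run and
          # /var/cache/nginx are emptyDir volumes; /var/log/nginx, which the
          # mounted nginx.conf writes to, is not mounted here.
          volumeMounts:
            - name: nginx-config-volume
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
              readOnly: true
            - name: nginx-cache
              mountPath: /var/cache/nginx
            - name: nginx-run
              mountPath: /var/run
      volumes:
        - name: nginx-config-volume
          configMap:
            name: nginx-config
            # Octal file mode; must remain an unquoted integer.
            defaultMode: 0644
        - name: nginx-cache
          emptyDir: {}
        - name: nginx-run
          emptyDir: {}
      # Node selector (optional)
      nodeSelector:
        kubernetes.io/os: linux
      # Tolerations (optional): stay bound for 300 s when the node is
      # reported not-ready or unreachable before being evicted.
      tolerations:
        - key: "node.kubernetes.io/not-ready"
          operator: "Exists"
          effect: "NoExecute"
          tolerationSeconds: 300
        - key: "node.kubernetes.io/unreachable"
          operator: "Exists"
          effect: "NoExecute"
          tolerationSeconds: 300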
---
# 3. Service - in-cluster exposure
#
# ClusterIP only: the pods labelled app=nginx are reachable on port 80 from
# inside the cluster; nothing in this object exposes them externally.
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  namespace: default
  labels:
    app: nginx
spec:
  type: ClusterIP
  # Route to every pod carrying this label.
  selector:
    app: nginx
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
---
# 4. HorizontalPodAutoscaler - automatic scaling
#
# Scales nginx-deployment between 2 and 10 replicas on average CPU and
# memory utilization, both measured against the containers' resource requests.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa
  namespace: default
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
  minReplicas: 2
  maxReplicas: 10
  metrics:
    # Target 70 % average CPU utilization.
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    # Target 80 % average memory utilization.
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 80
  behavior:
    # Scale up: 60 s stabilization window, at most +100 % of the current
    # replicas per 15 s.
    scaleUp:
      stabilizationWindowSeconds: 60
      policies:
        - type: Percent
          value: 100
          periodSeconds: 15
    # Scale down: 300 s stabilization window, at most -50 % of the current
    # replicas per 60 s.
    scaleDown:
      stabilizationWindowSeconds: 300
      policies:
        - type: Percent
          value: 50
          periodSeconds: 60
---
# 5. PodDisruptionBudget - limit on voluntary disruptions
#
# Voluntary evictions (for example a node drain) must leave at least one pod
# labelled app=nginx available.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb
  namespace: default
spec:
  selector:
    matchLabels:
      app: nginx
  minAvailable: 1