
# Kubernetes 部署配置文件
# 用于从私有 Harbor 仓库拉取 NGINX 镜像并部署
#
# 使用方法:
# 1. 设置环境变量:
# export HARBOR_REGISTRY=<你的Harbor仓库地址>
# export HARBOR_USERNAME=<Harbor用户名>
# export HARBOR_PASSWORD=<Harbor密码>
# export NGINX_IMAGE_TAG=<镜像标签>
#
# 2. 运行部署脚本:
# ./deploy.sh
#
# 或者手动执行:
# 1. kubectl create secret docker-registry harbor-registry-secret \
# --docker-server=$HARBOR_REGISTRY \
# --docker-username=$HARBOR_USERNAME \
# --docker-password=$HARBOR_PASSWORD
# 2. kubectl apply -f nginx-deployment.yaml
---
# 1. 私有仓库访问凭据 Secret (通过脚本自动创建)
# 如果需要手动创建,请使用以下命令:
# kubectl create secret docker-registry harbor-registry-secret \
# --docker-server=<HARBOR_REGISTRY> \
# --docker-username=<HARBOR_USERNAME> \
# --docker-password=<HARBOR_PASSWORD>
---
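# 2. ConfigMap - NGINX configuration
#    Mounted read-only over /etc/nginx/nginx.conf by the Deployment below (a
#    subPath mount, so edits here are only picked up by a new rollout).
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
  namespace: default
data:
  nginx.conf: |
    # "user" only takes effect when the master process starts as root; under the
    # Deployment's runAsNonRoot it is ignored (nginx logs a warning at startup).
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log warn;
    # /var/run is an emptyDir in the Deployment so the pid file is writable as UID 65534
    pid /var/run/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;

        # Basic security headers ("always" = also sent on error responses).
        # add_header is inherited by a location only if that location sets no
        # add_header of its own, so keep the location blocks free of add_header.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        # Legacy header, ignored by current browsers; kept for older clients.
        add_header X-XSS-Protection "1; mode=block" always;

        # Gzip compression
        gzip on;
        gzip_vary on;
        gzip_min_length 1024;
        gzip_types text/plain text/css application/json application/javascript
                   text/xml application/xml application/xml+rss text/javascript;

        server {
            listen 80;
            server_name _;
            root /usr/share/nginx/html;
            index index.html index.htm;

            # Health check endpoint used by the Deployment's probes.
            # default_type (not "add_header Content-Type") sets the type of the
            # "return" body: add_header would emit a second Content-Type header
            # next to the default application/octet-stream one, and a local
            # add_header also stops the security headers above being inherited.
            location /health {
                access_log off;
                default_type text/plain;
                return 200 "healthy\n";
            }

            # stub_status endpoint, restricted to in-cluster source addresses.
            # allow/deny match the direct peer address (pod or node IP), not
            # X-Forwarded-For; the RFC 1918 ranges below admit any in-cluster client.
            location /nginx_status {
                stub_status on;
                access_log off;
                allow 127.0.0.1;
                allow 10.0.0.0/8;
                allow 172.16.0.0/12;
                allow 192.168.0.0/16;
                deny all;
            }

            location / {
                try_files $uri $uri/ =404;
            }

            # Error pages
            error_page 404 /404.html;
            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
                root /usr/share/nginx/html;
            }
        }
    }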
---
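# 3. Deployment - NGINX application
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: default
  labels:
    app: nginx
    version: v1
spec:
  # NOTE(review): the HorizontalPodAutoscaler further down also owns this
  # Deployment's replica count, so every `kubectl apply` of this file resets
  # it to 3 until the HPA reconciles again; dropping spec.replicas removes
  # that tug-of-war.
  replicas: 3
  # Zero-downtime rollout: at most one extra pod, never fewer than desired.
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
        version: v1
    spec:
      # Pull credentials for the private Harbor registry (see header comment)
      imagePullSecrets:
        - name: harbor-registry-secret
      # Pod-level security context: run as the unprivileged "nobody" UID/GID
      # with the runtime's default seccomp profile.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        fsGroup: 65534
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: nginx
          # Image in the private registry (adjust the project path as needed).
          # ${HARBOR_REGISTRY} is not Kubernetes syntax; it has to be substituted
          # before apply (presumably by deploy.sh).
          # NOTE(review): the header documents NGINX_IMAGE_TAG, yet the tag is
          # hard-coded to the mutable "latest", so deployments are not
          # reproducible and a rollback cannot restore a known build. Use
          # ":${NGINX_IMAGE_TAG}" (or a digest) once deploy.sh substitutes it.
          image: "${HARBOR_REGISTRY}/test/nginx:latest"
          imagePullPolicy: Always
          # Container-level hardening (Pod Security "restricted" baseline):
          # no setuid/file-capability escalation, empty capability bounding set.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # NOTE(review): as UID 65534 the process holds no effective
          # capabilities, so binding port 80 only works where the runtime
          # lowers net.ipv4.ip_unprivileged_port_start. If pods fail with
          # "bind() ... (13: Permission denied)", either listen on a port
          # >= 1024 (and update containerPort, the probes and the Service
          # targetPort) or set that safe sysctl under spec.securityContext.sysctls.
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
          env:
            - name: TZ
              value: "Asia/Shanghai"
          # Resource requests/limits (the requests are also the basis for the
          # HPA's utilisation metrics).
          resources:
            requests:
              memory: "64Mi"
              cpu: "50m"
            limits:
              memory: "128Mi"
              cpu: "200m"
          # Health checks, all against the /health location in nginx.conf.
          # Liveness/readiness only start once startupProbe has succeeded, so
          # their initialDelaySeconds is largely redundant with the startup probe.
          livenessProbe:
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
          # Startup probe: up to 5 x 10s for nginx to come up before liveness kicks in
          startupProbe:
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 5
          # Config file mount. subPath mounts do NOT receive ConfigMap updates;
          # roll the Deployment after changing nginx-config.
          volumeMounts:
            - name: nginx-config-volume
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
              readOnly: true
            # Writable scratch space nginx needs as a non-root user
            - name: nginx-cache
              mountPath: /var/cache/nginx
            - name: nginx-run
              mountPath: /var/run
      volumes:
        - name: nginx-config-volume
          configMap:
            name: nginx-config
            # 0644 written in decimal: a YAML 1.1 parser reads "0644" as octal
            # (420) but a YAML 1.2 parser reads it as decimal 644 (mode 1204).
            defaultMode: 420
        - name: nginx-cache
          emptyDir: {}
        - name: nginx-run
          emptyDir: {}
      # Node selector (optional)
      nodeSelector:
        kubernetes.io/os: linux
      # Tolerations (optional). These normally match what the API server's
      # DefaultTolerationSeconds admission plugin injects (300s); listing them
      # only pins the value explicitly.
      tolerations:
        - key: "node.kubernetes.io/not-ready"
          operator: "Exists"
          effect: "NoExecute"
          tolerationSeconds: 300
        - key: "node.kubernetes.io/unreachable"
          operator: "Exists"
          effect: "NoExecute"
          tolerationSeconds: 300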
---
# 4. Service - exposes the NGINX pods inside the cluster
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  namespace: default
  labels:
    app: nginx
spec:
  # ClusterIP: reachable only from within the cluster, no external exposure
  type: ClusterIP
  selector:
    app: nginx
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
---
# 5. HorizontalPodAutoscaler - scales the Deployment on CPU and memory utilisation
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa
  namespace: default
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
  minReplicas: 2
  maxReplicas: 10
  # Utilization targets are measured against the container resource *requests*
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    # NOTE(review): nginx memory use barely tracks load, so this metric tends
    # to hold replicas up rather than drive scaling; CPU alone is usually enough.
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 80
  behavior:
    # Scale up quickly: may double every 15s after a 60s stabilization window ...
    scaleUp:
      stabilizationWindowSeconds: 60
      policies:
        - type: Percent
          value: 100
          periodSeconds: 15
    # ... and down slowly: at most halve once a minute after a 5 min window.
    scaleDown:
      stabilizationWindowSeconds: 300
      policies:
        - type: Percent
          value: 50
          periodSeconds: 60
---
# 6. PodDisruptionBudget - keeps nginx available through voluntary disruptions
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb
  namespace: default
spec:
  selector:
    matchLabels:
      app: nginx
  # Voluntary evictions (node drain etc.) may never take the app below one
  # available pod; with HPA minReplicas 2 that still allows one eviction at a time.
  minAvailable: 1