CI/CD(六) helm部署ingress-nginx(阿里云)

零、修改iptable为ipvs(可选)

  1. 修改 kube-proxy 配置

    bash 复制代码
    kubectl edit cm kube-proxy -n kube-system 
    # 将 mode 字段改为 "ipvs"
  2. 重启 kube-proxy

    bash 复制代码
    kubectl delete pod -l k8s-app=kube-proxy -n kube-system
  3. 验证 IPVS 状态

    bash 复制代码
    ipvsadm -Ln 
    # 查看负载均衡规则

一、github下载最新的包(4.12.0)

Releases · kubernetes/ingress-nginx · GitHub

二、解压

bash 复制代码
tar -zxvf ingress-nginx-4.12.0.tgz
cd ingress-nginx

三、修改values.ymal

bash 复制代码
#如果是在集群中部署项目使用ingress-nginx,需要提前在工作节点下载docker或者containerd,手动拉取从而测试该仓库和镜像是否可用,手动拉取的命令是
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.12.0
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.5.0

cd ingress-nginx

bash 复制代码
[root@k8s-master ingress-nginx]# vim values.yaml 


# 第一处:修改全局仓库为阿里云仓库
global:
  image:
    # -- Registry host to pull images from.
    registry: registry.cn-hangzhou.aliyuncs.com

# 第二处:修改controller的image名称和注释digest
controller:
  name: controller
  enableAnnotationValidations: true
  image:
    ## Keep false as default for now!
    chroot: false
    # registry: registry.k8s.io
#    image: google_containers/ingress-nginx/controller
    image: google_containers/nginx-ingress-controller
    ## for backwards compatibility consider setting the full image url via the repository value below
    ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
    ## repository:
    tag: "v1.12.0"
 #   digest: sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
#    digestChroot: sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3


# 第三处:修改patch附近的镜像名称,以及注释digest
    patch:
      enabled: true
      image:
        # registry: registry.k8s.io
        image: google_containers/kube-webhook-certgen
        ## for backwards compatibility consider setting the full image url via the repository value below
        ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
        ## repository:
        tag: v1.5.0
#        digest: sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4

# 第四处:修改hostNetwork:
 # false 改成 true
  hostNetwork: true
  
# 第五处:修改dnsPolicy
 # ClusterFirst 改成 
  dnsPolicy: ClusterFirstWithHostNet
    
# 第六处:修改kind(可选)
  # -- Use a `DaemonSet` or `Deployment`
  # Deployment 改成 DaemonSet
  kind: DaemonSet

# 第七处:添加标签(可选,由于我两台从节点都部署了单机nginx,80端口被占用,想让他部署到master)。记得在节点上打上标签。kubectl label node k8s-node1 ingress=true
 nodeSelector:
    kubernetes.io/os: linux
	# 增加
    ingress: "true"

# 第八处:(可选。我没改)enabled要改为false

  admissionWebhooks:
    name: admission
    annotations: {}
    # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".

    ## Additional annotations to the admission webhooks.
    ## These annotations will be added to the ValidatingWebhookConfiguration and
    ## the Jobs Spec of the admission webhooks.
    enabled: false

# 第九处(本地化),找到controller.service.type,修改为NodePort,这是由于要向外部暴露服务。该type的缩进在controller.service下,一定要找到正确的进行修改。
controller service.
    annotations: {}
    # -- Labels to be added to both controller services.
    labels: {}
    # -- Type of the external controller service.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: NodePort

#第10处(可选,如果上面的第四处改为了true,这里的配置不生效,因为用的宿主机的80与443),顺便把暴露的端口固定
    appProtocol: true
    nodePorts:
      # -- Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range.
      http: "30080"
      # -- Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
      https: "30443"

三、部署

退出到上一层

bash 复制代码
helm install ingress-nginx ./ingress-nginx   --namespace ingress-nginx   --create-namespace   -f ./ingress-nginx/values.yaml

四、主节点部署(因从节点都部署了nginx。80等端口被占用)

1、给主节点打标签

bash 复制代码
# 给主节点打标签(标签名可自定义)k8s-master为ip也可以
kubectl label node k8s-master ingress-node=true

# 确认标签是否生效
kubectl get node k8s-master --show-labels

2、修改values.yaml,让其容忍主节点的污点

bash 复制代码
controller:
  nodeSelector:
    ingress-node: "true"  # 匹配主节点的标签
  tolerations:
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Exists"  # 容忍主节点的污点
      effect: "NoSchedule"

3、若主节点的 80/443 端口已被占用,需调整 ingress-nginx 的端口映射:

bash 复制代码
controller:
  hostNetwork: false       # 禁用宿主机网络模式
  service:
    type: NodePort         # 使用 NodePort 暴露服务
    ports:
      http: 30080          # 自定义外部访问端口(避免与节点 Nginx 冲突)
      https: 30443
    targetPorts:
      http: 80             # 容器内部端口保持默认
      https: 443

4、部署验证

bash 复制代码
# 更新 Helm 配置
helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
  -n ingress-nginx \
  -f values.yaml

# 检查 Pod 是否调度到主节点
kubectl get pods -n ingress-nginx -o wide

# 查看 Service 端口映射
kubectl get svc -n ingress-nginx
相关推荐
007php0073 小时前
服务器上PHP环境安装与更新版本和扩展(安装PHP、Nginx、Redis、Swoole和OPcache)
运维·服务器·后端·nginx·golang·测试用例·php
core5129 小时前
prometheus+grafana接入nginx实战
nginx·grafana·prometheus·监控·接入·vts·vtx
mCell11 小时前
Webhook:连接、自动化与系统集成的新范式
ci/cd·go·github
Gold Steps.19 小时前
基于 Gitlab、Jenkins与Jenkins分布式、SonarQube 、Nexus 的 CiCd 全流程打造
运维·ci/cd·gitlab·jenkins
冬夜戏雪1 天前
阿里云ubuntu安装mysql docker容器(拉,运行,测试完整版)
mysql·ubuntu·阿里云
xian_wwq2 天前
【学习笔记】Nginx常用安全配置
笔记·学习·nginx
LCG元2 天前
基于MCP的CI/CD流水线:自动化部署到云平台的实践
运维·ci/cd·自动化
鼠鼠我捏,要死了捏2 天前
生产环境CI/CD流水线构建与优化实践指南
ci/cd·devops·流水线
mapengpeng1999@163.c2 天前
持续集成持续发布CICD
ci/cd
不知疲倦的仄仄2 天前
2025Nginx最新版讲解/面试
nginx·代理模式·proxy模式