CI/CD(六) helm部署ingress-nginx(阿里云)

零、修改iptable为ipvs(可选)

  1. 修改 kube-proxy 配置

    bash 复制代码
    kubectl edit cm kube-proxy -n kube-system 
    # 将 mode 字段改为 "ipvs"
  2. 重启 kube-proxy

    bash 复制代码
    kubectl delete pod -l k8s-app=kube-proxy -n kube-system
  3. 验证 IPVS 状态

    bash 复制代码
    ipvsadm -Ln 
    # 查看负载均衡规则

一、github下载最新的包(4.12.0)

Releases · kubernetes/ingress-nginx · GitHub

二、解压

bash 复制代码
tar -zxvf ingress-nginx-4.12.0.tgz
cd ingress-nginx

三、修改values.ymal

bash 复制代码
#如果是在集群中部署项目使用ingress-nginx,需要提前在工作节点下载docker或者containerd,手动拉取从而测试该仓库和镜像是否可用,手动拉取的命令是
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.12.0
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.5.0

cd ingress-nginx

bash 复制代码
[root@k8s-master ingress-nginx]# vim values.yaml 


# 第一处:修改全局仓库为阿里云仓库
global:
  image:
    # -- Registry host to pull images from.
    registry: registry.cn-hangzhou.aliyuncs.com

# 第二处:修改controller的image名称和注释digest
controller:
  name: controller
  enableAnnotationValidations: true
  image:
    ## Keep false as default for now!
    chroot: false
    # registry: registry.k8s.io
#    image: google_containers/ingress-nginx/controller
    image: google_containers/nginx-ingress-controller
    ## for backwards compatibility consider setting the full image url via the repository value below
    ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
    ## repository:
    tag: "v1.12.0"
 #   digest: sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
#    digestChroot: sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3


# 第三处:修改patch附近的镜像名称,以及注释digest
    patch:
      enabled: true
      image:
        # registry: registry.k8s.io
        image: google_containers/kube-webhook-certgen
        ## for backwards compatibility consider setting the full image url via the repository value below
        ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
        ## repository:
        tag: v1.5.0
#        digest: sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4

# 第四处:修改hostNetwork:
 # false 改成 true
  hostNetwork: true
  
# 第五处:修改dnsPolicy
 # ClusterFirst 改成 
  dnsPolicy: ClusterFirstWithHostNet
    
# 第六处:修改kind(可选)
  # -- Use a `DaemonSet` or `Deployment`
  # Deployment 改成 DaemonSet
  kind: DaemonSet

# 第七处:添加标签(可选,由于我两台从节点都部署了单机nginx,80端口被占用,想让他部署到master)。记得在节点上打上标签。kubectl label node k8s-node1 ingress=true
 nodeSelector:
    kubernetes.io/os: linux
	# 增加
    ingress: "true"

# 第八处:(可选。我没改)enabled要改为false

  admissionWebhooks:
    name: admission
    annotations: {}
    # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".

    ## Additional annotations to the admission webhooks.
    ## These annotations will be added to the ValidatingWebhookConfiguration and
    ## the Jobs Spec of the admission webhooks.
    enabled: false

# 第九处(本地化),找到controller.service.type,修改为NodePort,这是由于要向外部暴露服务。该type的缩进在controller.service下,一定要找到正确的进行修改。
controller service.
    annotations: {}
    # -- Labels to be added to both controller services.
    labels: {}
    # -- Type of the external controller service.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: NodePort

#第10处(可选,如果上面的第四处改为了true,这里的配置不生效,因为用的宿主机的80与443),顺便把暴露的端口固定
    appProtocol: true
    nodePorts:
      # -- Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range.
      http: "30080"
      # -- Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
      https: "30443"

三、部署

退出到上一层

bash 复制代码
helm install ingress-nginx ./ingress-nginx   --namespace ingress-nginx   --create-namespace   -f ./ingress-nginx/values.yaml

四、主节点部署(因从节点都部署了nginx。80等端口被占用)

1、给主节点打标签

bash 复制代码
# 给主节点打标签(标签名可自定义)k8s-master为ip也可以
kubectl label node k8s-master ingress-node=true

# 确认标签是否生效
kubectl get node k8s-master --show-labels

2、修改values.yaml,让其容忍主节点的污点

bash 复制代码
controller:
  nodeSelector:
    ingress-node: "true"  # 匹配主节点的标签
  tolerations:
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Exists"  # 容忍主节点的污点
      effect: "NoSchedule"

3、若主节点的 80/443 端口已被占用,需调整 ingress-nginx 的端口映射:

bash 复制代码
controller:
  hostNetwork: false       # 禁用宿主机网络模式
  service:
    type: NodePort         # 使用 NodePort 暴露服务
    ports:
      http: 30080          # 自定义外部访问端口(避免与节点 Nginx 冲突)
      https: 30443
    targetPorts:
      http: 80             # 容器内部端口保持默认
      https: 443

4、部署验证

bash 复制代码
# 更新 Helm 配置
helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
  -n ingress-nginx \
  -f values.yaml

# 检查 Pod 是否调度到主节点
kubectl get pods -n ingress-nginx -o wide

# 查看 Service 端口映射
kubectl get svc -n ingress-nginx
相关推荐
Sonetto19991 小时前
Nginx 反向代理,啥是“反向代理“啊,为啥叫“反向“代理?而不叫“正向”代理?它能干哈?
运维·前端·nginx
我的作业错错错11 小时前
搭建私人网站
服务器·阿里云·私人网站
朴拙数科13 小时前
艺术字体AI生成阿里云WordArt锦书、通义万相、SiliconFlow、Pillow+OpenCV本地生成艺术字体
人工智能·阿里云·pillow
中云时代-防御可测试-小余13 小时前
高防IP是如何防护DDoS攻击和CC攻击的
运维·服务器·tcp/ip·安全·阿里云·ddos·宽度优先
白总Server16 小时前
Nginx 中间件
大数据·linux·运维·服务器·nginx·bash·web
异常君20 小时前
HTTP头中的Accept-Encoding与Content-Encoding深度剖析
后端·nginx·http
Serverless社区21 小时前
MCP云托管最优解,揭秘国内最大MCP中文社区背后的运行时
阿里云·云原生·serverless·函数计算
生命有所坚持而生存可以随遇而安1 天前
https nginx 负载均衡配置
服务器·nginx·负载均衡
Python私教1 天前
CentOS 7 基于 Nginx 的 HTML 部署全流程指南
nginx·centos·html