CI/CD (6): Deploying ingress-nginx with Helm (Alibaba Cloud)

0. Switch kube-proxy from iptables to IPVS (optional)

  1. Edit the kube-proxy configuration

    kubectl edit cm kube-proxy -n kube-system
    # Change the mode field to "ipvs"
  2. Restart kube-proxy

    kubectl delete pod -l k8s-app=kube-proxy -n kube-system
  3. Verify the IPVS state

    ipvsadm -Ln
    # List the load-balancing rules

1. Download the latest package (4.12.0) from GitHub

Releases · kubernetes/ingress-nginx · GitHub

2. Extract

tar -zxvf ingress-nginx-4.12.0.tgz
cd ingress-nginx

3. Edit values.yaml

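# If you are deploying projects in a cluster that uses ingress-nginx, install docker or containerd on the worker nodes beforehand and pull the images manually to test that the registry and the images are available. The manual pull commands are: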
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.12.0
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.5.0

cd ingress-nginx

[root@k8s-master ingress-nginx]# vim values.yaml 


# Change 1: set the global registry to the Alibaba Cloud registry
global:
  image:
    # -- Registry host to pull images from.
    registry: registry.cn-hangzhou.aliyuncs.com

# Change 2: change the controller image name and comment out the digest
controller:
  name: controller
  enableAnnotationValidations: true
  image:
    ## Keep false as default for now!
    chroot: false
    # registry: registry.k8s.io
    # image: google_containers/ingress-nginx/controller
    image: google_containers/nginx-ingress-controller
    ## for backwards compatibility consider setting the full image url via the repository value below
    ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
    ## repository:
    tag: "v1.12.0"
    # digest: sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
    # digestChroot: sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3


# Change 3: change the image name near patch, and comment out the digest
    patch:
      enabled: true
      image:
        # registry: registry.k8s.io
        image: google_containers/kube-webhook-certgen
        ## for backwards compatibility consider setting the full image url via the repository value below
        ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
        ## repository:
        tag: v1.5.0
        # digest: sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4

# Change 4: set hostNetwork
  # change false to true
  hostNetwork: true
  
# Change 5: set dnsPolicy
  # change ClusterFirst to ClusterFirstWithHostNet
  dnsPolicy: ClusterFirstWithHostNet
    
# Change 6: change kind (optional)
  # -- Use a `DaemonSet` or `Deployment`
  # change Deployment to DaemonSet
  kind: DaemonSet

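# Change 7: add a label (optional; both of my worker nodes run a standalone nginx and port 80 is occupied, so I want it deployed to the master). Remember to put the label on the node: kubectl label node k8s-node1 ingress=true
  nodeSelector:
    kubernetes.io/os: linux
    # added
    ingress: "true"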

# Change 8 (optional; I did not change it): enabled should be set to false

  admissionWebhooks:
    name: admission
    annotations: {}
    # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".

    ## Additional annotations to the admission webhooks.
    ## These annotations will be added to the ValidatingWebhookConfiguration and
    ## the Jobs Spec of the admission webhooks.
    enabled: false

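# Change 9 (local setup): find controller.service.type and set it to NodePort, because the service has to be exposed externally. This type is indented under controller.service; make sure you find and change the right one.
    # controller service.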
    annotations: {}
    # -- Labels to be added to both controller services.
    labels: {}
    # -- Type of the external controller service.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: NodePort

# Change 10 (optional; if change 4 above was set to true, this setting has no effect, because the host's ports 80 and 443 are used): also pin the exposed ports
    appProtocol: true
    nodePorts:
      # -- Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range.
      http: "30080"
      # -- Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
      https: "30443"
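
Changes 2 and 3 above comment out the chart's `digest` values, so the mirror images are pulled by tag alone. The following added example (not part of the original post) is one way to check whether the copy pulled from the mirror still carries the digest the chart shipped; the function names are hypothetical, and the repo digest argument is the string `docker image inspect` prints for the pulled image.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# chart_digest FILE IMAGE
# Print the first "digest: sha256:..." value (commented out or not) that
# follows the line "image: IMAGE" in FILE.
chart_digest() {
  awk -v img="$2" '
    {
      line = $0
      sub(/^[ \t#]+/, "", line)      # drop indentation and comment marker
      sub(/[ \t\r]+$/, "", line)     # drop trailing whitespace
    }
    line == ("image: " img) { seen = 1; next }
    seen && line ~ /^digest: sha256:[0-9a-f]+$/ {
      sub(/^digest: /, "", line); print line; exit
    }
  ' "$1"
}

# mirror_digest REPO_DIGEST
# Strip the "registry/repo@" prefix from a RepoDigests entry.
mirror_digest() { printf '%s\n' "${1##*@}"; }

# check_mirror FILE IMAGE REPO_DIGEST
# Return 0 on match, 1 on mismatch, 2 if FILE has no digest for IMAGE.
check_mirror() {
  _want=$(chart_digest "$1" "$2")
  _got=$(mirror_digest "$3")
  if [ -z "$_want" ]; then echo "no chart digest for $2"; return 2; fi
  if [ "$_want" = "$_got" ]; then echo "MATCH $_got"; return 0; fi
  echo "MISMATCH chart=$_want mirror=$_got"
  return 1
}

# On a node, REPO_DIGEST is what this prints for the image pulled earlier:
#   docker image inspect --format '{{index .RepoDigests 0}}' \
#     registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.12.0
# Usage: ./check.sh values.yaml IMAGE REPO_DIGEST
if [ "$#" -eq 3 ]; then check_mirror "$@"; fi
```

On a mismatch, the mirror copy is not the manifest the chart was released against; putting the mirror's own digest back into `digest:` keeps the deployment pinned to one exact image rather than to a tag.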

3. Deploy

Go back up one directory level.

helm install ingress-nginx ./ingress-nginx   --namespace ingress-nginx   --create-namespace   -f ./ingress-nginx/values.yaml

4. Deploying on the master node (because the worker nodes all run nginx, so ports such as 80 are occupied)

1. Label the master node

# Label the master node (the label name is up to you); an IP in place of k8s-master also works
kubectl label node k8s-master ingress-node=true

# Confirm that the label took effect
kubectl get node k8s-master --show-labels

2. Edit values.yaml so that the controller tolerates the master node's taint

controller:
  nodeSelector:
    ingress-node: "true"  # matches the master node's label
  tolerations:
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Exists"  # tolerate the master node's taint
      effect: "NoSchedule"

3. If ports 80/443 on the master node are already in use, adjust the ingress-nginx port mapping:

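controller:
  hostNetwork: false       # disable host network mode
  service:
    type: NodePort         # expose the service through NodePort
    nodePorts:             # node ports are pinned under nodePorts; service.ports would only change the Service port
      http: 30080          # custom external access port (avoids a conflict with the node's Nginx)
      https: 30443
    targetPorts:
      http: 80             # the container's internal port keeps its default
      https: 443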

4. Deploy and verify

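# Update the Helm release
# (ingress-nginx/ingress-nginx refers to a Helm repo added under the name ingress-nginx;
#  for the chart unpacked above, pass ./ingress-nginx instead)
helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
  -n ingress-nginx \
  -f values.yaml

# Check whether the Pod was scheduled onto the master node
kubectl get pods -n ingress-nginx -o wide

# Show the Service port mapping
kubectl get svc -n ingress-nginx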