Contents

- 1. Domain redirect (HTTP→HTTPS / old-domain redirect)
- 2. Rewrite for a split frontend/backend (path rewriting)
- 3. Combined example (redirect + rewrite)
- 4. SSL/TLS configuration (HTTPS encryption)
- 5. Basic authentication (Basic Auth)
**1. Domain redirect (HTTP→HTTPS / old-domain redirect)**

https-redirect.yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: https-redirect
  annotations:
    nginx.ingress.kubernetes.io/permanent-redirect: https://$host$request_uri
spec:
  rules:
  - host: old.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: dummy-service   # placeholder; the redirect is returned before anything is proxied
            port:
              number: 80
```

Line-by-line explanation:

- `nginx.ingress.kubernetes.io/permanent-redirect`: an ingress-nginx-specific annotation; the controller emits a `return 301` to the given URL, so clients get a permanent redirect.
- `$host$request_uri`: keeps the original request's host and path (including the query string), so `http://old.example.com/a?b=1` becomes `https://old.example.com/a?b=1`. Because `$host` keeps the same domain, this Ingress must not also serve HTTPS for old.example.com, or it redirects to itself; for a plain HTTP→HTTPS redirect use the `ssl-redirect` annotation from section 4, and reserve `permanent-redirect` for sending an old domain to a new one (an absolute target such as `https://new.example.com$request_uri`).
- `dummy-service`: a placeholder backend; the redirect is answered by nginx itself, so this Service never handles traffic.
**2. Rewrite for a split frontend/backend (path rewriting)**

rewrite-frontend.yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rewrite-demo
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /api(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: backend-service
            port:
              number: 8080
```

Line-by-line explanation:

- `rewrite-target: /$2`: the URI forwarded to the backend is `/` followed by the second capture group `(.*)`, so `/api/v1/users` arrives at the backend as `/v1/users`.
- `path: /api(/|$)(.*)`: a regular-expression path (setting any `rewrite-target` switches ingress-nginx into regex matching for the Ingress) that matches paths beginning with `/api`. `(/|$)` requires either a slash or the end of the path right after `/api`, so `/apix` does not match; `$2` refers to the second capture group.
- `backend-service:8080`: the backend Service that actually handles the request.
**3. Combined example (redirect + rewrite)**

combined-ingress.yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: combined-ingress
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      if ($host = 'deprecated.com') {
        return 301 https://new.example.com$request_uri;
      }
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
  - host: new.example.com
    http:
      paths:
      - path: /static/(.*)
        pathType: Prefix
        backend:
          service:
            name: frontend-service
            port:
              number: 80
```

Key points:

- `configuration-snippet`: inserts a raw nginx configuration fragment for logic the annotations do not cover; this one returns a 301 to new.example.com whenever the request's Host header is `deprecated.com`.
- The single Ingress is meant to do both jobs: redirect the old domain and rewrite the static-asset path (`/static/css/app.css` reaches frontend-service as `/css/app.css`).
- Two caveats. The snippet is placed inside the location generated for `new.example.com`, so a request for `deprecated.com` only reaches it if that host is also listed under `rules`; a separate Ingress for deprecated.com using `permanent-redirect` (section 1) is the simpler way to get the same effect. And because snippet annotations let any user who can create an Ingress inject arbitrary nginx directives, current ingress-nginx releases ship with `allow-snippet-annotations` set to false in the controller ConfigMap, so the controller rejects or ignores this annotation until an administrator enables it.
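The two rewrite rules above (section 2's `/api(/|$)(.*)` → `/$2` and this section's `/static/(.*)` → `/$1`) are easy to get subtly wrong, and a mistake only shows up as 404s after deployment. The following added example, which is not part of the original page or of ingress-nginx, simulates the rewrite offline so the capture groups can be checked first. It assumes what ingress-nginx does with a regex path: the location is anchored at the start of the path and matched case-insensitively, `$N` in the target is replaced by capture group N, and the query string is left untouched.

```python
import re

# Added example (not the page's own code): emulate ingress-nginx's handling of a
# regex `path` plus a `rewrite-target` annotation.
#
# Assumptions: the generated location is `location ~* "^<path>"` (anchored at
# the start, case-insensitive), `$1`, `$2`, ... in the target are replaced by the
# capture groups, and the query string is not part of the match.

CAPTURE_REF = re.compile(r"\$(\d+)")


def apply_rewrite(path_regex: str, target: str, request_uri: str):
    """Return the URI the backend would receive, or None when the path does not
    match this location (nginx then tries other locations or returns 404)."""
    path, sep, query = request_uri.partition("?")
    match = re.match(path_regex, path, re.IGNORECASE)  # re.match anchors at ^
    if match is None:
        return None

    def expand(ref: "re.Match") -> str:
        n = int(ref.group(1))
        if n > match.re.groups:
            return ""          # a capture that does not exist expands to ""
        return match.group(n) or ""

    return CAPTURE_REF.sub(expand, target) + sep + query


# The two rules from the page: section 2 (/api) and section 3 (/static).
API_RULE = ("/api(/|$)(.*)", "/$2")
STATIC_RULE = ("/static/(.*)", "/$1")


def rewrite_table(rule, uris):
    """Map each request URI to its rewrite result for one (path_regex, target) rule."""
    path_regex, target = rule
    return {uri: apply_rewrite(path_regex, target, uri) for uri in uris}


if __name__ == "__main__":
    # Constructed request URIs, including the edge cases the (/|$) guard exists for.
    for uri, result in rewrite_table(API_RULE, [
        "/api", "/api/", "/api/v1/users", "/API/v1/users?page=2", "/apix/1", "/other",
    ]).items():
        print(f"{uri:26s} -> {result}")
    for uri, result in rewrite_table(STATIC_RULE, ["/static/css/app.css", "/statics"]).items():
        print(f"{uri:26s} -> {result}")
```

Running it shows why `(/|$)` matters: `/api` and `/api/` both become `/`, `/api/v1/users` becomes `/v1/users`, while `/apix/1` is not matched at all rather than being mangled into `/x/1`.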
Deployment and verification commands

```bash
# apply the manifests
kubectl apply -f https-redirect.yaml
kubectl apply -f rewrite-frontend.yaml
kubectl apply -f combined-ingress.yaml
# check that the annotations were accepted
kubectl describe ingress combined-ingress | grep -A3 Annotations
# test the redirect (expect a 301 with a Location header)
curl -I http://old.example.com
```

Notes:

- Rewrite rules must match the backend's own routing: the backend sees the rewritten path, not the one the client requested.
- In production, let cert-manager manage HTTPS certificates automatically.
- Other Ingress controllers (Traefik, for example) use different annotation syntax; the `nginx.ingress.kubernetes.io/*` annotations above only take effect with ingress-nginx.
**4. SSL/TLS configuration (HTTPS encryption)**

tls-secret.yaml

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: example-tls
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded certificate>
  tls.key: <base64-encoded private key>
```

The certificate and key must be base64-encoded beforehand, on a single line: `cat cert.pem | base64 -w0` (and likewise for the key file). Without `-w0` the output is wrapped every 76 characters, which breaks the YAML value.

ssl-ingress.yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secure-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - secure.example.com
    secretName: example-tls
  rules:
  - host: secure.example.com
    http:
      paths:
      - path: /
        pathType: Prefix   # required in networking.k8s.io/v1
        backend:
          service:
            name: web-service
            port:
              number: 80
```

Key parameters:

- `ssl-redirect: "true"`: force plain-HTTP requests to redirect to HTTPS (ingress-nginx already does this by default for hosts that have a `tls` entry; the annotation makes it explicit per Ingress).
- The `tls` block ties the listed host names to the Secret holding their certificate. The Secret must live in the same namespace as the Ingress, and the certificate should be valid for every host in the list.
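The two mistakes that the `tls-secret.yaml` step invites are wrapped base64 (a multi-line `data:` value) and swapped `tls.crt`/`tls.key`; the API server accepts the `kubernetes.io/tls` type as long as both keys exist and only nginx fails later. The following added example, not code from the original page, builds the Secret manifest the way `base64 -w0` does and refuses both mistakes. It only checks the PEM armour; the certificate contents (expiry, SANs) are assumptions here and are not parsed. The PEM strings are constructed placeholders.

```python
import base64
import textwrap

# Added example (not the page's own code): build a kubernetes.io/tls Secret from
# PEM bytes, with the checks kubectl does not do for you.

CERT_HEADER = b"-----BEGIN CERTIFICATE-----"
KEY_HEADERS = (
    b"-----BEGIN PRIVATE KEY-----",      # PKCS#8
    b"-----BEGIN RSA PRIVATE KEY-----",  # PKCS#1
    b"-----BEGIN EC PRIVATE KEY-----",   # SEC1
)


def b64_oneline(data: bytes) -> str:
    """Equivalent of `base64 -w0`: a single line, which a YAML data: value requires."""
    return base64.b64encode(data).decode("ascii")


def build_tls_secret(name: str, namespace: str, cert_pem: bytes, key_pem: bytes) -> str:
    """Return the Secret manifest, or raise ValueError if crt/key look swapped."""
    if not cert_pem.lstrip().startswith(CERT_HEADER):
        raise ValueError("tls.crt is not a PEM certificate (is it the key file?)")
    if not key_pem.lstrip().startswith(KEY_HEADERS):
        raise ValueError("tls.key is not a PEM private key (is it the certificate?)")
    return textwrap.dedent(f"""\
        apiVersion: v1
        kind: Secret
        metadata:
          name: {name}
          namespace: {namespace}
        type: kubernetes.io/tls
        data:
          tls.crt: {b64_oneline(cert_pem)}
          tls.key: {b64_oneline(key_pem)}
        """)


def is_valid_tls_pair(cert_pem: bytes, key_pem: bytes) -> bool:
    """True when the pair passes the armour checks above."""
    try:
        build_tls_secret("check", "default", cert_pem, key_pem)
        return True
    except ValueError:
        return False


def decode_tls_secret(manifest: str) -> dict:
    """Recover the PEM bytes from a manifest produced above (round-trip check)."""
    out = {}
    for line in manifest.splitlines():
        stripped = line.strip()
        for key in ("tls.crt:", "tls.key:"):
            if stripped.startswith(key):
                out[key.rstrip(":")] = base64.b64decode(stripped[len(key):].strip())
    return out


# Constructed placeholders standing in for real cert.pem / key.pem contents.
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(build_tls_secret("example-tls", "default", SAMPLE_CERT, SAMPLE_KEY))
```

Feed it the real `cert.pem` and `key.pem` bytes (`open(path, "rb").read()`) and pipe the output to `kubectl apply -f -`; `decode_tls_secret` is there to confirm that what went into the Secret is byte-for-byte what is on disk.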
**5. Basic authentication (Basic Auth)**

auth-secret.yaml

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: basic-auth
  namespace: default
type: Opaque
data:
  auth: <base64-encoded htpasswd file>
```

The `auth` key must hold an htpasswd file (`user:hash` lines), not a plain `username:password` string: ingress-nginx hands the file to nginx's `auth_basic_user_file`, which only accepts hashed entries. Generate it with `htpasswd -c auth foo` (which prompts for foo's password) and encode it with `base64 -w0 auth`; `kubectl create secret generic basic-auth --from-file=auth` does both steps in one command.

auth-ingress.yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  rules:
  - host: private.example.com
    http:
      paths:
      - path: /
        pathType: Prefix   # required in networking.k8s.io/v1
        backend:
          service:
            name: private-service
            port:
              number: 8080
```

Core annotations:

- `auth-type`: selects the authentication method, here `basic`.
- `auth-secret`: the Secret (in the same namespace as the Ingress) that stores the credentials.
- `auth-realm`: the realm string the browser displays in its login prompt.
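To make the htpasswd requirement concrete, here is an added example that is not part of the original page and not ingress-nginx's own tooling: it produces the `auth` file in the `{SSHA}` (salted SHA-1) form that nginx's `auth_basic` accepts, wraps it in the Secret manifest, and includes the verification nginx performs. Apache's `htpasswd` writes the apr1 form instead, which nginx accepts as well; what nginx does not accept is a plain `user:password` line. Assumptions: the Ingress uses the default `auth-secret-type` (auth-file), and the credentials are constructed for the demo.

```python
import base64
import hashlib
import secrets
import textwrap
from typing import Dict, List, Optional

# Added example (not the page's own code): generate the htpasswd file that
# ingress-nginx expects in the Secret's `auth` key.
# Assumption: {SSHA} entries (base64 of sha1(password + salt) followed by the salt)
# are accepted by nginx's auth_basic, alongside apr1 entries from `htpasswd`.


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} htpasswd entry; a random 8-byte salt is used unless one is given."""
    salt = secrets.token_bytes(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(entry: str, password: str) -> bool:
    """Check a {SSHA} entry the way nginx does: recompute with the stored salt."""
    if not entry.startswith("{SSHA}"):
        return False             # a plain user:password line never verifies
    raw = base64.b64decode(entry[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(digest, expected)


def htpasswd_file(users: Dict[str, str]) -> str:
    """One 'user:hash' line per user; ':' cannot appear in a username."""
    lines = []
    for user, password in users.items():
        if ":" in user:
            raise ValueError(f"invalid username {user!r}")
        lines.append(f"{user}:{ssha_hash(password)}")
    return "\n".join(lines) + "\n"


def build_auth_secret(name: str, namespace: str, users: Dict[str, str]) -> str:
    """Secret manifest with the htpasswd file base64-encoded into the `auth` key."""
    auth_b64 = base64.b64encode(htpasswd_file(users).encode("utf-8")).decode("ascii")
    return textwrap.dedent(f"""\
        apiVersion: v1
        kind: Secret
        metadata:
          name: {name}
          namespace: {namespace}
        type: Opaque
        data:
          auth: {auth_b64}
        """)


def users_in_secret(manifest: str) -> List[str]:
    """Decode the auth key and list its usernames (a pre-deployment sanity check)."""
    for line in manifest.splitlines():
        if line.strip().startswith("auth:"):
            auth = base64.b64decode(line.split(":", 1)[1].strip()).decode("utf-8")
            return [entry.split(":", 1)[0] for entry in auth.splitlines() if entry]
    return []


if __name__ == "__main__":
    # constructed demo credentials
    print(build_auth_secret("basic-auth", "default", {"foo": "correct horse battery"}))
```

The password never appears in the Secret, only its salted hash; `users_in_secret` lets you confirm which accounts a manifest grants access to before it is applied, which is useful when the Secret is reviewed in a pull request.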
Deployment and verification commands

```bash
# apply the manifests
kubectl apply -f tls-secret.yaml
kubectl apply -f ssl-ingress.yaml
kubectl apply -f auth-secret.yaml
kubectl apply -f auth-ingress.yaml
# check the certificate binding
kubectl describe ingress secure-ingress | grep -A3 'TLS'
# test authentication (expect 401 Unauthorized without credentials)
curl -v http://private.example.com
```

Notes:

- In production, have cert-manager issue certificates automatically from Let's Encrypt.
- Basic Auth must be used together with HTTPS: the Authorization header only base64-encodes the credentials, so over plain HTTP the password is readable to anyone on the network path.
- Different controllers use different annotations (Traefik's auth annotations, for example, are prefixed `traefik.ingress`).