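Contents
1. Domain redirects (HTTP→HTTPS / old-domain redirect)
2. Rewrite for separated front end and back end (path rewriting)
3. Combined configuration example (redirect + rewrite)
4. SSL/TLS configuration (HTTPS encryption)
5. Basic authentication (Basic Auth)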
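1. Domain redirects (HTTP→HTTPS / old-domain redirect)
https-redirect.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: https-redirect
  annotations:
    nginx.ingress.kubernetes.io/permanent-redirect: https://$host$request_uri
spec:
  rules:
  - host: old.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: dummy-service
            port:
              number: 80
Line-by-line explanation:
- nginx.ingress.kubernetes.io/permanent-redirect: an annotation specific to the NGINX Ingress Controller; it returns a 301 permanent redirect.
- $host$request_uri: preserves the domain and path of the original request.
- dummy-service: a placeholder service (it never actually handles requests).
- The annotation applies to every request for this host, including requests that already arrive over HTTPS. For a plain HTTP→HTTPS upgrade on the same host, ssl-redirect (section 4) is the purpose-built option.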
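2. Rewrite for separated front end and back end (path rewriting)
rewrite-frontend.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rewrite-demo
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /api(/|$)(.*)
        # The path is a regular expression, so it is not a Prefix or Exact path
        pathType: ImplementationSpecific
        backend:
          service:
            name: backend-service
            port:
              number: 8080
Line-by-line explanation:
- rewrite-target: /$2: appends the part captured by (.*) to the root path.
- path: /api(/|$)(.*): a regular expression that matches paths beginning with /api; $2 refers to the second capture group.
- backend-service:8080: the back-end service that actually handles the request.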
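3. Combined configuration example (redirect + rewrite)
combined-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: combined-ingress
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      if ($host = 'deprecated.com') {
        return 301 https://new.example.com$request_uri;
      }
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
  - host: new.example.com
    http:
      paths:
      - path: /static/(.*)
        # The path is a regular expression, so it is not a Prefix or Exact path
        pathType: ImplementationSpecific
        backend:
          service:
            name: frontend-service
            port:
              number: 80
Key points:
- configuration-snippet: inserts a custom Nginx configuration fragment to implement more complex logic.
- This configuration is meant to handle both the old-domain redirect and the static-resource path rewrite.
- The snippet is only evaluated for requests that reach this Ingress's rules, so deprecated.com must also be routed to it (for example as a second host rule) for the redirect to fire.
- Snippet annotations let anyone who can create an Ingress inject raw Nginx configuration, so recent ingress-nginx releases disable them by default (the allow-snippet-annotations ConfigMap option); enable them only where Ingress authors are trusted.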
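Deployment and verification commands
# Apply the configuration
kubectl apply -f https-redirect.yaml
kubectl apply -f rewrite-frontend.yaml
kubectl apply -f combined-ingress.yaml
# Check that the annotations took effect
kubectl describe ingress combined-ingress | grep -A3 Annotations
# Test the redirect (returns a 301 header)
curl -I http://old.example.com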
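Notes:
- Rewrite rules must match the routing rules of the back-end service.
- In production, use cert-manager to manage HTTPS certificates automatically.
- Annotation syntax may differ between Ingress Controllers (e.g. Traefik).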
4. SSL/TLS configuration (HTTPS encryption)
tls-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: example-tls
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded certificate>
  tls.key: <base64-encoded private key>
The certificate and key must be base64-encoded beforehand: cat cert.pem | base64 -w0
ssl-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secure-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - secure.example.com
    secretName: example-tls
  rules:
  - host: secure.example.com
    http:
      paths:
      - path: /
        # pathType is required in networking.k8s.io/v1
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
Key parameters:
- ssl-redirect: "true": forces HTTP requests to be redirected to HTTPS.
- tls block: defines the domains and the Secret associated with the certificate.
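5. Basic authentication (Basic Auth)
auth-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: basic-auth
  namespace: default
type: Opaque
data:
  # YAML does not run shell substitutions; paste the encoded htpasswd file here
  auth: <base64-encoded contents of the htpasswd file>
Generate the file with: htpasswd -c auth foo
Then base64-encode the resulting auth file.
auth-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  rules:
  - host: private.example.com
    http:
      paths:
      - path: /
        # pathType is required in networking.k8s.io/v1
        pathType: Prefix
        backend:
          service:
            name: private-service
            port:
              number: 8080
Core annotations:
- auth-type: sets the authentication method to basic.
- auth-secret: references the Secret that stores the credentials.
- auth-realm: the prompt text shown in the browser's authentication dialog.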
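Deployment and verification commands
# Apply the configuration
kubectl apply -f tls-secret.yaml
kubectl apply -f ssl-ingress.yaml
kubectl apply -f auth-secret.yaml
kubectl apply -f auth-ingress.yaml
# Check the certificate status
kubectl describe ingress secure-ingress | grep -A3 'TLS'
# Test authentication (returns 401 Unauthorized)
curl -v http://private.example.com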
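Notes:
- In production, use cert-manager to issue certificates automatically from Let's Encrypt.
- Basic Auth must be used together with HTTPS to avoid leaking the password.
- Different controllers may use different annotations (for example, Traefik's auth annotations use the prefix traefik.ingress).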
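
A small manifest check for the pitfalls this page touches on (Basic Auth on a host without TLS, regex paths under Prefix/Exact, missing pathType, raw Nginx snippets), as an added example that is not part of the original article. It works on Ingress manifests already parsed into Python dicts; lint_ingress, make_ingress, the finding strings and the sample manifests are all constructed for illustration.

```python
import re

PREFIX = "nginx.ingress.kubernetes.io/"
REGEX_CHARS = re.compile(r"[()|*$^\[\]\\+?]")


def lint_ingress(ing):
    """Return sorted finding strings for one Ingress manifest given as a dict."""
    spec = ing.get("spec", {})
    ann = ing.get("metadata", {}).get("annotations") or {}
    # Exact host match only; wildcard TLS hosts are not handled in this sketch.
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    findings = set()
    for rule in spec.get("rules") or []:
        host = rule.get("host", "")
        # Basic Auth sends base64(user:password) with every request.
        if ann.get(PREFIX + "auth-type") == "basic" and host not in tls_hosts:
            findings.add("basic-auth-without-tls:" + host)
        for p in (rule.get("http") or {}).get("paths") or []:
            path, ptype = p.get("path", ""), p.get("pathType")
            if ptype is None:
                findings.add("missing-pathType:" + path)
            elif ptype != "ImplementationSpecific" and REGEX_CHARS.search(path):
                findings.add("regex-path-with-" + ptype + ":" + path)
    # Snippet annotations inject raw nginx configuration; flag them for review.
    for key in ann:
        if key.startswith(PREFIX) and key.endswith("-snippet"):
            findings.add("raw-nginx-snippet:" + key[len(PREFIX):])
    return sorted(findings)


def make_ingress(host, path, path_type=None, annotations=None, tls_hosts=None):
    """Build a minimal Ingress dict (constructed sample input, not a full manifest)."""
    entry = {"path": path, "backend": {"service": {"name": "svc", "port": {"number": 80}}}}
    if path_type:
        entry["pathType"] = path_type
    spec = {"rules": [{"host": host, "http": {"paths": [entry]}}]}
    if tls_hosts:
        spec["tls"] = [{"hosts": tls_hosts, "secretName": "example-tls"}]
    return {"metadata": {"annotations": annotations or {}}, "spec": spec}


# Constructed samples; the first and third carry deliberate mistakes.
AUTH_PLAIN = make_ingress("private.example.com", "/", None, {PREFIX + "auth-type": "basic"})
AUTH_TLS = make_ingress("private.example.com", "/", "Prefix",
                        {PREFIX + "auth-type": "basic"}, ["private.example.com"])
SNIPPET = make_ingress("new.example.com", "/static/(.*)", "Prefix",
                       {PREFIX + "configuration-snippet": "return 301 https://new.example.com;"})

if __name__ == "__main__":
    for name, ing in [("auth-plain", AUTH_PLAIN), ("auth-tls", AUTH_TLS), ("snippet", SNIPPET)]:
        print(name, lint_ingress(ing))
```

To run it over real files, load each manifest with a YAML parser and pass the resulting dict to lint_ingress, for instance in CI before kubectl apply.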