目录
一. 域名重定向(HTTP→HTTPS/旧域名跳转)
二. 前后端分离Rewrite(路径改写)
三. 混合配置示例(重定向+Rewrite)
四. SSL/TLS配置(HTTPS加密)
五. 基本认证(Basic Auth)
一. 域名重定向(HTTP→HTTPS/旧域名跳转)
https-redirect.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: https-redirectannotations:nginx.ingress.kubernetes.io/permanent-redirect: https://$host$request_uri
spec:rules:- host: old.example.comhttp:paths:- path: /pathType: Prefixbackend:service:name: dummy-serviceport:number: 80
逐行解释:
nginx.ingress.kubernetes.io/permanent-redirect:Nginx特有注解,返回301永久重定向$host$request_uri:保留原始请求的域名和路径dummy-service:虚拟服务(实际不会处理请求)
二. 前后端分离Rewrite(路径改写)
rewrite-frontend.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: rewrite-demoannotations:nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:rules:- host: app.example.comhttp:paths:- path: /api(/|$)(.*)pathType: Prefixbackend:service:name: backend-serviceport:number: 8080
逐行解释:
rewrite-target: /$2:将捕获的(.*)部分拼接到根路径path: /api(/|$)(.*):正则匹配/api开头的路径,$2对应第二个捕获组backend-service:8080:实际处理请求的后端服务
三. 混合配置示例(重定向+Rewrite)
combined-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: combined-ingressannotations:nginx.ingress.kubernetes.io/configuration-snippet: |if ($host = 'deprecated.com') {return 301 https://new.example.com$request_uri;}nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:rules:- host: new.example.comhttp:paths:- path: /static/(.*)pathType: Prefixbackend:service:name: frontend-serviceport:number: 80
关键点说明:
configuration-snippet:插入自定义Nginx代码片段实现复杂逻辑- 此配置同时完成旧域名跳转和静态资源路径改写
部署验证命令
# 应用配置
kubectl apply -f https-redirect.yaml
kubectl apply -f rewrite-frontend.yaml
# 检查注解是否生效
kubectl describe ingress combined-ingress | grep Annotations
# 测试重定向(返回301头)
curl -I http://old.example.com 注意事项:
- Rewrite规则需与后端服务路由规则匹配
- 生产环境建议使用
cert-manager自动管理HTTPS证书 - 不同Ingress Controller(如Traefik)注解语法可能不同
四. SSL/TLS配置(HTTPS加密)
tls-secret.yaml
apiVersion: v1
kind: Secret
metadata:name: example-tlsnamespace: default
type: kubernetes.io/tls
data:tls.crt: <base64编码的证书>tls.key: <base64编码的私钥>
证书需提前base64编码:cat cert.pem | base64 -w0
ssl-ingress.yaml
Version: networking.k8s.io/v1
kind: Ingress
metadata:name: secure-ingressannotations:nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:tls:- hosts:- secure.example.comsecretName: example-tlsrules:- host: secure.example.comhttp:paths:- path: /backend:service:name: web-serviceport: number: 80
关键参数说明:
ssl-redirect: "true"强制HTTP跳转到HTTPStls块定义证书关联的域名和Secret
五. 基本认证(Basic Auth)
auth-secret.yaml
apiVersion: v1
kind: Secret
metadata:name: basic-authnamespace: default
type: Opaque
data:auth: $(echo -n 'username:password' | openssl base64 -A)
生成命令:htpasswd -c auth foo 然后base64编码
auth-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: auth-ingressannotations:nginx.ingress.kubernetes.io/auth-type: basicnginx.ingress.kubernetes.io/auth-secret: basic-authnginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:rules:- host: private.example.comhttp:paths:- path: /backend:service:name: private-serviceport:number: 8080
核心注解说明:
auth-type指定认证方式为basicauth-secret关联存储凭据的Secretauth-realm浏览器弹出的认证提示文本
部署验证命令
# 应用配置
kubectl apply -f tls-secret.yaml
kubectl apply -f ssl-ingress.yaml
# 检查证书状态
kubectl describe ingress secure-ingress | grep -A3 'TLS'
# 测试认证(返回401未授权)
curl -v http://private.example.com 注意事项:
- 生产环境建议使用Let's Encrypt通过cert-manager自动签发证书
- Basic Auth需配合HTTPS使用避免密码泄露
- 不同Controller可能使用不同注解(如Traefik的auth注解前缀为traefik.ingress)
使用)
转以太网)
:视觉识别的革命性架构)
