Installing Ingress Nginx and CertManager

Before installing Ingress Nginx, install the OpenStack Cloud Controller Manager so that OpenStack load balancers are supported.

Ingress Nginx

Recommended values.yaml

values.yaml
controller:
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  replicaCount: 2
  resources:
    requests:
      cpu: 300m
      memory: 150Mi
    limits:
      memory: 150Mi
  ingressClass: nginx
  ingressClassResource:
    name: nginx
    controllerValue: "k8s.io/nginx"
  config:
    proxy-real-ip-cidr: 10.0.0.0/8
    use-proxy-protocol: "true"
    server-tokens: "false"
    log-format-escape-json: "true"
    log-format-upstream: '{"msec": "$msec", "connection": "$connection", "connection_requests": "$connection_requests", "pid": "$pid", "request_id": "$request_id", "request_length": "$request_length", "remote_addr": "$remote_addr", "remote_user": "$remote_user", "remote_port": "$remote_port", "time_local": "$time_local", "time_iso8601": "$time_iso8601", "request": "$request", "request_uri": "$request_uri", "args": "$args", "status": "$status", "body_bytes_sent": "$body_bytes_sent", "bytes_sent": "$bytes_sent", "http_referer": "$http_referer", "http_user_agent": "$http_user_agent", "http_x_forwarded_for": "$http_x_forwarded_for", "http_host": "$http_host", "server_name": "$server_name", "request_time": "$request_time", "upstream": "$upstream_addr", "upstream_connect_time": "$upstream_connect_time", "upstream_header_time": "$upstream_header_time", "upstream_response_time": "$upstream_response_time", "upstream_response_length": "$upstream_response_length", "upstream_cache_status": "$upstream_cache_status", "ssl_protocol": "$ssl_protocol", "ssl_cipher": "$ssl_cipher", "scheme": "$scheme", "request_method": "$request_method", "server_protocol": "$server_protocol", "pipe": "$pipe", "gzip_ratio": "$gzip_ratio"}'
    large-client-header-buffers: "4 16k"
    allow-snippet-annotations: "true"
    annotations-risk-level: "Critical"
 
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: In
                values:
                  - controller
          topologyKey: "kubernetes.io/hostname"
 
  service:
    type: LoadBalancer
    annotations:
      loadbalancer.openstack.org/proxy-protocol: "true"
 
  metrics:
    enabled: false
    serviceMonitor:
      enabled: false
      additionalLabels:
        release: "prometheus"
  podAnnotations:
    prometheus.io/port: "10254"
    prometheus.io/scrape: "false"

If needed, adjust replicaCount: 2 (the number of nginx pods), proxy-real-ip-cidr: 10.0.0.0/8 (must match your Kubernetes subnet), and the affinity section, which prevents the controller pods from being scheduled on the same node.
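A configuration review for the values.yaml above, added here as an example and not part of the original page: it flags the settings a security reviewer checks before rollout (PROXY protocol agreement between the controller config and the OpenStack load balancer annotation, the trusted real-IP range, snippet annotations, server tokens). It assumes the values file has already been parsed into a dict, for example with PyYAML; the embedded sample is a constructed excerpt and the function names are assumptions of this example.

```python
import ipaddress

# Constructed excerpt of the values.yaml above, as PyYAML would parse it.
SAMPLE_VALUES = {
    "controller": {
        "config": {
            "proxy-real-ip-cidr": "10.0.0.0/8",
            "use-proxy-protocol": "true",
            "server-tokens": "false",
            "allow-snippet-annotations": "true",
            "annotations-risk-level": "Critical",
        },
        "service": {"annotations": {"loadbalancer.openstack.org/proxy-protocol": "true"}},
    }
}
PP_ANNOTATION = "loadbalancer.openstack.org/proxy-protocol"

def truthy(value):
    """Chart config values are strings, but hand-edited YAML may give a bool."""
    return str(value).lower() == "true"

def review_ingress_values(values):
    """Return (severity, message) findings for the ingress-nginx controller settings."""
    ctrl = values.get("controller", {})
    cfg = ctrl.get("config", {})
    svc_ann = ctrl.get("service", {}).get("annotations", {})
    findings = []
    # PROXY protocol must be on at both the controller and the OpenStack LB;
    # if only one side speaks it, requests fail or lose the client address.
    if truthy(cfg.get("use-proxy-protocol", "false")) != truthy(svc_ann.get(PP_ANNOTATION, "false")):
        findings.append(("error", "use-proxy-protocol and the service proxy-protocol annotation disagree"))
    # proxy-real-ip-cidr is the set of peers trusted to assert the client IP:
    # it must parse and should stay a private (load balancer) range.
    cidr = cfg.get("proxy-real-ip-cidr")
    if cidr is not None:
        try:
            if not ipaddress.ip_network(cidr, strict=True).is_private:
                findings.append(("warn", f"proxy-real-ip-cidr {cidr} trusts a non-private range"))
        except ValueError:
            findings.append(("error", f"proxy-real-ip-cidr {cidr!r} is not a valid network"))
    # Snippet annotations let any Ingress author inject raw nginx directives,
    # and risk level Critical admits every annotation. Flag it for RBAC review.
    if truthy(cfg.get("allow-snippet-annotations", "false")):
        level = cfg.get("annotations-risk-level", "chart default")
        findings.append(("warn", f"allow-snippet-annotations enabled at risk level {level}; restrict who can create Ingress objects"))
    # server-tokens leaks the nginx version in responses unless disabled.
    if truthy(cfg.get("server-tokens", "true")):
        findings.append(("warn", "server-tokens is not disabled; nginx version is exposed"))
    return findings
```

Run it against the parsed values before `helm upgrade`; an "error" finding means the controller and load balancer will not interoperate as intended.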

Installation

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm upgrade --install --namespace ingress-nginx --create-namespace --values values.yaml ingress ingress-nginx/ingress-nginx

CertManager

Recommended values.yaml

values.yaml
ingressShim:
  defaultIssuerKind: "ClusterIssuer"
  defaultIssuerName: "letsencrypt-prod"
extraArgs:
  - "--dns01-recursive-nameservers-only"
  - "--dns01-recursive-nameservers=8.8.8.8:53"
  - "--leader-elect=false"
resources:
  requests:
    cpu: 50m
    memory: 128Mi
  limits:
    memory: 128Mi
webhook:
  resources:
    requests:
      cpu: 20m
      memory: 64Mi
    limits:
      memory: 64Mi
cainjector:
  resources:
    requests:
      cpu: 20m
      memory: 200M
    limits:
      memory: 200M
startupapicheck:
  resources:
    requests:
      cpu: 10m
      memory: 64Mi
    limits:
      memory: 64Mi

Basic clusterissuer.yaml for a simple HTTP-01 challenge

clusterissuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx

Installation

# It is better to install the CRDs with a separate command
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.14.5/cert-manager.crds.yaml
 
# Install the chart:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm upgrade --install --namespace cert-manager --create-namespace --values values.yaml cert-manager jetstack/cert-manager --version v1.14.5
 
# Install the ClusterIssuer:
kubectl apply -f clusterissuer.yaml