Working nginx-webserver config

This commit is contained in:
erik 2022-09-21 12:54:05 +02:00
parent 24da81f789
commit 0340b8d4e7
7 changed files with 107 additions and 21 deletions


@ -1,6 +1,4 @@
# c4k-website # c4k-website README
# README
## Requirements ## Requirements


@ -21,4 +21,5 @@ spec:
service: service:
name: website-service name: website-service
port: port:
number: 3000 number: 80


@ -44,7 +44,7 @@ data:
# it might be a good idea to set a common reverse proxy # it might be a good idea to set a common reverse proxy
# which points to the ingress? # which points to the ingress?
include /etc/nginx/conf.d/repo.test.meissa.de.conf; # should be replaced by c4k include /etc/nginx/conf.d/FQDN.conf; # should be replaced by c4k
} }
mime.types: | mime.types: |
@ -96,14 +96,18 @@ data:
video/x-ms-asf asx asf; video/x-ms-asf asx asf;
video/x-mng mng; video/x-mng mng;
} }
repo.test.meissa.de.conf: | FQDN.conf: |
server { server {
listen 80 default_server; listen 80 default_server;
listen [::]:80 default_server; listen [::]:80 default_server;
server_name repo.test.meissa.de www.repo.test.meissa.de; listen 443 ssl;
ssl_certificate /etc/certs/tls.crt;
ssl_certificate_key /etc/certs/tls.key;
server_name FQDN;
# security headers # security headers
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
@ -115,7 +119,8 @@ data:
# maybe need to add: # maybe need to add:
# add_header Permissions-Policy "permissions here"; # add_header Permissions-Policy "permissions here";
root /var/www/html/repo.test.meissa.de; root /var/www/html/FQDN;
# root /usr/share/nginx/html/; # testing purposes
index index.html; index index.html;
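Review bot: The new `listen 443 ssl;` has no IPv6 counterpart, while port 80 is bound on both `listen 80 default_server;` and `listen [::]:80 default_server;`; with the Service set to `ipFamilyPolicy: PreferDualStack`, IPv6 clients reaching port 443 would find nothing listening, so add `listen [::]:443 ssl;` next to it. The same server block keeps serving content on plain port 80 rather than redirecting, so the `Strict-Transport-Security` header is also emitted over an unencrypted connection where browsers ignore it; unless plain-HTTP traffic is expected to reach nginx only via the ingress redirect, a separate port-80 server with `return 301 https://$host$request_uri;` would make the HSTS policy effective. The second copy of this configuration in the deployment file below (hunk `@ -145,9 +156,13 @@ data:`) has the same two gaps. The server block opened at `server {` continues outside the hunk.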


@ -24,8 +24,11 @@ spec:
name: nginx-conf name: nginx-conf
- mountPath: /var/log/nginx - mountPath: /var/log/nginx
name: log name: log
- mountPath: /var/www/html/repo.test.meissa.de - mountPath: /var/www/html/FQDN
name: website-content-volume name: website-content-volume
- mountPath: /etc/certs
name: website-cert
readOnly: true
volumes: volumes:
- name: nginx-conf - name: nginx-conf
configMap: configMap:
@ -33,8 +36,8 @@ spec:
items: items:
- key: nginx.conf - key: nginx.conf
path: nginx.conf path: nginx.conf
- key: repo.test.meissa.de.conf - key: FQDN.conf
path: conf.d/repo.test.meissa.de.conf path: conf.d/FQDN.conf
- key: mime.types - key: mime.types
path: mime.types # dig directory path: mime.types # dig directory
- name: log - name: log
@ -42,4 +45,11 @@ spec:
- name: website-content-volume - name: website-content-volume
persistentVolumeClaim: persistentVolumeClaim:
claimName: website-content-pvc claimName: website-content-pvc
--- - name: website-cert
secret:
secretName: website-cert
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
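Review bot: The `website-cert` secret volume added under `volumes:` sets no `defaultMode`, so the mounted `tls.key` gets the secret-volume default of 0644 and is readable by every user inside the container; put `defaultMode: 0400` on the `secret:` stanza so only the process owner can read the private key (0440 if the nginx worker user turns out to need it). The `readOnly: true` on the mount only prevents writes, not reads by other users. The identical volume definition in the second deployment file below (hunk `@ -42,6 +45,14 @@ spec:`) needs the same setting. The old side of the last hunk line shows a `---` separator being replaced by the new volume entry; if that separator preceded a further document rather than trailing the file, it has to be restored after the new `website-cert` volume.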


@ -2,11 +2,18 @@ kind: Service
apiVersion: v1 apiVersion: v1
metadata: metadata:
name: nginx-service name: nginx-service
labels:
app: nginx
namespace: default namespace: default
spec: spec:
type: LoadBalancer type: LoadBalancer
ipFamilyPolicy: PreferDualStack
selector: selector:
app: nginx app: nginx
ports: ports:
- name: website - port: 80
port: 80 targetPort: 80
name: http
- port: 443
targetPort: 443
name: https


@ -26,6 +26,9 @@ spec:
name: log name: log
- mountPath: /var/www/html/repo.test.meissa.de - mountPath: /var/www/html/repo.test.meissa.de
name: website-content-volume name: website-content-volume
- mountPath: /etc/certs
name: website-cert
readOnly: true
volumes: volumes:
- name: nginx-conf - name: nginx-conf
configMap: configMap:
@ -42,6 +45,14 @@ spec:
- name: website-content-volume - name: website-content-volume
persistentVolumeClaim: persistentVolumeClaim:
claimName: website-content-pvc claimName: website-content-pvc
- name: website-cert
secret:
secretName: website-cert
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
--- ---
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
@ -145,9 +156,13 @@ data:
server { server {
listen 80 default_server; listen 80 default_server;
listen [::]:80 default_server; listen [::]:80 default_server;
listen 443 ssl;
ssl_certificate /etc/certs/tls.crt;
ssl_certificate_key /etc/certs/tls.key;
server_name repo.test.meissa.de www.repo.test.meissa.de; server_name repo.test.meissa.de www.repo.test.meissa.de;
# security headers # security headers
@ -160,7 +175,8 @@ data:
# maybe need to add: # maybe need to add:
# add_header Permissions-Policy "permissions here"; # add_header Permissions-Policy "permissions here";
root /var/www/html/repo.test.meissa.de; # root /var/www/html/repo.test.meissa.de;
root /usr/share/nginx/html/;
index index.html; index index.html;
@ -172,14 +188,22 @@ kind: Service
apiVersion: v1 apiVersion: v1
metadata: metadata:
name: nginx-service name: nginx-service
labels:
app: nginx
namespace: default namespace: default
spec: spec:
type: LoadBalancer type: LoadBalancer
ipFamilyPolicy: PreferDualStack
selector: selector:
app: nginx app: nginx
ports: ports:
- name: websie - port: 80
port: 80 targetPort: 80
name: http
- port: 443
targetPort: 443
name: https
--- ---
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
@ -194,4 +218,45 @@ spec:
- ReadWriteOnce - ReadWriteOnce
resources: resources:
requests: requests:
storage: 5Gi storage: 5Gi
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-website
namespace: default
annotations:
ingress.kubernetes.io/ssl-redirect: "true"
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
spec:
tls:
- hosts:
- repo.test.meissa.de
secretName: website-cert
rules:
- host: repo.test.meissa.de
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: website-service
port:
number: 80
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: website-cert
namespace: default
spec:
secretName: website-cert
commonName: repo.test.meissa.de
duration: 2160h # 90d
renewBefore: 360h # 15d
dnsNames:
- repo.test.meissa.de
issuerRef:
name: staging
kind: ClusterIssuer
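Review bot: The Ingress backend `name: website-service` does not match the Service defined earlier in this same file, whose `metadata` names it `nginx-service`; unless a `website-service` is defined elsewhere, the ingress resolves to no endpoints and every request through it fails, so one of the two names must change (the separate ingress file in hunk `@ -21,4 +21,5 @@ spec:` references `website-service` as well). The `root` line now points at `/usr/share/nginx/html/` with the PVC-backed `root /var/www/html/repo.test.meissa.de;` commented out, so the mounted website-content volume is no longer what this deployment serves; if that is the intended testing state, a comment such as `# testing only: serves the nginx default page, not the PVC content` next to it would make that explicit. The Certificate's `issuerRef` uses the `staging` ClusterIssuer, which presumably issues certificates browsers do not trust — acceptable for a test rollout, but worth a comment on the `name: staging` line so it is not promoted as-is.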


@ -11,4 +11,4 @@ spec:
- ReadWriteOnce - ReadWriteOnce
resources: resources:
requests: requests:
storage: DATASTORAGESIZE storage: WEBSITESTORAGESIZE