Working nginx-webserver config

erik 2022-09-21 12:54:05 +02:00
parent 24da81f789
commit 0340b8d4e7
7 changed files with 107 additions and 21 deletions


@ -1,6 +1,4 @@
# c4k-website
# README
# c4k-website README
## Requirements


@ -21,4 +21,5 @@ spec:
service:
name: website-service
port:
number: 3000
number: 80
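Review bot: The backend still names `website-service`, while the Service this commit edits is called `nginx-service` (the Ingress in the combined manifest further down has the same backend). Unless a `website-service` is defined outside the files shown, the route has nothing behind it and the port change to `80` has no effect. Either point the backend at `name: nginx-service` or rename the Service so the two agree. The Ingress spec starts above this hunk, so the rest of the rule cannot be checked from here.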


@ -44,7 +44,7 @@ data:
# it might be a good idea to set a common reverse proxy
# which points to the ingress?
include /etc/nginx/conf.d/repo.test.meissa.de.conf; # should be replaced by c4k
include /etc/nginx/conf.d/FQDN.conf; # should be replaced by c4k
}
mime.types: |
@ -96,14 +96,18 @@ data:
video/x-ms-asf asx asf;
video/x-mng mng;
}
repo.test.meissa.de.conf: |
FQDN.conf: |
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name repo.test.meissa.de www.repo.test.meissa.de;
listen 443 ssl;
ssl_certificate /etc/certs/tls.crt;
ssl_certificate_key /etc/certs/tls.key;
server_name FQDN;
# security headers
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
@ -115,7 +119,8 @@ data:
# maybe need to add:
# add_header Permissions-Policy "permissions here";
root /var/www/html/repo.test.meissa.de;
root /var/www/html/FQDN;
# root /usr/share/nginx/html/; # testing purposes
index index.html;
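Review bot: The `FQDN.conf` server block now answers on 80 and 443 with the same content and nothing visible redirects plain HTTP to HTTPS, so the `Strict-Transport-Security` header with `includeSubDomains; preload` is also sent on cleartext responses, where browsers ignore it. Consider moving port 80 into its own block, `server { listen 80 default_server; listen [::]:80 default_server; return 301 https://$host$request_uri; }`, and keeping the headers and `root` in the 443 block. The TLS listener is IPv4 only; `listen [::]:443 ssl;` would match the existing IPv6 listener on 80. No `ssl_protocols` line is visible, so the protocol set falls back to the default of whatever nginx version the image ships; `ssl_protocols TLSv1.2 TLSv1.3;` makes it explicit. The server block continues past the hunk boundaries, so some of this may already be handled in lines not shown.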


@ -24,8 +24,11 @@ spec:
name: nginx-conf
- mountPath: /var/log/nginx
name: log
- mountPath: /var/www/html/repo.test.meissa.de
- mountPath: /var/www/html/FQDN
name: website-content-volume
- mountPath: /etc/certs
name: website-cert
readOnly: true
volumes:
- name: nginx-conf
configMap:
@ -33,8 +36,8 @@ spec:
items:
- key: nginx.conf
path: nginx.conf
- key: repo.test.meissa.de.conf
path: conf.d/repo.test.meissa.de.conf
- key: FQDN.conf
path: conf.d/FQDN.conf
- key: mime.types
path: mime.types # dig directory
- name: log
@ -42,4 +45,11 @@ spec:
- name: website-content-volume
persistentVolumeClaim:
claimName: website-content-pvc
---
- name: website-cert
secret:
secretName: website-cert
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
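Review bot: The `website-cert` secret volume is added without `defaultMode`, so `tls.key` is projected with the Kubernetes default mode 0644 and is readable by every user inside the container. Add `defaultMode: 0400` under `secret:` (or `0440` together with an `fsGroup` if nginx does not start as root). The same volume definition in the combined manifest further down has the same gap. The container spec begins outside this hunk, so its `securityContext` cannot be checked from here.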


@ -2,11 +2,18 @@ kind: Service
apiVersion: v1
metadata:
name: nginx-service
labels:
app: nginx
namespace: default
spec:
type: LoadBalancer
ipFamilyPolicy: PreferDualStack
selector:
app: nginx
ports:
- name: website
port: 80
- port: 80
targetPort: 80
name: http
- port: 443
targetPort: 443
name: https
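Review bot: With `type: LoadBalancer` and both ports published, nginx is reachable directly from outside the cluster, so port 80 serves cleartext without passing through any Ingress or its HTTPS redirect. If the Ingress is the intended entry point, `type: ClusterIP` keeps the pod behind it. If direct exposure is wanted, dropping the `http` port or redirecting inside nginx removes the cleartext path.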


@ -26,6 +26,9 @@ spec:
name: log
- mountPath: /var/www/html/repo.test.meissa.de
name: website-content-volume
- mountPath: /etc/certs
name: website-cert
readOnly: true
volumes:
- name: nginx-conf
configMap:
@ -42,6 +45,14 @@ spec:
- name: website-content-volume
persistentVolumeClaim:
claimName: website-content-pvc
- name: website-cert
secret:
secretName: website-cert
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
---
apiVersion: v1
kind: ConfigMap
@ -145,9 +156,13 @@ data:
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl;
ssl_certificate /etc/certs/tls.crt;
ssl_certificate_key /etc/certs/tls.key;
server_name repo.test.meissa.de www.repo.test.meissa.de;
# security headers
@ -160,7 +175,8 @@ data:
# maybe need to add:
# add_header Permissions-Policy "permissions here";
root /var/www/html/repo.test.meissa.de;
# root /var/www/html/repo.test.meissa.de;
root /usr/share/nginx/html/;
index index.html;
@ -172,14 +188,22 @@ kind: Service
apiVersion: v1
metadata:
name: nginx-service
labels:
app: nginx
namespace: default
spec:
type: LoadBalancer
ipFamilyPolicy: PreferDualStack
selector:
app: nginx
ports:
- name: websie
port: 80
- port: 80
targetPort: 80
name: http
- port: 443
targetPort: 443
name: https
---
apiVersion: v1
kind: PersistentVolumeClaim
@ -195,3 +219,44 @@ spec:
resources:
requests:
storage: 5Gi
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-website
namespace: default
annotations:
ingress.kubernetes.io/ssl-redirect: "true"
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
spec:
tls:
- hosts:
- repo.test.meissa.de
secretName: website-cert
rules:
- host: repo.test.meissa.de
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: website-service
port:
number: 80
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: website-cert
namespace: default
spec:
secretName: website-cert
commonName: repo.test.meissa.de
duration: 2160h # 90d
renewBefore: 360h # 15d
dnsNames:
- repo.test.meissa.de
issuerRef:
name: staging
kind: ClusterIssuer
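Review bot: The Ingress annotation `default-redirect-https@kubernetescrd` refers to a Traefik Middleware named `redirect-https` in namespace `default`, and no such object is defined in the hunks shown; if it is missing, the redirect this manifest relies on does not exist. `ingress.kubernetes.io/ssl-redirect` does not appear to be an annotation Traefik v2 honours, so it likely has no effect on its own. The Certificate is issued by the `staging` ClusterIssuer, which presumably yields a certificate browsers do not trust, and an earlier hunk in this file switches `root` to `/usr/share/nginx/html/` with the real docroot commented out. Both look like test settings and deserve a comment such as `# test only: switch to the production issuer before release`.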


@ -11,4 +11,4 @@ spec:
- ReadWriteOnce
resources:
requests:
storage: DATASTORAGESIZE
storage: WEBSITESTORAGESIZE