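---
# nginx static-site stack: Deployment + ConfigMap (nginx config) + Service +
# PVC (site content) + Ingress (Traefik, TLS via cert-manager) + Certificate.
#
# Fixes applied in this revision:
#   * Ingress backend pointed at a Service that does not exist in this file
#     (`website-service`); it now references `nginx-service` defined below.
#   * Deployment pinned to `namespace: default` like every other object here,
#     so the ConfigMap / Secret / PVC it references are resolvable.
#   * TLS secret mounted with mode 0400 (nginx master runs as root and reads
#     the key once at startup); ServiceAccount token no longer auto-mounted
#     (nginx makes no API calls).
#   * nginx: `server_tokens off`, explicit `ssl_protocols TLSv1.2 TLSv1.3`,
#     and an IPv6 443 listener to match the dual-stack Service.
#
# Still worth addressing (not changed here, see inline NOTE(review) comments):
#   `nginx:latest` is an unpinned image; the cert-manager issuer is `staging`;
#   the cert does not cover `www.`; the CSP allows scripts from any origin.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      # nginx never talks to the Kubernetes API; do not hand it a token.
      automountServiceAccountToken: false
      containers:
        - name: nginx
          # NOTE(review): `latest` + `Always` re-resolves the image on every
          # pod start, so the deployed binary can change without any change
          # to this manifest. Pin to a version tag or, better, a digest
          # (`nginx@sha256:...`) once one has been vetted.
          image: nginx:latest
          imagePullPolicy: "Always"
          ports:
            - containerPort: 80
            - containerPort: 443
          volumeMounts:
            # The whole of /etc/nginx is replaced by the ConfigMap below,
            # which is why mime.types has to be shipped in the ConfigMap too.
            - mountPath: /etc/nginx
              readOnly: true
              name: nginx-conf
            - mountPath: /var/log/nginx
              name: log
            - mountPath: /var/www/html/repo.test.meissa.de
              name: website-content-volume
            - mountPath: /etc/certs
              name: website-cert
              readOnly: true
      volumes:
        - name: nginx-conf
          configMap:
            name: nginx-conf
            items:
              - key: nginx.conf
                path: nginx.conf
              - key: repo.test.meissa.de.conf
                path: conf.d/repo.test.meissa.de.conf
              - key: mime.types
                path: mime.types
        - name: log
          emptyDir: {}
        - name: website-content-volume
          persistentVolumeClaim:
            claimName: website-content-pvc
        - name: website-cert
          secret:
            secretName: website-cert
            # 256 == 0400: only the (root) nginx master needs to read the key.
            defaultMode: 256
            items:
              - key: tls.crt
                path: tls.crt
              - key: tls.key
                path: tls.key
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-conf
  namespace: default
data:
  nginx.conf: |
    user nginx;
    worker_processes 3;
    error_log /var/log/nginx/error.log;
    # pid lives under /var/log because /etc/nginx is mounted read-only
    pid /var/log/nginx/nginx.pid;
    worker_rlimit_nofile 8192;
    events {
      worker_connections 4096;  ## Default: 1024
    }
    # daemon off;  # run in foreground
    http {
      include /etc/nginx/mime.types;  # should be replaced by c4k
      default_type application/octet-stream;
      log_format main '$remote_addr - $remote_user [$time_local] $status '
                      '"$request" $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
      access_log /var/log/nginx/access.log main;
      sendfile on;
      tcp_nopush on;
      keepalive_timeout 65;
      # do not advertise the nginx version in Server: headers and error pages
      server_tokens off;
      server_names_hash_bucket_size 128;  # this seems to be required for some vhosts
      # it might be a good idea to set a common reverse proxy
      # which points to the ingress?
      include /etc/nginx/conf.d/repo.test.meissa.de.conf;  # should be replaced by c4k
    }
  mime.types: |
    types {
      text/html html htm shtml;
      text/css css;
      text/xml xml rss;
      image/gif gif;
      image/jpeg jpeg jpg;
      application/x-javascript js;
      text/plain txt;
      text/x-component htc;
      text/mathml mml;
      image/png png;
      image/x-icon ico;
      image/x-jng jng;
      image/vnd.wap.wbmp wbmp;
      application/java-archive jar war ear;
      application/mac-binhex40 hqx;
      application/pdf pdf;
      application/x-cocoa cco;
      application/x-java-archive-diff jardiff;
      application/x-java-jnlp-file jnlp;
      application/x-makeself run;
      application/x-perl pl pm;
      application/x-pilot prc pdb;
      application/x-rar-compressed rar;
      application/x-redhat-package-manager rpm;
      application/x-sea sea;
      application/x-shockwave-flash swf;
      application/x-stuffit sit;
      application/x-tcl tcl tk;
      application/x-x509-ca-cert der pem crt;
      application/x-xpinstall xpi;
      application/zip zip;
      application/octet-stream deb;
      application/octet-stream bin exe dll;
      application/octet-stream dmg;
      application/octet-stream eot;
      application/octet-stream iso img;
      application/octet-stream msi msp msm;
      audio/mpeg mp3;
      audio/x-realaudio ra;
      video/mpeg mpeg mpg;
      video/quicktime mov;
      video/x-flv flv;
      video/x-msvideo avi;
      video/x-ms-wmv wmv;
      video/x-ms-asf asx asf;
      video/x-mng mng;
    }
  repo.test.meissa.de.conf: |
    server {
      listen 80 default_server;
      listen [::]:80 default_server;
      listen 443 ssl;
      listen [::]:443 ssl;
      ssl_certificate /etc/certs/tls.crt;
      ssl_certificate_key /etc/certs/tls.key;
      # be explicit rather than relying on the image's compiled-in default
      ssl_protocols TLSv1.2 TLSv1.3;
      # NOTE(review): the Certificate below only requests repo.test.meissa.de;
      # www.repo.test.meissa.de will be served with a non-matching cert.
      server_name repo.test.meissa.de www.repo.test.meissa.de;

      # security headers
      # NOTE(review): add_header is not inherited into any location{} block
      # that sets its own headers; keep that in mind if locations are added.
      # `preload` + `includeSubDomains` commits every subdomain of this host
      # to HTTPS for a year once submitted to the preload list.
      add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
      # NOTE(review): `script-src *` allows scripts from any origin, so this
      # CSP does not actually mitigate injected <script src=...>; tighten to
      # 'self' (plus the specific CDNs the site needs) when known.
      add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Frame-Options "SAMEORIGIN";
      add_header X-Content-Type-Options nosniff;
      add_header Referrer-Policy "strict-origin";
      # maybe need to add:
      # add_header Permissions-Policy "permissions here";

      # NOTE(review): the PVC is mounted at /var/www/html/repo.test.meissa.de
      # but the active root still points at the image's default html dir, so
      # the mounted site content is never served. Confirm which is intended.
      # root /var/www/html/repo.test.meissa.de;
      root /usr/share/nginx/html/;
      index index.html;
      try_files $uri /index.html;
    }
---
kind: Service
apiVersion: v1
metadata:
  name: nginx-service
  namespace: default
  labels:
    app: nginx
spec:
  # NOTE(review): this exposes the pod on 80/443 directly *in addition to* the
  # Ingress below, which bypasses the Traefik https-redirect middleware. If
  # the Ingress is the intended entry point, ClusterIP is sufficient here.
  type: LoadBalancer
  ipFamilyPolicy: PreferDualStack
  selector:
    app: nginx
  ports:
    - port: 80
      targetPort: 80
      name: http
    - port: 443
      targetPort: 443
      name: https
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: website-content-pvc
  namespace: default
  labels:
    app: nginx
spec:
  storageClassName: local-path
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-website
  namespace: default
  annotations:
    ingress.kubernetes.io/ssl-redirect: "true"
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
spec:
  tls:
    - hosts:
        - repo.test.meissa.de
      secretName: website-cert
  rules:
    - host: repo.test.meissa.de
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                # Traefik terminates TLS and forwards plaintext to nginx:80.
                # Must match the Service name above (was `website-service`,
                # which is not defined anywhere in this file).
                name: nginx-service
                port:
                  number: 80
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: website-cert
  namespace: default
spec:
  secretName: website-cert
  commonName: repo.test.meissa.de
  duration: 2160h  # 90d
  renewBefore: 360h  # 15d
  # NOTE(review): nginx also serves www.repo.test.meissa.de; add it here
  # (and make sure its DNS resolves first) or drop it from server_name.
  dnsNames:
    - repo.test.meissa.de
  issuerRef:
    # NOTE(review): a `staging` ClusterIssuer typically hands out certificates
    # from an untrusted test CA; browsers will reject them. Switch to the
    # production issuer before exposing this host.
    name: staging
    kind: ClusterIssuer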