NGINX Plus Ingress Controller Installation Guide on Bare Metal
- Environment
  - vCenter / 3 master nodes + 5 worker nodes
  - Containerd
  - Kubernetes version: 1.25
  - NGINX trial license (JWT)
- Installation flow
  - NGINX Plus Ingress Deploy
  - Configure the Ingress resource
  - Connection test
- Requirements
  - JWT token for private registry access
NGINX Plus Ingress Deploy
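- Create the Secret used to install NGINX Plus Ingress Controller (JWT token)
# Set NGINX_TRIAL_LICENSE_JWT_TOKEN to the contents of the trial-license JWT first.
# The nginx-ingress namespace must already exist (common/ns-and-sa.yaml, applied below, creates it).
kubectl create secret docker-registry regcred --docker-server=private-registry.nginx.com --docker-username="$NGINX_TRIAL_LICENSE_JWT_TOKEN" --docker-password=none -n nginx-ingress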
- Git Download
wget https://github.com/nginxinc/kubernetes-ingress/archive/refs/heads/main.zip
git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.0.2
- Kubernetes Resource Deploy
# Only for the main.zip download: it unpacks to kubernetes-ingress-main/,
# while the v3.0.2 clone is already in kubernetes-ingress/
unzip main.zip
cd kubernetes-ingress/deployments

# Basic
kubectl apply -f common/ns-and-sa.yaml
kubectl apply -f rbac/rbac.yaml
kubectl apply -f rbac/ap-rbac.yaml # NAP Deploy
#kubectl apply -f rbac/apdos-rbac.yaml # NAP-DOS Deploy

# CRD
kubectl apply -f common/default-server-secret.yaml
kubectl apply -f common/nginx-config.yaml
kubectl apply -f common/ingress-class.yaml
kubectl apply -f common/crds/k8s.nginx.org_virtualservers.yaml
kubectl apply -f common/crds/k8s.nginx.org_virtualserverroutes.yaml
kubectl apply -f common/crds/k8s.nginx.org_transportservers.yaml
kubectl apply -f common/crds/k8s.nginx.org_policies.yaml

## TCP/UDP LB
# kubectl apply -f common/crds/k8s.nginx.org_globalconfigurations.yaml

## CRD With NGINX App Protect
kubectl apply -f common/crds/appprotect.f5.com_aplogconfs.yaml
kubectl apply -f common/crds/appprotect.f5.com_appolicies.yaml
kubectl apply -f common/crds/appprotect.f5.com_apusersigs.yaml
- NGINX Plus Ingress Controller Config Check
  - cat deployment/nginx-plus-ingress.yaml
    - Add the Secret (imagePullSecrets)
    - Edit any other settings, then deploy
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress
  namespace: nginx-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-ingress
  template:
    metadata:
      labels:
        app: nginx-ingress
      #annotations:
        #prometheus.io/scrape: "true"
        #prometheus.io/port: "9113"
        #prometheus.io/scheme: http
    spec:
      serviceAccountName: nginx-ingress
      automountServiceAccountToken: true
      imagePullSecrets:
      - name: regcred
      containers:
      - image: nginx-plus-ingress:3.0.2 ## set to your repository path
        imagePullPolicy: IfNotPresent
        name: nginx-plus-ingress
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        - name: readiness-port
          containerPort: 8081
        - name: prometheus
          containerPort: 9113
        - name: service-insight
          containerPort: 9114
        readinessProbe:
          httpGet:
            path: /nginx-ready
            port: readiness-port
          periodSeconds: 1
        resources:
          requests:
            cpu: "100m"
            memory: "128Mi"
         #limits:
         #  cpu: "1"
         #  memory: "1Gi"
        securityContext:
          allowPrivilegeEscalation: true
          runAsUser: 101 #nginx
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        args:
          - -nginx-plus
          - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
         #- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
         #- -include-year
         #- -enable-cert-manager
         #- -enable-external-dns
         #- -enable-app-protect ## uncomment to enable NGINX App Protect
         #- -enable-app-protect-dos ## uncomment to enable NGINX App Protect DoS
         #- -v=3 # Enables extensive logging. Useful for troubleshooting.
         #- -report-ingress-status
         #- -external-service=nginx-ingress
         #- -enable-prometheus-metrics
         #- -enable-service-insight
         #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration
- NGINX Plus Ingress Controller Deploy
kubectl apply -f deployment/nginx-plus-ingress.yaml

# Checked
[root@nginx-k8s-m1 deployments]# k get pod -n nginx-ingress
NAME                             READY   STATUS    RESTARTS   AGE
nginx-ingress-5598448467-5zsw6   1/1     Running   0          36m
[root@nginx-k8s-m1 deployments]#
- Create the Service for NGINX Plus Ingress Controller
kubectl apply -f service/nodeport.yaml
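
Added example (not from the original guide or the NGINX project): a pre-flight check for the regcred step above. It decodes the trial-license JWT to check its expiry before the Secret is created, and shows that the token is only base64-encoded inside `.dockerconfigjson`, so read access to Secrets in `nginx-ingress` should be restricted. Assumptions: the license JWT carries a standard `exp` claim; the sample token is constructed and unsigned; all function names are hypothetical.

```python
import base64
import json
import time

REGISTRY = "private-registry.nginx.com"  # registry host used in the guide

def _b64url(seg):
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def jwt_claims(token):
    """Decode (not verify) the payload of a compact JWT."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url(parts[1]))

def seconds_until_expiry(token, now=None):
    """Remaining lifetime; assumes the license JWT has a standard 'exp' claim."""
    claims = jwt_claims(token)
    if "exp" not in claims:
        raise ValueError("token has no exp claim")
    return claims["exp"] - (time.time() if now is None else now)

def secret_data(token, password="none"):
    """base64 value with the same structure a docker-registry Secret keeps
    under .dockerconfigjson for these credentials."""
    auth = base64.b64encode(f"{token}:{password}".encode()).decode()
    cfg = {"auths": {REGISTRY: {"username": token, "password": password, "auth": auth}}}
    return base64.b64encode(json.dumps(cfg).encode()).decode()

def token_from_secret_data(data_b64):
    """The JWT is readable by any principal allowed to get the Secret."""
    cfg = json.loads(base64.b64decode(data_b64))
    return cfg["auths"][REGISTRY]["username"]

def sample_token(exp):
    """Constructed, unsigned sample token for offline runs (not a real license)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"sub": "constructed-trial", "exp": exp}), "sig"])

if __name__ == "__main__":
    tok = sample_token(exp=2_000_000_000)
    print("days left:", seconds_until_expiry(tok) / 86400)
    print("token readable from secret:", token_from_secret_data(secret_data(tok)) == tok)
```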