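# =============================================================================
# Nginx deployment configuration
# Namespace: cpte-wms
#
# Three documents: the ConfigMap holding nginx.conf, the Deployment that mounts
# it, and the NodePort Service that exposes the pod.
# =============================================================================
---
# 1. ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-conf
  namespace: cpte-wms
  annotations:
    kubesphere.io/creator: admin
    kubesphere.io/description: Nginx 配置文件
data:
  nginx.conf: |
    worker_processes 1;

    events {
        worker_connections 1024;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;
        charset utf-8;

        # Do not advertise the nginx version in the Server header or on
        # error pages.
        server_tokens off;

        # Gzip compression (http-level defaults; the server block below
        # overrides gzip_buffers, gzip_comp_level and gzip_types).
        gzip on;
        gzip_static on;
        gzip_buffers 4 16k;
        gzip_comp_level 5;
        gzip_types text/plain application/javascript text/css application/xml
                   text/javascript application/x-httpd-php
                   image/jpeg image/gif image/png;

        server {
            listen 80;
            listen [::]:80;
            server_name 101.35.253.46;

            # Gzip compression for this server.
            gzip_min_length 1k;
            gzip_buffers 4 16k;
            gzip_comp_level 3;
            gzip_types text/plain application/javascript application/x-javascript
                       text/css application/xml text/javascript
                       application/x-httpd-php image/jpeg image/gif image/png;
            gzip_vary on;
            gzip_disable "MSIE [1-6]\.";

            # Reject OPTIONS requests. This also rejects CORS preflight
            # requests, so cross-origin callers that need preflight will fail.
            if ($request_method ~* OPTIONS) {
                return 403;
            }

            # Front-end (single-page application).
            # NOTE(review): none of the security headers set in the API
            # locations below are sent for these HTML responses, which are
            # the ones a browser actually renders and frames. Consider
            # setting the framing and nosniff headers here as well.
            location / {
                root /html/dist;
                # The last try_files argument is the fallback URI; the
                # original had a stray "last" after /index.html, which
                # try_files treats as a URI, not as a flag.
                try_files $uri $uri/ /index.html;
                index index.html;
                expires -1;
            }

            # Back-end: system service.
            location /cpte-wms/ {
                proxy_pass http://cpte-wms-system:8000/cpte-wms/;
                proxy_redirect off;

                # Proxy request headers.
                # NOTE(review): $proxy_add_x_forwarded_for appends to whatever
                # X-Forwarded-For the client sent, and $http_host is the
                # client-supplied Host header. The back-end should not treat
                # either value as trusted input.
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $http_host;

                # Disable caching.
                expires -1;

                # Security headers.
                # NOTE(review): add_header without "always" is not applied to
                # most error responses (4xx/5xx).
                # NOTE(review): this Set-Cookie line emits an additional
                # header with no name=value pair; it does not add HttpOnly or
                # Secure to cookies set by the back-end. proxy_cookie_flags
                # (nginx 1.19.3+) is the directive that does. Browsers only
                # accept Secure cookies over HTTPS, and this server listens on
                # plain HTTP, so confirm where TLS is terminated before
                # changing it.
                add_header Set-Cookie "Path=/; HttpOnly; Secure";
                add_header X-Content-Type-Options "nosniff";
                # Legacy header; current browsers no longer implement the XSS
                # auditor it controls.
                add_header X-XSS-Protection "1; mode=block";
                # NOTE(review): ALLOW-FROM is obsolete and ignored by current
                # browsers; the frame-ancestors policy on the next line is the
                # effective framing control.
                add_header X-Frame-Options "ALLOW-FROM 101.35.253.46";
                add_header Content-Security-Policy "frame-ancestors 101.35.253.46";
            }

            # Back-end: basic service.
            # Same proxy and header set as /cpte-wms/; the review notes there
            # apply here unchanged.
            location /cpte-wms-basic/ {
                proxy_pass http://cpte-wms-basic:8001/cpte-wms-basic/;
                proxy_redirect off;

                # Proxy request headers.
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $http_host;

                # Disable caching.
                expires -1;

                # Security headers.
                add_header Set-Cookie "Path=/; HttpOnly; Secure";
                add_header X-Content-Type-Options "nosniff";
                add_header X-XSS-Protection "1; mode=block";
                add_header X-Frame-Options "ALLOW-FROM 101.35.253.46";
                add_header Content-Security-Policy "frame-ancestors 101.35.253.46";
            }

            # Back-end: inbound service.
            # Same proxy and header set as /cpte-wms/; the review notes there
            # apply here unchanged.
            location /cpte-wms-inbound/ {
                proxy_pass http://cpte-wms-inbound:8002/cpte-wms-inbound/;
                proxy_redirect off;

                # Proxy request headers.
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $http_host;

                # Disable caching.
                expires -1;

                # Security headers.
                add_header Set-Cookie "Path=/; HttpOnly; Secure";
                add_header X-Content-Type-Options "nosniff";
                add_header X-XSS-Protection "1; mode=block";
                add_header X-Frame-Options "ALLOW-FROM 101.35.253.46";
                add_header Content-Security-Policy "frame-ancestors 101.35.253.46";
            }

            # Health-check endpoints used by the Deployment's probes.
            # default_type sets the Content-Type of the body generated by
            # "return"; add_header Content-Type would send a second
            # Content-Type header next to the inherited default.
            location /health {
                default_type text/plain;
                return 200 'OK';
            }

            location /ready {
                default_type text/plain;
                return 200 'Ready';
            }
        }
    }
---
# 2. Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: cpte-wms
  labels:
    app: nginx
  annotations:
    kubesphere.io/description: "WEB服务"
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
        version: v1
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "80"
    spec:
      containers:
        - name: nginx
          # NOTE(review): nginx.conf serves /html/dist and no volume provides
          # that path, so this is presumably a project-built image carrying
          # the front-end. It is named in the docker.io/library namespace with
          # a mutable tag; with IfNotPresent, a node that lacks the image
          # locally will try to pull that name from Docker Hub. Prefer the
          # project's own registry path and a digest pin.
          image: docker.io/library/nginx:1.0
          imagePullPolicy: IfNotPresent
          # NOTE(review): no securityContext is set on the pod or container,
          # so the container runs with the image's default user and default
          # capabilities. Consider allowPrivilegeEscalation: false and a
          # reduced capability set after testing against this image.
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
          resources:
            requests:
              cpu: "50m"
              memory: "64Mi"
            limits:
              cpu: "500m"
              memory: "256Mi"
          livenessProbe:
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /ready
              port: 80
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
          startupProbe:
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 0
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 30
          volumeMounts:
            # subPath mounts do not pick up later ConfigMap edits; the pod
            # must be restarted to load a changed nginx.conf.
            - name: nginx-conf
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
              readOnly: true
            - name: nginx-cache
              mountPath: /var/cache/nginx
            # NOTE(review): access and error logs written here live on an
            # emptyDir and are deleted with the pod. If the image normally
            # links these files to stdout/stderr, this mount hides those
            # links; confirm logs still reach the cluster's log pipeline.
            - name: nginx-log
              mountPath: /var/log/nginx
      volumes:
        - name: nginx-conf
          configMap:
            name: nginx-conf
            items:
              - key: nginx.conf
                path: nginx.conf
        - name: nginx-cache
          emptyDir: {}
        - name: nginx-log
          emptyDir: {}
      restartPolicy: Always
---
# 3. Service
# NOTE(review): NodePort publishes plain HTTP on port 30575 of every node.
# With externalTrafficPolicy: Cluster, traffic can be source-NATed between
# nodes, so the $remote_addr that nginx logs and forwards as X-Real-IP may be
# a node address rather than the client address.
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  namespace: cpte-wms
  labels:
    app: nginx
spec:
  ports:
    - name: nginx
      protocol: TCP
      port: 80
      targetPort: 80
      nodePort: 30575
  selector:
    app: nginx
  type: NodePort
  sessionAffinity: None
  externalTrafficPolicy: Cluster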