
values.yaml 完整配置示例

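controller:  # Dependency images below are swapped to Docker Hub mirrors so pulls succeed from mainland China.
  image:
    registry: docker.io
    image: k8smirror/ingress-nginx-controller
  admissionWebhooks:
    patch:
      image:
        registry: docker.io
        image: k8smirror/ingress-nginx-kube-webhook-certgen
  # NOTE(review): in the upstream ingress-nginx chart `defaultBackend` is a top-level key rather
  # than nested under `controller`; confirm the chart version in use honours this placement.
  defaultBackend:
    image:
      registry: docker.io
      image: k8smirror/defaultbackend-amd64
  opentelemetry:
    image:
      registry: docker.io
      image: k8smirror/ingress-nginx-opentelemetry
  replicaCount: 2
  resources:
    requests:
      cpu: 4
      memory: 4Gi
    limits:
      cpu: 4
      memory: 4Gi
  # Installing several Nginx Ingress Controllers: https://cloud.tencent.com/document/product/457/104863
  ingressClass: ingress-nginx
  ingressClassResource:
    name: ingress-nginx
    controllerValue: k8s.io/ingress-nginx
  # ingress-nginx creates both a public and a private CLB
  service:
    annotations:
      # Reuse an existing CLB by instance ID: https://cloud.tencent.com/document/product/457/104858
      # Serving public and private traffic from one CLB: bind the private CLB first, then attach
      # an EIP to it in the console. The value below is a placeholder, not a real instance ID.
      service.kubernetes.io/tke-existed-lbid: 'lb-xxxxxxxx'
      # Enable CLB direct access (pass-through): https://cloud.tencent.com/document/product/457/104866
      service.cloud.tencent.com/direct-access: "true"
  # Tuning for high-concurrency scenarios: https://cloud.tencent.com/document/product/457/104859
  extraInitContainers:
    - name: sysctl
      # NOTE(review): untagged image with IfNotPresent means each node runs whatever it has
      # cached; pin a tag or digest so every node runs the same binary.
      image: busybox
      imagePullPolicy: IfNotPresent
      securityContext:
        # Privileged is required to write sysctls from a container. The net.* keys below are
        # network-namespaced and could instead be set through the pod's `securityContext.sysctls`
        # (subject to the kubelet's allowed-unsafe-sysctls list). fs.file-max is not namespaced,
        # so this init container changes a node-wide kernel limit, not just this pod.
        privileged: true
      command:
        - sh
        - -c
        - |
          sysctl -w net.core.somaxconn=65535 # 调大链接队列,防止队列溢出
          sysctl -w net.ipv4.ip_local_port_range="1024 65535" # 扩大源端口范围,防止端口耗尽
          sysctl -w net.ipv4.tcp_tw_reuse=1 # TIME_WAIT 复用,避免端口耗尽后无法新建连接
          sysctl -w fs.file-max=1048576 # 调大文件句柄数,防止连接过多导致文件句柄耗尽
      resources:
        requests:
          cpu: 0.1
          memory: 100Mi
        limits:
          cpu: 0.1
          memory: 100Mi
  config:
    # Requests one client keep-alive connection may serve; default 100. Raise it for high
    # concurrency, but too high a value can leave load unbalanced after the controller scales out.
    # Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#keep-alive-requests
    keep-alive-requests: "1000"
    # Maximum idle keep-alive connections to upstreams (not a connection cap); default 320.
    # Raise it under high concurrency to avoid TIME_WAIT spikes caused by constant reconnects.
    # Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#upstream-keepalive-connections
    upstream-keepalive-connections: "2000"
    # Maximum connections per worker process; default 16384.
    # Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#max-worker-connections
    max-worker-connections: "65536"
    # Write nginx logs to files instead of stdout to save CPU under high concurrency
    access-log-path: /var/log/nginx/nginx_access.log
    error-log-path: /var/log/nginx/nginx_error.log
    proxy-body-size: 100m
    proxy-connect-timeout: "60"
    proxy-read-timeout: "60"
    proxy-send-timeout: "60"
    # Folded block scalar: renders as one line, exactly as the original multi-line plain scalar did.
    log-format-upstream: >-
      $remote_addr - $remote_user [$time_iso8601] $msec "$request"
      $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time
      [$proxy_upstream_name] [$proxy_alternative_upstream_name] [$upstream_addr] [$upstream_response_length]
      [$upstream_response_time] [$upstream_status] $req_id $namespace $ingress_name
      $service_name $service_port $http_x_forwarded_for $host
    # Trust X-Forwarded-For from the hop in front of nginx. With use-forwarded-headers enabled,
    # any client can supply its own X-Forwarded-For unless proxy-real-ip-cidr is narrowed to the
    # load balancer's address range; otherwise $remote_addr in the log format above and any
    # whitelist-source-range rules see the client-chosen value.
    compute-full-forwarded-for: "true"
    forwarded-for-header: "X-Forwarded-For"
    use-forwarded-headers: "true"
    large-client-header-buffers: "4 64k"
    # Snippet annotations let anyone who can create an Ingress inject raw nginx directives into
    # the shared controller configuration; upstream ships this disabled. Keep it "true" only if
    # existing Ingresses depend on it, and restrict who may create Ingress objects accordingly.
    allow-snippet-annotations: "true"
    # DES-CBC3-SHA (3DES) has been removed from the original list. The remaining AES*-SHA* and
    # AES*-GCM-* suites without (EC)DHE offer no forward secrecy; the controller's built-in
    # default cipher list is already a modern one, so consider omitting this key entirely.
    ssl-ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and have been dropped from the original value;
    # re-add a legacy protocol only for a documented client that cannot speak TLS 1.2.
    ssl-protocols: TLSv1.3 TLSv1.2
  extraEnvs:
    - name: TZ
      value: Asia/Shanghai
  extraVolumes:
    - name: log  # log directory mounted into the controller
      emptyDir: {}
  extraVolumeMounts:
    - name: log  # log directory shared between logrotate and the controller
      mountPath: /var/log/nginx
  extraContainers:  # logrotate sidecar that rotates the nginx log files
    - name: logrotate
      # https://github.com/imroc/docker-logrotate
      # NOTE(review): `latest` is a mutable tag; pin a tag or digest for reproducible rollouts.
      image: imroc/logrotate:latest
      imagePullPolicy: IfNotPresent
      env:
        - name: LOGROTATE_FILE_PATTERN  # glob of files to rotate; must match the nginx log paths in `config`
          value: "/var/log/nginx/nginx_*.log"
        - name: LOGROTATE_FILESIZE  # rotate once a file grows beyond this size
          value: "100M"
        - name: LOGROTATE_FILENUM  # number of rotated files to keep per log
          value: "3"
        - name: CRON_EXPR  # crontab expression for logrotate runs; here once a minute
          value: "*/1 * * * *"
        - name: CROND_LOGLEVEL  # crond log level, 0-8; lower is more verbose
          value: "8"
      volumeMounts:
        - name: log
          mountPath: /var/log/nginx
      resources:
        requests:
          cpu: 0.1
          memory: 100Mi
        limits:
          cpu: 0.1
          memory: 100Mi
  # nodeSelector:
  #   tke.cloud.tencent.com/nodepool-id: np-xxxxxxxx  # schedule onto a monthly-billed super-node pool
  # tolerations:
  #   - key: "eks.tke.cloud.tencent.com/eklet"
  #     operator: "Exists"
  #     effect: "NoSchedule"
  #   - key: "node"
  #     operator: "Equal"
  #     value: "devops"
  #     effect: "NoSchedule"
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 10
    targetCPUUtilizationPercentage: 50
    targetMemoryUtilizationPercentage: 50
    # Scale up fast to absorb traffic spikes; scale down slowly to keep a buffer against abnormal traffic.
    behavior:
      scaleUp:
        # NOTE(review): a 300s scale-up stabilization window delays scale-out (the HPA default
        # is 0); confirm this is intended given the "fast scale-up" goal stated above.
        stabilizationWindowSeconds: 300
        policies:
          - type: Percent
            value: 900
            periodSeconds: 15  # every 15s, allow adding up to 900% of the current replica count
      scaleDown:
        stabilizationWindowSeconds: 300
        policies:
          - type: Pods
            value: 1
            periodSeconds: 600  # every 10 minutes, allow removing at most 1 Pod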