Merge branch 'main' of git.xiongxiao.me:abearxiong/k8s-docs

k8s/xiongxiao.me/README.md

@@ -28,4 +28,20 @@ kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/con
 kubectl config use-context dev-context  
 # ls context
 kubectl config use-context kevisual-context
-```
+```
+## dns fix
+
+
+```bash
+
+resolvectl status
+echo "nameserver 1.1.1.1" > /etc/resolv.conf
+
+kubectl rollout restart deployment/coredns -n kube-system
+```
+
+## log traefik pod
+
+```bash
+kubectl logs -n traefik deploy/traefik -f
+```

k8s/xiongxiao.me/apps/blog/app.yaml

@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: blog
+  labels:
+    app: blog
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: blog
+  template:
+    metadata:
+      labels:
+        app: blog
+    spec:
+      containers:
+      - name: blog
+        image: docker.cnb.cool/abearxiong/blog:latest
+        ports:
+        - containerPort: 80
+        resources:
+          requests:
+            memory: "64Mi"
+            cpu: "50m"
+          limits:
+            memory: "256Mi"
+            cpu: "200m"
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 80
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 80
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          timeoutSeconds: 3
+          failureThreshold: 3
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: blog
+  labels:
+    app: blog
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: 80
+    protocol: TCP
+    name: http
+  selector:
+    app: blog
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blog-https
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`blog.xiongxiao.me`)
+      kind: Rule
+      services:
+        - name: blog
+          port: 80
+  tls:
+    certResolver: letsencrypt

k8s/xiongxiao.me/apps/blog/compose.yml

@@ -0,0 +1,7 @@
+services:
+  blog:
+    image: docker.cnb.cool/abearxiong/blog:latest
+    container_name: blog
+    restart: unless-stopped
+    ports:
+      - "80:80"

k8s/xiongxiao.me/apps/blog/log.sh

@@ -0,0 +1,4 @@
+# kubectl logs openlist-869ffbc74f-kjmbs
+
+# uplate
+kubectl rollout restart deployment blog

k8s/xiongxiao.me/apps/clash/clash.yaml

@@ -0,0 +1,45 @@
+---
+# clash - clash.xiongxiao.me (支持 WebSocket)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: clash-https
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`clash.xiongxiao.me`)
+      kind: Rule
+      services:
+        - name: clash-external
+          port: 9090
+  tls:
+    certResolver: letsencrypt
+
+---
+# clash 服务 (端口 9090, 本地)
+apiVersion: v1
+kind: Service
+metadata:
+  name: clash-external
+  namespace: default
+spec:
+  type: ClusterIP
+  ports:
+  - port: 9090
+    targetPort: 9090
+    protocol: TCP
+    name: http
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: clash-external
+  namespace: default
+subsets:
+- addresses:
+  - ip: 121.4.112.18
+  ports:
+  - port: 9090
+    name: http

k8s/xiongxiao.me/apps/convex/convex.yaml

@@ -0,0 +1,45 @@
+---
+# Convex - convex.xiongxiao.me
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: convex-https
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`convex.xiongxiao.me`)
+      kind: Rule
+      services:
+        - name: convex-external
+          port: 3210
+  tls:
+    certResolver: letsencrypt
+
+---
+# Convex 服务 (端口 3210, 本地)
+apiVersion: v1
+kind: Service
+metadata:
+  name: convex-external
+  namespace: default
+spec:
+  type: ClusterIP
+  ports:
+  - port: 3210
+    targetPort: 3210
+    protocol: TCP
+    name: http
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: convex-external
+  namespace: default
+subsets:
+- addresses:
+  - ip: 121.4.112.18
+  ports:
+  - port: 3210
+    name: http

k8s/xiongxiao.me/apps/convex/dash.yaml

@@ -0,0 +1,45 @@
+---
+# Dash Convex - dash-convex.xiongxiao.me
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: dash-convex-https
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`dash-convex.xiongxiao.me`)
+      kind: Rule
+      services:
+        - name: dash-convex-external
+          port: 6791
+  tls:
+    certResolver: letsencrypt
+
+---
+# Dash Convex 服务 (端口 6791, 本地)
+apiVersion: v1
+kind: Service
+metadata:
+  name: dash-convex-external
+  namespace: default
+spec:
+  type: ClusterIP
+  ports:
+  - port: 6791
+    targetPort: 6791
+    protocol: TCP
+    name: http
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: dash-convex-external
+  namespace: default
+subsets:
+- addresses:
+  - ip: 121.4.112.18
+  ports:
+  - port: 6791
+    name: http

k8s/xiongxiao.me/apps/convex/readme.md

@@ -0,0 +1,3 @@
+dashboard: http://127.0.0.1:6791
+backend: http://127.0.0.1:3210
+<!-- site: http://127.0.0.1:3211 -->

k8s/xiongxiao.me/apps/my-secrets.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-secrets
+  namespace: default
+type: Opaque
+data:
+  # Base64 编码的值 
+  # Ov23littcejmbA5iKrhK -> T3YyM2xpdHRjZWptYUE1aUtyaEs=
+  # af67c4cdbc37367a69258d798e06641e51445315 -> YWY2N2M0Y2RiYzM3MzY3YTY5MjU4ZDc5OGUwNjY0MWU1MTQ0NTMxNQ==
+  # abc123 ->YWJjMTIz
+  g-client-id: T3YyM2xpdHRjZWptYkE1aUtyaEs=
+  g-client-secret: YWY2N2M0Y2RiYzM3MzY3YTY5MjU4ZDc5OGUwNjY0MWU1MTQ0NTMxNQ==
+  jwt-secret: YWJjMTIz

k8s/xiongxiao.me/apps/newsnow.yaml

@@ -0,0 +1,110 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: newsnow
+  labels:
+    app: newsnow
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: newsnow
+  template:
+    metadata:
+      labels:
+        app: newsnow
+    spec:
+      containers:
+      - name: newsnow
+        image: ghcr.io/ourongxing/newsnow:latest
+        ports:
+        - containerPort: 4444
+        env:
+        - name: HOST
+          value: "0.0.0.0"
+        - name: PORT
+          value: "4444"
+        - name: NODE_ENV
+          value: "production"
+        - name: G_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: my-secrets
+              key: g-client-id
+        - name: G_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: my-secrets
+              key: g-client-secret
+        - name: JWT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: my-secrets
+              key: jwt-secret
+        - name: INIT_TABLE
+          value: "true"
+        - name: ENABLE_CACHE
+          value: "true"
+        resources:
+          requests:
+            memory: "128Mi"
+            cpu: "100m"
+          limits:
+            memory: "512Mi"
+            cpu: "500m"
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 4444
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 4444
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          timeoutSeconds: 3
+          failureThreshold: 3
+        volumeMounts:
+        - name: data-volume
+          mountPath: /usr/app/.data
+      volumes:
+      - name: data-volume
+        hostPath:
+          path: /opt/docker/newsnow/data
+          type: DirectoryOrCreate
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: newsnow
+  labels:
+    app: newsnow
+spec:
+  type: ClusterIP
+  ports:
+  - port: 4444
+    targetPort: 4444
+    protocol: TCP
+    name: http
+  selector:
+    app: newsnow
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: newsnow-https
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`newsnow.xiongxiao.me`)
+      kind: Rule
+      services:
+        - name: newsnow
+          port: 4444
+  tls:
+    certResolver: letsencrypt

k8s/xiongxiao.me/apps/rsshub/app.yaml

@@ -0,0 +1,45 @@
+---
+# RSSHub - rsshub.xiongxiao.me (端口 1200)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: rsshub-https
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`rsshub.xiongxiao.me`)
+      kind: Rule
+      services:
+        - name: rsshub-external
+          port: 1200
+  tls:
+    certResolver: letsencrypt
+
+---
+# RSSHub 服务 (端口 1200, 本地)
+apiVersion: v1
+kind: Service
+metadata:
+  name: rsshub-external
+  namespace: default
+spec:
+  type: ClusterIP
+  ports:
+  - port: 1200
+    targetPort: 1200
+    protocol: TCP
+    name: http
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: rsshub-external
+  namespace: default
+subsets:
+- addresses:
+  - ip: 121.4.112.18
+  ports:
+  - port: 1200
+    name: http

k8s/xiongxiao.me/apps/umami/app.yaml

@@ -0,0 +1,45 @@
+---
+# Umami - umami.xiongxiao.me
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: umami-https
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`umami.xiongxiao.me`)
+      kind: Rule
+      services:
+        - name: umami-external
+          port: 3001
+  tls:
+    certResolver: letsencrypt
+
+---
+# Umami 服务 (端口 3001, 本地)
+apiVersion: v1
+kind: Service
+metadata:
+  name: umami-external
+  namespace: default
+spec:
+  type: ClusterIP
+  ports:
+  - port: 3001
+    targetPort: 3001
+    protocol: TCP
+    name: http
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: umami-external
+  namespace: default
+subsets:
+- addresses:
+  - ip: 121.4.112.18
+  ports:
+  - port: 3001
+    name: http

k8s/xiongxiao.me/apps/uptime-kuma/app.yml

@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: uptime-kuma
+  labels:
+    app: uptime-kuma
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: uptime-kuma
+  template:
+    metadata:
+      labels:
+        app: uptime-kuma
+    spec:
+      nodeSelector:
+        machine: "on"
+      containers:
+      - name: uptime-kuma
+        image: louislam/uptime-kuma:2
+        ports:
+        - containerPort: 3001
+        resources:
+          requests:
+            memory: "128Mi"
+            cpu: "100m"
+          limits:
+            memory: "512Mi"
+            cpu: "500m"
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 3001
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 3001
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          timeoutSeconds: 3
+          failureThreshold: 3
+        volumeMounts:
+        - name: data-volume
+          mountPath: /app/data
+      volumes:
+      - name: data-volume
+        hostPath:
+          path: /opt/docker/uptime-kuma
+          type: DirectoryOrCreate
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: uptime-kuma
+  labels:
+    app: uptime-kuma
+spec:
+  type: ClusterIP
+  ports:
+  - port: 3001
+    targetPort: 3001
+    protocol: TCP
+    name: http
+  selector:
+    app: uptime-kuma
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: uptime-kuma-https
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`uptime.xiongxiao.me`)
+      kind: Rule
+      services:
+        - name: uptime-kuma
+          port: 3001
+  tls:
+    certResolver: letsencrypt

k8s/xiongxiao.me/apps/uptime-kuma/compose.yml

@@ -0,0 +1,9 @@
+services:
+  uptime-kuma:
+    image: louislam/uptime-kuma:2
+    restart: unless-stopped
+    volumes:
+      - ./data:/app/data
+    ports:
+      # <Host Port>:<Container Port>
+      - "3001:3001"

k8s/xiongxiao.me/apps/waline/app.yaml

@@ -0,0 +1,45 @@
+---
+# Waline - waline.xiongxiao.me
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: waline-https
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`waline.xiongxiao.me`)
+      kind: Rule
+      services:
+        - name: waline-external
+          port: 8360
+  tls:
+    certResolver: letsencrypt
+
+---
+# Waline 服务 (端口 8360, 本地)
+apiVersion: v1
+kind: Service
+metadata:
+  name: waline-external
+  namespace: default
+spec:
+  type: ClusterIP
+  ports:
+  - port: 8360
+    targetPort: 8360
+    protocol: TCP
+    name: http
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: waline-external
+  namespace: default
+subsets:
+- addresses:
+  - ip: 121.4.112.18
+  ports:
+  - port: 8360
+    name: http

k8s/xiongxiao.me/config/env.md

@@ -0,0 +1,3 @@
+```sh
+cat /etc/systemd/system/k3s.service.env
+```

k8s/xiongxiao.me/config/master-token.md

@@ -13,15 +13,43 @@ Created symlink /etc/systemd/system/multi-user.target.wants/k3s-agent.service
 
 ## 设置label
 
-kubectl label nodes vm-32-6-ubuntu machine=library --overwrite
+
+kubectl label nodes library machine=library --overwrite
 
 删除label
 kubectl label nodes vm-32-6-ubuntu machine- --overwrite
 
 
 ### on
-kubectl label nodes vm-16-2-ubuntu machine=on --overwrite
-
+kubectl label nodes on machine=on --overwrite
 ### light
 
-kubectl label nodes vm-12-6-ubuntu machine=light --overwrite
+kubectl label nodes light machine=light --overwrite
+
+
+## 关于非内网需要设置实际ip地址
+
+```sh
+# aliyun, ip: 121.199.37.154
+curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn  K3S_NODE_IP=121.199.37.154 K3S_NODE_EXTERNAL_IP=121.199.37.154 K3S_URL=https://light.xiongxiao.me:6443 K3S_TOKEN=K1035ea36d4925cfd0a7f7938fb3eff1225e458c1aee4fb99bda40bb95f529913bf::server:03e3ef7d17dadc2471b0f2369248250d sh -
+-- --pause-image=docker.1ms.run/rancher/mirrored-pause:3.9
+
+
+kubectl label nodes aliyun machine=aliyun --overwrite
+
+```
+
+手动创建配置文件
+```sh
+# 停止 k3s-agent 服务
+sudo systemctl stop k3s-agent
+
+# 编辑配置文件
+sudo vim /etc/systemd/system/k3s-agent.service.env
+
+# 重新加载 systemd 配置
+sudo systemctl daemon-reload
+
+# 启动服务
+sudo systemctl start k3s-agent
+```

k8s/xiongxiao.me/docs/00-master.md

@@ -10,7 +10,9 @@ sudo cat /var/lib/rancher/k3s/server/node-token
 
 ## 2. 安装 node
 ```sh
-curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken sh -
+curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh |
+ INSTALL_K3S_MIRROR=cn K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken sh - - \
+ --system-default-registry=registry.cn-hangzhou.aliyuncs.com
 ```
 
 ## 3. 删除 

k8s/xiongxiao.me/kevisual-ingress/apps.yaml

@@ -0,0 +1,19 @@
+# services全使用kevisual-external服务
+
+# Kevisual - tale-theme.xiongxiao.me (支持 WebSocket)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: tale-theme-https
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`tale-theme.xiongxiao.me`)
+      kind: Rule
+      services:
+        - name: kevisual-external
+          port: 3005
+  tls:
+    certResolver: letsencrypt

k8s/xiongxiao.me/test/hello/hello.yaml

@@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hello-world
+  labels:
+    app: hello-world
+spec:
+  selector:
+    matchLabels:
+      app: hello-world
+  template:
+    metadata:
+      labels:
+        app: hello-world
+    spec:
+      nodeSelector:
+        machine: aliyun
+      containers:
+      - name: hello
+        image: docker.cnb.cool/kevisual/hello
+        ports:
+        - containerPort: 80
+          protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: hello-world
+  labels:
+    app: hello-world
+spec:
+  selector:
+    app: hello-world
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+      nodePort: 30081
+  type: NodePort
+
+# http://121.199.37.154:30081/
+
+#  1.查看 Deployment 状态：
+# kubectl get deployment hello-world
+# kubectl logs deployment/hello-world
+# 2. 查看 Pod 状态：
+# kubectl get pods -l app=hello-world
+
+# 3.查看 Pod 详细信息（包括事件）：
+# kubectl describe pod -l app=hello-world
+
+# 4. delete all
+# kubectl delete -f hello.yaml
+
+# 5. delete pod
+# kubectl delete pod -l app=hello-world
+
+# 6. rollupdate
+# kubectl set image deployment/hello-world hello=docker.cnb.cool/kevisual/hello:latest
+
+# 7. 进入 Pod
+# kubectl exec -it deployment/hello-world -- /bin/sh

k8s/xiongxiao.me/traefik/traefik-complete.yaml

@@ -145,7 +145,7 @@ spec:
         effect: NoSchedule
       containers:
       - name: traefik
-        image: traefik:latest
+        image: docker.1ms.run/library/traefik:v3.6.7
         args:
           - --api.insecure=true
           - --providers.kubernetescrd

k8s/xiongxiao.me/update/rancher/update.md

@@ -0,0 +1,67 @@
+# Rancher 更新指南
+
+当前版本 2.13.0 最新版本2.13.1
+
+## 1. 备份当前 Rancher
+
+```bash
+# 备份 Rancher Deployment 配置
+kubectl get deployment rancher -n cattle-system -o yaml > rancher-backup.yaml
+
+# 备份重要数据 (如果是 PVC 存储)
+kubectl get pvc -n cattle-system
+```
+
+## 2. 添加/更新 Rancher Helm 仓库
+
+```bash
+# 添加 Rancher Helm 仓库
+helm repo add rancher-latest https://releases.rancher.com/server-charts/latest
+
+# 更新 Helm 仓库
+helm repo update
+
+# 查看可用的 Rancher 版本
+helm search repo rancher-latest/rancher -l | head -20
+```
+
+## 3. 执行更新
+
+```bash
+# 执行更新 (将 v2.x.x 替换为目标版本)
+helm upgrade rancher rancher-latest/rancher \
+  --namespace cattle-system \
+  --set hostname=rancher.xiongxiao.me \
+  --set replicas=3 \
+  --set bootstrapPassword="your-secure-password"
+
+# 如果有自定义 values.yaml 文件
+# helm upgrade rancher rancher-latest/rancher -f values.yaml --namespace cattle-system
+```
+
+## 4. 验证更新状态
+
+```bash
+# 监控 Pod 状态
+kubectl get pods -n cattle-system -w
+
+# 检查 Deployment 滚动更新状态
+kubectl rollout status deployment/rancher -n cattle-system
+
+# 查看日志确认正常启动
+kubectl logs -f deploy/rancher -n cattle-system
+```
+
+## 5. 验证 Rancher 功能
+
+- 访问 https://rancher.xiongxiao.me
+- 检查集群状态
+- 检查用户、角色、设置是否正常
+
+## 注意事项
+
+- **版本兼容性**: 确保新版本与 Kubernetes 集群版本兼容
+- **升级路径**: Rancher 升级需要按版本逐步升级 (如 2.6 → 2.7 → 2.8)
+- **备份**: 升级前务必备份 Rancher 数据
+- **自定义配置**: 使用自定义 values.yaml 时确保包含所有必要配置
+- **回滚**: 如遇到问题，可使用 `helm rollback rancher <revision> --namespace cattle-system`