From 6220dd6b70ccff47f41d77a46cc7ff23401903d1 Mon Sep 17 00:00:00 2001 From: abearxiong Date: Thu, 27 Nov 2025 12:51:11 +0800 Subject: [PATCH] udpate --- k8s/kevisual.cn/README.md | 4 + k8s/kevisual.cn/base.sh | 1 + .../config/nginx-stream-proxy.conf | 37 +++ k8s/kevisual.cn/docs/01-查看暴露.md | 1 + .../ingress/apps-ingressroute.yaml | 17 ++ .../services/external-services.yaml | 24 ++ k8s/kevisual.cn/traefik.yaml | 216 ++++++++++++++++++ k8s/xiongxiao.me/README.md | 15 ++ .../nginx/nginx-stream-proxy.conf | 17 +- 9 files changed, 320 insertions(+), 12 deletions(-) create mode 100644 k8s/kevisual.cn/base.sh create mode 100644 k8s/kevisual.cn/config/nginx-stream-proxy.conf create mode 100644 k8s/kevisual.cn/docs/01-查看暴露.md create mode 100644 k8s/kevisual.cn/ingress/apps-ingressroute.yaml create mode 100644 k8s/kevisual.cn/services/external-services.yaml create mode 100644 k8s/kevisual.cn/traefik.yaml diff --git a/k8s/kevisual.cn/README.md b/k8s/kevisual.cn/README.md index fac90b5..a389475 100644 --- a/k8s/kevisual.cn/README.md +++ b/k8s/kevisual.cn/README.md @@ -34,4 +34,8 @@ sudo cat /var/lib/rancher/k3s/server/node-token ```sh sudo vim /etc/rancher/k3s/registries.yaml +``` + +```sh +kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml ``` \ No newline at end of file diff --git a/k8s/kevisual.cn/base.sh b/k8s/kevisual.cn/base.sh new file mode 100644 index 0000000..2b49021 --- /dev/null +++ b/k8s/kevisual.cn/base.sh @@ -0,0 +1 @@ +kubectl config use-context kevisual-context \ No newline at end of file diff --git a/k8s/kevisual.cn/config/nginx-stream-proxy.conf b/k8s/kevisual.cn/config/nginx-stream-proxy.conf new file mode 100644 index 0000000..6db24f6 --- /dev/null +++ b/k8s/kevisual.cn/config/nginx-stream-proxy.conf 
@@ -0,0 +1,37 @@
+# HTTP 转发 (80 -> 30080)
+upstream traefik_http {
+ server 127.0.0.1:30080;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ proxy_pass traefik_http;
+
+ # 超时设置
+ proxy_timeout 300s;
+ proxy_connect_timeout 10s;
+}
+
+# HTTPS 转发 (443 -> 30443)
+upstream traefik_https {
+ server 127.0.0.1:30443;
+}
+
+server {
+ listen 443;
+ listen [::]:443;
+
+ # SNI 预读 - 让 Traefik 处理 SSL 证书选择
+ ssl_preread on;
+
+ proxy_pass traefik_https;
+
+ # 优化的超时设置
+ proxy_timeout 1h;
+ proxy_connect_timeout 5s;
+
+ # Stream 模块支持的选项
+ proxy_responses 1;
+ proxy_buffer_size 16k;
+}
\ No newline at end of file
diff --git a/k8s/kevisual.cn/docs/01-查看暴露.md b/k8s/kevisual.cn/docs/01-查看暴露.md
new file mode 100644
index 0000000..ea40cfc
--- /dev/null
+++ b/k8s/kevisual.cn/docs/01-查看暴露.md
@@ -0,0 +1 @@
+kubectl get svc -n default | grep traefik
\ No newline at end of file
diff --git a/k8s/kevisual.cn/ingress/apps-ingressroute.yaml b/k8s/kevisual.cn/ingress/apps-ingressroute.yaml
new file mode 100644
index 0000000..27c12b5
--- /dev/null
+++ b/k8s/kevisual.cn/ingress/apps-ingressroute.yaml
@@ -0,0 +1,17 @@
+# Kevisual - kevisual.cn (支持 WebSocket)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: kevisual-https
+ namespace: default
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`kevisual.cn`)
+ kind: Rule
+ services:
+ - name: kevisual-external
+ port: 3005
+ tls:
+ certResolver: letsencrypt
\ No newline at end of file
diff --git a/k8s/kevisual.cn/services/external-services.yaml b/k8s/kevisual.cn/services/external-services.yaml
new file mode 100644
index 0000000..90c7d5a
--- /dev/null
+++ b/k8s/kevisual.cn/services/external-services.yaml
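Review bot: Both `server` blocks hand connections to Traefik from 127.0.0.1, so Traefik's access logs, rate limits and any IP-based middleware will record the proxy address rather than the real client for every request. Adding `proxy_protocol on;` to each server block and having Traefik trust only the local proxy (`--entrypoints.web.proxyProtocol.trustedIPs=127.0.0.1/32`, likewise for websecure) keeps the client IP end to end; `ssl_preread` is unaffected, since the PROXY header is sent to the upstream rather than parsed from the client. `proxy_responses 1;` only applies to UDP upstreams, so it is a no-op for these TCP listeners and is better removed than left looking like a limit. The same layout is in k8s/xiongxiao.me/nginx/nginx-stream-proxy.conf at the end of this patch.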
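Review bot: The `tls` block terminates HTTPS at Traefik, but `kevisual-external` is a selector-less Service whose Endpoints (services/external-services.yaml in this patch) point at 121.4.112.18:3005 on a port named `http`, so the hop from the node to that address is plaintext over whatever network lies between them. If that host is not the node itself, either terminate TLS there too and reference a `ServersTransport` from the service entry, or confine the path to a private network; either way a comment on the route such as `# backend hop to kevisual-external (121.4.112.18:3005) is plaintext; only the client-facing leg is TLS` records the trust assumption. There is also no route on the `web` entryPoint, so http://kevisual.cn answers with Traefik's 404 instead of redirecting; the entrypoint-level redirect belongs in traefik.yaml.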
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: kevisual-external
+ namespace: default
+spec:
+ type: ClusterIP
+ ports:
+ - port: 3005
+ targetPort: 3005
+ protocol: TCP
+ name: http
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: kevisual-external
+ namespace: default
+subsets:
+- addresses:
+ - ip: 121.4.112.18
+ ports:
+ - port: 3005
+ name: http
\ No newline at end of file
diff --git a/k8s/kevisual.cn/traefik.yaml b/k8s/kevisual.cn/traefik.yaml
new file mode 100644
index 0000000..374181d
--- /dev/null
+++ b/k8s/kevisual.cn/traefik.yaml
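Review bot: The `Endpoints` object is maintained by hand for the selector-less Service; Kubernetes deprecated the core `Endpoints` API in 1.33 in favour of `discovery.k8s.io/v1` `EndpointSlice`, and the ClusterRole in traefik.yaml already grants `endpointslices`, so Traefik presumably reads the slice the control plane mirrors from this object rather than the object itself. Replacing it with an `EndpointSlice` carrying the `kubernetes.io/service-name: kevisual-external` label, `addressType: IPv4` and the same address and port removes the dependency on the mirroring controller. A comment above the address such as `# external backend for kevisual.cn; update here if the host IP changes` would also help, since the IP appears nowhere else in this patch.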
@@ -0,0 +1,216 @@
+---
+# Traefik 完整部署配置
+# kubectl create namespace traefik
+# 包含 RBAC、Deployment、Service、IngressClass 和 Let's Encrypt SSL
+# tags: traefik, ingress, ssl, https, let's encrypt, acme, kubernetes, master-node
+# description: Traefik 反向代理完整配置,部署在 master 节点,包含自动 SSL 证书支持(Let's Encrypt)
+# title: Traefik 完整部署配置 - 含 SSL 证书(Master 节点部署)
+# createdAt: 2025-11-26
+---
+# PersistentVolume 用于存储 ACME 证书数据
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: traefik-acme-pv
+spec:
+ capacity:
+ storage: 1Gi
+ accessModes:
+ - ReadWriteOnce
+ hostPath:
+ path: /data/traefik-acme
+ storageClassName: local-storage
+---
+# PersistentVolumeClaim 用于申请证书存储空间
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: traefik-acme-pvc
+ namespace: traefik
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: local-storage
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: traefik
+ namespace: traefik
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: traefik-ingress-controller
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - secrets
+ - nodes
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - traefik.containo.us
+ - traefik.io
+ resources:
+ - ingressroutes
+ - ingressroutetcps
+ - ingressrouteudps
+ - middlewares
+ - middlewaretcps
+ - tlsoptions
+ - tlsstores
+ - traefikservices
+ - serverstransports
+ - serverstransporttcps
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: traefik-ingress-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: traefik-ingress-controller
+subjects:
+ - kind: ServiceAccount
+ name: traefik
+ namespace: traefik
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: traefik
+ namespace: traefik
+ labels:
+ app: traefik
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: traefik
+ template:
+ metadata:
+ labels:
+ app: traefik
+ spec:
+ serviceAccountName: traefik
+ # hostNetwork: true # 部署在主节点,使用 hostNetwork
+ containers:
+ - name: traefik
+ image: traefik:latest
+ args:
+ - --api.insecure=true
+ - --providers.kubernetescrd
+ - --entrypoints.web.address=:80
+ - --entrypoints.websecure.address=:443
+ # Let's Encrypt 配置
+ - --certificatesresolvers.letsencrypt.acme.email=root@kevisual.cn
+ - --certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json
+ - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
+ - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
+ # 使用 Let's Encrypt 生产环境(如果测试,使用 caserver)
+ # - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+ - --log.level=DEBUG
+ ports:
+ - name: web
+ containerPort: 80
+ - name: websecure
+ containerPort: 443
+ - name: admin
+ containerPort: 8080
+ volumeMounts:
+ - name: acme-storage
+ mountPath: /acme
+ volumes:
+ - name: acme-storage
+ persistentVolumeClaim:
+ claimName: traefik-acme-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: traefik
+ namespace: traefik
+spec:
+ type: NodePort
+ selector:
+ app: traefik
+ ports:
+ - name: web
+ port: 80
+ targetPort: 80
+ nodePort: 30080 # 外部通过 30080 访问 HTTP
+ # nodePort: 80
+ - name: websecure
+ port: 443
+ targetPort: 443
+ nodePort: 30443 # 外部通过 30443 访问 HTTPS
+ # nodePort: 443
+ - name: admin
+ port: 8080
+ targetPort: 8080
+ nodePort: 30808 # Dashboard
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ name: traefik
+spec:
+ controller: traefik.io/ingress-controller
+---
+# Traefik
Dashboard IngressRoute - HTTPS only +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: traefik-dashboard + namespace: traefik +spec: + entryPoints: + - websecure + routes: + - match: Host(`traefik.kevisual.cn`) + kind: Rule + services: + - name: api@internal + kind: TraefikService + tls: + certResolver: letsencrypt \ No newline at end of file diff --git a/k8s/xiongxiao.me/README.md b/k8s/xiongxiao.me/README.md index 7d654f8..b0c1ecd 100644 --- a/k8s/xiongxiao.me/README.md +++ b/k8s/xiongxiao.me/README.md @@ -6,3 +6,18 @@ ## 配置国内源 +## 禁用默认的traefik + +```bash +vim /etc/rancher/k3s/config.yaml +# 添加以下内容禁用默认traefik +disable: traefik +# 重启k3s服务 +systemctl restart k3s + +# 删除默认traefik相关资源 +kubectl delete job -n kube-system helm-install-traefik helm-install-traefik-crd + +# 安装 Traefik CRD +kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml +``` \ No newline at end of file diff --git a/k8s/xiongxiao.me/nginx/nginx-stream-proxy.conf b/k8s/xiongxiao.me/nginx/nginx-stream-proxy.conf index 861a677..6db24f6 100644 --- a/k8s/xiongxiao.me/nginx/nginx-stream-proxy.conf +++ b/k8s/xiongxiao.me/nginx/nginx-stream-proxy.conf @@ -1,4 +1,4 @@ -# HTTP 转发 (80 -> 30080) - Let's Encrypt HTTP Challenge 需要 +# HTTP 转发 (80 -> 30080) upstream traefik_http { server 127.0.0.1:30080; } @@ -6,16 +6,11 @@ upstream traefik_http { server { listen 80; listen [::]:80; - proxy_pass traefik_http; - # 优化的超时设置 - proxy_timeout 1h; - proxy_connect_timeout 5s; - - # Stream 模块支持的选项 - proxy_responses 1; - proxy_buffer_size 16k; + # 超时设置 + proxy_timeout 300s; + proxy_connect_timeout 10s; } # HTTPS 转发 (443 -> 30443) @@ -39,6 +34,4 @@ server { # Stream 模块支持的选项 proxy_responses 1; proxy_buffer_size 16k; -} - - \ No newline at end of file +} \ No newline at end of file
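Review bot: `--api.insecure=true` in the Deployment args serves the Traefik API and dashboard unauthenticated on port 8080, and the Service then publishes that port as NodePort 30808, so anyone who can reach the node on 30808 gets the full router/service/middleware view without ever passing through nginx; the dashboard IngressRoute at the end of the hunk routes `api@internal` with no middleware either. Replace `--api.insecure=true` with `--api.dashboard=true`, drop the `admin` container port and its NodePort entry, and attach an authentication middleware to the dashboard route (basicAuth below; an `ipAllowList` is an alternative). `image: traefik:latest` is unpinned, so a redeploy can silently pull a different major version than the v3.0 CRDs the README applies — pin a v3.0 release tag (or a digest). `--log.level=DEBUG` is very noisy for a production edge and worth lowering to `INFO` once the ACME flow is confirmed, and `--entrypoints.web.http.redirections.entrypoint.to=websecure` would send plaintext requests on `web` to HTTPS, which Traefik documents as compatible with the HTTP-01 challenge. The hostPath volume holds acme.json with the account and certificate private keys, so /data/traefik-acme on the node should be root-only; Traefik itself refuses the file unless it is mode 0600.
```yaml
# … unchanged: PV, PVC, ServiceAccount, ClusterRole, ClusterRoleBinding …
        image: traefik:v3.0   # pinned to the same major version as the CRDs applied in the README
        args:
          - --api.dashboard=true   # replaces --api.insecure=true; api@internal is now only reachable via the authenticated IngressRoute
          - --providers.kubernetescrd
          - --entrypoints.web.address=:80
          - --entrypoints.web.http.redirections.entrypoint.to=websecure
          - --entrypoints.websecure.address=:443
          # … unchanged: Let's Encrypt resolver args …
          - --log.level=INFO
        ports:
          - name: web
            containerPort: 80
          - name: websecure
            containerPort: 443
          # admin/8080 removed here and from the Service's ports list
# … unchanged: Service (minus the admin NodePort entry), IngressClass …
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: traefik
spec:
  basicAuth:
    secret: dashboard-users   # placeholder: Secret with an htpasswd-style "users" key
---
# … unchanged: dashboard IngressRoute metadata and entryPoints …
  routes:
    - match: Host(`traefik.kevisual.cn`)
      kind: Rule
      middlewares:
        - name: dashboard-auth
      services:
        - name: api@internal
          kind: TraefikService
```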