kevisual/k8s-docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

udpate

Browse Source
This commit is contained in:
熊潇
2025-11-27 12:51:11 +08:00
parent 5d788be63d
commit 6220dd6b70
9 changed files with 320 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
k8s/kevisual.cn/README.md
View File

@@ -35,3 +35,7 @@ sudo cat /var/lib/rancher/k3s/server/node-token
```sh ```sh
sudo vim /etc/rancher/k3s/registries.yaml sudo vim /etc/rancher/k3s/registries.yaml
``` ```
```sh
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
```

1
k8s/kevisual.cn/base.sh Normal file
View File

@@ -0,0 +1 @@
kubectl config use-context kevisual-context

37
k8s/kevisual.cn/config/nginx-stream-proxy.conf Normal file
View File

@@ -0,0 +1,37 @@
# HTTP 转发 (80 -> 30080)
upstream traefik_http {
server 127.0.0.1:30080;
}
server {
listen 80;
listen [::]:80;
proxy_pass traefik_http;
# 超时设置
proxy_timeout 300s;
proxy_connect_timeout 10s;
}
# HTTPS 转发 (443 -> 30443)
upstream traefik_https {
server 127.0.0.1:30443;
}
server {
listen 443;
listen [::]:443;
# SNI 预读 - 让 Traefik 处理 SSL 证书选择
ssl_preread on;
proxy_pass traefik_https;
# 优化的超时设置
proxy_timeout 1h;
proxy_connect_timeout 5s;
# Stream 模块支持的选项
proxy_responses 1;
proxy_buffer_size 16k;
}

1
k8s/kevisual.cn/docs/01-查看暴露.md Normal file
View File

@@ -0,0 +1 @@
kubectl get svc -n default | grep traefik

17
k8s/kevisual.cn/ingress/apps-ingressroute.yaml Normal file
View File

@@ -0,0 +1,17 @@
# Kevisual - kevisual.cn (支持 WebSocket)
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: kevisual-https
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`kevisual.cn`)
kind: Rule
services:
- name: kevisual-external
port: 3005
tls:
certResolver: letsencrypt

24
k8s/kevisual.cn/services/external-services.yaml Normal file
View File

@@ -0,0 +1,24 @@
apiVersion: v1
kind: Service
metadata:
name: kevisual-external
namespace: default
spec:
type: ClusterIP
ports:
- port: 3005
targetPort: 3005
protocol: TCP
name: http
---
apiVersion: v1
kind: Endpoints
metadata:
name: kevisual-external
namespace: default
subsets:
- addresses:
- ip: 121.4.112.18
ports:
- port: 3005
name: http

216
k8s/kevisual.cn/traefik.yaml Normal file
View File

@@ -0,0 +1,216 @@
---
# Traefik 完整部署配置
# kubectl create namespace traefik
# 包含 RBAC、Deployment、Service、IngressClass 和 Let's Encrypt SSL
# tags: traefik, ingress, ssl, https, let's encrypt, acme, kubernetes, master-node
# description: Traefik 反向代理完整配置,部署在 master 节点,包含自动 SSL 证书支持(Let's Encrypt)
# title: Traefik 完整部署配置 - 含 SSL 证书(Master 节点部署)
# createdAt: 2025-11-26
---
# PersistentVolume 用于存储 ACME 证书数据
apiVersion: v1
kind: PersistentVolume
metadata:
name: traefik-acme-pv
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteOnce
hostPath:
path: /data/traefik-acme
storageClassName: local-storage
---
# PersistentVolumeClaim 用于申请证书存储空间
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: traefik-acme-pvc
namespace: traefik
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: local-storage
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik
namespace: traefik
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
- nodes
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.containo.us
- traefik.io
resources:
- ingressroutes
- ingressroutetcps
- ingressrouteudps
- middlewares
- middlewaretcps
- tlsoptions
- tlsstores
- traefikservices
- serverstransports
- serverstransporttcps
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik
namespace: traefik
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik
namespace: traefik
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik
# hostNetwork: true # 部署在主节点,使用 hostNetwork
containers:
- name: traefik
image: traefik:latest
args:
- --api.insecure=true
- --providers.kubernetescrd
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
# Let's Encrypt 配置
- --certificatesresolvers.letsencrypt.acme.email=root@kevisual.cn
- --certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json
- --certificatesresolvers.letsencrypt.acme.httpchallenge=true
- --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
# 使用 Let's Encrypt 生产环境(如果测试,使用 caserver)
# - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
- --log.level=DEBUG
ports:
- name: web
containerPort: 80
- name: websecure
containerPort: 443
- name: admin
containerPort: 8080
volumeMounts:
- name: acme-storage
mountPath: /acme
volumes:
- name: acme-storage
persistentVolumeClaim:
claimName: traefik-acme-pvc
---
apiVersion: v1
kind: Service
metadata:
name: traefik
namespace: traefik
spec:
type: NodePort
selector:
app: traefik
ports:
- name: web
port: 80
targetPort: 80
nodePort: 30080 # 外部通过 30080 访问 HTTP
# nodePort: 80
- name: websecure
port: 443
targetPort: 443
nodePort: 30443 # 外部通过 30443 访问 HTTPS
# nodePort: 443
- name: admin
port: 8080
targetPort: 8080
nodePort: 30808 # Dashboard
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: traefik
spec:
controller: traefik.io/ingress-controller
---
# Traefik Dashboard IngressRoute - HTTPS only
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
namespace: traefik
spec:
entryPoints:
- websecure
routes:
- match: Host(`traefik.kevisual.cn`)
kind: Rule
services:
- name: api@internal
kind: TraefikService
tls:
certResolver: letsencrypt

15
k8s/xiongxiao.me/README.md
View File

@@ -6,3 +6,18 @@
## 配置国内源 ## 配置国内源
## 禁用默认的traefik
```bash
vim /etc/rancher/k3s/config.yaml
# 添加以下内容禁用默认traefik
disable: traefik
# 重启k3s服务
systemctl restart k3s
# 删除默认traefik相关资源
kubectl delete job -n kube-system helm-install-traefik helm-install-traefik-crd
# 安装 Traefik CRD
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
```

15
k8s/xiongxiao.me/nginx/nginx-stream-proxy.conf
View File

@@ -1,4 +1,4 @@
# HTTP 转发 (80 -> 30080) - Let's Encrypt HTTP Challenge 需要 # HTTP 转发 (80 -> 30080)
upstream traefik_http { upstream traefik_http {
server 127.0.0.1:30080; server 127.0.0.1:30080;
} }
@@ -6,16 +6,11 @@ upstream traefik_http {
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
proxy_pass traefik_http; proxy_pass traefik_http;
# 优化的超时设置 # 超时设置
proxy_timeout 1h; proxy_timeout 300s;
proxy_connect_timeout 5s; proxy_connect_timeout 10s;
# Stream 模块支持的选项
proxy_responses 1;
proxy_buffer_size 16k;
} }
# HTTPS 转发 (443 -> 30443) # HTTPS 转发 (443 -> 30443)
@@ -40,5 +35,3 @@ server {
proxy_responses 1; proxy_responses 1;
proxy_buffer_size 16k; proxy_buffer_size 16k;
} }