udpate

k8s/kevisual.cn/README.md

@@ -35,3 +35,7 @@ sudo cat /var/lib/rancher/k3s/server/node-token
 ```sh
 sudo vim /etc/rancher/k3s/registries.yaml
 ```
+
+```sh
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+```

k8s/kevisual.cn/base.sh

@@ -0,0 +1 @@
+kubectl config use-context kevisual-context

k8s/kevisual.cn/config/nginx-stream-proxy.conf

@@ -0,0 +1,37 @@
+# HTTP 转发 (80 -> 30080)
+upstream traefik_http {
+    server 127.0.0.1:30080;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    proxy_pass traefik_http;
+
+    # 超时设置
+    proxy_timeout 300s;
+    proxy_connect_timeout 10s;
+}
+
+# HTTPS 转发 (443 -> 30443)
+upstream traefik_https {
+    server 127.0.0.1:30443;
+}
+
+server {
+    listen 443;
+    listen [::]:443;
+
+    # SNI 预读 - 让 Traefik 处理 SSL 证书选择
+    ssl_preread on;
+
+    proxy_pass traefik_https;
+
+    # 优化的超时设置
+    proxy_timeout 1h;
+    proxy_connect_timeout 5s;
+
+    # Stream 模块支持的选项
+    proxy_responses 1;
+    proxy_buffer_size 16k;
+}

k8s/kevisual.cn/docs/01-查看暴露.md

@@ -0,0 +1 @@
+kubectl get svc -n default | grep traefik

k8s/kevisual.cn/ingress/apps-ingressroute.yaml

@@ -0,0 +1,17 @@
+# Kevisual - kevisual.cn (支持 WebSocket)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kevisual-https
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`kevisual.cn`)
+      kind: Rule
+      services:
+        - name: kevisual-external
+          port: 3005
+  tls:
+    certResolver: letsencrypt

k8s/kevisual.cn/services/external-services.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kevisual-external
+  namespace: default
+spec:
+  type: ClusterIP
+  ports:
+  - port: 3005
+    targetPort: 3005
+    protocol: TCP
+    name: http
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: kevisual-external
+  namespace: default
+subsets:
+- addresses:
+  - ip: 121.4.112.18
+  ports:
+  - port: 3005
+    name: http

k8s/kevisual.cn/traefik.yaml

@@ -0,0 +1,216 @@
+---
+# Traefik 完整部署配置
+# kubectl create namespace traefik
+# 包含 RBAC、Deployment、Service、IngressClass 和 Let's Encrypt SSL
+# tags: traefik, ingress, ssl, https, let's encrypt, acme, kubernetes, master-node
+# description: Traefik 反向代理完整配置,部署在 master 节点,包含自动 SSL 证书支持(Let's Encrypt)
+# title: Traefik 完整部署配置 - 含 SSL 证书(Master 节点部署)
+# createdAt: 2025-11-26
+---
+# PersistentVolume 用于存储 ACME 证书数据
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: traefik-acme-pv
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteOnce
+  hostPath:
+    path: /data/traefik-acme
+  storageClassName: local-storage
+---
+# PersistentVolumeClaim 用于申请证书存储空间
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: traefik-acme-pvc
+  namespace: traefik
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: local-storage
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: traefik
+  namespace: traefik
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: traefik-ingress-controller
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+      - nodes
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - traefik.containo.us
+      - traefik.io
+    resources:
+      - ingressroutes
+      - ingressroutetcps
+      - ingressrouteudps
+      - middlewares
+      - middlewaretcps
+      - tlsoptions
+      - tlsstores
+      - traefikservices
+      - serverstransports
+      - serverstransporttcps
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: traefik-ingress-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik-ingress-controller
+subjects:
+  - kind: ServiceAccount
+    name: traefik
+    namespace: traefik
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: traefik
+  namespace: traefik
+  labels:
+    app: traefik
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik
+  template:
+    metadata:
+      labels:
+        app: traefik
+    spec:
+      serviceAccountName: traefik
+      # hostNetwork: true  # 部署在主节点,使用 hostNetwork
+      containers:
+      - name: traefik
+        image: traefik:latest
+        args:
+          - --api.insecure=true
+          - --providers.kubernetescrd
+          - --entrypoints.web.address=:80
+          - --entrypoints.websecure.address=:443
+          # Let's Encrypt 配置
+          - --certificatesresolvers.letsencrypt.acme.email=root@kevisual.cn
+          - --certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json
+          - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
+          - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
+          # 使用 Let's Encrypt 生产环境(如果测试,使用 caserver)
+          # - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+          - --log.level=DEBUG
+        ports:
+        - name: web
+          containerPort: 80
+        - name: websecure
+          containerPort: 443
+        - name: admin
+          containerPort: 8080
+        volumeMounts:
+        - name: acme-storage
+          mountPath: /acme
+      volumes:
+      - name: acme-storage
+        persistentVolumeClaim:
+          claimName: traefik-acme-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik
+  namespace: traefik
+spec:
+  type: NodePort
+  selector:
+    app: traefik
+  ports:
+  - name: web
+    port: 80
+    targetPort: 80
+    nodePort: 30080  # 外部通过 30080 访问 HTTP
+    # nodePort: 80 
+  - name: websecure
+    port: 443
+    targetPort: 443
+    nodePort: 30443  # 外部通过 30443 访问 HTTPS
+    # nodePort: 443  
+  - name: admin
+    port: 8080
+    targetPort: 8080
+    nodePort: 30808  # Dashboard
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: traefik
+spec:
+  controller: traefik.io/ingress-controller
+---
+# Traefik Dashboard IngressRoute - HTTPS only
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: traefik
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`traefik.kevisual.cn`)
+      kind: Rule
+      services:
+        - name: api@internal
+          kind: TraefikService
+  tls:
+    certResolver: letsencrypt

k8s/xiongxiao.me/README.md

@@ -6,3 +6,18 @@
 
 ## 配置国内源
 
+## 禁用默认的traefik
+
+```bash
+vim /etc/rancher/k3s/config.yaml 
+# 添加以下内容禁用默认traefik
+disable: traefik
+# 重启k3s服务
+systemctl restart k3s
+
+# 删除默认traefik相关资源
+kubectl delete job -n kube-system helm-install-traefik helm-install-traefik-crd
+
+# 安装 Traefik CRD
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+```

k8s/xiongxiao.me/nginx/nginx-stream-proxy.conf

@@ -1,4 +1,4 @@
-# HTTP 转发 (80 -> 30080) - Let's Encrypt HTTP Challenge 需要
+# HTTP 转发 (80 -> 30080)
 upstream traefik_http {
     server 127.0.0.1:30080;
 }
@@ -6,16 +6,11 @@ upstream traefik_http {
 server {
     listen 80;
     listen [::]:80;
-
     proxy_pass traefik_http;
 
-    # 优化的超时设置
-    proxy_timeout 1h;
-    proxy_connect_timeout 5s;
-
-    # Stream 模块支持的选项
-    proxy_responses 1;
-    proxy_buffer_size 16k;
+    # 超时设置
+    proxy_timeout 300s;
+    proxy_connect_timeout 10s;
 }
 
 # HTTPS 转发 (443 -> 30443)
@@ -40,5 +35,3 @@ server {
     proxy_responses 1;
     proxy_buffer_size 16k;
 }
-
-