From 9668342be5fd01731d169e03a5959dcdbbeac427 Mon Sep 17 00:00:00 2001
From: abearxiong
Date: Wed, 26 Nov 2025 20:55:43 +0800
Subject: [PATCH] temp
---
 k8s/xiongxiao.me/README.md | 276 +-----------------
 k8s/xiongxiao.me/config/master-token.md | 10 +-
 k8s/xiongxiao.me/config/registry.md | 77 +++--
 k8s/xiongxiao.me/docs/09-ipv6-dualstack.md | 32 ++
 .../ingress/apps-ingressroute.yaml | 33 +++
 k8s/xiongxiao.me/ingress/home-ingress.yaml | 39 +++
 k8s/xiongxiao.me/ingress/rancher-ingress.yaml | 36 +--
 k8s/xiongxiao.me/restart.sh | 4 -
 .../traefik/traefik-complete.yaml | 40 ++-
 9 files changed, 221 insertions(+), 326 deletions(-)
 create mode 100644 k8s/xiongxiao.me/docs/09-ipv6-dualstack.md
 create mode 100644 k8s/xiongxiao.me/ingress/home-ingress.yaml
 delete mode 100755 k8s/xiongxiao.me/restart.sh
diff --git a/k8s/xiongxiao.me/README.md b/k8s/xiongxiao.me/README.md
index aa33b0f..7d654f8 100644
--- a/k8s/xiongxiao.me/README.md
+++ b/k8s/xiongxiao.me/README.md
@@ -1,274 +1,8 @@ -# Nginx 到 K3s Traefik 迁移总结 +# k3 安装大纲 ---- -tags: kubernetes, k3s, traefik, nginx, migration, summary -description: Nginx 配置迁移到 K3s + Traefik 的完整总结和快速参考 -title: 迁移总结和快速参考 -createdAt: 2025-11-26 ---- +- 安装 k3s +- agent k3s 节点加入集群 +- 设置节点 label -## 快速开始 +## 配置国内源 -### 一键部署 -```bash -cd /Users/xion/kevisual/k8s-docs/k8s/xiongxiao.me -./deploy-apps.sh -``` - -### 测试服务 -```bash -./test-services.sh -``` - -### 卸载 -```bash -./undeploy-apps.sh -``` - -## 文件结构 - -``` -k8s/xiongxiao.me/ -├── services/ -│ └── external-services.yaml # 外部服务定义 (18个服务) -├── ingress/ -│ └── apps-ingressroute.yaml # Traefik 路由配置 (18个域名) -├── docs/ -│ └── 07-nginx-migration.md # 详细迁移文档 -├── deploy-apps.sh # 自动部署脚本 -├── undeploy-apps.sh # 自动卸载脚本 -└── test-services.sh # 服务测试脚本 -``` - -## 迁移的服务 (18个) - -| # | 域名 | 服务 | 端口 | 位置 | -|---|------|------|------|------| -| 1 | blinko.xiongxiao.me | 笔记 | 3111 | 10.0.32.6 | -| 2 | chat.xiongxiao.me | 聊天 | 3000 | 本地 | -| 3 | kevisual.xiongxiao.me | Kevisual | 3005 | 本地 | -| 4 | www.xiongxiao.me | 主站 | 3005 | 本地 | -| 5 | immich.xiongxiao.me | 图片 | 2283 | 本地 | -| 6 | cloud.xiongxiao.me | 云盘 | 5212 | 本地 | -| 7 | docmost.xiongxiao.me | 文档 | 3011 | 本地 | -| 8 | drawio.xiongxiao.me | 绘图 | 13000 | 本地 | -| 9 | minio.xiongxiao.me | 存储 | 9000 | 本地 | -| 10 | npm.xiongxiao.me | NPM | 30001 | 10.0.32.6 | -| 11 | gist.xiongxiao.me | 代码 | 6157 | 本地 | -| 12 | webdav.xiongxiao.me | WebDAV | 6060 | 本地 | -| 13 | esm.xiongxiao.me | CDN | 12000 | 本地 | -| 14 | umami.xiongxiao.me | 分析 | 4004 | 本地 | -| 15 | pwd.xiongxiao.me | 密码 | 8180 | 本地 | -| 16 | meilisearch.xiongxiao.me | 搜索 | 7700 | 本地 | -| 17 | memos.xiongxiao.me | Memos | 8181 | 10.0.32.6 | -| 18 | git.xiongxiao.me | Gitea | 3000 | 10.0.32.6 | - -## 关键特性 - -### ✅ 自动 HTTPS -- 使用 Let's Encrypt 自动申请证书 -- 自动续期,无需手动干预 -- HTTP 自动重定向到 HTTPS - -### ✅ WebSocket 支持 -- 原生支持 WebSocket 连接 -- 无需额外配置 - -### ✅ 灵活扩展 -- 轻松添加新服务 -- 支持多种后端类型 -- 可配置中间件 - -## 常用命令 - -### 查看服务状态 -```bash -# 查看所有外部服务 -kubectl get svc -n default | 
grep external - -# 查看 Endpoints -kubectl get endpoints -n default | grep external - -# 查看 IngressRoute -kubectl get ingressroute -n default -``` - -### 查看日志 -```bash -# Traefik 日志 -kubectl logs -n traefik -l app=traefik -f - -# 查看特定服务的 Endpoints -kubectl describe endpoints blinko-external -n default -``` - -### Traefik Dashboard -```bash -# 端口转发 -kubectl port-forward svc/traefik 8080:8080 -n traefik - -# 访问 http://localhost:8080/dashboard/ -``` - -### 调试服务 -```bash -# 测试单个服务 -curl -k -v https://blinko.xiongxiao.me - -# 查看 DNS 解析 -nslookup blinko.xiongxiao.me - -# 查看证书 -openssl s_client -connect blinko.xiongxiao.me:443 -servername blinko.xiongxiao.me -``` - -## 添加新服务 - -### 1. 添加 Service 和 Endpoint - -在 `services/external-services.yaml` 中添加: - -```yaml ---- -# 新服务 -apiVersion: v1 -kind: Service -metadata: - name: newapp-external - namespace: default -spec: - type: ClusterIP - ports: - - port: 8080 - targetPort: 8080 - protocol: TCP - name: http ---- -apiVersion: v1 -kind: Endpoints -metadata: - name: newapp-external - namespace: default -subsets: -- addresses: - - ip: 127.0.0.1 # 或实际 IP - ports: - - port: 8080 - name: http -``` - -### 2. 添加 IngressRoute - -在 `ingress/apps-ingressroute.yaml` 中添加: - -```yaml ---- -# 新应用 - newapp.xiongxiao.me -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: newapp-https - namespace: default -spec: - entryPoints: - - websecure - routes: - - match: Host(`newapp.xiongxiao.me`) - kind: Rule - services: - - name: newapp-external - port: 8080 - tls: - certResolver: letsencrypt -``` - -### 3. 
应用配置 - -```bash -kubectl apply -f services/external-services.yaml -kubectl apply -f ingress/apps-ingressroute.yaml -``` - -## 故障排查清单 - -### 服务无法访问 - -- [ ] DNS 是否指向正确的 IP (Traefik NodePort 30443) -- [ ] Service 是否存在: `kubectl get svc -n default` -- [ ] Endpoints 是否有地址: `kubectl get endpoints -n default` -- [ ] IngressRoute 是否正确: `kubectl get ingressroute -n default` -- [ ] 后端服务是否运行 -- [ ] 网络是否互通: `ping 10.0.32.6` -- [ ] Traefik 是否正常: `kubectl get pods -n traefik` - -### SSL 证书问题 - -- [ ] 域名是否可以公网访问 (Let's Encrypt 验证) -- [ ] 端口 80 是否开放 (HTTP Challenge) -- [ ] ACME 存储是否正常: `kubectl get pvc -n traefik` -- [ ] 查看证书申请日志: `kubectl logs -n traefik -l app=traefik | grep acme` - -### WebSocket 连接失败 - -- [ ] 检查后端服务是否支持 WebSocket -- [ ] 查看 Traefik 日志是否有错误 -- [ ] 测试直接连接后端服务 - -## 性能优化 - -### 启用压缩 - -```yaml -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: compress - namespace: default -spec: - compress: {} -``` - -### 限流 - -```yaml -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: rate-limit - namespace: default -spec: - rateLimit: - average: 100 - burst: 50 -``` - -### 添加到 IngressRoute - -```yaml -spec: - routes: - - match: Host(`example.xiongxiao.me`) - kind: Rule - middlewares: - - name: compress - - name: rate-limit - services: - - name: example-external - port: 8080 -``` - -## 安全建议 - -1. **限制访问源**: 使用 IP 白名单中间件 -2. **启用认证**: BasicAuth 或 OAuth 中间件 -3. **定期更新**: 保持 Traefik 和 K3s 最新版本 -4. **监控告警**: 集成 Prometheus 监控 -5. **日志审计**: 保留访问日志 - -## 下一步 - -- [ ] 将服务逐步迁移到容器化部署 -- [ ] 配置自动扩展 (HPA) -- [ ] 集成监控和告警 -- [ ] 配置备份策略 -- [ ] 文档化运维流程 diff --git a/k8s/xiongxiao.me/config/master-token.md b/k8s/xiongxiao.me/config/master-token.md index a1f42b3..48cc184 100644 --- a/k8s/xiongxiao.me/config/master-token.md +++ b/k8s/xiongxiao.me/config/master-token.md 
@@ -16,4 +16,12 @@ Created symlink /etc/systemd/system/multi-user.target.wants/k3s-agent.service
 kubectl label nodes vm-32-6-ubuntu machine=library --overwrite
 删除label
-kubectl label nodes vm-32-6-ubuntu machine- --overwrite
\ No newline at end of file
+kubectl label nodes vm-32-6-ubuntu machine- --overwrite
+
+
+### on
+kubectl label nodes vm-16-2-ubuntu machine=on --overwrite
+
+### light
+
+kubectl label nodes vm-12-6-ubuntu machine=light --overwrite
\ No newline at end of file
diff --git a/k8s/xiongxiao.me/config/registry.md b/k8s/xiongxiao.me/config/registry.md
index ca9c25a..3a8a9a5 100644
--- a/k8s/xiongxiao.me/config/registry.md
+++ b/k8s/xiongxiao.me/config/registry.md
@@ -4,30 +4,33 @@ sudo vim /etc/rancher/k3s/registries.yaml
 mirrors:
 docker.io:
 endpoint:
- - "https://docker.1ms.run"
- - "https://docker.m.daocloud.io"
- - "https://docker.1panel.live"
- - "https://docker-0.unsee.tech"
- - "https://dytt.online"
- - "https://lispy.org"
- - "https://docker.xiaogenban1993.com"
- - "https://666860.xyz"
- - "https://hub.rat.dev"
- - "https://demo.52013120.xyz"
- - "https://proxy.vvvv.ee"
- - "https://registry.cyou"
- - "http://hub-mirror.c.163.com"
-
- # rancher 镜像加速
- "rancher":
+ - 'https://docker.1ms.run'
+ - 'https://docker.m.daocloud.io'
+ - 'https://docker.1panel.live'
+ - 'https://docker-0.unsee.tech'
+ - 'https://dytt.online'
+ - 'https://lispy.org'
+ - 'https://docker.xiaogenban1993.com'
+ - 'https://666860.xyz'
+ - 'https://hub.rat.dev'
+ - 'https://demo.52013120.xyz'
+ - 'https://proxy.vvvv.ee'
+ - 'https://registry.cyou'
+ - 'http://hub-mirror.c.163.com'
+
+ "registry.k8s.io":
 endpoint:
- - "https://docker.1ms.run/rancher"
+ - 'https://k8s.m.daocloud.io'
+ - 'https://docker.m.daocloud.io'
+ # rancher 镜像加速
+ 'rancher':
+ endpoint:
+ - 'https://docker.1ms.run/rancher'
 configs:
- "docker.1ms.run":
+ 'docker.1ms.run':
 tls:
 insecure_skip_verify: true
- ```
 ```bash
@@ -44,25 +47,37 @@ sudo systemctl restart k3s-agent
 vim /etc/containerd/config.toml
+disabled_plugins = ["cri"]
+
 [plugins."io.containerd.grpc.v1.cri".registry]
 [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
 [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
 endpoint = [
- "https://docker.1panel.live",
 "https://docker.1ms.run",
+ "https://docker.m.daocloud.io",
+ "https://docker.1panel.live",
 "https://dytt.online",
 "https://docker-0.unsee.tech",
 "https://lispy.org",
 "https://docker.xiaogenban1993.com",
 "https://666860.xyz",
 "https://hub.rat.dev",
- "https://docker.m.daocloud.io",
 "https://demo.52013120.xyz",
 "https://proxy.vvvv.ee",
 "https://registry.cyou"
 ]
+[plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.k8s.io"]
+ endpoint = [
+ "https://k8s.m.daocloud.io"
+ "https://docker.m.daocloud.io",
+ ]
+```
+
+# 重启 containerd
+
+```bash
 sudo systemctl restart containerd
 sudo ctr image pull docker.io/library/verdaccio:latest
@@ -75,4 +90,22 @@ sudo ctr -n k8s.io images delete docker.m.daocloud.io/rancher/mirrored-pause:3.6
 # 查看镜像
 sudo ctr -n k8s.io images ls | grep pause
-```
\ No newline at end of file
+```
+
+## 安装 cluster-api-controller
+
+```bash
+registry.k8s.io/cluster-api/cluster-api-controller:v1.10.6
+
+sudo ctr image pull registry.k8s.io/cluster-api/cluster-api-controller:v1.10.6
+
+# proxy 镜像
+sudo ctr -n k8s.io image pull k8s.m.daocloud.io/cluster-api/cluster-api-controller:v1.10.6
+
+# 打标签
+sudo ctr -n k8s.io images tag k8s.m.daocloud.io/cluster-api/cluster-api-controller:v1.10.6 registry.k8s.io/cluster-api/cluster-api-controller:v1.10.6
+
+# 删除镜像
+sudo ctr -n k8s.io images delete k8s.m.daocloud.io/cluster-api/cluster-api-controller:v1.10.6
+
+```
diff --git a/k8s/xiongxiao.me/docs/09-ipv6-dualstack.md b/k8s/xiongxiao.me/docs/09-ipv6-dualstack.md
new file mode 100644
index 0000000..17d5d0b
--- /dev/null
+++ b/k8s/xiongxiao.me/docs/09-ipv6-dualstack.md
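Review bot: The added `registry.k8s.io` mirror block in the containerd snippet is missing a comma after `"https://k8s.m.daocloud.io"`, so the TOML array is malformed and containerd will reject the whole config on restart; the line should read `"https://k8s.m.daocloud.io",`. The new `disabled_plugins = ["cri"]` at the top of the same snippet switches off containerd's CRI plugin, which is the interface a kubelet uses — if this `/etc/containerd/config.toml` is meant for a Kubernetes node rather than a standalone Docker host, it should be `disabled_plugins = []` or removed; I cannot tell from the hunk which host type is intended. A one-line comment above the snippet saying which node role it applies to would make that unambiguous.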
@@ -0,0 +1,32 @@
+---
+title: "K8s 升级为 IPv4/IPv6 双栈配置"
+description: "详细介绍如何将 K3s 集群从单栈 IPv4 升级为 IPv4/IPv6 双栈模式,包括系统准备、K3s 配置修改、服务验证和常见问题排查。"
+tags: ["k8s", "k3s", "ipv6", "dual-stack", "network", "upgrade"]
+createdAt: "2025-11-26"
+---
+
+# K8s 升级为 IPv4/IPv6 双栈配置
+
+本文档介绍如何将 K3s 集群升级为支持 IPv4/IPv6 双栈网络。
+
+## 前置条件检查
+
+### 1. SSH 连接到远程服务器
+
+```sh
+# 连接到主节点
+ssh user@your-master-node
+
+# 或使用别名(如果已配置)
+ssh light
+```
+
+默认配置
+
+```yaml
+tls-san:
+ - "rancher.xiongxiao.me" # 你的域名
+ - "121.4.112.18" # 你的公网 IP
+```
+
+systemctl restart k3s
\ No newline at end of file
diff --git a/k8s/xiongxiao.me/ingress/apps-ingressroute.yaml b/k8s/xiongxiao.me/ingress/apps-ingressroute.yaml
index 1657b3b..36789cf 100644
--- a/k8s/xiongxiao.me/ingress/apps-ingressroute.yaml
+++ b/k8s/xiongxiao.me/ingress/apps-ingressroute.yaml
@@ -310,3 +310,36 @@ spec:
 port: 3000
 tls:
 certResolver: letsencrypt
+---
+# RBAC 配置
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: default
+ name: traefik-ingressroute-role
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups: ["traefik.io"]
+ resources: ["ingressroutes"]
+ verbs: ["get", "list", "watch", "create", "update", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: traefik-ingressroute-rolebinding
+ namespace: default
+subjects:
+ - kind: ServiceAccount
+ name: traefik-ingressroute-sa
+ namespace: kube-system
+roleRef:
+ kind: Role
+ name: traefik-ingressroute-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/k8s/xiongxiao.me/ingress/home-ingress.yaml b/k8s/xiongxiao.me/ingress/home-ingress.yaml
new file mode 100644
index 0000000..98a825b
--- /dev/null
+++ b/k8s/xiongxiao.me/ingress/home-ingress.yaml
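Review bot: The new RoleBinding in apps-ingressroute.yaml binds `traefik-ingressroute-role` to a ServiceAccount `traefik-ingressroute-sa` in `kube-system` that nothing in this commit creates, while the Traefik Deployment in `traefik/traefik-complete.yaml` runs as `serviceAccountName: traefik` (apparently in the `traefik` namespace), so the binding grants nothing to the running controller and the Role is either dead or intended for some other principal. The Role also grants `create`, `update` and `delete` on `ingressroutes`, which the Traefik CRD provider does not need — it only reads them — so unless a separate automation account writes routes, trim to `verbs: ["get", "list", "watch"]` and point `subjects` at the account that actually exists. A header comment stating which workload this RBAC is for (e.g. `# RBAC for <workload-placeholder>; read-only access to IngressRoutes in default`) would make the intent checkable.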
@@ -0,0 +1,39 @@
+---
+# Traefik IngressRoute 配置 - Home Assistant
+# tags: traefik, ingressroute, https, ssl, home-assistant, websocket, ipv6
+# description: Home Assistant 服务的 Traefik IngressRoute 配置,支持 IPv6、HTTPS、WebSocket
+# title: Home Assistant IngressRoute 配置
+# createdAt: 2025-11-26
+---
+# Home Assistant HTTPS 入口
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: home-https
+ namespace: default
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`home.mz.xiongxiao.me`)
+ kind: Rule
+ services:
+ - name: home-external
+ port: 8123
+ scheme: http
+ tls:
+ certResolver: letsencrypt
+---
+# Home Assistant 外部服务 (通过域名解析 IPv6)
+apiVersion: v1
+kind: Service
+metadata:
+ name: home-external
+ namespace: default
+spec:
+ type: ExternalName
+ externalName: xionmi.mz.zxj.im
+---
+
+# kubectl run test-ipv6 --image=curlimages/curl:latest -it --rm -- sh
+# curl -6 http://home.mz.xiongxiao.me:8123
\ No newline at end of file
diff --git a/k8s/xiongxiao.me/ingress/rancher-ingress.yaml b/k8s/xiongxiao.me/ingress/rancher-ingress.yaml
index 681ee14..a7a3a5c 100644
--- a/k8s/xiongxiao.me/ingress/rancher-ingress.yaml
+++ b/k8s/xiongxiao.me/ingress/rancher-ingress.yaml
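Review bot: The `home-https` route targets `home-external`, a `type: ExternalName` Service, but Traefik's Kubernetes CRD provider refuses ExternalName backends unless the controller runs with `--providers.kubernetescrd.allowExternalNameServices=true`; the args visible in `traefik/traefik-complete.yaml` only pass `--providers.kubernetescrd`, so this route will most likely be dropped at load time with an error in the Traefik log. Enabling that flag also lets any IngressRoute author in the cluster point Traefik at arbitrary external hosts, so if it is turned on, IngressRoute creation should stay limited to trusted namespaces. Separately, `scheme: http` makes the hop from Traefik to `xionmi.mz.zxj.im` plaintext over whatever network sits between them; a comment such as `# backend hop is plaintext; only acceptable on a trusted link` or `scheme: https` if Home Assistant serves TLS would make that choice explicit.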
@@ -1,27 +1,19 @@
 ---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
+# Rancher - rancher.xiongxiao.me
+# 使用 IngressRoute 以便正确使用 Let's Encrypt 证书
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
 metadata:
- name: rancher
+ name: rancher-https
 namespace: cattle-system
- annotations:
- traefik.ingress.kubernetes.io/router.entrypoints: websecure
- traefik.ingress.kubernetes.io/router.tls: "true"
- traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt # 使用 Let's Encrypt
 spec:
- ingressClassName: traefik
- rules:
- - host: rancher.xiongxiao.me
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: rancher
- port:
- number: 80
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`rancher.xiongxiao.me`)
+ kind: Rule
+ services:
+ - name: rancher
+ port: 80
 tls:
- - hosts:
- - rancher.xiongxiao.me
- # secretName: tls-rancher-ingress # 使用自动证书,不需要手动指定 secret
+ certResolver: letsencrypt
diff --git a/k8s/xiongxiao.me/restart.sh b/k8s/xiongxiao.me/restart.sh
deleted file mode 100755
index 48c51cd..0000000
--- a/k8s/xiongxiao.me/restart.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-kubectl rollout restart deployment/traefik -n traefik
-
-
-kubectl logs -n traefik -l app=traefik -f
diff --git a/k8s/xiongxiao.me/traefik/traefik-complete.yaml b/k8s/xiongxiao.me/traefik/traefik-complete.yaml
index 113a585..fef8d46 100644
--- a/k8s/xiongxiao.me/traefik/traefik-complete.yaml
+++ b/k8s/xiongxiao.me/traefik/traefik-complete.yaml
@@ -1,9 +1,9 @@
 ---
 # Traefik 完整部署配置
 # 包含 RBAC、Deployment、Service、IngressClass 和 Let's Encrypt SSL
-# tags: traefik, ingress, ssl, https, let's encrypt, acme, kubernetes
-# description: Traefik 反向代理完整配置,包含自动 SSL 证书支持(Let's Encrypt)
-# title: Traefik 完整部署配置 - 含 SSL 证书
+# tags: traefik, ingress, ssl, https, let's encrypt, acme, kubernetes, master-node
+# description: Traefik 反向代理完整配置,部署在 master 节点,包含自动 SSL 证书支持(Let's Encrypt)
+# title: Traefik 完整部署配置 - 含 SSL 证书(Master 节点部署)
 # createdAt: 2025-11-26
 ---
 # PersistentVolume 用于存储 ACME 证书数据
@@ -131,12 +131,22 @@ spec:
 app: traefik
 spec:
 serviceAccountName: traefik
+ # 节点选择器:选择 master 节点(已注释,允许在任意节点调度)
+ # nodeSelector:
+ # node-role.kubernetes.io/control-plane: ""
+ # 容忍 master 节点的污点
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
 containers:
 - name: traefik
- image: traefik:v3.2
+ image: traefik:latest
 args:
 - --api.insecure=true
- - --providers.kubernetesingress
 - --providers.kubernetescrd
 - --entrypoints.web.address=:80
 - --entrypoints.websecure.address=:443
@@ -191,4 +201,22 @@ kind: IngressClass
 metadata:
 name: traefik
 spec:
- controller: traefik.io/ingress-controller
\ No newline at end of file
+ controller: traefik.io/ingress-controller
+---
+# Traefik Dashboard IngressRoute - HTTPS only
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: traefik-dashboard
+ namespace: traefik
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`traefik.xiongxiao.me`)
+ kind: Rule
+ services:
+ - name: api@internal
+ kind: TraefikService
+ tls:
+ certResolver: letsencrypt
\ No newline at end of file
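Review bot: `image: traefik:latest` in the Deployment hunk replaces the pinned `traefik:v3.2` with a mutable tag, so every pod restart or node pull may run a different, unreviewed release and a rollback is no longer reproducible. Keep a pinned tag, ideally with a digest, e.g. `image: traefik:v3.2` or `image: traefik:v3.2@sha256:<digest-placeholder>`. In the same hunk the `nodeSelector` is left commented out while the new header text says the controller is deployed on the master node; tolerations only permit scheduling there, they do not force it, so either re-enable the selector or adjust the description to say "any node, tolerating control-plane taints".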
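Review bot: The new `traefik-dashboard` IngressRoute publishes `api@internal` on `traefik.xiongxiao.me` with TLS but no `middlewares:` entry, and the unchanged `--api.insecure=true` arg keeps the API enabled, so the dashboard and the `/api` endpoints (full routing config and backend addresses) become reachable from the internet by anyone who resolves the name. Attach an authentication or source-restriction middleware to the route, e.g. `middlewares:` / `- name: dashboard-auth`, backed by a `basicAuth` or `ipAllowList` Middleware defined in the `traefik` namespace, and consider replacing `--api.insecure=true` with `--api=true` plus `--api.dashboard=true` so the API is served only through this authenticated route. The new `ingress/home-ingress.yaml` in this commit uses the same no-middleware shape; Home Assistant at least has its own login, the Traefik API does not.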