kevisual/k8s-docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

temp

Browse Source
This commit is contained in:
熊潇
2025-11-26 20:55:43 +08:00
parent ba1f52996f
commit 9668342be5
9 changed files with 221 additions and 326 deletions
Download Patch File Download Diff File Expand all files Collapse all files

276
k8s/xiongxiao.me/README.md
View File

@@ -1,274 +1,8 @@
# Nginx 到 K3s Traefik 迁移总结 # k3 安装大纲
--- - 安装 k3s
tags: kubernetes, k3s, traefik, nginx, migration, summary - agent k3s 节点加入集群
description: Nginx 配置迁移到 K3s + Traefik 的完整总结和快速参考 - 设置节点 label
title: 迁移总结和快速参考
createdAt: 2025-11-26
---
## 快速开始 ## 配置国内源
### 一键部署
```bash
cd /Users/xion/kevisual/k8s-docs/k8s/xiongxiao.me
./deploy-apps.sh
```
### 测试服务
```bash
./test-services.sh
```
### 卸载
```bash
./undeploy-apps.sh
```
## 文件结构
```
k8s/xiongxiao.me/
├── services/
│ └── external-services.yaml # 外部服务定义 (18个服务)
├── ingress/
│ └── apps-ingressroute.yaml # Traefik 路由配置 (18个域名)
├── docs/
│ └── 07-nginx-migration.md # 详细迁移文档
├── deploy-apps.sh # 自动部署脚本
├── undeploy-apps.sh # 自动卸载脚本
└── test-services.sh # 服务测试脚本
```
## 迁移的服务 (18个)
| # | 域名 | 服务 | 端口 | 位置 |
|---|------|------|------|------|
| 1 | blinko.xiongxiao.me | 笔记 | 3111 | 10.0.32.6 |
| 2 | chat.xiongxiao.me | 聊天 | 3000 | 本地 |
| 3 | kevisual.xiongxiao.me | Kevisual | 3005 | 本地 |
| 4 | www.xiongxiao.me | 主站 | 3005 | 本地 |
| 5 | immich.xiongxiao.me | 图片 | 2283 | 本地 |
| 6 | cloud.xiongxiao.me | 云盘 | 5212 | 本地 |
| 7 | docmost.xiongxiao.me | 文档 | 3011 | 本地 |
| 8 | drawio.xiongxiao.me | 绘图 | 13000 | 本地 |
| 9 | minio.xiongxiao.me | 存储 | 9000 | 本地 |
| 10 | npm.xiongxiao.me | NPM | 30001 | 10.0.32.6 |
| 11 | gist.xiongxiao.me | 代码 | 6157 | 本地 |
| 12 | webdav.xiongxiao.me | WebDAV | 6060 | 本地 |
| 13 | esm.xiongxiao.me | CDN | 12000 | 本地 |
| 14 | umami.xiongxiao.me | 分析 | 4004 | 本地 |
| 15 | pwd.xiongxiao.me | 密码 | 8180 | 本地 |
| 16 | meilisearch.xiongxiao.me | 搜索 | 7700 | 本地 |
| 17 | memos.xiongxiao.me | Memos | 8181 | 10.0.32.6 |
| 18 | git.xiongxiao.me | Gitea | 3000 | 10.0.32.6 |
## 关键特性
### ✅ 自动 HTTPS
- 使用 Let's Encrypt 自动申请证书
- 自动续期,无需手动干预
- HTTP 自动重定向到 HTTPS
### ✅ WebSocket 支持
- 原生支持 WebSocket 连接
- 无需额外配置
### ✅ 灵活扩展
- 轻松添加新服务
- 支持多种后端类型
- 可配置中间件
## 常用命令
### 查看服务状态
```bash
# 查看所有外部服务
kubectl get svc -n default | grep external
# 查看 Endpoints
kubectl get endpoints -n default | grep external
# 查看 IngressRoute
kubectl get ingressroute -n default
```
### 查看日志
```bash
# Traefik 日志
kubectl logs -n traefik -l app=traefik -f
# 查看特定服务的 Endpoints
kubectl describe endpoints blinko-external -n default
```
### Traefik Dashboard
```bash
# 端口转发
kubectl port-forward svc/traefik 8080:8080 -n traefik
# 访问 http://localhost:8080/dashboard/
```
### 调试服务
```bash
# 测试单个服务
curl -k -v https://blinko.xiongxiao.me
# 查看 DNS 解析
nslookup blinko.xiongxiao.me
# 查看证书
openssl s_client -connect blinko.xiongxiao.me:443 -servername blinko.xiongxiao.me
```
## 添加新服务
### 1. 添加 Service 和 Endpoint
`services/external-services.yaml` 中添加:
```yaml
---
# 新服务
apiVersion: v1
kind: Service
metadata:
name: newapp-external
namespace: default
spec:
type: ClusterIP
ports:
- port: 8080
targetPort: 8080
protocol: TCP
name: http
---
apiVersion: v1
kind: Endpoints
metadata:
name: newapp-external
namespace: default
subsets:
- addresses:
- ip: 127.0.0.1 # 或实际 IP
ports:
- port: 8080
name: http
```
### 2. 添加 IngressRoute
`ingress/apps-ingressroute.yaml` 中添加:
```yaml
---
# 新应用 - newapp.xiongxiao.me
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: newapp-https
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`newapp.xiongxiao.me`)
kind: Rule
services:
- name: newapp-external
port: 8080
tls:
certResolver: letsencrypt
```
### 3. 应用配置
```bash
kubectl apply -f services/external-services.yaml
kubectl apply -f ingress/apps-ingressroute.yaml
```
## 故障排查清单
### 服务无法访问
- [ ] DNS 是否指向正确的 IP (Traefik NodePort 30443)
- [ ] Service 是否存在: `kubectl get svc -n default`
- [ ] Endpoints 是否有地址: `kubectl get endpoints -n default`
- [ ] IngressRoute 是否正确: `kubectl get ingressroute -n default`
- [ ] 后端服务是否运行
- [ ] 网络是否互通: `ping 10.0.32.6`
- [ ] Traefik 是否正常: `kubectl get pods -n traefik`
### SSL 证书问题
- [ ] 域名是否可以公网访问 (Let's Encrypt 验证)
- [ ] 端口 80 是否开放 (HTTP Challenge)
- [ ] ACME 存储是否正常: `kubectl get pvc -n traefik`
- [ ] 查看证书申请日志: `kubectl logs -n traefik -l app=traefik | grep acme`
### WebSocket 连接失败
- [ ] 检查后端服务是否支持 WebSocket
- [ ] 查看 Traefik 日志是否有错误
- [ ] 测试直接连接后端服务
## 性能优化
### 启用压缩
```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: compress
namespace: default
spec:
compress: {}
```
### 限流
```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: rate-limit
namespace: default
spec:
rateLimit:
average: 100
burst: 50
```
### 添加到 IngressRoute
```yaml
spec:
routes:
- match: Host(`example.xiongxiao.me`)
kind: Rule
middlewares:
- name: compress
- name: rate-limit
services:
- name: example-external
port: 8080
```
## 安全建议
1. **限制访问源**: 使用 IP 白名单中间件
2. **启用认证**: BasicAuth 或 OAuth 中间件
3. **定期更新**: 保持 Traefik 和 K3s 最新版本
4. **监控告警**: 集成 Prometheus 监控
5. **日志审计**: 保留访问日志
## 下一步
- [ ] 将服务逐步迁移到容器化部署
- [ ] 配置自动扩展 (HPA)
- [ ] 集成监控和告警
- [ ] 配置备份策略
- [ ] 文档化运维流程

8
k8s/xiongxiao.me/config/master-token.md
View File

@@ -17,3 +17,11 @@ kubectl label nodes vm-32-6-ubuntu machine=library --overwrite
删除label 删除label
kubectl label nodes vm-32-6-ubuntu machine- --overwrite kubectl label nodes vm-32-6-ubuntu machine- --overwrite
### on
kubectl label nodes vm-16-2-ubuntu machine=on --overwrite
### light
kubectl label nodes vm-12-6-ubuntu machine=light --overwrite

73
k8s/xiongxiao.me/config/registry.md
View File

@@ -4,30 +4,33 @@ sudo vim /etc/rancher/k3s/registries.yaml
mirrors: mirrors:
docker.io: docker.io:
endpoint: endpoint:
- "https://docker.1ms.run" - 'https://docker.1ms.run'
- "https://docker.m.daocloud.io" - 'https://docker.m.daocloud.io'
- "https://docker.1panel.live" - 'https://docker.1panel.live'
- "https://docker-0.unsee.tech" - 'https://docker-0.unsee.tech'
- "https://dytt.online" - 'https://dytt.online'
- "https://lispy.org" - 'https://lispy.org'
- "https://docker.xiaogenban1993.com" - 'https://docker.xiaogenban1993.com'
- "https://666860.xyz" - 'https://666860.xyz'
- "https://hub.rat.dev" - 'https://hub.rat.dev'
- "https://demo.52013120.xyz" - 'https://demo.52013120.xyz'
- "https://proxy.vvvv.ee" - 'https://proxy.vvvv.ee'
- "https://registry.cyou" - 'https://registry.cyou'
- "http://hub-mirror.c.163.com" - 'http://hub-mirror.c.163.com'
# rancher 镜像加速 "registry.k8s.io":
"rancher":
endpoint: endpoint:
- "https://docker.1ms.run/rancher" - 'https://k8s.m.daocloud.io'
- 'https://docker.m.daocloud.io'
# rancher 镜像加速
'rancher':
endpoint:
- 'https://docker.1ms.run/rancher'
configs: configs:
"docker.1ms.run": 'docker.1ms.run':
tls: tls:
insecure_skip_verify: true insecure_skip_verify: true
``` ```
```bash ```bash
@@ -44,25 +47,37 @@ sudo systemctl restart k3s-agent
vim /etc/containerd/config.toml vim /etc/containerd/config.toml
disabled_plugins = ["cri"]
[plugins."io.containerd.grpc.v1.cri".registry] [plugins."io.containerd.grpc.v1.cri".registry]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors] [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = [ endpoint = [
"https://docker.1panel.live",
"https://docker.1ms.run", "https://docker.1ms.run",
"https://docker.m.daocloud.io",
"https://docker.1panel.live",
"https://dytt.online", "https://dytt.online",
"https://docker-0.unsee.tech", "https://docker-0.unsee.tech",
"https://lispy.org", "https://lispy.org",
"https://docker.xiaogenban1993.com", "https://docker.xiaogenban1993.com",
"https://666860.xyz", "https://666860.xyz",
"https://hub.rat.dev", "https://hub.rat.dev",
"https://docker.m.daocloud.io",
"https://demo.52013120.xyz", "https://demo.52013120.xyz",
"https://proxy.vvvv.ee", "https://proxy.vvvv.ee",
"https://registry.cyou" "https://registry.cyou"
] ]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.k8s.io"]
endpoint = [
"https://k8s.m.daocloud.io"
"https://docker.m.daocloud.io",
]
```
# 重启 containerd
```bash
sudo systemctl restart containerd sudo systemctl restart containerd
sudo ctr image pull docker.io/library/verdaccio:latest sudo ctr image pull docker.io/library/verdaccio:latest
@@ -76,3 +91,21 @@ sudo ctr -n k8s.io images delete docker.m.daocloud.io/rancher/mirrored-pause:3.6
# 查看镜像 # 查看镜像
sudo ctr -n k8s.io images ls | grep pause sudo ctr -n k8s.io images ls | grep pause
``` ```
## 安装 cluster-api-controller
```bash
registry.k8s.io/cluster-api/cluster-api-controller:v1.10.6
sudo ctr image pull registry.k8s.io/cluster-api/cluster-api-controller:v1.10.6
# proxy 镜像
sudo ctr -n k8s.io image pull k8s.m.daocloud.io/cluster-api/cluster-api-controller:v1.10.6
# 打标签
sudo ctr -n k8s.io images tag k8s.m.daocloud.io/cluster-api/cluster-api-controller:v1.10.6 registry.k8s.io/cluster-api/cluster-api-controller:v1.10.6
# 删除镜像
sudo ctr -n k8s.io images delete k8s.m.daocloud.io/cluster-api/cluster-api-controller:v1.10.6
```

32
k8s/xiongxiao.me/docs/09-ipv6-dualstack.md Normal file
View File

@@ -0,0 +1,32 @@
---
title: "K8s 升级为 IPv4/IPv6 双栈配置"
description: "详细介绍如何将 K3s 集群从单栈 IPv4 升级为 IPv4/IPv6 双栈模式包括系统准备、K3s 配置修改、服务验证和常见问题排查。"
tags: ["k8s", "k3s", "ipv6", "dual-stack", "network", "upgrade"]
createdAt: "2025-11-26"
---
# K8s 升级为 IPv4/IPv6 双栈配置
本文档介绍如何将 K3s 集群升级为支持 IPv4/IPv6 双栈网络。
## 前置条件检查
### 1. SSH 连接到远程服务器
```sh
# 连接到主节点
ssh user@your-master-node
# 或使用别名(如果已配置)
ssh light
```
默认配置
```yaml
tls-san:
- "rancher.xiongxiao.me" # 你的域名
- "121.4.112.18" # 你的公网 IP
```
systemctl restart k3s

33
k8s/xiongxiao.me/ingress/apps-ingressroute.yaml
View File

@@ -310,3 +310,36 @@ spec:
port: 3000 port: 3000
tls: tls:
certResolver: letsencrypt certResolver: letsencrypt
---
# RBAC 配置
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: traefik-ingressroute-role
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups: ["traefik.io"]
resources: ["ingressroutes"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: traefik-ingressroute-rolebinding
namespace: default
subjects:
- kind: ServiceAccount
name: traefik-ingressroute-sa
namespace: kube-system
roleRef:
kind: Role
name: traefik-ingressroute-role
apiGroup: rbac.authorization.k8s.io

39
k8s/xiongxiao.me/ingress/home-ingress.yaml Normal file
View File

@@ -0,0 +1,39 @@
---
# Traefik IngressRoute 配置 - Home Assistant
# tags: traefik, ingressroute, https, ssl, home-assistant, websocket, ipv6
# description: Home Assistant 服务的 Traefik IngressRoute 配置,支持 IPv6、HTTPS、WebSocket
# title: Home Assistant IngressRoute 配置
# createdAt: 2025-11-26
---
# Home Assistant HTTPS 入口
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: home-https
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`home.mz.xiongxiao.me`)
kind: Rule
services:
- name: home-external
port: 8123
scheme: http
tls:
certResolver: letsencrypt
---
# Home Assistant 外部服务 (通过域名解析 IPv6)
apiVersion: v1
kind: Service
metadata:
name: home-external
namespace: default
spec:
type: ExternalName
externalName: xionmi.mz.zxj.im
---
# kubectl run test-ipv6 --image=curlimages/curl:latest -it --rm -- sh
# curl -6 http://home.mz.xiongxiao.me:8123

36
k8s/xiongxiao.me/ingress/rancher-ingress.yaml
View File

@@ -1,27 +1,19 @@
--- ---
apiVersion: networking.k8s.io/v1 # Rancher - rancher.xiongxiao.me
kind: Ingress # 使用 IngressRoute 以便正确使用 Let's Encrypt 证书
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata: metadata:
name: rancher name: rancher-https
namespace: cattle-system namespace: cattle-system
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt # 使用 Let's Encrypt
spec: spec:
ingressClassName: traefik entryPoints:
rules: - websecure
- host: rancher.xiongxiao.me routes:
http: - match: Host(`rancher.xiongxiao.me`)
paths: kind: Rule
- path: / services:
pathType: Prefix - name: rancher
backend: port: 80
service:
name: rancher
port:
number: 80
tls: tls:
- hosts: certResolver: letsencrypt
- rancher.xiongxiao.me
# secretName: tls-rancher-ingress # 使用自动证书,不需要手动指定 secret

4
k8s/xiongxiao.me/restart.sh
View File

@@ -1,4 +0,0 @@
kubectl rollout restart deployment/traefik -n traefik
kubectl logs -n traefik -l app=traefik -f

38
k8s/xiongxiao.me/traefik/traefik-complete.yaml
View File

@@ -1,9 +1,9 @@
--- ---
# Traefik 完整部署配置 # Traefik 完整部署配置
# 包含 RBAC、Deployment、Service、IngressClass 和 Let's Encrypt SSL # 包含 RBAC、Deployment、Service、IngressClass 和 Let's Encrypt SSL
# tags: traefik, ingress, ssl, https, let's encrypt, acme, kubernetes # tags: traefik, ingress, ssl, https, let's encrypt, acme, kubernetes, master-node
# description: Traefik 反向代理完整配置,包含自动 SSL 证书支持(Let's Encrypt) # description: Traefik 反向代理完整配置,部署在 master 节点,包含自动 SSL 证书支持(Let's Encrypt)
# title: Traefik 完整部署配置 - 含 SSL 证书 # title: Traefik 完整部署配置 - 含 SSL 证书(Master 节点部署)
# createdAt: 2025-11-26 # createdAt: 2025-11-26
--- ---
# PersistentVolume 用于存储 ACME 证书数据 # PersistentVolume 用于存储 ACME 证书数据
@@ -131,12 +131,22 @@ spec:
app: traefik app: traefik
spec: spec:
serviceAccountName: traefik serviceAccountName: traefik
# 节点选择器:选择 master 节点(已注释,允许在任意节点调度)
# nodeSelector:
# node-role.kubernetes.io/control-plane: ""
# 容忍 master 节点的污点
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
containers: containers:
- name: traefik - name: traefik
image: traefik:v3.2 image: traefik:latest
args: args:
- --api.insecure=true - --api.insecure=true
- --providers.kubernetesingress
- --providers.kubernetescrd - --providers.kubernetescrd
- --entrypoints.web.address=:80 - --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443 - --entrypoints.websecure.address=:443
@@ -192,3 +202,21 @@ metadata:
name: traefik name: traefik
spec: spec:
controller: traefik.io/ingress-controller controller: traefik.io/ingress-controller
---
# Traefik Dashboard IngressRoute - HTTPS only
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
namespace: traefik
spec:
entryPoints:
- websecure
routes:
- match: Host(`traefik.xiongxiao.me`)
kind: Rule
services:
- name: api@internal
kind: TraefikService
tls:
certResolver: letsencrypt