From c59ad4b83f56219c5150b0c90c955ec8fc402047 Mon Sep 17 00:00:00 2001
From: abearxiong
Date: Sun, 1 Mar 2026 00:13:45 +0800
Subject: [PATCH] =?UTF-8?q?=E6=9B=B4=E6=96=B0=E5=A4=9A=E4=B8=AA=E5=BA=94?=
 =?UTF-8?q?=E7=94=A8=E7=9A=84=E9=95=9C=E5=83=8F=E5=9C=B0=E5=9D=80=EF=BC=8C?=
 =?UTF-8?q?=E8=B0=83=E6=95=B4=E6=95=B0=E6=8D=AE=E5=AD=98=E5=82=A8=E8=B7=AF?=
 =?UTF-8?q?=E5=BE=84=EF=BC=8C=E6=96=B0=E5=A2=9E=20Traefik=20=E9=85=8D?=
 =?UTF-8?q?=E7=BD=AE=EF=BC=8C=E5=88=A0=E9=99=A4=E6=97=A0=E7=94=A8=E7=9A=84?=
 =?UTF-8?q?=20Keycloak=20=E9=85=8D=E7=BD=AE=E6=96=87=E4=BB=B6=EF=BC=8C?=
 =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E5=BF=85=E9=A1=BB=E6=89=A7=E8=A1=8C=E7=9A=84?=
 =?UTF-8?q?=E8=84=9A=E6=9C=AC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 k8s/kevisual.cn/README.md | 41 +++++++++++++++++++
 k8s/kevisual.cn/apps/esm.yaml | 4 +-
 k8s/kevisual.cn/apps/jimeng-api/app.yaml | 2 +-
 k8s/kevisual.cn/apps/keycloak/app.yaml | 45 ---------------------
 k8s/kevisual.cn/apps/nocodb.yaml | 8 ++--
 k8s/kevisual.cn/apps/openlist/openlist.yaml | 4 +-
 k8s/kevisual.cn/config/master-token.md | 2 +-
 k8s/kevisual.cn/must.sh | 1 +
 k8s/kevisual.cn/pro/index.md | 4 +-
 k8s/kevisual.cn/sh/mirror/proxy-base.sh | 4 +-
 k8s/kevisual.cn/sh/mirror/proxy-jimeng.sh | 15 -------
 k8s/kevisual.cn/traefik.yaml | 23 +++++++++--
 12 files changed, 75 insertions(+), 78 deletions(-)
 delete mode 100644 k8s/kevisual.cn/apps/keycloak/app.yaml
 create mode 100644 k8s/kevisual.cn/must.sh
 delete mode 100644 k8s/kevisual.cn/sh/mirror/proxy-jimeng.sh
diff --git a/k8s/kevisual.cn/README.md b/k8s/kevisual.cn/README.md
index cb6a5fb..7ee7908 100644
--- a/k8s/kevisual.cn/README.md
+++ b/k8s/kevisual.cn/README.md
@@ -33,4 +33,45 @@ sudo vim /etc/rancher/k3s/registries.yaml ```sh kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml +``` + +## let + +# 将访问宿主机 80 端口的流量转发到 30080 +```sh +sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 30080 +sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 30443 + +# 别忘了保存规则(Ubuntu 下) +sudo apt install iptables-persistent +sudo netfilter-persistent save +``` + +## let 2 + +```sh +#回路 +iptables -t nat -L PREROUTING -vn --line-numbers +### 删除 +sudo iptables -t nat -D PREROUTING 1 2>/dev/null +sudo iptables -t nat -I PREROUTING 1 -p tcp --dport 443 -j DNAT --to-destination 118.196.32.29:30443 + + +#去路(根据数据包判断顺序) +sudo iptables -t nat -L POSTROUTING -vn --line-numbers +## 删除 +sudo iptables -t nat -D POSTROUTING 1 +sudo iptables -t nat -A POSTROUTING -d 118.196.32.29 -p tcp --dport 30443 -j MASQUERADE + + +#强制刷新权限 +sudo iptables -I FORWARD 1 -j ACCEPT +sudo netfilter-persistent save +``` + + +``` +CLUSTER_IP=$(kubectl get svc traefik -n traefik -o jsonpath='{.spec.clusterIP}') +echo "Traefik 的固定 ClusterIP 是: $CLUSTER_IP" +Traefik 的固定 ClusterIP 是: 10.43.131.173 ``` \ No newline at end of file diff --git a/k8s/kevisual.cn/apps/esm.yaml b/k8s/kevisual.cn/apps/esm.yaml index 1655006..423dab3 100644 --- a/k8s/kevisual.cn/apps/esm.yaml +++ b/k8s/kevisual.cn/apps/esm.yaml @@ -16,7 +16,7 @@ spec: spec: containers: - name: esm - image: ghcr.io/esm-dev/esm.sh:v136_1 + image: docker.cnb.cool/kevisual/dev-env/esm.sh:v137 ports: - containerPort: 12000 protocol: TCP @@ -27,7 +27,7 @@ spec: volumes: - name: esm-data hostPath: - path: /opt/docker/esm/data + path: /root/kevisual/k8s/esm/data type: Directory nodeSelector: machine: "kevisual" diff --git a/k8s/kevisual.cn/apps/jimeng-api/app.yaml b/k8s/kevisual.cn/apps/jimeng-api/app.yaml index 145f993..f0fe119 100644 --- a/k8s/kevisual.cn/apps/jimeng-api/app.yaml 
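Review bot: The new `image:` line pins a version tag on the mirror registry (`docker.cnb.cool/kevisual/dev-env/esm.sh:v137`) but no digest, so whatever is later re-pushed to that tag on the mirror is what the node runs; the same applies to the changed image lines in jimeng-api/app.yaml, nocodb.yaml, openlist/openlist.yaml and traefik.yaml in this commit. A tag on a self-managed mirror is mutable, so a mirrored copy diverging from upstream would not be noticed by the cluster. Pin the digest alongside the tag, `image: docker.cnb.cool/kevisual/dev-env/esm.sh:v137@sha256:<digest-from-mirror>`, and record next to it where each mirrored image was copied from. The enclosing Deployment spec starts and ends outside the hunk.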
+++ b/k8s/kevisual.cn/apps/jimeng-api/app.yaml @@ -18,7 +18,7 @@ spec: spec: containers: - name: jimeng-api - image: ghcr.io/iptag/jimeng-api:latest + image: docker.cnb.cool/kevisual/dev-env/jimeng-api:v1.9.5 imagePullPolicy: Always ports: - containerPort: 5100 diff --git a/k8s/kevisual.cn/apps/keycloak/app.yaml b/k8s/kevisual.cn/apps/keycloak/app.yaml deleted file mode 100644 index 82c00f0..0000000 --- a/k8s/kevisual.cn/apps/keycloak/app.yaml +++ /dev/null @@ -1,45 +0,0 @@ ---- -# Keycloak - keycloak.kevisual.cn -apiVersion: traefik.io/v1alpha1 -kind: IngressRoute -metadata: - name: keycloak-https - namespace: default -spec: - entryPoints: - - websecure - routes: - - match: Host(`keycloak.kevisual.cn`) - kind: Rule - services: - - name: keycloak-external - port: 8082 - tls: - certResolver: letsencrypt - ---- -# Keycloak 服务 (端口 8082, 本地) -apiVersion: v1 -kind: Service -metadata: - name: keycloak-external - namespace: default -spec: - type: ClusterIP - ports: - - port: 8082 - targetPort: 8082 - protocol: TCP - name: http ---- -apiVersion: v1 -kind: Endpoints -metadata: - name: keycloak-external - namespace: default -subsets: -- addresses: - - ip: 118.196.32.29 - ports: - - port: 8082 - name: http diff --git a/k8s/kevisual.cn/apps/nocodb.yaml b/k8s/kevisual.cn/apps/nocodb.yaml index cd4603c..7ae7c73 100644 --- a/k8s/kevisual.cn/apps/nocodb.yaml +++ b/k8s/kevisual.cn/apps/nocodb.yaml @@ -19,7 +19,7 @@ spec: spec: containers: - name: postgres - image: postgres:17.6 + image: docker.cnb.cool/kevisual/dev-env/postgres:17.6 ports: - containerPort: 5432 env: @@ -59,7 +59,7 @@ spec: volumes: - name: postgres-storage hostPath: - path: /opt/docker/nocodb/postgres_data + path: /root/kevisual/k8s/nocodb/postgres_data type: Directory nodeSelector: machine: "kevisual" @@ -99,7 +99,7 @@ spec: spec: containers: - name: nocodb - image: nocodb/nocodb:latest + image: docker.cnb.cool/kevisual/dev-env/nocodb:0.301.3 ports: - containerPort: 8080 env: 
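Review bot: `imagePullPolicy: Always` on the context line below the changed image suited the old `:latest` tag, but with the new pinned `v1.9.5` it only adds a hard dependency on the mirror registry being reachable at every pod restart, and it gives no integrity guarantee by itself. Either drop the line so the default `IfNotPresent` applies for a tagged image, or keep `Always` and pin a digest so repeated pulls are verified to be the same content. The container spec continues outside the hunk.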
@@ -121,7 +121,7 @@ spec: volumes: - name: nc-data-storage hostPath: - path: /opt/docker/nocodb/nc_data + path: /root/kevisual/k8s/nocodb/nc_data type: Directory nodeSelector: machine: "kevisual" diff --git a/k8s/kevisual.cn/apps/openlist/openlist.yaml b/k8s/kevisual.cn/apps/openlist/openlist.yaml index ec46a06..ea1abd4 100644 --- a/k8s/kevisual.cn/apps/openlist/openlist.yaml +++ b/k8s/kevisual.cn/apps/openlist/openlist.yaml @@ -16,7 +16,7 @@ spec: spec: containers: - name: openlist - image: docker.1ms.run/openlistteam/openlist:latest + image: docker.cnb.cool/kevisual/dev-env/openlist:v4.1.10 securityContext: runAsUser: 0 ports: @@ -31,7 +31,7 @@ spec: volumes: - name: openlist-data hostPath: - path: /opt/docker/openlist/data + path: /root/kevisual/k8s/openlist/data type: DirectoryOrCreate nodeSelector: machine: "kevisual" diff --git a/k8s/kevisual.cn/config/master-token.md b/k8s/kevisual.cn/config/master-token.md index 061fe1c..c9d0c07 100644 --- a/k8s/kevisual.cn/config/master-token.md +++ b/k8s/kevisual.cn/config/master-token.md @@ -4,7 +4,7 @@ K109668b353a17ff6ea9d68535255f880cf583c5c83c357d181ac5f963505033af4::server:f95b ```sh -curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn K3S_URL=https://kevisual.cn:6443 K3S_TOKEN=K109668b353a17ff6ea9d68535255f880cf583c5c83c357d181ac5f963505033af4::server:f95b219abcfe507760f04ff88be52ccd sh -s -- --pause-image=docker.1ms.run/rancher/mirrored-pause:3.9 +curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn K3S_URL=https://kevisual.cn:6443 K3S_TOKEN=K109668b353a17ff6ea9d68535255f880cf583c5c83c357d181ac5f963505033af4::server:f95b219abcfe507760f04ff88be52ccd sh -s -- --pause-image=docker.cnb.cool/kevisual/dev-env/mirrored-pause:3.9 ``` 会输出类似 diff --git a/k8s/kevisual.cn/must.sh b/k8s/kevisual.cn/must.sh new file mode 100644 index 0000000..aba8fb5 --- /dev/null +++ b/k8s/kevisual.cn/must.sh 
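Review bot: The new hostPath `/root/kevisual/k8s/openlist/data` keeps `type: DirectoryOrCreate`, whereas the esm and nocodb volumes moved in this commit use `type: Directory`. If `/root/kevisual` is meant to be the `/dev/vdb1` mount that `must.sh` adds to fstab, `DirectoryOrCreate` lets the kubelet create the path on the root filesystem whenever that mount is absent, and openlist (running with `runAsUser: 0`) then writes its data there without any error. Change it to `type: Directory` so a missing mount fails the pod instead of silently relocating the data. The volumes list belongs to a Deployment spec that starts outside the hunk.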
@@ -0,0 +1 @@ +echo "/dev/vdb1 /root/kevisual ext4 defaults 0 0" >> /etc/fstab \ No newline at end of file diff --git a/k8s/kevisual.cn/pro/index.md b/k8s/kevisual.cn/pro/index.md index 4fee631..eae4520 100644 --- a/k8s/kevisual.cn/pro/index.md +++ b/k8s/kevisual.cn/pro/index.md @@ -4,13 +4,13 @@ mirrors: docker.io: endpoint: - - "https://docker.1ms.run" - "https://docker.m.daocloud.io" - "https://dockerproxy.net/" + - "https://docker.cnb.cool/kevisual/dev-env" ``` ```sh -cat config.toml +#cat config.toml disabled_plugins = ["cri"] [plugins."io.containerd.grpc.v1.cri".registry] diff --git a/k8s/kevisual.cn/sh/mirror/proxy-base.sh b/k8s/kevisual.cn/sh/mirror/proxy-base.sh index 8469b2b..3ab8763 100644 --- a/k8s/kevisual.cn/sh/mirror/proxy-base.sh +++ b/k8s/kevisual.cn/sh/mirror/proxy-base.sh @@ -3,10 +3,10 @@ # 1. 使用 Docker pull 镜像 -docker pull docker.io/rancher/mirrored-pause:3.6 +docker pull docker.cnb.cool/kevisual/dev-env/mirrored-pause:3.6/rancher/mirrored-pause:3.6 # 2. 将 Docker 镜像保存为 tar 文件 -docker save docker.io/rancher/mirrored-pause:3.6 -o mirrored-pause-3.6.tar +docker save docker.cnb.cool/kevisual/dev-env/mirrored-pause:3.6/rancher/mirrored-pause:3.6 -o mirrored-pause-3.6.tar # 3. 使用 K3s 的 ctr 导入镜像 sudo k3s ctr images import mirrored-pause-3.6.tar diff --git a/k8s/kevisual.cn/sh/mirror/proxy-jimeng.sh b/k8s/kevisual.cn/sh/mirror/proxy-jimeng.sh deleted file mode 100644 index e5540f3..0000000 --- a/k8s/kevisual.cn/sh/mirror/proxy-jimeng.sh +++ /dev/null @@ -1,15 +0,0 @@ -## k3s ctr 直接下载不了镜像,用其他的方式下载然后导入 -# sudo k3s ctr images pull docker.io/ghcr.io/iptag/jimeng-api:latest - - -# 1. 使用 Docker pull 镜像 -docker pull docker.io/ghcr.io/iptag/jimeng-api:latest - -# 2. 将 Docker 镜像保存为 tar 文件 -docker save docker.io/ghcr.io/iptag/jimeng-api:latest -o mirrored-pause-3.6.tar - -# 3. 使用 K3s 的 ctr 导入镜像 -sudo k3s ctr images import mirrored-pause-3.6.tar - -# 4. 验证镜像是否导入成功 -sudo k3s ctr images ls | grep pause \ No newline at end of file 
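Review bot: The single `echo ... >> /etc/fstab` line is not idempotent: every run of `must.sh` appends another identical fstab entry, and the file has no shebang or error handling. Guard the append, e.g. `#!/usr/bin/env bash`, `set -euo pipefail`, `grep -qF '/dev/vdb1 /root/kevisual' /etc/fstab || echo "/dev/vdb1 /root/kevisual ext4 defaults 0 0" >> /etc/fstab`. The script also neither creates the mount point nor runs `mount -a`, so the hostPath volumes that now point under `/root/kevisual` still depend on a manual mount step; presumably that is meant to happen before the manifests are applied, but a comment saying so would help.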
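Review bot: Both changed lines form an invalid image reference: `docker.cnb.cool/kevisual/dev-env/mirrored-pause:3.6/rancher/mirrored-pause:3.6` has a tag (`:3.6`) in the middle of the repository path, which `docker pull` rejects, so the script fails at step 1 and never reaches the save/import steps. The search-and-replace appears to have kept the old `/rancher/mirrored-pause:3.6` suffix; the lines should read `docker pull docker.cnb.cool/kevisual/dev-env/mirrored-pause:3.6` and `docker save docker.cnb.cool/kevisual/dev-env/mirrored-pause:3.6 -o mirrored-pause-3.6.tar`. Note also that this script mirrors pause `3.6` while the `--pause-image` in config/master-token.md in the same commit uses `mirrored-pause:3.9`; if both are meant to be the same image, one of them is stale.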
diff --git a/k8s/kevisual.cn/traefik.yaml b/k8s/kevisual.cn/traefik.yaml index ef6b846..c1c718c 100644 --- a/k8s/kevisual.cn/traefik.yaml +++ b/k8s/kevisual.cn/traefik.yaml @@ -142,7 +142,12 @@ spec: kubernetes.io/hostname: kevisual # 节点主机名是 kevisual containers: - name: traefik - image: traefik:latest + image: docker.cnb.cool/kevisual/dev-env/traefik:v3.6.9 + # env: + # - name: HTTP_PROXY + # value: "http://kevisual.cn:7890" + # - name: HTTPS_PROXY + # value: "http://kevisual.cn:7890" args: - --api.insecure=true - --providers.kubernetescrd @@ -185,12 +190,10 @@ spec: port: 80 targetPort: 80 nodePort: 30080 # 外部通过 30080 访问 HTTP - # nodePort: 80 - name: websecure port: 443 targetPort: 443 nodePort: 30443 # 外部通过 30443 访问 HTTPS - # nodePort: 443 - name: admin port: 8080 targetPort: 8080 @@ -219,4 +222,16 @@ spec: - name: api@internal kind: TraefikService tls: - certResolver: letsencrypt \ No newline at end of file + certResolver: letsencrypt + +--- +# 处理443 端口被占用问题,将 Traefik Service 的 NodePort 修改为 30443,并添加 externalIPs +# kubectl edit svc traefik -n traefik +# spec: +# externalIPs: +# - 118.196.32.29 +# ports: +# - name: websecure +# port: 443 +# targetPort: 443 +# nodePort: 30443 \ No newline at end of file
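Review bot: The new trailing comment block records the `externalIPs`/`nodePort: 30443` fix as a `kubectl edit svc traefik -n traefik` recipe instead of declaring it in the Service in this file, so the manifest no longer describes the running Service and a re-create from this file silently loses the external IP. Put it in the Service spec (which starts outside the hunk): `externalIPs:` / `  - 118.196.32.29` under `spec:`, and delete the comment. In the first hunk, the commented-out `HTTP_PROXY`/`HTTPS_PROXY` env entries have no matching `NO_PROXY`; if they are ever re-enabled as written, the `--providers.kubernetescrd` calls to the in-cluster API server would presumably go through the proxy as well, so either add `NO_PROXY` for the cluster ranges or remove the dead block.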