chore: 清理调试脚本并收敛到 Ansible 流程

移除已废弃的调试/验证脚本与空目录,统一文档与脚本说明到 ansible-playbook 的部署方式,避免失效引用和误用路径。

Made-with: Cursor
2026-03-23 19:18:55 +08:00
parent 8a54cac61f
commit be97836e0d
92 changed files with 3463 additions and 4855 deletions


@@ -1,94 +1,94 @@
# docs/03-03 第 5 节Tomcat + test05.jackadam.top 验证 HTTPS请按需改域名
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tomcat-test05
namespace: default
labels:
app: tomcat-test05
spec:
replicas: 1
selector:
matchLabels:
app: tomcat-test05
template:
metadata:
labels:
app: tomcat-test05
spec:
containers:
- name: tomcat
image: tomcat:9.0
apiVersion: apps/v1 # Deployment API 版本
kind: Deployment # 工作负载Deployment
metadata: # Deployment 元信息
name: tomcat-test05 # Deployment 名称
namespace: default # 命名空间
labels: # 标签
app: tomcat-test05 # 应用标签
spec: # Deployment 规格
replicas: 1 # 副本数
selector: # Deployment 选择器
matchLabels: # 标签匹配集合
app: tomcat-test05 # 与模板标签对齐
template: # Pod 模板
metadata: # Pod 元信息
labels: # Pod 标签
app: tomcat-test05 # 与 selector.matchLabels 对齐
spec: # Pod 规格
containers: # 容器列表
- name: tomcat # 容器名
image: tomcat:9.0 # Tomcat 镜像版本
# 官方镜像默认 webapps 在 webapps.dist整目录复制到 webapps与 Docker Compose cp -a webapps.dist/* webapps 等价)
command:
- sh
- -c
- |
command: # 启动命令(覆盖默认 ENTRYPOINT/CMD
- sh # 使用 shell
- -c # shell 执行模式
- | # 多行脚本(内部内容保持原样)
set -e
CATALINA_HOME=/usr/local/tomcat
mkdir -p "${CATALINA_HOME}/webapps"
cp -a "${CATALINA_HOME}/webapps.dist/." "${CATALINA_HOME}/webapps/"
exec "${CATALINA_HOME}/bin/catalina.sh" run
ports:
- containerPort: 8080
ports: # 容器端口
- containerPort: 8080 # Tomcat HTTP 端口
---
apiVersion: v1
kind: Service
metadata:
name: tomcat-test05
namespace: default
spec:
selector:
app: tomcat-test05
ports:
- port: 8080
targetPort: 8080
apiVersion: v1 # Service API 版本
kind: Service # Service 资源
metadata: # Service 元信息
name: tomcat-test05 # Service 名称
namespace: default # 命名空间
spec: # Service 规格
selector: # 后端 Pod 选择器
app: tomcat-test05 # 选中 app=tomcat-test05 的 Pod
ports: # 端口映射
- port: 8080 # Service 暴露端口
targetPort: 8080 # 转发到容器端口
---
# HTTPSwebsecure
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: tomcat-test05-acme
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls.certresolver: cloudflare
spec:
ingressClassName: traefik
tls:
- hosts:
- test05.jackadam.top
rules:
- host: test05.jackadam.top
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: tomcat-test05
port:
number: 8080
apiVersion: networking.k8s.io/v1 # Ingress API 版本
kind: Ingress # Ingress 资源HTTPS
metadata: # Ingress 元信息
name: tomcat-test05-acme # HTTPS Ingress 名称
namespace: default # 命名空间
annotations: # Traefik 注解
traefik.ingress.kubernetes.io/router.entrypoints: websecure # 使用 HTTPS 入口
traefik.ingress.kubernetes.io/router.tls.certresolver: cloudflare # 使用 Cloudflare certresolver
spec: # Ingress 规则
ingressClassName: traefik # 指定 IngressClass
tls: # TLS 配置
- hosts: # 证书覆盖域名
- test05.jackadam.top # 域名
rules: # 路由规则
- host: test05.jackadam.top # 主机匹配
http: # HTTP 路由定义
paths: # 路径列表
- path: / # 根路径
pathType: Prefix # 前缀匹配
backend: # 后端目标
service: # 后端 Service
name: tomcat-test05 # Service 名称
port: # Service 端口
number: 8080 # 端口号
---
# HTTPweb与 03-02 nginx-matrix-tls 一致:拆成两个 Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: tomcat-test05-http
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
ingressClassName: traefik
rules:
- host: test05.jackadam.top
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: tomcat-test05
port:
number: 8080
apiVersion: networking.k8s.io/v1 # Ingress API 版本
kind: Ingress # Ingress 资源HTTP
metadata: # Ingress 元信息
name: tomcat-test05-http # HTTP Ingress 名称
namespace: default # 命名空间
annotations: # Traefik 注解
traefik.ingress.kubernetes.io/router.entrypoints: web # 使用 HTTP 入口
spec: # Ingress 规则
ingressClassName: traefik # 指定 IngressClass
rules: # 路由规则
- host: test05.jackadam.top # 主机匹配
http: # HTTP 路由定义
paths: # 路径列表
- path: / # 根路径
pathType: Prefix # 前缀匹配
backend: # 后端目标
service: # 后端 Service
name: tomcat-test05 # Service 名称
port: # Service 端口
number: 8080 # 端口号
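Review bot: The startup script in the Deployment copies all of `webapps.dist/.` into `webapps`, and in the official tomcat image that directory holds not only ROOT but also the manager, host-manager, examples and docs applications, so they become reachable on test05.jackadam.top through both Ingresses in this file. If only the default page is needed, copy just the root app, `cp -a "${CATALINA_HOME}/webapps.dist/ROOT" "${CATALINA_HOME}/webapps/"`, or remove the admin and example apps after the copy; the in-line comment above `command:` should then say which apps are deployed. The `tomcat-test05-http` Ingress serves the same host in plaintext alongside the TLS one and I see no redirect middleware here; if that mirrors 03-02 on purpose, a one-line comment on that Ingress saying so would save the next reader from asking. The container also runs without `resources` or a `securityContext`, which is acceptable for a verification manifest but worth a comment so it is not copied into a real deployment.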


@@ -1,62 +1,83 @@
# 03-03 Traefik Dashboard + ACME 合并配置HelmChartConfig
# Dashboard、ACMECloudflare DNS-01、ping、PROXY protocol与 03-02 一致)
# 使用前:替换 <YOUR_REAL_EMAIL>,创建 cloudflare-api-token Secret按实际修改 nodeSelector/trustedIPs
# 部署kubectl apply -f traefik-dashboard-acme.yaml
# 03-03 Traefik Dashboard + ACME(唯一清单,推荐
# =============================================================================
# HelmChartConfiglocal-path 持久化 /data + ACME Cloudflare DNS-01 + Dashboard
# + IngressRoute/dashboard、/api
# acme.json 与 chart persistence 均落在 /dataPod 重建后证书仍在nodeSelector 须固定单节点RWO
#
# 部署kubectl apply -f ansible/files/traefik-dashboard-acme/traefik-dashboard-acme.yaml
# 使用前:替换 <YOUR_REAL_EMAIL>、nodeSelector 主机名Secret cloudflare-api-token 已存在(见 03-02
# 全集群只能有一份 HelmChartConfig metadata.name=traefik
#
# --- 不要 Dashboard 时 ---
# 删除文末 IngressRoute 整段;并在 valuesContent 中删掉 ports可选、--api.dashboard、--api.insecure
#
# --- 临时不用持久化(不推荐)---
# 将 persistence.enabled 改为 false 并删掉 persistence 下其余字段(证书可能随 Pod 丢失)
# =============================================================================
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: traefik
namespace: kube-system
spec:
valuesContent: |-
ports:
web:
expose: true
websecure:
expose: true
apiVersion: helm.cattle.io/v1 # HelmChartConfig 所在的 API 版本
kind: HelmChartConfig # HelmChartConfig给 K3s/Helm 注入 values 的资源
metadata: # 资源标识信息
name: traefik # chart 对应的 name需要与 Traefik chart/约定一致)
namespace: kube-system # Traefik 通常运行在 kube-system
spec: # 该资源要注入 chart 的配置
valuesContent: |- # 以“字符串形式的 YAML”注入到 Helm chart values由 chart 解析)
ports: # 暴露 entrypoints 给集群入口
web: # HTTP entrypoint
expose: true # 允许暴露 web
websecure: # HTTPS entrypoint
expose: true # 允许暴露 websecure
additionalArguments:
- "--api.dashboard=true"
- "--api.insecure=true"
persistence: # chart 持久化配置:为 /data 挂载 PVC
enabled: true # 开启持久卷
name: data # chart 创建/引用的卷名PVC 等)
accessMode: ReadWriteOnce # RWO同一时间只能在一个节点挂载
size: 512Mi # 请求容量local-path 会据此创建本地卷)
storageClass: local-path # 使用 K3s 的 local-path-provisioner
path: /data # 容器内挂载目录(与 acme.storage 一致)
- "--log.level=INFO"
- "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
- "--certificatesresolvers.cloudflare.acme.email=<YOUR_REAL_EMAIL>"
- "--certificatesresolvers.cloudflare.acme.storage=/data/acme.json"
additionalArguments: # 额外传给 Traefik 的 CLI 参数
- "--api.dashboard=true" # 打开 dashboard 功能
- "--api.insecure=true" # k8s允许 dashboard 在入口可用(注意安全)
- "--log.level=INFO" # 日志级别
- "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53" # DNS 解析器列表(用于 DNS-01
- "--certificatesresolvers.cloudflare.acme.email=<YOUR_REAL_EMAIL>" # ACME 注册邮箱
- "--certificatesresolvers.cloudflare.acme.storage=/data/acme.json" # 证书与账户存储(容器内 /data
# - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" # 测试用,上线前删除
- "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
- "--certificatesresolvers.cloudflare.acme.dnschallenge.propagation.delayBeforeChecks=600"
- "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare" # DNS-01 providercloudflare
- "--certificatesresolvers.cloudflare.acme.dnschallenge.propagation.delayBeforeChecks=600" # DNS-01 propagation 等待秒数
- "--ping=true"
- "--ping.entryPoint=websecure"
- "--ping=true" # 开启 ping healthcheck
- "--ping.entryPoint=websecure" # ping 使用 websecure(HTTPS) entrypoint
- "--entrypoints.web.proxyProtocol.trustedIPs=192.168.2.0/24"
- "--entrypoints.websecure.proxyProtocol.trustedIPs=192.168.2.0/24"
- "--entrypoints.web.proxyProtocol.trustedIPs=192.168.2.0/24" # web entrypoint 信任的代理网段
- "--entrypoints.websecure.proxyProtocol.trustedIPs=192.168.2.0/24" # websecure entrypoint 信任的代理网段
env:
- name: CF_DNS_API_TOKEN
valueFrom:
secretKeyRef:
name: cloudflare-api-token
key: api-token
env: # 环境变量注入
- name: CF_DNS_API_TOKEN # 供 Traefik 使用的 Cloudflare Token 环境变量名
valueFrom: # 从 Secret 挂载
secretKeyRef: # Secret 引用方式
name: cloudflare-api-token # Secret 名
key: api-token # Secret 内 key
nodeSelector:
kubernetes.io/hostname: ylc61
nodeSelector: # 将 Traefik Pod 固定到指定节点(避免 local-path RWO 迁移导致丢数据)
kubernetes.io/hostname: ylc61 # 目标节点主机名
---
# 显式 IngressRoute与 03-01 一致,确保 /dashboard 可达; Helm ingressRoute.dashboard 在 K3s chart 中未必生效)
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
namespace: kube-system
spec:
entryPoints:
- web
routes:
- match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
kind: Rule
services:
- name: api@internal
kind: TraefikService
apiVersion: traefik.io/v1alpha1 # IngressRoute API 版本
kind: IngressRoute # Traefik 路由 CRD
metadata: # IngressRoute 元信息
name: traefik-dashboard # 路由名称
namespace: kube-system # 命名空间
spec: # IngressRoute 规则
entryPoints: # 入口点列表
- web # 使用 web(HTTP) 入口
routes: # 路由规则列表
- match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) # 匹配 Dashboard/API 路径前缀
kind: Rule # 规则类型
services: # 后端服务
- name: api@internal # Traefik 内置 API 服务
kind: TraefikService # 服务类型
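Review bot: The IngressRoute at the end routes `PathPrefix(`/dashboard`) || PathPrefix(`/api`)` on the `web` (plain HTTP) entrypoint to `api@internal` with no Host() rule and no middleware, so the Traefik API and dashboard are reachable unauthenticated over HTTP on every hostname the cluster serves, and any application path starting with `/api` (including on the Tomcat host in the other file) is captured by Traefik instead of the app. Pin the match to a host and the HTTPS entrypoint, e.g. `- match: Host(`<DASHBOARD_HOST placeholder>`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))` under `entryPoints: [websecure]`, and attach a `middlewares:` entry referencing a Middleware resource with `basicAuth` or `ipAllowList` limited to the management network. With the route going through `api@internal`, `--api.insecure=true` is not needed for the dashboard and additionally serves the API on the container's `traefik` entrypoint without auth; `--api.dashboard=true` alone suffices, and the existing comment "注意安全" on that line should state the concrete exposure. The persistence comment block says the node is pinned for RWO local-path; note there that the `nodeSelector` hostname `ylc61` must also match before the ACME state in `/data/acme.json` is relied upon, since a mismatch leaves the Pod unschedulable rather than merely unpersisted.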