jack/Deploy-Laboratory
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

基本框架

Browse Source
This commit is contained in:
jack
2026-03-21 04:36:06 +08:00
commit de1be1dbe5
125 changed files with 10302 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
ansible/files/01-08-haproxy/README.md Normal file
View File

@@ -0,0 +1,11 @@
# 01-08 HAProxy 配置
用于 `docs/01-08-openwrt-haproxy.md`,可与 Ansible 共用(复制到 OpenWrt 或通过 playbook 下发)。
| 文件 | 说明 |
|------|------|
| haproxy.cfg | 基础配置TCP 健康检查 |
| haproxy-proxy.cfg | 启用 send-proxy-v2Traefik 真实 IP |
| haproxy-proxy-http-tls.cfg | HTTP 检查 + TLS 检查 + PROXY 组合 |
按实际节点 IP 修改 `192.168.2.61``192.168.2.64`。80/443 被封时可将 `bind *:80` / `bind *:443` 改为 `*:18080` / `*:18443`

39
ansible/files/01-08-haproxy/haproxy-proxy-http-tls.cfg Normal file
View File

@@ -0,0 +1,39 @@
# 01-08 HAProxy - 健康检查升级HTTP+TLS+ PROXY Protocol
# 组合k3s_http 用 option httpchkk3s_https 用 ssl-hello-chk均带 send-proxy-v2
# 文档docs/01-08-openwrt-haproxy.md 第 5 节「健康检查与 PROXY 组合」
global
log /dev/log local0
maxconn 4096
defaults
mode http
option httplog
timeout connect 5s
timeout client 30s
timeout server 30s
frontend http_in
bind *:80
default_backend k3s_http
frontend https_in
bind *:443
mode tcp
default_backend k3s_https
backend k3s_http
option httpchk GET /
balance roundrobin
server ylc61 192.168.2.61:80 check send-proxy-v2
server ylc62 192.168.2.62:80 check send-proxy-v2
server ylc63 192.168.2.63:80 check send-proxy-v2
server ylc64 192.168.2.64:80 check send-proxy-v2
backend k3s_https
mode tcp
option ssl-hello-chk
balance roundrobin
server ylc61 192.168.2.61:443 check send-proxy-v2
server ylc62 192.168.2.62:443 check send-proxy-v2
server ylc63 192.168.2.63:443 check send-proxy-v2
server ylc64 192.168.2.64:443 check send-proxy-v2

37
ansible/files/01-08-haproxy/haproxy-proxy.cfg Normal file
View File

@@ -0,0 +1,37 @@
# 01-08 HAProxy - 启用 PROXY Protocolsend-proxy-v2
# 用于 Traefik 获取真实客户端 IP需配合 Traefik trustedIPs
# 文档docs/01-08-openwrt-haproxy.md 第 5 节
global
log /dev/log local0
maxconn 4096
defaults
mode http
option httplog
timeout connect 5s
timeout client 30s
timeout server 30s
frontend http_in
bind *:80
default_backend k3s_http
frontend https_in
bind *:443
mode tcp
default_backend k3s_https
backend k3s_http
balance roundrobin
server ylc61 192.168.2.61:80 check send-proxy-v2
server ylc62 192.168.2.62:80 check send-proxy-v2
server ylc63 192.168.2.63:80 check send-proxy-v2
server ylc64 192.168.2.64:80 check send-proxy-v2
backend k3s_https
mode tcp
balance roundrobin
server ylc61 192.168.2.61:443 check send-proxy-v2
server ylc62 192.168.2.62:443 check send-proxy-v2
server ylc63 192.168.2.63:443 check send-proxy-v2
server ylc64 192.168.2.64:443 check send-proxy-v2

38
ansible/files/01-08-haproxy/haproxy.cfg Normal file
View File

@@ -0,0 +1,38 @@
# 01-08 OpenWrt HAProxy 负载均衡 - 基础配置
# 文档docs/01-08-openwrt-haproxy.md
# 将 192.168.2.6164 按实际 K3s 节点 IP 修改
global
log /dev/log local0
maxconn 4096
# 部分 OpenWrt 需 daemon / pidfile按发行版调整若无 /dev/log 可改 log 127.0.0.1 local0
defaults
mode http
option httplog
timeout connect 5s
timeout client 30s
timeout server 30s
frontend http_in
bind *:80
default_backend k3s_http
frontend https_in
bind *:443
mode tcp
default_backend k3s_https
backend k3s_http
balance roundrobin
server ylc61 192.168.2.61:80 check
server ylc62 192.168.2.62:80 check
server ylc63 192.168.2.63:80 check
server ylc64 192.168.2.64:80 check
backend k3s_https
mode tcp
balance roundrobin
server ylc61 192.168.2.61:443 check
server ylc62 192.168.2.62:443 check
server ylc63 192.168.2.63:443 check
server ylc64 192.168.2.64:443 check

37
ansible/files/cloudflare-tunnel/cloudflared.yaml Normal file
View File

@@ -0,0 +1,37 @@
# docs/03-04-k3s-cloudflare-tunnel-配置接入.md — 替换 TUNNEL_TOKEN 后应用
apiVersion: v1
kind: Secret
metadata:
name: cloudflared-credentials
namespace: kube-system
type: Opaque
stringData:
TUNNEL_TOKEN: "<YOUR_TUNNEL_TOKEN>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cloudflared
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: cloudflared
template:
metadata:
labels:
app: cloudflared
spec:
containers:
- name: cloudflared
image: cloudflare/cloudflared:latest
args:
- tunnel
- run
env:
- name: TUNNEL_TOKEN
valueFrom:
secretKeyRef:
name: cloudflared-credentials
key: TUNNEL_TOKEN

9
ansible/files/gitlab/README.md Normal file
View File

@@ -0,0 +1,9 @@
# GitLab CI 示例(与 docs 对照)
| 文件 | 文档 |
|------|------|
| `gitlab-ci-minimal.example.yml` | `docs/05-04-k3s-配置gitlab-cicd.md` |
| `gitlab-ci-multi-arch-deploy.example.yml` | `docs/05-04-k3s-配置gitlab-cicd.md` |
| `gitlab-ci-runner-tags.example.yml` | `docs/05-03-k3s-安装gitlab-含runner.md` |
复制为 `.gitlab-ci.yml``include` 引用;变量与 Runner 以文档为准。

20
ansible/files/gitlab/gitlab-ci-minimal.example.yml Normal file
View File

@@ -0,0 +1,20 @@
# docs/05-04-k3s-配置gitlab-cicd.md — 最小 .gitlab-ci.yml 示例
stages:
- lint
- deploy
variables:
KUBECONFIG: "/builds/${CI_PROJECT_PATH}/kubeconfig"
lint:
stage: lint
script:
- yamllint manifests || true
deploy:
stage: deploy
script:
- echo "$KUBE_CONFIG_CONTENT" > "$KUBECONFIG"
- kubectl --kubeconfig="$KUBECONFIG" apply -f manifests/
only:
- main

14
ansible/files/gitlab/gitlab-ci-multi-arch-deploy.example.yml Normal file
View File

@@ -0,0 +1,14 @@
# docs/05-04-k3s-配置gitlab-cicd.md — 多架构 Runner tags 示例
deploy_x86:
stage: deploy
tags: [x86]
script:
- echo "$KUBE_CONFIG_CONTENT" > "$KUBECONFIG"
- kubectl --kubeconfig="$KUBECONFIG" apply -f manifests/x86/
deploy_arm64:
stage: deploy
tags: [arm64]
script:
- echo "$KUBE_CONFIG_CONTENT" > "$KUBECONFIG"
- kubectl --kubeconfig="$KUBECONFIG" apply -f manifests/arm64/

15
ansible/files/gitlab/gitlab-ci-runner-tags.example.yml Normal file
View File

@@ -0,0 +1,15 @@
# docs/05-03-k3s-安装gitlab-含runner.md — Runner tag 与 job 对应示例
build_x86:
tags: [x86]
script:
- echo "build for x86"
build_arm64:
tags: [arm64]
script:
- echo "build for arm64"
build_armv7:
tags: [armv7]
script:
- echo "build for armv7"

53
ansible/files/homer/homer.yaml Normal file
View File

@@ -0,0 +1,53 @@
# docs/05-01-k3s-部署homer首页面板.md — 按需修改 host
apiVersion: apps/v1
kind: Deployment
metadata:
name: homer
namespace: homer
spec:
replicas: 1
selector:
matchLabels:
app: homer
template:
metadata:
labels:
app: homer
spec:
containers:
- name: homer
image: b4bz/homer:latest
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: homer
namespace: homer
spec:
selector:
app: homer
ports:
- port: 80
targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: homer
namespace: homer
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: home.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: homer
port:
number: 80

38
ansible/files/local-path-demo/local-path-pvc-demo.yaml Normal file
View File

@@ -0,0 +1,38 @@
# docs/03-05-k3s-local-path-pvc.md
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: local-pvc-demo
namespace: default
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-local-pvc-demo
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: nginx-local-pvc-demo
template:
metadata:
labels:
app: nginx-local-pvc-demo
spec:
containers:
- name: nginx
image: nginx:alpine
volumeMounts:
- name: data
mountPath: /usr/share/nginx/html
volumes:
- name: data
persistentVolumeClaim:
claimName: local-pvc-demo

27
ansible/files/nfs-demo/nfs-pv-pvc-demo.yaml Normal file
View File

@@ -0,0 +1,27 @@
# docs/03-06-k3s-使用nfs存储.md — 按环境修改 server/path
apiVersion: v1
kind: PersistentVolume
metadata:
name: nfs-pv-demo
spec:
capacity:
storage: 20Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
nfs:
server: 192.168.2.22
path: /data/nfs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nfs-pvc-demo
namespace: default
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
volumeName: nfs-pv-demo

115
ansible/files/nginx-matrix-tls/01-control-ingress.yaml Normal file
View File

@@ -0,0 +1,115 @@
# 03-02 TLS: M1 控制节点 + Ingress路径 /(根路径),域名 test01.jackadam.top
# ConfigMap首页 + default.conf单文件 subPath 挂载,与 M2M4 一致)
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-m1-html
namespace: default
data:
index.html: |
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>M1</title></head>
<body><h1>M1</h1><p>控制节点 + Ingress</p><p><strong>Backend: M1</strong></p></body></html>
default.conf: |
server { listen 80 default_server; server_name _; root /usr/share/nginx/html; index index.html; location / { add_header X-Backend "M1"; try_files $uri $uri/ /index.html; } }
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-m1
namespace: default
labels:
app: nginx-m1
matrix: "03-02-m1"
spec:
replicas: 1
selector:
matchLabels:
app: nginx-m1
template:
metadata:
labels:
app: nginx-m1
spec:
nodeSelector:
node-role.kubernetes.io/control-plane: ""
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
volumes:
- name: html
configMap:
name: nginx-m1-html
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html/index.html
subPath: index.html
readOnly: true
- name: html
mountPath: /etc/nginx/conf.d/default.conf
subPath: default.conf
readOnly: true
---
apiVersion: v1
kind: Service
metadata:
name: nginx-m1
namespace: default
spec:
selector:
app: nginx-m1
ports:
- port: 80
targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-m1
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls.certresolver: cloudflare
spec:
tls:
- hosts:
- test01.jackadam.top
rules:
- host: test01.jackadam.top
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx-m1
port:
number: 80
---
# 03-02 HTTP-onlyM1 路由(仅 web无 TLS与 nginx-m1 共用 Service
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-m1-http
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: test01.jackadam.top
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx-m1
port:
number: 80

98
ansible/files/nginx-matrix-tls/02-control-ingressroute.yaml Normal file
View File

@@ -0,0 +1,98 @@
# 03-02 TLS: M2 控制节点 + IngressRoute路径 /(根路径),域名 test02.jackadam.top
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-m2-html
namespace: default
data:
index.html: |
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>M2</title></head>
<body><h1>M2</h1><p>控制节点 + IngressRoute</p></body></html>
default.conf: |
server { listen 80; server_name localhost; root /usr/share/nginx/html; index index.html; location / { add_header X-Backend "M2"; try_files $uri $uri/ /index.html; } }
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-m2
namespace: default
labels:
app: nginx-m2
matrix: "03-02-m2"
spec:
replicas: 1
selector:
matchLabels:
app: nginx-m2
template:
metadata:
labels:
app: nginx-m2
spec:
nodeSelector:
kubernetes.io/hostname: ylc61
volumes:
- name: html
configMap:
name: nginx-m2-html
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html/index.html
subPath: index.html
readOnly: true
- name: html
mountPath: /etc/nginx/conf.d/default.conf
subPath: default.conf
readOnly: true
---
apiVersion: v1
kind: Service
metadata:
name: nginx-m2
namespace: default
spec:
selector:
app: nginx-m2
ports:
- port: 80
targetPort: 80
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: nginx-m2
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`test02.jackadam.top`)
kind: Rule
services:
- name: nginx-m2
port: 80
tls:
certResolver: cloudflare
---
# 03-02 HTTP-onlyM2 路由(仅 web无 TLS与 nginx-m2 共用 Service
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: nginx-m2-http
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`test02.jackadam.top`)
kind: Rule
services:
- name: nginx-m2
port: 80

110
ansible/files/nginx-matrix-tls/03-worker-ingress.yaml Normal file
View File

@@ -0,0 +1,110 @@
# 03-02 TLS: M3 工作节点 + Ingress路径 /(根路径),域名 test03.jackadam.top
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-m3-html
namespace: default
data:
index.html: |
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>M3</title></head>
<body><h1>M3</h1><p>工作节点 + Ingress</p></body></html>
default.conf: |
server { listen 80; server_name localhost; root /usr/share/nginx/html; index index.html; location / { add_header X-Backend "M3"; try_files $uri $uri/ /index.html; } }
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-m3
namespace: default
labels:
app: nginx-m3
matrix: "03-02-m3"
spec:
replicas: 1
selector:
matchLabels:
app: nginx-m3
template:
metadata:
labels:
app: nginx-m3
spec:
nodeSelector:
node-role.kubernetes.io/worker: ""
volumes:
- name: html
configMap:
name: nginx-m3-html
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html/index.html
subPath: index.html
readOnly: true
- name: html
mountPath: /etc/nginx/conf.d/default.conf
subPath: default.conf
readOnly: true
---
apiVersion: v1
kind: Service
metadata:
name: nginx-m3
namespace: default
spec:
selector:
app: nginx-m3
ports:
- port: 80
targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-m3
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls.certresolver: cloudflare
spec:
tls:
- hosts:
- test03.jackadam.top
rules:
- host: test03.jackadam.top
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx-m3
port:
number: 80
---
# 03-02 HTTP-onlyM3 路由(仅 web无 TLS与 nginx-m3 共用 Service
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-m3-http
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: test03.jackadam.top
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx-m3
port:
number: 80

98
ansible/files/nginx-matrix-tls/04-worker-ingressroute.yaml Normal file
View File

@@ -0,0 +1,98 @@
# 03-02 TLS: M4 工作节点 + IngressRoute路径 /(根路径),域名 test04.jackadam.top
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-m4-html
namespace: default
data:
index.html: |
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>M4</title></head>
<body><h1>M4</h1><p>工作节点 + IngressRoute</p></body></html>
default.conf: |
server { listen 80; server_name localhost; root /usr/share/nginx/html; index index.html; location / { add_header X-Backend "M4"; try_files $uri $uri/ /index.html; } }
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-m4
namespace: default
labels:
app: nginx-m4
matrix: "03-02-m4"
spec:
replicas: 1
selector:
matchLabels:
app: nginx-m4
template:
metadata:
labels:
app: nginx-m4
spec:
nodeSelector:
kubernetes.io/hostname: ylc64
volumes:
- name: html
configMap:
name: nginx-m4-html
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html/index.html
subPath: index.html
readOnly: true
- name: html
mountPath: /etc/nginx/conf.d/default.conf
subPath: default.conf
readOnly: true
---
apiVersion: v1
kind: Service
metadata:
name: nginx-m4
namespace: default
spec:
selector:
app: nginx-m4
ports:
- port: 80
targetPort: 80
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: nginx-m4
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`test04.jackadam.top`)
kind: Rule
services:
- name: nginx-m4
port: 80
tls:
certResolver: cloudflare
---
# 03-02 HTTP-onlyM4 路由(仅 web无 TLS与 nginx-m4 共用 Service
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: nginx-m4-http
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`test04.jackadam.top`)
kind: Rule
services:
- name: nginx-m4
port: 80

100
ansible/files/nginx-matrix/01-control-ingress.yaml Normal file
View File

@@ -0,0 +1,100 @@
# 02-05: Nginx + 控制节点 + IngressM1
# 路径 /demo-m1随机一台控制节点nodeSelector + toleration控制节点常有 NoSchedule 污点)
# ConfigMap首页 + default.conf单文件 subPath 挂载,与 M2M4 一致,便于 nginx 后续扩展)
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-m1-html
namespace: default
data:
index.html: |
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>M1</title></head>
<body><h1>M1</h1><p>控制节点 + Ingress</p><p><strong>Backend: M1</strong></p></body></html>
default.conf: |
server { listen 80 default_server; server_name _; root /usr/share/nginx/html; index index.html; location / { add_header X-Backend "M1"; try_files $uri $uri/ /index.html; } }
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-m1
namespace: default
labels:
app: nginx-m1
matrix: "02-05-m1"
spec:
replicas: 1
selector:
matchLabels:
app: nginx-m1
template:
metadata:
labels:
app: nginx-m1
spec:
nodeSelector:
node-role.kubernetes.io/control-plane: ""
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
volumes:
- name: html
configMap:
name: nginx-m1-html
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html/index.html
subPath: index.html
readOnly: true
- name: html
mountPath: /etc/nginx/conf.d/default.conf
subPath: default.conf
readOnly: true
---
apiVersion: v1
kind: Service
metadata:
name: nginx-m1
namespace: default
spec:
selector:
app: nginx-m1
ports:
- port: 80
targetPort: 80
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: stripprefix-m1
namespace: default
spec:
stripPrefix:
prefixes:
- /demo-m1
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-m1
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-stripprefix-m1@kubernetescrd
spec:
rules:
- http:
paths:
- path: /demo-m1
pathType: Prefix
backend:
service:
name: nginx-m1
port:
number: 80

94
ansible/files/nginx-matrix/02-control-ingressroute.yaml Normal file
View File

@@ -0,0 +1,94 @@
# 03-02: Nginx + 控制节点 + IngressRouteM2
# 路径 /demo-m2指定一台控制节点按实际 FQDN 修改 kubernetes.io/hostname
# ConfigMap首页 + default.confX-Backend: M2 便于区分
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-m2-html
namespace: default
data:
index.html: |
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>M2</title></head>
<body><h1>M2</h1><p>控制节点 + IngressRoute</p></body></html>
default.conf: |
server { listen 80; server_name localhost; root /usr/share/nginx/html; index index.html; location / { add_header X-Backend "M2"; try_files $uri $uri/ /index.html; } }
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-m2
namespace: default
labels:
app: nginx-m2
matrix: "02-05-m2"
spec:
replicas: 1
selector:
matchLabels:
app: nginx-m2
template:
metadata:
labels:
app: nginx-m2
spec:
nodeSelector:
kubernetes.io/hostname: ylc61
volumes:
- name: html
configMap:
name: nginx-m2-html
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html/index.html
subPath: index.html
readOnly: true
- name: html
mountPath: /etc/nginx/conf.d/default.conf
subPath: default.conf
readOnly: true
---
apiVersion: v1
kind: Service
metadata:
name: nginx-m2
namespace: default
spec:
selector:
app: nginx-m2
ports:
- port: 80
targetPort: 80
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: stripprefix-m2
namespace: default
spec:
stripPrefix:
prefixes:
- /demo-m2
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: nginx-m2
namespace: default
spec:
entryPoints:
- web
routes:
- match: PathPrefix(`/demo-m2`)
kind: Rule
middlewares:
- name: stripprefix-m2
services:
- name: nginx-m2
port: 80

96
ansible/files/nginx-matrix/03-worker-ingress.yaml Normal file
View File

@@ -0,0 +1,96 @@
# 03-03: Nginx + 工作节点 + IngressM3
# 路径 /demo-m3随机一台工作节点nodeSelector: node-role.kubernetes.io/worker
# ConfigMap首页 + default.confX-Backend: M3 便于区分
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-m3-html
namespace: default
data:
index.html: |
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>M3</title></head>
<body><h1>M3</h1><p>工作节点 + Ingress</p></body></html>
default.conf: |
server { listen 80; server_name localhost; root /usr/share/nginx/html; index index.html; location / { add_header X-Backend "M3"; try_files $uri $uri/ /index.html; } }
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-m3
namespace: default
labels:
app: nginx-m3
matrix: "02-05-m3"
spec:
replicas: 1
selector:
matchLabels:
app: nginx-m3
template:
metadata:
labels:
app: nginx-m3
spec:
nodeSelector:
node-role.kubernetes.io/worker: ""
volumes:
- name: html
configMap:
name: nginx-m3-html
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html/index.html
subPath: index.html
readOnly: true
- name: html
mountPath: /etc/nginx/conf.d/default.conf
subPath: default.conf
readOnly: true
---
apiVersion: v1
kind: Service
metadata:
name: nginx-m3
namespace: default
spec:
selector:
app: nginx-m3
ports:
- port: 80
targetPort: 80
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: stripprefix-m3
namespace: default
spec:
stripPrefix:
prefixes:
- /demo-m3
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-m3
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-stripprefix-m3@kubernetescrd
spec:
rules:
- http:
paths:
- path: /demo-m3
pathType: Prefix
backend:
service:
name: nginx-m3
port:
number: 80

94
ansible/files/nginx-matrix/04-worker-ingressroute.yaml Normal file
View File

@@ -0,0 +1,94 @@
# 03-04: Nginx + 工作节点 + IngressRouteM4
# 路径 /demo-m4指定一台工作节点按实际 FQDN 修改 kubernetes.io/hostname
# ConfigMap首页 + default.confX-Backend: M4 便于区分
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-m4-html
namespace: default
data:
index.html: |
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>M4</title></head>
<body><h1>M4</h1><p>工作节点 + IngressRoute</p></body></html>
default.conf: |
server { listen 80; server_name localhost; root /usr/share/nginx/html; index index.html; location / { add_header X-Backend "M4"; try_files $uri $uri/ /index.html; } }
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-m4
namespace: default
labels:
app: nginx-m4
matrix: "02-05-m4"
spec:
replicas: 1
selector:
matchLabels:
app: nginx-m4
template:
metadata:
labels:
app: nginx-m4
spec:
nodeSelector:
kubernetes.io/hostname: ylc64
volumes:
- name: html
configMap:
name: nginx-m4-html
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
volumeMounts:
- name: html
mountPath: /usr/share/nginx/html/index.html
subPath: index.html
readOnly: true
- name: html
mountPath: /etc/nginx/conf.d/default.conf
subPath: default.conf
readOnly: true
---
apiVersion: v1
kind: Service
metadata:
name: nginx-m4
namespace: default
spec:
selector:
app: nginx-m4
ports:
- port: 80
targetPort: 80
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: stripprefix-m4
namespace: default
spec:
stripPrefix:
prefixes:
- /demo-m4
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: nginx-m4
namespace: default
spec:
entryPoints:
- web
routes:
- match: PathPrefix(`/demo-m4`)
kind: Rule
middlewares:
- name: stripprefix-m4
services:
- name: nginx-m4
port: 80

12
ansible/files/nginx-matrix/README.md Normal file
View File

@@ -0,0 +1,12 @@
# Nginx 矩阵 manifests
用于 `ansible/playbooks/nginx-matrix-deploy.yml` 一键部署。
| 文件 | 场景 | 路径 | 节点 |
|------|------|------|------|
| 01-control-ingress.yaml | M1 控制+Ingress | /demo-m1 | 无 nodeSelector |
| 02-control-ingressroute.yaml | M2 控制+IngressRoute | /demo-m2 | 无 nodeSelector |
| 03-worker-ingress.yaml | M3 工作+Ingress | /demo-m3 | nodeSelector=worker随机 |
| 04-worker-ingressroute.yaml | M4 工作+IngressRoute | /demo-m4 | nodeSelector=ylc64 |
M4 默认指定 ylc64M3 随机工作节点;按实际修改。

54
ansible/files/nodejs-demo/04-01-nodejs-demo.yaml Normal file
View File

@@ -0,0 +1,54 @@
# 对应文档docs/04-01-k3s-nodejs-高级部署.md
# 累积基线Deployment + Service + Ingress
apiVersion: apps/v1
kind: Deployment
metadata:
name: nodejs-demo
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: nodejs-demo
template:
metadata:
labels:
app: nodejs-demo
spec:
containers:
- name: nodejs-demo
image: node:18-alpine
command: ["node", "-e", "require('http').createServer((req,res)=>res.end('Hello World from Node.js')).listen(3000)"]
ports:
- containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
name: nodejs-demo
namespace: default
spec:
selector:
app: nodejs-demo
ports:
- port: 80
targetPort: 3000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nodejs-demo
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- http:
paths:
- path: /node
pathType: Prefix
backend:
service:
name: nodejs-demo
port:
number: 80

58
ansible/files/nodejs-demo/04-02-nodejs-demo.yaml Normal file
View File

@@ -0,0 +1,58 @@
# 对应文档docs/04-02-nodejs-镜像与运行命令.md
# 累积04-01 + 固定镜像 tag、imagePullPolicy、command/args
apiVersion: apps/v1
kind: Deployment
metadata:
name: nodejs-demo
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: nodejs-demo
template:
metadata:
labels:
app: nodejs-demo
spec:
containers:
- name: nodejs-demo
image: node:18.20-alpine
imagePullPolicy: IfNotPresent
command: ["node"]
args:
- "-e"
- "require('http').createServer((req,res)=>res.end('Hello from pinned image')).listen(3000)"
ports:
- containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
name: nodejs-demo
namespace: default
spec:
selector:
app: nodejs-demo
ports:
- port: 80
targetPort: 3000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nodejs-demo
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- http:
paths:
- path: /node
pathType: Prefix
backend:
service:
name: nodejs-demo
port:
number: 80

75
ansible/files/nodejs-demo/04-03-nodejs-demo.yaml Normal file
View File

@@ -0,0 +1,75 @@
# 对应文档docs/04-03-nodejs-环境变量与配置注入.md
# 累积04-02 + ConfigMap + 通过 env 注入 APP_MSG镜像仍用 18.20-alpine 与 04-02 一致)
apiVersion: v1
kind: ConfigMap
metadata:
name: nodejs-demo-config
namespace: default
data:
APP_MSG: "Hello from ConfigMap"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nodejs-demo
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: nodejs-demo
template:
metadata:
labels:
app: nodejs-demo
spec:
containers:
- name: nodejs-demo
image: node:18.20-alpine
imagePullPolicy: IfNotPresent
env:
- name: APP_MSG
valueFrom:
configMapKeyRef:
name: nodejs-demo-config
key: APP_MSG
command:
- node
- "-e"
- |
const http=require('http');
const msg=process.env.APP_MSG||'no env';
http.createServer((q,s)=>s.end(msg)).listen(3000);
ports:
- containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
name: nodejs-demo
namespace: default
spec:
selector:
app: nodejs-demo
ports:
- port: 80
targetPort: 3000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nodejs-demo
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- http:
paths:
- path: /node
pathType: Prefix
backend:
service:
name: nodejs-demo
port:
number: 80

75
ansible/files/nodejs-demo/04-04-nodejs-demo.yaml Normal file
View File

@@ -0,0 +1,75 @@
# 对应文档docs/04-04-nodejs-端口与Service.md
# 累积04-03 + 容器与进程改监听 8080Service targetPort 对齐
apiVersion: v1
kind: ConfigMap
metadata:
name: nodejs-demo-config
namespace: default
data:
APP_MSG: "Hello from ConfigMap"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nodejs-demo
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: nodejs-demo
template:
metadata:
labels:
app: nodejs-demo
spec:
containers:
- name: nodejs-demo
image: node:18.20-alpine
imagePullPolicy: IfNotPresent
env:
- name: APP_MSG
valueFrom:
configMapKeyRef:
name: nodejs-demo-config
key: APP_MSG
command:
- node
- "-e"
- |
const http=require('http');
const msg=process.env.APP_MSG||'no env';
http.createServer((q,s)=>s.end(msg)).listen(8080);
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: nodejs-demo
namespace: default
spec:
selector:
app: nodejs-demo
ports:
- port: 80
targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nodejs-demo
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- http:
paths:
- path: /node
pathType: Prefix
backend:
service:
name: nodejs-demo
port:
number: 80

82
ansible/files/nodejs-demo/04-05-nodejs-demo.yaml Normal file
View File

@@ -0,0 +1,82 @@
# 对应文档docs/04-05-nodejs-资源请求与限制.md
# 累积04-04 + resources.requests/limits
apiVersion: v1
kind: ConfigMap
metadata:
name: nodejs-demo-config
namespace: default
data:
APP_MSG: "Hello from ConfigMap"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nodejs-demo
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: nodejs-demo
template:
metadata:
labels:
app: nodejs-demo
spec:
containers:
- name: nodejs-demo
image: node:18.20-alpine
imagePullPolicy: IfNotPresent
env:
- name: APP_MSG
valueFrom:
configMapKeyRef:
name: nodejs-demo-config
key: APP_MSG
command:
- node
- "-e"
- |
const http=require('http');
const msg=process.env.APP_MSG||'no env';
http.createServer((q,s)=>s.end(msg)).listen(8080);
ports:
- containerPort: 8080
resources:
requests:
cpu: "50m"
memory: "64Mi"
limits:
cpu: "500m"
memory: "256Mi"
---
apiVersion: v1
kind: Service
metadata:
name: nodejs-demo
namespace: default
spec:
selector:
app: nodejs-demo
ports:
- port: 80
targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nodejs-demo
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- http:
paths:
- path: /node
pathType: Prefix
backend:
service:
name: nodejs-demo
port:
number: 80

94
ansible/files/nodejs-demo/04-06-nodejs-demo.yaml Normal file
View File

@@ -0,0 +1,94 @@
# 对应文档docs/04-06-nodejs-探针与健康检查.md
# 累积04-05 + livenessProbe/readinessProbe端口 8080路径 /
apiVersion: v1
kind: ConfigMap
metadata:
name: nodejs-demo-config
namespace: default
data:
APP_MSG: "Hello from ConfigMap"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nodejs-demo
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: nodejs-demo
template:
metadata:
labels:
app: nodejs-demo
spec:
containers:
- name: nodejs-demo
image: node:18.20-alpine
imagePullPolicy: IfNotPresent
env:
- name: APP_MSG
valueFrom:
configMapKeyRef:
name: nodejs-demo-config
key: APP_MSG
command:
- node
- "-e"
- |
const http=require('http');
const msg=process.env.APP_MSG||'no env';
http.createServer((q,s)=>s.end(msg)).listen(8080);
ports:
- containerPort: 8080
resources:
requests:
cpu: "50m"
memory: "64Mi"
limits:
cpu: "500m"
memory: "256Mi"
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 3
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 2
periodSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
name: nodejs-demo
namespace: default
spec:
selector:
app: nodejs-demo
ports:
- port: 80
targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nodejs-demo
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- http:
paths:
- path: /node
pathType: Prefix
backend:
service:
name: nodejs-demo
port:
number: 80

96
ansible/files/nodejs-demo/04-07-nodejs-demo.yaml Normal file
View File

@@ -0,0 +1,96 @@
# 对应文档docs/04-07-nodejs-调度与亲和.md
# 累积04-06 + nodeSelector默认 ylc62请改为本集群节点短主机名
apiVersion: v1
kind: ConfigMap
metadata:
name: nodejs-demo-config
namespace: default
data:
APP_MSG: "Hello from ConfigMap"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nodejs-demo
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: nodejs-demo
template:
metadata:
labels:
app: nodejs-demo
spec:
nodeSelector:
kubernetes.io/hostname: ylc62
containers:
- name: nodejs-demo
image: node:18.20-alpine
imagePullPolicy: IfNotPresent
env:
- name: APP_MSG
valueFrom:
configMapKeyRef:
name: nodejs-demo-config
key: APP_MSG
command:
- node
- "-e"
- |
const http=require('http');
const msg=process.env.APP_MSG||'no env';
http.createServer((q,s)=>s.end(msg)).listen(8080);
ports:
- containerPort: 8080
resources:
requests:
cpu: "50m"
memory: "64Mi"
limits:
cpu: "500m"
memory: "256Mi"
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 3
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 2
periodSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
name: nodejs-demo
namespace: default
spec:
selector:
app: nodejs-demo
ports:
- port: 80
targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nodejs-demo
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- http:
paths:
- path: /node
pathType: Prefix
backend:
service:
name: nodejs-demo
port:
number: 80

109
ansible/files/nodejs-demo/04-08-nodejs-demo.yaml Normal file
View File

@@ -0,0 +1,109 @@
# 对应文档docs/04-08-nodejs-安全上下文.md
# 累积04-07 + pod securityContext.fsGroup、容器 securityContext、只读根、/tmp emptyDir
apiVersion: v1
kind: ConfigMap
metadata:
name: nodejs-demo-config
namespace: default
data:
APP_MSG: "Hello from ConfigMap"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nodejs-demo
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: nodejs-demo
template:
metadata:
labels:
app: nodejs-demo
spec:
nodeSelector:
kubernetes.io/hostname: ylc62
securityContext:
fsGroup: 1000
containers:
- name: nodejs-demo
image: node:18.20-alpine
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
readOnlyRootFilesystem: true
env:
- name: APP_MSG
valueFrom:
configMapKeyRef:
name: nodejs-demo-config
key: APP_MSG
command:
- node
- "-e"
- |
const http=require('http');
const msg=process.env.APP_MSG||'no env';
http.createServer((q,s)=>s.end(msg)).listen(8080);
ports:
- containerPort: 8080
resources:
requests:
cpu: "50m"
memory: "64Mi"
limits:
cpu: "500m"
memory: "256Mi"
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 3
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 2
periodSeconds: 5
volumeMounts:
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: nodejs-demo
namespace: default
spec:
selector:
app: nodejs-demo
ports:
- port: 80
targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nodejs-demo
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- http:
paths:
- path: /node
pathType: Prefix
backend:
service:
name: nodejs-demo
port:
number: 80

127
ansible/files/nodejs-demo/04-09-nodejs-demo.yaml Normal file
View File

@@ -0,0 +1,127 @@
# 对应文档docs/04-09-nodejs-存储与卷.md
# 累积04-08 + PVC nodejs-demo-data默认 storageClassName: local-path可按集群改为 longhorn 等)+ 挂载 /data
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nodejs-demo-data
namespace: default
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nodejs-demo-config
namespace: default
data:
APP_MSG: "Hello from ConfigMap"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nodejs-demo
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: nodejs-demo
template:
metadata:
labels:
app: nodejs-demo
spec:
nodeSelector:
kubernetes.io/hostname: ylc62
securityContext:
fsGroup: 1000
containers:
- name: nodejs-demo
image: node:18.20-alpine
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
readOnlyRootFilesystem: true
env:
- name: APP_MSG
valueFrom:
configMapKeyRef:
name: nodejs-demo-config
key: APP_MSG
command:
- node
- "-e"
- |
const http=require('http');
const msg=process.env.APP_MSG||'no env';
http.createServer((q,s)=>s.end(msg)).listen(8080);
ports:
- containerPort: 8080
resources:
requests:
cpu: "50m"
memory: "64Mi"
limits:
cpu: "500m"
memory: "256Mi"
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 3
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 2
periodSeconds: 5
volumeMounts:
- name: tmp
mountPath: /tmp
- name: data
mountPath: /data
volumes:
- name: tmp
emptyDir: {}
- name: data
persistentVolumeClaim:
claimName: nodejs-demo-data
---
apiVersion: v1
kind: Service
metadata:
name: nodejs-demo
namespace: default
spec:
selector:
app: nodejs-demo
ports:
- port: 80
targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nodejs-demo
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- http:
paths:
- path: /node
pathType: Prefix
backend:
service:
name: nodejs-demo
port:
number: 80

128
ansible/files/nodejs-demo/04-10-nodejs-demo.yaml Normal file
View File

@@ -0,0 +1,128 @@
# 对应文档docs/04-10-nodejs-Ingress与Traefik.md
# 累积04-09 + Ingress 增加 host、path 改为 /api访问需 Host: app.example.local
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nodejs-demo-data
namespace: default
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nodejs-demo-config
namespace: default
data:
APP_MSG: "Hello from ConfigMap"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nodejs-demo
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: nodejs-demo
template:
metadata:
labels:
app: nodejs-demo
spec:
nodeSelector:
kubernetes.io/hostname: ylc62
securityContext:
fsGroup: 1000
containers:
- name: nodejs-demo
image: node:18.20-alpine
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
readOnlyRootFilesystem: true
env:
- name: APP_MSG
valueFrom:
configMapKeyRef:
name: nodejs-demo-config
key: APP_MSG
command:
- node
- "-e"
- |
const http=require('http');
const msg=process.env.APP_MSG||'no env';
http.createServer((q,s)=>s.end(msg)).listen(8080);
ports:
- containerPort: 8080
resources:
requests:
cpu: "50m"
memory: "64Mi"
limits:
cpu: "500m"
memory: "256Mi"
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 3
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 2
periodSeconds: 5
volumeMounts:
- name: tmp
mountPath: /tmp
- name: data
mountPath: /data
volumes:
- name: tmp
emptyDir: {}
- name: data
persistentVolumeClaim:
claimName: nodejs-demo-data
---
apiVersion: v1
kind: Service
metadata:
name: nodejs-demo
namespace: default
spec:
selector:
app: nodejs-demo
ports:
- port: 80
targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nodejs-demo
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: app.example.local
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: nodejs-demo
port:
number: 80

133
ansible/files/nodejs-demo/04-11-nodejs-demo.yaml Normal file
View File

@@ -0,0 +1,133 @@
# 对应文档docs/04-11-nodejs-副本与滚动发布.md
# 累积04-10 + replicas: 3 + RollingUpdatemaxSurge:1 maxUnavailable:0
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nodejs-demo-data
namespace: default
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nodejs-demo-config
namespace: default
data:
APP_MSG: "Hello from ConfigMap"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nodejs-demo
namespace: default
spec:
replicas: 3
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
selector:
matchLabels:
app: nodejs-demo
template:
metadata:
labels:
app: nodejs-demo
spec:
nodeSelector:
kubernetes.io/hostname: ylc62
securityContext:
fsGroup: 1000
containers:
- name: nodejs-demo
image: node:18.20-alpine
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
readOnlyRootFilesystem: true
env:
- name: APP_MSG
valueFrom:
configMapKeyRef:
name: nodejs-demo-config
key: APP_MSG
command:
- node
- "-e"
- |
const http=require('http');
const msg=process.env.APP_MSG||'no env';
http.createServer((q,s)=>s.end(msg)).listen(8080);
ports:
- containerPort: 8080
resources:
requests:
cpu: "50m"
memory: "64Mi"
limits:
cpu: "500m"
memory: "256Mi"
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 3
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 2
periodSeconds: 5
volumeMounts:
- name: tmp
mountPath: /tmp
- name: data
mountPath: /data
volumes:
- name: tmp
emptyDir: {}
- name: data
persistentVolumeClaim:
claimName: nodejs-demo-data
---
apiVersion: v1
kind: Service
metadata:
name: nodejs-demo
namespace: default
spec:
selector:
app: nodejs-demo
ports:
- port: 80
targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nodejs-demo
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: app.example.local
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: nodejs-demo
port:
number: 80

140
ansible/files/nodejs-demo/04-12-nodejs-demo.yaml Normal file
View File

@@ -0,0 +1,140 @@
# 对应文档docs/04-12-nodejs-TLS与证书.md
# 累积04-11 + Ingress TLSwebsecure、secretName: nodejs-demo-tls
# 应用前请先创建 TLS Secret例如
# kubectl create secret tls nodejs-demo-tls --cert=fullchain.pem --key=privkey.pem -n default
# 证书 SAN 须覆盖 app.example.local与 rules.host / tls.hosts 一致)
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nodejs-demo-data
namespace: default
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nodejs-demo-config
namespace: default
data:
APP_MSG: "Hello from ConfigMap"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nodejs-demo
namespace: default
spec:
replicas: 3
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
selector:
matchLabels:
app: nodejs-demo
template:
metadata:
labels:
app: nodejs-demo
spec:
nodeSelector:
kubernetes.io/hostname: ylc62
securityContext:
fsGroup: 1000
containers:
- name: nodejs-demo
image: node:18.20-alpine
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
readOnlyRootFilesystem: true
env:
- name: APP_MSG
valueFrom:
configMapKeyRef:
name: nodejs-demo-config
key: APP_MSG
command:
- node
- "-e"
- |
const http=require('http');
const msg=process.env.APP_MSG||'no env';
http.createServer((q,s)=>s.end(msg)).listen(8080);
ports:
- containerPort: 8080
resources:
requests:
cpu: "50m"
memory: "64Mi"
limits:
cpu: "500m"
memory: "256Mi"
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 3
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 2
periodSeconds: 5
volumeMounts:
- name: tmp
mountPath: /tmp
- name: data
mountPath: /data
volumes:
- name: tmp
emptyDir: {}
- name: data
persistentVolumeClaim:
claimName: nodejs-demo-data
---
apiVersion: v1
kind: Service
metadata:
name: nodejs-demo
namespace: default
spec:
selector:
app: nodejs-demo
ports:
- port: 80
targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nodejs-demo
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
tls:
- hosts:
- app.example.local
secretName: nodejs-demo-tls
rules:
- host: app.example.local
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: nodejs-demo
port:
number: 80

157
ansible/files/nodejs-demo/04-13-nodejs-demo.yaml Normal file
View File

@@ -0,0 +1,157 @@
# 对应文档docs/04-13-nodejs-HPA.md
# 累积04-12 + HorizontalPodAutoscalerCPU 50%min 1 max 5
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nodejs-demo-data
namespace: default
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nodejs-demo-config
namespace: default
data:
APP_MSG: "Hello from ConfigMap"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nodejs-demo
namespace: default
spec:
replicas: 3
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
selector:
matchLabels:
app: nodejs-demo
template:
metadata:
labels:
app: nodejs-demo
spec:
nodeSelector:
kubernetes.io/hostname: ylc62
securityContext:
fsGroup: 1000
containers:
- name: nodejs-demo
image: node:18.20-alpine
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
readOnlyRootFilesystem: true
env:
- name: APP_MSG
valueFrom:
configMapKeyRef:
name: nodejs-demo-config
key: APP_MSG
command:
- node
- "-e"
- |
const http=require('http');
const msg=process.env.APP_MSG||'no env';
http.createServer((q,s)=>s.end(msg)).listen(8080);
ports:
- containerPort: 8080
resources:
requests:
cpu: "50m"
memory: "64Mi"
limits:
cpu: "500m"
memory: "256Mi"
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 3
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 2
periodSeconds: 5
volumeMounts:
- name: tmp
mountPath: /tmp
- name: data
mountPath: /data
volumes:
- name: tmp
emptyDir: {}
- name: data
persistentVolumeClaim:
claimName: nodejs-demo-data
---
apiVersion: v1
kind: Service
metadata:
name: nodejs-demo
namespace: default
spec:
selector:
app: nodejs-demo
ports:
- port: 80
targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nodejs-demo
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
tls:
- hosts:
- app.example.local
secretName: nodejs-demo-tls
rules:
- host: app.example.local
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: nodejs-demo
port:
number: 80
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: nodejs-demo
namespace: default
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: nodejs-demo
minReplicas: 1
maxReplicas: 5
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 50

42
ansible/files/nodejs-demo/README.md Normal file
View File

@@ -0,0 +1,42 @@
# Node.js demo 清单(与 docs/04-0104-14 对齐)
**唯一真源**:本目录下 YAML 与 `docs/` 中说明一致;文档内不重复贴全文,避免漂移。
## 累积规则
- `04-0N-nodejs-demo.yaml` 表示:从 `04-01` 起顺序做完 **04-0104-0N** 各篇能力后的 **一份**`kubectl apply -f` 的完整状态(多资源用 `---` 分隔)。
- **可直接跳到最后一份** 做实验,不必逐文件 apply若要理解每步增量可按编号顺序阅读文档并对照相邻两个 YAML 的差异。
- **04-14**GitOps/CI无独立清单`docs/04-14-nodejs-GitOps与CI流水线.md``docs/05-04-k3s-配置gitlab-cicd.md``docs/03-09-k3s-gitops-集群配置管理.md`
## 文件与文档对照
| 文件 | 文档 | 备注 |
|------|------|------|
| `04-01-nodejs-demo.yaml` | `docs/04-01-k3s-nodejs-高级部署.md` | 基线3000、`/node`、无 host |
| `04-02-nodejs-demo.yaml` | `docs/04-02-nodejs-镜像与运行命令.md` | 固定镜像 tag、`imagePullPolicy` |
| `04-03-nodejs-demo.yaml` | `docs/04-03-nodejs-环境变量与配置注入.md` | + ConfigMapSecret 示例见文末 `nodejs-demo-secret.example.yaml` |
| `04-04-nodejs-demo.yaml` | `docs/04-04-nodejs-端口与Service.md` | 监听改 **8080**(自 04-04 起探针与后续均用 8080 |
| `04-05-nodejs-demo.yaml` | `docs/04-05-nodejs-资源请求与限制.md` | + resources |
| `04-06-nodejs-demo.yaml` | `docs/04-06-nodejs-探针与健康检查.md` | + 探针 |
| `04-07-nodejs-demo.yaml` | `docs/04-07-nodejs-调度与亲和.md` | + `nodeSelector`(默认 **ylc62**,请改为本机节点名) |
| `04-08-nodejs-demo.yaml` | `docs/04-08-nodejs-安全上下文.md` | + 非 root、只读根、`/tmp` emptyDir |
| `04-09-nodejs-demo.yaml` | `docs/04-09-nodejs-存储与卷.md` | + PVC `nodejs-demo-data`(默认 **local-path** |
| `04-10-nodejs-demo.yaml` | `docs/04-10-nodejs-Ingress与Traefik.md` | Ingress`host` + `/api`curl 需 **Host** |
| `04-11-nodejs-demo.yaml` | `docs/04-11-nodejs-副本与滚动发布.md` | replicas=3 + RollingUpdate |
| `04-12-nodejs-demo.yaml` | `docs/04-12-nodejs-TLS与证书.md` | **websecure** + TLS须先创建 `nodejs-demo-tls` Secret |
| `04-13-nodejs-demo.yaml` | `docs/04-13-nodejs-HPA.md` | + HPA需 metrics-server |
## 应用方式
```bash
# 仓库根目录
kubectl apply -f ansible/files/nodejs-demo/04-01-nodejs-demo.yaml
```
或使用 Ansible`ansible/playbooks/nodejs-demo-apply.yml`,变量 `nodejs_demo_manifest` 指定文件名。
## dry-run
```bash
kubectl apply --dry-run=client -f ansible/files/nodejs-demo/04-01-nodejs-demo.yaml
```

8
ansible/files/nodejs-demo/nodejs-demo-secret.example.yaml Normal file
View File

@@ -0,0 +1,8 @@
# 示例:勿将真实密钥提交到公开仓库。对应 docs/04-03 Secret 示意。
apiVersion: v1
kind: Secret
metadata:
name: nodejs-demo-secret
namespace: default
stringData:
API_TOKEN: "replace-me"

43
ansible/files/onenav/onenav-proxy.yaml Normal file
View File

@@ -0,0 +1,43 @@
# docs/05-02-onenav首页面板.md — 修改 Endpoints IP 与 Ingress host
apiVersion: v1
kind: Service
metadata:
name: onenav-external
namespace: default
spec:
ports:
- name: http
port: 80
targetPort: 7070
---
apiVersion: v1
kind: Endpoints
metadata:
name: onenav-external
namespace: default
subsets:
- addresses:
- ip: 192.168.2.22
ports:
- port: 7070
name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: onenav
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: onenav.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: onenav-external
port:
number: 80

74
ansible/files/openclaw/openclaw-k3s-experimental.yaml Normal file
View File

@@ -0,0 +1,74 @@
# docs/05-08-openclaw-k3s-实验部署.md — 实验用;替换镜像与域名
apiVersion: v1
kind: Namespace
metadata:
name: openclaw
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: openclaw-gateway
namespace: openclaw
spec:
replicas: 1
selector:
matchLabels:
app: openclaw-gateway
template:
metadata:
labels:
app: openclaw-gateway
spec:
containers:
- name: openclaw-gateway
image: registry.local/openclaw:local
imagePullPolicy: IfNotPresent
env:
- name: OPENCLAW_GATEWAY_MODE
value: "local"
ports:
- containerPort: 18789
volumeMounts:
- name: config
mountPath: /home/node/.openclaw
- name: workspace
mountPath: /home/node/.openclaw/workspace
volumes:
- name: config
emptyDir: {}
- name: workspace
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: openclaw-gateway
namespace: openclaw
spec:
selector:
app: openclaw-gateway
ports:
- port: 18789
targetPort: 18789
protocol: TCP
name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: openclaw-gateway
namespace: openclaw
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: openclaw-k3s.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: openclaw-gateway
port:
number: 18789

43
ansible/files/openclaw/openclaw-proxy.yaml Normal file
View File

@@ -0,0 +1,43 @@
# docs/05-07-openclaw应用部署.md — 修改 IP / host
apiVersion: v1
kind: Service
metadata:
name: openclaw-external
namespace: default
spec:
ports:
- name: http
port: 80
targetPort: 18789
---
apiVersion: v1
kind: Endpoints
metadata:
name: openclaw-external
namespace: default
subsets:
- addresses:
- ip: 192.168.2.70
ports:
- port: 18789
name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: openclaw
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: openclaw.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: openclaw-external
port:
number: 80

27
ansible/files/openlist/app-data-backup-cronjob.yaml Normal file
View File

@@ -0,0 +1,27 @@
# docs/06-03-k3s-自动备份与恢复-openlist-webdav.md — 替换镜像、hostPath、远端名
apiVersion: batch/v1
kind: CronJob
metadata:
name: app-data-backup
namespace: default
spec:
schedule: "0 3 * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: app-data-backup
image: your-registry/app-backup:latest
args:
- /bin/sh
- -c
- rclone sync /data openlist-webdav:backups/app-data
volumeMounts:
- name: app-data
mountPath: /data
volumes:
- name: app-data
hostPath:
path: /data/app
restartPolicy: OnFailure

24
ansible/files/openlist/app-data-restore-job.yaml Normal file
View File

@@ -0,0 +1,24 @@
# docs/06-03-k3s-自动备份与恢复-openlist-webdav.md — 一次性恢复 Job
apiVersion: batch/v1
kind: Job
metadata:
name: app-data-restore
namespace: default
spec:
template:
spec:
containers:
- name: app-data-restore
image: your-registry/app-backup:latest
args:
- /bin/sh
- -c
- rclone sync openlist-webdav:backups/app-data /data
volumeMounts:
- name: app-data
mountPath: /data
volumes:
- name: app-data
hostPath:
path: /data/app
restartPolicy: OnFailure

27
ansible/files/openlist/openlist-backup-cronjob.yaml Normal file
View File

@@ -0,0 +1,27 @@
# docs/05-06-openlist挂载网盘与自动备份.md — 替换镜像与 PVC 名
apiVersion: batch/v1
kind: CronJob
metadata:
name: openlist-backup
namespace: default
spec:
schedule: "0 3 * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: openlist-backup
image: your-registry/openlist-backup:latest
args:
- /bin/sh
- -c
- /backup.sh
volumeMounts:
- name: backup-target
mountPath: /backup
volumes:
- name: backup-target
persistentVolumeClaim:
claimName: openlist-backup-pvc
restartPolicy: OnFailure

38
ansible/files/traefik-acme/traefik-acme.yaml Normal file
View File

@@ -0,0 +1,38 @@
# 03-02 Traefik ACME 配置HelmChartConfig
# 含ACMECloudflare DNS-01、ping 健康检查websecure、PROXY protocol trustedIPs
# 使用前:替换 <YOUR_REAL_EMAIL>,创建 cloudflare-api-token Secret按实际修改 nodeSelector/trustedIPs
# 部署kubectl apply -f traefik-acme.yaml或复制到 K3s manifests 目录)
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: traefik
namespace: kube-system
spec:
valuesContent: |-
additionalArguments:
- "--log.level=INFO"
- "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
- "--certificatesresolvers.cloudflare.acme.email=<YOUR_REAL_EMAIL>"
- "--certificatesresolvers.cloudflare.acme.storage=/data/acme.json"
# - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" # 测试用,上线前删除
- "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
- "--certificatesresolvers.cloudflare.acme.dnschallenge.propagation.delayBeforeChecks=600"
# 健康检查GET /ping 在 443(HTTPS) 返回 200供 HAProxy 对 443 做 option httpchk + ssl
- "--ping=true"
- "--ping.entryPoint=websecure"
# PROXY protocoltrustedIPs 需包含 HAProxy 所在 IP/网段
- "--entrypoints.web.proxyProtocol.trustedIPs=192.168.2.0/24"
- "--entrypoints.websecure.proxyProtocol.trustedIPs=192.168.2.0/24"
env:
- name: CF_DNS_API_TOKEN
valueFrom:
secretKeyRef:
name: cloudflare-api-token
key: api-token
nodeSelector:
kubernetes.io/hostname: ylc61

25
ansible/files/traefik-custom-ports/traefik-custom-ports.yaml Normal file
View File

@@ -0,0 +1,25 @@
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: traefik
namespace: kube-system
spec:
valuesContent: |-
ports:
web:
expose: true
websecure:
expose: true
# 自定义 HTTP 入口(示例 18080
web18080:
port: 18080
expose:
default: true
exposedPort: 18080
# 自定义 HTTPS 入口(示例 18443
websecure18443:
port: 18443
expose:
default: true
exposedPort: 18443

60
ansible/files/traefik-dashboard-acme/tomcat-acme-test05.yaml Normal file
View File

@@ -0,0 +1,60 @@
# docs/03-03 第 5 节Tomcat + test05.jackadam.top 验证 HTTPS请按需改域名
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tomcat-test05
namespace: default
labels:
app: tomcat-test05
spec:
replicas: 1
selector:
matchLabels:
app: tomcat-test05
template:
metadata:
labels:
app: tomcat-test05
spec:
containers:
- name: tomcat
image: tomcat:9.0
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: tomcat-test05
namespace: default
spec:
selector:
app: tomcat-test05
ports:
- port: 8080
targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: tomcat-test05-acme
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls.certresolver: cloudflare
spec:
tls:
- hosts:
- test05.jackadam.top
rules:
- host: test05.jackadam.top
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: tomcat-test05
port:
number: 8080

49
ansible/files/traefik-dashboard-acme/traefik-dashboard-acme.yaml Normal file
View File

@@ -0,0 +1,49 @@
# 03-03 Traefik Dashboard + ACME 合并配置HelmChartConfig
# 含Dashboard、ACMECloudflare DNS-01、ping、PROXY protocol与 03-02 一致)
# 使用前:替换 <YOUR_REAL_EMAIL>,创建 cloudflare-api-token Secret按实际修改 nodeSelector/trustedIPs
# 部署kubectl apply -f traefik-dashboard-acme.yaml
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: traefik
namespace: kube-system
spec:
valuesContent: |-
ports:
web:
expose: true
websecure:
expose: true
additionalArguments:
- "--api.dashboard=true"
- "--api.insecure=true"
- "--log.level=INFO"
- "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
- "--certificatesresolvers.cloudflare.acme.email=<YOUR_REAL_EMAIL>"
- "--certificatesresolvers.cloudflare.acme.storage=/data/acme.json"
# - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" # 测试用,上线前删除
- "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
- "--certificatesresolvers.cloudflare.acme.dnschallenge.propagation.delayBeforeChecks=600"
- "--ping=true"
- "--ping.entryPoint=websecure"
- "--entrypoints.web.proxyProtocol.trustedIPs=192.168.2.0/24"
- "--entrypoints.websecure.proxyProtocol.trustedIPs=192.168.2.0/24"
env:
- name: CF_DNS_API_TOKEN
valueFrom:
secretKeyRef:
name: cloudflare-api-token
key: api-token
nodeSelector:
kubernetes.io/hostname: ylc61
ingressRoute:
dashboard:
enabled: true

37
ansible/files/traefik-dashboard/traefik-dashboard.yaml Normal file
View File

@@ -0,0 +1,37 @@
# 03-01 Traefik DashboardHelmChartConfig + IngressRoute
# 部署kubectl apply -f traefik-dashboard.yaml或复制到 K3s server/manifests/
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: traefik
namespace: kube-system
spec:
valuesContent: |-
ports:
web:
expose: true
websecure:
expose: true
traefik:
expose: true
additionalArguments:
- "--api.dashboard=true"
- "--api.insecure=true"
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
namespace: kube-system
spec:
entryPoints:
- web
routes:
- match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
kind: Rule
services:
- name: api@internal
kind: TraefikService