基本框架

2026-03-21 04:36:06 +08:00
commit de1be1dbe5
125 changed files with 10302 additions and 0 deletions
--- a/ansible/files/nginx-matrix-tls/01-control-ingress.yaml
+++ b/ansible/files/nginx-matrix-tls/01-control-ingress.yaml
@@ -0,0 +1,115 @@
+# 03-02 TLS: M1 控制节点 + Ingress，路径 /（根路径），域名 test01.jackadam.top
+# ConfigMap：首页 + default.conf（单文件 subPath 挂载，与 M2～M4 一致）
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-m1-html
+  namespace: default
+data:
+  index.html: |
+    <!DOCTYPE html>
+    <html><head><meta charset="utf-8"><title>M1</title></head>
+    <body><h1>M1</h1><p>控制节点 + Ingress</p><p><strong>Backend: M1</strong></p></body></html>
+  default.conf: |
+    server { listen 80 default_server; server_name _; root /usr/share/nginx/html; index index.html; location / { add_header X-Backend "M1"; try_files $uri $uri/ /index.html; } }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-m1
+  namespace: default
+  labels:
+    app: nginx-m1
+    matrix: "03-02-m1"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-m1
+  template:
+    metadata:
+      labels:
+        app: nginx-m1
+    spec:
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      tolerations:
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoSchedule
+      volumes:
+        - name: html
+          configMap:
+            name: nginx-m1-html
+      containers:
+        - name: nginx
+          image: nginx:alpine
+          ports:
+            - containerPort: 80
+          volumeMounts:
+            - name: html
+              mountPath: /usr/share/nginx/html/index.html
+              subPath: index.html
+              readOnly: true
+            - name: html
+              mountPath: /etc/nginx/conf.d/default.conf
+              subPath: default.conf
+              readOnly: true
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-m1
+  namespace: default
+spec:
+  selector:
+    app: nginx-m1
+  ports:
+    - port: 80
+      targetPort: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nginx-m1
+  namespace: default
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls.certresolver: cloudflare
+spec:
+  tls:
+    - hosts:
+        - test01.jackadam.top
+  rules:
+    - host: test01.jackadam.top
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: nginx-m1
+                port:
+                  number: 80
+---
+# 03-02 HTTP-only：M1 路由（仅 web，无 TLS），与 nginx-m1 共用 Service
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nginx-m1-http
+  namespace: default
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: web
+spec:
+  rules:
+    - host: test01.jackadam.top
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: nginx-m1
+                port:
+                  number: 80
--- a/ansible/files/nginx-matrix-tls/02-control-ingressroute.yaml
+++ b/ansible/files/nginx-matrix-tls/02-control-ingressroute.yaml
@@ -0,0 +1,98 @@
+# 03-02 TLS: M2 控制节点 + IngressRoute，路径 /（根路径），域名 test02.jackadam.top
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-m2-html
+  namespace: default
+data:
+  index.html: |
+    <!DOCTYPE html>
+    <html><head><meta charset="utf-8"><title>M2</title></head>
+    <body><h1>M2</h1><p>控制节点 + IngressRoute</p></body></html>
+  default.conf: |
+    server { listen 80; server_name localhost; root /usr/share/nginx/html; index index.html; location / { add_header X-Backend "M2"; try_files $uri $uri/ /index.html; } }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-m2
+  namespace: default
+  labels:
+    app: nginx-m2
+    matrix: "03-02-m2"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-m2
+  template:
+    metadata:
+      labels:
+        app: nginx-m2
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: ylc61
+      volumes:
+        - name: html
+          configMap:
+            name: nginx-m2-html
+      containers:
+        - name: nginx
+          image: nginx:alpine
+          ports:
+            - containerPort: 80
+          volumeMounts:
+            - name: html
+              mountPath: /usr/share/nginx/html/index.html
+              subPath: index.html
+              readOnly: true
+            - name: html
+              mountPath: /etc/nginx/conf.d/default.conf
+              subPath: default.conf
+              readOnly: true
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-m2
+  namespace: default
+spec:
+  selector:
+    app: nginx-m2
+  ports:
+    - port: 80
+      targetPort: 80
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx-m2
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`test02.jackadam.top`)
+      kind: Rule
+      services:
+        - name: nginx-m2
+          port: 80
+  tls:
+    certResolver: cloudflare
+---
+# 03-02 HTTP-only：M2 路由（仅 web，无 TLS），与 nginx-m2 共用 Service
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx-m2-http
+  namespace: default
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`test02.jackadam.top`)
+      kind: Rule
+      services:
+        - name: nginx-m2
+          port: 80
--- a/ansible/files/nginx-matrix-tls/03-worker-ingress.yaml
+++ b/ansible/files/nginx-matrix-tls/03-worker-ingress.yaml
@@ -0,0 +1,110 @@
+# 03-02 TLS: M3 工作节点 + Ingress，路径 /（根路径），域名 test03.jackadam.top
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-m3-html
+  namespace: default
+data:
+  index.html: |
+    <!DOCTYPE html>
+    <html><head><meta charset="utf-8"><title>M3</title></head>
+    <body><h1>M3</h1><p>工作节点 + Ingress</p></body></html>
+  default.conf: |
+    server { listen 80; server_name localhost; root /usr/share/nginx/html; index index.html; location / { add_header X-Backend "M3"; try_files $uri $uri/ /index.html; } }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-m3
+  namespace: default
+  labels:
+    app: nginx-m3
+    matrix: "03-02-m3"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-m3
+  template:
+    metadata:
+      labels:
+        app: nginx-m3
+    spec:
+      nodeSelector:
+        node-role.kubernetes.io/worker: ""
+      volumes:
+        - name: html
+          configMap:
+            name: nginx-m3-html
+      containers:
+        - name: nginx
+          image: nginx:alpine
+          ports:
+            - containerPort: 80
+          volumeMounts:
+            - name: html
+              mountPath: /usr/share/nginx/html/index.html
+              subPath: index.html
+              readOnly: true
+            - name: html
+              mountPath: /etc/nginx/conf.d/default.conf
+              subPath: default.conf
+              readOnly: true
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-m3
+  namespace: default
+spec:
+  selector:
+    app: nginx-m3
+  ports:
+    - port: 80
+      targetPort: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nginx-m3
+  namespace: default
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls.certresolver: cloudflare
+spec:
+  tls:
+    - hosts:
+        - test03.jackadam.top
+  rules:
+    - host: test03.jackadam.top
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: nginx-m3
+                port:
+                  number: 80
+---
+# 03-02 HTTP-only：M3 路由（仅 web，无 TLS），与 nginx-m3 共用 Service
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nginx-m3-http
+  namespace: default
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: web
+spec:
+  rules:
+    - host: test03.jackadam.top
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: nginx-m3
+                port:
+                  number: 80
--- a/ansible/files/nginx-matrix-tls/04-worker-ingressroute.yaml
+++ b/ansible/files/nginx-matrix-tls/04-worker-ingressroute.yaml
@@ -0,0 +1,98 @@
+# 03-02 TLS: M4 工作节点 + IngressRoute，路径 /（根路径），域名 test04.jackadam.top
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-m4-html
+  namespace: default
+data:
+  index.html: |
+    <!DOCTYPE html>
+    <html><head><meta charset="utf-8"><title>M4</title></head>
+    <body><h1>M4</h1><p>工作节点 + IngressRoute</p></body></html>
+  default.conf: |
+    server { listen 80; server_name localhost; root /usr/share/nginx/html; index index.html; location / { add_header X-Backend "M4"; try_files $uri $uri/ /index.html; } }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-m4
+  namespace: default
+  labels:
+    app: nginx-m4
+    matrix: "03-02-m4"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-m4
+  template:
+    metadata:
+      labels:
+        app: nginx-m4
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: ylc64
+      volumes:
+        - name: html
+          configMap:
+            name: nginx-m4-html
+      containers:
+        - name: nginx
+          image: nginx:alpine
+          ports:
+            - containerPort: 80
+          volumeMounts:
+            - name: html
+              mountPath: /usr/share/nginx/html/index.html
+              subPath: index.html
+              readOnly: true
+            - name: html
+              mountPath: /etc/nginx/conf.d/default.conf
+              subPath: default.conf
+              readOnly: true
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-m4
+  namespace: default
+spec:
+  selector:
+    app: nginx-m4
+  ports:
+    - port: 80
+      targetPort: 80
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx-m4
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`test04.jackadam.top`) 
+      kind: Rule
+      services:
+        - name: nginx-m4
+          port: 80
+  tls:
+    certResolver: cloudflare
+---
+# 03-02 HTTP-only：M4 路由（仅 web，无 TLS），与 nginx-m4 共用 Service
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx-m4-http
+  namespace: default
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`test04.jackadam.top`)
+      kind: Rule
+      services:
+        - name: nginx-m4
+          port: 80