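#!/usr/bin/env bash
# 03-03 Traefik Dashboard + ACME merged-config verification
#
# Usage: ./scripts/03-verify-traefik-dashboard-acme.sh [--apply]
#
# Default: only check the template and the current cluster state.
# With --apply: push traefik-dashboard-acme to the cluster and verify the
# dashboard. This may restart Traefik; the new Pod has to obtain its
# certificate again.
#
# Prerequisites: 03-02 ACME is deployed (incl. cloudflare-api-token) and
# `ssh ylc61` works non-interactively (BatchMode: no password or host-key
# prompt — an unknown/changed host key is a hard failure, which is intended).
#
# Environment overrides: REMOTE_HOST, REMOTE_USER, ENTRY_IP, OPENWRT_IP,
# HTTPS_PORT, ACME_EMAIL (skips reading the e-mail from the cluster).
#
# Security notes:
#   * Step 1 REQUIRES `api.insecure=true` in the template, i.e. the Traefik
#     API/dashboard is served without authentication, and step 3 probes it over
#     plain HTTP. Anything that can reach that entrypoint can read the full
#     router/service/middleware configuration. Restricting that exposure
#     (LAN-only, ipAllowList/auth middleware on the IngressRoute) is NOT
#     checked here — confirm it separately.
#   * The ACME probe verifies the TLS chain (no `curl -k`). "[OK]" therefore
#     means a trusted certificate was served, not merely that something answered
#     on 443 — with `-k` the Traefik default self-signed cert also passed.
#   * Nothing secret is written locally; the rendered template only contains the
#     ACME e-mail. Remote staging uses a per-run mktemp dir instead of a fixed
#     /tmp path that another local user on the node could pre-create/symlink.
set -euo pipefail

ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
REMOTE_HOST="${REMOTE_HOST:-ylc61}"
REMOTE_USER="${REMOTE_USER:-root}"
CFG_SRC="${ROOT_DIR}/ansible/files/traefik-dashboard-acme/traefik-dashboard-acme.yaml"
ENTRY_IP="${ENTRY_IP:-192.168.2.61}"
OPENWRT_IP="${OPENWRT_IP:-192.168.2.1}"
HTTPS_PORT="${HTTPS_PORT:-18443}"
ACME_DOMAIN="test01.jackadam.top"
# kubeconfig path on the remote k3s node; only used inside ssh command strings.
REMOTE_KUBECONFIG="/etc/rancher/k3s/k3s.yaml"

DO_APPLY=0
[[ "${1:-}" == "--apply" ]] && DO_APPLY=1

# ssh/scp options kept as an array so a ROOT_DIR containing spaces does not
# break the `-i <key>` pair through word splitting.
SSH_OPTS=(-o BatchMode=yes -o ConnectTimeout=10)
SSH_KEY="${ROOT_DIR}/.ssh/id_ed25519_k3s_192.168.2.61"
[[ -f "$SSH_KEY" ]] && SSH_OPTS+=(-i "$SSH_KEY")
REMOTE="${REMOTE_USER}@${REMOTE_HOST}"

#######################################
# Run a command string on the remote node over ssh.
# Arguments: $@ - passed through to ssh (a single string is run by the remote shell)
# Returns:   ssh's exit status
#######################################
remote() { ssh "${SSH_OPTS[@]}" "$REMOTE" "$@"; }

#######################################
# HTTP(S) probe with a 10 s budget.
# Globals:   PROBE_CODE (written) - 3-digit status, "000" when curl failed
#            PROBE_RC   (written) - curl exit status (60 = certificate not trusted)
# Arguments: $@ - curl arguments (URL, --resolve, ...)
# Returns:   always 0; inspect PROBE_CODE / PROBE_RC
#######################################
probe() {
  local rc=0 code
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$@" 2>/dev/null) || rc=$?
  # On failure curl already prints "000"; the original `|| echo 000` fallback
  # appended a second "000" and reported "000000". Normalise to one code.
  [[ "$code" =~ ^[0-9]{3}$ ]] || code="000"
  PROBE_CODE="$code"
  PROBE_RC="$rc"
}

echo "=== 03-03 Traefik Dashboard + ACME 验证 ==="

# 1. The merged template must carry the 03-01 (dashboard) and 03-02 (ACME) settings.
echo "[1/3] 核对模板(dashboard + ACME + ping + PROXY)..."
[[ -f "$CFG_SRC" ]] || { echo " [FAIL] 模板不存在: ${CFG_SRC}"; exit 1; }
if ! { grep -q "api.dashboard=true" "$CFG_SRC" && grep -q "api.insecure=true" "$CFG_SRC"; }; then
  echo " [FAIL] 缺少 dashboard 参数"; exit 1
fi
if ! { grep -q "certificatesresolvers.cloudflare" "$CFG_SRC" && grep -q "acme.dnschallenge" "$CFG_SRC"; }; then
  echo " [FAIL] 缺少 ACME 参数"; exit 1
fi
if ! { grep -q "ping.entryPoint=websecure" "$CFG_SRC" && grep -q "proxyProtocol.trustedIPs" "$CFG_SRC"; }; then
  echo " [FAIL] 缺少 ping/PROXY 参数"; exit 1
fi
# Informational only (the original check was a no-op `|| true`): an IngressRoute
# for the unauthenticated dashboard is where access restriction would have to live.
if grep -q "ingressRoute:" "$CFG_SRC" && grep -q "dashboard:" "$CFG_SRC"; then
  echo " [INFO] 模板声明了 dashboard IngressRoute(请确认已限制访问来源)"
fi
echo " [OK] 模板包含 03-01 + 03-02 合并要素"

# 2. Current cluster ACME state: first directly via the entry node on 443,
#    then via the OpenWrt port-forward. Chain verification is ON.
echo "[2/3] 当前集群 ACME(${ACME_DOMAIN})..."
probe "https://${ACME_DOMAIN}/" --resolve "${ACME_DOMAIN}:443:${ENTRY_IP}"
if [[ "$PROBE_CODE" != "200" ]]; then
  probe "https://${ACME_DOMAIN}:${HTTPS_PORT}/" --resolve "${ACME_DOMAIN}:${HTTPS_PORT}:${OPENWRT_IP}"
fi
CODE="$PROBE_CODE"
if [[ "$CODE" == "200" ]]; then
  echo " [OK] ACME TLS 200"
elif [[ "$PROBE_RC" -eq 60 ]]; then
  echo " [WARN] ACME 证书校验失败(可能仍是 Traefik 默认自签证书,curl rc=60)"
else
  echo " [WARN] ACME 返回 ${CODE}"
fi

# 3. Optional apply
if [[ $DO_APPLY -eq 1 ]]; then
  echo "[3/3] 应用 traefik-dashboard-acme(会触发 Traefik 重启)..."

  # Reuse the ACME e-mail already configured in the cluster unless ACME_EMAIL
  # is given. With pipefail a missing value used to abort the script silently
  # (grep exit 1 under set -e); report it instead.
  EMAIL="${ACME_EMAIL:-}"
  if [[ -z "$EMAIL" ]]; then
    EMAIL=$(remote "KUBECONFIG=${REMOTE_KUBECONFIG} kubectl get helmchartconfig traefik -n kube-system -o jsonpath='{.spec.valuesContent}' 2>/dev/null" \
      | grep -oE 'acme\.email=[^[:space:]"'"'"']+' | cut -d= -f2- | head -1) || true
  fi
  if [[ -z "$EMAIL" ]]; then
    echo " [FAIL] 未能从集群 HelmChartConfig 读取 acme.email,可通过 ACME_EMAIL 指定"; exit 1
  fi
  # The value is spliced into a sed replacement below; restrict it to a plain
  # mailbox form so '&', '\', '|' or shell metacharacters cannot get in.
  if [[ ! "$EMAIL" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$ ]]; then
    echo " [FAIL] acme.email 格式异常: ${EMAIL}"; exit 1
  fi

  # Render locally (no e-mail interpolated into a remote shell command), then
  # ship the result to a per-run remote temp dir.
  LOCAL_TMP=$(mktemp -d)
  trap 'rm -rf -- "${LOCAL_TMP:?}"' EXIT
  RENDERED="${LOCAL_TMP}/traefik-dashboard-acme.yaml"
  # NOTE(review): the original used `sed -i 's||EMAIL|g'` — an empty regex,
  # which sed rejects ("no previous regular expression"); the placeholder token
  # was presumably lost. Rather than guess it, overwrite whatever currently
  # follows `acme.email=` in the template (the same key the lookup above reads).
  sed -E "s|(acme\.email=)[^[:space:]\"']*|\1${EMAIL}|g" "$CFG_SRC" > "$RENDERED"
  if ! grep -qF -- "acme.email=${EMAIL}" "$RENDERED"; then
    echo " [FAIL] 模板中未找到 acme.email= 可替换位置"; exit 1
  fi

  REMOTE_TMP=$(remote "mktemp -d /tmp/traefik-verify.XXXXXX")
  # mktemp output is interpolated into further remote commands; make sure it is
  # the expected path shape and nothing else came back on stdout.
  if [[ ! "$REMOTE_TMP" =~ ^/tmp/traefik-verify\.[A-Za-z0-9]+$ ]]; then
    echo " [FAIL] 远端 mktemp 返回异常: ${REMOTE_TMP}"; exit 1
  fi
  scp -q "${SSH_OPTS[@]}" "$RENDERED" "${REMOTE}:${REMOTE_TMP}/traefik-dashboard-acme.yaml"
  remote "KUBECONFIG=${REMOTE_KUBECONFIG} kubectl apply -f ${REMOTE_TMP}/traefik-dashboard-acme.yaml"
  remote "KUBECONFIG=${REMOTE_KUBECONFIG} kubectl -n kube-system rollout status deploy/traefik --timeout=180s" \
    || echo " [WARN] rollout 超时,可检查 Pod 与 ACME 日志"
  # best-effort cleanup of the staged copy on the node
  remote "rm -rf -- ${REMOTE_TMP}" || true

  # The dashboard is probed over plain HTTP without credentials: a 200 here
  # means it is readable by anyone who can reach ENTRY_IP.
  probe "http://${ENTRY_IP}/dashboard/"
  if [[ "$PROBE_CODE" == "200" || "$PROBE_CODE" == "307" ]]; then
    echo " [OK] Dashboard 返回 ${PROBE_CODE}"
  else
    echo " [WARN] Dashboard 返回 ${PROBE_CODE}"
  fi
else
  echo "[3/3] 跳过 apply(加 --apply 可尝试应用并验证 Dashboard)"
fi

# [WARN] lines above are not fatal; [PASS] only means the hard checks passed.
echo ""
echo "[PASS] 03-03 验证完成"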