- Ansible: 部署时自动配置 CoreDNS forward 为 IPv4,避免 ACME 解析失败 - 01-01/01-07: 文档增加 CoreDNS 设置说明 - 03-03: Tomcat webapps.dist 复制、HTTP/HTTPS 双 Ingress、显式 Dashboard IngressRoute - traefik-dashboard-acme: tomcat-acme.yaml、404 排查说明 - HAProxy: 健康检查与 PROXY 配置拆分,18080/18443 部署与验证脚本 Made-with: Cursor
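#!/usr/bin/env bash
# 03-03 Traefik Dashboard + ACME merged-configuration verification.
#
# Usage: ./scripts/03-verify-traefik-dashboard-acme.sh [--apply]
#
# Default: only check the template and the current cluster state. With
# --apply, additionally push traefik-dashboard-acme to the cluster and verify
# the Dashboard (this may restart Traefik; the new Pod has to obtain its
# certificate again).
#
# Prerequisites: 03-02 ACME deployed (including cloudflare-api-token);
# `ssh ylc61` works non-interactively.
#
# Optional environment overrides:
#   REMOTE_HOST / REMOTE_USER  SSH target (default ylc61 / root)
#   SSH_KEY                    private key for the SSH target (default: key under <repo>/.ssh)
#   ENTRY_IP                   Traefik entrypoint IP on the k3s node (default 192.168.2.61)
#   OPENWRT_IP                 front IP used by the fallback HTTPS probe (default 192.168.2.1)
#   HTTPS_PORT                 external HTTPS port used by the fallback probe (default 18443)
#   TEST_HOST                  hostname whose ACME certificate is probed (default test01.jackadam.top)
set -euo pipefail

ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
readonly ROOT_DIR
REMOTE_HOST="${REMOTE_HOST:-ylc61}"
REMOTE_USER="${REMOTE_USER:-root}"
CFG_SRC="${ROOT_DIR}/ansible/files/traefik-dashboard-acme/traefik-dashboard-acme.yaml"
ENTRY_IP="${ENTRY_IP:-192.168.2.61}"
OPENWRT_IP="${OPENWRT_IP:-192.168.2.1}"
HTTPS_PORT="${HTTPS_PORT:-18443}"
TEST_HOST="${TEST_HOST:-test01.jackadam.top}"
DO_APPLY=0
[[ "${1:-}" == "--apply" ]] && DO_APPLY=1

# SSH options live in an array so a key path containing spaces survives
# word splitting when handed to ssh/scp.
SSH_OPTS=(-o BatchMode=yes -o ConnectTimeout=10)
SSH_KEY="${SSH_KEY:-${ROOT_DIR}/.ssh/id_ed25519_k3s_192.168.2.61}"
[[ -f "$SSH_KEY" ]] && SSH_OPTS+=(-i "$SSH_KEY")
# Path of the kubeconfig on the remote k3s node. It is only interpolated into
# remote command lines; it is deliberately not exported, so a local kubectl is
# unaffected.
KUBECONFIG="/etc/rancher/k3s/k3s.yaml"

#######################################
# Run a command line on the remote k3s node.
# Globals:   SSH_OPTS, REMOTE_USER, REMOTE_HOST (read)
# Arguments: the remote command line (one string, as the remote shell parses it)
# Returns:   ssh's exit status
#######################################
remote() {
  ssh "${SSH_OPTS[@]}" "${REMOTE_USER}@${REMOTE_HOST}" "$@"
}

#######################################
# Require every given fixed string to appear in the template.
# Globals:   CFG_SRC (read)
# Arguments: $1 - label for the failure message; $2.. - literal strings
# Outputs:   " [FAIL] 缺少 <label> 参数" on the first miss, then exits 1
#######################################
require_in_template() {
  local label=$1
  shift
  local pat
  for pat in "$@"; do
    grep -qF -- "$pat" "$CFG_SRC" || { echo " [FAIL] 缺少 ${label} 参数"; exit 1; }
  done
}

#######################################
# Step 1: the merged template must carry the 03-01 (dashboard) and 03-02
# (ACME, ping, PROXY protocol) settings.
# Globals:   CFG_SRC (read)
#######################################
check_template() {
  echo "[1/3] 核对模板(dashboard + ACME + ping + PROXY)..."
  require_in_template "dashboard" "api.dashboard=true" "api.insecure=true"
  require_in_template "ACME" "certificatesresolvers.cloudflare" "acme.dnschallenge"
  require_in_template "ping/PROXY" "ping.entryPoint=websecure" "proxyProtocol.trustedIPs"
  # The Helm-managed IngressRoute for the dashboard is optional; report it but
  # never fail on it.
  if ! { grep -qF -- "ingressRoute:" "$CFG_SRC" && grep -qF -- "dashboard:" "$CFG_SRC"; }; then
    echo " [INFO] 模板未包含 ingressRoute/dashboard 键(可选)"
  fi
  echo " [OK] 模板包含 03-01 + 03-02 合并要素"
}

#######################################
# HTTPS probe of TEST_HOST routed to a given IP:port.
# Certificate verification is left ON: the point of this step is to confirm the
# ACME certificate is in place, and an insecure (-k) probe would also report 200
# for Traefik's self-signed default certificate.
# Globals:   TEST_HOST (read)
# Arguments: $1 - IP to resolve TEST_HOST to; $2 - TCP port
# Outputs:   the HTTP status code, or 000 when curl fails (refused, timeout,
#            untrusted certificate)
#######################################
probe_https() {
  local ip=$1 port=$2 code
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
    "https://${TEST_HOST}:${port}/" --resolve "${TEST_HOST}:${port}:${ip}" 2>/dev/null) || code="000"
  printf '%s\n' "${code:-000}"
}

#######################################
# Step 2: current ACME state, first directly on the entrypoint, then through
# the front (OpenWrt/HAProxy) port as a fallback.
# Globals:   TEST_HOST, ENTRY_IP, OPENWRT_IP, HTTPS_PORT (read)
#######################################
check_acme() {
  local code
  echo "[2/3] 当前集群 ACME(${TEST_HOST})..."
  code=$(probe_https "$ENTRY_IP" 443)
  if [[ "$code" != "200" ]]; then
    code=$(probe_https "$OPENWRT_IP" "$HTTPS_PORT")
  fi
  if [[ "$code" == "200" ]]; then
    echo " [OK] ACME TLS 200"
  else
    echo " [WARN] ACME 返回 ${code}"
  fi
}

#######################################
# Read the acme.email currently configured in the cluster's Traefik
# HelmChartConfig. A failed ssh/kubectl or a missing match yields an empty
# result instead of aborting the script (the bare pipeline under pipefail
# used to exit before any fallback could run).
# Globals:   KUBECONFIG (read)
# Outputs:   the e-mail on stdout, or nothing
#######################################
cluster_acme_email() {
  local values="" re
  values=$(remote "KUBECONFIG=${KUBECONFIG} kubectl get helmchartconfig traefik -n kube-system -o jsonpath='{.spec.valuesContent}' 2>/dev/null") \
    || { values=""; echo " [WARN] 无法读取集群 HelmChartConfig" >&2; }
  # Same character class as the original grep: stop at whitespace or quotes.
  re="acme\\.email=([^[:space:]\"']+)"
  if [[ $values =~ $re ]]; then
    printf '%s\n' "${BASH_REMATCH[1]}"
  fi
}

#######################################
# Step 3 (--apply): push the template to the node, substitute the e-mail,
# apply it, wait for the rollout and probe the Dashboard.
# Globals:   CFG_SRC, KUBECONFIG, REMOTE_USER, REMOTE_HOST, SSH_OPTS, ENTRY_IP (read)
#######################################
apply_and_verify() {
  local email email_re remote_dir code
  echo "[3/3] 应用 traefik-dashboard-acme(会触发 Traefik 重启)..."

  email=$(cluster_acme_email)
  # The value is spliced into a sed expression executed on the remote shell, so
  # only a plain e-mail address is accepted; anything else is discarded and the
  # placeholder is kept instead.
  email_re='^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$'
  if [[ -n "$email" && ! "$email" =~ $email_re ]]; then
    echo " [WARN] 集群中的 acme.email 格式异常,已忽略"
    email=""
  fi
  if [[ -z "$email" ]]; then
    # Applying the template with the placeholder left in place means ACME
    # registration will not work; say so rather than failing silently later.
    echo " [WARN] 未从集群读到 acme.email,模板中的 <YOUR_REAL_EMAIL> 占位符保持原样"
    email="<YOUR_REAL_EMAIL>"
  fi

  # Unpredictable staging directory on the node instead of a fixed /tmp path.
  remote_dir=$(remote "mktemp -d /tmp/traefik-verify.XXXXXX")
  scp -q "${SSH_OPTS[@]}" "$CFG_SRC" "${REMOTE_USER}@${REMOTE_HOST}:${remote_dir}/traefik-dashboard-acme.yaml"
  remote "sed -i 's|<YOUR_REAL_EMAIL>|${email}|g' '${remote_dir}/traefik-dashboard-acme.yaml'"
  remote "KUBECONFIG=${KUBECONFIG} kubectl apply -f '${remote_dir}/traefik-dashboard-acme.yaml'"
  remote "KUBECONFIG=${KUBECONFIG} kubectl -n kube-system rollout status deploy/traefik --timeout=180s" \
    || echo " [WARN] rollout 超时,可检查 Pod 与 ACME 日志"
  # Best-effort cleanup; an earlier failure under set -e leaves the directory,
  # which only holds the rendered template.
  remote "rm -rf -- '${remote_dir:?}'" || true

  # Step 1 requires api.insecure=true, i.e. the dashboard API is served without
  # authentication; this probe only confirms /dashboard/ answers on the
  # entrypoint IP, not that access to it is restricted.
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "http://${ENTRY_IP}/dashboard/" 2>/dev/null) || code="000"
  if [[ "${code:-000}" == "200" || "${code:-000}" == "307" ]]; then
    echo " [OK] Dashboard 返回 ${code}"
  else
    echo " [WARN] Dashboard 返回 ${code:-000}"
  fi
}

main() {
  echo "=== 03-03 Traefik Dashboard + ACME 验证 ==="
  check_template
  check_acme
  if (( DO_APPLY )); then
    apply_and_verify
  else
    echo "[3/3] 跳过 apply(加 --apply 可尝试应用并验证 Dashboard)"
  fi
  echo ""
  echo "[PASS] 03-03 验证完成"
}

main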