feat(deploy): 首次提交

这个提交包含在:
2024-04-07 19:42:51 +08:00
未验证
当前提交 baf810745e
修改 28 个文件,包含 859 行新增0 行删除
+20
@@ -0,0 +1,20 @@
# postgresql-ha
helm instll postgresql-ha \
--set global.postgresql.username=rohow \
--set global.postgresql.password=XXX \
--set postgresql.postgresPassword=XXX \
--set namespaceOverride=infra-data \
oci://registry-1.docker.io/bitnamicharts/postgresql-ha --output-dir .
# redis
helm instll redis \
--set replica.replicaCount=0 \
--set global.redis.password=XXX \
--set namespaceOverride=infra-data \
oci://registry-1.docker.io/bitnamicharts/redis --output-dir .
# gitea
helm instll gitea \
--set redis-cluster.enabled=false \
--set postgresql-ha.enabled=false \
oci://registry-1.docker.io/giteacharts/gitea --output-dir .
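Review bot: `helm instll` on all three install lines is a typo for `helm install`, so none of these commands run as written. `--output-dir` is also not a flag of `helm install`; if the goal is to render the charts to disk, `helm template … --output-dir .` is the command that accepts it — confirm which was intended and fix the three lines accordingly. The `XXX` placeholders are the right approach here; note that the HelmChart manifests elsewhere in this commit carry the real values instead.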
+35
@@ -0,0 +1,35 @@
# 需要提前安装crds
# kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: cert-manager-webhook-dnspod
namespace: infra-cert
spec:
chart: oci://registry-1.docker.io/imroc/cert-manager-webhook-dnspod
targetNamespace: infra-cert
valuesContent: |-
namespace: infra-cert
certManager:
namespace: infra-cert
groupName: cert.dev.cm
clusterIssuer:
# cnameStrategy: Follow
staging: false
email: admin@dev.cm
secretId: AKIDzmKdvDSfonogKip55pIVR6h7ScjaBWcg
secretKey: zudDdtytkPr8HI9oKeniSxIRPCmCe0CD
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/master
operator: In
values:
- "true"
tolerations:
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
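Review bot: `secretId` and `secretKey` under `clusterIssuer` are a Tencent Cloud API credential committed in plaintext; anyone with read access to this repository (or to the rendered `HelmChart` object) can change DNS for the zone, which is enough to obtain certificates for `*.dev.cm`. Treat the key as compromised and rotate it, then keep it out of `valuesContent` — store it in a `Secret` in `infra-cert` and reference it from the chart values if the chart supports an existing secret, or via the helm-controller's `valuesSecrets` field if the installed k3s version provides it. The `chart:` reference carries no `version:`, unlike the cert-manager chart in this commit, so a reconcile can silently pull a new chart revision; pin it.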
+54
@@ -0,0 +1,54 @@
# 需要提前安装crds
# kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: cert-manager
namespace: infra-cert
spec:
repo: https://charts.jetstack.io
chart: cert-manager
targetNamespace: infra-cert
version: v1.14.4
valuesContent: |-
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/master
operator: In
values:
- "true"
tolerations:
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
webhook:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/master
operator: In
values:
- "true"
tolerations:
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
cainjector:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/master
operator: In
values:
- "true"
tolerations:
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
+27
@@ -0,0 +1,27 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: gitea-custom-templates
namespace: infra-devops
data:
home.tmpl: |-
{{template "base/head" .}}
<div class="page-content home">
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center aligned centered column">
<div>
<img class="logo" width="220" height="220" src="{{AssetUrlPrefix}}/img/logo.svg"/>
</div>
<div class="hero">
<h1 class="ui icon header title">
{{AppName}}
</h1>
<h2><a href="https://git.dev.cm">dev.cm</a> - Git 仓库</h2>
</div>
</div>
</div>
</div>
{{template "base/footer" .}}
extra_links.tmpl: |-
<a class="item" href="https://ci.dev.cm" target="_blank">CI</a>
+61
@@ -0,0 +1,61 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: gitea
namespace: infra-devops
spec:
repo: https://dl.gitea.com/charts
chart: gitea
targetNamespace: infra-devops
valuesContent: |-
redis-cluster:
enabled: false
postgresql-ha:
enabled: false
gitea:
config:
APP_NAME: Git.dev.cm
RUN_MODE: prod
server:
DOMAIN: git.dev.cm
ROOT_URL: https://git.dev.cm/
database:
DB_TYPE: postgres
HOST: postgresql-ha-pgpool.infra-data:5432
NAME: gitea
USER: rohow
PASSWD: L#GRtTR2QuL@20pm6+c~
session:
PROVIDER: redis
PROVIDER_CONFIG: redis://:ribiPwYQNU6GWxCYR0Nj@redis-master.infra-data:6379/0
cache:
ADAPTER: redis
HOST: redis://:ribiPwYQNU6GWxCYR0Nj@redis-master.infra-data:6379/0?pool_size=100&idle_timeout=180s
queue:
TYPE: redis
CONN_STR: redis://:ribiPwYQNU6GWxCYR0Nj@redis-master.infra-data:6379/0
service:
DISABLE_REGISTRATION: true
NO_REPLY_ADDRESS: noreply.dev.cm
picture:
GRAVATAR_SOURCE: https://cravatar.cn/avatar/
i18n:
LANGS: zh-CN,en-US
NAMES: 简体中文,English
extraVolumes:
- name: gitea-custom-templates-volume
configMap:
name: gitea-custom-templates
items:
- key: home.tmpl
path: home.tmpl
- key: extra_links.tmpl
path: custom/extra_links.tmpl
extraContainerVolumeMounts:
- name: gitea-custom-templates-volume
readOnly: true
mountPath: /data/gitea/templates
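Review bot: The database password at `PASSWD:` and the Redis password embedded in the three `redis://:…@redis-master.infra-data` URLs are committed in plaintext and are rendered verbatim into Gitea's `app.ini`; rotate both and move them out of `valuesContent` — the Gitea chart's `gitea.additionalConfigSources` (a Secret mounted as an ini fragment) or `gitea.additionalConfigFromEnvs` is the usual way to keep `database.PASSWD` and the connection strings out of the manifest. Because the same Redis credential appears under `session`, `cache` and `queue`, a rotation has to touch all three, which is one more reason to source it once from a Secret. This HelmChart has no `version:`, and the custom `home.tmpl` mounted at `/data/gitea/templates` is tied to the template layout of a particular Gitea release, so an unpinned chart bump can break the home page; pin the chart version.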
+16
@@ -0,0 +1,16 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: gitea-http
namespace: infra-devops
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`git.dev.cm`)
services:
- kind: Service
name: gitea-http
namespace: infra-devops
port: 3000
+14
@@ -0,0 +1,14 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: gitea-ssh
namespace: infra-devops
spec:
entryPoints:
- ssh
routes:
- match: HostSNI(`*`)
services:
- name: gitea-ssh
namespace: infra-devops
port: 22
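Review bot: The `HostSNI(*)` catch-all on a raw TCP entrypoint is the expected form for SSH, but the route passes nothing about the original client to the `gitea-ssh` service, and Traefik appears to run with `hostNetwork` elsewhere in this commit, so Gitea will record Traefik's address as the SSH peer for every connection. Confirm that is acceptable before relying on Gitea-side source-IP logging, abuse detection or rate limiting for SSH, and leave a one-line comment on the route stating the limitation.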
+24
@@ -0,0 +1,24 @@
apiVersion: v1
kind: Namespace
metadata:
name: apps
---
apiVersion: v1
kind: Namespace
metadata:
name: infra-data
---
apiVersion: v1
kind: Namespace
metadata:
name: infra-cert
---
apiVersion: v1
kind: Namespace
metadata:
name: infra-devops
---
apiVersion: v1
kind: Namespace
metadata:
name: infra-monitor
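Review bot: The namespaces are created bare, with no Pod Security Admission labels; since `apps` is presumably where ordinary workloads land, it is cheapest to set the constraint at creation rather than retrofit it later. Consider adding `pod-security.kubernetes.io/enforce: baseline` (and `restricted` where the workload permits) to the `apps` namespace metadata, and a comment on the `infra-*` namespaces explaining why they are exempt if they must run privileged components.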
+60
@@ -0,0 +1,60 @@
http:
routers:
router:
entryPoints:
- websecure
rule: "Host(`router.dev.cm`)"
service: "router@file"
middlewares:
- web-base
vm:
entryPoints:
- websecure
rule: "Host(`vm.dev.cm`)"
service: "vm@file"
middlewares:
- web-base
nas:
entryPoints:
- websecure
rule: "Host(`nas.dev.cm`)"
service: "nas@file"
middlewares:
- web-base
download:
entryPoints:
- websecure
rule: "Host(`download.dev.cm`)"
service: "download@file"
middlewares:
- traefik-forward-auth
- web-base
downloadRpc:
entryPoints:
- websecure
rule: "Host(`download.dev.cm`) && PathPrefix(`/jsonrpc`)"
service: "downloadRpc@file"
middlewares:
- web-base
services:
router:
loadBalancer:
servers:
- url: "https://192.168.21.1/"
vm:
loadBalancer:
servers:
- url: "https://192.168.21.2:8006/"
nas:
loadBalancer:
servers:
- url: "http://192.168.21.3/"
download:
loadBalancer:
servers:
- url: "http://192.168.21.3:6880/"
downloadRpc:
loadBalancer:
servers:
- url: "http://192.168.21.3:6800/"
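Review bot: The `downloadRpc` router (`download.dev.cm` plus `PathPrefix /jsonrpc`) is more specific than `download` and therefore wins for that path, but it only carries `web-base` and not `traefik-forward-auth`, so the JSON-RPC endpoint on `192.168.21.3:6800` is reachable without the SSO check that protects the UI on the same host. If that is deliberate (a client that cannot complete the forward-auth flow), add a comment saying so and confirm the backend enforces its own RPC secret; otherwise add `traefik-forward-auth` to `downloadRpc` as well. The `router`, `vm` and `nas` routers likewise have no auth middleware and publish management interfaces on `192.168.21.1`–`192.168.21.3` to anyone who can reach the ingress, relying entirely on each appliance's own login. `web-base` and `traefik-forward-auth` are referenced here but defined outside this file, so the actual protection depends on content not in this commit.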
+37
@@ -0,0 +1,37 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: postgresql-ha
namespace: infra-data
spec:
chart: oci://registry-1.docker.io/bitnamicharts/postgresql-ha
targetNamespace: infra-data
valuesContent: |-
tolerations:
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
global:
postgresql:
username: rohow
password: L#GRtTR2QuL@20pm6+c~
postgresql:
image:
debug: true
postgresPassword: L#GRtTR2QuL@20pm6+c~
nodeAffinityPreset:
type: "hard"
key: "topology.kubernetes.io/region"
values:
- "cn-sh"
pgpool:
image:
debug: true
nodeAffinityPreset:
type: "hard"
key: "topology.kubernetes.io/region"
values:
- "cn-sh"
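Review bot: `global.postgresql.password` and `postgresql.postgresPassword` are the same plaintext value, so the application user `rohow` and the `postgres` superuser share one credential; a leak of the Gitea configuration (which carries this same password in this commit) then yields superuser on the database. Use a distinct superuser password and source both from a Secret — the Bitnami chart exposes `global.postgresql.existingSecret` for this — instead of `valuesContent`. `image.debug: true` on both `postgresql` and `pgpool` enables verbose container logging; confirm it is intended for a production cluster, since debug output tends to include connection details. The OCI chart has no `version:` pin, unlike the `cert-manager` chart in this commit.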
+15
@@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: postgresql-ha
namespace: infra-data
spec:
selector:
app.kubernetes.io/instance: postgresql-ha
app.kubernetes.io/name: postgresql-ha
app.kubernetes.io/component: pgpool
ports:
- protocol: TCP
port: 65432
targetPort: 5432
type: LoadBalancer
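Review bot: `type: LoadBalancer` publishes pgpool on port 65432 outside the cluster; with k3s servicelb that means every node labelled for LB listens on it, and as the install notes in this commit reference a public cloud provider, the database is plausibly reachable from the internet guarded only by the password that is committed in the same commit. Gitea already connects in-cluster via `postgresql-ha-pgpool.infra-data:5432`, so if external access is really needed, restrict it — `loadBalancerSourceRanges` to the Tailscale range, or a `NetworkPolicy` — and state the reason in a comment; otherwise change the type to `ClusterIP`.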
+17
@@ -0,0 +1,17 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: redis
namespace: infra-data
spec:
chart: oci://registry-1.docker.io/bitnamicharts/redis
targetNamespace: infra-data
valuesContent: |-
global:
redis:
password: ribiPwYQNU6GWxCYR0Nj
replica:
replicaCount: 0
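Review bot: `global.redis.password` is a plaintext credential in the manifest, and the same string is embedded in the Gitea connection URLs in this commit; rotate it and switch to the Bitnami chart's `auth.existingSecret` / `auth.existingSecretPasswordKey` so the value lives in a Secret. `replica.replicaCount: 0` leaves a single master holding Gitea's sessions, cache and queue — fine for a lab, but worth a comment so nobody assumes HA. The OCI chart reference has no `version:` pin.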
+8
@@ -0,0 +1,8 @@
### 调试
kubectl run -i --tty --rm --restart=Never \
--overrides='{"apiVersion": "v1", "spec": {"nodeSelector": {"kubernetes.io/hostname": "tcc"}}}' \
--image=busybox:1.28 \
debug -- sh
### path core中服务的节点亲和性 使他们只运行在master节点上
kubectl patch -n kube-system deployment coredns --patch-file=patch-affinity.yaml
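Review bot: `kubectl patch -n kube-system deployment coredns --patch-file=patch-affinity.yaml` edits a Deployment that k3s manages from its packaged manifest, and the k3s deploy controller re-applies that manifest on server start and on upgrade, so the affinity patch is likely to be reverted without notice. A drop-in manifest under `/var/lib/rancher/k3s/server/manifests/`, or disabling the packaged CoreDNS (`--disable coredns`) and managing it explicitly, keeps the change durable; at minimum add a comment that the patch must be re-run after every k3s upgrade. The `kubectl run … --rm --restart=Never` debug line is fine as written.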
+19
@@ -0,0 +1,19 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns-custom
namespace: kube-system
data:
local.override: |
# 腾讯云内网DNS会将HINFO解析请求返回本机 造成循环 此处直接屏蔽处理
template ANY HINFO . {
rcode NXDOMAIN
}
# 不解析IPV6
template ANY AAAA {
rcode NXDOMAIN
}
local.server: |
#
+213
@@ -0,0 +1,213 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: node-local-dns
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: v1
kind: Service
metadata:
name: kube-dns-upstream
namespace: kube-system
labels:
k8s-app: kube-dns
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/name: "KubeDNSUpstream"
spec:
ports:
- name: dns
port: 53
protocol: UDP
targetPort: 53
- name: dns-tcp
port: 53
protocol: TCP
targetPort: 53
selector:
k8s-app: kube-dns
---
apiVersion: v1
kind: ConfigMap
metadata:
name: node-local-dns
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: Reconcile
data:
Corefile: |
# 腾讯云内网DNS会将HINFO解析请求返回本机 造成循环 此处直接屏蔽处理
(disableHINFO) {
template ANY HINFO . {
rcode NXDOMAIN
}
}
cluster.local:53 {
errors
cache {
success 9984 30
denial 9984 5
}
reload
loop
bind 169.254.20.10 10.43.0.10
forward . __PILLAR__CLUSTER__DNS__ {
force_tcp
}
prometheus :9253
health 169.254.20.10:8080
import disableHINFO
}
in-addr.arpa:53 {
errors
cache 30
reload
loop
bind 169.254.20.10 10.43.0.10
forward . __PILLAR__CLUSTER__DNS__ {
force_tcp
}
prometheus :9253
import disableHINFO
}
ip6.arpa:53 {
errors
cache 30
reload
loop
bind 169.254.20.10 10.43.0.10
forward . __PILLAR__CLUSTER__DNS__ {
force_tcp
}
prometheus :9253
import disableHINFO
}
.:53 {
errors
cache 30
reload
loop
bind 169.254.20.10 10.43.0.10
forward . __PILLAR__UPSTREAM__SERVERS__
prometheus :9253
import disableHINFO
}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: node-local-dns
namespace: kube-system
labels:
k8s-app: node-local-dns
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
spec:
updateStrategy:
rollingUpdate:
maxUnavailable: 10%
selector:
matchLabels:
k8s-app: node-local-dns
template:
metadata:
labels:
k8s-app: node-local-dns
annotations:
prometheus.io/port: "9253"
prometheus.io/scrape: "true"
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: svccontroller.k3s.cattle.io/enablelb
operator: In
values:
- "true"
priorityClassName: system-node-critical
serviceAccountName: node-local-dns
hostNetwork: true
dnsPolicy: Default # Don't use cluster DNS.
tolerations:
- key: "CriticalAddonsOnly"
operator: "Exists"
- effect: "NoExecute"
operator: "Exists"
- effect: "NoSchedule"
operator: "Exists"
containers:
- name: node-cache
image: registry.k8s.io/dns/k8s-dns-node-cache:1.22.28
resources:
requests:
cpu: 25m
memory: 5Mi
args: [ "-localip", "169.254.20.10,10.43.0.10", "-conf", "/etc/Corefile", "-upstreamsvc", "kube-dns-upstream" ]
securityContext:
capabilities:
add:
- NET_ADMIN
ports:
- containerPort: 53
name: dns
protocol: UDP
- containerPort: 53
name: dns-tcp
protocol: TCP
- containerPort: 9253
name: metrics
protocol: TCP
livenessProbe:
httpGet:
host: 169.254.20.10
path: /health
port: 8080
initialDelaySeconds: 60
timeoutSeconds: 5
volumeMounts:
- mountPath: /run/xtables.lock
name: xtables-lock
readOnly: false
- name: config-volume
mountPath: /etc/coredns
- name: kube-dns-config
mountPath: /etc/kube-dns
volumes:
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
- name: kube-dns-config
configMap:
name: kube-dns
optional: true
- name: config-volume
configMap:
name: node-local-dns
items:
- key: Corefile
path: Corefile.base
---
apiVersion: v1
kind: Service
metadata:
annotations:
prometheus.io/port: "9253"
prometheus.io/scrape: "true"
labels:
k8s-app: node-local-dns
name: node-local-dns
namespace: kube-system
spec:
clusterIP: None
ports:
- name: metrics
port: 9253
targetPort: 9253
selector:
k8s-app: node-local-dns
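Review bot: `-upstreamsvc kube-dns-upstream` together with the optional `kube-dns` ConfigMap mount is the upstream Kubernetes layout; on k3s the CoreDNS configuration object is named `coredns`, so if that holds here the `kube-dns` ConfigMap never exists and `__PILLAR__UPSTREAM__SERVERS__` falls back to the node's `/etc/resolv.conf` rather than any stub domains or upstream servers configured for CoreDNS — verify the rendered `/etc/Corefile` inside a running pod. The DaemonSet is pinned by node affinity to `svccontroller.k3s.cattle.io/enablelb=true` nodes only, so any pod on other nodes that is pointed at `169.254.20.10` has no resolver; keep that consistent with the Traefik `dnsConfig` in this commit. `hostNetwork: true` plus `NET_ADMIN` is what node-cache needs for its link-local listener and iptables rules — a one-line comment there would stop a later hardening pass from removing it.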
+13
@@ -0,0 +1,13 @@
spec:
template:
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/master
operator: In
values:
- "true"
@@ -0,0 +1,27 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: dev-cm-crt
namespace: kube-system
spec:
secretName: dev-cm-crt
issuerRef:
name: dnspod
kind: ClusterIssuer
group: cert-manager.io
dnsNames:
- "dev.cm"
- "*.dev.cm"
- "*.node.dev.cm"
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
name: default
namespace: kube-system
spec:
certificates:
- secretName: dev-cm-crt
defaultCertificate:
secretName: dev-cm-crt
@@ -0,0 +1,14 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: fillcode-com-crt
namespace: kube-system
spec:
secretName: fillcode-com-crt
issuerRef:
name: dnspod
kind: ClusterIssuer
group: cert-manager.io
dnsNames:
- "fillcode.com"
- "*.fillcode.com"
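Review bot: This certificate is issued into `fillcode-com-crt` but nothing in this commit consumes it — the default `TLSStore` lists only `dev-cm-crt` and no `IngressRoute` references `tls.secretName: fillcode-com-crt` — so Traefik will not present it unless it is added to the store's `certificates` list or referenced by a route. If it is only being pre-provisioned for later use, a comment saying so would keep the orphaned Certificate from looking like a mistake.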
+53
@@ -0,0 +1,53 @@
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: traefik
namespace: kube-system
spec:
valuesContent: |-
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: svccontroller.k3s.cattle.io/enablelb
operator: In
values:
- "true"
tolerations:
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
deployment:
kind: DaemonSet
dnsPolicy: None
dnsConfig:
nameservers:
- 169.254.20.10
- 10.43.0.10
hostNetwork: true
service:
spec:
externalTrafficPolicy: Local
ports:
web:
forwardedHeaders:
insecure: true
proxyProtocol:
insecure: true
websecure:
forwardedHeaders:
insecure: true
proxyProtocol:
insecure: true
http3:
enabled: false
ssh:
port: 8022
expose: true
exposedPort: 22
updateStrategy:
rollingUpdate:
maxUnavailable: 1
maxSurge: 0
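Review bot: `forwardedHeaders.insecure: true` and `proxyProtocol.insecure: true` on both `web` and `websecure` make Traefik accept `X-Forwarded-For`/`X-Real-IP` and PROXY-protocol headers from any peer; combined with `hostNetwork: true` and `externalTrafficPolicy: Local` the entrypoints are directly reachable, so any client can spoof its source address, which defeats IP allow-lists, forward-auth or Gitea rate limiting keyed on client IP, and corrupts access logs. Replace each `insecure: true` with `trustedIPs:` listing the real upstream load balancer or Tailscale ranges, and enable PROXY protocol only if an upstream actually sends it — otherwise a PROXY header from an untrusted client is honored as-is. `deployment.kind: DaemonSet` with `hostNetwork` also binds the `ssh` entrypoint on host port 8022 on every LB node; confirm host firewalling matches that exposure.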
+17
@@ -0,0 +1,17 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: https-only
namespace: kube-system
spec:
entryPoints:
- web
routes:
- kind: Rule
match: PathPrefix(`/`)
priority: 1
middlewares:
- name: https-only
services:
- kind: TraefikService
name: noop@internal
+29
@@ -0,0 +1,29 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: gateway
namespace: kube-system
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`gateway.dev.cm`)
services:
- kind: TraefikService
name: dashboard@internal
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: gateway-api
namespace: kube-system
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`gateway.dev.cm`) && PathPrefix(`/api`)
services:
- kind: TraefikService
name: api@internal
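Review bot: `dashboard@internal` and `api@internal` are exposed on `gateway.dev.cm` with no authentication middleware on either route; the dashboard reveals every router, service and middleware — including backend addresses such as the `192.168.21.x` targets elsewhere in this commit — to anyone who can reach the ingress. Add an auth middleware to both routes, e.g. `middlewares: [{name: traefik-forward-auth}]` if a forward-auth `Middleware` exists in `kube-system`, or a `basicAuth` middleware backed by a Secret, or at least an `ipAllowList` restricted to the Tailscale range. If the intent is internal-only access, say so in a comment next to the routes.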
@@ -0,0 +1,7 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: compress
namespace: kube-system
spec:
compress: {}
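Review bot: `compress: {}` compresses every response on any route it is attached to, including TLS responses; for pages that echo attacker-influenced input next to secrets (CSRF tokens, session identifiers) that re-opens BREACH-style compression side channels. Consider limiting it with `excludedContentTypes` or attaching it only to static-asset routes, and leave a comment recording the trade-off. Nothing visible in this commit attaches the middleware yet, so it is currently inert.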
@@ -0,0 +1,9 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: https-only
namespace: kube-system
spec:
redirectScheme:
scheme: https
permanent: true
+38
@@ -0,0 +1,38 @@
### 替换hostname
hostnamectl set-hostname node && reboot
### 安装tailscale
curl -fsSL https://tailscale.com/install.sh | sh
### 开启tailscale的自动更新
tailscale set --auto-update
### 开启ip转发
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
### 新建目录 将不同节点类型的config写入
mkdir -p /etc/rancher/k3s && nano /etc/rancher/k3s/config.yaml
### 安装k3s 此处注意安装类型 是server 还是 agent
curl -sfL https://get.k3s.io | \
INSTALL_K3S_MIRROR=cn \
sh -s - server
### 国内安装加速 & 镜像加速地址
https://rancher-mirror.rancher.cn/k3s/k3s-install.sh
nano /etc/rancher/k3s/registries.yaml
### 查看serverToken 记得在config中替换最新的token
cat /var/lib/rancher/k3s/server/node-token
### 查看api server config 需要替换到.kube/config中 注意将其中的server地址替换为高可用地址
cat /etc/rancher/k3s/k3s.yaml
### 给node添加地域标签
kubectl label nodes tca topology.kubernetes.io/region=cn-sh
kubectl label nodes tca svccontroller.k3s.cattle.io/enablelb="true"
### 给master节点添加污点
kubectl taint nodes tca node-role.kubernetes.io/master:NoSchedule
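Review bot: `curl -fsSL https://tailscale.com/install.sh | sh` and `curl -sfL https://get.k3s.io | … sh -s - server` execute unpinned remote scripts as root, so node bootstrap trusts whatever those URLs (or the `rancher-mirror` alternative) serve at that moment. Download each script to a file, inspect it, and pin the k3s release with `INSTALL_K3S_VERSION=vX.Y.Z+k3s1` so a node added later reproduces the same cluster version rather than the latest. The manual `kubectl taint nodes tca node-role.kubernetes.io/master:NoSchedule` matches the tolerations used by the charts in this commit, but a comment that it must be repeated for every server node would avoid scheduling surprises.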
+10
@@ -0,0 +1,10 @@
# worker 工作节点
server: "https://k3s.dev.cm:6443"
token: "K10cdbe82226583b6e0c8f80c203f3a2d79580aaf9c2f61d0aebea4a28c1ff3897f::server:35e7d0dc0b8c2427fdb42bb90bb85d5a"
# 网络相关
vpn-auth: "name=tailscale,joinKey=tskey-auth-ksJXXH4CNTRL-4WRkX448yC6W6yhytK1FD68HMDK4zStw"
# 节点相关
# 保留节点资源 根据节点做不同配置 如不需要可以注释掉
kubelet-arg: kube-reserved=cpu=5000
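Review bot: `token:` is the k3s server join token and `vpn-auth:` carries a Tailscale auth key (`tskey-auth-…`), both committed in plaintext; the first lets any holder join nodes to the cluster as agent or server, the second lets them join the tailnet. Revoke and regenerate both (newer k3s releases offer `k3s token rotate`; Tailscale keys are revoked in the admin console) and keep this file out of the repository or template the two values from a secret store at bootstrap. `kubelet-arg: kube-reserved=cpu=5000` reserves a CPU quantity of 5000 — that is 5000 cores, not 5000 millicores — which would drive the node's allocatable CPU to zero; `cpu=5000m` (or whatever fraction was intended) is almost certainly meant. k3s documents `kubelet-arg` as a list, so `kubelet-arg: ["kube-reserved=cpu=500m"]` is the unambiguous form — confirm the scalar is accepted by the installed version.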
+7
@@ -0,0 +1,7 @@
# server 主节点
cluster-init: true
tls-san:
- "k3s.dev.cm,k3s.fillcode.com"
# 网络相关
vpn-auth: "name=tailscale,joinKey=tskey-auth-ksJXXH4CNTRL-4WRkX448yC6W6yhytK1FD68HMDK4zStw"
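Review bot: `vpn-auth:` embeds a Tailscale auth key in plaintext; the same key is reused by the worker and secondary-server configs in this commit, so one revocation covers all three, but it has to be revoked and replaced now that it sits in git history — keep the real value in a file outside the repo or inject it at bootstrap. `tls-san:` is a single list item holding `k3s.dev.cm,k3s.fillcode.com`; k3s documents `tls-san` as one name per entry, so unless the installed version splits on commas the API certificate would carry the literal comma-joined string — listing the two names as separate items is unambiguous either way.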
+8
@@ -0,0 +1,8 @@
# server 从节点
server: "https://tca:6443"
token: "K10cdbe82226583b6e0c8f80c203f3a2d79580aaf9c2f61d0aebea4a28c1ff3897f::server:35e7d0dc0b8c2427fdb42bb90bb85d5a"
tls-san:
- "k3s.dev.cm,k3s.fillcode.com"
# 网络相关
vpn-auth: "name=tailscale,joinKey=tskey-auth-ksJXXH4CNTRL-4WRkX448yC6W6yhytK1FD68HMDK4zStw"
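Review bot: The same plaintext `token:` and Tailscale auth key as in the worker config are committed here; both must be rotated and removed from the repository. `server: "https://tca:6443"` joins through a single node name rather than the `k3s.dev.cm` address the worker config uses; that works for the initial join, but if `tca` is unavailable when this server is rebuilt it may not be able to rejoin, so either point it at the HA address or leave a comment that `tca` is only the bootstrap target.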
+7
@@ -0,0 +1,7 @@
mirrors:
"docker.io":
endpoint:
- "https://mirror.ccs.tencentyun.com"
"registry.k8s.io":
endpoint:
- "k8s.m.daocloud.io"
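Review bot: The `registry.k8s.io` endpoint `k8s.m.daocloud.io` has no scheme while the `docker.io` one is written as `https://…`; k3s documents mirror endpoints as full URLs, so confirm the bare hostname is accepted and write it as `"https://k8s.m.daocloud.io"` for consistency. Both mirrors are third-party caches inserted into the image supply chain: tag-only references such as `registry.k8s.io/dns/k8s-dns-node-cache:1.22.28` in this commit resolve to whatever the mirror serves, so pin critical images by digest (`@sha256:…`) or verify signatures where the publisher provides them. A comment stating that these mirrors are a connectivity workaround would make the trust decision explicit for the next maintainer.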