diff --git a/bin/docker_registry_catalog b/bin/docker_registry_catalog
new file mode 100644
index 0000000..a7f8898
--- /dev/null
+++ b/bin/docker_registry_catalog
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ "$#" -lt 2 ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+curl -X GET --basic -u "$1" "$0/v2/_catalog"
diff --git a/bin/htpasswd-entry b/bin/htpasswd-entry
new file mode 100755
index 0000000..66f6cfb
--- /dev/null
+++ b/bin/htpasswd-entry
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if [ -z "$1" ] || [ -z "$2" ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+HASHED=$(openssl passwd -apr1 "$2")
+echo "$1:$HASHED"
diff --git a/devel/k3s.sh b/devel/k3s.sh
new file mode 100755
index 0000000..d5db3cc
--- /dev/null
+++ b/devel/k3s.sh
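Review bot: The request on the last line of bin/docker_registry_catalog is sent to `"$0/v2/_catalog"`, i.e. the script's own path, while the registry host that the `$# -lt 2` check demands as the second argument is never used; it should read `curl -X GET --basic -u "$1" "$2/v2/_catalog"`. Passing `user:password` through `-u "$1"` also leaves the credential visible in the process list and shell history; giving only the user name (curl then prompts for the password) or using `-n` with a `.netrc` entry avoids that. The usage line appears to have lost its placeholder text, so it prints just `Usage: $0 ` — spelling out the two expected arguments there would help. The file is committed with mode 100644 while the sibling `bin/htpasswd-entry` is 100755, so this one is not executable as added.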
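Review bot: `HASHED=$(openssl passwd -apr1 "$2")` puts the clear-text password on the command line of both this script and the openssl child, where it shows up in the process list and shell history; `printf '%s' "$2" | openssl passwd -apr1 -stdin` only fixes the child, so the better change is to take the password from stdin or prompt for it with `read -r` instead of `$2`. `-apr1` is the MD5-based Apache scheme; if these entries are meant for the docker registry's htpasswd authentication (the neighbouring `bin/docker_registry_catalog` suggests so), note that registry accepts only bcrypt entries, which `openssl passwd` cannot produce — `htpasswd -nB` does. The usage message here has the same lost-placeholder problem as the sibling script.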
@@ -0,0 +1,135 @@
+#!/bin/sh
+
+if [ "$#" -lt 3 ]; then
+ echo "This script will try to setup k3s on a remote server which unfortunately located in YOUR COUNTRY!"
+ echo " Usage: $0 "
+ exit 0
+fi
+
+
+DIR=$(dirname "$(readlink -f "$0")")
+. "$DIR/../env.sh"
+
+SSH=$1
+IP=$2
+EMAIL=$3
+CERT_MANAGER=https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml
+
+#SHA_URL=https://github.com/k3s-io/k3s/releases/download/v1.20.0%2Bk3s2/sha256sum-amd64.txt
+#K3S_URL=https://github.com/k3s-io/k3s/releases/download/v1.20.0%2Bk3s2/k3s
+#INSTALL_URL=https://github.com/k3s-io/k3s/raw/v1.20.0%2Bk3s2/install.sh
+
+#verify_sha() {
+ #[ -f /tmp/k3s ]
+ #! [ -f /tmp/k3s_sha ] && curl -sL $SHA_URL | grep -oP '\w+\s+k3s$' | awk '{print $1}' > /tmp/k3s_sha
+ #if ! grep -qF "$(sha256sum /tmp/k3s | awk '{print $1}')" /tmp/k3s_sha ;then
+ #echo "invalid sha256sum"
+ #rm -f /tmp/k3s
+ #return 1
+ #fi
+#}
+
+#download_k3s() {
+ #if [ ! -f /tmp/k3s ] ; then
+ #echo "downloading k3s"
+ #curl -Lo /tmp/k3s "$K3S_URL"
+ #fi
+#}
+
+if in_china && [ -z "$HTTPS_PROXY" ] ; then
+ echo "Please setup HTTPS_PROXY first! "
+ exit 1
+fi
+
+# download k3s binary and upload to server
+#if ! ssh "$SSH" "command -v k3s >/dev/null" ;then
+ #while ! verify_sha ; do
+ #download_k3s
+ #done
+ #scp /tmp/k3s "$SSH:~/k3s"
+ #ssh "$SSH" "sudo mv k3s /usr/local/bin/ && sudo chmod +x /usr/local/bin/k3s"
+#fi
+
+# install k3s
+#if ! ssh "$SSH" "command -v crictl >/dev/null"; then
+ #! [ -f /tmp/k3s_install.sh ] && curl -Lo /tmp/k3s_install.sh "$INSTALL_URL"
+ #scp /tmp/k3s_install.sh "$SSH:~/k3s_install.sh"
+ #ssh "$SSH" '
+ #export INSTALL_K3S_SKIP_DOWNLOAD=true
+ #export INSTALL_K3S_EXEC="--tls-san '"$IP"' --node-external-ip '"$IP"'"
+ #sh k3s_install.sh
+ #'
+#fi
+
+# install ks3
+ssh "$SSH" '
+if ! command -v k3s >/dev/null ; then
+ export INSTALL_K3S_MIRROR=cn
+ export INSTALL_K3S_VERSION=v1.20.0-k3s2
+ export INSTALL_K3S_EXEC="--tls-san '"$IP"' --node-external-ip '"$IP"' --disable traefik"
+ curl -sfL http://rancher-mirror.cnrancher.com/k3s/k3s-install.sh | sh -
+fi
+'
+
+# setup mirror
+ssh "$SSH" '
+CFG_DIR=/var/lib/rancher/k3s/agent/etc/containerd
+
+while ! sudo stat $CFG_DIR/config.toml >/dev/null 2>&1; do
+ echo waiting k3s to startup $CFG_DIR/config.toml
+ sleep 3
+done
+
+if ! sudo grep -qF "mirrors" $CFG_DIR/config.toml; then
+ echo "[plugins.cri.registry.mirrors]" | sudo tee -a $CFG_DIR/config.toml
+ echo " [plugins.cri.registry.mirrors.\"docker.io\"]" | sudo tee -a $CFG_DIR/config.toml
+ echo " endpoint = [" | sudo tee -a $CFG_DIR/config.toml
+ echo " \"https://1nj0zren.mirror.aliyuncs.com\"," | sudo tee -a $CFG_DIR/config.toml
+ echo " \"https://docker.mirrors.ustc.edu.cn\"," | sudo tee -a $CFG_DIR/config.toml
+ echo " \"http://f1361db2.m.daocloud.io\"]" | sudo tee -a $CFG_DIR/config.toml
+fi
+sudo cp $CFG_DIR/config.toml $CFG_DIR/config.toml.tmpl
+sudo systemctl restart k3s
+'
+
+# setup https traefik
+scp $DIR/k3s/*.yaml "$SSH:"
+ssh "$SSH" '
+sudo kubectl apply -f traefik-crd.yaml
+sed -i "s/EMAIL/'"$EMAIL"'/" traefik-dpy.yaml
+sudo kubectl apply -f traefik-dpy.yaml
+sudo kubectl wait --for=condition=available --timeout=600s deployment/traefik -n default
+#sudo kubectl port-forward --address 0.0.0.0 service/traefik 80:80 8080:8080 443:443 -n default
+'
+
+
+# add more workers
+echo
+echo "add more workers with following command:"
+echo " sudo k3s agent --server https://$IP:6443 --token $(ssh "$SSH" 'sudo cat /var/lib/rancher/k3s/server/node-token')"
+
+# copy kubctl config file content to clipboard
+KUBECONFIG=$(
+ssh "$SSH" '
+sudo sed "s|server:.*|server: https://'"$IP"':6443|" /etc/rancher/k3s/k3s.yaml
+')
+echo "$KUBECONFIG" | xsel -b
+echo "kube config has been copy to clipboard, you can set it as your only k8s cluster with:"
+echo "$KUBECONFIG"
+echo " xsel -ob > ~/.kube/config"
+
+
+# add private registry:
+echo
+echo "import private registry credentials to your k3s:"
+echo " kubectl create secret generic regcred \\"
+echo " --from-file=.dockerconfigjson=\$HOME/.docker/config.json \\"
+echo " --type=kubernetes.io/dockerconfigjson"
+
+echo
+echo "add private registry manually:"
+echo " kubectl create secret docker-registry regcred \\"
+echo " --docker-server= \\"
+echo " --docker-username= \\"
+echo " --docker-password= --docker-email="
+
diff --git a/devel/k3s/traefik-crd.yaml b/devel/k3s/traefik-crd.yaml
new file mode 100644
index 0000000..3d9044c
--- /dev/null
+++ b/devel/k3s/traefik-crd.yaml
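Review bot: The remote install line `curl -sfL http://rancher-mirror.cnrancher.com/k3s/k3s-install.sh | sh -` in the first `ssh "$SSH" '…'` block fetches the installer over plain HTTP and runs it as root with no integrity check, so anyone on the path to that mirror can substitute the script; the `verify_sha`/`download_k3s` functions that did compare a sha256 are left commented out above it. At minimum fetch the installer over HTTPS, or download it once locally, compare it against a known digest and `scp` it to the host the way the commented-out `# install k3s` block did. The mirror setup block also appends `http://f1361db2.m.daocloud.io` as a containerd mirror endpoint, which pulls images over clear-text HTTP — drop it or keep only the two `https://` endpoints. The node token and the kubeconfig (which embeds the cluster's client credentials) are echoed to the terminal and pushed into the X clipboard, so they land in scrollback, terminal logs and any clipboard manager; printing only the `xsel -ob` hint, not the content, would be enough. Note that `$IP` and `$EMAIL` are spliced unescaped into remote shell syntax and into `sed -i "s/EMAIL/'"$EMAIL"'/"`, so the script relies on those arguments coming from a trusted operator — worth a comment near the `SSH=$1`/`IP=$2`/`EMAIL=$3` assignments.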
@@ -0,0 +1,164 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutes.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRoute
+ plural: ingressroutes
+ singular: ingressroute
+ scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: middlewares.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: Middleware
+ plural: middlewares
+ singular: middleware
+ scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressroutetcps.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRouteTCP
+ plural: ingressroutetcps
+ singular: ingressroutetcp
+ scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: ingressrouteudps.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: IngressRouteUDP
+ plural: ingressrouteudps
+ singular: ingressrouteudp
+ scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: tlsoptions.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: TLSOption
+ plural: tlsoptions
+ singular: tlsoption
+ scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: tlsstores.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: TLSStore
+ plural: tlsstores
+ singular: tlsstore
+ scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: traefikservices.traefik.containo.us
+
+spec:
+ group: traefik.containo.us
+ version: v1alpha1
+ names:
+ kind: TraefikService
+ plural: traefikservices
+ singular: traefikservice
+ scope: Namespaced
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: traefik-ingress-controller
+
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+ - apiGroups:
+ - traefik.containo.us
+ resources:
+ - middlewares
+ - ingressroutes
+ - traefikservices
+ - ingressroutetcps
+ - ingressrouteudps
+ - tlsoptions
+ - tlsstores
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: traefik-ingress-controller
+
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: traefik-ingress-controller
+subjects:
+ - kind: ServiceAccount
+ name: traefik-ingress-controller
+ namespace: default
diff --git a/devel/k3s/traefik-dpy.yaml b/devel/k3s/traefik-dpy.yaml
new file mode 100644
index 0000000..d0c0a74
--- /dev/null
+++ b/devel/k3s/traefik-dpy.yaml
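Review bot: Every object in this file uses `apiextensions.k8s.io/v1beta1` (the seven CRDs) or `rbac.authorization.k8s.io/v1beta1` (the ClusterRole and ClusterRoleBinding); both API versions are deprecated and removed in Kubernetes 1.22, so the manifest applies only because `devel/k3s.sh` pins `INSTALL_K3S_VERSION=v1.20.0-k3s2` and will fail on the next k3s upgrade. `rbac.authorization.k8s.io/v1` is a drop-in rename for the two RBAC objects; the CRDs need `apiextensions.k8s.io/v1`, which also requires a `versions:` list with a schema in place of the bare `version: v1alpha1`. The ClusterRole grants cluster-wide `get`/`list`/`watch` on `secrets`; Traefik needs that to read TLS secrets referenced by its routes, but a comment on that rule, e.g. `# secrets: read access is needed for TLS certificates referenced by IngressRoute/TLSStore`, would make the broad scope deliberate rather than accidental.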
@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: traefik
+spec:
+ ports:
+ - protocol: TCP
+ name: web
+ port: 80
+ #- protocol: TCP
+ #name: admin
+ #port: 8080
+ - protocol: TCP
+ name: websecure
+ port: 443
+ type: LoadBalancer
+ selector:
+ app: traefik
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: default
+ name: traefik-ingress-controller
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: default
+ name: traefik
+ labels:
+ app: traefik
+
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: traefik
+ template:
+ metadata:
+ labels:
+ app: traefik
+ spec:
+ serviceAccountName: traefik-ingress-controller
+ containers:
+ - name: traefik
+ image: traefik:v2.2
+ args:
+ - --api.insecure
+ - --accesslog
+ - --entrypoints.web.Address=:80
+ - --entrypoints.websecure.Address=:443
+ - --providers.kubernetescrd
+ - --certificatesresolvers.myresolver.acme.tlschallenge
+ - --certificatesresolvers.myresolver.acme.email=EMAIL
+ - --certificatesresolvers.myresolver.acme.storage=acme.json
+ ports:
+ - name: web
+ containerPort: 80
+ - name: websecure
+ containerPort: 443
+ - name: admin
+ containerPort: 8080
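Review bot: `--api.insecure` in the container args enables Traefik's API and dashboard without authentication on port 8080, and the `admin` containerPort 8080 at the end of the hunk is still declared even though the matching Service port is commented out, so the endpoint stays reachable from inside the cluster (and `devel/k3s.sh` keeps a commented-out `port-forward --address 0.0.0.0 … 8080:8080` that would expose it to the network). Drop `--api.insecure` and the `admin` containerPort, or publish the API only through an IngressRoute that attaches an authentication middleware. Separately, `--certificatesresolvers.myresolver.acme.storage=acme.json` writes the ACME account key and issued certificates into the container filesystem with no volume mounted, so every pod restart re-issues certificates and counts against Let's Encrypt rate limits; mount a PersistentVolumeClaim at the storage path. `image: traefik:v2.2` is a floating minor tag — pinning a full patch version or digest keeps the deployment reproducible.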