[feature] k3s deployment
This commit is contained in:
parent
88338017d8
commit
1be791d917
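--- /dev/null
+++ b/bin/docker_registry_catalog
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ "$#" -lt 2 ]; then
+echo "Usage: $0 <https://domain:port> <user>"
+exit 1
+fi
+curl -X GET --basic -u "$1" "$0/v2/_catalog"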
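Review bot: The curl call on the last line never reaches the registry: `-u "$1"` receives the `<https://domain:port>` argument as the username and `"$0/v2/_catalog"` expands from the script's own path, not from the URL. The usage line documents `<url> <user>`, so the call should read `curl -sS --fail --basic -u "$2" "$1/v2/_catalog"`; giving `-u` only the username is the right shape, since curl then prompts for the password and it stays off argv and out of shell history. `-X GET` is redundant for a body-less request and can be dropped. A one-line header comment saying the script lists the repositories of a Docker Registry v2 using basic auth would make the intent clear.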
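--- /dev/null
+++ b/bin/htpasswd-entry
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if [ -z "$1" ] || [ -z "$2" ]; then
+echo "Usage: $0 <username> <password>"
+exit 1
+fi
+HASHED=$(openssl passwd -apr1 "$2")
+echo "$1:$HASHED"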
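Review bot: The clear-text password is taken as a positional argument (`$2`) and then handed to `openssl passwd` as another argument on the HASHED line, so it is visible twice in the process table (`ps`) and is recorded in the caller's shell history. Feeding it over stdin removes the second exposure: `HASHED=$(printf '%s\n' "$2" | openssl passwd -apr1 -stdin)`; prompting for it silently instead of accepting it on argv would remove the first. `-apr1` is the MD5-based scheme kept for Apache htpasswd compatibility; where the consuming server accepts bcrypt that is the stronger choice, so a header comment naming which service consumes these entries (and why apr1 was chosen) would help the next maintainer decide.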
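--- /dev/null
+++ b/devel/k3s.sh
@@ -0,0 +1,135 @@
+#!/bin/sh
+
+if [ "$#" -lt 3 ]; then
+echo "This script will try to setup k3s on a remote server which unfortunately located in YOUR COUNTRY!"
+echo " Usage: $0 <user@host> <external-ip> <email>"
+exit 0
+fi
+
+
+DIR=$(dirname "$(readlink -f "$0")")
+. "$DIR/../env.sh"
+
+SSH=$1
+IP=$2
+EMAIL=$3
+CERT_MANAGER=https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml
+
+#SHA_URL=https://github.com/k3s-io/k3s/releases/download/v1.20.0%2Bk3s2/sha256sum-amd64.txt
+#K3S_URL=https://github.com/k3s-io/k3s/releases/download/v1.20.0%2Bk3s2/k3s
+#INSTALL_URL=https://github.com/k3s-io/k3s/raw/v1.20.0%2Bk3s2/install.sh
+
+#verify_sha() {
+#[ -f /tmp/k3s ]
+#! [ -f /tmp/k3s_sha ] && curl -sL $SHA_URL | grep -oP '\w+\s+k3s$' | awk '{print $1}' > /tmp/k3s_sha
+#if ! grep -qF "$(sha256sum /tmp/k3s | awk '{print $1}')" /tmp/k3s_sha ;then
+#echo "invalid sha256sum"
+#rm -f /tmp/k3s
+#return 1
+#fi
+#}
+
+#download_k3s() {
+#if [ ! -f /tmp/k3s ] ; then
+#echo "downloading k3s"
+#curl -Lo /tmp/k3s "$K3S_URL"
+#fi
+#}
+
+if in_china && [ -z "$HTTPS_PROXY" ] ; then
+echo "Please setup HTTPS_PROXY first! "
+exit 1
+fi
+
+# download k3s binary and upload to server
+#if ! ssh "$SSH" "command -v k3s >/dev/null" ;then
+#while ! verify_sha ; do
+#download_k3s
+#done
+#scp /tmp/k3s "$SSH:~/k3s"
+#ssh "$SSH" "sudo mv k3s /usr/local/bin/ && sudo chmod +x /usr/local/bin/k3s"
+#fi
+
+# install k3s
+#if ! ssh "$SSH" "command -v crictl >/dev/null"; then
+#! [ -f /tmp/k3s_install.sh ] && curl -Lo /tmp/k3s_install.sh "$INSTALL_URL"
+#scp /tmp/k3s_install.sh "$SSH:~/k3s_install.sh"
+#ssh "$SSH" '
+#export INSTALL_K3S_SKIP_DOWNLOAD=true
+#export INSTALL_K3S_EXEC="--tls-san '"$IP"' --node-external-ip '"$IP"'"
+#sh k3s_install.sh
+#'
+#fi
+
+# install ks3
+ssh "$SSH" '
+if ! command -v k3s >/dev/null ; then
+export INSTALL_K3S_MIRROR=cn
+export INSTALL_K3S_VERSION=v1.20.0-k3s2
+export INSTALL_K3S_EXEC="--tls-san '"$IP"' --node-external-ip '"$IP"' --disable traefik"
+curl -sfL http://rancher-mirror.cnrancher.com/k3s/k3s-install.sh | sh -
+fi
+'
+
+# setup mirror
+ssh "$SSH" '
+CFG_DIR=/var/lib/rancher/k3s/agent/etc/containerd
+
+while ! sudo stat $CFG_DIR/config.toml >/dev/null 2>&1; do
+echo waiting k3s to startup $CFG_DIR/config.toml
+sleep 3
+done
+
+if ! sudo grep -qF "mirrors" $CFG_DIR/config.toml; then
+echo "[plugins.cri.registry.mirrors]" | sudo tee -a $CFG_DIR/config.toml
+echo " [plugins.cri.registry.mirrors.\"docker.io\"]" | sudo tee -a $CFG_DIR/config.toml
+echo " endpoint = [" | sudo tee -a $CFG_DIR/config.toml
+echo " \"https://1nj0zren.mirror.aliyuncs.com\"," | sudo tee -a $CFG_DIR/config.toml
+echo " \"https://docker.mirrors.ustc.edu.cn\"," | sudo tee -a $CFG_DIR/config.toml
+echo " \"http://f1361db2.m.daocloud.io\"]" | sudo tee -a $CFG_DIR/config.toml
+fi
+sudo cp $CFG_DIR/config.toml $CFG_DIR/config.toml.tmpl
+sudo systemctl restart k3s
+'
+
+# setup https traefik
+scp $DIR/k3s/*.yaml "$SSH:"
+ssh "$SSH" '
+sudo kubectl apply -f traefik-crd.yaml
+sed -i "s/EMAIL/'"$EMAIL"'/" traefik-dpy.yaml
+sudo kubectl apply -f traefik-dpy.yaml
+sudo kubectl wait --for=condition=available --timeout=600s deployment/traefik -n default
+#sudo kubectl port-forward --address 0.0.0.0 service/traefik 80:80 8080:8080 443:443 -n default
+'
+
+
+# add more workers
+echo
+echo "add more workers with following command:"
+echo " sudo k3s agent --server https://$IP:6443 --token $(ssh "$SSH" 'sudo cat /var/lib/rancher/k3s/server/node-token')"
+
+# copy kubctl config file content to clipboard
+KUBECONFIG=$(
+ssh "$SSH" '
+sudo sed "s|server:.*|server: https://'"$IP"':6443|" /etc/rancher/k3s/k3s.yaml
+')
+echo "$KUBECONFIG" | xsel -b
+echo "kube config has been copy to clipboard, you can set it as your only k8s cluster with:"
+echo "$KUBECONFIG"
+echo " xsel -ob > ~/.kube/config"
+
+
+# add private registry:
+echo
+echo "import private registry credentials to your k3s:"
+echo " kubectl create secret generic regcred \\"
+echo " --from-file=.dockerconfigjson=\$HOME/.docker/config.json \\"
+echo " --type=kubernetes.io/dockerconfigjson"
+
+echo
+echo "add private registry manually:"
+echo " kubectl create secret docker-registry regcred \\"
+echo " --docker-server=<your-registry-server> \\"
+echo " --docker-username=<your-name> \\"
+echo " --docker-password=<your-pword> --docker-email=<your-email>"
+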
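Review bot: The `curl -sfL http://rancher-mirror.cnrancher.com/k3s/k3s-install.sh | sh -` line in the `# install ks3` block fetches the installer over plain HTTP and pipes it unverified into a shell on the remote host, where it goes on to run with sudo, so an on-path attacker can substitute any script; the commented-out `verify_sha`/`download_k3s` helpers above show that a checksum step existed and was dropped, and the `sha256sum-amd64.txt` they reference covers only the k3s binary, not the installer. Fetch over `https://`, save to a file, and check a pinned digest before running it: `curl -sfL -o k3s-install.sh https://rancher-mirror.cnrancher.com/k3s/k3s-install.sh`, `echo "<pinned-sha256>  k3s-install.sh" | sha256sum -c -`, `sh k3s-install.sh`. The `http://f1361db2.m.daocloud.io` mirror endpoint has the same weakness for image pulls routed through it and should be dropped or switched to HTTPS. Separately, the node join token (`--token $(ssh … node-token)`) and the admin kubeconfig (`echo "$KUBECONFIG"`) are echoed to stdout, so they land in terminal scrollback and any log of this run; print the remote file paths instead and let the operator retrieve them. The usage branch also ends with `exit 0`, so a missing argument reports success; it should be `exit 1`.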
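--- /dev/null
+++ b/devel/k3s/traefik-crd.yaml
@@ -0,0 +1,164 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+name: ingressroutes.traefik.containo.us
+
+spec:
+group: traefik.containo.us
+version: v1alpha1
+names:
+kind: IngressRoute
+plural: ingressroutes
+singular: ingressroute
+scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+name: middlewares.traefik.containo.us
+
+spec:
+group: traefik.containo.us
+version: v1alpha1
+names:
+kind: Middleware
+plural: middlewares
+singular: middleware
+scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+name: ingressroutetcps.traefik.containo.us
+
+spec:
+group: traefik.containo.us
+version: v1alpha1
+names:
+kind: IngressRouteTCP
+plural: ingressroutetcps
+singular: ingressroutetcp
+scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+name: ingressrouteudps.traefik.containo.us
+
+spec:
+group: traefik.containo.us
+version: v1alpha1
+names:
+kind: IngressRouteUDP
+plural: ingressrouteudps
+singular: ingressrouteudp
+scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+name: tlsoptions.traefik.containo.us
+
+spec:
+group: traefik.containo.us
+version: v1alpha1
+names:
+kind: TLSOption
+plural: tlsoptions
+singular: tlsoption
+scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+name: tlsstores.traefik.containo.us
+
+spec:
+group: traefik.containo.us
+version: v1alpha1
+names:
+kind: TLSStore
+plural: tlsstores
+singular: tlsstore
+scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+name: traefikservices.traefik.containo.us
+
+spec:
+group: traefik.containo.us
+version: v1alpha1
+names:
+kind: TraefikService
+plural: traefikservices
+singular: traefikservice
+scope: Namespaced
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+name: traefik-ingress-controller
+
+rules:
+- apiGroups:
+- ""
+resources:
+- services
+- endpoints
+- secrets
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- extensions
+resources:
+- ingresses
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- extensions
+resources:
+- ingresses/status
+verbs:
+- update
+- apiGroups:
+- traefik.containo.us
+resources:
+- middlewares
+- ingressroutes
+- traefikservices
+- ingressroutetcps
+- ingressrouteudps
+- tlsoptions
+- tlsstores
+verbs:
+- get
+- list
+- watch
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+name: traefik-ingress-controller
+
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: traefik-ingress-controller
+subjects:
+- kind: ServiceAccount
+name: traefik-ingress-controller
+namespace: default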
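Review bot: The ClusterRole's first rule grants `get`/`list`/`watch` on `secrets` in the core API group cluster-wide, and the ClusterRoleBinding hands that to the `traefik-ingress-controller` service account in `default`; Traefik needs to read the TLS secrets its routes reference, but this scope also lets a compromised Traefik pod read every Secret in every namespace, including the `regcred` registry credentials that devel/k3s.sh instructs users to create. If routes and certificates live only in `default`, move `secrets` (and `services`/`endpoints` if practical) into a namespaced `Role`/`RoleBinding` there and keep the ClusterRole for the CRD and ingress read permissions. Also worth a comment at the top of the file: `apiextensions.k8s.io/v1beta1` and `rbac.authorization.k8s.io/v1beta1` are still served by the pinned k3s v1.20.0 but were removed in Kubernetes 1.22, and the `v1` CRD API additionally requires a structural OpenAPI schema per resource, so this manifest has to be regenerated before the cluster is upgraded.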
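--- /dev/null
+++ b/devel/k3s/traefik-dpy.yaml
@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: traefik
+spec:
+ports:
+- protocol: TCP
+name: web
+port: 80
+#- protocol: TCP
+#name: admin
+#port: 8080
+- protocol: TCP
+name: websecure
+port: 443
+type: LoadBalancer
+selector:
+app: traefik
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+namespace: default
+name: traefik-ingress-controller
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+namespace: default
+name: traefik
+labels:
+app: traefik
+
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: traefik
+template:
+metadata:
+labels:
+app: traefik
+spec:
+serviceAccountName: traefik-ingress-controller
+containers:
+- name: traefik
+image: traefik:v2.2
+args:
+- --api.insecure
+- --accesslog
+- --entrypoints.web.Address=:80
+- --entrypoints.websecure.Address=:443
+- --providers.kubernetescrd
+- --certificatesresolvers.myresolver.acme.tlschallenge
+- --certificatesresolvers.myresolver.acme.email=EMAIL
+- --certificatesresolvers.myresolver.acme.storage=acme.json
+ports:
+- name: web
+containerPort: 80
+- name: websecure
+containerPort: 443
+- name: admin
+containerPort: 8080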
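Review bot: `- --api.insecure` in the container args turns on Traefik's API and dashboard with no authentication on port 8080, and the pod publishes that port (`- name: admin` / `containerPort: 8080`); the Service keeps its `8080` entry commented out so it is not exposed through the LoadBalancer, but any workload inside the cluster can reach the pod IP directly and read the complete routing and middleware configuration. Remove `- --api.insecure` and the `admin` containerPort, or enable `--api.dashboard=true` and publish it via an IngressRoute protected by an auth middleware. `acme.storage=acme.json` also writes the ACME account key and every issued certificate's private key to the container's ephemeral filesystem, so each pod restart discards them and re-issues against Let's Encrypt's rate limits; mount a persistent volume for that file and note in a comment that it holds private keys. Pinning `image: traefik:v2.2` to a digest and adding a `securityContext` and resource limits would round this out.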