Initial commit: initialize the project

fei
2026-02-05 00:11:05 +08:00
commit 26eaf8110b
171 changed files with 17105 additions and 0 deletions


@@ -0,0 +1,202 @@
# Traefik Ingress 控制器配置
## 当前状态
K3s 默认已安装 Traefik 作为 Ingress 控制器。
- **命名空间**: kube-system
- **服务类型**: ClusterIP
- **端口**: 80 (HTTP), 443 (HTTPS)
## Traefik 配置信息
查看 Traefik 配置:
```bash
kubectl get deployment traefik -n kube-system -o yaml
```
查看 Traefik 服务:
```bash
kubectl get svc traefik -n kube-system
```
## 使用 Ingress
### 基本 HTTP Ingress 示例
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: example-service
port:
number: 80
```
### HTTPS Ingress 示例(使用 TLS
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress-tls
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
tls:
- hosts:
- example.com
secretName: example-tls-secret
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: example-service
port:
number: 80
```
## 创建 TLS 证书
### 使用 Let's Encrypt (cert-manager)
1. 安装 cert-manager
```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml
```
2. 创建 ClusterIssuer
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: your-email@example.com
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: traefik
```
### 使用自签名证书
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout tls.key -out tls.crt \
-subj "/CN=example.com/O=example"
kubectl create secret tls example-tls-secret \
--key tls.key --cert tls.crt -n default
```
## Traefik Dashboard
访问 Traefik Dashboard
```bash
kubectl port-forward -n kube-system $(kubectl get pods -n kube-system -l app.kubernetes.io/name=traefik -o name) 9000:9000
```
然后访问: http://localhost:9000/dashboard/
## 常用注解
### 重定向 HTTP 到 HTTPS
```yaml
annotations:
traefik.ingress.kubernetes.io/redirect-entry-point: https
traefik.ingress.kubernetes.io/redirect-permanent: "true"
```
### 设置超时
```yaml
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-timeout@kubernetescrd
```
### 启用 CORS
```yaml
annotations:
traefik.ingress.kubernetes.io/router.middlewares: default-cors@kubernetescrd
```
## 中间件示例
### 创建超时中间件
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: timeout
namespace: default
spec:
forwardAuth:
address: http://auth-service
trustForwardHeader: true
```
## 监控和日志
查看 Traefik 日志:
```bash
kubectl logs -n kube-system -l app.kubernetes.io/name=traefik -f
```
## 故障排查
### 检查 Ingress 状态
```bash
kubectl get ingress -A
kubectl describe ingress <ingress-name> -n <namespace>
```
### 检查 Traefik 配置
```bash
kubectl get ingressroute -A
kubectl get middleware -A
```
## 外部访问配置
如果需要从外部访问,可以:
1. **使用 NodePort**
```bash
kubectl patch svc traefik -n kube-system -p '{"spec":{"type":"NodePort"}}'
```
2. **使用 LoadBalancer**(需要云环境或 MetalLB
```bash
kubectl patch svc traefik -n kube-system -p '{"spec":{"type":"LoadBalancer"}}'
```
3. **使用 HostPort**(直接绑定到节点端口 80/443
## 参考资源
- Traefik 官方文档: https://doc.traefik.io/traefik/
- K3s Traefik 配置: https://docs.k3s.io/networking#traefik-ingress-controller
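Review bot: In the "创建超时中间件" section, the Middleware named `timeout` does not configure a timeout: its spec is `forwardAuth` with `address: http://auth-service` and `trustForwardHeader: true`. An Ingress that attaches `default-timeout@kubernetescrd`, as the "设置超时" annotation shows, would have every request sent to an auth service over plain HTTP, with client-supplied X-Forwarded-* headers trusted. Rename the section and the resource to what it is (forward auth) and drop `trustForwardHeader: true` unless Traefik only receives traffic from a trusted proxy, or replace the spec with a real timeout configuration. Related gaps in the same file: `default-cors@kubernetescrd` is referenced under "启用 CORS" but no `cors` Middleware is defined. The "重定向 HTTP 到 HTTPS" annotations (`redirect-entry-point`, `redirect-permanent`) are the Traefik 1.x form, while the rest of the file uses the Traefik 2 `router.*` annotations, where the redirect is done with a redirectScheme middleware. The ClusterIssuer `letsencrypt-prod` is created but neither Ingress example references it, so the TLS example still relies on the manually created `example-tls-secret`. In the dashboard command, `kubectl get pods ... -o name` returns more than one name when several Traefik pods exist, which breaks the `port-forward` call. Item 3 under "外部访问配置" (HostPort) has no command or manifest, unlike items 1 and 2.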