K3s Practice
k3s
server
```bash
# First server: initialises the embedded etcd cluster
curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn sh -s - server \
    --cluster-init \
    --token=nigo8l0k6hjmaxyv

# Additional servers join the first one
curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn sh -s - server \
    --token=nigo8l0k6hjmaxyv \
    --server https://172.17.63.200:6443

# Uninstall a server node
/usr/local/bin/k3s-uninstall.sh
```
agent
```bash
curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn sh -s - agent \
    --token=nigo8l0k6hjmaxyv \
    --server https://172.17.63.200:6443

# Uninstall an agent node
/usr/local/bin/k3s-agent-uninstall.sh
```
Registry mirrors (image pull acceleration)
```yaml
# /etc/rancher/k3s/registries.yaml
mirrors:
  docker.io:
    endpoint:
      - 'https://docker.1ms.run'
      - 'https://dytt.online'
      - 'https://docker.m.daocloud.io'
      - 'https://lispy.org'
      - 'https://docker.xuanyuan.me'
```
deploy
Deploy one pod on every agent node
```bash
kubectl label nodes agent-1 role=agent
kubectl label nodes agent-2 role=agent
kubectl label nodes agent-3 role=agent
```

```yaml
# account-service-daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: account-service
  namespace: default
spec:
  selector:
    matchLabels:
      app: account-service
  template:
    metadata:
      labels:
        app: account-service
    spec:
      containers:
        - name: account-service
          image: hejtao/account-service:latest
          ports:
            - containerPort: 8080
      nodeSelector:
        role: agent
```

```yaml
# account-service-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: account-service
  namespace: default
spec:
  type: NodePort
  selector:
    app: account-service
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 8080
      nodePort: 30801
```

```bash
kubectl apply -f account-service-svc.yaml
```
Load balancing
HAProxy
For high availability, use Alibaba Cloud's load balancer. On a single machine, HAProxy is enough.

```bash
apt install haproxy
```

```
# /etc/haproxy/haproxy.cfg
# Append the following
# haproxy.pem is cert.key followed by full_chain.pem in one file
frontend https_frontend
    bind *:443 ssl crt /etc/ssl/private/haproxy.pem
    mode http
    option forwardfor
    option http-server-close
    redirect scheme https if !{ ssl_fc }
    default_backend agents_backend

frontend http_frontend
    bind *:80
    mode http
    redirect scheme https code 301 if !{ hdr(Host) -i yourdomain.com } !{ ssl_fc }

backend agents_backend
    mode http
    option tcp-check
    balance roundrobin
    default-server inter 10s downinter 5s
    server agent-1 172.17.0.169:30801 check
    server agent-2 172.17.0.168:30801 check
    server agent-3 172.17.0.164:30801 check
```
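HAProxy reads the key and the chain from the single haproxy.pem bundle above, and a malformed bundle (missing key, key from a different certificate, expired leaf) only shows up when the `bind *:443 ssl` line fails at reload. The following Go program is an added example, not part of the original notes: `BuildBundle` concatenates key and chain the way HAProxy expects, and `CheckBundle` validates the result using the same parsing rules Go's `tls.X509KeyPair` applies to a combined file. The self-signed key pair is constructed sample input so the check runs offline; a real bundle comes from the CA-issued files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// BuildBundle concatenates the private key PEM and the full chain PEM into the
// single file referenced by `bind *:443 ssl crt /etc/ssl/private/haproxy.pem`.
func BuildBundle(keyPEM, chainPEM []byte) []byte {
	out := append([]byte{}, keyPEM...)
	if len(out) > 0 && out[len(out)-1] != '\n' {
		out = append(out, '\n')
	}
	return append(out, chainPEM...)
}

// CheckBundle validates a bundle before HAProxy is reloaded: exactly one private
// key, at least one certificate, the key matching the leaf, and the leaf valid at
// `now`. It returns the number of CERTIFICATE blocks found.
func CheckBundle(bundle []byte, now time.Time) (int, error) {
	certs, keys := 0, 0
	for rest := bundle; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break
		}
		switch {
		case block.Type == "CERTIFICATE":
			certs++
		case block.Type == "PRIVATE KEY" || strings.HasSuffix(block.Type, " PRIVATE KEY"):
			keys++
		}
	}
	if keys != 1 {
		return certs, fmt.Errorf("bundle has %d private keys, want exactly 1", keys)
	}
	if certs == 0 {
		return 0, errors.New("bundle has no certificate")
	}
	// Passing the same bytes twice is intentional: X509KeyPair collects the
	// CERTIFICATE blocks, skips to the key block, and rejects a non-matching key.
	pair, err := tls.X509KeyPair(bundle, bundle)
	if err != nil {
		return certs, fmt.Errorf("key/certificate mismatch: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return certs, err
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return certs, fmt.Errorf("leaf %v not valid at %s (NotBefore %s, NotAfter %s)",
			leaf.DNSNames, now.Format(time.RFC3339),
			leaf.NotBefore.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339))
	}
	return certs, nil
}

// NewSelfSignedPair creates a throwaway ECDSA key and self-signed certificate.
// Constructed sample input for the check; production certificates come from the CA.
func NewSelfSignedPair(host string, notBefore time.Time, ttl time.Duration) (keyPEM, certPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return keyPEM, certPEM, nil
}

func main() {
	key, cert, err := NewSelfSignedPair("hejtao.site", time.Now().Add(-time.Hour), 48*time.Hour)
	if err != nil {
		panic(err)
	}
	n, err := CheckBundle(BuildBundle(key, cert), time.Now())
	fmt.Printf("certificates in chain: %d, error: %v\n", n, err)
}
```

Run the check against the real file with `CheckBundle(os.ReadFile("/etc/ssl/private/haproxy.pem"))` before `systemctl reload haproxy`; a mismatch or expiry is reported as an error instead of a failed bind at reload time.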
Traefik Ingress
NodePort is no longer needed; the Service falls back to the default ClusterIP type.

```yaml
# account-service-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: account-service
  namespace: default
spec:
  selector:
    app: account-service
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 8080 # port the pod listens on
```

```yaml
# account-service-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: account-service
  namespace: default
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: account-service
                port:
                  number: 8080 # must match port in account-service-svc.yaml
```
Add a readiness probe so that Traefik's health check only routes to ready pods

```yaml
# account-service-daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: account-service
  namespace: default
spec:
  selector:
    matchLabels:
      app: account-service
  template:
    metadata:
      labels:
        app: account-service
    spec:
      containers:
        - name: account-service
          image: hejtao/account-service:latest
          ports:
            - containerPort: 8080
          readinessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
      nodeSelector:
        role: agent
```

```bash
kubectl apply -f account-service-daemonset.yaml
kubectl rollout restart daemonset/account-service
kubectl rollout status daemonset/account-service
```
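The readiness probe above only works if the service actually answers `/health` with a status that reflects whether it can take traffic: kubelet treats 200 to 399 as ready and anything else as not ready, and an unready pod is removed from the Service endpoints, so Traefik stops routing to it. The Go handler below is an added example (not the account-service code from the repository) that shows the pattern: the endpoint starts unready, is flipped to ready after dependency setup, and can be flipped back during shutdown to drain traffic. The `/health` path and port 8080 come from the DaemonSet; the placeholder `/` handler and the `Probe` helper are assumptions for illustration.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// Health backs GET /health, the path the readinessProbe points at. It starts
// unready: until Ready() is called kubelet receives 503, the pod stays out of
// the Service endpoints, and Traefik does not send it requests.
type Health struct {
	ready atomic.Bool
}

// Ready is called once dependencies (DB, gRPC clients, ...) are usable.
func (h *Health) Ready() { h.ready.Store(true) }

// NotReady takes the pod back out of rotation, e.g. on SIGTERM, so new
// requests stop arriving while in-flight ones finish.
func (h *Health) NotReady() { h.ready.Store(false) }

// Status is the HTTP status the probe sees right now.
func (h *Health) Status() int {
	if h.ready.Load() {
		return http.StatusOK
	}
	return http.StatusServiceUnavailable
}

// ServeHTTP answers the probe. The body is kept to ok / not ready on purpose:
// version and dependency details do not belong on an unauthenticated endpoint.
func (h *Health) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet && r.Method != http.MethodHead {
		w.Header().Set("Allow", "GET, HEAD")
		w.WriteHeader(http.StatusMethodNotAllowed)
		return
	}
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("Cache-Control", "no-store")
	code := h.Status()
	w.WriteHeader(code)
	if r.Method == http.MethodGet {
		if code == http.StatusOK {
			_, _ = w.Write([]byte("ok\n"))
		} else {
			_, _ = w.Write([]byte("not ready\n"))
		}
	}
}

// NewMux registers the probe next to the application's routes. The "/" handler
// is a hypothetical placeholder standing in for the real service handlers.
func NewMux(h *Health) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/health", h)
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if h.Status() != http.StatusOK {
			http.Error(w, "warming up", http.StatusServiceUnavailable)
			return
		}
		_, _ = w.Write([]byte("account-service\n"))
	})
	return mux
}

// Probe issues an in-process request to /health and returns the status code,
// i.e. exactly what kubelet's httpGet probe evaluates.
func Probe(mux http.Handler, method string) int {
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(method, "/health", nil))
	return rec.Code
}

func main() {
	h := &Health{}
	srv := &http.Server{Addr: ":8080", Handler: NewMux(h)}
	// Dependency setup would run here; flip to ready only after it succeeds.
	h.Ready()
	log.Fatal(srv.ListenAndServe())
}
```

With `initialDelaySeconds: 5` and `periodSeconds: 10` from the DaemonSet, a pod that calls `NotReady()` on SIGTERM is dropped from the endpoints within one probe period, which is the window to keep `terminationGracePeriodSeconds` above.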
Automatic SSL/TLS certificate provisioning

```bash
kubectl get storageclasses
```

```yaml
# traefik-values.yaml
replicas: 1
additionalArguments:
  - '--certificatesresolvers.myresolver.acme.tlschallenge'
  - '--certificatesresolvers.myresolver.acme.email=hejtao@outlook.com'
  - '--certificatesresolvers.myresolver.acme.storage=/data/acme.json'
persistence:
  enabled: true
  storageClass: 'local-path'
  accessMode: 'ReadWriteOnce'
  size: '128Mi'
ports:
  web:
    port: 80
  websecure:
    port: 443
service:
  type: 'LoadBalancer'
  ports:
    web:
      port: 80
    websecure:
      port: 443
```

```bash
helm repo add traefik https://helm.traefik.io/traefik # k3s already ships Traefik, so this step is not needed
helm repo update
helm upgrade traefik traefik/traefik \
    --namespace kube-system \
    --values traefik-values.yaml
kubectl get pods -o wide -n kube-system
kubectl logs traefik789c78d896-55c9k -n kube-system # check the log for errors
```

```yaml
# account-service-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: account-service
  namespace: default
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: 'web,websecure'
    traefik.ingress.kubernetes.io/router.tls: 'true'
    traefik.ingress.kubernetes.io/redirect-entrypoint: 'https'
    traefik.ingress.kubernetes.io/router.tls.certresolver: myresolver
spec:
  tls:
    - hosts:
        - hejtao.site
  rules:
    - host: hejtao.site
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: account-service
                port:
                  number: 8080
    - host: www.hejtao.site
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: account-service
                port:
                  number: 8080
```
Microservices
grpc
```bash
brew install protobuf
go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
brew install buf
```
Project structure
```text
├── Cargo.lock
├── Cargo.toml
├── account-service
├── buf.gen.yaml
├── buf.yaml
├── build.image.account-service.sh
├── build.image.order-service.sh
├── build.image.product-service.sh
├── go.work
├── go.work.sum
├── order-service
├── pb
├── product-service
└── proto
```