首次提交：初始化项目

2026-02-05 00:11:05 +08:00
commit 26eaf8110b
171 changed files with 17105 additions and 0 deletions
--- a/009-基础设施/005-ingress/Caddyfile
+++ b/009-基础设施/005-ingress/Caddyfile
@@ -0,0 +1,43 @@
+{
+    email admin@u6.net3w.com
+}
+
+# 示例域名配置
+test.u6.net3w.com {
+    reverse_proxy traefik.kube-system.svc.cluster.local:80
+}
+
+# MinIO S3 API
+s3.u6.net3w.com {
+    reverse_proxy traefik.kube-system.svc.cluster.local:80
+}
+
+# MinIO Console
+console.s3.u6.net3w.com {
+    reverse_proxy traefik.kube-system.svc.cluster.local:80
+}
+
+# Longhorn 存储管理
+longhorn.u6.net3w.com {
+    reverse_proxy traefik.kube-system.svc.cluster.local:80
+}
+
+# Grafana 监控仪表板
+grafana.u6.net3w.com {
+    reverse_proxy traefik.kube-system.svc.cluster.local:80
+}
+
+# Prometheus 监控
+prometheus.u6.net3w.com {
+    reverse_proxy traefik.kube-system.svc.cluster.local:80
+}
+
+# Alertmanager 告警管理
+alertmanager.u6.net3w.com {
+    reverse_proxy traefik.kube-system.svc.cluster.local:80
+}
+
+# 导航页面
+dh.u6.net3w.com {
+    reverse_proxy traefik.kube-system.svc.cluster.local:80
+}
--- a/009-基础设施/005-ingress/deploy-longhorn-ingress.sh
+++ b/009-基础设施/005-ingress/deploy-longhorn-ingress.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# 应用 Longhorn Ingress
+echo "创建 Longhorn Ingress..."
+kubectl apply -f longhorn-ingress.yaml
+
+# 显示 Ingress 状态
+echo ""
+echo "Ingress 状态："
+kubectl get ingress -n longhorn-system
+
+echo ""
+echo "访问 Longhorn UI："
+echo "  URL: http://longhorn.local"
+echo "  需要在 /etc/hosts 中添加："
+echo "  <节点IP> longhorn.local"
--- a/009-基础设施/005-ingress/longhorn-ingress.yaml
+++ b/009-基础设施/005-ingress/longhorn-ingress.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: longhorn-ingress
+  namespace: longhorn-system
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: web
+spec:
+  rules:
+  - host: longhorn.u6.net3w.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: longhorn-frontend
+            port:
+              number: 80
--- a/009-基础设施/005-ingress/readme.md
+++ b/009-基础设施/005-ingress/readme.md
@@ -0,0 +1,202 @@
+# Traefik Ingress 控制器配置
+
+## 当前状态
+
+K3s 默认已安装 Traefik 作为 Ingress 控制器。
+
+- **命名空间**: kube-system
+- **服务类型**: ClusterIP
+- **端口**: 80 (HTTP), 443 (HTTPS)
+
+## Traefik 配置信息
+
+查看 Traefik 配置：
+```bash
+kubectl get deployment traefik -n kube-system -o yaml
+```
+
+查看 Traefik 服务：
+```bash
+kubectl get svc traefik -n kube-system
+```
+
+## 使用 Ingress
+
+### 基本 HTTP Ingress 示例
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: example-ingress
+  namespace: default
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: web
+spec:
+  rules:
+  - host: example.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: example-service
+            port:
+              number: 80
+```
+
+### HTTPS Ingress 示例（使用 TLS）
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: example-ingress-tls
+  namespace: default
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  tls:
+  - hosts:
+    - example.com
+    secretName: example-tls-secret
+  rules:
+  - host: example.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: example-service
+            port:
+              number: 80
+```
+
+## 创建 TLS 证书
+
+### 使用 Let's Encrypt (cert-manager)
+
+1. 安装 cert-manager：
+```bash
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml
+```
+
+2. 创建 ClusterIssuer：
+```yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: your-email@example.com
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+    - http01:
+        ingress:
+          class: traefik
+```
+
+### 使用自签名证书
+
+```bash
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+  -keyout tls.key -out tls.crt \
+  -subj "/CN=example.com/O=example"
+
+kubectl create secret tls example-tls-secret \
+  --key tls.key --cert tls.crt -n default
+```
+
+## Traefik Dashboard
+
+访问 Traefik Dashboard：
+
+```bash
+kubectl port-forward -n kube-system $(kubectl get pods -n kube-system -l app.kubernetes.io/name=traefik -o name) 9000:9000
+```
+
+然后访问: http://localhost:9000/dashboard/
+
+## 常用注解
+
+### 重定向 HTTP 到 HTTPS
+```yaml
+annotations:
+  traefik.ingress.kubernetes.io/redirect-entry-point: https
+  traefik.ingress.kubernetes.io/redirect-permanent: "true"
+```
+
+### 设置超时
+```yaml
+annotations:
+  traefik.ingress.kubernetes.io/router.middlewares: default-timeout@kubernetescrd
+```
+
+### 启用 CORS
+```yaml
+annotations:
+  traefik.ingress.kubernetes.io/router.middlewares: default-cors@kubernetescrd
+```
+
+## 中间件示例
+
+### 创建超时中间件
+```yaml
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: timeout
+  namespace: default
+spec:
+  forwardAuth:
+    address: http://auth-service
+    trustForwardHeader: true
+```
+
+## 监控和日志
+
+查看 Traefik 日志：
+```bash
+kubectl logs -n kube-system -l app.kubernetes.io/name=traefik -f
+```
+
+## 故障排查
+
+### 检查 Ingress 状态
+```bash
+kubectl get ingress -A
+kubectl describe ingress <ingress-name> -n <namespace>
+```
+
+### 检查 Traefik 配置
+```bash
+kubectl get ingressroute -A
+kubectl get middleware -A
+```
+
+## 外部访问配置
+
+如果需要从外部访问，可以：
+
+1. **使用 NodePort**：
+```bash
+kubectl patch svc traefik -n kube-system -p '{"spec":{"type":"NodePort"}}'
+```
+
+2. **使用 LoadBalancer**（需要云环境或 MetalLB）：
+```bash
+kubectl patch svc traefik -n kube-system -p '{"spec":{"type":"LoadBalancer"}}'
+```
+
+3. **使用 HostPort**（直接绑定到节点端口 80/443）
+
+## 参考资源
+
+- Traefik 官方文档: https://doc.traefik.io/traefik/
+- K3s Traefik 配置: https://docs.k3s.io/networking#traefik-ingress-controller