TODO: install a highly available etcd-based k3s cluster and deploy a Spring Boot application. This post has not been tidied up yet; for now it is just a running log.
Best practices
Keep the offline installation files
Fetch the install script from https://get.k3s.io and save it as install.sh, and download the offline files (mainly the k3s binary and the image archive) from GitHub. Pay special attention to install.sh: every K3s release may change this file. I have not found a way to fetch historical versions of it online, so if you are really going to deploy K3s yourself, keeping all of these files is the more reliable option.
Installing Docker on Alibaba Cloud Linux
Reference: https://help.aliyun.com/document_detail/264695.html?spm=a2c6h.12873639.article-detail.4.54a5146d4WimM7
```shell
# Add the docker-ce dnf repository
dnf config-manager --add-repo=https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Install the dnf repository compatibility plugin specific to Alibaba Cloud Linux 3
dnf -y install dnf-plugin-releasever-adapter --repo alinux3-plus
# Install docker-ce
dnf -y install docker-ce --nobest
# Verify
dnf list docker-ce
# Manage the Docker daemon
systemctl start docker    # start the Docker daemon
systemctl stop docker     # stop the Docker daemon
systemctl restart docker  # restart the Docker daemon
systemctl enable docker   # start Docker at boot
systemctl status docker   # show the Docker daemon's status
```
Installing K3s
Single node
See the official documentation.
Accelerated installation from within China
```shell
curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn sh -
```
High availability with embedded etcd
Reference: https://docs.rancher.cn/docs/k3s/installation/ha-embedded/_index
--docker: the k3s server component uses containerd as its container runtime. A k3s server node also starts an agent by default, and the --docker flag makes that agent use Docker as its container runtime instead.
--disable-agent: tells the server node not to start an agent.
```shell
# k3s-server-1 (--docker means the agent uses Docker)
curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn K3S_TOKEN=SECRET sh -s - server --docker --cluster-init
systemctl enable k3s
# k3s-server-n
curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn K3S_TOKEN=SECRET sh -s - server --docker --server https://172.24.46.247:6443
systemctl enable k3s
# Remove a node
kubectl delete node <node-name>
```
Traefik v2
K3s 1.21 and later install Traefik v2 by default.
Enabling the Traefik Dashboard
For security reasons the Dashboard is not exposed by default.
```shell
kubectl -n kube-system port-forward $(kubectl -n kube-system get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
```
Then open: http://localhost:9000/dashboard/
Let's Encrypt
Reference: Deploying an HTTPS ingress on k3s with Let's Encrypt
```shell
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.1/cert-manager.yaml
```
letsencrypt.yml:
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  namespace: cert-manager
  name: letsencrypt
spec:
  acme:
    email: [email protected]
    privateKeySecretRef:
      name: prod-issuer-account-key
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: traefik
      selector: {}
```
```shell
kubectl describe clusterissuer letsencrypt
```
ingress.yml:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  tls:
  - secretName: myapp-web-tls
    hosts:
    - myapp.mydomain.com
  ingressClassName: traefik
  rules:
  - host: myapp.mydomain.com
    http:
      paths:
      - path: /web
        pathType: Prefix
        backend:
          service:
            name: myapp-svc
            port:
              number: 8080
```
Offline K3s installation
Trying the offline installation route.
Deploying a private image registry
```shell
docker run -d \
  -p 5000:5000 \
  --restart=always \
  --name registry \
  -v $PWD/data:/var/lib/registry \
  registry:2
```
Edit the hosts file:
Configure the private registry as insecure (i.e. plain HTTP):
/etc/docker/daemon.json:
```json
{
  "insecure-registries": [
    "myregistry.com:5000"
  ],
  "registry-mirrors": [
    "https://hub-mirror.c.163.com",
    "https://docker.mirrors.ustc.edu.cn"
  ]
}
```
```shell
docker tag demo:v1.2 myregistry.com:5000/demo:v1.2
docker push myregistry.com:5000/demo:v1.2
```
Push images to the private registry in bulk:
```shell
# Retag every local image (skipping dangling <none> entries) for the private registry and push it
docker images --format '{{.Repository}}:{{.Tag}}' | grep -v '<none>' | xargs -I {} sh -c 'docker tag {} myregistry.com:5000/{} && docker push myregistry.com:5000/{}'
```
List the images in the private registry: http://localhost:5000/v2/_catalog
List the tags of the demo image: http://localhost:5000/v2/demo/tags/list
```shell
docker --debug pull myregistry.com:5000/demo:v1.2
```
Installing K3s offline
- Download install.sh from https://get.k3s.io
- Download the k3s binary from https://github.com/rancher/k3s/releases and place it in the /usr/local/bin directory
```shell
INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh
```
Confirm that k3s installed successfully.
Configuring k3s to use the private registry
On startup, K3s checks whether /etc/rancher/k3s/registries.yaml exists and, if so, instructs containerd to use the registries defined in that file. If you want to use a private registry, you need to create this file as root on every node that will use it.
registries.yaml:
```yaml
mirrors:
  docker.io:
    endpoint:
      - "http://myregistry.com:5000"
    rewrite:
      "^rancher/(.*)": "mirrorproject/rancher-images/$1"
```
Edit the hosts file and add a mapping for myregistry.com.
The OS I tested on was Alibaba Cloud Linux 3.2104 LTS; the change to hosts took effect immediately, with no need to restart the network.
Let Docker use HTTP by editing /etc/docker/daemon.json; create the file if it does not exist:
/etc/docker/daemon.json:
```json
{
  "insecure-registries": ["myregistry.com:5000"]
}
```
Restart Docker for the change to take effect:
```shell
systemctl restart docker
```
Adding images to the private registry
First, download the k3s-images.txt file for the version you are using from https://github.com/rancher/k3s/releases, then pull the K3s images listed in k3s-images.txt from docker.io, retag them for the private registry, and push them to it.
Example:
```shell
# The pulled image is stored locally as rancher/coredns-coredns:1.6.3, so tag that name,
# and tag and push the same fully qualified target
docker pull docker.io/rancher/coredns-coredns:1.6.3
docker tag rancher/coredns-coredns:1.6.3 mycustomreg.com:5000/coredns-coredns:1.6.3
docker push mycustomreg.com:5000/coredns-coredns:1.6.3
```
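As an added example (not from the original post or the k3s project), the script below mirrors every image in k3s-images.txt into the private registry, naming each target so that the registries.yaml mirror and rewrite rule shown earlier actually resolve it: the `docker.io/` prefix is dropped, official images are placed under `library/`, and `rancher/*` is rewritten exactly as that rule does. It assumes the registry host myregistry.com:5000 used in this post and a k3s-images.txt in the current directory.

```shell
#!/bin/sh
# Added example: mirror the images listed in k3s-images.txt into the private
# registry from this post. Only docker.io images are handled, because the
# registries.yaml above only mirrors docker.io.
REGISTRY="myregistry.com:5000"

# target_ref SOURCE_REF -> the name to tag and push.
# containerd asks the mirror for the path after the docker.io host, so
# "docker.io/rancher/x:t" must exist at "<registry>/rancher/x:t"; the rewrite
# rule then moves rancher/* under mirrorproject/rancher-images/.
target_ref() {
    ref="${1#docker.io/}"                  # drop the docker.io host prefix
    case "$ref" in
        */*) ;;                            # already namespaced
        *)   ref="library/$ref" ;;         # official images live under library/
    esac
    case "$ref" in
        rancher/*) ref="mirrorproject/rancher-images/${ref#rancher/}" ;;
    esac
    printf '%s/%s\n' "$REGISTRY" "$ref"
}

# mirror_images LISTFILE: pull, retag and push each listed image; blank lines
# and '#' comments are skipped; returns non-zero if any image failed.
mirror_images() {
    rc=0
    while IFS= read -r src || [ -n "$src" ]; do
        case "$src" in ''|'#'*) continue ;; esac
        dst="$(target_ref "$src")"
        echo "mirroring $src -> $dst"
        docker pull "$src" && docker tag "$src" "$dst" && docker push "$dst" || rc=1
    done < "$1"
    return $rc
}

# Usage: sh mirror-k3s-images.sh k3s-images.txt
if [ -n "${1:-}" ]; then
    mirror_images "$1"
fi
```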
Inspect the private registry:
```shell
curl http://myregistry.com:5000/v2/_catalog
```
Helm
Installation
```shell
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
```
Add chart repositories
```shell
helm repo add stable https://kubernetes.oss-cn-hangzhou.aliyuncs.com/charts
helm repo add azure http://mirror.azure.cn/kubernetes/charts
helm repo add bitnami https://charts.bitnami.com/bitnami
```
Common commands
- helm repo list: list the chart repositories
- helm search repo zookeeper: search for a chart
Installing ZooKeeper
```shell
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
helm install zookeeper bitnami/zookeeper --set replicaCount=3 --set auth.enabled=false --set allowAnonymousLogin=true
```
Installation output:
```text
NAME: zookeeper
LAST DEPLOYED: Wed May 31 16:03:48 2023
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
CHART NAME: zookeeper
CHART VERSION: 11.4.2
APP VERSION: 3.8.1

** Please be patient while the chart is being deployed **

ZooKeeper can be accessed via port 2181 on the following DNS name from within your cluster:

    zookeeper.default.svc.cluster.local

To connect to your ZooKeeper server run the following commands:

    export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=zookeeper,app.kubernetes.io/instance=zookeeper,app.kubernetes.io/component=zookeeper" -o jsonpath="{.items[0].metadata.name}")
    kubectl exec -it $POD_NAME -- zkCli.sh

To connect to your ZooKeeper server from outside the cluster execute the following commands:

    kubectl port-forward --namespace default svc/zookeeper 2181:2181 &
    zkCli.sh 127.0.0.1:2181
```