2 posts tagged with "kubernetes"

goblin

Prerequisites

  • A running Kubernetes cluster
  • An Alibaba Cloud account with a DNS domain already created
  • An Alibaba Cloud AccessKey and SecretKey, which cert-manager uses to create the DNS records automatically

Install cert-manager

Official site

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml

DNS01

Official site; HTTP01 does not support wildcard domains, so a DNS01 solver (here the Alibaba DNS webhook) is required.

helm repo add cert-manager-alidns-webhook https://devmachine-fr.github.io/cert-manager-alidns-webhook
helm repo update
helm install alidns-webhook cert-manager-alidns-webhook/alidns-webhook --set groupName=example.com
  • Create the Alibaba Cloud DNS access credentials

apiVersion: v1
kind: Secret
metadata:
  name: alidns-secrets
  namespace: cert-manager   # a ClusterIssuer's webhook reads its secrets from the cert-manager namespace
stringData:
  access-key: xxx
  secret-key: xxx
  • Create the ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory # for testing use the staging server (https://acme-staging-v02.api.letsencrypt.org/directory)
    privateKeySecretRef:
      name: letsencrypt
    solvers:
      - dns01:
          webhook:
            config:
              accessTokenSecretRef:
                key: access-key
                name: alidns-secrets
              regionId: cn-beijing # your Alibaba Cloud region
              secretKeySecretRef:
                key: secret-key
                name: alidns-secrets
            groupName: example.com # must match the groupName configured on the webhook deployment (see the Helm chart's values)
            solverName: alidns-solver
  • Create a Certificate that uses the ClusterIssuer

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-tls
spec:
  secretName: example-com-tls
  dnsNames:
    - example.com
    - "*.example.com"
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer

Configure the Ingress to use the certificate automatically

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix        # required in networking.k8s.io/v1
            backend:
              service:              # v1 uses service.name / service.port, not serviceName / servicePort
                name: app
                port:
                  number: 80
  tls:
    - hosts:
        - app.example.com
      secretName: example-com-tls   # the wildcard certificate's secret; Ingress and Certificate must share a namespace
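A wildcard name covers exactly one label, so a host such as a.b.example.com is not matched by *.example.com and the Ingress would serve a certificate the browser rejects. The script below is an added example, not part of the original post: covers implements the single-label wildcard rule, and check_ingress_tls reads the SANs out of the live TLS secret and tests every Ingress host against them. It assumes kubectl and openssl 1.1.1 or newer are on PATH; the namespace (default) and Ingress name (app) are the post's values used as defaults.

```shell
#!/bin/sh
# Added example: verify that an Ingress's TLS hosts are covered by the SANs of
# the certificate stored in the secret it references. Not from the original post.
set -f   # keep '*.example.com' literal; never let the shell glob-expand SANs

# covers HOST NAME...: succeed if HOST equals a NAME or matches a single-label
# wildcard. "*.example.com" covers "app.example.com" but neither "example.com"
# nor "a.b.example.com", which is how CAs and browsers interpret wildcards.
covers() {
  host=$1; shift
  for name in "$@"; do
    case $name in
      '*.'*)
        suffix=${name#\*.}
        rest=${host%".$suffix"}
        # a match needs exactly one non-empty label in front of the suffix
        if [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]; then
          return 0
        fi ;;
      *)
        [ "$host" = "$name" ] && return 0 ;;
    esac
  done
  return 1
}

# check_ingress_tls NAMESPACE INGRESS: compare each TLS host with the SANs of
# the certificate actually present in the referenced secret (the live
# certificate, not the Certificate spec, is what clients will see).
check_ingress_tls() {
  ns=$1; ing=$2
  secret=$(kubectl -n "$ns" get ingress "$ing" -o jsonpath='{.spec.tls[0].secretName}')
  hosts=$(kubectl -n "$ns" get ingress "$ing" -o jsonpath='{range .spec.tls[*].hosts[*]}{@}{" "}{end}')
  sans=$(kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^ *DNS://p')
  rc=0
  for h in $hosts; do
    if covers "$h" $sans; then
      echo "OK   $h is covered by secret $secret"
    else
      echo "FAIL $h is NOT covered by secret $secret (SANs: $(echo $sans))"
      rc=1
    fi
  done
  return $rc
}

# usage: ./check-ingress-tls.sh check [namespace] [ingress]
if [ "${1:-}" = "check" ]; then
  check_ingress_tls "${2:-default}" "${3:-app}"
fi
```

Run it as ./check-ingress-tls.sh check default app after the Certificate has become Ready; a FAIL line means the host needs its own dnsNames entry (or its own Certificate) before the Ingress is exposed.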

goblin

Check cluster health

$ ETCDCTL_API=3 etcdctl --cacert=/opt/kubernetes/ssl/ca.pem --cert=/opt/kubernetes/ssl/server.pem --key=/opt/kubernetes/ssl/server-key.pem --endpoints=https://10.0.1.2:2379,https://10.0.1.3:2379,https://10.0.1.4:2379 endpoint health

https://10.0.1.2:2379 is healthy: successfully committed proposal: took = 1.698385ms
https://10.0.1.3:2379 is healthy: successfully committed proposal: took = 1.577913ms
https://10.0.1.4:2379 is healthy: successfully committed proposal: took = 5.616079ms

Get a single key

ETCDCTL_API=3 etcdctl --cacert=/opt/kubernetes/ssl/ca.pem --cert=/opt/kubernetes/ssl/server.pem --key=/opt/kubernetes/ssl/server-key.pem --endpoints=https://10.0.1.2:2379,https://10.0.1.3:2379,https://10.0.1.4:2379 get /registry/apiregistration.k8s.io/apiservices/v1.apps

List all keys

ETCDCTL_API=3 etcdctl --cacert=/opt/kubernetes/ssl/ca.pem --cert=/opt/kubernetes/ssl/server.pem --key=/opt/kubernetes/ssl/server-key.pem --endpoints=https://10.0.1.2:2379,https://10.0.1.3:2379,https://10.0.1.4:2379 get / --prefix --keys-only

Back up with snapshot save

ETCDCTL_API=3 etcdctl --cacert=/opt/kubernetes/ssl/ca.pem --cert=/opt/kubernetes/ssl/server.pem --key=/opt/kubernetes/ssl/server-key.pem --endpoints=https://10.0.1.2:2379,https://10.0.1.3:2379,https://10.0.1.4:2379 snapshot save /data/etcd_backup/etcd-snapshot-`date +%Y%m%d`.db

Keep backups for 10 days

# quote the pattern: an unquoted *.db is expanded by the shell against the current directory before find ever sees it
find /data/etcd_backup/ -name '*.db' -mtime +10 -exec rm -f {} \;
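The two steps above combined into one backup script, added here as an example and not taken from the post: it writes a dated snapshot, checks that etcdctl can read the file back before keeping it, restricts it to the owner (a snapshot contains every object in the cluster, Secrets included, exactly as the API server stored them), and prunes copies older than 10 days with the glob quoted. Paths, endpoints and the retention period are the post's values; etcdctl must be on PATH, and the backup only runs when the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example: etcd snapshot with integrity check, tight permissions and
# retention. Not from the original post; values below are the post's.
set -eu

ETCD_CERTS=/opt/kubernetes/ssl
ENDPOINTS=https://10.0.1.2:2379,https://10.0.1.3:2379,https://10.0.1.4:2379
BACKUP_DIR=/data/etcd_backup
KEEP_DAYS=10

# A snapshot holds all Secrets in the form the API server stored them
# (plaintext unless encryption at rest is enabled), so nothing created by
# this script may be readable by other users.
umask 077

# prune_old_snapshots DIR DAYS: delete *.db files last modified more than
# DAYS days ago. The pattern is quoted so find, not the shell, applies it.
prune_old_snapshots() {
  find "$1" -name '*.db' -type f -mtime +"$2" -exec rm -f {} +
}

# take_snapshot: save a dated snapshot, lock it down, and delete it again if
# etcdctl cannot read it back (a truncated file is worse than no backup,
# because it is only discovered during a restore).
take_snapshot() {
  out="$BACKUP_DIR/etcd-snapshot-$(date +%Y%m%d-%H%M%S).db"
  ETCDCTL_API=3 etcdctl \
    --cacert="$ETCD_CERTS/ca.pem" --cert="$ETCD_CERTS/server.pem" \
    --key="$ETCD_CERTS/server-key.pem" --endpoints="$ENDPOINTS" \
    snapshot save "$out"
  chmod 600 "$out"
  if ! ETCDCTL_API=3 etcdctl snapshot status "$out" >/dev/null; then
    echo "snapshot $out failed verification, removing it" >&2
    rm -f "$out"
    return 1
  fi
  echo "$out"
}

# usage: ./etcd-backup.sh run   (for example from a daily cron job)
if [ "${1:-}" = "run" ]; then
  mkdir -p "$BACKUP_DIR"
  take_snapshot
  prune_old_snapshots "$BACKUP_DIR" "$KEEP_DAYS"
fi
```

Pruning happens only after a verified snapshot has been written, so a run in which etcdctl fails never deletes the last good copy.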

Restore a backup

Copy the etcd backup snapshot, stop all kube-apiserver services in the cluster, and stop all etcd services in the cluster.

# Run on every member with its own --name and --initial-advertise-peer-urls
# (etcd-0 / 10.0.1.2 shown here); --data-dir must not already exist, so move
# the old data directory aside before restoring.
ETCDCTL_API=3 etcdctl snapshot restore /data/etcd_backup/etcd-snapshot-20231225.db \
  --name etcd-0 \
  --initial-cluster "etcd-0=https://10.0.1.2:2380,etcd-1=https://10.0.1.3:2380,etcd-2=https://10.0.1.4:2380" \
  --initial-cluster-token etcd-cluster \
  --initial-advertise-peer-urls https://10.0.1.2:2380 \
  --data-dir=/var/lib/etcd/default.etcd