Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Trace:
система_kubernetes

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
система_kubernetes [2025/12/17 14:18]
val [Ingress] 		система_kubernetes [2026/01/06 14:16] (current)
val [Ingress]
Line 882: Line 882:
 (доступны опции -f, --tail=2000,​ --previous) (доступны опции -f, --tail=2000,​ --previous)
  
-$ kubectl scale deployment my-webd --replicas=3 -n my-ns+$ kubectl scale deployment my-webd --replicas=3 -n my-ns   # 0 - остановка приложения
  
 $ kubectl delete pod/​my-webd-NNNNNNNNNN-NNNNN -n my-ns $ kubectl delete pod/​my-webd-NNNNNNNNNN-NNNNN -n my-ns
Line 1229: Line 1229:
 spec: spec:
   ingressClassName:​ nginx   ingressClassName:​ nginx
-#  tls: 
-#  - hosts: 
-#    - gowebd.corpX.un 
-#    secretName: gowebd-tls 
   rules:   rules:
   - host: webd.corpX.un   - host: webd.corpX.un
Line 1254: Line 1250:
         path: /         path: /
         pathType: Prefix         pathType: Prefix
 +#  tls:
 +#  - hosts:
 +#    - gowebd.corpX.un
 +#    - "​*.corpX.un"​
 +#    secretName: gowebd-tls
 +#  - hosts:
 +#    - webd.corpX.un
 +#    secretName: webd-tls
 </​code><​code>​ </​code><​code>​
 kube1# kubectl apply -f my-ingress.yaml -n my-ns kube1# kubectl apply -f my-ingress.yaml -n my-ns
Line 1288: Line 1292:
 $ ###kubectl delete secret/​gowebd-tls -n my-ns $ ###kubectl delete secret/​gowebd-tls -n my-ns
 </​code>​ </​code>​
-=== cert-manager === 
  
-  * [[Letsencrypt Certbot]] 
-  * [[https://​cert-manager.io/​docs/​installation/​|cert-manager Installation]] 
-  * [[https://​cert-manager.io/​docs/​tutorials/​acme/​nginx-ingress/​|cert-manager Securing NGINX-ingress]] 
- 
-  * [[https://​debuntu.ru/​manuals/​kubernetes/​tls-kerberos-in-kubernetes/​cert-manager_and_all_about_it/​installing-configuring-cert-manager/​| 
-  * [[https://​cert-manager.io/​docs/​configuration/​acme/#​private-acme-servers 
- 
-<​code>​ 
-student@vps:​~$ kubectl apply -f https://​github.com/​cert-manager/​cert-manager/​releases/​download/​v1.19.1/​cert-manager.yaml 
- 
-student@vps:​~$ kubectl -n cert-manager get all 
- 
-student@vps:​~$ cat issuer.yaml 
-</​code><​code>​ 
-apiVersion: cert-manager.io/​v1 
-#kind: Issuer 
-kind: ClusterIssuer 
-metadata: 
-  #name: letsencrypt-staging-issuer 
-  #name: letsencrypt-prod-issuer 
-  #name: freeipa-issuer 
-spec: 
-  acme: 
-    #server: https://​acme-staging-v02.api.letsencrypt.org/​directory 
-    #server: https://​acme-v02.api.letsencrypt.org/​directory 
- 
-    #server: https://​server.corpX.un/​acme/​directory 
-    #caBundle: # cat /​etc/​ipa/​ca.crt | base64 -w0 
- 
-    email: val@bmstu.ru 
-    profile: tlsserver 
-    privateKeySecretRef:​ 
-      name: issuer-secret 
-    solvers: 
-      - http01: 
-          ingress: 
-            ingressClassName:​ nginx 
-</​code><​code>​ 
-student@vps:​~$ kubectl apply -f issuer.yaml #-n my-ns 
- 
-student@vps:​~$ kubectl get secret issuer-secret -o yaml #-n my-ns 
- 
-student@vps:​~$ kubectl -n my-ns get certificate 
- 
-student@vps:​~$ kubectl -n my-ns events 
-... 
-Certificate fetched from issuer successfully 
- 
-student@vps:​~$ kubectl -n my-ns get secret webd-tls -o yaml 
-</​code>​ 
 ==== Volumes ==== ==== Volumes ====
  
Line 1914: Line 1867:
  
 <​code>​ <​code>​
-# wget https://​get.helm.sh/​helm-v3.16.4-linux-amd64.tar.gz+# ###wget https://​get.helm.sh/​helm-v3.16.4-linux-amd64.tar.gz 
 +# wget https://​get.helm.sh/​helm-v4.0.4-linux-amd64.tar.gz
  
 # tar -zxvf helm-*-linux-amd64.tar.gz # tar -zxvf helm-*-linux-amd64.tar.gz
Line 2538: Line 2492:
   ИЛИ   ИЛИ
 kube1:​~/​users#​ kubectl delete clusterrolebindings user1-cluster-admin kube1:​~/​users#​ kubectl delete clusterrolebindings user1-cluster-admin
 +</​code>​
 +
 +===== cert-manager =====
 +
 +  * [[Letsencrypt Certbot]]
 +  * [[https://​cert-manager.io/​docs/​installation/​|cert-manager Installation]]
 +  * [[https://​cert-manager.io/​docs/​tutorials/​acme/​nginx-ingress/​|cert-manager Securing NGINX-ingress]]
 +
 +  * [[https://​debuntu.ru/​manuals/​kubernetes/​tls-kerberos-in-kubernetes/​cert-manager_and_all_about_it/​installing-configuring-cert-manager/​|debuntu.ru Установка и настройка cert-manager]]
 +  * [[https://​habr.com/​ru/​companies/​nubes/​articles/​808035/​|Автоматический выпуск SSL-сертификатов. Используем Kubernetes и FreeIPA]]
 +  * [[https://​cert-manager.io/​docs/​configuration/​acme/#​private-acme-servers|Private ACME Servers]]
 +
 +<​code>​
 +student@vps:​~$ kubectl apply -f https://​github.com/​cert-manager/​cert-manager/​releases/​download/​v1.19.1/​cert-manager.yaml
 +
 +student@vps:​~$ kubectl -n cert-manager get all
 +
 +student@vps:​~$ #kubectl create secret generic cert-manager-tsig-secret --from-literal=tsig-secret-key="​NNN...NNN"​ -n cert-manager
 +
 +student@vps:​~$ cat ...issuer.yaml
 +</​code><​code>​
 +apiVersion: cert-manager.io/​v1
 +#kind: Issuer
 +kind: ClusterIssuer
 +metadata:
 +  #name: letsencrypt-staging-clusterissuer
 +  #name: letsencrypt-prod-clusterissuer
 +  #name: freeipa-clusterissuer
 +  #name: freeipa-dns-clusterissuer
 +spec:
 +  acme:
 +    #server: https://​acme-staging-v02.api.letsencrypt.org/​directory
 +    #server: https://​acme-v02.api.letsencrypt.org/​directory
 +    #profile: tlsserver
 +
 +    #server: https://​server.corpX.un/​acme/​directory
 +    #caBundle: # cat /​etc/​ipa/​ca.crt | base64 -w0
 +
 +    email: student@corpX.un
 +    privateKeySecretRef:​
 +      name: ...issuer-secret
 +    solvers:
 +    - http01:
 +        ingress:
 +          ingressClassName:​ nginx
 +    #- dns01:
 +        #rfc2136:
 +          #​nameserver:​ 192.168.X.10
 +          #​tsigKeyName:​ cert-manager
 +          #​tsigAlgorithm:​ HMACSHA256
 +          #​tsigSecretSecretRef:​
 +            #name: cert-manager-tsig-secret
 +            #key: tsig-secret-key
 +
 +</​code><​code>​
 +student@vps:​~$ kubectl apply -f ...issuer.yaml #-n my-ns
 +
 +student@vps:​~$ kubectl get secret -n cert-manager #-n my-ns
 +
 +student@vps:​~$ kubectl get clusterissuers.cert-manager.io
 +student@vps:​~$ kubectl get issuers.cert-manager.io #-n my-ns
 +NAME                    READY   AGE
 +...issuer ​              ​True ​   42s
 +</​code>​
 +
 +  * Запустить выпуск сертификата можно 2-мя способами:​
 +
 +1-й способ:​ annotations в [[#ingress example]]
 +
 +2-й способ (используется если для сайта нет ingress и негде указать annotations или для rfc2136)
 +<​code>​
 +student@vps:​~/​webd-k8s$ cat my-certificate.yaml
 +</​code><​code>​
 +apiVersion: cert-manager.io/​v1
 +kind: Certificate
 +metadata:
 +  name: webd-cert
 +spec:
 +  secretName: webd-tls
 +  dnsNames:
 +    #- siteN.mgtu.ru
 +    #- keycloak.corpX.un
 +    #- gitlab.corpX.un
 +  issuerRef:
 +    name: ...issuer
 +    #kind: ClusterIssuer
 +    #kind: Issuer
 +</​code>​
 +
 +<​code>​
 +student@vps:​~/​webd-k8s$ kubectl apply -f my-certificate.yaml -n my-ns
 +
 +student@vps:​~$ kubectl get certificate,​secrets -n my-ns
 +
 +student@vps:​~$ kubectl events -n my-ns
 +...
 +Certificate fetched from issuer successfully
 +
 +student@vps:​~$ kubectl get secret webd-tls -o yaml -n my-ns
 </​code>​ </​code>​
  
система_kubernetes.1765970317.txt.gz · Last modified: 2025/12/17 14:18 by val

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Run on Debian Driven by DokuWiki