~/kubespray# time ansible-playbook -i inventory/mycluster/hosts.yaml reset.yml ~/kubespray# git checkout origin/release-2.22 ~/kubespray# time pip3 install -r requirements.txt ~/kubespray# cp -rvfpT inventory/sample inventory/mycluster ~/kubespray# time ansible-playbook -i inventory/mycluster/hosts.yaml cluster.yml kube1:~# kubectl get nodes kube1:~# kubectl get ns
# Distribute the lab CA: publish the certificate (only wild.crt, not the key) under
# the web root as ca.crt, add it to each node's system trust store and restart
# containerd so pulls from the private registry (server.corp13.un:5000, below) are
# trusted. The three-step sequence is repeated verbatim for kube1..kube3; a loop
# over the host names would be equivalent.
server# mkdir -p /var/www/html/
cp wild.crt /var/www/html/ca.crt
bash -c '
scp /var/www/html/ca.crt kube1:/usr/local/share/ca-certificates/
ssh kube1 update-ca-certificates
ssh kube1 systemctl restart containerd
scp /var/www/html/ca.crt kube2:/usr/local/share/ca-certificates/
ssh kube2 update-ca-certificates
ssh kube2 systemctl restart containerd
scp /var/www/html/ca.crt kube3:/usr/local/share/ca-certificates/
ssh kube3 update-ca-certificates
ssh kube3 systemctl restart containerd
'
# Verify on a node that the registry is now trusted, then drop the local copy again.
kubeN# crictl pull server.corp13.un:5000/student/gowebd
crictl images
crictl rmi server.corp13.un:5000/student/gowebd
server# ss -lnp | grep ':80' server# apt install apache2 server# rm /var/www/html/index.html
server# scp wild.crt gate:gowebd.crt; scp wild.key gate:gowebd.key
server# cat /etc/bind/corpX.un
... gowebd A 172.16.1.13
C:\Users\student>nslookup gowebd.corp13.un MSIE: https://gowebd.corp13.un
server# cat /etc/bind/corpX.un
... gate1 A 192.168.X.21 gate2 A 192.168.X.22
gate# hostnamectl set-hostname gate1.corp13.un gate# cat /etc/network/interfaces
# /etc/network/interfaces for a gate host. eth0 is the internal side (static
# address in 192.168.13.0/24; N is the gate number, .21/.22 per the DNS records
# above), eth1 the external side. eth1 gets no address here because keepalived
# assigns the 172.16.1.x VIP to it (see keepalived.conf below).
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 192.168.13.2N
  netmask 255.255.255.0
  # 192.168.13.1 is itself the internal VIP from keepalived.conf, i.e. whichever
  # gate currently holds the VRRP instance.
  gateway 192.168.13.1

auto eth1
iface eth1 inet manual
  up ip link set eth1 up
gateN# cat /etc/keepalived/keepalived.conf
# VRRP instance shared by gate1 and gate2. The file is copied to gate2 unchanged
# (scp -3 step below), so the only per-host edit is the state line.
# NOTE(review): no priority is set, so both peers run with keepalived's default and
# which one ends up MASTER after a failback is decided by the daemon's tie-break
# rules — confirm the intended gate actually reclaims the VIPs.
vrrp_instance KUBE_GATE {
  state MASTER # state BACKUP
  interface eth0
  virtual_router_id 1
  # Both floating addresses move together: the external VIP on eth1 and the
  # internal default-gateway address on eth0.
  virtual_ipaddress {
    172.16.1.13/24 dev eth1
    192.168.13.1/24 dev eth0
  }
  # The upstream default route is only installed on the node holding the VIPs.
  virtual_routes {
    0.0.0.0/0 via 172.16.1.254 dev eth1
  }
}
gate# init 6 gate2# ifconfig eth0 inet 192.168.13.22 server# ssh-copy-id gate1 ssh-copy-id gate2 server# scp -3 gate1:/etc/network/interfaces gate2:/etc/network/ scp -3 gate1:/etc/resolv.conf gate2:/etc/ scp -3 gate1:/etc/sysctl.conf gate2:/etc/ scp -3 gate1:/etc/sysctl.d/* gate2:/etc/sysctl.d/ gate2# hostnamectl set-hostname gate2.corp13.un gate2# cat /etc/network/interfaces gate2# init 6 gate2# apt update && apt install keepalived nginx -y server# scp -3 gate1:/etc/keepalived/keepalived.conf gate2:/etc/keepalived/ scp -3 gate1:/etc/nginx/sites-available/gowebd gate2:/etc/nginx/sites-available/gowebd scp -3 gate1:/etc/nginx/sites-enabled/gowebd gate2:/etc/nginx/sites-enabled/gowebd scp -3 gate1:gowebd.* gate2: gate2# cat /etc/keepalived/keepalived.conf
server# ssh gate1 tail -f /var/log/nginx/access.log server# ssh gate2 tail -f /var/log/messages или server# ssh gate2 journalctl -f
gateN# apt install iptables conntrack iptables-persistent gateN#
!!! Скопируйте в блокнот и поправьте номер стенда X !!!
# Gateway NAT and forwarding rules; replace X with the stand number before applying.
# Both --flush calls clear the rules but leave the chains' default policies as they
# were; the trailing "-A FORWARD -j DROP" rule is what denies forwarded traffic not
# matched above. No INPUT/OUTPUT rules are set here, so traffic addressed to the
# gateway host itself is not filtered by this snippet.
iptables -t nat --flush
# Everything leaving the external interface eth1 is rewritten to the external VIP.
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 172.16.1.X
# Publish the internal DNS server on the external address. UDP only: DNS over TCP
# (truncated/large answers) is neither translated nor forwarded.
iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp --dport 53 -j DNAT --to-destination 192.168.X.10:53
iptables --flush
# Anything arriving on the internal interface eth0 may be forwarded out.
iptables -A FORWARD -i eth0 -j ACCEPT
# Return traffic for connections already in the conntrack table.
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# From the outside, only the DNAT'ed UDP/53 flow to the DNS server is let through.
iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 53 -j ACCEPT
iptables -A FORWARD -j DROP
# Drop existing connection state so current flows are re-evaluated against the
# new rules instead of riding on the RELATED,ESTABLISHED match.
conntrack -F
# Persist the rules across reboots (iptables-persistent was installed above).
netfilter-persistent save
gateN# systemctl disable nginx --now
server:~# scp wild.key kube1:gowebd.key; scp wild.crt kube1:gowebd.crt
# Test the ingress on a single node while keeping the real host name for SNI and
# the Host header: --connect-to routes the request for gowebd.corpX.un to kubeN:443
# without touching DNS. The commented-out -k would disable certificate
# verification; when the lab CA from ca.crt is trusted on the client it is not
# needed, and --cacert <path-to-ca.crt> is the alternative to -k when it is not.
$ curl --connect-to "":"":kubeN:443 https://gowebd.corpX.un #-vk
gateN# cat /etc/keepalived/keepalived.conf
... virtual_server 172.16.1.13 443 { protocol TCP lb_algo wlc lb_kind NAT real_server 192.168.13.221 443 {TCP_CHECK {}} real_server 192.168.13.222 443 {TCP_CHECK {}} real_server 192.168.13.223 443 {TCP_CHECK {}} }
kube1# kubectl delete ns my-ns
$ curl http://kubeN/ -H "Host: gowebd.corp13.un"
server# scp wild.* gate1:
# Replicate the HAProxy setup from gate1 to gate2 via server (scp -3 relays the
# files through the local host). scp without -p does not carry over the source
# modes, so the private-key files land in /etc/ssl/private on gate2 with default
# permissions — check the file and directory modes there after the copy
# (NOTE(review): the directory's own mode is what restricts access; confirm).
server# ssh gate2 apt install haproxy
server# scp -3 gate1:/etc/ssl/private/* gate2:/etc/ssl/private/
scp -3 gate1:/etc/haproxy/haproxy.cfg gate2:/etc/haproxy/haproxy.cfg
ssh gate2 service haproxy restart
# Follow the HAProxy log on either gate.
server# ssh gateN tail -f /var/log/haproxy.log
kube1# kubectl delete ns my-ns
cmder> kubectl port-forward -n my-ns services/my-webd-webd-chart 1234:80
!!! В классе, если нет второго кластера, можно просто посмотреть !!!
gate1# cp /etc/ssl/private/wild.crtkey /etc/ssl/private/gowebd.crtkey cp /etc/ssl/private/wild.crtkey /etc/ssl/private/keycloak.crtkey gate1# cat /etc/haproxy/haproxy.cfg ... gate1# service haproxy restart server# scp -3 gate1:/etc/haproxy/haproxy.cfg gate2:/etc/haproxy/haproxy.cfg scp -3 gate1:/etc/ssl/private/* gate2:/etc/ssl/private/ ssh gate2 service haproxy restart
kube1:~# kubectl delete -f application.yaml kube1:~# kubectl delete ns my-ns kube1:~# rm application.yaml kube1:~# crictl rmi server.corp13.un:5000/student/gowebd:ver1.1 kube1:~# crictl rmi server.corp13.un:5000/student/gowebd:ver1.2
# Tear down Argo CD. "stable" is a moving reference, so the manifest fetched now
# may not match the one that was applied; objects no longer listed are left
# behind, and "kubectl delete ns argocd" removes only namespaced ones. Check for
# cluster-scoped leftovers afterwards (NOTE(review): CRDs/ClusterRoles, if the
# install created them).
kube1:~# kubectl delete -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
kube1:~# kubectl delete ns argocd
# On the Windows workstation: remove the kubeconfig (cluster credentials) and the
# kubectl binary.
cmder> rm -rf ~/.kube/
cmder> rm /usr/bin/kubectl.exe
kube1:~# helm delete ingress-nginx --namespace ingress-nginx kube1:~# kubectl delete ns ingress-nginx kube1:~# rm -r helm* linux-amd64/ /usr/local/bin/helm kube1:~# rm -r gowebd/ ingress-nginx/
kubeN# rm /usr/local/share/ca-certificates/ca.crt /etc/ssl/certs/ca.pem update-ca-certificates systemctl restart containerd
kube1:~# rm gowebd.crt gowebd.key my-ingress.yaml my-webd-service.yaml my-webd-deployment.yaml
server# rm -rf /var/www/ server# rm server.key