Initial commit: k3s deployment configurations

2026-01-21 08:37:05 +00:00
commit 3616496b86
28 changed files with 1502 additions and 0 deletions
--- a/k3s/my-blog/01-mysql.yaml
+++ b/k3s/my-blog/01-mysql.yaml
@@ -0,0 +1,72 @@
+# 01-mysql.yaml (新版)
+
+# --- 第一部分：申请一张硬盘券 (PVC) ---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mysql-pvc           # 记住这个券的名字
+  namespace: demo-space
+spec:
+  accessModes:
+    - ReadWriteOnce         # 只能被一个节点读写
+  storageClassName: longhorn # K3s 默认的存储驱动，利用 VPS 本地硬盘
+  resources:
+    requests:
+      storage: 2Gi          # 申请 2GB 大小
+
+---
+
+# --- 第二部分：数据库服务 (不变) ---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mysql-service
+  namespace: demo-space
+spec:
+  ports:
+  - port: 3306
+  selector:
+    app: wordpress-mysql
+
+---
+
+# --- 第三部分：部署数据库 (挂载硬盘) ---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wordpress-mysql
+  namespace: demo-space
+spec:
+  selector:
+    matchLabels:
+      app: wordpress-mysql
+  strategy:
+    type: Recreate # 有状态应用建议用 Recreate (先关旧的再开新的)
+  template:
+    metadata:
+      labels:
+        app: wordpress-mysql
+    spec:
+      containers:
+      - image: mariadb:10.6.4-focal
+        name: mysql
+        env:
+        - name: MYSQL_ROOT_PASSWORD
+          value: "password123"
+        - name: MYSQL_DATABASE
+          value: "wordpress"
+        - name: MYSQL_USER
+          value: "wordpress"
+        - name: MYSQL_PASSWORD
+          value: "wordpress"
+        ports:
+        - containerPort: 3306
+          name: mysql
+        # ▼▼▼ 重点变化在这里 ▼▼▼
+        volumeMounts:
+        - name: mysql-store
+          mountPath: /var/lib/mysql # 容器里数据库存文件的位置
+      volumes:
+      - name: mysql-store
+        persistentVolumeClaim:
+          claimName: mysql-pvc      # 使用上面定义的那张券
--- a/k3s/my-blog/02-wordpress.yaml
+++ b/k3s/my-blog/02-wordpress.yaml
@@ -0,0 +1,57 @@
+# 02-wordpress.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: wordpress-service
+  namespace: demo-space
+spec:
+  ports:
+  - port: 80
+  selector:
+    app: wordpress
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wordpress
+  namespace: demo-space
+spec:
+  replicas: 2  # 我们启动 2 个 WordPress 前台
+  selector:
+    matchLabels:
+      app: wordpress
+  template:
+    metadata:
+      labels:
+        app: wordpress
+    spec:
+      containers:
+      - image: wordpress:latest
+        name: wordpress
+        env:
+        - name: WORDPRESS_DB_HOST
+          value: "mysql-service"  # 魔法所在！直接填名字
+        - name: WORDPRESS_DB_USER
+          value: "wordpress"
+        - name: WORDPRESS_DB_PASSWORD
+          value: "wordpress"
+        - name: WORDPRESS_DB_NAME
+          value: "wordpress"
+        - name: WORDPRESS_CONFIG_EXTRA
+          value: |
+            /* HTTPS behind reverse proxy - Complete configuration */
+            if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
+              $_SERVER['HTTPS'] = 'on';
+            }
+            if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
+              $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
+            }
+            /* Force SSL for admin */
+            define('FORCE_SSL_ADMIN', true);
+            /* Fix cookie issues */
+            @ini_set('session.cookie_httponly', true);
+            @ini_set('session.cookie_secure', true);
+            @ini_set('session.use_only_cookies', true);
+        ports:
+        - containerPort: 80
+          name: wordpress
--- a/k3s/my-blog/03-ingress.yaml
+++ b/k3s/my-blog/03-ingress.yaml
@@ -0,0 +1,28 @@
+# 03-ingress.yaml
+
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: wordpress-ingress
+  namespace: demo-space
+  annotations:
+    # ▼▼▼ 关键注解：我要申请证书 ▼▼▼
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  rules:
+  - host: blog.u9.net3w.com  # 您的域名
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: wordpress-service
+            port:
+              number: 80
+  # ▼▼▼ 关键配置：证书存放在这个 Secret 里 ▼▼▼
+  tls:
+  - hosts:
+    - blog.u9.net3w.com
+    secretName: blog-tls-secret  # K3s 会自动创建这个 secret 并填入证书
--- a/k3s/my-blog/fd_反代3100/external-app.yaml
+++ b/k3s/my-blog/fd_反代3100/external-app.yaml
@@ -0,0 +1,30 @@
+# 1. 定义一个“虚假”的服务，作为 K8s 内部的入口
+#
+
+# external-app.yaml (修正版)
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: host-app-service
+  namespace: demo-space
+spec:
+  ports:
+    - name: http          # <--- Service 这里叫 http
+      protocol: TCP
+      port: 80
+      targetPort: 3100
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: host-app-service
+  namespace: demo-space
+subsets:
+  - addresses:
+      - ip: 85.137.244.98
+    ports:
+      - port: 3100
+        name: http        # <--- 【关键修改】这里必须也叫 http，才能配对成功！
--- a/k3s/my-blog/fd_反代3100/external-ingress.yaml
+++ b/k3s/my-blog/fd_反代3100/external-ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: host-app-ingress
+  namespace: demo-space
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    # ▼▼▼ 核心修复：添加这一行 ▼▼▼
+    ingress.kubernetes.io/custom-response-headers: "Content-Security-Policy: upgrade-insecure-requests"
+spec:
+  rules:
+  - host: wt.u9.net3w.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: host-app-service
+            port:
+              number: 80
+  tls:
+  - hosts:
+    - wt.u9.net3w.com
+    secretName: wt-tls-secret
--- a/k3s/my-blog/issuer.yaml
+++ b/k3s/my-blog/issuer.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # Let's Encrypt 的生产环境接口
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # 填您的真实邮箱，证书过期前会发邮件提醒（虽然它会自动续期）
+    email: fszy2021@gmail.com
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+    - http01:
+        ingress:
+          class: traefik
--- a/k3s/my-blog/longhorn-ingress.yaml
+++ b/k3s/my-blog/longhorn-ingress.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: longhorn-ingress
+  namespace: longhorn-system  # 注意：Longhorn 安装在这个命名空间
+  annotations:
+    # 1. 告诉 Cert-Manager：请用这个发证机构给我发证
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    # (可选) 强制 Traefik 使用 HTTPS 入口，但这行通常不需要，Traefik 会自动识别 TLS
+    # traefik.ingress.kubernetes.io/router.entrypoints: websecure 
+spec:
+  rules:
+  - host: storage.u9.net3w.com   # 您的域名
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: longhorn-frontend
+            port:
+              number: 80
+  # 2. 告诉 K3s：证书下载下来后，存在哪里
+  tls:
+  - hosts:
+    - storage.u9.net3w.com
+    secretName: longhorn-tls-secret  # 证书会自动保存在这个 Secret 里
--- a/k3s/my-blog/php-apache.yaml
+++ b/k3s/my-blog/php-apache.yaml
@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: php-apache
+  namespace: demo-space
+spec:
+  selector:
+    matchLabels:
+      run: php-apache
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        run: php-apache
+    spec:
+      containers:
+      - name: php-apache
+        image: registry.k8s.io/hpa-example
+        ports:
+        - containerPort: 80
+        resources:
+          # 必须设置资源限制，HPA 才能计算百分比
+          limits:
+            cpu: 500m
+          requests:
+            cpu: 200m
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: php-apache
+  namespace: demo-space
+spec:
+  ports:
+  - port: 80
+  selector:
+    run: php-apache