This article shows how to deploy K3s and Traefik, build a CI/CD pipeline on the Coding platform, and obtain certificates from Let’s Encrypt.

Preparation

  • One cloud host
  • Open an account on Coding.net and create a repository. Enable three modules: Continuous Integration, Continuous Deployment and Artifact Management

Process: use Tencent Cloud's free build capacity to build the image -> use the deployment capability to deploy to a self-built K3s

If you are not familiar with K8s, it is recommended to read the official documentation, which is quite complete. The concepts I mainly needed to understand were:

  • pods
  • deployments
  • configMaps
  • services
  • ingresses

Reading those is basically enough, together with knowing how to write the configuration files, which are covered below.

Build the image

Create a repository on GitHub or on Coding

Then go to Continuous Integration – Build Plan – New Build Plan

Docker image push

GitHub code is optional here; just grant the authorization

Fill in the image name, location and directory

The image version can be written by hand; for your own projects, use latest

Create a new artifact repository when pushing

Try it out when you are done. Once the build completes, you can see the artifact in Artifact Management

Find your plan under Continuous Integration – Build Plan, click on it and turn on the trigger rule. The simplest configuration is to build on every push to master

Now that the image is built, set up K3s

K3s setup

Installation

curl -sfL http://rancher-mirror.cnrancher.com/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn INSTALL_K3S_EXEC='server --tls-san xx.xx.xx.xx' sh -

xx.xx.xx.xx is your server's IP address. Access from the external network requires K3s to include your server IP in the self-signed certificate it generates, which is what --tls-san does

Check that the installation worked:

kubectl get pods

Then download /etc/rancher/k3s/k3s.yaml and change the server address inside it from https://127.0.0.1:6443 to https://<server IP>:6443

Open ports in the Tencent Cloud server security group

  • TCP 3000-32768: ports that K8s pods expose directly to the external network
  • UDP 3000-32768: ports that K8s pods expose directly to the external network
  • TCP 6443: K3s external access port

Management

Open Lens (a K8s management tool, very useful; download it yourself)

Click + in the lower right corner, choose Add Kubeconfig and paste k3s.yaml into it. The new cluster appears on the Lens home page; click the card and connect. In theory it should connect now.

This is the state after I have deployed the service

Once Lens is connected to the machine, there is a + at the bottom. Select Create Resource to deploy a file; this will be used later

Image pull key

A key (Secret) is required to pull the image

Refer to this article > help.coding.net/docs/cd/que…

Deploy the service

Continuous Deployment – K8s – Associate now

The next step is to jump to the deployment console

Select Cloud Account on the left, bind a cloud account, select K8s, use Kubeconfig as the authentication mode and paste the k3s.yaml from earlier into it

Check "Accept untrusted certificates" and "Allow continuous deployment to manage existing resources in the cluster"

Select Host Management on the left, add a bastion host and execute the command it shows as required

Select Applications on the left, create an application in the upper right and create a pipeline from the blank pipeline template

Manifests are used here. It is recommended to create a separate repository on Coding that stores only the configuration files

Here are three examples

Deployment and Service are mandatory; the ConfigMap is optional

apiVersion: v1
kind: Service
metadata:
  name: backend
  annotations:
    app.kubernetes.io/version: "0.0.1"
  labels:
    app: backend
    version: backend1
spec:
  selector:
    app: backend
    version: backend1
  ports:
    - name: http
      port: 3000
      targetPort: 3000
      nodePort: 30008 # Port exposed on the node
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
  annotations:
    strategy.spinnaker.io/versioned: "false"
    app.kubernetes.io/version: "0.0.1"
  labels:
    app: backend
    version: backend1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: backend
      version: backend1
  template:
    metadata:
      labels:
        app: backend
        version: backend1
    spec:
      containers:
        - name: xxx-backend
          image: xxx-backend:latest # Image address
          imagePullPolicy: Always
          ports:
            - containerPort: 3000
              name: http
          volumeMounts:
            - name: backendconfig
              mountPath: xxx/config.docker.yaml # Where the app reads config.docker.yaml
              subPath: config.docker.yaml # Mount the single ConfigMap key as a file
          resources:
            limits:
              cpu: 1000m
              memory: 2000Mi
            requests:
              cpu: 100m
              memory: 200Mi
      volumes:
        - name: backendconfig
          configMap:
            name: backendconfig
      imagePullSecrets:
        - name: coding-docker # Registry pull secret; see the image pull key section above
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: backendconfig
  annotations:
    app.kubernetes.io/version: "0.0.1"
    strategy.spinnaker.io/versioned: "false"
  labels:
    app: backend
    version: backend1
data:
  config.docker.yaml: |
    # redis configuration
    redis:
      db: 0
      addr: 'xxx:30379'
      password: ''
    mysql:
      path: 'xxx:30060'
      config: 'charset=utf8mb4&parseTime=True&loc=Local'
      db-name: ''
      username: 'root'
      password: ''
      max-idle-conns: 0
      max-open-conns: 0
      log-mode: false
      log-zap: ""

Click Basic Configuration to add a trigger in the menu on the right

Click + after Basic Configuration to add a stage called Deploy configMap (if you need this stage)

The ConfigMap's annotations (metadata.annotations) must specify

strategy.spinnaker.io/versioned: "false"

Otherwise a random string is appended to the name during deployment and your service will not find the ConfigMap

Create a new stage after the configMap stage and add the Service configuration. It is configured the same way as the configMap stage, only with a different file selected

Deploy your service last

Your image address should be picked up automatically

Go back and try it out; you can see the corresponding service deployed in Lens

If an error occurs, find the pod under Pods in Lens and select Logs from the three dots on the right

If the deployment fails, delete the deployment under Lens – Deployments and cancel the running deployment in Coding

The service should be deployed at this point. Go and see if you can connect

Here, if the image tag in the Deployment is latest, you need to add imagePullPolicy: Always so that the pod pulls the image again when the Deployment is updated
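As an added check, not part of the original article: a small Python lint over the Service / Deployment / ConfigMap trio above. It flags the two pitfalls just described (a ConfigMap that Spinnaker would rename for lack of strategy.spinnaker.io/versioned: "false", and a :latest image without imagePullPolicy: Always) plus a Service selector that matches no Deployment's pod labels. The embedded manifests are constructed dicts mirroring the YAML above, with the xxx placeholders kept.

```python
def image_tag(image):
    """Tag of an image reference; an untagged image is implicitly 'latest'."""
    last = image.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else "latest"

def lint_manifests(manifests):
    """Return a list of findings for a Service/Deployment/ConfigMap set; empty means OK."""
    findings, by_kind, pod_labels = [], {}, {}
    for m in manifests:
        by_kind.setdefault(m["kind"], {})[m["metadata"]["name"]] = m
    configmaps = by_kind.get("ConfigMap", {})
    for name, dep in by_kind.get("Deployment", {}).items():
        pod = dep["spec"]["template"]
        pod_labels[name] = pod["metadata"].get("labels", {})
        # ConfigMap volumes must resolve, and the ConfigMap must opt out of Spinnaker
        # versioning, otherwise it is deployed under a name with a random suffix.
        for vol in pod["spec"].get("volumes", []):
            cm_name = vol.get("configMap", {}).get("name")
            if not cm_name:
                continue
            cm = configmaps.get(cm_name)
            if cm is None:
                findings.append(f"{name}: volume {vol['name']} references missing ConfigMap {cm_name}")
            elif cm["metadata"].get("annotations", {}).get("strategy.spinnaker.io/versioned") != "false":
                findings.append(f'{cm_name}: needs strategy.spinnaker.io/versioned: "false"')
        # A :latest image is only re-pulled on rollout when imagePullPolicy is Always.
        for c in pod["spec"]["containers"]:
            if image_tag(c["image"]) == "latest" and c.get("imagePullPolicy") != "Always":
                findings.append(f"{name}/{c['name']}: :latest image needs imagePullPolicy: Always")
    # A Service whose selector matches no pod template routes traffic nowhere.
    for name, svc in by_kind.get("Service", {}).items():
        sel = svc["spec"].get("selector", {})
        if not any(all(lbl.get(k) == v for k, v in sel.items()) for lbl in pod_labels.values()):
            findings.append(f"Service {name}: selector {sel} matches no Deployment's pod labels")
    return findings

# Constructed manifests: the article's examples reduced to the fields the checks use.
LABELS = {"app": "backend", "version": "backend1"}
VERSIONED_OFF = {"strategy.spinnaker.io/versioned": "false"}
MANIFESTS = [
    {"kind": "Service", "metadata": {"name": "backend"},
     "spec": {"type": "NodePort", "selector": dict(LABELS)}},
    {"kind": "ConfigMap", "metadata": {"name": "backendconfig", "annotations": VERSIONED_OFF}},
    {"kind": "Deployment", "metadata": {"name": "backend", "annotations": VERSIONED_OFF},
     "spec": {"template": {"metadata": {"labels": dict(LABELS)}, "spec": {
         "containers": [{"name": "xxx-backend", "image": "xxx-backend:latest",
                         "imagePullPolicy": "Always"}],
         "volumes": [{"name": "backendconfig", "configMap": {"name": "backendconfig"}}]}}}},
]
```

Running lint_manifests(MANIFESTS) on the manifests as written above returns an empty list; drop the versioned annotation from the ConfigMap or the pull policy from the container and the corresponding finding appears.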

Traefik ingress

Let’s set up Traefik

doc.traefik.io/traefik/ref…

Throw these three files into Lens and create them

doc.traefik.io/traefik/use…

Then follow this article to deploy the Service and Deployment

Deploy the dashboard

Note that xxx.xxx.com is your domain name

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefikingress
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`xxx.xxx.com`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService

Once deployed, you should be able to access the Traefik Dashboard

Auth 2.0

Since Traefik’s built-in middleware provides authentication, first put access control on the Traefik Dashboard

Once Lens is connected to the machine, there is a + at the bottom. Select Create Resource

In the upper left corner, choose Select template – Secret

Change the name to web-secret (the secret name the Middleware below references)

Username specifies the username you want to use

Password is your password; Traefik expects it hashed in htpasswd format (MD5, SHA1 or bcrypt), not in plain text

Then add this

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: web-auth
spec:
  basicAuth:
    secret: web-secret

Try accessing the Traefik Dashboard again and you’ll be prompted for a username and password

Deleting unnecessary configuration

Traefik’s resources are at the bottom left of Lens under Custom Resources – traefik.containo.us. Delete all resources under IngressRouteTCP, IngressRouteUDP, TraefikService, ServersTransport and TLSOption

Certificate

For Traefik’s own ACME support, refer to the following articles. I failed to deploy it, ending at "No ACME certificate generation required for Domains"; you can try it yourself

zhuanlan.zhihu.com/p/431491328

www.qikqiak.com/post/traefi…

Here a DV certificate is used directly; a way to get an automatically renewed certificate is covered later.

Put your certificate on the server and execute the following command

kubectl create secret tls xxx-tls --cert=xxx.cn_bundle.crt --key=xxx.cn.key

Next, configure the routers

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefikingress-web
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`xxx.cn`)
      middlewares:
        - name: redirect-https-middleware
      services:
        - kind: TraefikService
          name: api@internal
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefikingress-tls
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`xxx.cn`)
      middlewares:
        - name: web-auth
      services:
        - kind: TraefikService
          name: api@internal
  tls:
    secretName: xxx-tls # The TLS secret created with kubectl above

HTTP access should now redirect to HTTPS. Note that redirect-https-middleware is referenced above but not defined on this page; it must exist as a Middleware of type redirectScheme

Automatic certificates

If you still want automatic certificates, they can be achieved by a roundabout route

Let’s Encrypt issues a very nice wildcard certificate, *.xxx.com

But it is only valid for three months, so it has to be renewed automatically

Install Helm

helm.sh/useful/docs/int…

curl https://baltocdn.com/helm/signing.asc | sudo apt-key add -
sudo apt-get install apt-transport-https --yes
echo "deb https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
sudo apt-get update
sudo apt-get install helm

Install cert-manager

cert-manager.io/next-docs/i…

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.7.2/cert-manager.yaml

It is recommended to download this file and copy it to the server to apply, as the server may take a long time to reach GitHub

If you are prompted with

Kubernetes cluster unreachable: Get "http://localhost:8080/version?timeout=32s": dial tcp 127.0.0.1:8080: connect: connection refused

run this before applying cert-manager.yaml above

export KUBECONFIG=/etc/rancher/k3s/k3s.yaml

Then find the tutorial for your DNS provider. I am using DNSPod here

imroc.cc/k8s/was catnip/c…

Create a new file dnspod-webhook-values.yaml

clusterIssuer:
  namespace: default
  enabled: true
  name: dnspod # Name of the ClusterIssuer created automatically
  ttl: 600
  staging: false
  secretId: "xxx" # Replace with your SecretId
  secretKey: "xxx" # Replace with your SecretKey
  email: xxx@xxx.com # Receives certificate expiry alerts. If cert-manager and the webhook work properly the certificate is renewed automatically and never expires

Note that namespace: default is added here

helm repo add roc https://charts.imroc.cc

helm upgrade --install -f dnspod-webhook-values.yaml cert-manager-webhook-dnspod roc/cert-manager-webhook-dnspod -n cert-manager

Next, issue the certificate with certificate.yaml

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-crt
  namespace: istio-system # Must be the namespace of the IngressRoute that will use the Secret
spec:
  secretName: example-crt-secret # Secret the issued certificate is written to; reference it from tls.secretName
  issuerRef:
    name: dnspod # The ClusterIssuer created above
    kind: ClusterIssuer
    group: cert-manager.io
  dnsNames: # Domain names to issue for. Wildcards are supported; the domain must be managed in DNSPod
    - "example.com"
    - "*.example.com"

Then check the issuance status; issuance generally takes about 3 minutes

kubectl get certificates.cert-manager.io

If that fails, view the details

kubectl describe certificates.cert-manager.io example-crt

If the output shows

Issuing certificate as Secret does not exist

wait a little longer

On failure, see

cert-manager.io/docs/faq/tr…

A successful issuance looks like this

NAME            READY   SECRET                 AGE
xxx-cn-crt   True    xxx-cn-crt-secret   3m40s

To use it, go to Custom Resources – traefik.containo.us – IngressRoute on the left side of Lens and change the tls settings to the following

tls:
  secretName: xxx-tle # The secretName from certificate.yaml

Then access the site again; it should now have a certificate

Attached: MySQL standalone/master-slave and Redis standalone deployment files

fland.coding.net/public/mysq…