├── .gitignore ├── .travis.yml ├── LICENSE ├── README.md ├── docs ├── dashboard.md ├── ingress-nginx.md ├── ingress-traefik.md ├── join-k8s.md ├── kubeadm-k8s.md └── test-ingress.md ├── image.list ├── install ├── dashboard │ ├── dashboard-http.yaml │ ├── dashboard-https.yaml │ ├── k8s-ui-key.pem │ └── k8s-ui.pem ├── heapster │ ├── grafana.yaml │ ├── heapster-rbac.yaml │ ├── heapster.yaml │ └── influxdb.yaml ├── ingress-nginx │ └── ingress-nginx-controller.yaml ├── ingress-traefik │ ├── ingress-traefik-controller.yaml │ ├── traefik-ui-key.pem │ ├── traefik-ui.pem │ └── traefik.toml └── k8s-images.sh └── mirror /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.suo 8 | *.user 9 | *.userosscache 10 | *.sln.docstates 11 | 12 | # User-specific files (MonoDevelop/Xamarin Studio) 13 | *.userprefs 14 | 15 | # Build results 16 | [Dd]ebug/ 17 | [Dd]ebugPublic/ 18 | [Rr]elease/ 19 | [Rr]eleases/ 20 | x64/ 21 | x86/ 22 | bld/ 23 | [Bb]in/ 24 | [Oo]bj/ 25 | [Ll]og/ 26 | 27 | # Visual Studio 2015 cache/options directory 28 | .vs/ 29 | # Uncomment if you have tasks that create the project's static files in wwwroot 30 | #wwwroot/ 31 | 32 | # MSTest test Results 33 | [Tt]est[Rr]esult*/ 34 | [Bb]uild[Ll]og.* 35 | 36 | # NUNIT 37 | *.VisualState.xml 38 | TestResult.xml 39 | 40 | # Build Results of an ATL Project 41 | [Dd]ebugPS/ 42 | [Rr]eleasePS/ 43 | dlldata.c 44 | 45 | # .NET Core 46 | project.lock.json 47 | project.fragment.lock.json 48 | artifacts/ 49 | **/Properties/launchSettings.json 50 | 51 | *_i.c 52 | *_p.c 53 | *_i.h 54 | *.ilk 55 | *.meta 56 | *.obj 57 | *.pch 58 | *.pdb 59 | *.pgc 60 | *.pgd 61 | *.rsp 62 | *.sbr 63 | *.tlb 64 | *.tli 65 | *.tlh 66 | *.tmp 67 | *.tmp_proj 68 
| *.log 69 | *.vspscc 70 | *.vssscc 71 | .builds 72 | *.pidb 73 | *.svclog 74 | *.scc 75 | 76 | # Chutzpah Test files 77 | _Chutzpah* 78 | 79 | # Visual C++ cache files 80 | ipch/ 81 | *.aps 82 | *.ncb 83 | *.opendb 84 | *.opensdf 85 | *.sdf 86 | *.cachefile 87 | *.VC.db 88 | *.VC.VC.opendb 89 | 90 | # Visual Studio profiler 91 | *.psess 92 | *.vsp 93 | *.vspx 94 | *.sap 95 | 96 | # TFS 2012 Local Workspace 97 | $tf/ 98 | 99 | # Guidance Automation Toolkit 100 | *.gpState 101 | 102 | # ReSharper is a .NET coding add-in 103 | _ReSharper*/ 104 | *.[Rr]e[Ss]harper 105 | *.DotSettings.user 106 | 107 | # JustCode is a .NET coding add-in 108 | .JustCode 109 | 110 | # TeamCity is a build add-in 111 | _TeamCity* 112 | 113 | # DotCover is a Code Coverage Tool 114 | *.dotCover 115 | 116 | # Visual Studio code coverage results 117 | *.coverage 118 | *.coveragexml 119 | 120 | # NCrunch 121 | _NCrunch_* 122 | .*crunch*.local.xml 123 | nCrunchTemp_* 124 | 125 | # MightyMoose 126 | *.mm.* 127 | AutoTest.Net/ 128 | 129 | # Web workbench (sass) 130 | .sass-cache/ 131 | 132 | # Installshield output folder 133 | [Ee]xpress/ 134 | 135 | # DocProject is a documentation generator add-in 136 | DocProject/buildhelp/ 137 | DocProject/Help/*.HxT 138 | DocProject/Help/*.HxC 139 | DocProject/Help/*.hhc 140 | DocProject/Help/*.hhk 141 | DocProject/Help/*.hhp 142 | DocProject/Help/Html2 143 | DocProject/Help/html 144 | 145 | # Click-Once directory 146 | publish/ 147 | 148 | # Publish Web Output 149 | *.[Pp]ublish.xml 150 | *.azurePubxml 151 | # TODO: Comment the next line if you want to checkin your web deploy settings 152 | # but database connection strings (with potential passwords) will be unencrypted 153 | *.pubxml 154 | *.publishproj 155 | 156 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 157 | # checkin your Azure Web App publish settings, but sensitive information contained 158 | # in these scripts will be unencrypted 159 | PublishScripts/ 160 | 161 | # NuGet Packages 162 | *.nupkg 163 | # The packages folder can be ignored because of Package Restore 164 | **/packages/* 165 | # except build/, which is used as an MSBuild target. 166 | !**/packages/build/ 167 | # Uncomment if necessary however generally it will be regenerated when needed 168 | #!**/packages/repositories.config 169 | # NuGet v3's project.json files produces more ignorable files 170 | *.nuget.props 171 | *.nuget.targets 172 | 173 | # Microsoft Azure Build Output 174 | csx/ 175 | *.build.csdef 176 | 177 | # Microsoft Azure Emulator 178 | ecf/ 179 | rcf/ 180 | 181 | # Windows Store app package directories and files 182 | AppPackages/ 183 | BundleArtifacts/ 184 | Package.StoreAssociation.xml 185 | _pkginfo.txt 186 | 187 | # Visual Studio cache files 188 | # files ending in .cache can be ignored 189 | *.[Cc]ache 190 | # but keep track of directories ending in .cache 191 | !*.[Cc]ache/ 192 | 193 | # Others 194 | ClientBin/ 195 | ~$* 196 | *~ 197 | *.dbmdl 198 | *.dbproj.schemaview 199 | *.jfm 200 | *.pfx 201 | *.publishsettings 202 | orleans.codegen.cs 203 | 204 | # Since there are multiple workflows, uncomment next line to ignore bower_components 205 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 206 | #bower_components/ 207 | 208 | # RIA/Silverlight projects 209 | Generated_Code/ 210 | 211 | # Backup & report files from converting an old project file 212 | # to a newer Visual Studio version. 
Backup files are not needed, 213 | # because we have git ;-) 214 | _UpgradeReport_Files/ 215 | Backup*/ 216 | UpgradeLog*.XML 217 | UpgradeLog*.htm 218 | 219 | # SQL Server files 220 | *.mdf 221 | *.ldf 222 | *.ndf 223 | 224 | # Business Intelligence projects 225 | *.rdl.data 226 | *.bim.layout 227 | *.bim_*.settings 228 | 229 | # Microsoft Fakes 230 | FakesAssemblies/ 231 | 232 | # GhostDoc plugin setting file 233 | *.GhostDoc.xml 234 | 235 | # Node.js Tools for Visual Studio 236 | .ntvs_analysis.dat 237 | node_modules/ 238 | 239 | # Typescript v1 declaration files 240 | typings/ 241 | 242 | # Visual Studio 6 build log 243 | *.plg 244 | 245 | # Visual Studio 6 workspace options file 246 | *.opt 247 | 248 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 249 | *.vbw 250 | 251 | # Visual Studio LightSwitch build output 252 | **/*.HTMLClient/GeneratedArtifacts 253 | **/*.DesktopClient/GeneratedArtifacts 254 | **/*.DesktopClient/ModelManifest.xml 255 | **/*.Server/GeneratedArtifacts 256 | **/*.Server/ModelManifest.xml 257 | _Pvt_Extensions 258 | 259 | # Paket dependency manager 260 | .paket/paket.exe 261 | paket-files/ 262 | 263 | # FAKE - F# Make 264 | .fake/ 265 | 266 | # JetBrains Rider 267 | .idea/ 268 | *.sln.iml 269 | 270 | # CodeRush 271 | .cr/ 272 | 273 | # Python Tools for Visual Studio (PTVS) 274 | __pycache__/ 275 | *.pyc 276 | 277 | # Cake - Uncomment if you are using it 278 | # tools/** 279 | # !tools/packages.config 280 | 281 | # Telerik's JustMock configuration file 282 | *.jmconfig 283 | 284 | # BizTalk build output 285 | *.btp.cs 286 | *.btm.cs 287 | *.odx.cs 288 | *.xsd.cs 289 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | services: 2 | - docker 3 | script: 4 | - chmod +x ./mirror && ./mirror 5 | branches: 6 | only: 7 | - master 
-------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 RainingNight 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # google-containers 2 | Google Containers Mirror 3 | 4 | [![Build Status](https://travis-ci.org/RainingNight/google-containers.svg?branch=master)](https://travis-ci.org/RainingNight/google-containers) 5 | 6 | ## k8s安装教程及学习笔记 7 | 8 | 对于国内开发来说安装k8s环境是一场噩梦,本教程的目的是让国内开发者能够用最短的时间成功部署k8s。 9 | 10 | 由于k8s包涵的内容繁多,希望有更多的开发者来一起研究与完善k8s安装及使用教程。 11 | 12 | ### 1. [使用安装kubeadm安装k8s](docs/kubeadm-k8s.md) 13 | ### 2. [部署k8s节点](docs/join-k8s.md) 14 | ### 3. 
[安装ingress-traefik](docs/ingress-traefik.md) 15 | ### 4. [安装ingress-nginx](docs/ingress-nginx.md) 16 | ### 5. [Dashboard UI](docs/dashboard.md) 17 | ### 6. [安装heapster](docs/dashboard.md) 18 | ## Doc 19 | 20 | * [使用kubeadm初始化Kubernetes(1.10.2)集群教程(国内环境)](http://www.cnblogs.com/RainingNight/p/using-kubeadm-to-create-a-cluster.html) -------------------------------------------------------------------------------- /docs/dashboard.md: -------------------------------------------------------------------------------- 1 | ## 安装Dashboard UI 2 | 3 | 本文的安装方式是使用ingress来暴露Dashboard UI服务,官网提供了4种访问方式,其中ingress最为合适,因为这种方式也是暴露应用的首选方式。 4 | 5 | ### http方式安装dashboard 6 | 7 | [下载dashboard-http.yaml](../install/dashboard/dashboard-http.yaml) 8 | 9 | **安装** 10 | 11 | 该配置文件已经加入了ingress配置,只要下载部署即可。 12 | 13 | ```shell 14 | kubectl apply -f dashboard-http.yaml 15 | ``` 16 | 17 | ### https方式安装dashboard (经测试该部署只能本机访问,远程访问提示证书问题) 18 | 19 | http方式安装dashboard并不是官方推荐的方式,而官方推荐使用https安装dashboard,然而使用https方式安装需要使用证书文件才行,这里使用自签名证书进行安装。注意:仓库中提供的`k8s-ui-key.pem`私钥是公开的,任何人都可以获取,仅适合本地测试;在真实环境中请自行生成证书和私钥。 20 | 21 | 如果使用ingress-traefik或者ingress-nginx其实不需要dashboard ui服务启动https端口也可以开启https访问,具体情况还需要详细研究。 22 | 23 | [`dashboard-https.yaml`](../install/dashboard/dashboard-https.yaml) k8s的配置文件 24 | 25 | [`k8s-ui.pem`](../install/dashboard/k8s-ui.pem) 证书文件 26 | 27 | [`k8s-ui-key.pem`](../install/dashboard/k8s-ui-key.pem) 证书秘钥 28 | 29 | ```shell 30 | # 生成kubernetes-dashboard-certs 31 | kubectl create secret generic kubernetes-dashboard-certs --from-file=k8s-ui-key.pem --from-file=k8s-ui.pem -n kube-system 32 | 33 | # 生成k8s-ui 34 | kubectl create secret tls k8s-ui --cert=k8s-ui.pem --key=k8s-ui-key.pem -n kube-system 35 | ``` 36 | 37 | ```shell 38 | kubectl apply -f dashboard-https.yaml 39 | ``` 40 | 41 | ## 安装heapster 42 | 43 | heapster用于实时监控集群的运行状态。 44 | 45 | [`grafana.yaml`](../install/heapster/grafana.yaml) 46 | [`heapster.yaml`](../install/heapster/heapster.yaml) 47 | [`heapster-rbac.yaml`](../install/heapster/heapster-rbac.yaml) 48 |
[`influxdb.yaml`](../install/heapster/influxdb.yaml) 49 | 50 | ```shell 51 | # 下载4个安装文件到任意目录中(我这里下载到heapster目录中),并对目录执行apply命令即可 52 | kubectl apply -f heapster/ 53 | ``` -------------------------------------------------------------------------------- /docs/ingress-nginx.md: -------------------------------------------------------------------------------- 1 | ## ingress-nginx安装 2 | 3 | 这里假设你已经了解了ingress-nginx,如果你还没了解请询问搜索引擎。这篇文章只能让你快速的部署他们。 4 | 5 | ### 安装之前 6 | 7 | 安装之前需要确保你的集群正常运行或主节点再运行: 8 | * 如果集群正常运行:你可以开始安装了。 9 | * 如果只有master节点在运行: 10 | 则在主节点执行`kubectl taint nodes --all node-role.kubernetes.io/master-`命令,目的是master节点同时变成worker节点 11 | * 如果不满足上述情况,请您参考之前的文档重新部署。 12 | 13 | ### 安装ingress-nginx 14 | 15 | 所有的安装配置安装以及需要镜像我们都已经准备好了,只要你按照文档的步骤执行应该可以顺利的完成。 16 | 17 | [下载ingress-nginx配置文件](../install/ingress-nginx/ingress-nginx-controller.yaml),使用如下命令部署nginx-controller,命令执行后需要等一段时间(由你的网速决定),因为这需要去联网下载docker镜像。 18 | 19 | ```shell 20 | kubectl apply -f ingress-nginx-controller.yaml 21 | ``` 22 | 23 | 如果你的网速实在太慢,请自行下载离线安装 24 | 25 | ```shell 26 | docker pull quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.15.0 27 | docker pull reg.qiniu.com/k8s/defaultbackend-amd64:1.4 28 | ``` 29 | 30 | **查看部署状态:**`kubectl get pods -n ingress-nginx -o wide --watch` 31 | 32 | NAMESPACE NAME READY STATUS RESTARTS IP 33 | ingress-nginx default-http-backend-6f26b 1/1 Running 0 192.168.168.154 34 | ingress-nginx nginx-ingress-controller-58b48898c-gdkgk 1/1 Running 0 194.168.1.15 35 | 36 | 当状态变为`Running`时便是部署成功了,这里你会看到两个ip: 37 | 其中192.168.168.154是docker所在网络的ip,宿主机可以访问。 38 | 其中194.168.1.15是宿主机的ip,至于为什么这里显示的是宿主机的ip而不是docker容器的ip,这里不必深究,学习k8s还有很长的路要走。 39 | 40 | ### 测试ingress-nginx是否安装成功 41 | 42 | [测试教程](./test-ingress.md) -------------------------------------------------------------------------------- /docs/ingress-traefik.md: -------------------------------------------------------------------------------- 1 | ## ingress-traefik安装 2 | 3 | 
这里假设你已经了解了ingress-traefik分别是什么,如果你还没了解请询问搜索引擎。这篇文章只能让你快速的部署他们。 4 | 5 | ### 安装之前 6 | 7 | 安装之前需要确保你的集群正常运行或主节点在运行: 8 | * 如果集群正常运行:你可以开始安装了。 9 | * 如果只有master节点在运行: 10 | 则在主节点执行`kubectl taint nodes --all node-role.kubernetes.io/master-`命令,目的是master节点同时变成worker节点 11 | * 如果不满足上述情况,请您参考之前的文档重新部署。 12 | 13 | ### ingress-Traefik安装 14 | 15 | 所有的安装配置安装以及需要镜像我们都已经准备好了,只要你按照文档的步骤执行应该可以顺利的完成。 16 | 17 | **首先,生成Secret** 18 | 19 | 生成Secret需要使用证书文件,所需的证书文件已经生成好了,你只需要下载即可使用,该证书绑定的域名是:`traefik-ui.local`。注意:该私钥随仓库公开,任何人都可以获取,仅适合本地测试;真实环境请为自己的域名重新生成证书和私钥。 20 | 21 | 证书:[traefik-ui.pem](../install/ingress-traefik/traefik-ui.pem) 22 | 秘钥:[traefik-ui-key.pem](../install/ingress-traefik/traefik-ui-key.pem) 23 | 24 | 下面需要生成两个Secret,一个用于traefik绑定到https,一个用于traefik绑定到ingress上。 25 | 26 | ```shell 27 | # 生成traefik-cert 28 | kubectl create secret generic traefik-cert --from-file=traefik-ui-key.pem --from-file=traefik-ui.pem -n kube-system 29 | # 生成traefik-ui-cert 30 | kubectl create secret tls traefik-ui-cert --cert=/root/certs/traefik-ui/traefik-ui.pem --key=/root/certs/traefik-ui/traefik-ui-key.pem -n kube-system 31 | ``` 32 | 33 | **然后,创建一个ConfigMap** 34 | 35 | 这个配置文件用来将http跳转到https,[下载traefik.toml配置文件](../install/ingress-traefik/traefik.toml),并执行创建命令:`kubectl create configmap traefik-conf --from-file=traefik.toml`,此时便可在`default`命名空间下创建`traefik-conf`配置,执行`kubectl get configmap | grep traefik-conf`命令查看结果。 36 | 37 | **最后,安装ingress-traefik** 38 | 39 | 40 | [下载ingress-traefik配置文件](../install/ingress-traefik/ingress-traefik-controller.yaml),使用如下命令部署traefik-controller,命令执行后需要等一段时间(由你的网速决定),因为这需要去联网下载docker镜像。 41 | 42 | ```shell 43 | kubectl apply -f ingress-traefik-controller.yaml 44 | ``` 45 | 46 | 如果你的网速实在太慢,请自行下载离线安装 47 | 48 | ```shell 49 | docker pull traefik:latest 50 | ``` 51 | 52 | **查看部署状态:**`kubectl get pods -n kube-system -o wide --watch|grep traefik-ingress` 53 | 54 | NAMESPACE NAME READY STATUS RESTARTS IP 55 | kube-system traefik-ingress-controller-7994d698d8-v7cr5 1/1 Running 0 192.168.169.182 56 | 57 |
当状态变为`Running`时便是部署成功了,这里你只会看到一个ip(这也是与ingress-nginx不同的地方): 58 | 其中192.168.169.182是docker所在网络的ip,宿主机可以访问。 59 | 60 | ### 测试ingress-traefik是否安装成功 61 | 62 | 因为traefik自带了服务界面,所以我们可以通过访问该服务界面来确认traefik是否安装成功。 63 | 64 | **配置hosts** 65 | 66 | k8s宿主机ip:194.168.1.15 67 | 68 | 测试机ip:194.168.1.5 69 | 70 | 修改测试机hosts文件,添加如下行(hosts文件的格式是IP在前、域名在后):`194.168.1.15 traefik-ui.local` 71 | 72 | 最后,打开浏览器访问:`http://traefik-ui.local`后会自动跳转到`https://traefik-ui.local`,至此你就能看到traefik的ui界面了。 73 | 74 | ### 接下来部署一个nginx,做更多的测试 75 | 76 | [测试教程](./test-ingress.md) 77 | -------------------------------------------------------------------------------- /docs/join-k8s.md: -------------------------------------------------------------------------------- 1 | ## 加入k8s集群 2 | 3 | 在[使用kubeadm安装k8s](./kubeadm-k8s.md)中介绍了如何安装k8s主节点,这篇文章我们来介绍如何加入k8s集群。 4 | 5 | #### 环境要求 6 | 7 | 同上一篇的环境要求 8 | 9 | #### 首先,从我们的镜像服务器获取docker镜像 10 | 11 | [获取镜像shell脚本](../install/k8s-images.sh) 12 | 13 | #### 然后,获取加入k8s集群的授权码 14 | 15 | 在上篇文章中,当执行`kubeadm init`命令成功后,会打印加入k8s集群需要的命令,如下: 16 | 17 | ```sh 18 | kubeadm join 194.168.1.15:6443 --token ninsl0.hgnutou2p9f9u8d4 --discovery-token-ca-cert-hash sha256:ba73076c46a143260ba876d09174f558deb1941794621591cbc104d63c50adaa 19 | ``` 20 | 21 | 将这条命令复制到子节点,执行,以便加入k8s集群(如果发现docker版本错误的提示,可以忽略,或者去官网查找如何忽略版本检查)。命令中的token和CA证书哈希要使用你自己集群`kubeadm init`输出的值,不要照抄上面的示例;token相当于加入集群的凭证,请勿公开,它默认24小时后过期,过期后可在master节点执行`kubeadm token create --print-join-command`重新生成。 22 | 23 | #### 执行命令后,等待节点启动 24 | 25 | 在master节点上执行`kubectl get nodes`查看各节点的status,直到所有的状态均为Ready。 26 | 27 | #### 在子节点上执行kubectl命令 28 | 29 | 默认情况下,子节点执行kubectl命令几乎是不可用的,为了使kubectl命令正常,需要将master节点上的/etc/kubernetes/admin.conf文件复制到本地。注意:admin.conf包含集群管理员凭证,复制到子节点后请限制该文件的访问权限,不再需要时及时删除。命令如下: 30 | 31 | ```shell 32 | # 复制文件命令 33 | scp user@master-ip:/etc/kubernetes/admin.conf .
34 | 35 | # vi .profile编辑该文件,加入环境变量 36 | export KUBECONFIG=/root/admin.conf 37 | # 使配置生效 38 | source .profile 39 | ``` 40 | 41 | 此时就可以在该节点执行kubectl命令,执行`kubectl get nodes`命令查看效果。 -------------------------------------------------------------------------------- /docs/kubeadm-k8s.md: -------------------------------------------------------------------------------- 1 | ## 使用Kubeadm部署k8s 2 | 3 | 本文参考[官网教程](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/),安装过程一波三折,几次想放弃,但又不甘心,一边翻着源码一边看着教程,最终才有了下面的内容。 4 | 5 | ### 环境要求 6 | 7 | #### 1. Ubuntu 16.04 2核4G 8 | 9 | 注意这里最好是2核,部署安装时发现单核导致ingress-nginx部分pod无法启动 10 | 11 | 安装开始之前请确保使用的root账户,非root账户请自行添加sudo 12 | 13 | #### 2. 安装docker 14 | 15 | 我这里使用的是18.03.1 16 | 17 | #### 3. 安装Kubeadm, kubelet,kubectl 18 | ```bash 19 | apt-get update && apt-get install -y apt-transport-https 20 | curl https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | apt-key add - 21 | cat <<EOF >/etc/apt/sources.list.d/kubernetes.list 22 | deb https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main 23 | EOF 24 | apt-get update 25 | apt-get install -y kubelet kubeadm kubectl 26 | ``` 27 | 28 | #### 4. 永久禁用交换分区 29 | 30 | `打开/etc/fstab文件并找到包含swap文本行在开头注释,类似如下:` 31 | 32 | ```bash 33 | /dev/mapper/ubuntu--vg-root / ext4 errors=remount-ro 0 1 34 | UUID=d11aa7b5-457b-4bc1-80fd-c5e33f63ac04 /boot ext2 defaults 0 2 35 | ## 注释以下两行 36 | #/dev/mapper/ubuntu--vg-swap_1 none swap sw 0 0 37 | #/dev/mapper/cryptswap1 none swap sw 0 0 38 | ``` 39 | 40 | #### 5. 禁用防火墙 41 | 42 | 禁用防火墙并不是安全的做法,如果在真实的环境中请查看k8s文档开放指定的端口。 43 | 我这里简单粗暴直接禁用防火墙: 44 | ufw disable 45 | 46 | #### 6. 配置cgroup驱动类型 47 | 48 | `docker中有两种cgroup驱动类型:cgroupfs,systemd` 49 | 50 | 1. 查看docker使用的驱动类型:`docker info|grep -i cgroup` 51 | 2.
修改/etc/systemd/system/kubelet.service.d/10-kubeadm.conf 配置文件中的cgroup类型与上一步执行结果对应 52 | //假如该文件中有如下这一行 53 | Environment="KUBELET_CGROUP_ARGS=--cgroup-driver=systemd" 54 | //如果没有上面这行,需要添加,并修改cgroup-driver为docker使用的类型,我的安装环境正确的配置如下: 55 | Environment="KUBELET_CGROUP_ARGS=--cgroup-driver=cgroupfs" 56 | 3. 使上一步配置生效 57 | systemctl daemon-reload 58 | systemctl restart kubelet 59 | 60 | ### 部署k8s 61 | 62 | 执行kubeadm init命令之前需要提前准备一些docker镜像,因为这些镜像位于google服务器上,我们没有用办法正常获取,所以这里我们从自己的镜像服务器下载。 63 | 64 | 我这里写了一个简单的脚本文件,便于你获取所需的docker镜像。 65 | 66 | [下载镜像shell脚本](../install/k8s-images.sh) 67 | 68 | ```bash 69 | # --kubernetes-version=v1.10.2 指定我们要安装的k8s版本 70 | # --feature-gates=CoreDNS=true 使用CoreDNS来做主机名到IP的对应关系 71 | # --pod-network-cidr=192.168.0.0/16 这里使用的网络类型为Calico 72 | kubeadm init --kubernetes-version=v1.10.2 --feature-gates=CoreDNS=true --pod-network-cidr=192.168.0.0/16 73 | ``` 74 | 75 | `如果部署成功你会看到如下显示:` 76 | 77 | ``` 78 | ...... 79 | Your Kubernetes master has initialized successfully! 80 | 81 | To start using your cluster, you need to run the following as a regular user: 82 | 83 | mkdir -p $HOME/.kube 84 | sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config 85 | sudo chown $(id -u):$(id -g) $HOME/.kube/config 86 | 87 | You should now deploy a pod network to the cluster. 
88 | Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at: 89 | https://kubernetes.io/docs/concepts/cluster-administration/addons/ 90 | 91 | You can now join any number of machines by running the following on each node 92 | as root: 93 | 94 | kubeadm join 194.168.1.15:6443 --token ninsl0.hgnutou2p9f9u8d4 --discovery-token-ca-cert-hash sha256:ba73076c46a143260ba876d09174f558deb1941794621591cbc104d63c50adaa 95 | ``` 96 | 97 | `接下来在.profile文件中加入环境变量,使kubectl命令生效:` 98 | 99 | ```sh 100 | //vi .profile 101 | export KUBECONFIG=/etc/kubernetes/admin.conf 102 | //使配置生效 103 | source .profile 104 | ``` 105 | 106 | `此时执行kubectl get nodes可以看到返回结果中master处于NotReady状态` 107 | 108 | ``` 109 | NAME STATUS ROLES AGE VERSION 110 | k8s-node NotReady master 26m v1.10.2 111 | ``` 112 | 113 | ### 部署Calico网络插件 114 | 115 | ```sh 116 | kubectl apply -f https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml 117 | ``` 118 | 119 | `稍等片刻后查看master节点的状态:kubectl get nodes` 120 | ``` 121 | NAME STATUS ROLES AGE VERSION 122 | k8s-node2 Ready master 40m v1.10.2 123 | ``` -------------------------------------------------------------------------------- /docs/test-ingress.md: -------------------------------------------------------------------------------- 1 | ### 测试ingress-nginx/ingress-traefik服务是否正常运行 2 | 3 | 测试ingress-controller服务是否正常运行的办法有很多,这里部署一个真实的应用来确认该服务是可以正常运行的。 4 | 5 | **首先,部署一个应用** 6 | 7 | 创建`test-nginx.yaml`文件并输入以下内容,然后执行`kubectl apply -f test-nginx.yaml` 8 | 9 | ```yaml 10 | apiVersion: v1 11 | kind: Namespace 12 | metadata: 13 | name: test 14 | --- 15 | apiVersion: v1 16 | kind: ReplicationController 17 | metadata: 18 | name: test-nginx 19 | namespace: test 20 | spec: 21 | replicas: 1 22 | selector: 23 | name: nginx-lib 24 | template: 25 | metadata: 26 | labels: 27 | name: nginx-lib 28 | spec: 29 | containers: 30 | - name: nginx-lib 31 | image: nginx:1.8 32 | ports: 33 | - containerPort: 80 34 | ``` 35 | 36 | 
执行`kubectl get pods -n test -o wide --watch`命令等待nginx启动完成。 37 | 38 | **然后,创建一个Service** 39 | 40 | 创建`test-nginx-service.yaml`文件并输入以下内容,然后执行`kubectl apply -f test-nginx-service.yaml` 41 | ```yaml 42 | apiVersion: v1 43 | kind: Service 44 | metadata: 45 | name: test-nginx 46 | namespace: test 47 | spec: 48 | ports: 49 | - name: web 50 | port: 80 51 | selector: 52 | name: nginx-lib 53 | ``` 54 | 执行`kubectl get svc -n test`命令查看Service是否创建成功。 55 | 56 | **最后,创建一个Ingress** 57 | 58 | 创建`test-nginx-ingress.yaml`文件并输入以下内容,然后执行`kubectl apply -f test-nginx-ingress.yaml` 59 | 60 | ```yaml 61 | apiVersion: extensions/v1beta1 62 | kind: Ingress 63 | metadata: 64 | name: test-nginx 65 | namespace: test 66 | spec: 67 | # tls: 68 | # - secretName: test-nginx 69 | rules: 70 | - host: test-nginx.local 71 | http: 72 | paths: 73 | - path: / 74 | backend: 75 | serviceName: test-nginx 76 | servicePort: 80 77 | ``` 78 | 执行`kubectl get ing -n test`命令查看Ingress是否创建成功。 79 | 80 | **至此,我们已经部署了一个nginx应用,接下来验证应用有效性** 81 | 82 | 环境说明: 83 | * 宿主机IP:194.168.1.15,也就是安装了k8s环境的机器 84 | * 测试有效性的主机IP:194.168.1.5,一台与宿主机同局域网的机器 85 | 86 | 修改194.168.1.5这台机器的hosts,加入以下行(hosts文件的格式是IP在前、域名在后): 87 | 88 | ```hosts 89 | 194.168.1.15 test-nginx.local 90 | ``` 91 | 92 | 打开浏览器,输入`http://test-nginx.local`,就可看见nginx的欢迎页面。 -------------------------------------------------------------------------------- /image.list: -------------------------------------------------------------------------------- 1 | k8s.gcr.io/kube-apiserver-amd64:v1.10.2 2 | k8s.gcr.io/kube-controller-manager-amd64:v1.10.2 3 | k8s.gcr.io/kube-scheduler-amd64:v1.10.2 4 | k8s.gcr.io/kube-proxy-amd64:v1.10.2 5 | k8s.gcr.io/etcd-amd64:3.2.12 6 | k8s.gcr.io/pause-amd64:3.1 7 | k8s.gcr.io/k8s-dns-sidecar-amd64:1.14.10 8 | k8s.gcr.io/k8s-dns-kube-dns-amd64:1.14.10 9 | k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64:1.14.10 10 | k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3 11 | k8s.gcr.io/kube-aggregator-amd64:v1.10.2 12 | k8s.gcr.io/cloud-controller-manager-amd64:v1.10.2 13 |
k8s.gcr.io/heapster-influxdb-amd64:v1.3.3 14 | k8s.gcr.io/heapster-grafana-amd64:v4.4.3 15 | k8s.gcr.io/heapster-amd64:v1.4.2 16 | k8s.gcr.io/defaultbackend-amd64:1.4 -------------------------------------------------------------------------------- /install/dashboard/dashboard-http.yaml: -------------------------------------------------------------------------------- 1 | # ------------------- Dashboard Service Account ------------------- # 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | k8s-app: kubernetes-dashboard 7 | name: kubernetes-dashboard 8 | namespace: kube-system 9 | --- 10 | # ------------------- Dashboard Role & Role Binding ------------------- # 11 | kind: Role 12 | apiVersion: rbac.authorization.k8s.io/v1 13 | metadata: 14 | name: kubernetes-dashboard-minimal 15 | namespace: kube-system 16 | rules: 17 | # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. 18 | - apiGroups: [""] 19 | resources: ["secrets"] 20 | verbs: ["create"] 21 | # Allow Dashboard to create 'kubernetes-dashboard-settings' config map. 22 | - apiGroups: [""] 23 | resources: ["configmaps"] 24 | verbs: ["create"] 25 | # Allow Dashboard to get, update and delete Dashboard exclusive secrets. 26 | - apiGroups: [""] 27 | resources: ["secrets"] 28 | resourceNames: ["kubernetes-dashboard-key-holder"] 29 | verbs: ["get", "update", "delete"] 30 | # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. 31 | - apiGroups: [""] 32 | resources: ["configmaps"] 33 | resourceNames: ["kubernetes-dashboard-settings"] 34 | verbs: ["get", "update"] 35 | # Allow Dashboard to get metrics from heapster. 
36 | - apiGroups: [""] 37 | resources: ["services"] 38 | resourceNames: ["heapster"] 39 | verbs: ["proxy"] 40 | - apiGroups: [""] 41 | resources: ["services/proxy"] 42 | resourceNames: ["heapster", "http:heapster:", "https:heapster:"] 43 | verbs: ["get"] 44 | --- 45 | apiVersion: rbac.authorization.k8s.io/v1 46 | kind: RoleBinding 47 | metadata: 48 | name: kubernetes-dashboard-minimal 49 | namespace: kube-system 50 | roleRef: 51 | apiGroup: rbac.authorization.k8s.io 52 | kind: Role 53 | name: kubernetes-dashboard-minimal 54 | subjects: 55 | - kind: ServiceAccount 56 | name: kubernetes-dashboard 57 | namespace: kube-system 58 | --- 59 | # ------------------- Dashboard Deployment ------------------- # 60 | kind: Deployment 61 | apiVersion: apps/v1beta2 62 | metadata: 63 | labels: 64 | k8s-app: kubernetes-dashboard 65 | name: kubernetes-dashboard 66 | namespace: kube-system 67 | spec: 68 | replicas: 1 69 | revisionHistoryLimit: 10 70 | selector: 71 | matchLabels: 72 | k8s-app: kubernetes-dashboard 73 | template: 74 | metadata: 75 | labels: 76 | k8s-app: kubernetes-dashboard 77 | spec: 78 | containers: 79 | - name: kubernetes-dashboard 80 | image: reg.qiniu.com/k8s/kubernetes-dashboard-amd64:v1.8.3 81 | ports: 82 | - containerPort: 9090 83 | protocol: TCP 84 | args: 85 | # Uncomment the following line to manually specify Kubernetes API server Host 86 | # If not specified, Dashboard will attempt to auto discover the API server and connect 87 | # to it. Uncomment only if the default does not work. 
88 | # - --apiserver-host=http://my-address:port 89 | # - --authentication-mode=basic 90 | volumeMounts: 91 | # Create on-disk volume to store exec logs 92 | - mountPath: /tmp 93 | name: tmp-volume 94 | livenessProbe: 95 | httpGet: 96 | path: / 97 | port: 9090 98 | initialDelaySeconds: 30 99 | timeoutSeconds: 30 100 | volumes: 101 | - name: tmp-volume 102 | emptyDir: {} 103 | serviceAccountName: kubernetes-dashboard 104 | # Comment the following tolerations if Dashboard must not be deployed on master 105 | tolerations: 106 | - key: node-role.kubernetes.io/master 107 | effect: NoSchedule 108 | --- 109 | # ------------------- Dashboard Service ------------------- # 110 | kind: Service 111 | apiVersion: v1 112 | metadata: 113 | labels: 114 | k8s-app: kubernetes-dashboard 115 | name: kubernetes-dashboard 116 | namespace: kube-system 117 | spec: 118 | ports: 119 | - port: 80 120 | targetPort: 9090 121 | selector: 122 | k8s-app: kubernetes-dashboard 123 | --- 124 | kind: Ingress 125 | apiVersion: extensions/v1beta1 126 | metadata: 127 | name: k8s-dashoard 128 | namespace: kube-system 129 | spec: 130 | # tls: 131 | # - secretName: k8s-ui 132 | rules: 133 | - host: k8s-ui.local 134 | http: 135 | paths: 136 | - path: / 137 | backend: 138 | serviceName: kubernetes-dashboard 139 | servicePort: 80 -------------------------------------------------------------------------------- /install/dashboard/dashboard-https.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2017 The Kubernetes Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | # Configuration to deploy release version of the Dashboard UI compatible with 16 | # Kubernetes 1.8. 17 | # 18 | # Example usage: kubectl create -f 19 | 20 | --- 21 | # ------------------- Dashboard Service Account ------------------- # 22 | 23 | apiVersion: v1 24 | kind: ServiceAccount 25 | metadata: 26 | labels: 27 | k8s-app: kubernetes-dashboard 28 | name: kubernetes-dashboard 29 | namespace: kube-system 30 | 31 | --- 32 | # ------------------- Dashboard Role & Role Binding ------------------- # 33 | 34 | kind: Role 35 | apiVersion: rbac.authorization.k8s.io/v1 36 | metadata: 37 | name: kubernetes-dashboard-minimal 38 | namespace: kube-system 39 | rules: 40 | # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. 41 | - apiGroups: [""] 42 | resources: ["secrets"] 43 | verbs: ["create"] 44 | # Allow Dashboard to create 'kubernetes-dashboard-settings' config map. 45 | - apiGroups: [""] 46 | resources: ["configmaps"] 47 | verbs: ["create"] 48 | # Allow Dashboard to get, update and delete Dashboard exclusive secrets. 49 | - apiGroups: [""] 50 | resources: ["secrets"] 51 | resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] 52 | verbs: ["get", "update", "delete"] 53 | # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. 54 | - apiGroups: [""] 55 | resources: ["configmaps"] 56 | resourceNames: ["kubernetes-dashboard-settings"] 57 | verbs: ["get", "update"] 58 | # Allow Dashboard to get metrics from heapster. 
59 | - apiGroups: [""] 60 | resources: ["services"] 61 | resourceNames: ["heapster"] 62 | verbs: ["proxy"] 63 | - apiGroups: [""] 64 | resources: ["services/proxy"] 65 | resourceNames: ["heapster", "http:heapster:", "https:heapster:"] 66 | verbs: ["get"] 67 | 68 | --- 69 | apiVersion: rbac.authorization.k8s.io/v1 70 | kind: RoleBinding 71 | metadata: 72 | name: kubernetes-dashboard-minimal 73 | namespace: kube-system 74 | roleRef: 75 | apiGroup: rbac.authorization.k8s.io 76 | kind: Role 77 | name: kubernetes-dashboard-minimal 78 | subjects: 79 | - kind: ServiceAccount 80 | name: kubernetes-dashboard 81 | namespace: kube-system 82 | 83 | --- 84 | # ------------------- Dashboard Deployment ------------------- # 85 | 86 | kind: Deployment 87 | apiVersion: apps/v1beta2 88 | metadata: 89 | labels: 90 | k8s-app: kubernetes-dashboard 91 | name: kubernetes-dashboard 92 | namespace: kube-system 93 | spec: 94 | replicas: 1 95 | revisionHistoryLimit: 10 96 | selector: 97 | matchLabels: 98 | k8s-app: kubernetes-dashboard 99 | template: 100 | metadata: 101 | labels: 102 | k8s-app: kubernetes-dashboard 103 | spec: 104 | containers: 105 | - name: kubernetes-dashboard 106 | image: reg.qiniu.com/k8s/kubernetes-dashboard-amd64:v1.8.3 107 | ports: 108 | - containerPort: 8443 109 | protocol: TCP 110 | args: 111 | #- --auto-generate-certificates 112 | - --tls-cert-file=k8s-ui.pem # certificate file from the kubernetes-dashboard-certs secret 113 | - --tls-key-file=k8s-ui-key.pem # private key file from the same secret 114 | # Uncomment the following line to manually specify Kubernetes API server Host 115 | # If not specified, Dashboard will attempt to auto discover the API server and connect 116 | # to it. Uncomment only if the default does not work.
117 | # - --apiserver-host=http://my-address:port 118 | volumeMounts: 119 | - name: kubernetes-dashboard-certs 120 | mountPath: /certs 121 | # Create on-disk volume to store exec logs 122 | - mountPath: /tmp 123 | name: tmp-volume 124 | livenessProbe: 125 | httpGet: 126 | scheme: HTTPS 127 | path: / 128 | port: 8443 129 | initialDelaySeconds: 30 130 | timeoutSeconds: 30 131 | volumes: 132 | - name: kubernetes-dashboard-certs 133 | secret: 134 | secretName: kubernetes-dashboard-certs 135 | - name: tmp-volume 136 | emptyDir: {} 137 | serviceAccountName: kubernetes-dashboard 138 | # Comment the following tolerations if Dashboard must not be deployed on master 139 | tolerations: 140 | - key: node-role.kubernetes.io/master 141 | effect: NoSchedule 142 | 143 | --- 144 | # ------------------- Dashboard Service ------------------- # 145 | 146 | kind: Service 147 | apiVersion: v1 148 | metadata: 149 | labels: 150 | k8s-app: kubernetes-dashboard 151 | name: kubernetes-dashboard 152 | namespace: kube-system 153 | spec: 154 | ports: 155 | - port: 443 156 | targetPort: 8443 157 | selector: 158 | k8s-app: kubernetes-dashboard 159 | --- 160 | kind: Ingress 161 | apiVersion: extensions/v1beta1 162 | metadata: 163 | name: k8s-dashoard 164 | namespace: kube-system 165 | annotations: 166 | kubernetes.io/ingress.class: traefik 167 | spec: 168 | tls: 169 | - secretName: k8s-ui 170 | rules: 171 | - host: k8s-ui.local 172 | http: 173 | paths: 174 | - path: / 175 | backend: 176 | serviceName: kubernetes-dashboard 177 | servicePort: 443 -------------------------------------------------------------------------------- /install/dashboard/k8s-ui-key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDQQb1XkMjsDP8q 3 | TCiIIFi24nJFXtXxJ4IHFql9l+/9BhNrOzRpEyRCNe5cdn/NjMk6cbAg+8+9zgX2 4 | aRtbqpmaOLCtZtzABOxBgWmadiB9i3PqVnud/gWSBHE7a5EoAiPxY+uIV8dQ5+/1 5 | 
OZHkwsVbqHHNNEa/ebEi38gVEDhLb8hZVanBoe0SC2mKCL9HM0KJ5fnD0iGWHVWA 6 | lXTd3S4Mp8jdn6Tyc41lHNad6zaXk96TEQSCnbv3dkFte3En9vfhPPJ+PsiKH9Nf 7 | Kg4YQ1pF5fIEhbseZB2PzUcnrLYrp7MbsBQ2NAmTFOzUtAnphpcw8aho80eBN7ur 8 | c8XG18AfAgMBAAECggEABCP6dr47MG5FuHqRJ7u059XyvaxYBpZpgGiT8BpQPDCd 9 | vDkOHrSxuNtHpPD6M4UEDzRpcw5un/Bzr+WBFL58lVNhN+FerDas19SR2+9TUAuw 10 | v0z+4jJFvBR4h9zooun/+vGooipUnSgvXinJ28l/kQX1VUYfzfjGa9IVMU4EQIOs 11 | Qo2SjN6gS0LsUcM0DigQwEIdFIIOWvlfl55iEYNsRNag2TyhZ1EyPP82POZ/k02w 12 | Qwv3td2IKeZE8Jw0CdjSaLfMYiMUpEaVQxAtpDgC3OIQCyxHDQ0ZhHHKaRYMDJDy 13 | V9/Si+wzA2/oubTayhSARZ1iEVloFcYBIM6rqGCEcQKBgQDoczHUlIqOhUSIarqf 14 | CIKd8BGoR31nckyaTYUEBElpxJE1WPIRhj070KBOjdFJeouH4pUGgLNyATU+UcTz 15 | Leg26MvyM++8x6+irDFnXjYW8xyJ+NJwOtKqBjR0ypDmCjUSXBdLWwzvyjbhY4Lr 16 | on3uTZEwlAF5zCj5yf2cS16RGQKBgQDlWxKF6XiW9XPa5aMJYjownsSIxJrkxJSy 17 | XCGYXFRZjBY+q3wi2xmGZHWb4mArPJzCNdeYRN0ep2JxjEMJddxoQa8QznEUI0Du 18 | ju5L4TevNL3UQRO3FENXVd1rC3vcMPg+vsdD5WtJy2/LE1yjGpMaCC83cT3AgieI 19 | J9ZXQBrp9wKBgQCZdxQ7CSbBGXM5rV0wienSZCEEPM6qcWfpp6xeDoZ5cfF8ixCm 20 | ST48M2zi7/Zw0Js2R32kIWxXpDyGvG2PL4vUVLXxXiC1PhDTEWQ8npKPbEo3PTOS 21 | LQPQhPA0+1fWyH5pdKtccOyFk7fP7mcNMuZ5YnSs4cpno0aaQ6VQfuIcYQKBgQCP 22 | OQDnKLVKJ3qyfeYCrRlDVVHLSmKjavKkMo40E6wEw0r81Z9OMN3Oo5shvgpp1Y7a 23 | ZD7+cjpWsxXxbDJMjRIW9LV63D+W4LDih9TdA4X/XgMQsZa7I+cteYwsFV7CUL4k 24 | iIPsrS4DRgvIl42ouKaVgfjiOU/jkCNZje72SyzDXwKBgEHJFE1GNzXtNJfdr+ej 25 | +1BlGL7t4O04SO0MxN7XeA5zwN1xFwlYwr/NO52vDOne1xgQYhW39QQABpG33AjW 26 | uaUUPfhutKlIaPBzLjNYVjCGpi7FBmFMHhKlgXnrEgSey8B9RZv276LxmfvgHHNM 27 | 6dzYbdTrIJpNOKVtYAcaF+o3 28 | -----END PRIVATE KEY----- 29 | -------------------------------------------------------------------------------- /install/dashboard/k8s-ui.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDizCCAnOgAwIBAgIJAIM3AFXotfFUMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV 3 | BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX 4 | 
aWRnaXRzIFB0eSBMdGQxFTATBgNVBAMMDGs4cy11aS5sb2NhbDAeFw0xODA1MTcx 5 | NjEwMzBaFw0yODA1MTQxNjEwMzBaMFwxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApT 6 | b21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFTAT 7 | BgNVBAMMDGs4cy11aS5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC 8 | ggEBANBBvVeQyOwM/ypMKIggWLbickVe1fEnggcWqX2X7/0GE2s7NGkTJEI17lx2 9 | f82MyTpxsCD7z73OBfZpG1uqmZo4sK1m3MAE7EGBaZp2IH2Lc+pWe53+BZIEcTtr 10 | kSgCI/Fj64hXx1Dn7/U5keTCxVuocc00Rr95sSLfyBUQOEtvyFlVqcGh7RILaYoI 11 | v0czQonl+cPSIZYdVYCVdN3dLgynyN2fpPJzjWUc1p3rNpeT3pMRBIKdu/d2QW17 12 | cSf29+E88n4+yIof018qDhhDWkXl8gSFux5kHY/NRyestiunsxuwFDY0CZMU7NS0 13 | CemGlzDxqGjzR4E3u6tzxcbXwB8CAwEAAaNQME4wHQYDVR0OBBYEFEc0OG4ZK8KJ 14 | +0Tp+a353C0NIIBqMB8GA1UdIwQYMBaAFEc0OG4ZK8KJ+0Tp+a353C0NIIBqMAwG 15 | A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGgzieMTx9CCELUCmqeU9jCN 16 | tMIWLD7lGTiMoL4JgD6hdzuSEg6+INpFcQdwLP+NfmcaIqEDLBMUJo57wc1VMMlX 17 | M2H/nniHUAloHKSMvylhJgzvqFI+x2vvSuQ8Z35r76cJ6VISe/53JxDIaDEv3scC 18 | 7JmEPHAohrzcZiTibZfSeYAtcFB0p9CLHeP/QASgzk7wrGvEVVBXUeN4TLoMM60I 19 | DvZQfrzC60Xt+S+pzWr0Cd7us8xebZZpZrYUS4a69Ov03z97H6CHOAlNgkpgRb9j 20 | awMa/5yUGMQdHIuLGbLdIUlLtw8grCrjwP34Xku5jxWPlBphQg+0VXRiOlgBbas= 21 | -----END CERTIFICATE----- 22 | 
--------------------------------------------------------------------------------
/install/heapster/grafana.yaml:
--------------------------------------------------------------------------------
# Grafana front end for the heapster/influxdb monitoring stack (kube-system).
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: monitoring-grafana
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        task: monitoring
        k8s-app: grafana
    spec:
      containers:
      - name: grafana
        # Pulled by tag from a mirror registry, not pinned to a digest.
        image: reg.qiniu.com/k8s/heapster-grafana-amd64:v4.4.3
        ports:
        - containerPort: 3000
          protocol: TCP
        volumeMounts:
        # Host CA bundle, mounted read-only.
        - mountPath: /etc/ssl/certs
          name: ca-certificates
          readOnly: true
        # Backed by an emptyDir (see volumes): contents do not survive the pod.
        - mountPath: /var
          name: grafana-storage
        env:
        - name: INFLUXDB_HOST
          value: monitoring-influxdb
        - name: GF_SERVER_HTTP_PORT
          value: "3000"
          # The following env variables are required to make Grafana accessible via
          # the kubernetes api-server proxy. On production clusters, we recommend
          # removing these env variables, setup auth for grafana, and expose the grafana
          # service using a LoadBalancer or a public IP.
          #
          # As set here, basic auth is off and every unauthenticated visitor is
          # mapped to the Admin org role, so whoever can reach the Service
          # below (port 80 -> 3000) can administer this Grafana. Keep the
          # Service cluster-internal unless these three variables are removed
          # and real authentication is configured.
        - name: GF_AUTH_BASIC_ENABLED
          value: "false"
        - name: GF_AUTH_ANONYMOUS_ENABLED
          value: "true"
        - name: GF_AUTH_ANONYMOUS_ORG_ROLE
          value: Admin
        - name: GF_SERVER_ROOT_URL
          # If you're only using the API Server proxy, set this value instead:
          # value: /api/v1/namespaces/kube-system/services/monitoring-grafana/proxy
          value: /
      volumes:
      - name: ca-certificates
        hostPath:
          path: /etc/ssl/certs
      - name: grafana-storage
        emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  labels:
    # For use as a Cluster add-on (https://github.com/kubernetes/kubernetes/tree/master/cluster/addons)
    # If you are NOT using this as an addon, you should comment out this line.
    kubernetes.io/cluster-service: 'true'
    kubernetes.io/name: monitoring-grafana
  name: monitoring-grafana
  namespace: kube-system
spec:
  # In a production setup, we recommend accessing Grafana through an external Loadbalancer
  # or through a public IP.
  # type: LoadBalancer
  # You could also use NodePort to expose the service at a randomly-generated port
  # type: NodePort
  # Either option publishes the anonymous-Admin Grafana configured in the
  # Deployment above; change its auth settings before enabling one of them.
  ports:
  - port: 80
    targetPort: 3000
  selector:
    k8s-app: grafana
--------------------------------------------------------------------------------
/install/heapster/heapster-rbac.yaml:
--------------------------------------------------------------------------------
# Binds the kube-system/heapster ServiceAccount to the ClusterRole
# "system:heapster". The role itself is not defined in this repository listing;
# it is expected to exist in the cluster already.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: heapster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:heapster
subjects:
- kind: ServiceAccount
  name: heapster
  namespace: kube-system
--------------------------------------------------------------------------------
/install/heapster/heapster.yaml:
--------------------------------------------------------------------------------
# ServiceAccount, Deployment and Service for heapster in kube-system.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: heapster
  namespace: kube-system
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: heapster
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        task: monitoring
        k8s-app: heapster
    spec:
      serviceAccountName: heapster
      containers:
      - name: heapster
        # Pulled by tag from a mirror registry, not pinned to a digest.
        image: reg.qiniu.com/k8s/heapster-amd64:v1.4.2
        imagePullPolicy: IfNotPresent
        command:
        - /heapster
        # Metrics are read from the API server over HTTPS and written to
        # InfluxDB over plain HTTP inside the cluster.
        - --source=kubernetes:https://kubernetes.default
        - --sink=influxdb:http://monitoring-influxdb.kube-system.svc:8086
---
apiVersion: v1
kind: Service
metadata:
  labels:
    task: monitoring
    # For use as a Cluster add-on (https://github.com/kubernetes/kubernetes/tree/master/cluster/addons)
    # If you are NOT using this as an addon, you should comment out this line.
    kubernetes.io/cluster-service: 'true'
    kubernetes.io/name: Heapster
  name: heapster
  namespace: kube-system
spec:
  ports:
  - port: 80
    targetPort: 8082
  selector:
    k8s-app: heapster
--------------------------------------------------------------------------------
/install/heapster/influxdb.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: extensions/v1beta1 2 | kind: Deployment 3 | metadata: 4 | name: monitoring-influxdb 5 | namespace: kube-system 6 | spec: 7 | replicas: 1 8 | template: 9 | metadata: 10 | labels: 11 | task: monitoring 12 | k8s-app: influxdb 13 | spec: 14 | containers: 15 | - name: influxdb 16 | image: reg.qiniu.com/k8s/heapster-influxdb-amd64:v1.3.3 17 | volumeMounts: 18 | - mountPath: /data 19 | name: influxdb-storage 20 | volumes: 21 | - name: influxdb-storage 22 | emptyDir: {} 23 | --- 24 | apiVersion: v1 25 | kind: Service 26 | metadata: 27 | labels: 28 | task: monitoring 29 | # For use as a Cluster add-on (https://github.com/kubernetes/kubernetes/tree/master/cluster/addons) 30 | # If you are NOT using this as an addon, you should comment out this line. 
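31 | kubernetes.io/cluster-service: 'true' 32 | kubernetes.io/name: monitoring-influxdb 33 | name: monitoring-influxdb 34 | namespace: kube-system 35 | spec: 36 | ports: 37 | - port: 8086 38 | targetPort: 8086 39 | selector: 40 | k8s-app: influxdb 41 | 
--------------------------------------------------------------------------------
/install/ingress-nginx/ingress-nginx-controller.yaml:
--------------------------------------------------------------------------------
#--------------------- namespaces -----------------------#
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
---
#--------------------- ConfigMap--------------------------#
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app: ingress-nginx
---

kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
---

kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
---

# NOTE(review): this ConfigMap sets no namespace, so it is created in whatever
# namespace kubectl is pointed at, and none of the controller args below
# reference it (--configmap points at nginx-configuration). enable-vts-status
# therefore probably never reaches the controller - confirm, and move the key
# into nginx-configuration if the status page is wanted.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-load-balancer-conf
data:
  enable-vts-status: "true"
---
#---------------------------rbac--------------------------#
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
---
# Cluster-wide permissions of the controller. The first rule lets it list and
# watch secrets in every namespace, so the controller's service-account token
# should be treated as sensitive as those secrets.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
#------------------------nginx-controller-----------------#
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ingress-nginx
  template:
    metadata:
      labels:
        app: ingress-nginx
      annotations:
        prometheus.io/port: '10254'
        prometheus.io/scrape: 'true'
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      # hostNetwork puts the pod in the node's network namespace: every port
      # the controller opens (80, 443, 8080, 10254) is bound on the node's
      # own addresses, not just the ones listed under ports.
      hostNetwork: true
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.15.0
          args:
            - /nginx-ingress-controller
            - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/nginx-ingress-controller
            - --annotations-prefix=nginx.ingress.kubernetes.io
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
          - name: http
            containerPort: 80
          - name: https
            containerPort: 443
          - containerPort: 8080
            hostPort: 8080
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          # Explicitly allows the container to run as root.
          securityContext:
            runAsNonRoot: false
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
    name: http
  - port: 443
    protocol: TCP
    targetPort: 443
    name: https
  - port: 8080
    protocol: TCP
    name: nginx-status
  # Fixed: the selector was "k8s-app: nginx-ingress-controller", a label no
  # pod in this file carries, so the Service had no endpoints. The controller
  # pods are labelled "app: ingress-nginx".
  selector:
    app: ingress-nginx
  sessionAffinity: None
  type: ClusterIP

---

# Publishes the controller's port 8080 (named nginx-status above) on
# nginx-ui.local. No authentication is configured on this Ingress.
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: nginx-status-ingress
  namespace: ingress-nginx
spec:
  rules:
  - host: nginx-ui.local
    http:
      paths:
      - path:
        backend:
          serviceName: nginx-ingress-controller
          servicePort: 8080
# Fixed: the document separator below was missing, which merged the Ingress
# above and the ReplicationController below into one YAML document with
# duplicate apiVersion/kind/metadata/spec keys.
---
#-----------------------default-http-backend--------------#
apiVersion: v1
kind: ReplicationController
metadata:
  name: default-http-backend
  namespace: ingress-nginx
spec:
  replicas: 1
  selector:
    app: default-http-backend
  template:
    metadata:
      labels:
        app: default-http-backend
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - name: default-http-backend
        # Any image is permissable as long as:
        # 1. It serves a 404 page at /
        # 2. It serves 200 on a /healthz endpoint
        image: reg.qiniu.com/k8s/defaultbackend-amd64:1.4
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 30
          timeoutSeconds: 5
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 10m
            memory: 20Mi
          requests:
            cpu: 10m
            memory: 20Mi
---

apiVersion: v1
kind: Service
metadata:
  name: default-http-backend
  namespace: ingress-nginx
  labels:
    app: default-http-backend
spec:
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: default-http-backend
---
--------------------------------------------------------------------------------
/install/ingress-traefik/ingress-traefik-controller.yaml:
--------------------------------------------------------------------------------
# Cluster-wide read access for Traefik, including get/list/watch on secrets in
# every namespace.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      # Neither the traefik-cert secret nor the traefik-conf config map is
      # created by this manifest; both must exist in kube-system first.
      # traefik.toml reads /ssl/traefik-ui.pem and /ssl/traefik-ui-key.pem,
      # so the secret has to carry those two file names. The key pair
      # published in this repository is readable by anyone who can read the
      # repository; generate a fresh pair before creating the secret.
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      containers:
      # NOTE(review): "latest" is a moving tag, so the image that runs depends
      # on pull time, and the --web / --kubernetes flags below are Traefik 1.x
      # options that a newer major release is unlikely to accept. Pin a
      # specific release tag or digest.
      - image: traefik:latest
        name: traefik-ingress-lb
        volumeMounts:
        - name: ssl
          mountPath: "/ssl"
        - name: config
          mountPath: "/config"
        ports:
        - containerPort: 80
          hostPort: 80
        - containerPort: 8080
        - containerPort: 443
          hostPort: 443
        args:
        # --web turns on the built-in dashboard/API on port 8080; no
        # authentication for it is configured anywhere in this file.
        - --web
        - --kubernetes
        - --logLevel=info
        - --configfile=/config/traefik.toml
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080
---
# Publishes the Traefik dashboard (port 8080 via traefik-web-ui) on
# traefik-ui.local. The TLS secret traefik-ui-cert is a different name from
# the traefik-cert secret mounted into the pod and is not created here.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  tls:
    - secretName: traefik-ui-cert
  rules:
  - host: traefik-ui.local
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web
--------------------------------------------------------------------------------
/install/ingress-traefik/traefik-ui-key.pem:
--------------------------------------------------------------------------------
1 | -----BEGIN PRIVATE KEY----- 2 | MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDLyI/2Cq4jDZ1P 3 | bKpwPboo+ADhgFBKrdRyKPntgwO+6k+Agsr/908zrvf6TaIJ5KykQ88yfXF+mwwt 4 | oXNMciciIPROB6a9Ed1lRPkibNnd24ZCoptmumVTPgKAaivJ83OD7PlZuhoC5Ob8 5 | 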
RPNKhj7j91SJb9xzMl9J8kaPAPcg5lLLt16hVCvf4/cF9roJlNeDVzclO8YWXSEU 6 | ZtYRzFeLli2wW3FlxnknXJHp5Vq6mNBg4FVLbWLM3bRwE2gQHUU46KNDL8EV664K 7 | /b15Fd8nAUUfGugE0Jz9PuchZ3sIiTCs+vTErj5B5FyDDHKKuNbnSovtlX6Yx8Bv 8 | xmZ/DsYRAgMBAAECggEAXXkQt63sdD2xc5YHk9ZshpBDbyw5KBgWA4tSIKTg2fiG 9 | IQ9daA2bcbyHGHP1qI4QtoQ4DRPHNGiQLHoK9fzCgIAXL5eI3t7L68C4ehbt1Dr2 10 | magWmgdTpNwjr52Dmm2mBdR0B7k6Zytx3DMQWZW8UTrItwXtW5W2aafMv5mUwayy 11 | QCNk1yyCa/ccAxGS9rbnrYcsmRn3+rlJHoLBTCgYAACXAUuYFCCGak6wHYwkEH2k 12 | d9RMommFCHSYXGoflpWRp+QWSzKM2uGO+qcBn+KEubUjVgPTAicjIpdlJix3IPIL 13 | 6iE2camGBT0NhvoLlE7Ln+twYLHB4y0Liv4v1Rx7MQKBgQDz0PiG9Y0ahQkk4mxd 14 | Dcp38Lil8tNQxezIH5H/TGt/qgI7J36TcRVsSKze0dGgtiXQ5OBdrk8U9No+qc8d 15 | 9nrN6oUUJrWLDI4HGbNScUZgT2RlNin2X78HczfkzB7quL0KXydskaAQTgigFGMn 16 | aGvK3pFbYK2kGOb0wLG1uma9rQKBgQDV93hHZ6NSLL6ZVeHW56jm7DEvtjJ1HveQ 17 | 7xNdfJR92VivMw8MeQIimqsDHffMIlNt8Q30ggK1WQJAmbLEiZOLPy51yDz/XC46 18 | RJGm95hFvYvig7frpCXQ1Hp4s3CYTgQgaM/+NPrz+kDU6mK5m/mBZU8aY/5bPJom 19 | LuzynrkudQKBgQCzD57mZwIZHuknSI7zDETNL2I8pghhwupx0xXDHFm6qZ332bqR 20 | CDUGkJ09C3VcBUnij6TjyDdWGbkK2mU9CR8JiZnwwbkEhNTuDAbxnjVkWApQdqX8 21 | xjaifxDmnK58De7v5hArIQwfzV9ySWbEs2Cu3iR8qpT79jnwOHCLGXmJBQKBgE2u 22 | 5Xp3RDKnkCO3rKELxqTgiBMcgUFIlvWF92/vtTHj4XDqhsIuhPnvUbt1++ufYs79 23 | v+VP9o/E2y59HwyALpNVwxZ8Nrk3zIjXMFKAfkaDxO/ehr4FAL3LBxQfgfeqC5GA 24 | vFM9BQfjifpDhsiAupuiHpAkUcrqO8U1ME3+FpmpAoGAYLdJDcQEXOH1bloJbVNg 25 | L6fpnLqbWguzQ/GZ2cpMpUAe1UoAGeNVhh2ONB1kaIt9H2TpE0RdQauWhB15Za6I 26 | IEKMlVfOFEWbjgLArd5mBrLkpouA7c/tQuFwiQdLgCTwCZkmXxpZhz2fdT25VJq2 27 | 6LZtlD3g4Jfi+jiLVbBCmsg= 28 | -----END PRIVATE KEY----- 29 | -------------------------------------------------------------------------------- /install/ingress-traefik/traefik-ui.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDkzCCAnugAwIBAgIJAKMwEhmKGQcTMA0GCSqGSIb3DQEBCwUAMGAxCzAJBgNV 3 | BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX 4 | 
aWRnaXRzIFB0eSBMdGQxGTAXBgNVBAMMEHRyYWVmaWstdWkubG9jYWwwHhcNMTgw 5 | NTE2MTYwMDE0WhcNMjgwNTEzMTYwMDE0WjBgMQswCQYDVQQGEwJBVTETMBEGA1UE 6 | CAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk 7 | MRkwFwYDVQQDDBB0cmFlZmlrLXVpLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOC 8 | AQ8AMIIBCgKCAQEAy8iP9gquIw2dT2yqcD26KPgA4YBQSq3Ucij57YMDvupPgILK 9 | //dPM673+k2iCeSspEPPMn1xfpsMLaFzTHInIiD0TgemvRHdZUT5ImzZ3duGQqKb 10 | ZrplUz4CgGoryfNzg+z5WboaAuTm/ETzSoY+4/dUiW/cczJfSfJGjwD3IOZSy7de 11 | oVQr3+P3Bfa6CZTXg1c3JTvGFl0hFGbWEcxXi5YtsFtxZcZ5J1yR6eVaupjQYOBV 12 | S21izN20cBNoEB1FOOijQy/BFeuuCv29eRXfJwFFHxroBNCc/T7nIWd7CIkwrPr0 13 | xK4+QeRcgwxyirjW50qL7ZV+mMfAb8Zmfw7GEQIDAQABo1AwTjAdBgNVHQ4EFgQU 14 | SvSPbk/0qzaqeE3Fpi2V4FfWRuIwHwYDVR0jBBgwFoAUSvSPbk/0qzaqeE3Fpi2V 15 | 4FfWRuIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAgDIIkAwMtQNX 16 | GAnswtrR2B/ZEpJwMQcsBilPg/V0tw5xFZFDxxikI5C4CuTu7IVHOZoagyDZAYaT 17 | BgAcR7Io3N/SKWabisuyJUiTwtQ324S//jCHV4YccMRrFU8uBgFTzEVrAXx54Jl3 18 | phN6pscPrFCuDtNsLVIsJftNUOefFZLmhUp//jMBxHJeEMfQ00MYKnuN7GnwElUB 19 | rIFaVA3yESHdqGYHnolDRZymSqdyfbsRaaBjI+TzHjDWOcDz9OIJkl9FnDvTf5y+ 20 | CMgNr5a25ugnKmd6w/Wd24GH5uV1YGLt3XrRmGyI7QntYoePHqa4c/IpTLVcr7Pz 21 | E2lo3z9SHQ== 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- /install/ingress-traefik/traefik.toml: -------------------------------------------------------------------------------- 1 | logLevel = "DEBUG" 2 | defaultEntryPoints = ["http","https"] 3 | 4 | [kubernetes] 5 | namespaces = ["default","kube-system"] 6 | 7 | [entryPoints] 8 | [entryPoints.http] 9 | address = ":80" 10 | [entryPoints.http.redirect] 11 | entryPoint = "https" 12 | [entryPoints.https] 13 | address = ":443" 14 | [entryPoints.https.tls] 15 | [[entryPoints.https.tls.certificates]] 16 | CertFile = "/ssl/traefik-ui.pem" 17 | KeyFile = "/ssl/traefik-ui-key.pem" -------------------------------------------------------------------------------- /install/k8s-images.sh: 
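--------------------------------------------------------------------------------
#!/bin/sh
# Pre-load the control-plane images for Kubernetes v1.10.2 from the
# reg.qiniu.com mirror, retag them under the k8s.gcr.io names, and drop the
# mirror tags. Calico, CoreDNS and etcd are pulled from their own registries.
#
# The mirror images are taken by tag and then presented to the node as
# k8s.gcr.io images; nothing here checks that they match upstream. Compare
# image digests against a trusted source if provenance matters.

# Stop at the first failed command so a failed pull is never followed by a
# retag of whatever older image happens to be cached under the same tag.
set -eu

MIRROR=reg.qiniu.com/k8s
UPSTREAM=k8s.gcr.io

# name:tag of every image that is mirrored and retagged.
K8S_IMAGES="
kube-apiserver-amd64:v1.10.2
kube-controller-manager-amd64:v1.10.2
kube-scheduler-amd64:v1.10.2
kube-proxy-amd64:v1.10.2
etcd-amd64:3.1.12
pause-amd64:3.1
"

for image in $K8S_IMAGES; do
    docker pull "$MIRROR/$image"
done

docker pull quay.io/calico/node:v3.0.7
docker pull quay.io/calico/kube-controllers:v2.0.4
docker pull quay.io/calico/cni:v2.0.5
docker pull coredns/coredns:1.0.6
docker pull quay.io/coreos/etcd:v3.1.10

for image in $K8S_IMAGES; do
    docker tag "$MIRROR/$image" "$UPSTREAM/$image"
done

for image in $K8S_IMAGES; do
    docker rmi "$MIRROR/$image"
done
--------------------------------------------------------------------------------
/mirror:
--------------------------------------------------------------------------------
#! /usr/bin/env bash
#
# Copy every image named in ./image.list to reg.qiniu.com/k8s/<name:tag>.
# Requires USERNAME and PASSWORD in the environment.

# Abort on the first error and on unset variables, so a failed login or pull
# never leads to pushing a stale local image.
set -euo pipefail

registry="reg.qiniu.com"

# --password-stdin keeps the password out of the process list and out of the
# docker CLI's argv (the previous -p="${PASSWORD}" exposed it there).
printf '%s' "${PASSWORD}" | docker login "${registry}" -u "${USERNAME}" --password-stdin

# A bare `docker logout` only clears the default registry, leaving the
# reg.qiniu.com credentials in the docker config. Name the registry, and run
# the logout on every exit path.
trap 'docker logout "${registry}"' EXIT

# image.list holds whitespace-separated image references; word splitting of
# the file content is intentional.
for i in $(< ./image.list); do
  # Keep only the last path component (name:tag) of the source reference.
  o="${registry}/k8s/${i##*/}"

  docker image pull "${i}"
  docker image tag "${i}" "${o}"
  docker image push "${o}"
done
--------------------------------------------------------------------------------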