Setting up a private cloud drive with NextCloud

1. Create a StorageClass (SC), bind a PVC to the SC, bind your Deployment to the PVC, and finally expose the Service through a NodePort

1) Check how much space rook-ceph still has available

  1. Find the Ceph toolbox Pod:

    • First, find the Pod that runs the Ceph toolbox:
      kubectl -n rook-ceph get pod -l "app=rook-ceph-tools"
      
    • This lists every Pod labelled as a Ceph toolbox; normally there is only one.
  2. Enter the toolbox Pod:

    • Open a shell in the toolbox Pod with:
      kubectl -n rook-ceph exec -it [toolbox-pod-name] -- bash
      
    • Replace [toolbox-pod-name] with the actual Pod name.
  3. Check the Ceph cluster status:

    • Inside the toolbox Pod, get the cluster status with:
      ceph status
      
    • This shows the cluster's current state, including health, monitor information and OSD status.
  4. Check storage capacity:

    • For detailed capacity information, run:
      ceph df
      
    • This shows total, used and available capacity.

2) Create a pool

Run the following command to create a pool named "opspool" with 64 placement groups:

ceph osd pool create opspool 64 64
  1. After creating the pool, confirm it exists with the ceph osd lspools command:
ceph osd lspools

Create the Nextcloud resources

block-sc.yaml

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: rook-ceph-block
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
  clusterID: "rook-ceph"
  csi.storage.k8s.io/controller-expand-secret-name: "rook-csi-rbd-provisioner"
  csi.storage.k8s.io/controller-expand-secret-namespace: "rook-ceph"
  csi.storage.k8s.io/fstype: "xfs"
  csi.storage.k8s.io/node-stage-secret-name: "rook-csi-rbd-node"
  csi.storage.k8s.io/node-stage-secret-namespace: "rook-ceph"
  csi.storage.k8s.io/provisioner-secret-name: "rook-csi-rbd-provisioner"
  csi.storage.k8s.io/provisioner-secret-namespace: "rook-ceph"
  imageFeatures: "layering"
  imageFormat: "2"
  pool: "opspool"
reclaimPolicy: Delete
allowVolumeExpansion: true

ncPVC.yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nextcloud-storage
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 250Gi
  storageClassName: rook-ceph-block
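Before applying this PVC it is worth checking that the 250Gi request actually fits in the pool the StorageClass points at. The script below is an added example and is not part of the original post: it reads the output of `ceph df --format json` (the same command as step 4 above, run through the toolbox Pod with the `--format json` flag), converts the Kubernetes quantity to bytes and compares it with the pool's MAX AVAIL, which already accounts for replication. The JSON sample is constructed; the key names (`pools[].name`, `pools[].stats.max_avail`, `stats.total_avail_bytes`) are assumed to follow current Ceph releases, and the 20% headroom is an assumed safety margin.

```python
"""Check whether a PVC request fits in a Rook-Ceph pool, from `ceph df --format json`.

Added example, not from the original post. Assumes the JSON layout that
`ceph df --format json` prints: a top-level "stats" object with
"total_avail_bytes", and a "pools" list whose entries carry "name" and a
"stats" object with "max_avail" (bytes). The sample below is constructed.
"""
import json
import re

# Constructed sample, trimmed to the fields this check uses.
SAMPLE_CEPH_DF_JSON = """
{
  "stats": {"total_bytes": 1649267441664, "total_avail_bytes": 1319413953331,
            "total_used_bytes": 329853488333},
  "pools": [
    {"name": ".mgr",    "id": 1, "stats": {"stored": 1048576,     "max_avail": 412000000000}},
    {"name": "opspool", "id": 2, "stats": {"stored": 10737418240, "max_avail": 412000000000}}
  ]
}
"""

# Kubernetes resource quantity suffixes -> multiplier in bytes.
# Binary (Ki, Mi, ...) and decimal (k, M, ...) forms are both valid in a PVC.
_QUANTITY_UNITS = {
    "": 1,
    "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12, "P": 10**15, "E": 10**18,
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40, "Pi": 2**50, "Ei": 2**60,
}
_QUANTITY_RE = re.compile(r"^(\d+(?:\.\d+)?)([kMGTPE]i?|)$")


def parse_quantity(q: str) -> int:
    """Convert a Kubernetes quantity such as '250Gi' or '500M' to bytes."""
    m = _QUANTITY_RE.match(q.strip())
    if not m:
        raise ValueError(f"unsupported quantity: {q!r}")
    number, unit = m.groups()
    return int(float(number) * _QUANTITY_UNITS[unit])


def pool_max_avail(ceph_df_json: str, pool: str) -> int:
    """Return the MAX AVAIL bytes Ceph reports for `pool`; raise if it is missing."""
    doc = json.loads(ceph_df_json)
    for entry in doc["pools"]:
        if entry["name"] == pool:
            return int(entry["stats"]["max_avail"])
    raise KeyError(f"pool {pool!r} not found; create it (ceph osd pool create) first")


def pvc_fits(ceph_df_json: str, pool: str, request: str, headroom: float = 0.2) -> bool:
    """True when `request` fits in the pool's MAX AVAIL while leaving `headroom`
    (a fraction of MAX AVAIL) free. MAX AVAIL already accounts for the pool's
    replication factor, so the PVC size is compared with it directly."""
    need = parse_quantity(request)
    avail = pool_max_avail(ceph_df_json, pool)
    return need <= avail * (1 - headroom)


if __name__ == "__main__":
    # Pipe real output in with:
    #   kubectl -n rook-ceph exec deploy/rook-ceph-tools -- ceph df --format json > df.json
    for req in ("250Gi", "400Gi"):
        print(req, "fits in opspool:", pvc_fits(SAMPLE_CEPH_DF_JSON, "opspool", req))
```

With the constructed sample the 250Gi request passes and a 400Gi request is refused, because 400Gi (about 429.5 GB) exceeds 80% of the 412 GB MAX AVAIL. A missing pool raises instead of silently returning zero, which is the failure you want before a PVC sits in Pending.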

ncDeployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nextcloud
spec:
  selector:
    matchLabels:
      app: nextcloud
  template:
    metadata:
      labels:
        app: nextcloud
    spec:
      containers:
      - name: nextcloud
        image: nextcloud:latest
        ports:
        - containerPort: 80
        volumeMounts:
        - mountPath: /var/www/html
          name: nextcloud-storage
      volumes:
      - name: nextcloud-storage
        persistentVolumeClaim:
          claimName: nextcloud-storage

ncsvc.yaml

apiVersion: v1
kind: Service
metadata:
  name: nextcloud-service
spec:
  type: NodePort
  ports:
  - port: 80
    nodePort: 30080 # any other port in the NodePort range can be chosen
  selector:
    app: nextcloud

2. HTTPS configuration: file upload and download have problems with it, so don't use it for now

1) When a browser opens https://<domain> to reach a Service inside the k8s cluster on the LAN, how does the traffic flow through the Ingress and the ingress-nginx-controller, and how are they related?

When you use HTTPS in a browser to reach a service running in a Kubernetes cluster on your LAN, the traffic flow and the relationship between the components is roughly as follows:

  1. DNS resolution

    • When you type https://your-domain.com into the browser, DNS resolves the domain to the IP address of the machine hosting the Ingress Controller (usually one of the Kubernetes nodes).
  2. Reaching the Ingress Controller

    • The HTTPS request travels over the network to that IP address. Because it is HTTPS, it targets port 443 by default.
    • If your Ingress Controller (for example the Nginx Ingress Controller) is configured to listen on port 443, it accepts the request.
  3. Ingress resource processing

    • The Ingress Controller handles the request according to the configured Ingress resources. An Ingress defines which requests are routed to which Services.
    • For example, an Ingress resource can state that requests for the host your-domain.com are forwarded to nextcloud-service.
  4. Service forwarding

    • The request is forwarded to the matching Kubernetes Service (for example nextcloud-service), which routes it on to a backend Pod according to its own configuration.
  5. Pod handles the request

    • The Pod receives the request and processes it according to your application logic; if the Pod runs a web server, it returns the page content.
  6. Response returns to the user

    • The response travels back to the user's browser along the same path.

Throughout this process the Ingress Controller plays the key role: it is the component that receives external HTTPS traffic and routes it to the right Service according to the Ingress rules. The Ingress resources define how the different requests arriving at the Ingress Controller are handled.

2) nextcloud-ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nextcloud-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - cvs-cloud.com
    - www.cvs-cloud.com
    secretName: mycert-secret
  rules:
  - host: cvs-cloud.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nextcloud-service
            port:
              number: 80

3) openssl

Certainly. Here is a concrete example of creating a self-signed SSL certificate that includes SANs:

  1. Create a self-signed certificate with SANs
    First, create an OpenSSL configuration file that contains the SANs (Subject Alternative Names). For example, create a file named san.cnf with the following content:

    [ req ]
    default_bits       = 2048
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext
    x509_extensions    = v3_req
    prompt             = no
    
    [ req_distinguished_name ]
    C  = US
    ST = CA
    L  = San Francisco
    O  = My Company
    OU = My Division
    CN = cvs-cloud.com
    
    [ req_ext ]
    subjectAltName = @alt_names
    
    [ v3_req ]
    subjectAltName = @alt_names
    
    [ alt_names ]
    DNS.1   = cvs-cloud.com
    DNS.2   = www.cvs-cloud.com
    

    Here CN is your primary domain, and DNS.1, DNS.2 and so on are the additional domains that become the SANs.

  2. Generate the self-signed certificate and key
    Generate the certificate and private key with OpenSSL:

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.key -out mycert.crt -config san.cnf
    

    This produces the private key (mycert.key) and the certificate (mycert.crt).

  3. Create the Kubernetes Secret
    Add the certificate and private key to Kubernetes as a Secret:

    kubectl create secret tls mycert-secret --cert=mycert.crt --key=mycert.key
    

    This Secret can then be referenced from the Ingress resource.
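What the SAN list above buys you is that the browser matches the hostname it is connecting to against the certificate's dNSName entries, not the CN. The Python below is an added example (not part of the original post, and not Nextcloud's or ingress-nginx's code) that reproduces that decision: the port (31725 here) and the path are ignored, the CN is not consulted once a SAN extension is present, and a wildcard only covers one label. `SANS` mirrors the alt_names section above; the URLs checked are constructed; the wildcard handling goes beyond the two plain names in the post.

```python
"""Decide which URLs a certificate's SAN list satisfies, the way a browser does
(RFC 6125 style matching). Added example, not from the original post.
SANS mirrors the [alt_names] section of san.cnf; the URLs are constructed."""
from urllib.parse import urlsplit

# DNS entries from the san.cnf [alt_names] section.
SANS = ["cvs-cloud.com", "www.cvs-cloud.com"]


def host_from_url(url: str) -> str:
    """Extract the hostname a browser validates: scheme, port and path are ignored,
    which is why https://cvs-cloud.com:31725 is checked as 'cvs-cloud.com'."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower().rstrip(".")


def san_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a host.
    A wildcard is honoured only as the entire left-most label and matches
    exactly one label, so *.cvs-cloud.com covers www.cvs-cloud.com but
    neither cvs-cloud.com nor a.b.cvs-cloud.com."""
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Reject partial wildcards (w*.example.com), multiple wildcards and
    # wildcards that would cover a whole TLD (*.com).
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(url: str, sans=SANS) -> bool:
    """True when some SAN entry matches the host in `url`. The CN is deliberately
    not consulted: browsers ignore it once a SAN extension is present, so a
    host that is only in the CN would still fail validation."""
    host = host_from_url(url)
    return any(san_matches(san, host) for san in sans)


if __name__ == "__main__":
    for url in ("https://cvs-cloud.com:31725", "https://www.cvs-cloud.com/login",
                "https://cloud.cvs-cloud.com", "https://192.168.1.11:30080"):
        print(url, "->", "covered" if cert_covers(url) else "NOT covered")
```

Two consequences for this setup: the NodePort address https://192.168.1.11:30080 is not covered (an IP needs an `IP.1 = ...` entry, not a DNS one), and any extra host you add to the Ingress later must also be added to alt_names and the certificate regenerated.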

4) Ingress

mandatory.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: default-http-backend
  labels:
    app.kubernetes.io/name: default-http-backend
    app.kubernetes.io/part-of: ingress-nginx
  namespace: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: default-http-backend
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: default-http-backend
        app.kubernetes.io/part-of: ingress-nginx
    spec:
      terminationGracePeriodSeconds: 60
      containers:
        - name: default-http-backend
          # Any image is permissible as long as:
          # 1. It serves a 404 page at /
          # 2. It serves 200 on a /healthz endpoint
          image: registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/defaultbackend-amd64:1.5
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 30
            timeoutSeconds: 5
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: 10m
              memory: 20Mi
            requests:
              cpu: 10m
              memory: 20Mi

---
apiVersion: v1
kind: Service
metadata:
  name: default-http-backend
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: default-http-backend
    app.kubernetes.io/part-of: ingress-nginx
spec:
  ports:
    - port: 80
      targetPort: 8080
  selector:
    app.kubernetes.io/name: default-http-backend
    app.kubernetes.io/part-of: ingress-nginx

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/nginx-ingress-controller:0.20.0
          args:
            - /nginx-ingress-controller
            - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1

---

service-nodeport.yaml

apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
      nodePort: 31725
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

5) kubectl cp and fixing permissions

kubectl cp [pod-name]:/var/www/html/config/config.php ./config.php
# after editing, copy it back
kubectl cp ./config.php [pod-name]:/var/www/html/config/config.php
# fix the file's owner and permissions
chown www-data config.php
chmod --reference=apps.config.php config.php

config.php

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'oczp30q1vsax',
  'passwordsalt' => '/Qa0r41zKcznIYcvycsOQrW8G4Ys+1',
  'secret' => 'hrn7q9aXZ/WbDXuhnNGJM5mlWDm75BcXFdMblS7eGd6DhFhe',
  'trusted_domains' =>
  array (
    0 => '192.168.1.11:30080',
    1 => 'cvs-cloud.com',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '23.0.0.10',
  'overwrite.cli.url' => 'https://cvs-cloud.com:31725',
  'dbname' => 'nextcloud_db',
  'dbhost' => '10.233.14.195:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'oc_admin',
  'dbpassword' => 'uvfLRcCEpjX7G3FdM4AVgdivLRba6A',
  'installed' => true,
);

In the hosts file under C:\Windows\System32\drivers\etc, add the line <ip-of-the-node-running-the-svc> cvs-cloud.com
Then open https://cvs-cloud.com:31725 in the browser and you are in.

Can I add 31725 to my laptop's hosts file?

No, adding a port number through the laptop's hosts file does not work. The hosts file only maps domain names to IP addresses; it has no notion of ports. Ports are handled at the application layer (the browser or the application server), not by DNS or the hosts file.

To reach your service as https://cvs-cloud.com (without a port), you need port forwarding on your network or at your cloud provider, or a load balancer, that routes external port 443 to the Ingress Controller's corresponding NodePort.
