1、Create a StorageClass (sc), bind a PVC to it, bind your Deployment to the PVC, and finally expose the Service through a NodePort.
1) Check how much space rook-ceph has left
- Find the Ceph toolbox Pod. First, locate the Pod that runs the Ceph toolbox:
kubectl -n rook-ceph get pod -l "app=rook-ceph-tools"
This lists every Pod labelled as the Ceph toolbox; usually there is only one.
- Enter the toolbox Pod:
kubectl -n rook-ceph exec -it [toolbox-pod-name] -- bash
Replace [toolbox-pod-name] with the actual Pod name.
- Check the Ceph cluster status. Inside the toolbox Pod, run:
ceph status
This shows the current state of the cluster, including health, monitor information and OSD status.
- Check storage capacity. For detailed capacity information, run:
ceph df
This command shows total, used and available capacity.
2) Create a pool
Run the following command to create a pool named "opspool" with 64 placement groups:
ceph osd pool create opspool 64 64
After creating the pool, confirm that it was created successfully with:
ceph osd lspools
Create nextcloud
block-sc.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: rook-ceph-block
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
  clusterID: "rook-ceph"
  csi.storage.k8s.io/controller-expand-secret-name: "rook-csi-rbd-provisioner"
  csi.storage.k8s.io/controller-expand-secret-namespace: "rook-ceph"
  csi.storage.k8s.io/fstype: "xfs"
  csi.storage.k8s.io/node-stage-secret-name: "rook-csi-rbd-node"
  csi.storage.k8s.io/node-stage-secret-namespace: "rook-ceph"
  csi.storage.k8s.io/provisioner-secret-name: "rook-csi-rbd-provisioner"
  csi.storage.k8s.io/provisioner-secret-namespace: "rook-ceph"
  imageFeatures: "layering"
  imageFormat: "2"
  pool: "opspool"
reclaimPolicy: Delete
allowVolumeExpansion: true
ncPVC.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nextcloud-storage
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 250Gi
  storageClassName: rook-ceph-block
ncDeployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nextcloud
spec:
  selector:
    matchLabels:
      app: nextcloud
  template:
    metadata:
      labels:
        app: nextcloud
    spec:
      containers:
        - name: nextcloud
          image: nextcloud:latest
          ports:
            - containerPort: 80
          volumeMounts:
            - mountPath: /var/www/html
              name: nextcloud-storage
      volumes:
        - name: nextcloud-storage
          persistentVolumeClaim:
            claimName: nextcloud-storage
ncsvc.yaml
apiVersion: v1
kind: Service
metadata:
  name: nextcloud-service
spec:
  type: NodePort
  ports:
    - port: 80
      nodePort: 30080 # any other port can be chosen
  selector:
    app: nextcloud
2、HTTPS configuration: there are problems when uploading and downloading files, so don't use it yet.
1) When a browser accesses https://domain to reach a svc inside the k8s cluster on the LAN, how does the traffic flow through ingress and ingress-nginx-controller? What is the relationship between them?
When you access a service inside a Kubernetes cluster on the LAN over HTTPS from a browser, the traffic flow and the relationship between the components are roughly as follows:
- DNS resolution: when you type https://your-domain.com into the browser, DNS resolves the domain to the IP address of the server hosting the Ingress Controller (possibly one of the Kubernetes nodes).
- Reaching the Ingress Controller: the HTTPS request travels over the network to that IP address. Because it is HTTPS, it defaults to port 443. If your Ingress Controller (for example the Nginx Ingress Controller) is configured to receive traffic on port 443, it accepts the request.
- Ingress resource processing: the Ingress Controller handles the request according to the configured Ingress resources. An Ingress defines which requests are routed to which services. For example, an Ingress resource can specify that requests for the domain your-domain.com are forwarded to nextcloud-service.
- Service forwarding: the request is forwarded to the matching Kubernetes Service (for example nextcloud-service), which routes it on to a backend Pod according to its configuration.
- Pod handling: the Pod receives the request and processes it according to your application logic. For example, if the Pod runs a web server, it returns the page content.
- Response to the user: the response travels back to the user's browser along the same path.
Throughout this process the Ingress Controller plays the key role: it is the component that receives external HTTPS traffic and routes it to the right service according to the Ingress rules. The Ingress resource defines how the different requests arriving at the Ingress Controller are handled.
2)
nextcloud-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nextcloud-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
    - hosts:
        - cvs-cloud.com
        - www.cvs-cloud.com
      secretName: mycert-secret
  rules:
    - host: cvs-cloud.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nextcloud-service
                port:
                  number: 80
3) openssl
Of course. Here is a concrete example of how to create a self-signed SSL certificate that includes SANs:
- Create a self-signed certificate with SANs:
First, create an OpenSSL configuration file containing the SANs (Subject Alternative Names). For example, create a file named san.cnf with the following content:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no

[ req_distinguished_name ]
C = US
ST = CA
L = San Francisco
O = My Company
OU = My Division
CN = cvs-cloud.com

[ req_ext ]
subjectAltName = @alt_names

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = cvs-cloud.com
DNS.2 = www.cvs-cloud.com
Here CN is your primary domain, and DNS.1, DNS.2 and so on are the additional domains used as SANs.
- Generate the self-signed certificate and key:
Generate the certificate and private key with OpenSSL:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.key -out mycert.crt -config san.cnf
This produces the private key (mycert.key) and the certificate (mycert.crt).
- Create the Kubernetes Secret:
Add the certificate and private key to Kubernetes as a Secret:
kubectl create secret tls mycert-secret --cert=mycert.crt --key=mycert.key
This Secret can be referenced from the Ingress resource.
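An added consistency check (example code written for this page, not part of the original notes or of any project) tying the ingress and openssl items together: every host under spec.tls[].hosts in nextcloud-ingress.yaml must be matched by a DNS SAN in san.cnf, because browsers ignore CN. The block parses a constructed, abridged copy of the page's san.cnf and also handles wildcard SANs, which the page's config does not use.

```python
import configparser

# Constructed, abridged copy of the san.cnf from the openssl step above (DN fields other than CN omitted).
SAN_CNF = """\
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = cvs-cloud.com
[ req_ext ]
subjectAltName = @alt_names
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = cvs-cloud.com
DNS.2 = www.cvs-cloud.com
"""
# Hosts under spec.tls[].hosts in nextcloud-ingress.yaml above.
INGRESS_TLS_HOSTS = ["cvs-cloud.com", "www.cvs-cloud.com"]


def san_dns_names(cnf_text):
    """Return the DNS.* values of the [alt_names] section (OpenSSL allows spaces inside the header)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'DNS.1' exactly as written instead of lower-casing it
    cp.read_string(cnf_text)
    section = next(s for s in cp.sections() if s.strip() == "alt_names")
    return {v.strip() for k, v in cp.items(section) if k.strip().startswith("DNS.")}


def san_covers(host, san):
    """Browser-style match (RFC 6125): exact name, or a wildcard in the leftmost label only."""
    host, san = host.lower(), san.lower()
    if host == san:
        return True
    if san.startswith("*.") and "*" not in san[2:]:
        suffix = san[1:]  # e.g. ".cvs-cloud.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def uncovered_hosts(cnf_text, ingress_hosts):
    """Ingress TLS hosts that no SAN covers; browsers ignore CN, so these would fail the TLS check."""
    sans = san_dns_names(cnf_text)
    return {h for h in ingress_hosts if not any(san_covers(h, s) for s in sans)}
```

Run `uncovered_hosts(SAN_CNF, INGRESS_TLS_HOSTS)` after editing either file; an empty set means the Secret built from mycert.crt will be valid for every host the Ingress serves.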
4) Ingress
mandatory.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: default-http-backend
  labels:
    app.kubernetes.io/name: default-http-backend
    app.kubernetes.io/part-of: ingress-nginx
  namespace: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: default-http-backend
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: default-http-backend
        app.kubernetes.io/part-of: ingress-nginx
    spec:
      terminationGracePeriodSeconds: 60
      containers:
        - name: default-http-backend
          # Any image is permissible as long as:
          # 1. It serves a 404 page at /
          # 2. It serves 200 on a /healthz endpoint
          image: registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/defaultbackend-amd64:1.5
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 30
            timeoutSeconds: 5
          ports:
            - containerPort: 8080
          resources:
            limits:
              cpu: 10m
              memory: 20Mi
            requests:
              cpu: 10m
              memory: 20Mi
---
apiVersion: v1
kind: Service
metadata:
  name: default-http-backend
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: default-http-backend
    app.kubernetes.io/part-of: ingress-nginx
spec:
  ports:
    - port: 80
      targetPort: 8080
  selector:
    app.kubernetes.io/name: default-http-backend
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/nginx-ingress-controller:0.20.0
          args:
            - /nginx-ingress-controller
            - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
---
service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
      nodePort: 31725
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
5) kubectl cp and fixing permissions
kubectl cp [pod-name]:/var/www/html/config/config.php ./config.php
# after editing, copy it back
kubectl cp ./config.php [pod-name]:/var/www/html/config/config.php
# restore file ownership and permissions
chown www-data config.php
chmod --reference=apps.config.php config.php
config.php
<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'oczp30q1vsax',
  'passwordsalt' => '/Qa0r41zKcznIYcvycsOQrW8G4Ys+1',
  'secret' => 'hrn7q9aXZ/WbDXuhnNGJM5mlWDm75BcXFdMblS7eGd6DhFhe',
  'trusted_domains' =>
  array (
    0 => '192.168.1.11:30080',
    1 => 'cvs-cloud.com',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '23.0.0.10',
  'overwrite.cli.url' => 'https://cvs-cloud.com:31725',
  'dbname' => 'nextcloud_db',
  'dbhost' => '10.233.14.195:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'oc_admin',
  'dbpassword' => 'uvfLRcCEpjX7G3FdM4AVgdivLRba6A',
  'installed' => true,
);
In the hosts file under C:\Windows\System32\drivers\etc, add an entry: <ip-of-node-running-svc> cvs-cloud.com
Then open https://cvs-cloud.com:31725 in the browser and you can get in.
Can I add 31725 by editing the laptop's hosts file?
No, adding a port number through the laptop's hosts file is not possible. The hosts file only maps domain names to IP addresses; it does not support port mappings. Port numbers are handled by the application layer (for example the browser or the application server), not by DNS or the hosts file.
To reach your service at https://cvs-cloud.com (without a port number), you need to set up port forwarding at your network or cloud provider, or use a load balancer, to route external port 443 traffic to the Ingress Controller's corresponding NodePort.