
kubernetes-002

时间:2022-11-13 22:34:00浏览次数:39  

6、添加NFS存储卷
[root@k8s-master01 ~]#vim mydb-nfs.yaml 
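# Pod: a single MySQL 8.0 instance whose data directory is an in-line NFS volume.
# The listing on the page lost its indentation; the nesting below is the
# standard Pod layout for these fields.
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: mydb
  name: mydb
spec:
  containers:
  - image: mysql:8.0
    name: mydb
    env:
    # - name: MYSQL_RANDOM_ROOT_PASSWORD
    # The credentials below are plaintext in the Pod spec: anyone who can read
    # this file or run `kubectl get pod mydb -o yaml` sees them. A later step of
    # this walkthrough moves the same values into a Secret referenced through
    # secretKeyRef; treat this form as lab-only.
    - name: MYSQL_ROOT_PASSWORD
      value: "123456"
    - name: MYSQL_DATABASE
      value: "wpdb"
    - name: MYSQL_USER
      value: "wordpress"
    - name: MYSQL_PASSWORD
      value: "123456"
    ports:
    - name: mysqlport
      containerPort: 3306
    volumeMounts:
    - name: mysqlnfs
      mountPath: /var/lib/mysql
  volumes:
  - name: mysqlnfs
    # In-line NFS volume: the server address and export path are embedded in the
    # Pod itself. The PV/PVC steps later on replace this with a claim.
    nfs:
      server: 10.0.0.106
      path: /data/mysql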
[root@k8s-master01 ~]#vim wordpress-nfs.yaml 
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
app: wordpress
name: wordpress
spec:
containers:
- image: registry.cn-hangzhou.aliyuncs.com/gtsre/wordpress:6.0.2
name: wordpress
env:
- name: WORDPRESS_DB_HOST
value: "mydb"
- name: WORDPRESS_DB_NAME
value: "wpdb"
- name: WORDPRESS_DB_USER
value: "wordpress"
- name: WORDPRESS_DB_PASSWORD
value: "123456"
ports:
# - name: http
- containerPort: 80
volumeMounts:
- name: wordnfs
mountPath: /var/www/html
volumes:
- name: wordnfs
nfs:
server: 10.0.0.106
path: /data/wordpress
[root@k8s-master01 ~]#kubectl apply -f wordpress-nfs.yaml
#测试:
[root@k8s-master01 ~]#kubectl delete -f wordpress-nfs.yaml --force
[root@k8s-master01 ~]#kubectl get pod
NAME READY STATUS RESTARTS AGE
liveness-httpget-demo 1/1 Running 2 (21m ago) 4h28m
mydb 1/1 Running 0 13m
[root@k8s-master01 ~]#kubectl apply -f wordpress-nfs.yaml
pod/wordpress created
[root@k8s-master01 ~]#kubectl get pod
NAME READY STATUS RESTARTS AGE
liveness-httpget-demo 1/1 Running 2 (21m ago) 4h28m
mydb 1/1 Running 0 13m
wordpress 1/1 Running 0 6s
7、mysql添加PV静态置备和PVC卷
#创建pv
[root@k8s-master01 ~]#vim pv-nfs-mydb.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv-nfs-mydb
spec:
capacity:
storage: 5Gi
volumeMode: Filesystem
accessModes:
- ReadOnlyMany
- ReadWriteMany
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
mountOptions:
- hard
- nfsvers=4.1
nfs:
path: "/data/mysql"
server: 10.0.0.106
[root@k8s-master01 ~]#kubectl apply -f pv-nfs-mydb.yaml

#创建pvc
[root@k8s-master01 ~]#vim pvc-nfs-mydb.yaml
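# PersistentVolumeClaim for the MySQL data directory, intended to bind to the
# statically created PV pv-nfs-mydb (5Gi, offers ReadWriteMany).
# The listing on the page lost its indentation; it is restored here.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-nfs-mydb
spec:
  # NOTE(review): no storageClassName is set. On a cluster that has a default
  # StorageClass the claim may be handed to that provisioner instead of binding
  # to the static PV; `storageClassName: ""` pins it to static binding.
  # Confirm against your cluster before relying on it.
  accessModes: ["ReadWriteMany"]
  volumeMode: Filesystem
  resources:
    requests:
      storage: 3Gi
    # NOTE(review): PV matching is presumably driven by `requests`; verify
    # whether `limits` has any effect on a PVC in your Kubernetes version.
    limits:
      storage: 10Gi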
[root@k8s-master01 ~]#kubectl apply -f pvc-nfs-mydb.yaml

#挂载pvc卷
[root@k8s-master01 ~]#vim mydb-pvc.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
app: mydb
name: mydb
spec:
containers:
- image: mysql:8.0
name: mydb
env:
# - name: MYSQL_RANDOM_ROOT_PASSWORD
- name: MYSQL_ROOT_PASSWORD
value: "123456"
- name: MYSQL_DATABASE
value: "wpdb"
- name: MYSQL_USER
value: "wordpress"
- name: MYSQL_PASSWORD
value: "123456"
ports:
- name: mysqlport
containerPort: 3306
volumeMounts:
- name: mysqlnfs
mountPath: /var/lib/mysql
volumes:
- name: mysqlnfs
persistentVolumeClaim:
claimName: pvc-nfs-mydb
[root@k8s-master01 ~]#kubectl apply -f mydb-pvc.yaml
#测试验证:

#进入容器内创建一个文件
[root@k8s-master01 ~]#kubectl exec -it mydb -- /bin/bash
bash-4.4# cd /var/lib/mysql
bash-4.4# ls
'#ib_16384_0.dblwr' binlog.000001 ca-key.pem ibdata1 performance_schema sys
'#ib_16384_1.dblwr' binlog.000002 ca.pem ibtmp1 private_key.pem test.txt
'#innodb_redo' binlog.000003 client-cert.pem mysql public_key.pem undo_001
'#innodb_temp' binlog.000004 client-key.pem mysql.ibd server-cert.pem undo_002
auto.cnf binlog.index ib_buffer_pool mysql.sock server-key.pem wpdb
bash-4.4# touch mydb-test.txt

#NFS服务器查看:
[root@ubuntu2004 ~]#ll /data/mysql/mydb*
-rw-r--r-- 1 root root 0 11月 11 16:14 /data/mysql/mydb-test.txt
8、wordpress添加PV静态置备和PVC卷
#创建pv
[root@k8s-master01 ~]#vim pv-nfs-word.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv-nfs-word
spec:
capacity:
storage: 10Gi
volumeMode: Filesystem
accessModes:
- ReadWriteMany
- ReadOnlyMany
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
mountOptions:
- hard
- nfsvers=4.1
nfs:
path: "/data/wordpress"
server: 10.0.0.106

[root@k8s-master01 ~]#kubectl apply -f pv-nfs-word.yaml

#创建pvc
[root@k8s-master01 ~]#vim pvc-nfs-word.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc-nfs-word
spec:
accessModes: ["ReadWriteMany"]
volumeMode: Filesystem
resources:
requests:
storage: 8Gi
limits:
storage: 20Gi
[root@k8s-master01 ~]#kubectl apply -f pvc-nfs-word.yaml

#挂载pvc卷
[root@k8s-master01 ~]#vim wordpress-pvc.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
app: wordpress
name: wordpress
spec:
containers:
- image: registry.cn-hangzhou.aliyuncs.com/gtsre/wordpress:6.0.2
name: wordpress
env:
- name: WORDPRESS_DB_HOST
value: "mydb"
- name: WORDPRESS_DB_NAME
value: "wpdb"
- name: WORDPRESS_DB_USER
value: "wordpress"
- name: WORDPRESS_DB_PASSWORD
value: "123456"
ports:
# - name: http
- containerPort: 80
volumeMounts:
- name: wordnfs
mountPath: /var/www/html
volumes:
- name: wordnfs
persistentVolumeClaim:
claimName: pvc-nfs-word
[root@k8s-master01 ~]#kubectl apply -f wordpress-pvc.yaml
#测试验证:
[root@k8s-master01 ~]#kubectl exec -it wordpress -- /bin/bash
root@wordpress:/var/www/html# ls
index.php wp-admin wp-config.php wp-load.php wp-trackback.php
license.txt wp-blog-header.php wp-content wp-login.php xmlrpc.php
readme.html wp-comments-post.php wp-cron.php wp-mail.php
test-word.txt wp-config-docker.php wp-includes wp-settings.php
wp-activate.php wp-config-sample.php wp-links-opml.php wp-signup.php
root@wordpress:/var/www/html# touch test-word.txt


#NFS服务器查看:
[root@ubuntu2004 ~]#ll /data/wordpress/test-word.txt
-rw-r--r-- 1 root root 0 11月 11 16:10 /data/wordpress/test-word.txt
8-1、动态置备
nfs支持动态置备需要安装nfs-csi:

参考链接:https://github.com/iKubernetes/learning-k8s/tree/master/csi-driver-nfs

部署NFS CSI:
1、部署nfs server;
2、部署nfs csi driver;
3、创建storageclass,配置CSI Driver引用前面部署的nfs server为存储后端;
4、测试:基于该storageclass创建一个PVC,验证PVC的动态置备功能;
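#192.168.100.207:创建nfs服务器挂载路径
#注意:下面导出项中的no_root_squash会让客户端的root在导出目录上保留root权限,并且该导出对整个192.168.100.0/24网段开放;实验环境之外应尽量去掉no_root_squash,如确需保留,也要把客户端范围收窄到实际需要挂载的节点。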
[root@mysql ~]#vim /etc/exports
/data/wordpress 192.168.100.0/24(rw,no_subtree_check,no_root_squash)
[root@mysql ~]#exportfs -ar
[root@mysql ~]#showmount -e 192.168.100.207
Export list for 192.168.100.207:
/data/wordpress 192.168.100.0/24

[root@k8s-master01 ~]#kubectl create namespace nfs
namespace/nfs created
[root@k8s-master01 ~]#kubectl get ns
NAME STATUS AGE
default Active 26h
kube-node-lease Active 26h
kube-public Active 26h
kube-system Active 26h
nfs Active 2m3s


[root@k8s-master01 ~]#vim nfs-server.yaml
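---
# Service + Deployment that run an NFS server inside the cluster.
# The listing on the page lost its indentation; it is restored here.
kind: Service
apiVersion: v1
metadata:
  name: nfs-server
  labels:
    app: nfs-server
spec:
  type: ClusterIP  # use "LoadBalancer" to get a public ip
  selector:
    app: nfs-server
  ports:
    - name: tcp-2049
      port: 2049
      protocol: TCP
    - name: udp-111
      port: 111
      protocol: UDP
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: nfs-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nfs-server
  template:
    metadata:
      name: nfs-server
      labels:
        app: nfs-server
    spec:
      nodeSelector:
        "kubernetes.io/os": linux
      containers:
        - name: nfs-server
          # NOTE(review): `:latest` is a floating tag on a third-party image, so
          # the content that runs can change between pulls. Pin a specific tag
          # or digest, especially because this container runs privileged.
          image: itsthenetwork/nfs-server-alpine:latest
          env:
            - name: SHARED_DIRECTORY
              value: "/exports"
          volumeMounts:
            - mountPath: /exports
              name: nfs-vol
          securityContext:
            # Privileged mode removes container isolation from the node. Keep
            # this workload in its own namespace and off nodes that run
            # sensitive workloads; admission policies that forbid privileged
            # pods will reject it.
            privileged: true
          ports:
            - name: tcp-2049
              containerPort: 2049
              protocol: TCP
            - name: udp-111
              containerPort: 111
              protocol: UDP
      volumes:
        - name: nfs-vol
          # hostPath ties the share data to whichever node the pod lands on and
          # gives the container a directory on that node's filesystem.
          hostPath:
            path: /nfs-vol  # modify this to specify another path to store nfs share data
            type: DirectoryOrCreate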

[root@k8s-master01 ~]#kubectl apply -f nfs-server.yaml --namespace nfs
service/nfs-server created
deployment.apps/nfs-server created


[root@k8s-master01 ~]#kubectl get svc -n nfs -owide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
nfs-server ClusterIP 10.110.173.179 <none> 2049/TCP,111/UDP 4m6s app=nfs-server


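#下载NFS CSI驱动
#注意:下面的命令用-k关闭了TLS证书校验,并把下载到的内容通过管道直接交给bash以root身份执行,内容既未校验也无法事先审阅。更稳妥的做法是去掉-k,先保存脚本、检查后再执行:
#  curl -fsSLo install-driver.sh https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/v3.1.0/deploy/install-driver.sh
#  bash install-driver.sh v3.1.0 --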
[root@k8s-master01 ~]#curl -skSL https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/v3.1.0/deploy/install-driver.sh | bash -s v3.1.0 --
Installing NFS CSI driver, version: v3.1.0 ...
serviceaccount/csi-nfs-controller-sa created
clusterrole.rbac.authorization.k8s.io/nfs-external-provisioner-role created
clusterrolebinding.rbac.authorization.k8s.io/nfs-csi-provisioner-binding created
csidriver.storage.k8s.io/nfs.csi.k8s.io created
deployment.apps/csi-nfs-controller created
daemonset.apps/csi-nfs-node created
NFS CSI driver installed successfully.

#=============================== 温 馨 提 示 =====================================#
#如果无法下载NFS CSI驱动,建议先下载yaml文件,并修改csi-nfs-controller.yaml,里的镜像为阿里云,如下:
[root@k8s-master01 ~]#vim csi-nfs-controller.yaml
....
containers:
- name: csi-provisioner
image: registry.cn-hangzhou.aliyuncs.com/gtsre/csi-provisioner:v2.2.2
......
- name: liveness-probe
image: registry.cn-hangzhou.aliyuncs.com/gtsre/livenessprobe:v2.5.0
args:
......
- name: nfs
image: registry.cn-hangzhou.aliyuncs.com/gtsre/nfsplugin:v3.1.0
......
[root@k8s-master01 ~]#kubectl apply -f rbac-csi-nfs-controller.yaml -f csi-nfs-driverinfo.yaml -f csi-nfs-controller.yaml -f csi-nfs-node.yaml #修改完阿里云地址后执行此步骤即可
=================================================================================

#检查容器状态:
[root@k8s-master01 ~]#kubectl -n kube-system get pod -owide -l 'app in (csi-nfs-node,csi-nfs-controller)'
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
csi-nfs-controller-58dbf48c7b-nw4sp 3/3 Running 0 13m 192.168.100.204 k8s-node01 <none> <none>
csi-nfs-controller-58dbf48c7b-pmw6s 3/3 Running 0 13m 192.168.100.205 k8s-node02 <none> <none>
csi-nfs-node-82h7s 3/3 Running 0 13m 192.168.100.204 k8s-node01 <none> <none>
csi-nfs-node-bjdj7 3/3 Running 0 13m 192.168.100.205 k8s-node02 <none> <none>
csi-nfs-node-f6cb5 3/3 Running 0 13m 192.168.100.201 k8s-master01.wang.org <none> <none>
csi-nfs-node-mqzsv 3/3 Running 0 13m 192.168.100.206 k8s-node03 <none> <none>
csi-nfs-node-t7585 3/3 Running 0 13m 192.168.100.203 k8s-master03 <none> <none>
csi-nfs-node-wvsqw 3/3 Running 0 13m 192.168.100.202 k8s-master02 <none> <none>


[root@k8s-master01 ~]#mv sc.yaml wordpress-sc.yaml
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: nfs-csi-wordpress
provisioner: nfs.csi.k8s.io
parameters:
#server: nfs-server.default.svc.cluster.local
server: 192.168.100.207
share: /data/wordpress
#reclaimPolicy: Delete
reclaimPolicy: Retain
volumeBindingMode: Immediate
mountOptions:
- hard
- nfsvers=4.1

[root@k8s-master01 ~]#vim wordpress-pvc.yaml
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nfs-csi-wordpress-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
storageClassName: nfs-csi-wordpress

[root@k8s-master01 ~]#kubectl apply -f wordpress-sc.yaml
storageclass.storage.k8s.io/nfs-csi-wordpress created
[root@k8s-master01 ~]#kubectl apply -f wordpress-pvc.yaml
persistentvolumeclaim/nfs-csi-wordpress-pvc created


[root@k8s-master01 ~]#kubectl get sc
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
nfs-csi-wordpress nfs.csi.k8s.io Retain Immediate false 34s
[root@k8s-master01 ~]#kubectl get pvc
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
nfs-csi-wordpress-pvc Bound pvc-b7085636-0b20-4884-9fb4-8bfb9ade4ff9 10Gi RWX nfs-csi-wordpress 18s

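#mysql、svc等沿用已创建好的资源:这里引用的mysql-external服务和mysql-secret(键名为db.name、db.user.name、db.user.passwd)定义在本文最后一部分(“#mysql主机(192.168.100.207)创建”之后)。注意第9节创建的同名mysql-secret使用的键是db.user.pass,两者不能混用。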
[root@k8s-master01 ~]#vim wordpress.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
app: wordpress
name: wordpress
spec:
containers:
- image: registry.cn-hangzhou.aliyuncs.com/gtsre/wordpress:6.0.2
name: wordpress
env:
- name: WORDPRESS_DB_HOST
value: mysql-external
- name: WORDPRESS_DB_NAME
valueFrom:
secretKeyRef:
name: mysql-secret
key: db.name
- name: WORDPRESS_DB_USER
valueFrom:
secretKeyRef:
name: mysql-secret
key: db.user.name
- name: WORDPRESS_DB_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-secret
key: db.user.passwd
volumeMounts:
- name: wordpress-nfs
mountPath: /var/www/html
ports:
- containerPort: 80
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Never
volumes:
- name: wordpress-nfs
persistentVolumeClaim:
claimName: nfs-csi-wordpress-pvc
status: {}
[root@k8s-master01 ~]#kubectl apply -f wordpress.yaml

#验证:nfs服务器192.168.100.207:
[root@mysql ~]#cd /data/wordpress/
[root@mysql wordpress]#ls
pvc-b7085636-0b20-4884-9fb4-8bfb9ade4ff9
[root@mysql wordpress]#cd pvc-b7085636-0b20-4884-9fb4-8bfb9ade4ff9/
[root@mysql pvc-b7085636-0b20-4884-9fb4-8bfb9ade4ff9]#ls
index.php wp-activate.php wp-comments-post.php wp-cron.php
license.txt wp-admin wp-config-sample.php wp-includes
readme.html wp-blog-header.php wp-content
9、基于secret部署mysql、wordpress
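#请先把上边nfs里保存的数据删除:mysql镜像只在数据目录为空时才按环境变量初始化,否则这里设置的用户名密码不会生效,仍沿用pvc卷中已保存的账号密码
#注意:--from-literal会把密码留在shell历史记录里;生成的secret-mysql.yaml中的值只是base64编码而非加密,不要把该文件提交到代码仓库。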

[root@k8s-master01 ~]#kubectl create secret generic mysql-secret --from-literal=root.pass=123456 --from-literal=db.name=wpdb --from-literal=db.user.name=wpuser --from-literal=db.user.pass=123456 --dry-run=client -o yaml > secret-mysql.yaml

[root@k8s-master01 ~]#vim secret-mysql.yaml
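# Secret holding the MySQL credentials consumed by the mydb and wordpress pods
# through secretKeyRef. The listing on the page lost its indentation; it is
# restored here.
# Values under `data` are base64-encoded, not encrypted (MTIzNDU2 is the
# 123456 passed on the command line), so this file is as sensitive as the
# plaintext passwords themselves.
apiVersion: v1
data:
  db.name: d3BkYg==
  db.user.name: d3B1c2Vy
  db.user.pass: MTIzNDU2
  root.pass: MTIzNDU2
kind: Secret
metadata:
  creationTimestamp: null
  name: mysql-secret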


[root@k8s-master01 ~]#kubectl apply -f secret-mysql.yaml

[root@k8s-master01 ~]#kubectl get secret
NAME TYPE DATA AGE
mysql-secret Opaque 4 130m
#mysql引用secret:
[root@k8s-master01 ~]#vim mydb-crt.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
app: mydb
name: mydb
spec:
containers:
- image: mysql:8.0
imagePullPolicy: IfNotPresent
name: mydb
env:
# - name: MYSQL_RANDOM_ROOT_PASSWORD
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-secret
key: root.pass
- name: MYSQL_DATABASE
valueFrom:
secretKeyRef:
name: mysql-secret
key: db.name
- name: MYSQL_USER
valueFrom:
secretKeyRef:
name: mysql-secret
key: db.user.name
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-secret
key: db.user.pass
ports:
- name: mysqlport
containerPort: 3306
volumeMounts:
- name: mysqlnfs
mountPath: /var/lib/mysql
volumes:
- name: mysqlnfs
persistentVolumeClaim:
claimName: pvc-nfs-mydb
[root@k8s-master01 ~]#kubectl apply -f mydb-crt.yaml
#wordpress引用secret:
[root@k8s-master01 ~]#vim wordpress-crt.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
app: wordpress
name: wordpress
spec:
containers:
- image: registry.cn-hangzhou.aliyuncs.com/gtsre/wordpress:6.0.2
name: wordpress
env:
- name: WORDPRESS_DB_HOST
value: "mydb"
# - name: WORDPRESS_DB_NAME
# value: "wpdb"
# - name: WORDPRESS_DB_USER
# value: "wordpress"
# - name: WORDPRESS_DB_PASSWORD
# value: "123456"
- name: WORDPRESS_DB_NAME
valueFrom:
secretKeyRef:
name: mysql-secret
key: db.name
- name: WORDPRESS_DB_USER
valueFrom:
secretKeyRef:
name: mysql-secret
key: db.user.name
- name: WORDPRESS_DB_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-secret
key: db.user.pass
ports:
# - name: http
- containerPort: 80
volumeMounts:
- name: wordnfs
mountPath: /var/www/html
volumes:
- name: wordnfs
persistentVolumeClaim:
claimName: pvc-nfs-word
[root@k8s-master01 ~]#kubectl apply -f wordpress-crt.yaml
[root@k8s-master01 ~]#kubectl get pod
NAME READY STATUS RESTARTS AGE
liveness-httpget-demo 1/1 Running 2 (5h17m ago) 9h
mydb 1/1 Running 0 8m51s
wordpress 1/1 Running 0 8m46s
[root@k8s-master01 ~]#kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 30h
mydb ClusterIP 10.111.149.133 <none> 3306/TCP 23h
wordpress NodePort 10.103.135.96 <none> 80:30703/TCP 23h
10、基于secret卷加载的证书创建nginx
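#生成证书:
#注意:-nodes表示私钥不加密保存,应限制ca.key和www.wang.org.key的文件权限;以下命令没有为服务器证书添加subjectAltName,而现代客户端按SAN而非CN校验主机名,后面的curl -k跳过了校验,所以不会暴露这个问题;3650天的有效期也只适合实验环境。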
[root@k8s-master01 ~]#mkdir /data/cert
[root@k8s-master01 ~]#cd /data/cert
[root@k8s-master01 cert]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
[root@k8s-master01 cert]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.wang.org.key -out www.wang.org.csr
[root@k8s-master01 cert]#openssl x509 -req -days 3650 -in www.wang.org.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.wang.org.crt
[root@k8s-master01 cert]#cat www.wang.org.crt ca.crt > www.wang.org.pem
#创建nginx配置文件
[root@k8s-master01 ~]#mkdir /data/conf
[root@k8s-master01 ~]#cd /data/conf

[root@k8s-master01 conf]#vim wang.conf

server {
listen 80;
server_name www.wang.org;
return 302 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name www.wang.org;
ssl_certificate /etc/nginx/certs/tls.crt;
ssl_certificate_key /etc/nginx/certs/tls.key;
client_max_body_size 20m;
include /etc/nginx/conf.d/wang-*.cfg;

location / {
root /usr/share/nginx/html;
index index.html;
}
}

[root@k8s-master01 conf]#vim wang-gzip.cfg
gzip on;
gzip_comp_level 5;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/xml text/javascript;

[root@k8s-master01 conf]#vim wang-status.cfg
# Exposes nginx's basic connection counters at /nginx-status (stub_status).
# This file is pulled into the 443 server block by the wang-*.cfg include.
# NOTE(review): there is no allow/deny rule here, so any client that can reach
# the server can read the status page; consider restricting it, for example
# `allow 127.0.0.1; deny all;`.
location /nginx-status {
stub_status on;
# Requests to the status endpoint are not written to the access log.
access_log off;
}
#基于secret卷加载的证书创建nginx
[root@k8s-master01 ~]#kubectl create secret tls nginx-certs --cert=/data/cert/www.wang.org.pem --key=/data/cert/www.wang.org.key --dry-run=client -o yaml > nginx-ssl.yaml
[root@k8s-master01 ~]#cat nginx-ssl.yaml
apiVersion: v1
data:
tls.crt: LS0tLS1CRU......0tCg==
tls.key: LS0tLS1CR......0tLQo=
kind: Secret
metadata:
creationTimestamp: null
name: nginx-certs
type: kubernetes.io/tls

[root@k8s-master01 ~]#kubectl create configmap nginx-confs --from-file=/data/conf/ --dry-run=client -o yaml > nginx-confs.yaml

[root@k8s-master01 ~]#vim nginx-confs.yaml
apiVersion: v1
data:
wang-gzip.cfg: |
gzip on;
gzip_comp_level 5;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/xml text/javascript;
wang-status.cfg: |+
location /nginx-status {
stub_status on;
access_log off;
}

wang.conf: |+
server {
listen 80;
server_name www.wang.org;
return 302 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name www.wang.org;
ssl_certificate /etc/nginx/certs/tls.crt;
ssl_certificate_key /etc/nginx/certs/tls.key;
client_max_body_size 20m;
include /etc/nginx/conf.d/wang-*.cfg;

location / {
root /usr/share/nginx/html;
}
}

kind: ConfigMap
metadata:
creationTimestamp: null
name: nginx-confs


[root@k8s-master01 ~]#vim nginx.yaml
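# Pod: nginx serving HTTPS, with its certificate and configuration injected
# from a Secret and a ConfigMap. The listing on the page lost its indentation;
# it is restored here.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginxserver
    # NOTE(review): nginx:alpine is a floating tag; pin a version so the same
    # image is deployed every time.
    image: nginx:alpine
    volumeMounts:
    # TLS key pair from the nginx-certs Secret; the files appear as tls.crt and
    # tls.key, which is what wang.conf points ssl_certificate(_key) at.
    - name: nginx-cert
      mountPath: /etc/nginx/certs/
      readOnly: true
    # Server configuration files from the nginx-confs ConfigMap.
    - name: nginx-conf
      mountPath: /etc/nginx/conf.d/
      readOnly: true
  volumes:
  - name: nginx-cert
    secret:
      secretName: nginx-certs
  - name: nginx-conf
    configMap:
      name: nginx-confs
      # optional: false means the pod will not start if the ConfigMap is missing.
      optional: false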


[root@k8s-master01 ~]#kubectl apply -f nginx-ssl.yaml
[root@k8s-master01 ~]#kubectl apply -f nginx-confs.yaml
configmap/nginx-confs created
[root@k8s-master01 ~]#kubectl apply -f nginx.yaml
pod/nginx created
[root@k8s-master01 ~]#kubectl get pod
NAME READY STATUS RESTARTS AGE
mydb 1/1 Running 0 89m
nginx 1/1 Running 0 3s
wordpress 1/1 Running 0 89m
[root@k8s-master01 ~]#kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mydb 1/1 Running 0 89m 10.244.85.250 k8s-node01 <none> <none>
nginx 1/1 Running 0 11s 10.244.85.193 k8s-node01 <none> <none>
wordpress 1/1 Running 0 89m 10.244.85.251 k8s-node01 <none> <none>
[root@k8s-master01 ~]#curl https://10.244.85.193 -ki
HTTP/2 200
server: nginx/1.23.2
date: Fri, 11 Nov 2022 13:29:28 GMT
content-type: text/html
content-length: 615
last-modified: Wed, 19 Oct 2022 10:28:53 GMT
etag: "634fd165-267"
accept-ranges: bytes

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

[root@k8s-master01 ~]#kubectl exec -it nginx -- /bin/sh
/ # echo k8s-nginx > /usr/share/
GeoIP/ ca-certificates/ licenses/ misc/ udhcpc/
apk/ doc/ man/ nginx/ zoneinfo/
/ # echo k8s-nginx > /usr/share/nginx/html/index.html
/ # exit
[root@k8s-master01 ~]#curl https://10.244.85.193 -ki
HTTP/2 200
server: nginx/1.23.2
date: Fri, 11 Nov 2022 13:30:18 GMT
content-type: text/html
content-length: 10
last-modified: Fri, 11 Nov 2022 13:30:09 GMT
etag: "636e4e61-a"
accept-ranges: bytes

k8s-nginx
[root@k8s-master01 ~]#curl https://10.244.85.193 -ki
HTTP/2 200
server: nginx/1.23.2
date: Fri, 11 Nov 2022 13:30:19 GMT
content-type: text/html
content-length: 10
last-modified: Fri, 11 Nov 2022 13:30:09 GMT
etag: "636e4e61-a"
accept-ranges: bytes

k8s-nginx
[root@k8s-master01 ~]#openssl s_client -connect 10.244.85.193:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = 86, ST = Beijing, L = beijing, O = wang, OU = wang, CN = www.wang.org
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = 86, ST = Beijing, L = beijing, O = wang, OU = wang, CN = www.wang.org
verify return:1
depth=0 C = 86, ST = beijing, L = Beijing, O = wang, OU = wang.org, CN = www.wang.org
verify return:1
---
Certificate chain
0 s:C = 86, ST = beijing, L = Beijing, O = wang, OU = wang.org, CN = www.wang.org
i:C = 86, ST = Beijing, L = beijing, O = wang, OU = wang, CN = www.wang.org
1 s:C = 86, ST = Beijing, L = beijing, O = wang, OU = wang, CN = www.wang.org
i:C = 86, ST = Beijing, L = beijing, O = wang, OU = wang, CN = www.wang.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFVzCCAz8CFGLplFOjrMVOzTn/i9WXcIoShREvMA0GCSqGSIb3DQEBCwUAMGYx
......
xY1eBMaBHArZGmwpPyte43uZrA0DHt/FbwmE
-----END CERTIFICATE-----
subject=C = 86, ST = beijing, L = Beijing, O = wang, OU = wang.org, CN = www.wang.org

issuer=C = 86, ST = Beijing, L = beijing, O = wang, OU = wang, CN = www.wang.org

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3728 bytes and written 376 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 4DF0EF1F64D2F38A67093699377F2D670D3FD764E27E8F63D5A6C941E38DD602
Session-ID-ctx:
Master-Key: CBC4AF11BE79108E07C69C26E0C2269532415DCF516AADC544B17749E7CBE700CB669F3B4B1320FB5EDE31E1751DDB0A
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - b6 0b f0 c0 93 54 5e ff-92 43 0c f1 97 bf 86 81 .....T^..C......
......
00a0 - 26 1e 29 1a 6f 8e c6 0a-7b ee 9a ee 7b c5 c9 75 &.).o...{...{..u

Start Time: 1668173856
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: yes
#mysql主机(192.168.100.207)创建:
#注意:wordpress@'%'允许从任意来源地址登录,配合弱口令123456风险较高;实验环境之外应使用强口令,并把'%'收窄为实际发起连接的地址范围。
mysql> create database wpdb;
mysql> create user wordpress@'%' identified by '123456';
mysql> grant all on wpdb.* to wordpress@'%';

#以下操作都在master01操作:
[root@k8s-master01 ~]#ip a add 192.168.100.199/24 dev enp1s0

#创建secret(mysql用户名密码)
[root@k8s-master01 ~]#kubectl create secret generic mysql-secret --from-literal=db.name=wpdb --from-literal=db.user.name=wordpress --from-literal=db.user.passwd=123456 --dry-run=client -o yaml > mysql-secret.yaml

[root@k8s-master01 ~]#vim mysql-secret.yaml
apiVersion: v1
data:
db.name: d3BkYg==
db.user.passwd: MTIzNDU2
db.user.name: d29yZHByZXNz
kind: Secret
metadata:
creationTimestamp: null
name: mysql-secret

#创建用于mysql的service:
[root@k8s-master01 ~]#vim mydb-svc.yaml
apiVersion: v1
kind: Endpoints
metadata:
name: mysql-external
namespace: default
subsets:
- addresses:
- ip: 192.168.100.207
ports:
- name: mysql
port: 3306
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
name: mysql-external
namespace: default
spec:
type: ClusterIP
ports:
- name: mysql
port: 3306
targetPort: 3306
protocol: TCP


#创建用于wordpress的service:
[root@k8s-master01 ~]#kubectl create svc nodeport wordpress --tcp=80:80 --dry-run=client -o yaml > wordpress-svc.yaml

[root@k8s-master01 ~]#vim wordpress-svc.yaml
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
app: wordpress
name: wordpress
spec:
ports:
- name: 80-80
port: 80
protocol: TCP
targetPort: 80
selector:
app: wordpress
type: NodePort
externalIPs:
- 192.168.100.199
status:
loadBalancer: {}

#创建wordpress pod:
kubectl run wordpress --image=wordpress:6.1-apache --port=80 --restart=Never --dry-run=client -o yaml > wordpress.yaml

[root@k8s-master01 ~]#vim wordpress.yaml

apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
app: wordpress
name: wordpress
spec:
containers:
- image: registry.cn-hangzhou.aliyuncs.com/gtsre/wordpress:6.0.2 #更改为阿里云地址
name: wordpress
env:
- name: WORDPRESS_DB_HOST
value: mysql-external
- name: WORDPRESS_DB_NAME
valueFrom:
secretKeyRef:
name: mysql-secret
key: db.name
- name: WORDPRESS_DB_USER
valueFrom:
secretKeyRef:
name: mysql-secret
key: db.user.name
- name: WORDPRESS_DB_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-secret
key: db.user.passwd
ports:
- containerPort: 80
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Never
status: {}

[root@k8s-master01 ~]#kubectl apply -f mysql-secret.yaml
[root@k8s-master01 ~]#kubectl apply -f mydb-svc.yaml
[root@k8s-master01 ~]#kubectl apply -f wordpress-svc.yaml
[root@k8s-master01 ~]#kubectl apply -f wordpress.yaml

From: https://blog.51cto.com/dayu/5847980
