将自己的博客网站发布到自己的 Kubernetes 集群上。

Kubernetes 环境

之前在 阿里云主机搭建-k8s-集群 这篇文章介绍了如何在阿里云环境快速搭建一个 Kubernetes 环境,按照文章的步骤,可以快速搭建一个可用的 Kubernetes 集群。

网站

同样在 Build Blog With Hugo 这边文章中,介绍了怎么使用 hugo 快速搭建一个自己的个人博客。

容器化

我的项目 hugo-dcos 包含了容器化一个 hugo 网站项目所需的一些脚本和 Dockerfile, 可以参考本项目自行容器化自己的项目。
项目使用了webhook接收 github 的通知,并在github上配置项目maoqide.github.io的 Webhooks, 当本项目有更新时,会调用 webhook 服务触发操作,拉取最新的代码。

部署

本文介绍如何将自己的个人博客通过 Kubernetes 发布到公网,让大家可以访问。
> 当然,最简单的发布方法是通过 Github Pages, 直接将 hugo 生成的 publish 文件夹上传到自己 github 的命名为 your-username.github.io 的仓库下,即可以通过 https://your-username.github.io 访问到自己的网站。

准备

创建 Deployment & Service

首先创建 Deployment 和 Service。

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysite
spec:
  selector:
    matchLabels:
      app: site
  replicas: 1
  template:
    metadata:
      labels:
        app: site
    spec:
      containers:
      - name: mysite
        image: maoqide/site:v1.1
        env:
        - name: GITHUB_HOOK_SECRET
          value: MY_SECRET
        ports:
        - containerPort: 80
        - containerPort: 9000
        livenessProbe:
          httpGet:
          # scheme: HTTPS
            path: /
            port: 80
          initialDelaySeconds: 15
          timeoutSeconds: 1

---
kind: Service
apiVersion: v1
metadata:
  name: mysite
spec:
  selector:
    app: site
  ports:
  - name: nginx
    protocol: TCP
    port: 80
    targetPort: 80
  - name: webhook
    protocol: TCP
    port: 9000
    targetPort: 9000

创建 ingress-controller

为了能够从外部访问,还需要创建 Ingress。
这里使用nginx ingress,首先要创建 nginx-ingress-controller。

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: default

---

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.21.0
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1

---

以上 yaml 创建了一个 nginx-ingress-controller 的 Deployment,并赋给 Deployment 下的 Pod 对 Ingress 等集群内资源的 API 访问权限。

接着要为 nginx-ingress-controller 创建 Node port 类型的 Service,让我们可以通过云服务器的公网地址访问到 ingress:

apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

创建 Ingress

创建 Ingress 策略。

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: site-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - http:
      paths:
      - path: /_hook
        backend:
          serviceName: mysite
          servicePort: 9000
      - path: /
        backend:
          serviceName: mysite
          servicePort: 80

配置域名

上述步骤完成,已经可以通过云服务器公网IP= https://IP:ingress_svc-port 访问网站了。
为了访问方便,还可以给站点配置一个域名,直接在阿里云购买一个域名,然后通过绑定一个 A 类型的域名解析,解析到阿里云公网IP,就可以通过域名加端口访问了。
如果不想访问的时候加上端口,还需要再配置一个 隐性URL 的域名解析(需要先将域名备案)。

附件

以下是上面用到的 yaml 文件:
- site-deployment
- nginx-ingress-controller
- ingress-svc
- ingress