Chemmy's Blog

chengming0916@outlook.com

发表于 更新于

使用markdown的链接语法

使用markdown的语法指定url创建站内链接,有绝对地址和相对地址两种方式,绝对地址与相对地址的区别在于是否以/开头:

使用绝对地址

代码如下:

1
2
# 格式 [标题](文章地址)
[Hexo 增加站内文章链接](/Hexo博客/Hexo-增加站内文章链接)

示例中,Hexo-增加站内文章链接使用的是文章对应的md文件名,使用hexo n创建post时,空格会转换为中划线-。/Hexo是为了文章管理方便在_posts目录下增加的子目录,Hexo-增加站内文章链接.md位于_posts/Hexo/目录下。

结果如下:

Hexo 增加站内文章链接

Hexo对绝对地址和相对地址的处理方式是不一样的。对于绝对地址/Hexo/Hexo-博客配置,生成的目标url不会变化。

使用相对地址

代码如下:

1
[Hexo 增加站内文章链接](Hexo/Hexo-增加站内文章链接)

对于相对地址Hexo/Hexo-增加站内文章链接,生成的目标URL会叠加文章的的URL,结果是/Hexo/Hexo/Hexo-增加站内文章链接,这显然不是期望的结果。但是如果是文章内的锚点链接,使用这种方式非常合适。

代码如下:

1
2
# 格式 [标题](#文章内要跳转的标题)
[测试文章内跳转锚点](#测试文章内跳转锚点)

结果如下:
跳转文章内测试锚点

生成的URL可以正确的跳转到文章内的锚点。注意,标题中的空格用-代替。

使用post_link标签

由于Hexo文章的URL规则是可以配置的,在_config.yml中可以配置URL自动添加日期、目录等信息。如果使用markdown语法的链接规则多有不便,一方面需要知道目标URL,一方面如果规则修改或者站点迁移,对应的内容需要修改。

好在Hexo提供了post_link标签解决这个问题。

代码如下:

1
2
# 格式 {% post_link 以_post下文件路径 '显示链接名'%}
{% post_link Hexo博客/Hexo-博客配置 'Hexo 博客配置' %}

示例中,Hexo-博客配置使用的是文章对应的md文件名,使用hexo n创建post时,空格会转换为中划线-。Hexo是为了文章管理方便在_posts目录下增加的子目录,Hexo-博客配置.md位于_posts/Hexo目录下。

结果如下:

Hexo 博客配置

这样的链接会自动适配_config.yml中的文章URL规则。

小结

对比markdown语法和post_link标签,推荐在文章链接到站内文章时优先使用post_link,链接到文章内锚点时优先使用markdown语法。

测试文章内跳转锚点

文章内锚点跳转示例

发表于 更新于 分类于

使用 Visual Studio 2022 创建 ASP.NET Core Web API

可以从 Visual Studio 2022 中选择 ASP.NET Core Web API 或 ASP.NET Core gRPC模板

安装依赖库,可以使用NuGet安装或使用DotNet CLI

1
2
3
4
dotnet add package Microsoft.EntityFrameworkCore.SqlServer --version 6.0.33
dotnet add package Microsoft.EntityFrameworkCore.Tools --version 6.0.33
dotnet add package Microsoft.AspNetCore.Identity.EntityFrameworkCore --version 6.0.33
dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer --version 6.0.33

appsettings.json中添加配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
{
    "Logging": {
        "LogLevel": {
            "Default": "Information",
            "Microsoft.AspNetCore": "Warning"
        }
    },
    "AllowedHosts": "*",
    "Database": {
        "Driver": "SqlServer",
        "Host": "127.0.0.1",
        "Port": 6543,
        "DbName": "SAMPLE",
        "User": "postgres",
        "Password": "postgres"
    },
    "Jwt": {
        "Audience": "",
        "Issuer": "",
        "Secret": ""
    }
}

准备Model

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
using Microsoft.AspNetCore.Identity;

namespace Samples.Identity.Model

public class Role : IdentityRole<int>
{

}

public class RoleClaim : IdentityRoleClaim<int>
{

}

public class User : IdentityUser<int>
{

}

public class UserClaim : IdentityUserClaim<int>
{

}

public class UserLogin : IdentityUserLogin<int>
{

}

public class UserRole : IdentityUserRole<int>
{

}

public class UserToken : IdentityUserToken<int>
{

}

Fluent API重定义数据库表名,字段

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
using Sample.Identity.Model;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Metadata.Builders;

namespace Samples.Identity.Configurations;

public class RoleClaimConfiguration : IEntityTypeConfiguration<RoleClaim>
{
    public void Configure(EntityTypeBuilder<RoleClaim> builder)
    {
        builder.ToTable("SYS_ROLE_CLAIM").HasKey(x => x.Id);
        builder.Property(x => x.Id).HasColumnName("ID").ValueGeneratedOnAdd();
        builder.Property(x => x.RoleId).HasColumnName("ROLE_ID");
        builder.Property(x => x.ClaimType).HasColumnName("CLAIM_TYPE").HasMaxLength(50);
        builder.Property(x => x.ClaimType).HasColumnName("CLAIM_VALUE").HasMaxLength(50);
    }
}

public class RoleConfiguration : IEntityTypeConfiguration<Role>
{
    public void Configure(EntityTypeBuilder<Role> builder)
    {
        builder.ToTable("SYS_ROLE").HasKey(x => x.Id);
        builder.Property(x => x.Id).HasColumnName("ID").ValueGeneratedOnAdd();
        builder.Property(x => x.Name).HasColumnName("NAME").HasMaxLength(50);
        builder.Property(x => x.NormalizedName).HasColumnName("NORMALIZED_NAME").HasMaxLength(50);
        builder.Property(x => x.ConcurrencyStamp).HasColumnName("CONCURRENCY_STAMP").HasMaxLength(50);

        builder.HasData(new Role { Id = 1, Name = "SuperAdmin", NormalizedName = "超级管理员" });
        builder.HasData(new Role { Id = 2, Name = "Admin", NormalizedName = "管理员" });
        builder.HasData(new Role { Id = 3, Name = "Operator", NormalizedName = "操作员" });
    }
}

public class UserClaimConfiguration : IEntityTypeConfiguration<UserClaim>
{
    public void Configure(EntityTypeBuilder<UserClaim> builder)
    {
        builder.ToTable("SYS_USER_CLAIM").HasKey(x => x.Id);
        builder.Property(x => x.Id).HasColumnName("ID").ValueGeneratedOnAdd();
        builder.Property(x => x.UserId).HasColumnName("USER_ID");
        builder.Property(x => x.ClaimType).HasColumnName("CLAIM_TYPE").HasMaxLength(50);
        builder.Property(x => x.ClaimValue).HasColumnName("CLAIM_VALUE").HasMaxLength(50);
    }
}

public class UserConfiguration : IEntityTypeConfiguration<User>
{
    public void Configure(EntityTypeBuilder<User> builder)
    {
        builder.ToTable("SYS_USER").HasKey(x => x.Id);
        builder.Property(x => x.Id).HasColumnName("ID").ValueGeneratedOnAdd();
        builder.Property(x => x.UserName).HasColumnName("USERNAME").HasMaxLength(20);
        builder.Property(x => x.NormalizedUserName).HasColumnName("NORMALIZED_USERNAME").HasMaxLength(20);
        builder.Property(x => x.Email).HasColumnName("EMAIL").HasMaxLength(50);
        builder.Property(x => x.NormalizedEmail).HasColumnName("NORMALIZED_EMAIL").HasMaxLength(50);
        builder.Property(x => x.EmailConfirmed).HasColumnName("EMAIL_CONFIRMED");
        builder.Property(x => x.PasswordHash).HasColumnName("PASSWORD_HASH").HasMaxLength(256);
        builder.Property(x => x.SecurityStamp).HasColumnName("SECURITY_STAMP").HasMaxLength(256);
        builder.Property(x => x.ConcurrencyStamp).HasColumnName("CONCURRENCY_STAMP").HasMaxLength(256);
        builder.Property(x => x.PhoneNumber).HasColumnName("PHONE_NUMBER").HasMaxLength(15);
        builder.Property(x => x.PhoneNumberConfirmed).HasColumnName("PHONE_NUMBER_CONFIRMED");
        builder.Property(x => x.TwoFactorEnabled).HasColumnName("TWO_FACTOR_ENABLED");
        builder.Property(x => x.LockoutEnd).HasColumnName("LOCKOUT_END");
        builder.Property(x => x.LockoutEnabled).HasColumnName("LOCKOUT_ENABLED");
        builder.Property(x => x.AccessFailedCount).HasColumnName("ACCESS_FAILED_COUNT");

        builder.HasData(new User
        {
            Id = 1,
            UserName = "admin",
            NormalizedUserName = "ADMIN",
            PasswordHash = "AQAAAAEAACcQAAAAELR93lThWhjLUaJtEMPGJXUR88rGK9RjjZytUhr0Jfy3J7JaObJCZAcu5MhPl39erg==",
            SecurityStamp = "LA4OVIYIUDB7CB44WR4CTS6FCY4VRWSO",
        });
    }
}

public class UserLoginConfiguration : IEntityTypeConfiguration<UserLogin>
{
    public void Configure(EntityTypeBuilder<UserLogin> builder)
    {
        builder.ToTable("SYS_USER_LOGIN");
        builder.Property(x => x.LoginProvider).HasColumnName("LOGIN_PROVIDER").HasMaxLength(20);
        builder.Property(x => x.ProviderKey).HasColumnName("PROVIDER_KEY").HasMaxLength(20);
        builder.Property(x => x.ProviderDisplayName).HasColumnName("PROVIDER_DISPLAY_NAME").HasMaxLength(20);
        builder.Property(x => x.UserId).HasColumnName("USER_ID");
    }
}

public class UserRoleConfiguration : IEntityTypeConfiguration<UserRole>
{
    public void Configure(EntityTypeBuilder<UserRole> builder)
    {
        builder.ToTable("SYS_USER_ROLE");
        builder.Property(x => x.UserId).HasColumnName("USER_ID");
        builder.Property(x => x.RoleId).HasColumnName("ROLE_ID");
    }
}

public class UserTokenConfiguration : IEntityTypeConfiguration<UserToken>
{
    public void Configure(EntityTypeBuilder<UserToken> builder)
    {
        builder.ToTable("SYS_USER_TOKEN");
        builder.Property(x => x.UserId).HasColumnName("USER_ID");
        builder.Property(x => x.LoginProvider).HasColumnName("LOGIN_PROVIDER").HasMaxLength(20);
        builder.Property(x => x.Name).HasColumnName("NAME").HasMaxLength(50);
        builder.Property(x => x.Value).HasColumnName("VALUE").HasMaxLength(256);
    }
}

新建DataContext

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;

namespace Samples.Identity;

public class DataContext: IdentityDbContext<User>
{
    public DataContext(DbContextOptions<DataContext> options)
        : base(options)
    {
            
    }
    
    protected override void OnModelCreating(ModelBuilder builder)
    {
        base.OnModelCreating(builder);
        builder.ApplyConfiguration(new UserConfiguration());
        builder.ApplyConfiguration(new RoleConfiguration());
        builder.ApplyConfiguration(new UserClaimConfiguration());
        builder.ApplyConfiguration(new UserRoleConfiguration());
        builder.ApplyConfiguration(new UserLoginConfiguration());
        builder.ApplyConfiguration(new RoleClaimConfiguration());
        builder.ApplyConfiguration(new UserTokenConfiguration());
    }
}

添加ViewModel

1
2
3
4
5
6
7
8
9
10
11
12
using System.ComponentModel.DataAnnotations;

namespace Sample.Identity.ViewModels;

public class LoginViewModel
{
    [Required(ErrorMessage = "用户名不能为空")]
    public string? Username { get; set; }
    
    [Required(ErrorMessage = "密码不能为空")]
    public string? Password { get; set; }
}

添加Controller

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
using Sample.Identity.ViewModels;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;

namespace Sample.Identity.Controllers;

[Route("api/[controller]")]
[ApiController]
public class AuthenticateController : ControllerBase
{
    private readonly UserManager<User> m_userManager;
    private readonly RoleManager<Role> m_roleManager;
    private readonly IConfiguration m_configuration;
    
    private readonly JwtOption m_jwtOptions;
    
    public AuthenticateController(UserManager<User> userManager,
                                 RoleManager<Role> roleManager,
                                 IConfiguration configuration)
    {
    	m_userManager = userManager;
        m_roleManager = roleManager;
        m_configuration = configuration;
        
        m_jwtOptions = m_configuration.GetSection("").Get<JwtOption>();
    }
    
    [HttpPost]
    [Route("login")]
    public async Task<IActionResult> Login([FromBody] LoginViewModel model)
    {
        var user = await m_userManager.FindByNameAsync(model.Username);
        if(user!=null && await m_userManager.CheckPasswordAsync(user, model.Password))
        {
            var roles = await m_userManager.GetRolesAsync(user);
            
            var claims = new List<Claim>
            {
                new Claim(ClaimTypes.Name, user.Username);
                new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString())
            }
            
            foreach (var role in roles)
            {
                claims.Add(new Claim(ClaimTypes.Role, role));
            }
            
            var token = GenerateToken(claims);
            
            return Ok(new {
               token = new JwtSecurityTokenHandler().WriteToken(token),
                expiration = token.ValidTo
            });
        }
        
        return Unauthorized();
    }
    
    private JwtSecurityToken GetToken(List<Claim> authClaims)
    {
        var authSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(m_jwtOptions.Secret));
        var token = new JwtSecurityToken(
                issuer: _configuration["JWT:ValidIssuer"],
                audience: _configuration["JWT:ValidAudience"],
                expires: DateTime.Now.AddHours(3),
                claims: authClaims,
                signingCredentials: new SigningCredentials(authSigningKey, SecurityAlgorithms.HmacSha256)
            );
 
            return token;
    }
}

修改Program中添加

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
using Sample.Identity;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.IdentityModel.Tokens;
using System.Text;
 
var builder = WebApplication.CreateBuilder(args);
ConfigurationManager configuration = builder.Configuration;
 
// Add services to the container.
 
// For Entity Framework
builder.Services.AddDbContext<ApplicationDbContext>(options => options.UseSqlServer(configuration.GetConnectionString("ConnStr")));
 
// For Identity
builder.Services.AddIdentity<User, Role>() 
//optinos => {
//options.Password.RequireDigit = false;
//options.Password.RequireLowercase = false;
//options.Password.RequireUppercase = false;
//options.Password.RequireNonAlphanumeric = false;
//options.Password.RequiredLength = 8;
//options.Password.RequiredUniqueChars = 1;

//options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(10);
//options.Lockout.MaxFailedAccessAttempts = 5;
//options.Lockout.AllowedForNewUsers = true;
//}
    .AddEntityFrameworkStores<DataContext>()
    .AddDefaultTokenProviders();
 
 var jwtOptions = builder.Configuration.GetSection("JWT").Get<JwtOption>();
 
// Adding Authentication
builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
 
// Adding Jwt Bearer
.AddJwtBearer(options =>
{
    options.SaveToken = true;
    options.RequireHttpsMetadata = false;
    options.TokenValidationParameters = new TokenValidationParameters()
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidAudience = jwtOptions.Audience,
        ValidIssuer = jwtOptions.Issuer,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtOptions.Secret))
    };
});
 
builder.Services.AddControllers();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
 
var app = builder.Build();
 
// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}
 
app.UseHttpsRedirection();
 
// Authentication & Authorization
app.UseAuthentication();
app.UseAuthorization();
 
app.MapControllers();
 
app.Run();

执行数据迁移

1
2
add-migration L0
update-database

发表于 更新于

一、核心定位

本文作为GitOps环境搭建系列的第三篇,聚焦CoreDNS内网域名解析的配置与优化。CoreDNS是K3s集群默认集成的DNS服务器,负责处理集群内部的域名解析(如Service域名、Pod域名等)。

在GitOps环境中,CoreDNS扮演”域名解析中枢”角色,为所有组件(Traefik、Gitea、ArgoCD、Tekton、Harbor等)提供统一的内网域名解析服务。通过配置自定义域名映射,可以实现通过易记的域名访问各组件,替代复杂的IP地址访问方式,提升运维效率和可维护性。

二、部署前置检查

部署前需验证K3s集群状态及CoreDNS基础运行情况:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
# 1. 验证K3s集群状态
kubectl get nodes

# 2. 验证CoreDNS是否已运行(K3s默认集成)
kubectl get pods -n kube-system -l k8s-app=kube-dns

# 3. 查看CoreDNS Service
kubectl get svc -n kube-system kube-dns

# 4. 测试默认DNS解析功能
kubectl run test-dns --image=busybox:1.28 --rm -it --restart=Never -- nslookup kubernetes.default

# 5. 验证内网IP可达性(替换为实际IP)
ping -c 3 192.168.1.100

前置条件检查清单:

  • K3s集群运行正常
  • CoreDNS Pod处于Running状态
  • 内网IP地址可达且稳定
  • 已规划好内网域名体系(统一使用example.io)
  • 具备kube-system命名空间操作权限

三、持久化配置CoreDNS

K3s启动时会自动部署CoreDNS组件,但直接修改CoreDNS配置文件(如编辑ConfigMap或修改/var/lib/rancher/k3s/server/manifests/coredns.yaml)存在明显缺陷——K3s重启、升级时会自动初始化CoreDNS配置,所有手动修改的内容会被覆盖。因此,需采用K3s官方推荐的coredns-custom ConfigMap持久化配置方案。

3.1 创建coredns-custom ConfigMap

创建coredns-custom.yaml配置文件,定义内网域名解析规则:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# coredns-custom.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns-custom
  namespace: kube-system
data:
  # 可选配置:开启CoreDNS解析日志,便于调试
  log.override: |
    log
  # 自定义内网域名解析规则(CoreDNS会自动加载后缀为.server的配置片段)
  gitops.server: |
    example.io {
      errors          # 输出域名解析错误日志
      cache 30        # 解析结果缓存30秒
      hosts {
        # GitOps组件域名映射(替换为实际IP地址)
        192.168.1.100 traefik.example.io    # Traefik反向代理
        192.168.1.101 harbor.example.io     # Harbor镜像仓库
        192.168.1.102 gitea.example.io      # Gitea代码仓库
        192.168.1.103 tekton.example.io     # Tekton CI流水线
        192.168.1.104 argocd.example.io     # ArgoCD GitOps核心
        fallthrough   # 无匹配域名时转发至下一级解析器
      }
      prometheus :9153  # 开启Prometheus监控
      forward . /etc/resolv.conf  # 非内网域名转发至宿主机DNS
      loop             # 防止解析环路
      reload           # 配置变更自动重载
      loadbalance      # 开启负载均衡
    }

关键配置详解:

  • gitops.server:CoreDNS约定,后缀为.server的配置片段会被自动加载
  • example.io:内网根域名,所有GitOps组件域名基于此配置
  • hosts段:核心的域名-IP映射区域,按实际网络环境配置
  • fallthrough:当hosts中无匹配域名时,转发至forward指定的解析器
  • forward . /etc/resolv.conf:非内网域名转发至宿主机DNS

3.2 应用ConfigMap配置

1
2
3
4
5
# 应用CoreDNS自定义配置
kubectl apply -f coredns-custom.yaml

# 验证ConfigMap创建
kubectl get configmap coredns-custom -n kube-system -o yaml

3.3 重启CoreDNS使配置生效

1
2
3
4
5
6
7
8
# 重启CoreDNS Pod加载新配置
kubectl delete pods -n kube-system -l k8s-app=kube-dns

# 监控Pod重启过程
kubectl get pods -n kube-system -l k8s-app=kube-dns -w

# 验证CoreDNS运行状态
kubectl logs -n kube-system -l k8s-app=kube-dns --tail=20

四、验证内网DNS解析

4.1 创建测试环境

1
2
3
4
5
# 创建测试Pod
kubectl create deploy dns-test --image=busybox:1.28 --replicas=1 -- sleep 3600

# 等待Pod启动
kubectl get pods -l app=dns-test -w

4.2 执行解析测试

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# 进入测试Pod
kubectl exec -it $(kubectl get pod -l app=dns-test -o jsonpath='{.items[0].metadata.name}') -- /bin/sh

# 容器内执行解析测试
# 1. 测试GitOps组件域名解析
nslookup traefik.example.io
nslookup harbor.example.io
nslookup gitea.example.io
nslookup tekton.example.io
nslookup argocd.example.io

# 2. 测试ping连通性
ping -c 3 traefik.example.io
ping -c 3 harbor.example.io

# 3. 测试外网域名解析(验证forward功能)
nslookup google.com
nslookup github.com

# 退出容器
exit

4.3 验证解析结果

解析结果应显示对应的IP地址:

  • traefik.example.io192.168.1.100
  • harbor.example.io192.168.1.101
  • gitea.example.io192.168.1.102
  • 外网域名应正常解析

4.4 清理测试资源

1
2
# 清理测试Pod
kubectl delete deploy dns-test

五、进阶配置:暴露CoreDNS供集群外访问

若需让K3s集群外的设备(如开发机、其他服务器)使用CoreDNS解析内网域名,可通过Traefik暴露CoreDNS的UDP 53端口。

5.1 配置Traefik UDP入口点

首先确保Traefik已启用UDP支持,编辑Traefik配置:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
# 在Traefik HelmChartConfig中添加UDP入口点
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    ports:
      dns-udp:
        port: 53
        expose: true
        exposedPort: 53
        protocol: UDP

5.2 创建IngressRouteUDP规则

1
2
3
4
5
6
7
8
9
10
11
12
13
14
# coredns-external.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
  name: coredns-external
  namespace: kube-system
spec:
  entryPoints:
    - dns-udp
  routes:
    - match: HostSNI(`*`)
      services:
        - name: kube-dns
          port: 53

应用配置:

1
kubectl apply -f coredns-external.yaml

5.3 集群外设备配置

在集群外设备上配置DNS服务器:

1
2
3
4
5
6
# Linux系统
sudo echo "nameserver <K3s节点IP>" > /etc/resolv.conf

# 或编辑/etc/resolv.conf
# nameserver <K3s节点IP>
# search example.io

六、生产环境配置建议

6.1 高可用配置

1
2
3
4
5
# 配置多个DNS服务器
forward . 8.8.8.8 8.8.4.4 /etc/resolv.conf {
  max_concurrent 1000  # 最大并发查询数
  expire 10s  # 连接过期时间
}

6.2 性能优化

1
2
3
4
5
6
7
# 调整缓存和性能参数
cache {
  success 9984 3600  # 成功响应缓存
  denial 9984 30     # 否定响应缓存
  prefetch 10 60s    # 预取设置
}
ready :8181  # 就绪检查端点

6.3 安全配置

1
2
3
4
5
# 限制访问范围
acl {
  allow net 192.168.1.0/24  # 只允许内网访问
  block
}

七、常见问题修复

问题现象 排查方向 修复方案
域名解析失败 CoreDNS配置/网络 检查coredns-custom ConfigMap,验证网络连通性
解析结果不正确 hosts映射错误 检查IP地址是否正确,确认网络可达
CoreDNS Pod重启失败 配置语法错误 检查CoreDNS日志:kubectl logs -n kube-system <coredns-pod>
外网域名无法解析 forward配置 检查/etc/resolv.conf内容,测试外网连通性
配置修改不生效 未重启CoreDNS 重启CoreDNS Pod:kubectl delete pods -n kube-system -l k8s-app=kube-dns

八、配置参考

所有CoreDNS配置文件和部署脚本请参考:
https://gitee.com/Chemmy/kube-template/tree/master/devops/coredns

该目录包含:

  • CoreDNS自定义配置模板
  • 生产环境优化配置
  • 外部访问配置示例
  • 监控和日志配置

总结

本文完成了CoreDNS在K3s集群中的持久化配置,实现了GitOps组件内网域名解析功能。通过coredns-custom ConfigMap方案,确保配置在K3s重启、升级后不丢失,保障域名解析服务的稳定性。

配置完成后,所有GitOps组件(Traefik、Gitea、ArgoCD、Tekton、Harbor)均可通过统一的example.io域名访问,极大简化了运维操作。下一篇文章将部署cert-manager证书管理,为所有组件配置HTTPS安全访问。

0%