frp配置内网穿透暴露kubernetes集群

前言

1核2G的服务器太垃圾了，搭了kubernetes，但是各种组件都吃性能，研究了一下内网穿透，尝试让电脑在开机的时候可以用公网ip访问服务，这样就完全没有性能瓶颈了

折腾了很久。。。对于rancher，helm装完有一大大大大堆的资源被安装下来了，也不知道它的流量是怎么走的，会重定向一次host，导致循环重定向，排查了半天，最终放弃挣扎了，但是正常的服务是可以用的，同时放弃了ingress-nginx,换用了apisix，这一步也折腾了很久

frp

server和client都要有

1	wget https://github.com/fatedier/frp/releases/download/v0.48.0/frp_0.48.0_linux_amd64.tar.gz

1	tar -zxvf frp_0.48.0_linux_amd64.tar.gz

配置server

vim frps.ini

# FRP服务端
[common]
# frp监听的端口，默认是7000，可以改成其他的
bind_port = 7000
# 授权码，请改成更复杂的
token = b3rpf5Gm  # 这个token之后在客户端会用到

# frp管理后台端口，请按自己需求更改
dashboard_port = 7001
# frp管理后台用户名和密码，请改成自己的
dashboard_user = admin
dashboard_pwd = admin
enable_prometheus = true

# frp日志配置
log_file = /var/log/frps.log
log_level = info
log_max_days = 3

添加到systemctl命令组，保证开机自启动，当然你也可以用docker跑服务

sudo mkdir -p /etc/frp

sudo ln -s /root/frp/frps.ini /etc/frp/frps.ini
sudo cp frps /usr/bin

vim /usr/lib/systemd/system/frps.service

[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=simple
ExecStart=/usr/local/frp/frps -c /usr/local/frp/frps.ini
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true
StandardOutput=syslog
StandardError=inherit

[Install]
WantedBy=multi-user.target

1
2
3

systemctl daemon-reload
systemctl enable frps
systemctl start frps

记得打开需要的端口安全组和防火墙

配置client

vim frpc.ini

[common]
server_addr = <ip>
server_port = 7000
token = b3rpf5Gm

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
# 这个自定义，之后再ssh连接的时候要用
remote_port = 7002

1	./frpc -c frpc.ini

1
2
3

sudo cp -r frp /usr/local/

sudo vim /usr/lib/systemd/system/frpc.service

[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=simple
ExecStart=/usr/local/frp/frpc -c /usr/local/frp/frpc.ini
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=process
PrivateTmp=true
StandardOutput=syslog
StandardError=inherit

[Install]
WantedBy=multi-user.target

1
2
3

systemctl daemon-reload
systemctl enable frpc
systemctl start frpc

配置完后，可以通过ssh来测试是否能登陆自己的机器

k8s

配置fpcs，添加

1	vhost_http_port = 7080

公网server nginx配置，将请求转发到frp的http端口

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

server {
	listen 80;
    server_name *.k8s.ryaoknw.site k8s.ryaoknw.site;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl; 
    server_name *.k8s.ryaoknw.site k8s.ryaoknw.site;
    ssl_certificate /etc/letsencrypt/live/k8s.ryaoknw.site-0001/fullchain.pem; # 泛域名证书
    ssl_certificate_key /etc/letsencrypt/live/k8s.ryaoknw.site-0001/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf; 
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; 
    location / {
        proxy_pass http://127.0.0.1:7080;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade; #配置weboscket
        proxy_set_header Connection $connection_upgrade;#配置weboscket
    }
}

配置frpc，frpc.ini

[http]
type = http
local_ip = 127.0.0.1
local_port = 80
custom_domains = *.k8s.ryaoknw.site,k8s.ryaoknw.site
remote_port = 7080

内网nginx配置，对应http端口（7080）会被frpc转发到127.0.01:80，nginx代理了80端口，将请求转发到上游node

upstream k8s {
  server 192.168.199.111:80;  # NodePort 
  #server 192.168.199.112:80;
  #server 192.168.199.113:80;
}
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}
server {
    listen       80;
    server_name  *.k8s.ryaoknw.site k8s.ryaoknw.site;
    location / {
      proxy_pass http://k8s;
      proxy_set_header Host      $host;
      proxy_set_header X-Real-IP $remote_addr;
	  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
    }
}

至此配置完毕，可以部署服务在本地集群，然后用ingress暴露即可访问