Deploying Clash on Kubernetes

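Preparation

Create the namespace
kubectl create ns clash

Image
The image is one I built myself: registry.cn-hongkong.aliyuncs.com/jansora/clash-and-dashboard:v1.16.0
It already includes the web UI for management.
See here for how it is built:
https://github.com/LaoYutang/clash-and-dashboard/blob/master/build/Dockerfile

Subscription file
I keep mine on the internet, which makes it easier to manage.

https://cdn.jansora.com/files/xxx.yaml

Kubernetes manifests. The content is roughly as follows.

1. Download the config file locally and point clash at it on startup.
2. nginx proxies the remote-management port set by external-controller: '0.0.0.0:9090'.
This setting must be adjusted to match the subscription file.
3. A Service exposes the required ports.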

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: clash-naiko
  namespace: clash
spec:
  selector:
    matchLabels:
      app: clash-naiko
  replicas: 1
  template:
    metadata:
      labels:
        app: clash-naiko
    spec:
      containers:
        - name: clash-naiko
          image: registry.cn-hongkong.aliyuncs.com/jansora/clash-and-dashboard:v1.16.0
          imagePullPolicy: IfNotPresent
          # Download the subscription config, start nginx, then run clash
          command: [ "/bin/sh", "-c" ]
          args: [ 'wget https://cdn.jansora.com/files/xxx.yaml -O /config.yaml && /usr/sbin/nginx && /clash -f /config.yaml' ]
          volumeMounts:
            - name: config-volume
              mountPath: /etc/nginx/nginx.conf # see the official documentation for the exact path
              subPath: nginx.conf
      volumes:
        - name: config-volume
          configMap:
            name: naiko-config

  serviceName: clash-naiko


---

apiVersion: v1
kind: Service
metadata:
  name: clash-naiko
  namespace: clash
spec:
  type: ClusterIP
  selector:
    app: clash-naiko
  #    app.kubernetes.io/name: hole-pre
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
      name: dashboard
    - protocol: TCP
      port: 7890
      targetPort: 7890
      name: http
    - protocol: TCP
      port: 7891
      targetPort: 7891
      name: socks5



---


# Create the ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: naiko-config
  namespace: clash
data:
  nginx.conf: |
    worker_processes  1;
      
    events {
      worker_connections  1024;
    }
      
    http {
      include       mime.types;
      sendfile        on;
      keepalive_timeout  65;
      
      server {
        listen       80;
        server_name  localhost;
        default_type 'text/html';
        charset utf-8;
        
        location / {
          root /dashboard;
        }
        
        location /api {
          rewrite ^/api(.*)$ $1 break;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
          proxy_pass http://localhost:9090;
        }
        
        error_page  404              /404.html;
        error_page  500 502 503 504  /50x.html;
      }
    }

The web service can be exposed through an Ingress or a NodePort Service.

Then put a public-facing nginx in front of it.

server {
    listen 80;
    http2 on;

    server_name xxx.jansora.com;

    location / {
        proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
        proxy_set_header Accept-Encoding gzip;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_pass http://xxx:xxx;
    }
}

Note that it cannot be exposed to the public internet over HTTPS; otherwise the WebSocket-based management dashboard reports errors.
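
Because nginx forwards /api straight to the external-controller port and the dashboard is reached over plain HTTP, it is worth checking the downloaded subscription file before clash starts. The shell check below is an added example, not part of the original post or the image: `top_level_value`, `check_clash_config` and `write_sample` are hypothetical helper names, the sample config is constructed, and it assumes Clash's top-level `external-controller` and `secret` keys are written as simple one-line scalars.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# Print a top-level scalar from a Clash YAML file, without quotes/comments.
top_level_value() {   # $1 = file, $2 = key
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e "s/^['\"]//" -e "s/['\"]\$//"
}

# Return 0 when the config fits the nginx /api proxy and has API auth set.
check_clash_config() {   # $1 = config file, $2 = nginx upstream port
    cfg=$1
    want_port=${2:-9090}
    ctrl=$(top_level_value "$cfg" external-controller)
    secret=$(top_level_value "$cfg" secret)
    if [ -z "$ctrl" ]; then
        echo "external-controller is not set; /api has no upstream" >&2
        return 2
    fi
    if [ "${ctrl##*:}" != "$want_port" ]; then
        echo "controller port ${ctrl##*:} != nginx upstream $want_port" >&2
        return 3
    fi
    if [ -z "$secret" ]; then
        echo "secret is empty; controller API is unauthenticated" >&2
        return 4
    fi
    case $ctrl in
        127.0.0.1:*|localhost:*) ;;
        *) echo "note: bound to ${ctrl%:*}; nginx only needs loopback" >&2 ;;
    esac
    return 0
}

# Constructed sample standing in for the downloaded subscription file.
write_sample() {
    cat > "$1" <<'EOF'
port: 7890
socks-port: 7891
external-controller: '0.0.0.0:9090'
secret: ''
EOF
}

tmp=$(mktemp) && write_sample "$tmp"
check_clash_config "$tmp" 9090 || echo "refusing to start clash (code $?)"
rm -f "$tmp"
```

Placed between the `wget` and `/usr/sbin/nginx` steps of the container command (assuming the function is made available in the image), a non-zero return stops the chain before clash starts.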
