Quick start: deploying Squid on Kubernetes

I am building a Fedora image and testing my own development environment in kind (a local Docker-simulated k8s cluster) on a macOS workstation, which means repeatedly creating systems from Docker images built from a Dockerfile. I could change the Dockerfile to build on a chain of intermediate base images, but since every container's operating system and applications will have to be kept up to date once the applications are deployed to a Kubernetes cluster, it is worth running a local caching proxy server.

For a local LAN, the Squid proxy service is a commonly used caching proxy that is simple to deploy. Canonical, the company behind Ubuntu, maintains an official Ubuntu LTS based squid image on Docker Hub, the ubuntu/squid Docker Image, with long-term security maintenance, which makes it a good fit for enterprise deployments.

Note

Running Squid in a Docker environment is the right way to test on a single host: verify that the basic configuration of the ubuntu/squid Docker Image works there first, then come back to this article to deploy it in Kubernetes.

Preparation

On each worker node of the kind (local Docker-simulated k8s cluster) dev cluster, first create the local directory /var/spool/squid. A kind node is itself a Docker container, so this mkdir has to run inside each node container (with docker exec), not on the macOS host:
mkdir /var/spool/squid
Push the squid image to the kind cluster's local registry:
docker tag ubuntu/squid:5.2-22.04_beta localhost:5001/squid-ubuntu:5.2-22.04
docker push localhost:5001/squid-ubuntu:5.2-22.04

Note

In the kind cluster's local registry I name the image squid-ubuntu:5.2-22.04, meaning:

  • squid v5.2

  • ubuntu 22.04 LTS
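The two preparation steps as one script, added here as an example and not part of the original post. It assumes the cluster is called dev (kind names the node containers after it, e.g. dev-worker3 as in the kubectl output later on this page), that the local registry listens on localhost:5001, and the image tags used above; the DRY_RUN switch and the KIND_NODES override are mine.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: prepare a kind cluster for the squid
# Deployment. kind nodes are Docker containers, so the hostPath directory must be
# created inside every worker node with `docker exec`; a mkdir on the macOS host
# would create an unrelated directory.
# Assumptions: cluster name "dev", local registry at localhost:5001, image tags as
# on the page. DRY_RUN=1 prints each command instead of running it.
set -eu

CLUSTER="${CLUSTER:-dev}"
REGISTRY="${REGISTRY:-localhost:5001}"
SRC_IMAGE="${SRC_IMAGE:-ubuntu/squid:5.2-22.04_beta}"
DST_REPO="squid-ubuntu"
DST_IMAGE="$REGISTRY/$DST_REPO:5.2-22.04"
SPOOL_DIR="/var/spool/squid"

# Run a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Names of the worker node containers. KIND_NODES (space separated) overrides the
# `kind get nodes` lookup so the script can be exercised without a cluster.
worker_nodes() {
  if [ -n "${KIND_NODES:-}" ]; then
    printf '%s\n' $KIND_NODES
  else
    kind get nodes --name "$CLUSTER"
  fi | grep -- '-worker'
}

# Create the hostPath directory the PersistentVolume points at, on every worker,
# because the pod may be scheduled on any of them.
ensure_spool_dirs() {
  local node
  for node in $(worker_nodes); do
    run docker exec "$node" mkdir -p "$SPOOL_DIR"
  done
}

# Tag the upstream image and push it to the cluster's local registry.
push_image() {
  run docker pull "$SRC_IMAGE"
  run docker tag "$SRC_IMAGE" "$DST_IMAGE"
  run docker push "$DST_IMAGE"
}

# Ask the registry (Docker Registry HTTP API v2) which tags it holds for the repo,
# so the Deployment's image reference is known to resolve before kubectl apply.
list_registry_tags() {
  run curl -sf "http://$REGISTRY/v2/$DST_REPO/tags/list"
}

case "${1:-}" in
  prepare) ensure_spool_dirs; push_image; list_registry_tags ;;
  "") ;;   # no argument: only define the functions
  *) echo "usage: $0 prepare" >&2; exit 64 ;;
esac
```

Run it as `DRY_RUN=1 ./prepare-squid.sh prepare` first to see the exact docker commands, then without DRY_RUN. The final curl should list 5.2-22.04 among the tags; if it does not, the pod will sit in ImagePullBackOff after the Deployment is applied.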

Deployment

squid-deployment.yml, deployed to the kind cluster:
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: squid-volume-pv
  labels:
    type: local
spec:
  storageClassName: squid-spool
  capacity:
    storage: 2Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/var/spool/squid"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: squid-volume-claim
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: squid-spool
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
  name: squid-service
  labels:
    app: squid
spec:
  #type: LoadBalancer
  ports:
  - port: 3128
  selector:
    app: squid
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: squid-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: squid
  template:
    metadata:
      labels:
        app: squid
    spec:
      containers:
      - name: squid
        image: localhost:5001/squid-ubuntu:5.2-22.04
        ports:
        - containerPort: 3128
          name: squid
          protocol: TCP
        volumeMounts:
        - name: squid-config-volume
          mountPath: /etc/squid/squid.conf
          subPath: squid.conf
        - name: squid-data
          mountPath: /var/spool/squid
      volumes:
        - name: squid-config-volume
          configMap:
            name: squid-config
            items:
            - key: squid
              path: squid.conf
        - name: squid-data
          persistentVolumeClaim:
            claimName: squid-volume-claim

Note

  • Storage is changed to hostPath (with storageClassName: squid-spool defined). A hostPath volume hands the pod a directory on whichever node it lands on; that is acceptable in a kind dev cluster, but on a real cluster use a proper StorageClass, or at least pin the pod with nodeAffinity, otherwise the cache silently starts empty whenever the pod is rescheduled to another node.

  • squid.conf is mounted from the ConfigMap with subPath. Kubernetes does not propagate ConfigMap updates into subPath mounts, so after editing the ConfigMap the pods have to be restarted (a rollout restart of the Deployment) before squid sees the new file.

  • In the service section I added the LoadBalancer type (commented out for now to keep the configuration simple):

    spec:
      type: LoadBalancer
    

This needs a local LoadBalancer such as Kubernetes MetalLB load balancing in front of it before the service is reachable from outside the cluster. If no LoadBalancer is specified, the default ClusterIP service is only reachable inside the cluster; see Thoughts on Kubernetes Services.

Before exposing it, keep in mind what the ACLs below allow: http_access allow localnet accepts every client in the RFC 1918 ranges. Behind a ClusterIP that is every pod in the cluster (the pod network 10.244.0.0/16 lies inside 10.0.0.0/8), and behind a MetalLB address it is every host on the LAN, i.e. an open proxy for the whole network, with no authentication configured. Narrow localnet to the pod CIDR or to the client subnets that actually need the cache before giving the service an external address.

The initial squid configuration, taken from Fedora's default /etc/squid/squid.conf:
acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
acl localnet src fc00::/7       	# RFC 4193 local private network range
acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost

http_access deny all

http_port 3128

# cache_dir must sit on the volume mounted from the PersistentVolumeClaim (/var/spool/squid);
# a path outside it, such as /var/cache/squid, is written to the container layer and lost on every restart
cache_dir ufs /var/spool/squid 100 16 256

coredump_dir /var/spool/squid

refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
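The Deployment mounts the PersistentVolume at /var/spool/squid, so cache_dir has to name that path or a directory below it; otherwise the cache goes to the container's writable layer and disappears with every restart, and the PersistentVolume stays empty. The check below is an added example, not part of the original post: it reads the active cache_dir out of squid.conf and the mountPath of the squid-data volume out of the Deployment manifest and fails unless the two agree. File names and the volume name are arguments; the awk scan assumes the hand-written manifest layout above (a `- name:` line followed by its `mountPath:` line), it is not a YAML parser.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: confirm that squid's cache_dir lies on
# the volume the Deployment mounts from the PersistentVolumeClaim. If it does not,
# the cache lands in the container's writable layer and is lost on every restart,
# which defeats the PersistentVolume.
# Usage: ./check-cache-dir.sh squid.conf squid-deployment.yml [volume-name]
set -eu

# Directory of the first active cache_dir line ("#cache_dir ..." comments are skipped).
squid_cache_dir() {
  awk '$1 == "cache_dir" { print $3; exit }' "$1"
}

# mountPath of the named volume in a Deployment manifest. Assumes the page's
# layout ("- name: <volume>" followed by its "mountPath:" line); not a YAML parser.
deployment_mount_path() {
  awk -v vol="$2" '
    $1 == "-" && $2 == "name:" { want = ($3 == vol); next }
    want && $1 == "mountPath:" { print $2; exit }
  ' "$1"
}

# Exit 0 when cache_dir equals the mount path or sits below it, 1 on a mismatch,
# 2 when either value cannot be found.
check_cache_dir_persisted() {
  local conf="$1" manifest="$2" volume="${3:-squid-data}" cache_dir mount_path
  cache_dir=$(squid_cache_dir "$conf")
  mount_path=$(deployment_mount_path "$manifest" "$volume")
  if [ -z "$cache_dir" ]; then
    echo "no active cache_dir in $conf: squid falls back to its built-in default"
    return 2
  fi
  if [ -z "$mount_path" ]; then
    echo "volume $volume has no mountPath in $manifest"
    return 2
  fi
  case "$cache_dir" in
    "$mount_path"|"$mount_path"/*)
      echo "OK: cache_dir $cache_dir is on the PersistentVolume mounted at $mount_path" ;;
    *)
      echo "MISMATCH: cache_dir $cache_dir is outside the PersistentVolume mount $mount_path"
      return 1 ;;
  esac
}

case "${1:-}" in
  "") ;;                               # no arguments: only define the functions
  *) check_cache_dir_persisted "$@" ;;
esac
```

Run it as `./check-cache-dir.sh squid.conf squid-deployment.yml` before creating the ConfigMap; with cache_dir pointing at /var/cache/squid it reports MISMATCH and exits 1, which makes it a cheap gate in whatever script applies the manifests.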
Deploying squid to the kind cluster. The ConfigMap key squid must match items[].key in the Deployment's configMap volume, which is why the file is loaded as --from-file=squid=squid.conf:
kubectl create configmap squid-config --from-file=squid=squid.conf
kubectl apply -f squid-deployment.yml
  • Checking the result:

    % kubectl get pods -o wide
    NAME                                READY   STATUS    RESTARTS   AGE   IP           NODE          NOMINATED NODE   READINESS GATES
    squid-deployment-679756756d-drflk   1/1     Running   0          40m   10.244.7.2   dev-worker3   <none>           <none>
    
    % kubectl get svc -o wide
    NAME            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE   SELECTOR
    squid-service   ClusterIP   10.96.119.129   <none>        3128/TCP   39m   app=squid
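A Running pod and a ClusterIP only show that the container is up; they do not show that requests actually pass through squid or that anything is cached. The script below is an added example, not part of the original post: it fetches one URL twice through squid-service from a throwaway curl pod and reads the X-Cache header squid adds to every response (HIT or MISS from the hostname, here the pod name), so the second fetch should be a HIT. It assumes the curlimages/curl image, the Service name from the manifest above in the current namespace, and an arbitrary plain-http test URL; the sample header dump in the script is constructed, not captured from the cluster, and the parsing functions read stdin so they can be checked against it offline.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: smoke-test the proxy from inside the
# cluster. Two GETs for the same URL go through squid-service; squid marks each
# response with "X-Cache: HIT|MISS from <hostname>", so the second should be a HIT.
# Assumptions: curlimages/curl is pullable, the Service is in the current namespace,
# URL is any plain-http page (HTTPS is tunnelled with CONNECT and is never cached).
set -eu

PROXY="${PROXY:-http://squid-service:3128}"
URL="${URL:-http://deb.debian.org/}"

# Constructed sample of what probe_via_proxy prints (not captured from the page's
# cluster): a MISS followed by a HIT, hostname = pod name as squid reports it.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html
X-Cache: MISS from squid-deployment-679756756d-drflk
X-Cache-Lookup: MISS from squid-deployment-679756756d-drflk:3128
Via: 1.1 squid-deployment-679756756d-drflk (squid/5.2)

HTTP/1.1 200 OK
Content-Type: text/html
X-Cache: HIT from squid-deployment-679756756d-drflk
X-Cache-Lookup: HIT from squid-deployment-679756756d-drflk:3128
Via: 1.1 squid-deployment-679756756d-drflk (squid/5.2)'

# Fetch URL twice through the proxy from a throwaway pod and print both header dumps
# (-o /dev/null discards the bodies, -D - writes the response headers to stdout).
probe_via_proxy() {
  kubectl run squid-probe --rm -i --restart=Never --image=curlimages/curl -- \
    sh -c "for i in 1 2; do curl -s -o /dev/null -D - -x '$PROXY' '$URL'; done"
}

# stdin: header dumps. Prints the status code of each response, in order.
http_statuses() {
  awk '$1 ~ /^HTTP\// { print $2 }'
}

# stdin: header dumps. Prints HIT or MISS per response from squid's X-Cache header;
# the CRLF line endings curl keeps do not matter because only $1 and $2 are read.
cache_statuses() {
  awk 'tolower($1) == "x-cache:" { s = ($2 == "HIT") ? "HIT" : "MISS"; print s }'
}

# stdin: header dumps. Exit 0 when the last response was served from cache,
# 1 when it was still a MISS, 2 when nothing came back through squid at all,
# 3 when the last response was not a 2xx (origin error, or squid's http_access denied the client).
verify_cache_hit() {
  local dump code cache
  dump=$(cat)
  code=$(printf '%s\n' "$dump" | http_statuses | tail -n 1)
  cache=$(printf '%s\n' "$dump" | cache_statuses | tail -n 1)
  if [ -z "$code" ]; then
    echo "no HTTP status line at all: is $PROXY reachable from the pod?"; return 2
  fi
  case "$code" in
    2??) ;;
    *) echo "last response was HTTP $code: origin refused, or squid's http_access denied the client (its IP must match localnet)"; return 3 ;;
  esac
  case "$cache" in
    HIT)  echo "repeat request was a cache HIT: squid is proxying and caching" ;;
    MISS) echo "repeat request still a MISS: object not cacheable, or cache_dir not writable"; return 1 ;;
    *)    echo "no X-Cache header: the response did not pass through squid"; return 2 ;;
  esac
}

case "${1:-}" in
  probe)  probe_via_proxy | verify_cache_hit ;;
  sample) printf '%s\n' "$SAMPLE_HEADERS" | verify_cache_hit ;;
  "") ;;   # no argument: only define the functions
  *) echo "usage: $0 probe|sample" >&2; exit 64 ;;
esac
```

`./squid-probe.sh sample` exercises the parser on the constructed dump; `./squid-probe.sh probe` runs the real check against the cluster. A MISS on the repeat request with the cache directory error in the pod's log is the symptom of cache_dir not matching the mounted volume; a 403 on both requests means the probe pod's IP is not covered by the localnet ACL.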
    

References