document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-03-21 02:10:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'LCTT/master'

Browse Source
This commit is contained in:
Xingyu Wang 2020-03-15 21:31:19 +08:00
commit a56863a40b
7 changed files with 626 additions and 639 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

119
sources/tech/20180522 Advanced use of the less text file viewer in Linux.md
View File

@ -1,119 +0,0 @@
Translating by MjSeven
Advanced use of the less text file viewer in Linux
======
![](https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/osdc_terminals_0.png?itok=XwIRERsn)
I recently read Scott Nesbitt's article "[Using less to view text files at the Linux command line][1]" and was inspired to share additional tips and tricks I use with `less`.
### LESS env var
If you have an environment variable `LESS` defined (e.g., in your `.bashrc`), `less` treats it as a list of options, as if passed on the command line.
I use this:
```
LESS='-C -M -I -j 10 -# 4'
```
These mean:
* `-C` Make full-screen reprints faster by not scrolling from the bottom.
* `-M` Show more information from the last (status) line. You can customize the information shown with `-PM`, but I usually do not bother.
* `-I` Ignore letter case (upper/lower) in searches.
* `-j 10` Show search results in line 10 of the terminal, instead of the first line. This way you have 10 lines of context each time you press `n` (or `N`) to jump to the next (or previous) match.
* `-# 4` Jump four characters to the right or left when pressing the Right or Left arrow key. The default is to jump half of the screen, which I usually find to be too much. Generally speaking, `less` seems to be (at least partially) optimized to the environment it was initially developed in, with slow modems and low-bandwidth internet connections, when it made sense to jump half a screen.
### PAGER env var
Many programs show information using the command set in the `PAGER` environment variable (if it's set). So, you can set `PAGER=less` in your `.bashrc` and have your program run `less`. Check the man page environ(7) (`man 7 environ`) for other such variables.
### -S
`-S` tells `less` to chop long lines instead of wrapping them. I rarely find a need for this unless (and until) I've started viewing a file. Fortunately, you can type all command-line options inside `less` as if they were keyboard commands. So, if I want to chop long lines while I'm already in a file, I can simply type `-S`.
The command-line optiontellsto chop long lines instead of wrapping them. I rarely find a need for this unless (and until) I've started viewing a file. Fortunately, you can type all command-line options insideas if they were keyboard commands. So, if I want to chop long lines while I'm already in a file, I can simply type
Here's an example I use a lot:
```
    su - postgres
    export PAGER=less  # Because I didn't bother editing postgres' .bashrc on all the machines I use it on
    psql
```
Sometimes when I later view the output of a `SELECT` command with a very wide output, I type `-S` so it will be formatted nicely. If it jumps too far when I press the Right arrow to see more (because I didn't set `-#`), I can type `-#8`, then each Right arrow press will move eight characters to the right.
Sometimes after typing `-S` too many times, I exit psql and run it again after entering:
```
export LESS=-S
```
### F
The command `F` makes `less` work like `tail -f`—waiting until more data is added to the file before showing it. One advantage this has over `tail -f` is that highlighting search matches still works. So you can enter `less /var/log/logfile`, search for something—which will highlight all occurrences of it (unless you used `-g`)—and then press `F`. When more data is written to the log, `less` will show it and highlight the new matches.
After you press `F`, you can press `Ctrl+C` to stop it from looking for new data (this will not kill it); go back into the file to see older stuff, search for other things, etc.; and then press `F` again to look at more new data.
### Searching
Searches use the system's regexp library, and this usually means you can use extended regular expressions. In particular, searching for `one|two|three` will find and highlight all occurrences of one, two, or three.
Another pattern I use a lot, especially with wide log lines (e.g., ones that span more than one terminal line), is `.*something.*`, which highlights the entire line. This pattern makes it much easier to see where a line starts and finishes. I also combine these, such as: `.*one thing.*|.*another thing.*`, or `key: .*|.*marker.*` to see the contents of `key` (e.g., in a log file with a dump of some dictionary/hash) and highlight relevant marker lines (so I have a context), or even, if I know the value is surrounded by quotes:
```
key: '[^']*'|.*marker.*
```
`less` maintains a history of your search items and saves them to disk for future invocations. When you press `/` (or `?`), you can go through this history with the Up or Down arrow (as well as do basic line editing).
I stumbled upon what seems to be a very useful feature when skimming through the `less` man page while writing this article: skipping uninteresting lines with `&!pattern`. For example, while looking for something in `/var/log/messages`, I used to iterate through this list of commands:
```
    cat /var/log/messages | egrep -v 'systemd: Started Session' | less
    cat /var/log/messages | egrep -v 'systemd: Started Session|systemd: Starting Session' | less
    cat /var/log/messages | egrep -v 'systemd: Started Session|systemd: Starting Session|User Slice' | less
    cat /var/log/messages | egrep -v 'systemd: Started Session|systemd: Starting Session|User Slice|dbus' | less
    cat /var/log/messages | egrep -v 'systemd: Started Session|systemd: Starting Session|User Slice|dbus|PackageKit Daemon' | less
```
But now I know how to do the same thing within `less`. For example, I can type `&!systemd: Started Session`, then decide I want to get rid of `systemd: Starting Session`, so I add it by typing `&!` and use the Up arrow to get the previous search from the history. Then I type `|systemd: Starting Session` and press `Enter`, continuing to add more items the same way until I filter out enough to see the more interesting stuff.
### =
The command `=` shows more information about the file and location, even more than `-M`. If the file is very long, and calculating `=` takes too long, you can press `Ctrl+C` and it will stop trying.
If the content you're viewing is from a pipe rather than a file, `=` (and `-M`) will not show what it does not know, including the number of lines and bytes in the file. To see that data, if you know that `command` will finish quickly, you can jump to the end with `G`, and then `less` will start showing that information.
If you press `G` and the command writing to the pipe takes longer than expected, you can press `Ctrl+C`, and the command will be killed. Pressing `Ctrl+C` will kill it even if you didn't press `G`, so be careful not to press `Ctrl+C` accidentally if you don't intend to kill it. For this reason, if the command does something (that is, it's not only showing information), it's usually safer to write its output to a file and view the file in a separate terminal, instead of using a pipe.
### Why you need less
`less` is a very powerful program, and contrary to newer contenders in this space, such as `most` and `moar`, you are likely to find it on almost all the systems you use, just like `vi`. So, even if you use GUI viewers or editors, it's worth investing some time going through the `less` man page, at least to get a feeling of what's available. This way, when you need to do something that might be covered by existing functionality, you'll know to search the manual page or the internet to find what you need.
For more information, visit the [less home page][2]. The site has a nice FAQ with more tips and tricks.
--------------------------------------------------------------------------------
via: https://opensource.com/article/18/5/advanced-use-less-text-file-viewer
作者:[Yedidyah Bar David][a]
选题:[lujun9972](https://github.com/lujun9972)
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://opensource.com/users/didib
[1]:http://opensource.com/article/18/4/using-less-view-text-files-command-line
[2]:http://www.greenwoodsoftware.com/less/

2
sources/tech/20191224 Why your Python code should be flat and sparse.md
View File

@ -1,5 +1,5 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: translator: (caiichenr)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )

170
sources/tech/20200204 DevOps vs Agile- What-s the difference.md
View File

@ -1,170 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: (messon007)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (DevOps vs Agile: What's the difference?)
[#]: via: (https://opensource.com/article/20/2/devops-vs-agile)
[#]: author: (Taz Brown https://opensource.com/users/heronthecli)
DevOps vs Agile: What's the difference?
======
The difference between the two is what happens after development.
![Pair programming][1]
Early on, software development didn't really fit under a particular management umbrella. Then along came [waterfall][2], which spoke to the idea that software development could be defined by the length of time an application took to create or build.
Back then, it often took long periods of time to create, test, and deploy software because there were no checks and balances during the development process. The results were poor software quality with defects and bugs and unmet timelines. The focus was on long, drawn-out plans for software projects.
Waterfall projects have been associated with the [triple constraint][3] model, which is also called the project management triangle. Each side of the triangle represents a component of the triple constraints of project management: **scope**, **time**, and **cost**. As [Angelo Baretta writes][4], the triple constraint model "says that cost is a function of time and scope, that these three factors are related in a defined and predictable way… [I]f we want to shorten the schedule (time), we must increase cost. It says that if we want to increase scope, we must increase cost or schedule."
### Transitioning from waterfall to agile
Waterfall came from manufacturing and engineering, where a linear process makes sense; you build the wall before you build the roof. Similarly, software development problems were viewed as something that could be solved with planning. From beginning to end, the development process was clearly defined by a roadmap that would lead to the final delivery of a product.
Eventually, waterfall was recognized as detrimental and counterintuitive to software development because, often, the value could not be determined until the very end of the project cycle, and in many cases, the projects failed. Also, the customer didn't get to see any working software until the end of the project.
Agile takes a different approach that moves away from planning the entire project, committing to estimated dates, and being accountable to a plan. Rather, agile assumes and embraces uncertainty. It is built around the idea of responding to change instead of charging past it or ignoring the need for it. Instead, change is considered as a way to fulfill the needs of the customer.
### Agile values
Agile is governed by the Agile Manifesto, which defines [12 principles][5]:
1. Satisfying the customer is the top priority
2. Welcome changing requirements, even late in development
3. Deliver working software frequently
4. Development and business must work together
5. Build projects around motivated people
6. Face-to-face communication is the most efficient and effective method of conveying information
7. The primary measure of success is working software
8. Agile processes promote sustainable development
9. Maintain continuous attention to technical excellence and good design
10. Simplicity is essential
11. The best architectures, requirements, and designs emerge from self-organizing teams
12. Regularly reflect on work, then tune and adjust behavior
Agile's four [core values][6] are:
* **Individuals and interactions** over processes and tools
* **Working software** over comprehensive documentation
* **Customer collaboration** over contract negotiation
* **Responding to change** over following a plan
This contrasts with waterfall's rigid planning style. In agile, the customer is a member of the development team rather than engaging only at the beginning, when setting business requirements, and at the end, when reviewing the final product (as in waterfall). The customer helps the team write the [acceptance criteria][7] and remains engaged throughout the process. In addition, agile requires changes and continuous improvement throughout the organization. The development team works with other teams, including the project management office and the testers. What gets done and when are led by a designated role and agreed to by the team as a whole.
### Agile software development
Agile software development requires adaptive planning, evolutionary development, and delivery. Many software development methodologies, frameworks, and practices fall under the umbrella of being agile, including:
* Scrum
* Kanban (visual workflow)
* XP (eXtreme Programming)
* Lean
* DevOps
* Feature-driven development (FDD)
* Test-driven development (TDD)
* Crystal
* Dynamic systems development method (DSDM)
* Adaptive software development (ASD)
All of these have been used on their own or in combination for developing and deploying software. The most common are [scrum, kanban][8] (or the combination called scrumban), and DevOps.
[Scrum][9] is a framework under which a team, generally consisting of a scrum master, product owner, and developers, operates cross-functionally and in a self-directed manner to increase the speed of software delivery and
to bring greater business value to the customer. The focus is on faster iterations with smaller [increments][10].
[Kanban][11] is an agile framework, sometimes called a workflow management system, that helps teams visualize their work and maximize efficiency (thus being agile). Kanban is usually represented by a digital or physical board. A team's work moves across the board, for example, from not started, to in progress, testing, and finished, as it progresses. Kanban allows each team member to see the state of all work at any time.
### DevOps values
DevOps is a culture, a state of mind, a way that software development or infrastructure is, and a way that software and applications are built and deployed. There is no wall between development and operations; they work simultaneously and without silos.
DevOps is based on two other practice areas: lean and agile. DevOps is not a title or role within a company; it's really a commitment that an organization or team makes to continuous delivery, deployment, and integration. According to [Gene Kim][12], author of _The Phoenix Project_ and _The Unicorn Project_, there are three "ways" that define the principles of DevOps:
* The First Way: Principles of flow
* The Second Way: Principles of feedback
* The Third Way: Principles of continuous learning
### DevOps software development
DevOps does not happen in a vacuum; it is a flexible practice that, in its truest form, is a shared culture and mindset around software development and IT or infrastructure implementation.
When you think of automation, cloud, microservices, you think of DevOps. In an [interview][13], _Accelerate: Building and Scaling High Performing Technology Organizations_ authors Nicole Forsgren, Jez Humble, and Gene Kim explained:
> * Software delivery performance matters, and it has a significant impact on organizational outcomes such as profitability, market share, quality, customer satisfaction, and achieving organizational and mission goals.
> * High performers achieve levels of throughput, stability, and quality; they're not trading off to achieve these attributes.
> * You can improve your performance by implementing practices from the lean, agile, and DevOps playbooks.
> * Implementing these practices and capabilities also has an impact on your organizational culture, which in turn has an impact on both your software delivery performance and organizational performance.
> * There's still lots of work to do to understand how to improve performance.
>
### DevOps vs. agile
Despite their similarities, DevOps and agile are not the same, and some argue that DevOps is better than agile. To eliminate the confusion, it's important to get down to the nuts and bolts.
#### Similarities
* Both are software development methodologies; there is no disputing this.
* Agile has been around for over 20 years, and DevOps came into the picture fairly recently.
* Both believe in fast software development, and their principles are based on how fast software can be developed without causing harm to the customer or operations.
#### Differences
* **The difference between the two** is what happens after development.
* Software development, testing, and deployment happen in both DevOps and agile. However, pure agile tends to stop after these three stages. In contrast, DevOps includes operations, which happen continually. Therefore, monitoring and software development are also continuous.
* In agile, separate people are responsible for developing, testing, and deploying the software. In DevOps, the DevOps engineering role is are responsible for everything; development is operations, and operations is development.
* DevOps is more associated with cost-cutting, and agile is more synonymous with lean and reducing waste, and concepts like agile project accounting and minimum viable product (MVP) are relevant.
* Agile focuses on and embodies empiricism (**adaptation**, **transparency**, and **inspection**) instead of predictive measures.
Agile | DevOps
---|---
Feedback from customer | Feedback from self
Smaller release cycles | Smaller release cycles, immediate feedback
Focus on speed | Focus on speed and automation
Not the best for business | Best for business
### Wrapping up
Agile and DevOps are distinct, although their similarities lead people to think they are one and the same. This does both agile and DevOps a disservice.
In my experience as an agilist, I have found it valuable for organizations and teams to understand—from a high level—what agile and DevOps are and how they aid teams in working faster and more efficiently, delivering quality faster, and improving customer satisfaction.
Agile and DevOps are not adversarial in any way (or at least the intent is not there). They are more allies than enemies in the agile revolution. Agile and DevOps can operate exclusively and inclusively, which allows both to exist in the same space.
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/2/devops-vs-agile
作者:[Taz Brown][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/heronthecli
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/collab-team-pair-programming-code-keyboard.png?itok=kBeRTFL1 (Pair programming)
[2]: http://www.agilenutshell.com/agile_vs_waterfall
[3]: https://en.wikipedia.org/wiki/Project_management_triangle
[4]: https://www.pmi.org/learning/library/triple-constraint-erroneous-useless-value-8024
[5]: https://agilemanifesto.org/principles.html
[6]: https://agilemanifesto.org/
[7]: https://www.productplan.com/glossary/acceptance-criteria/
[8]: https://opensource.com/article/19/8/scrum-vs-kanban
[9]: https://www.scrum.org/
[10]: https://www.scrum.org/resources/what-is-an-increment
[11]: https://www.atlassian.com/agile/kanban
[12]: https://itrevolution.com/the-unicorn-project/
[13]: https://www.infoq.com/articles/book-review-accelerate/

349
sources/tech/20200312 Make SSL certs easy with k3s.md
View File

@ -1,349 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: (wxy)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Make SSL certs easy with k3s)
[#]: via: (https://opensource.com/article/20/3/ssl-letsencrypt-k3s)
[#]: author: (Lee Carpenter https://opensource.com/users/carpie)
Make SSL certs easy with k3s
======
How to encrypt your website with k3s and Letsencrypt on a Raspberry Pi.
![Files in a folder][1]
In a [previous article][2], we deployed a couple of simple websites on our k3s cluster. There were non-encrypted sites. Now that's fine, and they work, but non-encrypted is very last century! These days most websites are encrypted. In this article, we are going to install [cert-manager][3] and use it to deploy TLS encrypted sites on our cluster. Not only will the sites be encrypted, but they will be using valid public certificates that are automatically provisioned and automatically renewed from [Let's][4] [Encrypt][4]! Let's get started!
### Materials needed
To follow along with the article, you will need [the k3s Raspberry Pi cluster][5] we built in a previous article. Also, you will need a public static IP address and a domain name that you own and can create DNS records for. If you have a dynamic DNS provider that provides a domain name for you, that may work as well. However, in this article, we will be using a static IP and [CloudFlare][6] to manually create DNS "A" records.
As we create configuration files in this article, if you don't want to type them out, they are all available for download [here][7].
### Why are we using cert-manager?
Traefik (which comes pre-bundled with k3s) actually has Let's Encrypt support built-in, so you may be wondering why we are installing a third-party package to do the same thing. At the time of this writing, Traefik's Let's Encrypt support retrieves certificates and stores them in files. Cert-manager retrieves certificates and stores them in Kubernetes **secrets**. **Secrets** can be simply referenced by name and, therefore, easier to use, in my opinion. That is the main reason we are going to use cert-manager in this article.
### Installing cert-manager
Mostly we will simply follow the cert-manager [documentation][8] for installing on Kubernetes. Since we are working with an ARM architecture, however, we will be making slight changes, so we will go through the procedure here.
The first step is to create the cert-manager namespace. The namespace helps keep cert-manager's pods out of our default namespace, so we do not have to see them when we do things like **kubectl get pods** with our own pods. Creating the namespace is simple:
```
kubectl create namespace cert-manager
```
The installation instructions have you download the cert-manager YAML configuration file and apply it to your cluster all in one step. We need to break that into two steps in order to modify the file for our ARM-based Pis. We will download the file and do the conversion in one step:
```
curl -sL \
<https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml> |\
sed -r 's/(image:.*):(v.*)$/\1-arm:\2/g' &gt; cert-manager-arm.yaml
```
This downloads the configuration file and updates all the contained docker images to be the ARM versions. To check what it did:
```
$ grep image: cert-manager-arm.yaml
          image: "quay.io/jetstack/cert-manager-cainjector-arm:v0.11.0"
          image: "quay.io/jetstack/cert-manager-controller-arm:v0.11.0"
          image: "quay.io/jetstack/cert-manager-webhook-arm:v0.11.0"
```
As we can see, the three images now have **-arm** added to the image name. Now that we have the correct file, we simply apply it to our cluster:
```
`kubectl apply -f cert-manager-arm.yaml`
```
This will install all of cert-manager. We can know when the installation finished by checking with **kubectl --namespace cert-manager get pods** until all pods are in the **Running** state.
That is actually it for cert-manager installation!
### A quick overview of Let's Encrypt
The nice thing about Let's Encrypt is that they provide us with publicly validated TLS certificates for free! This means that we can have a completely valid TLS encrypted website that anyone can visit for our home or hobby things that do not make money to support themselves without paying out of our own pocket for TLS certificates! Also, when using Let's Encrypt certificates with cert-manager, the entire process of procuring the certificates is automated. Certificate renewal is also automated!
But how does this work? Here is a simplified explanation of the process. We (or cert-manager on our behalf) issue a request for a certificate to Let's Encrypt for a domain name that we own. Let's Encrypt verifies that we own that domain by using an ACME DNS or HTTP validation mechanism. If the verification is successful, Let's Encrypt provides us with certificates, which cert-manager installs in our website (or other TLS encrypted endpoint). These certificates are good for 90 days before the process needs to be repeated. Cert-manager, however, will automatically keep the certificates up-to-date for us.
In this article, we will use the HTTP validation method as it is simpler to set up and works for the majority of use cases. Here is the basic process that will happen behind the scenes. Cert-manager will issue a certificate request to Let's Encrypt. Let's Encrypt will issue an ownership verification challenge in response. The challenge will be to put an HTTP resource at a specific URL under the domain name that the certificate is being requested for. The theory is that if we can put that resource at that URL and Let's Encrypt can retrieve it remotely, then we must really be the owners of the domain. Otherwise, either we could not have placed the resource in the correct place, or we could not have manipulated DNS to allow Let's Encrypt to get to it. In this case, cert-manager puts the resource in the right place and automatically creates a temporary **Ingress** record that will route traffic to the correct place. If Let's Encrypt can read the challenge and it is correct, it will issue the certificates back to cert-manager. Cert-manager will then store the certificates as secrets, and our website (or whatever) will use those certificates for securing our traffic with TLS.
### Preparing our network for the challenges
I'm assuming that you are wanting to set this up on your home network and have a router/access point that is connected in some fashion to the broader internet. If that is not the case, the following process may not be what you need.
To make the challenge process work, we need the domain that we are requesting a certificate for to route to our k3s cluster on port 80. To do that, we need to tell the world's DNS system where that is. So, we'll need to map the domain name to our public IP address. If you do not know what your public IP address is, you can go to somewhere like [WhatsMyIP][9], and it will tell you. Next, we need to enter a DNS "A" record that maps our domain name to our public IP address. For this to work reliably, you need a static public IP address, or you may be able to use a dynamic DNS provider. Some dynamic DNS providers will issue you a domain name that you may be able to use with these instructions. I have not tried this, so I cannot say for sure it works with all providers.
For this article, we are going to assume a static public IP and use CloudFlare to set the DNS "A" records. You may use your own DNS provider if you wish. The important part is that you are able to set the "A" records.
For this rest of the article, I am going to use **[k3s.carpie.net][10]** as the example domain since this is a domain I own. You would obviously replace that with whatever domain you own.
Ok, for the sake of example, assume our public IP address is 198.51.100.42. We would go to our DNS provider's DNS record section and add a record of type "A," with a name of **[k3s.carpie.net][10]** (CloudFlare assumes the domain, so there we could just enter **k3s**) and enter 198.51.100.42 as the IPv4 address.
![][11]
Be aware that sometimes it takes a while for the DNS updates to propagate. It may be several hours before you can resolve the name. It is imperative that the name resolves before moving on. Otherwise, all our certificate requests will fail.
We can check that the name resolves using the **dig** command:
```
$ dig +short k3s.carpie.net
198.51.100.42
```
Keep running the above command until an IP is returned. Just a note about CloudFlare: ClouldFlare provides a service that hides your actual IP by proxying the traffic. In this case, we'll get back a CloudFlare IP instead of our IP. This should work fine for our purposes.
The final step for network configuration is configuring our router to route incoming traffic on ports 80 and 443 to our k3s cluster. Sadly, router configuration screens vary widely, so I can't tell you exactly what yours will look like. Most of the time, the admin page we need is under "Port forwarding" or something similar. I have even seen it listed under "Gaming" (which is apparently what port forwarding is mostly used for)! Let's see what the configuration looks like for my router.
![][12]
If you had my setup, you would go to 192.168.0.1 to log in to the router administration application. For this router, it's under **NAT / QoS** -&gt; **Port Forwarding**. Here we set port **80**, **TCP** protocol to forward to 192.168.0.50 (the IP of **kmaster** our master node) port **80**. We also set port **443** to map to **kmaster** as well. This is technically not needed for the challenges, but at the end of the article, we are going to deploy a TLS enabled website, and we will need **443** mapped to get to it. So it's convenient to go ahead and map it now. We save and apply the changes, and we should be good to go!
### Configuring cert-manager to use Lets Encrypt (staging)
Now we need to configure cert-manager to issue certificates through Let's Encrypt. Let's Encrypt provides a staging (e.g., test) environment for us to sort out our configurations on. It is much more tolerant of mistakes and frequency of requests. If we bumble around on the production environment, we'll very quickly find ourselves temporarily banned! As such, we'll manually test requests using the staging environment.
Create a file, **letsencrypt-issuer-staging.yaml** with the contents:
```
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
   # The ACME server URL
    server: <https://acme-staging-v02.api.letsencrypt.org/directory>
    # Email address used for ACME registration
    email: &lt;your_email&gt;@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: traefik
```
Make sure to update the email address to your address. This is how Let's Encrypt contacts us if something is wrong or we are doing bad things!
Now we create the issuer with:
```
`kubectl apply -f letsencrypt-issuer-staging.yaml`
```
We can check that the issuer was created successfully with:
```
`kubectl get clusterissuers`
```
**Clusterissuers** is a new Kubernetes resource type created by cert-manager.
Let's now request a test certificate manually. For our sites, we will not need to do this; we are just testing out the process to make sure our configuration is correct.
Create a certificate request file, **le-test-certificate.yaml** with the contents:
```
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: k3s-carpie-net
  namespace: default
spec:
  secretName: k3s-carpie-net-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: k3s.carpie.net
  dnsNames:
 - k3s.carpie.net
```
This record just says we want to request a certificate for the domain **[k3s.carpie.net][10]**, using a **ClusterIssuer** named **letsencrypt-staging** (which we created in the previous step) and store the certificate files in the Kubernetes secret named **k3s-carpie-net-tls**.
Apply it like normal:
```
`kubectl apply -f le-test-certificate.yaml`
```
We can check the status with:
```
`kubectl get certificates`
```
If we see something like:
```
NAME                    READY   SECRET                  AGE
k3s-carpie-net          True    k3s-carpie-net-tls      30s
```
We are good to go! (The key here is **READY** being **True**).
### Troubleshooting certificate request issues
That's the happy path. If **READY** is **False**, we could give it some time and check the status again in case it takes a bit. If it stays **False,** then we have an issue we need to troubleshoot. At this point, we can walk the chain of Kubernetes resources until we find a status message that tells us the problem.
Let's say that we did the request above, and **READY** was **False**. We start the troubleshooting with:
```
`kubectl describe certificates k3s-carpie-net`
```
This will return a lot of information. Usually, the helpful things are in the **Events:** section, which is typically at the bottom. Let's say the last event was **Created new CertificateRequest resource "k3s-carpie-net-1256631848**. We would then describe that request:
```
`kubectl describe certificaterequest k3s-carpie-net-1256631848`
```
Now let's say the last event there was **Waiting on certificate issuance from order default/k3s-carpie-net-1256631848-2342473830**.
Ok, we can describe the order:
```
`kubectl describe orders default/k3s-carpie-net-1256631848-2342473830`
```
Let's say that has an event that says **Created Challenge resource "k3s-carpie-net-1256631848-2342473830-1892150396" for domain "[k3s.carpie.net][10]"**. Let's describe the challenge:
```
`kubectl describe challenges k3s-carpie-net-1256631848-2342473830-1892150396`
```
The last event returned from here is **Presented challenge using http-01 challenge mechanism**. That looks ok, so we scan up the describe output and see a message **Waiting for http-01 challenge propagation: failed to perform self check GET request … no such host**. Finally! We have found the problem! In this case, **no such host** means that the DNS lookup failed, so then we would go back and manually check our DNS settings and that our domain's DNS resolves correctly for us and make any changes needed.
### Clean up our test certificates
We actually want a real certificate for the domain name we used, so let's go ahead and clean up both the certificate and the secret we just created:
```
kubectl delete certificates k3s-carpie-net
kubectl delete secrets k3s-carpie-net-tls
```
### Configuring cert-manager to use Let's Encrypt (production)
Now that we have test certificates working, it's time to move up to production. Just like we configured cert-manager for Let's Encrypt staging environment, we need to do the same for production now. Create a file (you can copy and modify staging if desired) named **letsencrypt-issuer-production.yaml** with the contents:
```
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
 # The ACME server URL
  server: <https://acme-v02.api.letsencrypt.org/directory>
  # Email address used for ACME registration
  email: &lt;your_email&gt;@example.com
  # Name of a secret used to store the ACME account private key
  privateKeySecretRef:
    name: letsencrypt-prod
  # Enable the HTTP-01 challenge provider
  solvers:
  - http01:
      ingress:
        class: traefik
```
(If you are copying from the staging, the only that changes is the **server:** URL. Don't forget the email)!
Apply with:
```
`kubectl apply -f letsencrypt-issuer-production.yaml`
```
### Request a certificate for our website
It's important to note that all the steps we have completed to this point are one time set up! For any additional requests in the future, we can start at this point in the instructions!
Let's deploy that same site we deployed in the [previous article][13]. (If you still have it around, you can just modify the YAML file. If not, you may want to recreate it and re-deploy it).
We just need to modify **mysite .yaml's** **Ingress** section to be:
```
\---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: mysite-nginx-ingress
  annotations:
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  rules:
  - host: k3s.carpie.net
    http:
      paths:
      - path: /
        backend:
          serviceName: mysite-nginx-service
          servicePort: 80
  tls:
  - hosts:
   - k3s.carpie.net
    secretName: k3s-carpie-net-tls
```
Please note that just the **Ingress** section of **mysite.yaml** is shown above. The changes are the addition of the **annotation [cert-manager.io/cluster-issuer][14]: letsencrypt-prod**. This tells traefik which issuer to use when creating certificates. The only other addition is the **tls:** block. This tells traefik that we expect to have TLS on host **[k3s.carpie.net][10],** and we expect the TLS certificate files to be stored in the secret **k3s-carpie-net-tls**.
Please remember that we did not create these certificates! (Well, we created test certificates similarly named, but we deleted those.) Traefik will read this and go looking for the secret. When it does not find it, it sees the annotation saying we want to use **letsencrypt-prod** issuer to procure one. From there, it will make the request and install the certificate in the secret for us!
We're done! Let's try it out.
There it is in all its encrypted TLS beauty! Congratulations!
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/3/ssl-letsencrypt-k3s
作者:[Lee Carpenter][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/carpie
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/files_documents_paper_folder.png?itok=eIJWac15 (Files in a folder)
[2]: https://carpie.net/articles/ingressing-with-k3s
[3]: https://cert-manager.io/
[4]: https://letsencrypt.org/
[5]: https://opensource.com/article/20/3/kubernetes-raspberry-pi-k3s
[6]: https://cloudflare.com/
[7]: https://gitlab.com/carpie/k3s_using_certmanager/-/archive/master/k3s_using_certmanager-master.zip
[8]: https://cert-manager.io/docs/installation/kubernetes/
[9]: https://whatsmyip.org/
[10]: http://k3s.carpie.net
[11]: https://opensource.com/sites/default/files/uploads/ep011_dns_example.png
[12]: https://opensource.com/sites/default/files/uploads/ep011_router.png
[13]: https://carpie.net/articles/ingressing-with-k3s#deploying-a-simple-website
[14]: http://cert-manager.io/cluster-issuer

111
translated/tech/20180522 Advanced use of the less text file viewer in Linux.md Normal file
View File

@ -0,0 +1,111 @@
Linux 中使用 less 查看文件的高级用法
======
![](https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/osdc_terminals_0.png?itok=XwIRERsn)
最近,我正在拜读 Scott Nesbitt 的文章“[在 Linux 中使用 less 命令来查看文本文件][1]”,并受到了一些启发,所以我想分享一些使用 `less` 命令的技巧。
### LESS 环境变量
如果你定义了环境变量 `LESS`(例如在 `.bashrc` 中),那么 `less` 会将其视为一个选项列表,就像在命令行中传递给它一样。
我这样定义:
```
LESS='-C -M -I -j 10 -# 4'
```
它的意思是:
* `-C` 通过不从底部滚动来加快全屏打印速度。
* `-M` 在最后一行(状态行)显示更多信息。你可以使用 `-PM` 来自定义显示的信息,但我通常只用 `-M`
* `-I` 忽略搜索中的大小写。
* `-j 10` 在终端的第 10 行而不是第一行显示搜索结果。这样,每次按 `n` 或(`N` 跳到下一个(或上一个)匹配项时,就会有 10 条上下文。
* `-# 4` 当按下向右或向左的箭头时,会向右或向左跳四个字符。默认情况时跳转半个屏幕,我觉得太多了。一般来说,`less` 似乎(至少部分)优化了最初开发时的环境,使用慢速调制解调器和低带宽的互联网连接,这样可以跳过半个屏幕。
### PAGER 环境变量
许多程序使用在 `PAGER` 环境变量中的命令来显示信息。因此,你可以在 `.bashrc` 中设置 `PAGER=less`,然后让程序运行 `less`。查看 man 页(`man 7 environ`)中是否有其它此类变量。·
### -S
`-S` 告诉 `less` 将长行隔断而不是将它们包起来。除非或直到我开始查看文件,否则我很少需要这样做。幸运的是,你可以在 `less` 中输入所有命令行选项,就像它们是键盘命令一样。因此,如果我想在文件已经打开的情况下隔断长行,我可以简单地输入 `-S`
这是我经常使用的一个例子:
```
    su - postgres
    export PAGER=less  # 因为我没在所有的机器上编辑 postgres .bashrc而是在 psql 使用
```
有时当我查看一个 `SELECT` 命令的输出非常宽,我会输入 `-S` 以便将其格式化。如果当我按下右箭头想查看更多内容时它跳得太远(因为我没有设置 `-#`),则可以输入 `-#8`,那么每次按下右箭头都会向右移动八个字符。
有时在多次输入 `-S` 之后,我会退出 psql 并设置环境变量后再次运行它:
```
export LESS=-S
```
### F
命令 `F` 使 `less``tail -f` 一样工作,等待更多的数据被添加到文件后再显示。与 `tail -f` 相比,它的一个优点是,高亮显示搜索匹配仍然有效。因此,你可以输入 `less /var/log/logfile`,搜索某些内容时,它将高亮显示所有出现的内容(除非你使用了 -g然后按下 `F` 键,当更多数据写入到日志时,`less` 将显示它并高亮新的匹配项。
按下 `F` 后,可以按 `Ctrl+C` 来停止其查找新数据(这不会干掉它),这样你可以返回文件查看旧内容,搜索其它内容等,然后再次按 `F` 键来查看更多新数据。
### 搜索
搜索使用系统的 regexp 库,这通常意味着你可以使用扩展正则表达式。特别是,搜索 `one|two|three` 将找到并高亮所有的 one、two 或 three。
我经常使用的另一种模式是 `.*someting.*`,特别是对于一些很长的日志行(例如,跨越多个终端行),它会高亮整行。这种模式使查看一行的起始和结束位置变得更加容易。我还会结合其它内容,例如 `.*one thing.*|.*another thing.*`,或者使用 `key: .*|.*marker.*` 来查看 `key` 的内容。例如,一个日志文件中包含一些字典/哈希的转储。它会高亮相关的标记行,这样我就有上下文了,甚至,如果我知道这个值被引号引起来的话,就可以:
```
key: '[^']*'|.*marker.*
```
`less` 会保留你搜索项的历史纪录,并将其保存到磁盘中以备将来调用。当你按下 `/``?` 时,可以使用向上或向下箭头浏览历史记录(以及基本的行编辑)。
在撰写本文时,我无意间看了下 less 手册页,发现了一个非常有用的功能:使用 `&!pattern` 跳过无趣的行。例如,当我在 `/var/log/messages` 中寻找内容时,经常会遍历以下命令:
```
    cat /var/log/messages | egrep -v 'systemd: Started Session' | less
    cat /var/log/messages | egrep -v 'systemd: Started Session|systemd: Starting Session' | less
    cat /var/log/messages | egrep -v 'systemd: Started Session|systemd: Starting Session|User Slice' | less
    cat /var/log/messages | egrep -v 'systemd: Started Session|systemd: Starting Session|User Slice|dbus' | less
    cat /var/log/messages | egrep -v 'systemd: Started Session|systemd: Starting Session|User Slice|dbus|PackageKit Daemon' | less
```
但是现在我知道如何在 `less` 中做同样的事情。例如,我可以输入 `&!systemd: Started Session`,然后决定删除 `systemd: Starting Session`,所以我输入 `&!`,并使用向上箭头从历史记录中获得上一次搜索的结果。然后我输入 `|systemd: Starting Session` 并按下 `Enter`,继续以相同的方式添加更多条目,直到我过滤掉足够多的条目,看到更有趣的内容。
### =
命令 `=` 显示有关文件和位置的更多信息,甚至比 `-M` 更多。如果文件非常大,计算 `=` 花费的时间太长,可以按下 `Ctrl+C`,它将停止尝试。
如果你正在查看的内容来自管道而不是文件,则 `=` (和 `-M`)不会显示未知内容,包括文件中的行数和字节数。要查看这些数据,如果你知道管道命令将很快结束,则可以使用 `G` 跳到最后,然后 `less` 将开始显示这些信息。
如果按下 `G` 并且写入管道的命令花费的时间比预期的长,你可以按下 `Ctrl+C`,该命令将被终止。即使你没有按 `G``Ctrl+C` 键也会杀死它。因此,如果你不想杀死它,请不要意外按下 `Ctrl+C`。出于这个原因,如果命令执行了某些操作(不仅是显示信息),通常更安全的做法是将其输出写入文件并在单独的终端中查看文件,而不是使用管道。
### 为什么你需要 less
`less` 是一个非常强大的程序,与该领域中较新的竞争者(例如 most 和 moar不同你可能会在几乎所有的系统上找到它就像 `vi` 一样。因此,即使你使用 GUI 查看器或编辑器,花一些时间浏览 `less` 手册页也是值得的,至少可以了解以下可用的内容。这样,当你需要做一些现有功能可能涉及的工作时,就会知道如何要搜索手册页或互联网来找到所需的内容。
有关更多信息,访问 [less 主页][2]。网站有一个不错的常见问题解答,其中包含更多提示和技巧。
--------------------------------------------------------------------------------
via: https://opensource.com/article/18/5/advanced-use-less-text-file-viewer
作者:[Yedidyah Bar David][a]
选题:[lujun9972](https://github.com/lujun9972)
译者:[译者ID](https://github.com/MjSeven)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://opensource.com/users/didib
[1]:http://opensource.com/article/18/4/using-less-view-text-files-command-line
[2]:http://www.greenwoodsoftware.com/less/

181
translated/tech/20200204 DevOps vs Agile- What-s the difference.md Normal file
View File

@ -0,0 +1,181 @@
[#]: collector: "lujun9972"
[#]: translator: "messon007"
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
[#]: subject: "DevOps vs Agile: What's the difference?"
[#]: via: "https://opensource.com/article/20/2/devops-vs-agile"
[#]: author: "Taz Brown https://opensource.com/users/heronthecli"
DevOps和敏捷: 究竟有什么区别?
======
两者之间的区别在于开发完毕之后发生的事情。
![Pair programming][1]
早期, 软件开发并没有特定的管理流程。随后出现了[瀑布开发流程][2], 它提出软件开发活动可以被开发和构建应用所耗费的时间来定义。
那时候, 由于在开发流程中没有审查环节和权衡考虑, 常常需要花费很长的时间来开发, 测试和部署软件。交付的软件也是带有缺陷和Bug的质量较差的软件, 而且交付时间也不满足要求。那时候软件项目管理的重点是长期计划。
瀑布流程与[三重约束模型][3]相关, 三重约束模型也称为项目管理三角形。三角形的每一个边代表项目管理三要素的一个要素: **范围, 时间和成本**. 正如[Angelo Baretta写到][4], 三重约束模型认为成本是时间和范围的函数, 这三个约束以一种确定的, 可预测的方式相互作用。如果我们想缩短时间, 就必须增加成本。如果我们想增加范围, 就必须增加成本或时间。
### 从瀑布流程过渡到敏捷开发
瀑布流程来源于生产和工程领域, 这些领域适合线性化的流程: 正如房屋封顶之前需要先盖好支撑墙。 相似地, 软件开发问题被认为可以通过提前做好计划来解决。从头到尾,开发流程被路线图清晰地定义,顺从路线图就可以得到最终交付的产品。
最终, 瀑布模型被认为对软件开发是不利的而且违反人的直觉, 因为直到开发流程的最后才能体现出其价值, 这导致许多项目最终都以失败告终。而且, 在项目结束前客户看不到任何可以工作的软件。
敏捷采用了一种不同的方法, 它抛弃了规划整个项目, 承诺估计的时间点, 简单的遵循计划。与瀑布流程相反, 它假设和拥抱不确定性。它的理念是以响应变化代替讨论过去, 它认为变更是客户需求的一部分。
### 敏捷价值观
敏捷由敏捷宣言代言, 敏捷宣言定义了[12条原则][5]:
1. 我们最重要的目标,是通过持续不断地及早交付有价值的软件使客户满意。
2. 欣然面对需求变化,即使在开发后期也一样。
3. 经常交付可工作的软件,相隔几星期或一两个月,倾向于采取较短的周期。
4. 业务人员和开发人员必须相互合作,项目中的每一天都不例外。
5. 激发个体的斗志,以他们为核心搭建项目。提供所需的环境和支援,辅以信任,从而达成目标。
6. 面对面沟通是传递信息的最佳的也是效率最高的方法。
7. 可工作的软件是进度的首要度量标准。
8. 敏捷流程倡导可持续的开发,责任人、开发人员和用户要能够共同维持其步调稳定延续。
9. 坚持不懈地追求技术卓越和良好设计,敏捷能力由此增强。
10. 以简洁为本,它是极力减少不必要工作量的艺术。
11. 最好的架构, 需求和设计出自自组织团队
12. 团队定期地反思如何能提高成效,并依此调整自身的举止表现。
敏捷的四个[核心价值观][6]是:
* **个体和互动** 高于 流程和工具
* **工作的软件** 高于 详尽的文档
* **客户合作** 高于 合同谈判
* **响应变化** 高于 遵循计划
这与瀑布流程死板的计划风格相反。在敏捷流程中,客户是开发团队的一员,而不仅仅是在项目开始时参与项目需求的定义, 在项目结束时验收最终的产品。客户帮忙团队完成[准入标准][7],保持参与整个流程。另外,敏捷需要整个组织的变化和持续的改进。开发团队和其他团队一起合作, 包括项目管理团队和测试团队。做什么和计划什么时候做由指定的角色领导, 并由整个团队同意。
### 敏捷软件开发
敏捷软件开发需要自适应的规划,演进式的开发和交付。许多软件开发方法,框架和实践遵从敏捷的理念,包括:
* Scrum
* Kanban (可视化工作流)
* XP(极限编程)
* 精益
* DevOps
* 特性驱动开发(FDD)
* 测试驱动开发(TDD)
* 水晶方法
* 动态系统开发方法(DSDM)
* 自适应软件开发(ASD)
所有这些已经被单独用于或一起用于开发和部署软件。最常用的是[scrum][8], kanban(或scrumban)和DevOps.
[Scrum][9]是一个框架, 采用该框架的团队通常由一个scrum教练, 产品经理和开发人员组成, 该功能团队采用自主的工作方式, 能够加快软件交付速度从而给客户带来巨大的商业价值。其关注点是[较小增量][10]的快速迭代。
[Kanban][11]是一个敏捷框架有时也叫工作流管理系统它能帮助团队可视化他们的工作从而最大化效率。Kanban通常由数字或物理展示板来呈现。团队的工作移到展示板上例如未启动进行中, 测试中, 已完成。Kanban使得每个团队成员可以随时看到所有工作的状态。
### DevOps价值观
DevOps是一种文化, 思维状态, 一种软件开发的方式或者基础设施开发的方式,一种软件和应用被构建和部署的方式。它假设开发和运维之间没有隔阂, 他们一起合作,没有矛盾。
DevOps基于两个其他实践: 精益和敏捷。DevOps不是一个公司内的岗位或角色它是一个组织或团队对持续交付持续部署和持续集成的坚持不懈的追求。[Gene Kim][12](Phoenix项目和Unicorn项目的作者)认为有三种方式定义DevOps的理念
* 第一种: 自动化流程
* 第二种: 快速反馈
* 第三种: 持续学习
### DevOps软件开发
DevOps不会凭空产生它是一种灵活的实践它的本质是一种关于软件开发和IT基础设施实施的共享文化和思想。
当你想到自动化微服务时你会想到DevOps。在一次[访谈][13]中, "*加速构建和扩张高性能技术组织*"的作者Nicol Forsgren, Jez Humble和Gene Kim这样解释到
> * 软件交付能力关系到甚至极大地影响到组织结果例如利润,市场份额,质量,客户满意度以及达成组织的战略目标。
> * 优秀的团队能达到很高的交付量,稳定性和质量;他们并没有为了获得这些属性而进行取舍。
> * 你可以通过实施精益敏捷和DevOps中的实践来提升能力。
> * 实施这些实践和能力也会影响你的组织文化,并且会进一步对你的软件交付能力和组织能力产生有益的提升。
> * 懂得怎样改进能力需要做很多工作。
>
### DevOps和敏捷的对比
DevOps和敏捷有相似性但是他们不完全相同一些人认为DevOps比敏捷更好。为了避免造成混淆深入地了解他们是很重要的。
#### 相似之处
* 毫无疑问,两者都是软件开发技术;
* 敏捷已经存在了20多年DevOps是最近才出现的。
* 两者都追求软件的快速开发,它们的理念都基于怎样在不伤害客户或运维利益的情况下快速开发出软件。
#### 不同之处
* **两者的差异** 在于软件开发完成后发生的事情。
* 在DevOps和敏捷中软件开发测试和部署的阶段都相同。然而敏捷流程在这三个阶段之后会终止。相反DevOps包括后续持续的运维。因此DevOps会持续的监控软件运行情况和进行持续的开发。
* 敏捷中不同的人负责软件的开发测试和部署。而DevOps的工程角色负责所有活动开发即运维运维即开发。
* DevOps更关注于削减成本而敏捷则是精益和减少浪费的代名词侧重于像敏捷项目会计和最小可行产品的概念。
* **敏捷专注于并体现了经验主义(适应,透明和检查),而不是预测性措施。**
敏捷 | DevOps
---|---
从客户得到反馈 | 从自己得到反馈
较小的发布周期 | 较小的发布周期,立即反馈
聚焦于速度 | 聚焦于速度和自动化
对业务不是最好 | 对业务最好
### 总结
敏捷和DevOps是截然不同的尽管它们的相似之处使人们认为它们是相同的。 这对敏捷和DevOps都是一种伤害。
根据我作为一名敏捷专家的经验我发现对于组织和团队从高层次上了解敏捷和DevOps是什么以及它们如何帮助团队更高效地工作更快地交付高质量产品从而提高客户满意度非常有价值。
敏捷和DevOps绝不是对抗性的或至少没有这个意图。在敏捷革命中他们更像是盟友而不是敌人。敏捷和DevOps可以相互协作一致对外因此可以在相同的场合共存。
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/2/devops-vs-agile
作者:[Taz Brown][a]
选题:[lujun9972][b]
译者:[messon007](https://github.com/messon007)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/heronthecli
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/collab-team-pair-programming-code-keyboard.png?itok=kBeRTFL1 "Pair programming"
[2]: http://www.agilenutshell.com/agile_vs_waterfall
[3]: https://en.wikipedia.org/wiki/Project_management_triangle
[4]: https://www.pmi.org/learning/library/triple-constraint-erroneous-useless-value-8024
[5]: https://agilemanifesto.org/principles.html
[6]: https://agilemanifesto.org/
[7]: https://www.productplan.com/glossary/acceptance-criteria/
[8]: https://opensource.com/article/19/8/scrum-vs-kanban
[9]: https://www.scrum.org/
[10]: https://www.scrum.org/resources/what-is-an-increment
[11]: https://www.atlassian.com/agile/kanban
[12]: https://itrevolution.com/the-unicorn-project/
[13]: https://www.infoq.com/articles/book-review-accelerate/

333
translated/tech/20200312 Make SSL certs easy with k3s.md Normal file
View File

@ -0,0 +1,333 @@
[#]: collector: (lujun9972)
[#]: translator: (wxy)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Make SSL certs easy with k3s)
[#]: via: (https://opensource.com/article/20/3/ssl-letsencrypt-k3s)
[#]: author: (Lee Carpenter https://opensource.com/users/carpie)
用 k3s 轻松管理 SSL 证书
======
> 如何在树莓派上使用 k3s 和 Let's Encrypt 来加密你的网站。
![Files in a folder][1]
在[上一篇文章][2]中,我们在 k3s 集群上部署了几个简单的网站。那些是未加密的网站。很好,它们可以工作,但是未加密的网站有点太过时了!如今,大多数网站都是加密的。在本文中,我们将安装 [cert-manager][3] 并将其用于在集群上以部署采用 TLS 加密的网站。这些网站不仅会被加密,而且还会使用有效的公共证书,这些证书会从 [Let's Encrypt][4] 自动获取和更新!让我们开始吧!
### 所需材料
要继续阅读本文,你将需要我们在上一篇文章中构建的 [k3s 树莓派集群][5]。另外,你需要拥有一个公用静态 IP 地址,并有一个可以为其创建 DNS 记录的域名。如果你有一个动态 DNS 提供程序为你提供域名,可能也行。但是,在本文中,我们将使用静态 IP 和 [CloudFlare][6] 来手动创建 DNS 的 A 记录。
我们在本文中创建配置文件时,如果你不想键入它们,则可以在[此处][7]进行下载。
### 我们为什么使用 cert-manager
Traefik预先捆绑了 k3s实际上具有内置的 Let's Encrypt 支持因此你可能想知道为什么我们要安装第三方软件包来做同样的事情。在撰写本文时Traefik 中的 Let's Encrypt 支持检索证书并将其存储在文件中。cert-manager 会检索证书并将其存储在 Kubernetes 的 “<ruby>机密信息<rt>secrets</rt></ruby>” 中。我认为,“机密信息”可以简单地按名称引用,因此更易于使用。这就是我们在本文中使用 cert-manager 的主要原因。
### 安装 cert-manager
通常,我们只是遵循 cert-manager 的[文档][8]在 Kubernetes 上进行安装。但是,由于我们使用的是 ARM 体系结构,因此我们需要进行一些更改,以便我们可以完成这个操作。
第一步是创建 cert-manager 命名空间。命名空间有助于将 cert-manager 的<ruby>吊舱<rt>Pod</rt></ruby>排除在我们的默认命名空间之外,因此当我们使用自己的“吊舱”执行 `kubectl get pods` 之类的操作时,我们不必看到它们。创建名称空间很简单:
```
kubectl create namespace cert-manager
```
这份安装说明会告诉你下载 cert-manager 的 YAML 配置文件并将其一步全部应用到你的集群。我们需要将其分为两个步骤,以便为基于 ARM 的树莓派修改文件。我们将下载文件并一步一步进行转换:
```
curl -sL \
https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml |\
sed -r 's/(image:.*):(v.*)$/\1-arm:\2/g' > cert-manager-arm.yaml
```
这会下载配置文件,并将所有包含的 docker 镜像更新为 ARM 版本。来检查一下它做了什么:
```
$ grep image: cert-manager-arm.yaml
          image: "quay.io/jetstack/cert-manager-cainjector-arm:v0.11.0"
          image: "quay.io/jetstack/cert-manager-controller-arm:v0.11.0"
          image: "quay.io/jetstack/cert-manager-webhook-arm:v0.11.0"
```
如我们所见,三个镜像现在在镜像名称上添加了 `-arm`。现在我们有了正确的文件,我们只需将其应用于集群:
```
kubectl apply -f cert-manager-arm.yaml
```
这将安装所有的 cert-manager。我们可以通过 `kubectl --namespace cert-manager get pods` 来检查安装何时完成,直到所有“吊舱”都处于 `Running` 状态。
这实际上就完成了 cert-manager 的安装!
### Let's Encrypt 概述
Let's Encrypt 的好处是,它们免费为我们提供了经过公共验证的 TLS 证书!这意味着我们可以拥有一个完全有效的、可供任何人访问的 TLS 加密网站,这些家庭或业余的爱好活动挣不到钱,也无需自己掏腰包购买 TLS 证书!以及,当通过 cert-manager 使用 Let's Encrypt 的证书时,获得证书的整个过程是自动化的,证书的续订也是自动的!
但它是如何工作的?下面是该过程的简化说明。我们(或代表我们的 cert-manager向 Let's Encrypt 发出我们拥有的域名的证书请求。Let's Encrypt 通过使用 ACME DNS 或 HTTP 验证机制来验证我们是否拥有该域。如果验证成功,则 Let's Encrypt 将向我们提供证书,这些证书将由 cert-manager 安装在我们的网站(或其他 TLS 加密的终结点)中。在需要重复此过程之前,这些证书可以使用 90 天。但是cert-manager 会自动为我们更新证书。
在本文中,我们将使用 HTTP 验证方法因为它更易于设置并且适用于大多数情况。以下是幕后将发生的基本过程。cert-manager 将向 Let's Encrypt 发出证书请求。作为回应Let's Encrypt 将发出所有权验证的<ruby>质询<rt>challenges</rt></ruby>。这个质询是将一个 HTTP 资源放在请求证书的域名下的一个特定 URL 上。从理论上讲,如果我们可以将该资源放在该 URL 上,并且让 Let's Encrypt 可以远程获取它,那么我们实际上必须是该域的所有者。否则,要么我们无法将资源放置在正确的位置,要么我们无法操纵 DNS 以使 Let's Encrypt 访问它。在这种情况下cert-manager 会将资源放在正确的位置,并自动创建一个临时的 `Ingress` 记录,以将流量路由到正确的位置。如果 Let's Encrypt 可以读到该质询要求的资源并正确无误,它将把证书发回给 cert-manager。然后cert-manager 将证书存储为“机密信息”,然后我们的网站(或其他任何网站)将使用这些证书通过 TLS 保护我们的流量。
### 为该质询设置网络
我假设你要在家庭网络上进行设置,并拥有一个以某种方式连接到更广泛的互联网的路由器/接入点。如果不是这种情况,则可能不需要以下过程。
为了使质询过程正常运行,我们需要一个我们要申请证书的域名,以将其路由到端口 80 上的 k3s 集群。为此,我们需要告诉世界上的 DNS 系统它的位置。因此,我们需要将域名映射到我们的公共 IP 地址。如果你不知道你的公共 IP 地址是什么,可以访问 [WhatsMyIP][9] 之类的地方,它会告诉你。接下来,我们需要输入 DNS 的 A 记录,该记录将我们的域名映射到我们的公共 IP 地址。为了使此功能可靠地工作,你需要一个静态的公共 IP 地址,或者你可以使用动态 DNS 提供商。一些动态 DNS 提供商会向你颁发一个域名,你可以按照以下说明使用它。我没有尝试过,所以不能肯定地说它适用于所有提供商。
对于本文,我们将假设有一个静态公共 IP 并使用 CloudFlare 来设置 DNS 的 A 记录。如果愿意,可以使用自己的 DNS 提供程序。重要的是你可以设置 A 记录。
在本文的其余部分中,我将使用 [k3s.carpie.net][10] 作为示例域,因为这是我拥有的域。你显然会用自己拥有的任何域替换它。
为示例起见,假设我们的公共 IP 地址是 198.51.100.42。我们将转到我们的 DNS 提供商的 DNS 记录部分,并添加一个名为 [k3s.carpie.net][10] 的类型为 `A` 的记录CloudFlare 已经假定了域的部分,因此我们只需输入 `k3s`),然后输入 `198.51.100.42` 作为 IPv4 地址。
![][11]
请注意,有时 DNS 更新要传播一段时间。你可能需要几个小时才能解析该名称。在继续之前该名称必须可以解析。否则,我们所有的证书请求都将失败。
我们可以使用 `dig` 命令检查名称是否解析:
```
$ dig +short k3s.carpie.net
198.51.100.42
```
继续运行以上命令,直到可以返回 IP 才行。关于 CloudFlare 有个小注释ClouldFlare 提供了通过代理流量来隐藏你的实际 IP 的服务。在这种情况下,我们取回的是 CloudFlare 的 IP而不是我们的 IP。 但对于我们的目的,这应该可以正常工作。
网络配置的最后一步是配置路由器,以将端口 80 和 443 上的传入流量路由到我们的 k3s 集群。可悲的是,路由器配置页面的差异很大,因此我无法确切地说明你的外观是什么样子。大多数时候,我们需要的管理页面位于“端口转发”或类似内容下。我甚至看到过它列在“游戏”之下(显然是端口转发主要用于的游戏)!让我们看看我的路由器的配置如何。
![][12]
如果你和我的设置一样,则转到 192.168.0.1 登录到路由器管理应用程序。对于此路由器,它位于 “ NAT / QoS” -> “端口转发”。在这里,我们将端口 80/TCP 协议设置为转发到 192.168.0.50(主节点 `kmaster` 的 IP的端口 80。我们还将端口 443 设置为也映射到 `kmaster`。从技术上讲,这对于质询来说并不是必需的,但是在本文的结尾,我们将部署一个启用 TLS 的网站,并且需要映射 443 来进行访问。因此,现在进行映射很方便。我们保存并应用更改,应该一切顺利!
### 配置 cert-manager 来使用 Let's Encrypt暂存环境
现在,我们需要配置 cert-manager 来通过 Let's Encrypt 颁发证书。Let's Encrypt 为我们提供了一个暂存(例如用于测试)环境,以便审视我们的配置。这样它更能容忍错误和请求的频率。如果我们对生产环境做了错误的操作,我们很快就好发现自己被暂时禁止访问了!因此,我们将使用暂存环境手动测试请求。
创建一个文件 `letsencrypt-issuer-staging.yaml`,内容如下:
```
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# The ACME server URL
server: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: <your_email>@example.com
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging
# Enable the HTTP-01 challenge provider
solvers:
- http01:
ingress:
class: traefik
```
请确保将电子邮件地址更新为你的地址。如果出现问题或我们弄坏了一些东西,这就是 Let's Encrypt 与我们联系的方式!
现在,我们使用以下方法创建发行者:
```
kubectl apply -f letsencrypt-issuer-staging.yaml
```
我们可以使用以下方法检查发行者是否已成功创建:
```
kubectl get clusterissuers
```
`clusterissuers` 是由 cert-manager 创建的一种新的 Kubernetes 资源类型。
现在让我们手动请求一个测试证书。对于我们的网站,我们不需要这样做;我们只是在测试这个过程,以确保我们的配置正确。
创建一个包含以下内容的证书请求文件 `le-test-certificate.yaml`
```
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: k3s-carpie-net
namespace: default
spec:
secretName: k3s-carpie-net-tls
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
commonName: k3s.carpie.net
dnsNames:
- k3s.carpie.net
```
该记录仅表示我们要使用名为 `letsencrypt-staging`(我们在上一步中创建的)的 `ClusterIssuer` 来请求域 [k3s.carpie.net][10] 的证书,并在 Kubernetes 的机密信息中名为 `k3s-carpie-net-tls` 文件中存储该证书。
像平常一样应用它:
```
kubectl apply -f le-test-certificate.yaml
```
我们可以通过以下方式查看状态:
```
kubectl get certificates
```
如果我们看到类似以下内容:
```
NAME                    READY   SECRET                  AGE
k3s-carpie-net          True    k3s-carpie-net-tls      30s
```
我们走在幸福之路!(这里的关键是`READY` 是 `True`)。
### 解决证书颁发问题
上面是幸福的道路。如果 `READY``False`,我们可以等等它,然后再次花点时间检查状态。如果它一直是 `False`,那么我们就有一个需要解决的问题。此时,我们可以遍历 Kubernetes 资源链,直到找到一条告诉我们问题的状态消息。
假设我们执行了上面的请求,而 `READY``False`。我们可以从以下方面开始故障排除:
```
kubectl describe certificates k3s-carpie-net
```
这将返回很多信息。通常,有用的内容位于 `Events:` 部分,该部分通常位于底部。假设最后一个事件是 `Created new CertificateRequest resource "k3s-carpie-net-1256631848`。然后我们<ruby>描述<rt> describe</rt></ruby>一些该请求:
```
kubectl describe certificaterequest k3s-carpie-net-1256631848
```
现在比如说最后一个事件是 `Waiting on certificate issuance from order default/k3s-carpie-net-1256631848-2342473830`
那么,我们可以描述该顺序:
```
`kubectl describe orders default/k3s-carpie-net-1256631848-2342473830`
```
假设有一个事件,事件为 `Created Challenge resource "k3s-carpie-net-1256631848-2342473830-1892150396" for domain "k3s.carpie.net"`。让我们描述一下该质询:
```
kubectl describe challenges k3s-carpie-net-1256631848-2342473830-1892150396
```
从这里返回的最后一个事件是 `Presented challenge using http-01 challenge mechanism`。看起来没问题,因此我们浏览一下描述的输出,并看到一条消息 `Waiting for http-01 challenge propagation: failed to perform self check GET request … no such host`。终于!我们发现了问题!在这种情况下,`no such host` 意味着 DNS 查找失败,因此我们需要返回并手动检查我们的 DNS 设置,正确解析域的 DNS并进行所需的任何更改。
### 清理我们的测试证书
我们实际上想要使用的是域名的真实证书,所以让我们继续清理证书和我们刚刚创建的机密信息:
```
kubectl delete certificates k3s-carpie-net
kubectl delete secrets k3s-carpie-net-tls
```
### 配置 cert-manager 以使用 Let's Encrypt生产环境
现在我们已经有了测试证书,是时候移动到生产环境了。就像我们在 Let's Encrypt 暂存环境中配置 cert-manager 一样,我们现在也需要对生产环境进行同样的操作。创建一个名为 `letsencrypt-issuer-production.yaml` 的文件(如果需要,可以复制和修改暂存环境的文件),其内容如下:
```
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: <your_email>@example.com
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-prod
# Enable the HTTP-01 challenge provider
solvers:
- http01:
ingress:
class: traefik
```
(如果要从暂存环境进行复制,则唯一的更改是 `server:` URL。也请不要忘记修改电子邮件
应用它:
```
kubectl apply -f letsencrypt-issuer-production.yaml
```
### 申请我们网站的证书
重要的是要注意,我们到目前为止完成的所有步骤都是一次性设置的!对于将来的任何其他申请,我们可以从这个说明开始!
让我们部署在[上一篇文章][13]中部署的同样站点。(如果仍然可用,则可以修改 YAML 文件。如果没有,则可能需要重新创建并重新部署它)。
我们只需要将 `mysite.yaml``Ingress` 部分修改为:
```
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: mysite-nginx-ingress
annotations:
kubernetes.io/ingress.class: "traefik"
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
rules:
- host: k3s.carpie.net
http:
paths:
- path: /
backend:
serviceName: mysite-nginx-service
servicePort: 80
tls:
- hosts:
- k3s.carpie.net
secretName: k3s-carpie-net-tls
```
请注意,上面仅显示了 `mysite.yaml``Ingress` 部分。所做的更改是添加了注释 `cert-manager.io/cluster-issuer: letsencrypt-prod`。这告诉 traefik 创建证书时使用哪个发行者。 唯一的其他增加是 `tls:` 块。这告诉 traefik 我们希望在主机 [k3s.carpie.net][10] 上具有 TLS 功能,并且我们希望 TLS 证书文件存储在机密信息 `k3s-carpie-net-tls` 中。
请记住我们没有创建这些证书好吧我们创建了名称相似的测试证书但我们删除了这些证书。Traefik 将读取这些配置并继续寻找机密信息。当找不到时,它会看到注释说我们想使用 `letsencrypt-prod` 发行者来获取它。由此,它将提出请求并为我们安装证书到机密信息之中!
大功告成! 让我们尝试一下。
它现在具有了加密 TLS 所有优点!恭喜你!
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/3/ssl-letsencrypt-k3s
作者:[Lee Carpenter][a]
选题:[lujun9972][b]
译者:[wxy](https://github.com/wxy)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/carpie
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/files_documents_paper_folder.png?itok=eIJWac15 (Files in a folder)
[2]: https://carpie.net/articles/ingressing-with-k3s
[3]: https://cert-manager.io/
[4]: https://letsencrypt.org/
[5]: https://opensource.com/article/20/3/kubernetes-raspberry-pi-k3s
[6]: https://cloudflare.com/
[7]: https://gitlab.com/carpie/k3s_using_certmanager/-/archive/master/k3s_using_certmanager-master.zip
[8]: https://cert-manager.io/docs/installation/kubernetes/
[9]: https://whatsmyip.org/
[10]: http://k3s.carpie.net
[11]: https://opensource.com/sites/default/files/uploads/ep011_dns_example.png
[12]: https://opensource.com/sites/default/files/uploads/ep011_router.png
[13]: https://carpie.net/articles/ingressing-with-k3s#deploying-a-simple-website
[14]: http://cert-manager.io/cluster-issuer