diff --git a/.idea/22.希腊项目-阿里云-德国.iml b/.idea/22.希腊项目-阿里云-德国.iml
deleted file mode 100644
index 68ec9c2..0000000
--- a/.idea/22.希腊项目-阿里云-德国.iml
+++ /dev/null
@@ -1,10 +0,0 @@
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.idea/CmiiDeploy.iml b/.idea/CmiiDeploy.iml
new file mode 100644
index 0000000..58e0704
--- /dev/null
+++ b/.idea/CmiiDeploy.iml
@@ -0,0 +1,10 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/modules.xml b/.idea/modules.xml
index 70ee85a..34b7b1e 100644
--- a/.idea/modules.xml
+++ b/.idea/modules.xml
@@ -2,7 +2,7 @@
-
+
\ No newline at end of file
diff --git a/999-数据库脚本/z_database_execute.sh b/999-数据库脚本/z_database_execute.sh
index 6533d2e..c2dd958 100644
--- a/999-数据库脚本/z_database_execute.sh
+++ b/999-数据库脚本/z_database_execute.sh
@@ -14,6 +14,8 @@ for sql_file in $(ls "$sql_import_file_path" | sort -n -k1.1,1.2); do
echo ""
done
+ https://oss.demo.uavcmlc.com/cmlc-installation/downloadfile/amd/mysql-8.0.27-linux-glibc2.17-x86_64-minimal.zip
+
# dev
# /root/wdd/mysql/bin/mysql -uroot -pGwubc6CxRM -h192.168.35.178 -P33306 <"$sql_import_file_path/${sql_file}"
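Review bot: The added line `https://oss.demo.uavcmlc.com/cmlc-installation/downloadfile/amd/mysql-8.0.27-linux-glibc2.17-x86_64-minimal.zip` after `done` is not commented out, so the shell will try to execute the URL as a command and fail with "command not found" on every run (and abort the script if it runs under `set -e`, which this hunk does not show). If it is meant as a pointer to where the MySQL binary comes from, make it a comment: `# MySQL binary: https://oss.demo.uavcmlc.com/cmlc-installation/downloadfile/amd/mysql-8.0.27-linux-glibc2.17-x86_64-minimal.zip`. The `# dev` line kept as context still carries the database password inline (`-pGwubc6CxRM`); it is not part of this change, but it is worth moving out of the script into a credentials file or environment variable. The `for` loop named in the hunk header starts before this hunk.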
diff --git a/999-部署模板/rke-cluster-with_security.yml b/999-部署模板/rke-cluster-with_security.yml
new file mode 100644
index 0000000..2d05322
--- /dev/null
+++ b/999-部署模板/rke-cluster-with_security.yml
@@ -0,0 +1,280 @@
+nodes:
+ - address: 192.168.0.8
+ user: rke-installer
+ role:
+ - controlplane
+ - etcd
+ - worker
+ internal_address: 192.168.0.8
+ labels:
+ ingress-deploy: true
+ uavcloud.env: demo
+ - address: 192.168.0.65
+ user: rke-installer
+ role:
+ - worker
+ internal_address: 192.168.0.65
+ labels:
+ uavcloud.env: demo
+ - address: 192.168.0.45
+ user: rke-installer
+ role:
+ - worker
+ internal_address: 192.168.0.45
+ labels:
+ uavcloud.env: demo
+ - address: 192.168.0.7
+ user: rke-installer
+ role:
+ - worker
+ internal_address: 192.168.0.7
+ labels:
+ mysql-deploy: true
+ uavcloud.env: demo
+ - address: 192.168.0.9
+ user: rke-installer
+ role:
+ - worker
+ internal_address: 192.168.0.9
+ labels:
+ uavcloud.env: demo
+ - address: 192.168.0.10
+ user: rke-installer
+ role:
+ - worker
+ internal_address: 192.168.0.10
+ labels:
+ uavcloud.env: demo
+ - address: 192.168.0.11
+ user: rke-installer
+ role:
+ - worker
+ internal_address: 192.168.0.11
+ labels:
+ uavcloud.env: demo
+ - address: 192.168.0.83
+ user: rke-installer
+ role:
+ - worker
+ internal_address: 192.168.0.83
+ labels:
+ uavcloud.env: demo
+ - address: 192.168.0.84
+ user: rke-installer
+ role:
+ - worker
+ internal_address: 192.168.0.84
+ labels:
+ uavcloud.env: demo
+ - address: 192.168.0.85
+ user: rke-installer
+ role:
+ - worker
+ internal_address: 192.168.0.85
+ labels:
+ uavcloud.env: demo
+
+authentication:
+ strategy: x509
+ sans:
+ - "192.168.0.8"
+
+private_registries:
+ - url: 192.168.0.8:8033 # 私有镜像库地址
+ user: admin
+ password: "V2ryStr@ngPss"
+ is_default: true
+
+##############################################################################
+
+# 默认值为false,如果设置为true,当发现不支持的Docker版本时,RKE不会报错
+ignore_docker_version: true
+
+# Set the name of the Kubernetes cluster
+cluster_name: rke-cluster
+
+kubernetes_version: v1.20.4-rancher1-1
+
+ssh_key_path: /home/rke-installer/.ssh/id_ed25519
+
+# Enable running cri-dockerd
+# Up to Kubernetes 1.23, kubelet contained code called dockershim
+# to support Docker runtime. The replacement is called cri-dockerd
+# and should be enabled if you want to keep using Docker as your
+# container runtime
+# Only available to enable in Kubernetes 1.21 and higher
+enable_cri_dockerd: true
+
+services:
+ etcd:
+ backup_config:
+ enabled: false
+ interval_hours: 72
+ retention: 3
+ safe_timestamp: false
+ timeout: 300
+ creation: 12h
+ extra_args:
+ election-timeout: 5000
+ heartbeat-interval: 500
+ cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
+ gid: 0
+ retention: 72h
+ snapshot: false
+ uid: 0
+
+ kube-api:
+ # IP range for any services created on Kubernetes
+ # This must match the service_cluster_ip_range in kube-controller
+ service_cluster_ip_range: 10.74.0.0/16
+ # Expose a different port range for NodePort services
+ service_node_port_range: 30000-40000
+ always_pull_images: true
+ pod_security_policy: false
+ # Add additional arguments to the kubernetes API server
+ # This WILL OVERRIDE any existing defaults
+ extra_args:
+ # Enable audit log to stdout
+ audit-log-path: "-"
+ # Increase number of delete workers
+ delete-collection-workers: 3
+ # Set the level of log output to warning-level
+ v: 1
+ kube-controller:
+ # CIDR pool used to assign IP addresses to pods in the cluster
+ cluster_cidr: 10.100.0.0/16
+ # IP range for any services created on Kubernetes
+ # This must match the service_cluster_ip_range in kube-api
+ service_cluster_ip_range: 10.74.0.0/16
+ # Add additional arguments to the kubernetes API server
+ # This WILL OVERRIDE any existing defaults
+ extra_args:
+ # Set the level of log output to debug-level
+ v: 1
+ # Enable RotateKubeletServerCertificate feature gate
+ feature-gates: RotateKubeletServerCertificate=true
+ # Enable TLS Certificates management
+ # https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
+ cluster-signing-cert-file: "/etc/kubernetes/ssl/kube-ca.pem"
+ cluster-signing-key-file: "/etc/kubernetes/ssl/kube-ca-key.pem"
+ kubelet:
+ # Base domain for the cluster
+ cluster_domain: cluster.local
+ # IP address for the DNS service endpoint
+ cluster_dns_server: 10.74.0.10
+ # Fail if swap is on
+ fail_swap_on: false
+ # Set max pods to 250 instead of default 110
+ extra_binds:
+ - "/data/minio-pv:/hostStorage" # 不要修改 为minio的pv添加
+ extra_args:
+ max-pods: 122
+ # Optionally define additional volume binds to a service
+ scheduler:
+ extra_args:
+ # Set the level of log output to warning-level
+ v: 0
+ tls-cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
+ kubeproxy:
+ extra_args:
+ # Set the level of log output to warning-level
+ v: 1
+
+authorization:
+ mode: rbac
+
+addon_job_timeout: 30
+
+# Specify network plugin-in (canal, calico, flannel, weave, or none)
+network:
+ mtu: 1440
+ options:
+ flannel_backend_type: vxlan
+ plugin: calico
+ tolerations:
+ - key: "node.kubernetes.io/unreachable"
+ operator: "Exists"
+ effect: "NoExecute"
+ tolerationseconds: 300
+ - key: "node.kubernetes.io/not-ready"
+ operator: "Exists"
+ effect: "NoExecute"
+ tolerationseconds: 300
+
+# Specify DNS provider (coredns or kube-dns)
+dns:
+ provider: coredns
+ nodelocal: {}
+ # Available as of v1.1.0
+ update_strategy:
+ strategy: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 20%
+ maxSurge: 15%
+ linear_autoscaler_params:
+ cores_per_replica: 0.34
+ nodes_per_replica: 4
+ prevent_single_point_failure: true
+ min: 2
+ max: 3
+ tolerations:
+ - key: "node.kubernetes.io/unreachable"
+ operator: "Exists"
+ effect: "NoExecute"
+ tolerationseconds: 300
+ - key: "node.kubernetes.io/not-ready"
+ operator: "Exists"
+ effect: "NoExecute"
+ tolerationseconds: 300
+
+# Specify monitoring provider (metrics-server)
+monitoring:
+ provider: metrics-server
+ # Available as of v1.1.0
+ update_strategy:
+ strategy: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 8
+
+ingress:
+ provider: nginx
+ default_backend: true
+ http_port: 0
+ https_port: 0
+ extra_envs:
+ - name: TZ
+ value: Asia/Shanghai
+ node_selector:
+ ingress-deploy: true
+ options:
+ use-forwarded-headers: "true"
+ access-log-path: /var/log/nginx/access.log
+# client-body-timeout: '6000'
+# compute-full-forwarded-for: 'true'
+# enable-underscores-in-headers: 'true'
+# log-format-escape-json: 'true'
+# log-format-upstream: >-
+# { "msec": "$msec", "connection": "$connection", "connection_requests":
+# "$connection_requests", "pid": "$pid", "request_id": "$request_id",
+# "request_length": "$request_length", "remote_addr": "$remote_addr",
+# "remote_user": "$remote_user", "remote_port": "$remote_port",
+# "http_x_forwarded_for": "$http_x_forwarded_for", "time_local":
+# "$time_local", "time_iso8601": "$time_iso8601", "request": "$request",
+# "request_uri": "$request_uri", "args": "$args", "status": "$status",
+# "body_bytes_sent": "$body_bytes_sent", "bytes_sent": "$bytes_sent",
+# "http_referer": "$http_referer", "http_user_agent": "$http_user_agent",
+# "http_host": "$http_host", "server_name": "$server_name", "request_time":
+# "$request_time", "upstream": "$upstream_addr", "upstream_connect_time":
+# "$upstream_connect_time", "upstream_header_time": "$upstream_header_time",
+# "upstream_response_time": "$upstream_response_time",
+# "upstream_response_length": "$upstream_response_length",
+# "upstream_cache_status": "$upstream_cache_status", "ssl_protocol":
+# "$ssl_protocol", "ssl_cipher": "$ssl_cipher", "scheme": "$scheme",
+# "request_method": "$request_method", "server_protocol": "$server_protocol",
+# "pipe": "$pipe", "gzip_ratio": "$gzip_ratio", "http_cf_ray": "$http_cf_ray",
+# "geoip_country_code": "$geoip_country_code" }
+# proxy-body-size: 5120m
+# proxy-read-timeout: '6000'
+# proxy-send-timeout: '6000'
+
+
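Review bot: The `password: "V2ryStr@ngPss"` entry under `private_registries` commits a plaintext registry credential for the `admin` account into version control next to the full node inventory; keep the template with a placeholder such as `password: "<REGISTRY_PASSWORD>"` filled in at deploy time, and treat the value already committed as exposed and rotate it. The etcd `cipher-suites` and scheduler `tls-cipher-suites` lists both include the non-forward-secret `TLS_RSA_*` suites and the CBC suites, which undercuts a file named `with_security`; unless a legacy client needs them, trimming the lists to the `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` entries is the safer default. The label values `ingress-deploy: true` and `mysql-deploy: true` (on the nodes and in `ingress.node_selector`) parse as YAML booleans while Kubernetes label values are strings, so quote them as `"true"` the way `use-forwarded-headers: "true"` already is, rather than relying on the loader to coerce them. `enable_cri_dockerd: true` sits under `kubernetes_version: v1.20.4-rancher1-1` even though the comment directly above it says the option is only available from 1.21, so one of the two looks stale and should be reconciled.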