zeaslity/CmiiDeploy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

新增rke-安全部分

Browse Source
This commit is contained in:
zeaslity
2025-02-21 14:15:35 +08:00
parent c5780f90d7
commit 84ecf9d0e6
5 changed files with 293 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
.idea/22.希腊项目-阿里云-德国.iml generated
View File

@@ -1,10 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<module type="JAVA_MODULE" version="4">
<component name="Go" enabled="true" />
<component name="NewModuleRootManager" inherit-compiler-output="true">
<exclude-output />
<content url="file://$MODULE_DIR$" />
<orderEntry type="inheritedJdk" />
<orderEntry type="sourceFolder" forTests="false" />
</component>
</module>

10
.idea/CmiiDeploy.iml generated Normal file
View File

@@ -0,0 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<module version="4">
<component name="TemplatesService">
<option name="TEMPLATE_FOLDERS">
<list>
<option value="$MODULE_DIR$/1-outside-deploy/2-helm-chart/nfs-subdir-external-provisioner/templates" />
</list>
</option>
</component>
</module>

2
.idea/modules.xml generated
View File

@@ -2,7 +2,7 @@
<project version="4"> <project version="4">
<component name="ProjectModuleManager"> <component name="ProjectModuleManager">
<modules> <modules>
<module fileurl="file://$PROJECT_DIR$/.idea/22.希腊项目-阿里云-德国.iml" filepath="$PROJECT_DIR$/.idea/22.希腊项目-阿里云-德国.iml" /> <module fileurl="file://$PROJECT_DIR$/.idea/CmiiDeploy.iml" filepath="$PROJECT_DIR$/.idea/CmiiDeploy.iml" />
</modules> </modules>
</component> </component>
</project> </project>

2
999-数据库脚本/z_database_execute.sh
View File

@@ -14,6 +14,8 @@ for sql_file in $(ls "$sql_import_file_path" | sort -n -k1.1,1.2); do
echo "" echo ""
done done
https://oss.demo.uavcmlc.com/cmlc-installation/downloadfile/amd/mysql-8.0.27-linux-glibc2.17-x86_64-minimal.zip
# dev # dev
# /root/wdd/mysql/bin/mysql -uroot -pGwubc6CxRM -h192.168.35.178 -P33306 <"$sql_import_file_path/${sql_file}" # /root/wdd/mysql/bin/mysql -uroot -pGwubc6CxRM -h192.168.35.178 -P33306 <"$sql_import_file_path/${sql_file}"

280
999-部署模板/rke-cluster-with_security.yml Normal file
View File

@@ -0,0 +1,280 @@
nodes:
- address: 192.168.0.8
user: rke-installer
role:
- controlplane
- etcd
- worker
internal_address: 192.168.0.8
labels:
ingress-deploy: true
uavcloud.env: demo
- address: 192.168.0.65
user: rke-installer
role:
- worker
internal_address: 192.168.0.65
labels:
uavcloud.env: demo
- address: 192.168.0.45
user: rke-installer
role:
- worker
internal_address: 192.168.0.45
labels:
uavcloud.env: demo
- address: 192.168.0.7
user: rke-installer
role:
- worker
internal_address: 192.168.0.7
labels:
mysql-deploy: true
uavcloud.env: demo
- address: 192.168.0.9
user: rke-installer
role:
- worker
internal_address: 192.168.0.9
labels:
uavcloud.env: demo
- address: 192.168.0.10
user: rke-installer
role:
- worker
internal_address: 192.168.0.10
labels:
uavcloud.env: demo
- address: 192.168.0.11
user: rke-installer
role:
- worker
internal_address: 192.168.0.11
labels:
uavcloud.env: demo
- address: 192.168.0.83
user: rke-installer
role:
- worker
internal_address: 192.168.0.83
labels:
uavcloud.env: demo
- address: 192.168.0.84
user: rke-installer
role:
- worker
internal_address: 192.168.0.84
labels:
uavcloud.env: demo
- address: 192.168.0.85
user: rke-installer
role:
- worker
internal_address: 192.168.0.85
labels:
uavcloud.env: demo
authentication:
strategy: x509
sans:
- "192.168.0.8"
private_registries:
- url: 192.168.0.8:8033 # 私有镜像库地址
user: admin
password: "V2ryStr@ngPss"
is_default: true
##############################################################################
# 默认值为false如果设置为true当发现不支持的Docker版本时RKE不会报错
ignore_docker_version: true
# Set the name of the Kubernetes cluster
cluster_name: rke-cluster
kubernetes_version: v1.20.4-rancher1-1
ssh_key_path: /home/rke-installer/.ssh/id_ed25519
# Enable running cri-dockerd
# Up to Kubernetes 1.23, kubelet contained code called dockershim
# to support Docker runtime. The replacement is called cri-dockerd
# and should be enabled if you want to keep using Docker as your
# container runtime
# Only available to enable in Kubernetes 1.21 and higher
enable_cri_dockerd: true
services:
etcd:
backup_config:
enabled: false
interval_hours: 72
retention: 3
safe_timestamp: false
timeout: 300
creation: 12h
extra_args:
election-timeout: 5000
heartbeat-interval: 500
cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
gid: 0
retention: 72h
snapshot: false
uid: 0
kube-api:
# IP range for any services created on Kubernetes
# This must match the service_cluster_ip_range in kube-controller
service_cluster_ip_range: 10.74.0.0/16
# Expose a different port range for NodePort services
service_node_port_range: 30000-40000
always_pull_images: true
pod_security_policy: false
# Add additional arguments to the kubernetes API server
# This WILL OVERRIDE any existing defaults
extra_args:
# Enable audit log to stdout
audit-log-path: "-"
# Increase number of delete workers
delete-collection-workers: 3
# Set the level of log output to warning-level
v: 1
kube-controller:
# CIDR pool used to assign IP addresses to pods in the cluster
cluster_cidr: 10.100.0.0/16
# IP range for any services created on Kubernetes
# This must match the service_cluster_ip_range in kube-api
service_cluster_ip_range: 10.74.0.0/16
# Add additional arguments to the kubernetes API server
# This WILL OVERRIDE any existing defaults
extra_args:
# Set the level of log output to debug-level
v: 1
# Enable RotateKubeletServerCertificate feature gate
feature-gates: RotateKubeletServerCertificate=true
# Enable TLS Certificates management
# https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
cluster-signing-cert-file: "/etc/kubernetes/ssl/kube-ca.pem"
cluster-signing-key-file: "/etc/kubernetes/ssl/kube-ca-key.pem"
kubelet:
# Base domain for the cluster
cluster_domain: cluster.local
# IP address for the DNS service endpoint
cluster_dns_server: 10.74.0.10
# Fail if swap is on
fail_swap_on: false
# Set max pods to 250 instead of default 110
extra_binds:
- "/data/minio-pv:/hostStorage" # 不要修改 为minio的pv添加
extra_args:
max-pods: 122
# Optionally define additional volume binds to a service
scheduler:
extra_args:
# Set the level of log output to warning-level
v: 0
tls-cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
kubeproxy:
extra_args:
# Set the level of log output to warning-level
v: 1
authorization:
mode: rbac
addon_job_timeout: 30
# Specify network plugin-in (canal, calico, flannel, weave, or none)
network:
mtu: 1440
options:
flannel_backend_type: vxlan
plugin: calico
tolerations:
- key: "node.kubernetes.io/unreachable"
operator: "Exists"
effect: "NoExecute"
tolerationseconds: 300
- key: "node.kubernetes.io/not-ready"
operator: "Exists"
effect: "NoExecute"
tolerationseconds: 300
# Specify DNS provider (coredns or kube-dns)
dns:
provider: coredns
nodelocal: {}
# Available as of v1.1.0
update_strategy:
strategy: RollingUpdate
rollingUpdate:
maxUnavailable: 20%
maxSurge: 15%
linear_autoscaler_params:
cores_per_replica: 0.34
nodes_per_replica: 4
prevent_single_point_failure: true
min: 2
max: 3
tolerations:
- key: "node.kubernetes.io/unreachable"
operator: "Exists"
effect: "NoExecute"
tolerationseconds: 300
- key: "node.kubernetes.io/not-ready"
operator: "Exists"
effect: "NoExecute"
tolerationseconds: 300
# Specify monitoring provider (metrics-server)
monitoring:
provider: metrics-server
# Available as of v1.1.0
update_strategy:
strategy: RollingUpdate
rollingUpdate:
maxUnavailable: 8
ingress:
provider: nginx
default_backend: true
http_port: 0
https_port: 0
extra_envs:
- name: TZ
value: Asia/Shanghai
node_selector:
ingress-deploy: true
options:
use-forwarded-headers: "true"
access-log-path: /var/log/nginx/access.log
# client-body-timeout: '6000'
# compute-full-forwarded-for: 'true'
# enable-underscores-in-headers: 'true'
# log-format-escape-json: 'true'
# log-format-upstream: >-
# { "msec": "$msec", "connection": "$connection", "connection_requests":
# "$connection_requests", "pid": "$pid", "request_id": "$request_id",
# "request_length": "$request_length", "remote_addr": "$remote_addr",
# "remote_user": "$remote_user", "remote_port": "$remote_port",
# "http_x_forwarded_for": "$http_x_forwarded_for", "time_local":
# "$time_local", "time_iso8601": "$time_iso8601", "request": "$request",
# "request_uri": "$request_uri", "args": "$args", "status": "$status",
# "body_bytes_sent": "$body_bytes_sent", "bytes_sent": "$bytes_sent",
# "http_referer": "$http_referer", "http_user_agent": "$http_user_agent",
# "http_host": "$http_host", "server_name": "$server_name", "request_time":
# "$request_time", "upstream": "$upstream_addr", "upstream_connect_time":
# "$upstream_connect_time", "upstream_header_time": "$upstream_header_time",
# "upstream_response_time": "$upstream_response_time",
# "upstream_response_length": "$upstream_response_length",
# "upstream_cache_status": "$upstream_cache_status", "ssl_protocol":
# "$ssl_protocol", "ssl_cipher": "$ssl_cipher", "scheme": "$scheme",
# "request_method": "$request_method", "server_protocol": "$server_protocol",
# "pipe": "$pipe", "gzip_ratio": "$gzip_ratio", "http_cf_ray": "$http_cf_ray",
# "geoip_country_code": "$geoip_country_code" }
# proxy-body-size: 5120m
# proxy-read-timeout: '6000'
# proxy-send-timeout: '6000'