From: 刘洪青
Date: Fri, 11 Mar 2022 06:30:36 +0000 (+0800)
Subject: chore: nwpu,1.2
X-Git-Url: https://source.supwisdom.com/gerrit/gitweb?a=commitdiff_plain;h=a1bab1565f58809f97ac44ab6e9b931e51ae4718;p=institute%2Fdeploy-authx-service.git
chore: nwpu,1.2
---
diff --git "a/project/nwpu/1.2.6_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0009_202110080900_1__TABLE.sql" "b/project/nwpu/1.2.6_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0009_202110080900_1__TABLE.sql"
new file mode 100644
index 0000000..4680a3b
--- /dev/null
+++ "b/project/nwpu/1.2.6_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0009_202110080900_1__TABLE.sql"
@@ -0,0 +1,12 @@
+-- V1.2.0009_202110080900_1__TABLE.sql
+
+
+ALTER TABLE `TB_B_ACCOUNT` ADD INDEX `IDX_ACCOUNT_USERNAME` (`USER_NAME` ASC);
+
+ALTER TABLE `TB_B_ORGANIZATION` ADD INDEX `IDX_ORG_NAME` (`NAME` ASC);
+
+ALTER TABLE `TB_B_IDENTITY_TYPE` ADD UNIQUE INDEX `UQ_ID_TYPE_CODE` (`CODE` ASC);
+ALTER TABLE `TB_B_IDENTITY_TYPE` ADD INDEX `IDX_ID_TYPE_NAME` (`NAME` ASC);
+
+ALTER TABLE TB_B_ACCOUNT ADD COLUMN ACCOUNT_NAME_PAD VARCHAR(255) NOT NULL DEFAULT(LPAD(ACCOUNT_NAME, 20, ' '));
+ALTER TABLE TB_B_ACCOUNT ADD INDEX ACCOUNT_NAME_PAD(ACCOUNT_NAME_PAD);
diff --git "a/project/nwpu/1.2.6_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0010_202110121800_1__TABLE_TB_B_IDENTITY_PIC.sql" "b/project/nwpu/1.2.6_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0010_202110121800_1__TABLE_TB_B_IDENTITY_PIC.sql"
new file mode 100644
index 0000000..8f048dc
--- /dev/null
+++ "b/project/nwpu/1.2.6_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0010_202110121800_1__TABLE_TB_B_IDENTITY_PIC.sql"
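Review bot: `DEFAULT(LPAD(ACCOUNT_NAME, 20, ' '))` on the new ACCOUNT_NAME_PAD column (last two statements of the hunk) is evaluated only when a row is inserted without that column, so any later UPDATE of ACCOUNT_NAME leaves the padded copy and the index built on it stale; if ACCOUNT_NAME can change, a stored generated column keeps them in sync: `ALTER TABLE \`TB_B_ACCOUNT\` ADD COLUMN \`ACCOUNT_NAME_PAD\` VARCHAR(255) GENERATED ALWAYS AS (LPAD(\`ACCOUNT_NAME\`, 20, ' ')) STORED;` followed by `ALTER TABLE \`TB_B_ACCOUNT\` ADD INDEX \`IDX_ACCOUNT_NAME_PAD\` (\`ACCOUNT_NAME_PAD\` ASC);` (keep NOT NULL only if ACCOUNT_NAME is itself NOT NULL, since LPAD of NULL is NULL). Whether the target MySQL version accepts a reference to another column inside a DEFAULT expression cannot be confirmed from the hunk; the generated-column form avoids the question. LPAD also shortens values longer than 20 characters, so two account names sharing the same first 20 characters map to the same padded value — harmless for a non-unique index, but worth a one-line comment above the statement so nobody later makes it UNIQUE. Those two statements additionally drop the backtick quoting and the `IDX_` prefix used by the rest of the file, and `ACCOUNT_NAME_PAD(ACCOUNT_NAME_PAD)` names the index after the column, which reads as a slip.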
@@ -0,0 +1,18 @@
+-- V1.2.0010_202110121800_1__TABLE_TB_B_IDENTITY_PIC.sql
+
+
+ALTER TABLE `TB_B_IDENTITY_PIC`
+CHANGE COLUMN `IDENTITY_PIC_1` `IDENTITY_PIC_1` VARCHAR(500) NOT NULL COMMENT '证照图片1';
+
+ALTER TABLE `TB_B_IDENTITY_PIC`
+CHANGE COLUMN `IDENTITY_PIC_2` `IDENTITY_PIC_2` VARCHAR(500) NULL DEFAULT NULL COMMENT '证照图片2';
+
+ALTER TABLE `TB_B_IDENTITY_PIC`
+CHANGE COLUMN `IDENTITY_PIC_3` `IDENTITY_PIC_3` VARCHAR(500) NULL DEFAULT NULL COMMENT '证照图片3';
+
+ALTER TABLE `TB_B_IDENTITY_PIC`
+CHANGE COLUMN `IDENTITY_PIC_4` `IDENTITY_PIC_4` VARCHAR(500) NULL DEFAULT NULL COMMENT '证照图片4';
+
+ALTER TABLE `TB_B_IDENTITY_PIC`
+CHANGE COLUMN `IDENTITY_PIC_5` `IDENTITY_PIC_5` VARCHAR(500) NULL DEFAULT NULL COMMENT '证照图片5';
+
diff --git "a/project/nwpu/1.2.7_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0009_202109041000_1__TABLE_USER.sql" "b/project/nwpu/1.2.7_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0009_202109041000_1__TABLE_USER.sql"
new file mode 100644
index 0000000..99f9cbb
--- /dev/null
+++ "b/project/nwpu/1.2.7_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0009_202109041000_1__TABLE_USER.sql"
@@ -0,0 +1,19 @@
+-- V1.2.0009_202109041000_1__TABLE_USER.sql
+
+
+ALTER TABLE `TB_B_USER`
+ADD COLUMN `EXTERNAL_ID` VARCHAR(64) NULL COMMENT '外部ID';
+
+ALTER TABLE `TB_B_ACCOUNT`
+ADD COLUMN `EXTERNAL_ID` VARCHAR(64) NULL COMMENT '外部ID';
+
+ALTER TABLE `TB_B_ORGANIZATION`
+ADD COLUMN `EXTERNAL_ID` VARCHAR(64) NULL COMMENT '外部ID';
+
+ALTER TABLE `TB_B_GROUP`
+ADD COLUMN `EXTERNAL_ID` VARCHAR(64) NULL COMMENT '外部ID';
+
+ALTER TABLE `TB_B_USER` ADD UNIQUE INDEX `UQ_EXTERNAL_ID` (`EXTERNAL_ID` ASC);
+ALTER TABLE `TB_B_ACCOUNT` ADD UNIQUE INDEX `UQ_EXTERNAL_ID` (`EXTERNAL_ID` ASC);
+ALTER TABLE `TB_B_ORGANIZATION` ADD UNIQUE INDEX `UQ_EXTERNAL_ID` (`EXTERNAL_ID` ASC);
+ALTER TABLE `TB_B_GROUP` ADD UNIQUE INDEX `UQ_EXTERNAL_ID` (`EXTERNAL_ID` ASC);
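Review bot: The first ALTER tightens IDENTITY_PIC_1 to NOT NULL with no DEFAULT and no backfill, so if existing rows hold NULL there the statement fails under strict SQL mode and the migration stops right after the header comment, while in non-strict mode those NULLs may be silently rewritten to '' — the column's previous nullability is not visible in this hunk, so either a pre-check such as `SELECT COUNT(*) FROM \`TB_B_IDENTITY_PIC\` WHERE \`IDENTITY_PIC_1\` IS NULL;` belongs in the runbook or an explicit UPDATE belongs before the ALTER. `CHANGE COLUMN x x` is the rename form; `MODIFY COLUMN` says what is intended and drops the duplicated identifier. All five statements rebuild the same table, so they can be one ALTER with five MODIFY clauses, which is a single rebuild instead of five; the merged form is below.
```sql
ALTER TABLE `TB_B_IDENTITY_PIC`
    MODIFY COLUMN `IDENTITY_PIC_1` VARCHAR(500) NOT NULL COMMENT '证照图片1',
    MODIFY COLUMN `IDENTITY_PIC_2` VARCHAR(500) NULL DEFAULT NULL COMMENT '证照图片2',
    MODIFY COLUMN `IDENTITY_PIC_3` VARCHAR(500) NULL DEFAULT NULL COMMENT '证照图片3',
    MODIFY COLUMN `IDENTITY_PIC_4` VARCHAR(500) NULL DEFAULT NULL COMMENT '证照图片4',
    MODIFY COLUMN `IDENTITY_PIC_5` VARCHAR(500) NULL DEFAULT NULL COMMENT '证照图片5';
```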
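Review bot: Each of TB_B_USER, TB_B_ACCOUNT, TB_B_ORGANIZATION and TB_B_GROUP is altered twice — ADD COLUMN at the top of the hunk and ADD UNIQUE INDEX at the bottom — which is two table rebuilds apiece where one suffices: `ALTER TABLE \`TB_B_USER\` ADD COLUMN \`EXTERNAL_ID\` VARCHAR(64) NULL COMMENT '外部ID', ADD UNIQUE INDEX \`UQ_USER_EXTERNAL_ID\` (\`EXTERNAL_ID\` ASC);` and likewise for the other three. The UNIQUE index on a nullable column only works for existing rows because MySQL permits any number of NULLs in a unique index; that reliance should be stated, e.g. `-- EXTERNAL_ID is nullable: rows without an external identity keep NULL; uniqueness applies to non-NULL values only`. If EXTERNAL_ID is the key an upstream identity source is matched on (the `'外部ID'` comment suggests so), the uniqueness constraint is the control that stops one external subject from resolving to two local principals, and the comment should name that as its purpose. Reusing `UQ_EXTERNAL_ID` on four tables is legal since index names are per table, but the rest of this commit embeds the table in the name (`UQ_ID_TYPE_CODE`, `IDX_ORG_NAME`), so `UQ_USER_EXTERNAL_ID`, `UQ_ACCOUNT_EXTERNAL_ID` and so on would keep constraint errors greppable.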
diff --git "a/project/nwpu/k8s-rancher/0.1.0.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\351\203\250\347\275\262\346\236\266\346\236\204.md" "b/project/nwpu/k8s-rancher/0.1.0.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\351\203\250\347\275\262\346\236\266\346\236\204.md"
new file mode 100644
index 0000000..27ca2d8
--- /dev/null
+++ "b/project/nwpu/k8s-rancher/0.1.0.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\351\203\250\347\275\262\346\236\266\346\236\204.md"
@@ -0,0 +1,4 @@
+
+# 认证授权服务部署架构
+
+
diff --git "a/project/nwpu/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.md" "b/project/nwpu/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.md"
new file mode 100644
index 0000000..a92e6a0
--- /dev/null
+++ "b/project/nwpu/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.md"
@@ -0,0 +1,970 @@ + +# 安装部署手册 + +**业务中台之认证授权服务** + + +* 修订历史 + +版本 | 作者 | 日期 | 备注 +- | - | - | - +v1 | 刘洪青 | 2020-06-10 | 初稿 + + +[TOC] + + +## 安装准备 + +### MySQL 初始配置及相关基础命令 + +数据文件目录:/var/lib/mysql + +* 安装完成后,调整 mysql 服务的配置参数 + + 查看当前配置:show variables; + + 最大连接数 max_connections + 操作日志的保留时长 binlog_expire_logs_seconds + + 参考命令: + ``` + set global max_connections = 1000; + set persist max_connections = 1000; + + // 7天 86400 * 7 + // 1天 86400 + set global binlog_expire_logs_seconds = 86400 * 7; + set persist binlog_expire_logs_seconds = 86400 * 7; + ``` + + 时区设置 + + 确保MySQL 的时区设置为 GMT+8 + + +* 创建数据库帐号 + + 参考命令: + ``` + create user 'user'@'%' identified with mysql_native_password by 'your_password'; + ``` + + +* 创建 database + + 参考命令: + ``` + create database `user` DEFAULT CHARSET utf8 COLLATE utf8_general_ci; + ``` + + +* 授予权限 + + 将 database 的权限授予对应的帐号 + + 参考命令: + ``` + grant all privileges on `user`.* to 'user'@'%' with grant option; + ``` + + +* 授予 SUPER 权限 + 由于 部分帐号 需要创建 触发器,故,需要 SUPER 权限 + 涉及帐号有 user、user_authz、cas_server + + 参考命令: + ``` + grant SUPER on *.* to 'user'@'%'; + grant SUPER on *.* to 'user_authz'@'%'; + grant SUPER on *.* to 'cas_server'@'%'; + + grant SUPER on *.* to 'tmp_data'@'%'; + ``` + + +* 备份与还原 + + 参考命令: + 备份: + ``` + mysqldump -u root -p cas_server > cas_server.sql + mysqldump -u root -p token_server > token_server.sql + mysqldump -u root -p user > user.sql + mysqldump -u root -p user_authz > user_authz.sql + mysqldump -u root -p agent_service > agent_service.sql + ``` + + 还原: + ``` + mysql -u root -p cas_server < cas_server.sql + mysql -u root -p token_server < token_server.sql + mysql -u root -p user < user.sql + mysql -u root -p user_authz < user_authz.sql + mysql -u root -p agent_service < agent_service.sql + ``` + + +### Harbor 准备及相关说明 + +* 创建 devops 帐号 + + 用于 rancher 部署时拉取镜像 + + 用户管理 下 创建用户 + 如 devops + + +* 镜像同步 + + 从 https://harbor.supwisdom.com 中同步镜像 + + 仓库管理 下 新建目标 + ``` + supwisdom https://harbor.supwisdom.com rancher.devops / 
PWMgP85qiLFC + ``` + + 同步管理 下 新建规则 + + ``` + admin-portal admin-portal/* + authx-service authx-service/* + + thirdparty-agent-service thirdparty-agent-service/* + + user-data-service goa/* + user-authorization-service user-authorization-service/* + cas-server cas-server/* + token-server token-server/* + + jobs-server jobs-server/* + + personal-security-center personal-security-center/* + ``` + + 同步规则,创建完成后,进行镜像同步 + + 选择某个同步规则,点击 同步,等待任务完成 + + +* 授予 devops 帐号 对各个项目的 访客 权限 + + 项目 下,点击 项目名称,进入到 成员,添加用户,查找用户 devops,选择角色 访客,确定,添加即可 + + +### Rancher 准备及相关说明 + +* 创建项目 + + 进入 全局 - 集群(具体名称视项目安装而定) - 项目/命名空间,添加项目 + + 输入 项目名称,保存 + + +* 创建命名空间 + + 进入 全局 - 集群(具体名称视项目安装而定) - 项目/命名空间 + + 在新建的项目中,添加命名空间 + + 输入 名称,保存 + + +* 导入YAML + + 进入 全局 - 集群(具体名称视项目安装而定) - 项目(某个项目) + + 进入 资源 - 工作负载 + + +### 域名准备 + +* 确定域名 + + 首先明确是否使用泛域名,如:`*.paas.xxx.edu.cn`,或 直接使用学校域名 `xxx.edu.cn` + + 本产品安装需要的域名如下: + ``` + cas.paas.xxx.edu.cn 认证(视具体情况,可调整) + token.paas.xxx.edu.cn 认证(APP适用) + + personal-security-center.paas.xxx.edu.cn 个人安全中心后端API + + security-center.paas.xxx.edu.cn 安全中心前端UI(帐号激活、忘记密码) + + authx-minio.paas.xxx.edu.cn 文件服务 + ``` + + 如果使用 学校域名,则去除 .paas 即可,同时申请开通相关域名 + + +### 应用配置项说明 + +#### 公共配置项 + +* JVM 相关 + + ConfigMap,jvm-env + + key | 说明 | 配置示例 + - | - | - + MAX_RAM_PERCENTAGE | JAVA 应用,JVM内存 占 POD内存的比例 | 75.0 + + +* 数据库连接配置相关 + + Secret,datasource-env-secret + + key | 说明 | 配置示例 + - | - | - + JDBC_URL | 数据源连接配置(base64加密) | amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvdXNlcj9zZXJ2ZXJUaW1lem9uZT1Bc2lhL1NoYW5naGFp + JDBC_USERNAME | 数据库用户(base64加密) | dXNlcg== + JDBC_PASSWORD | 数据库密码(base64加密) | a2luZ3N0YXI= + + +* redis 连接配置相关 + + Secret,redis-env-secret + + key | 说明 | 配置示例 + - | - | - + SPRING_REDIS_HOST | redis 服务(base64加密),默认为 redis-server | cmVkaXMtc2VydmVy + SPRING_REDIS_PORT | redis 服务端口(base64加密),默认为 6379 | NjM3OQ== + SPRING_REDIS_PASSWORD | redis 服务密码(base64加密) | + + +* rabbit mq 连接配置相关 + + Secret,rabbitmq-env-secret + + key | 说明 | 配置示例 + - | - | - 
+ SPRING_RABBITMQ_HOST | rabbit mq 服务(base64加密),默认为 rabbitmq-server | cmFiYml0bXEtc2VydmVy + SPRING_RABBITMQ_PORT | rabbit mq 服务端口(base64加密),默认为 5672 | NTY3Mg== + SPRING_RABBITMQ_USERNAME | rabbit mq 服务用户(base64加密) | + SPRING_RABBITMQ_PASSWORD | rabbit mq 服务密码(base64加密) | + + +#### 服务配置项 + +注: +外部访问地址,一般为域名地址,需要根据学校域名进行修改 +k8s集群内部地址,为集群内部,跨namespace访问的域名地址,一般无须修改 + + +* auth-service 下的 authx-service-minio + + Secret,minio-env-secret + + key | 说明 | 配置示例 + - | - | - + MINIO_ACCESS_KEY | minio帐号(base64加密),默认为 1y8N@8R@a_2u | MXk4TkA4UkBhXzJ1 + MINIO_SECRET_KEY | minio密钥(base64加密),默认为 8pxlIe9#lN7Q | OHB4bEllOSNsTjdR + + +* auth-service 下的 poa-api-docs-installer + + ConfigMap,poa-api-docs-installer-env + + key | 说明 | 配置示例 + - | - | - + POA_SERVER_URL | POA网关地址(外部访问地址) | http://poa.paas.xxx.edu.cn + POA_SA_SERVER_URL | POA管理接口地址(k8s集群内部地址) | http://poa-sa-svc.poa.svc.cluster.local:8443 + - | - | - + USER_API_SERVER_URL | 用户服务开放接口地址(k8s集群内部地址) | http://user-data-service-poa-svc.user-data-service.svc.cluster.local:8080 + USER_AUTHZ_API_SERVER_URL | 授权服务开放接口地址(k8s集群内部地址) | http://user-authorization-poa-svc.user-authorization-service.svc.cluster.local:8080 + COMMUNICATE_API_SERVER_URL | 通信服务开放接口地址(k8s集群内部地址) | http://communicate-center-poa-svc.communicate-center.svc.cluster.local:8080 + + +* thirdparty-agent-service 下的 thirdparty-agent-service + + ConfigMap,agent-service-env + + key | 说明 | 配置示例 + - | - | - + FILE_MINIO_AUTOCONFIGURE_ENABLED | minio 服务开启开关 | true、false + FILE_MINIO_ENDPOINT | minio 服务地址(k8s集群内部地址) | http://minio-svc.authx-service.svc.cluster.local:9000 + - | - | - + MAIL_SMTP_AUTOCONFIGURE_ENABLED | smtp 服务开启开关 | true、false + MAIL_SMTP_HOST | smtp 服务地址 | smtp.mxhichina.com + MAIL_SMTP_PORT | smtp 服务端口 | 25 + MAIL_SMTP_SECURE_MODE | smtp 服务的安全模式(NONE,无;SSL,安全) | NONE + MAIL_SMTP_USERNAME | smtp 服务帐号 | security.institute@supwisdom.com + MAIL_SMTP_PASSWORD | smtp 服务密码 | Security2019 + MAIL_SMTP_FROM | 发件人邮箱 | security.institute@supwisdom.com + 
MAIL_SMTP_FROM_PERSONAL | 发件人名称 | 智慧校园 + - | - | - + SMS_ALIYUN_AUTOCONFIGURE_ENABLED | 阿里云短信服务开启开关 | true、false + SMS_ALIYUN_REGION_ID | 区域 | cn-hangzhou + SMS_ALIYUN_ACCESS_KEY_ID | 阿里云短信服务的帐号 | + SMS_ALIYUN_ACCESS_SECRET | 阿里云短信服务的密钥 | + + Secret,agent-service-env-secret + + key | 说明 | 配置示例 + - | - | - + FILE_MINIO_ACCESSKEY | minio 服务帐号(base64加密),默认为 1y8N@8R@a_2u | MXk4TkA4UkBhXzJ1 + FILE_MINIO_SECRETKEY | minio 服务密钥(base64加密),默认为 8pxlIe9#lN7Q | OHB4bEllOSNsTjdR + + +* user-data-service 下的 user-data-service-poa + + ConfigMap,user-data-service-poa-env + + key | 说明 | 配置示例 + - | - | - + CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080 + - | - | - + TPAS_FILE_API_URL | 文件服务接口地址(k8s集群内部地址)
默认:minio文件服务 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio + + +* user-data-service 下的 user-data-service-goa + + ConfigMap,user-data-service-goa-env + + key | 说明 | 配置示例 + - | - | - + PASSWORD_ENCODER_IMPL | 密码加密算法的实现
default:支持 bcrypt 等加密算法,默认;
SHA-256:支持 SHA-256 加密算法 | default、SHA-256 + - | - | - + JOBS_RABBITMQ_ENABLED | 是否推送数据到 jobs-server 的 rabbit mq | true、false + JOBS_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.jobs-server.svc.cluster.local + JOBS_RABBITMQ_PORT | rabbit mq 服务端口 | 5672 + JOBS_RABBITMQ_USERNAME | rabbit mq 服务用户 | + JOBS_RABBITMQ_PASSWORD | rabbit mq 服务密码 | + JOBS_RABBITMQ_ACCOUNTUSERSVC2JOBSRABBITSENDER_ENABLED | 是否同步帐号数据至 jobs 的 MQ | true、false + JOBS_RABBITMQ_ACCOUNTUSERSVC2JOBSSYNCPASSWORDRABBITSENDER_ENABLED | 是否同步密码(明文密码)到 jobs 的 MQ | true、false + JOBS_RABBITMQ_ORGANIZATIONUSERSVC2JOBSRABBITSENDER_ENABLED | 是否同步组织机构数据至 jobs 的 MQ | true、false + JOBS_RABBITMQ_GROUPUSERSVC2JOBSRABBITSENDER_ENABLED | 是否同步用户组数据至 jobs 的 MQ | true、false + + +* user-data-service 下的 user-data-service-biz + + ConfigMap,user-data-service-biz-env + + key | 说明 | 配置示例 + - | - | - + CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080 + - | - | - + TPAS_FILE_API_URL | 文件服务接口地址(k8s集群内部地址)
默认:minio文件服务 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio + + +* user-authorization-service 下的 user-authorization-service-poa + + ConfigMap,user-authorization-service-poa-env + + key | 说明 | 配置示例 + - | - | - + USER_DATA_SERVICE_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080 + + +* user-authorization-service 下的 user-authorization-service-sa + + ConfigMap,user-authorization-service-sa-env + + key | 说明 | 配置示例 + - | - | - + 暂无 | | + + +* cas-server 下的 cas-server-sa-api + + ConfigMap,cas-server-sa-api-env + + key | 说明 | 配置示例 + - | - | - + SERVICE_REFRESH_REDIS_TIMER_ENABLED | 是否定时刷新应用对接数据
默认:true | true、false + ACCOUNT_REFRESH_REDIS_TIMER_ENABLED | 是否定时刷新帐号数据
默认:false | true、false + FEDERATION_REFRESH_REDIS_TIMER_ENABLED | 是否定时刷新联合登录帐号绑定数据
默认:true | true、false + - | - | - + USER_DATA_SERVICE_SA_API_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080 + + +* cas-server 下的 cas-server-security-engine + + ConfigMap,cas-server-security-engine-env + + key | 说明 | 配置示例 + - | - | - + CASSERVER_SA_API_SERVER_URL | CAS认证服务开放接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080 + + +* cas-server 下的 cas-server-site-webapp + + ConfigMap,cas-server-site-webapp-env + + key | 说明 | 配置示例 + - | - | - + LOGGING_CONFIG | 日志配置文件路径 | file:/etc/cas/log4j2-file.xml + - | - | - + CAS_SERVER_NAME | CAS认证地址(外部访问地址) | https://cas.paas.xxx.edu.cn + CAS_TGC_SECURE | TGC cookie 安全设置
true:https安全
false: | true、false + CAS_TICKET_TGT_MAX_TIME_TO_LIVE_IN_SECONDS | TGT的最大生命周期
默认:14天 | 1209600 + CAS_TICKET_TGT_TIME_TO_KILL_IN_SECONDS | TGT的失效时长
默认:2天 | 172800 + CAS_AUTHN_TOKEN_CRYPTO_SIGNING_KEY | jwt格式的ticket的签名密钥 | `(@K7qy)awCjxp$L653Mf$2` + SPRING_THYMELEAF_PREFIX | 登录页面UI的代码目录 | classpath:/templates/themes/classic/ + - | - | - + CASSERVER_FEDERATION_QQ_ENABLED | 联合登录 QQ,是否启用 | true、false + CASSERVER_FEDERATION_QQ_APPID | 联合登录 QQ,appid | + CASSERVER_FEDERATION_QQ_APPKEY | 联合登录 QQ,appkey | + - | - | - + CASSERVER_FEDERATION_OPENWEIXIN_ENABLED | 联合登录 微信,是否启用 | true、false + CASSERVER_FEDERATION_OPENWEIXIN_APPID | 联合登录 微信,appid | + CASSERVER_FEDERATION_OPENWEIXIN_APPSECRET | 联合登录 微信,appsecret | + - | - | - + CASSERVER_FEDERATION_WORKWEIXIN_ENABLED | 联合登录 企业微信,是否启用 | true、false + CASSERVER_FEDERATION_WORKWEIXIN_CORPID | 联合登录 企业微信,企业ID | + CASSERVER_FEDERATION_WORKWEIXIN_AGENTID | 联合登录 企业微信,应用AgentId | + CASSERVER_FEDERATION_WORKWEIXIN_SECRET | 联合登录 企业微信,Secret | + - | - | - + CASSERVER_FEDERATION_ALIPAY_ENABLED | 联合登录 支付宝,是否启用 | true、false + CASSERVER_FEDERATION_ALIPAY_APPID | 联合登录 支付宝,appid | + CASSERVER_FEDERATION_ALIPAY_APPPRIVATEKEY | 联合登录 支付宝,应用私钥 | + CASSERVER_FEDERATION_ALIPAY_ALIPAYPUBLICKEY | 联合登录 支付宝,支付宝公钥 | + - | - | - + CASSERVER_JWT_ISS | idToken 签发者标识 | cas.paas.xxx.edu.cn + CASSERVER_JWT_PRIVATE_KEY_PEM_PKCS8 | idToken 签名私钥(pkcs8),参考 certs/jwt/readme.md 生成公私钥pem | + CASSERVER_JWT_PUBLIC_KEY_PEM | idToken 签名公钥,参考 certs/jwt/readme.md 生成公私钥pem | + - | - | - + CASSERVERSITE_CAPTCHA_ENABLED | 是否启用登录验证码 | true、false + CASSERVERSITE_ACCOUNT_SERVICE_IMPL | 帐号服务的实现
redis:帐号数据存放在redis中
user-sa:帐号数据从用户服务获取 | user-sa + CASSERVERSITE_ROLE_SERVICE_IMPL | 角色服务的实现
redis:角色数据存放在redis中
user-authz-sa:角色数据从授权服务获取 | user-authz-sa + CASSERVERSITE_SMS_SENDER_IMPL | 动态密码的短信发送实现
default:控制台输出
agent-service:代理服务 | agent-service + CASSERVERSITE_PASSWORDLESS_TOKEN_EXPIRATION_IN_SECONDS | 动态密码失效时长
默认:5分钟 | 300 + CASSERVERSITE_PASSWORDLESS_SMS_FROM | 动态密码的短信发送者 | 认证中心 + CASSERVERSITE_PASSWORDLESS_SMS_TEXT_TEMPLATE | 动态密码的短信模板 | 【认证中心】您正在登录统一身份认证,本次登录的动态密码为{token},有效期5分钟,请尽快完成登录。 + - | - | - + TPAS_AGENT_SERVICE_SERVER_URL | 代理服务接口地址(k8s集群内部地址) | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080 + TPAS_AGENT_SERVICE_SMS_SENDER_PATH | 短信发送服务地址
console:控制台输出,默认
aliyun:阿里云短信服务
其他,支持学校定制接口 | /api/v1/tpas/sms/console/send + TPAS_AGENT_SERVICE_FILE_PATH | 文件服务地址
默认:minio文件服务 | /api/v1/tpas/file/minio + - | - | - + CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080 + - | - | - + USER_DATA_SERVICE_SA_API_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080 + - | - | - + USER_AUTHZ_SERVICE_SA_API_SERVER_URL | 授权服务管理接口地址(k8s集群内部地址) | http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080 + - | - | - + SUPERAPP_TOKEN_SIGNING_KEY_URL | TOKEN认证验签公钥地址(外部访问地址) | https://token.paas.xxx.edu.cn/jwt/publicKey + + +* cas-server 下的 cas-server-site-scheme + + ConfigMap,cas-server-site-scheme-config + + key | 说明 | 配置示例 + - | - | - + SCHEME_COLOR | UI 主题色 | 409EFF + - | - | - + CASSERVER_SA_API_SERVER_URL | CAS认证服务开放接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080 + + 注:若配置了 CASSERVER_SA_API_SERVER_URL,则使用配置表中的配置;否则,使用 SCHEME_COLOR 指定的设置。 + + +* token-server 下的 token-server + + ConfigMap,token-server-env + + key | 说明 | 配置示例 + - | - | - + TOKEN_SERVER_PREFIX | TOKEN认证地址(外部访问地址) | https://token.paas.xxx.edu.cn + - | - | - + TOKEN_SERVER_SECURITY_JWT_ISS | idToken签发者标识 | token.paas.xxx.edu.cn + TOKEN_SERVER_SECURITY_JWT_EXPIRATION | idToken 失效时长
默认:30天 | 2592000 + TOKEN_SERVER_SECURITY_JWT_PRIVATE_KEY_PEM_PKCS8 | idToken 签名私钥(pkcs8),参考 certs/jwt/readme.md 生成公私钥pem
可以与CAS认证一致 | + TOKEN_SERVER_SECURITY_JWT_PUBLIC_KEY_PEM | idToken 签名公钥,参考 certs/jwt/readme.md 生成公私钥pem
可以与CAS认证一致 | + - | - | - + TOKEN_SERVER_FACE_SOURCE_TYPE | 人脸服务
aiface:新开普人脸
aipface:百度人脸 | aiface + 若须对接新开普人脸,须由新开普人脸系统提供相关配置 | + TOKEN_SERVER_FACE_AIFACE_URL | | + TOKEN_SERVER_FACE_AIFACE_APPKEY | | + TOKEN_SERVER_FACE_AIFACE_APPSECRET | | + TOKEN_SERVER_FACE_AIFACE_SECRETKEY | | + TOKEN_SERVER_FACE_AIFACE_TERM_CODE | | + 若须对接百度人脸,须在百度开放平台注册应用 | + TOKEN_SERVER_FACE_AIPFACE_APPID | | + TOKEN_SERVER_FACE_AIPFACE_APIKEY | | + TOKEN_SERVER_FACE_AIPFACE_SECRETKEY | | + - | - | - + TOKEN_SERVER_PASSWORDLESS_TOKEN_EXPIRATION_IN_SECONDS | 动态密码失效时长
默认:5分钟 | 300 + TOKEN_SERVER_PASSWORDLESS_SMS_TEXT_TEMPLATE | 动态密码的短信模板 | 【认证中心】您正在登录统一身份认证,本次登录的动态密码为{token},有效期5分钟,请尽快完成登录。 + TOKEN_SERVER_PASSWORDLESS_SMS_FROM | 动态密码的短信发送者 | 认证中心 + - | - | - + MESSAGECENTER_ENABLED | 是否对接消息平台
默认:false| true、false + MESSAGECENTER_APP_ID | 应用ID(由消息平台生成)| + MESSAGECENTER_MESSAGE_TYPE_CODE_APP_LOGIN | 消息类型代码(APP 登录) | APP_LOGIN + - | - | - + POA_SERVER_URL | POA网关地址(外部访问地址) | https://poa.paas.xxx.edu.cn + POA_CLIENT_ID | client id | + POA_CLIENT_SECRET | client secret | + POA_SCOPES | api 接口的 scope | messagecenter:v1:sendMessage + - | - | - + TPAS_AGENT_SERVICE_SERVER_URL | 代理服务接口地址(k8s集群内部地址) | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080 + TPAS_AGENT_SERVICE_SMS_SENDER_PATH | 短信发送服务地址
console:控制台输出,默认
aliyun:阿里云短信服务
其他,支持学校定制接口 | /api/v1/tpas/sms/console/send + - | - | - + CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080 + - | - | - + USER_DATA_SERVICE_SA_API_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080 + + +* personal-security-center 下的 personal-security-center-bff + + ConfigMap,personal-security-center-bff-env + + key | 说明 | 配置示例 + - | - | - + PERSONAL_SECURITY_CENTER_SERVER_PREFIX | 个人安全中心访问地址(外部访问地址) | https://personal-security-center.paas.xxx.edu.cn + CAS_SERVER_PREFIX | CAS认证地址(外部访问地址) | https://cas.paas.xxx.edu.cn + - | - | - + CASSERVER_SITE_SERVER_URL | CAS认证接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080 + - | - | - + CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080 + - | - | - + USER_DATA_SERVICE_SA_API_SERVER_URL | 用户服务开放接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080 + - | - | - + TPAS_FILE_API_URL | 文件服务接口地址(k8s集群内部地址)
默认:minio文件服务 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio + TPAS_MAIL_API_URL | 邮件发送服务地址(k8s集群内部地址)
console:控制台输出,默认
smtp:SMTP服务
其他,支持学校定制接口 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/mail/smtp + TPAS_SMS_API_URL | 短信发送服务地址(k8s集群内部地址)
console:控制台输出,默认
aliyun:阿里云短信服务
其他,支持学校定制接口 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/sms/console + + ConfigMap,personal-security-center-bff-template-env + 邮件内容模板、短信内容模板 + + key | 说明 | 配置示例 + - | - | - + EMAIL_TEMPLATE_ACTIVE_USER_SEND_CODE_BY_EMAIL_ADDRESS | 邮件内容模板-激活帐号 | {name}:您正在激活帐号,须验证邮箱有效,验证码{code},有效期5分钟,请尽快完成验证。 + EMAIL_TEMPLATE_FORGOT_PASSWORD_SEND_CODE | 邮件内容模板-找回密码 | {name}:您正在找回密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + - | - | - + EMAIL_TEMPLATE_USER_SECURITY_PASSWORD_SEND_CODE | 邮件内容模板-修改密码 | {name}:您正在修改密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + EMAIL_TEMPLATE_USER_SECURITY_EMAIL_ADDRESS_SEND_CODE | 邮件内容模板-修改安全邮箱 | {name}:您正在修改安全邮箱,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + EMAIL_TEMPLATE_USER_SECURITY_EMAIL_ADDRESS_SEND_CODE_BY_EMAIL_ADDRESS | 邮件内容模板-修改安全邮箱-验证邮箱 | {name}:您正在修改安全邮箱,须验证邮箱有效,验证码{code},有效期5分钟,请尽快完成验证。 + EMAIL_TEMPLATE_USER_SECURITY_MOBILE_SEND_CODE | 邮件内容模板-修改安全手机 | {name}:您正在修改安全手机,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + - | - | - + EMAIL_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE | 邮件内容模板-绑定QQ | {name}:您正在绑定QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + EMAIL_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE_UNBIND_QQ | 邮件内容模板-解绑QQ | {name}:您正在解绑QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + EMAIL_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE | 邮件内容模板-绑定微信 | {name}:您正在绑定微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + EMAIL_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE_UNBIND_OPENWEIXIN | 邮件内容模板-解绑微信 | {name}:您正在解绑微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + EMAIL_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE | 邮件内容模板-绑定企业微信 | {name}:您正在绑定企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + EMAIL_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE_UNBIND_WORKWEIXIN | 邮件内容模板-解绑企业微信 | {name}:您正在解绑企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + EMAIL_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE | 邮件内容模板-绑定支付宝 | {name}:您正在绑定支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + EMAIL_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE_UNBIND_ALIPAY | 邮件内容模板-解绑支付宝 | {name}:您正在解绑支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + - | - | - + 
SMS_TEMPLATE_ACTIVE_USER_SEND_CODE_BY_PRE_MOBILE | 短信内容模板-激活帐号-预留手机身份验证 | {prefix}您正在激活帐号,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + SMS_TEMPLATE_ACTIVE_USER_SEND_CODE_BY_MOBILE | 短信内容模板-激活帐号 | {prefix}您正在激活帐号,须验证手机有效,验证码{code},有效期5分钟,请尽快完成验证。 + SMS_TEMPLATE_FORGOT_PASSWORD_SEND_CODE| 短信内容模板-找回密码 | {prefix}您正在找回密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + - | - | - + SMS_TEMPLATE_USER_SECURITY_PASSWORD_SEND_CODE | 短信内容模板-修改密码 | {prefix}您正在修改密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + SMS_TEMPLATE_USER_SECURITY_EMAIL_ADDRESS_SEND_CODE | 短信内容模板-修改安全邮箱 | {prefix}您正在修改安全邮箱,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + SMS_TEMPLATE_USER_SECURITY_MOBILE_SEND_CODE | 短信内容模板-修改安全手机 | {prefix}您正在修改安全手机,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + SMS_TEMPLATE_USER_SECURITY_MOBILE_SEND_CODE_BY_MOBILE | 短信内容模板-修改安全手机-验证手机 | {prefix}您正在修改安全手机,须验证手机有效,验证码{code},有效期5分钟,请尽快完成验证。 + - | - | - + SMS_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE | 邮件内容模板-绑定QQ | {prefix}您正在绑定QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + SMS_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE_UNBIND_QQ | 邮件内容模板-解绑QQ | {prefix}您正在解绑QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + SMS_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE | 邮件内容模板-绑定微信 | {prefix}您正在绑定微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + SMS_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE_UNBIND_OPENWEIXIN | 邮件内容模板-解绑微信 | {prefix}您正在解绑微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + SMS_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE | 邮件内容模板-绑定企业微信 | {prefix}您正在绑定企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + SMS_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE_UNBIND_WORKWEIXIN | 邮件内容模板-解绑企业微信 | {prefix}您正在解绑企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + SMS_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE | 邮件内容模板-绑定支付宝 | {prefix}您正在绑定支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + SMS_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE_UNBIND_ALIPAY | 邮件内容模板-解绑支付宝 | {prefix}您正在解绑支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。 + - | - | - + SMS_TEMPLATE_ACCOUNT_INFO_SEND_CODE_BY_MOBILE | 帐号查询-验证手机 | {prefix}您当前正在查询账号,须验证手机有效,验证码{code},有效期5分钟,请尽快完成验证。' + SMS_TEMPLATE_ACCOUNT_INFO_SEND_ACCOUNT_NAME | 
帐号查询-发送帐号名 | {prefix}您当前正在查询账号,查询结果为:{accountName},账号是您在学校中的重要信息,请妥善保管。' + - | - | - + SMS_TEMPLATE_PREFIX | 短信签名、前缀 | + + +* personal-security-center 下的 personal-security-center-zuul + + ConfigMap,personal-security-center-zuul-env + + key | 说明 | 配置示例 + - | - | - + APP_SERVER_HOST_URL | 个人安全中心访问地址(外部访问地址) | http://personal-security-center.paas.xxx.edu.cn + CAS_SERVER_HOST_URL | CAS认证地址(外部访问地址) | https://cas.paas.xxx.edu.cn + - | - | - + APPLICATION_INDEX_REDIRECT_URI | 网关服务的默认首页,安全中心访问地址(外部访问地址) | http://security-center.paas.xxx.edu.cn + + +* personal-security-center 下的 security-center-ui + + ConfigMap,security-center-ui-env + + key | 说明 | 配置示例 + - | - | - + RESOURCE_PREFIX | LOGO、FAVICON 等资源地址 | http://authx-minio.paas.xxx.edu.cn/security-center-ui + MAIN_SERVER | 安全中心访问地址(外部访问地址) | http://security-center.paas.xxx.edu.cn + - | - | - + PERSONAL_CENTER_API | 后端API,个人安全中心访问地址(外部访问地址) | http://personal-security-center.paas.xxx.edu.cn + - | - | - + AUTH_CAS | CAS认证地址(外部访问地址) | http://cas.paas.xxx.edu.cn/cas + JWT_ISS | JWT Token 签名方标识 | http://cas.paas.xxx.edu.cn/cas + JWT_SECRET | JWT Token 签名密钥 | 固定值,`(@K7qy)awCjxp$L653Mf$2` + + +## 开始安装 + + +### 数据库创建 + +* 数据库帐号 + + 以下是 各服务对应的数据库帐号 + + 服务 | 数据库帐号 + - | - + 用户服务 user-data-service | user + 授权服务 user-authorization-service | user_authz + 认证服务 cas-server | cas_server + 认证服务(APP适用) token-server | token_server + - | - + 第三方代理服务 thridparty-agent-service | agent_service + - | - + v4认证迁移数据 | tmp_data + + 命令: + **请修改命令中的 `your_password` 为实际的数据库帐号的密码** + ``` + create user 'user'@'%' identified with mysql_native_password by 'your_password'; + create user 'user_authz'@'%' identified with mysql_native_password by 'your_password'; + create user 'cas_server'@'%' identified with mysql_native_password by 'your_password'; + create user 'token_server'@'%' identified with mysql_native_password by 'your_password'; + + create user 'agent_service'@'%' identified with mysql_native_password by 'your_password'; + + create user 'tmp_data'@'%' 
identified with mysql_native_password by 'your_password'; + ``` + + +* 数据库 + + 以下是 各服务对应的数据库 + + 服务 | 数据库 + - | - + 用户服务 user-data-service | user + 授权服务 user-authorization-service | user_authz + 认证服务 cas-server | cas_server + 认证服务(APP适用) token-server | token_server + - | - + 第三方代理服务 thridparty-agent-service | agent_service + - | - + v4认证迁移数据 | tmp_data + + 命令: + ``` + create database `user` DEFAULT CHARSET utf8 COLLATE utf8_general_ci; + create database `user_authz` DEFAULT CHARSET utf8 COLLATE utf8_general_ci; + create database `cas_server` DEFAULT CHARSET utf8 COLLATE utf8_general_ci; + create database `token_server` DEFAULT CHARSET utf8 COLLATE utf8_general_ci; + + create database `agent_service` DEFAULT CHARSET utf8 COLLATE utf8_general_ci; + + create database `tmp_data` DEFAULT CHARSET utf8 COLLATE utf8_general_ci; + ``` + + +* 数据库权限授予 + + 将 database 的权限授予对应的帐号 + + 命令: + ``` + grant all privileges on `user`.* to 'user'@'%' with grant option; + grant all privileges on `user_authz`.* to 'user_authz'@'%' with grant option; + grant all privileges on `cas_server`.* to 'cas_server'@'%' with grant option; + grant all privileges on `token_server`.* to 'token_server'@'%' with grant option; + + grant all privileges on `agent_service`.* to 'agent_service'@'%' with grant option; + + grant all privileges on `tmp_data`.* to 'tmp_data'@'%' with grant option; + ``` + + +* SUPER 权限授予 + + 由于 部分帐号 需要创建 触发器,故,需要 SUPER 权限 + 涉及帐号有 user、user_authz、cas_server + + 命令: + ``` + grant SUPER on *.* to 'user'@'%'; + grant SUPER on *.* to 'user_authz'@'%'; + grant SUPER on *.* to 'cas_server'@'%'; + + grant SUPER on *.* to 'tmp_data'@'%'; + ``` + + +* 用户数据的交换帐号 + + **待部署完成后操作** + + 如果,存在数据交换 须将组织机构数据、帐号数据 同步到用户服务的数据库的 + 则,需要创建一个 交换用的数据库帐号(user_trans),并为该帐号授予 表 user.TMP_ORGANIZATION_ORIGIN、user.TMP_ACCOUNT_ORIGIN 的读写操作的权限 + + 命令: + ``` + create user 'user_trans'@'%' identified with mysql_native_password by 'your_password'; + + grant select on `user`.`TMP_ORGANIZATION_ORIGIN` to 
'user_trans'@'%'; + grant insert on `user`.`TMP_ORGANIZATION_ORIGIN` to 'user_trans'@'%'; + grant update on `user`.`TMP_ORGANIZATION_ORIGIN` to 'user_trans'@'%'; + grant delete on `user`.`TMP_ORGANIZATION_ORIGIN` to 'user_trans'@'%'; + + grant select on `user`.`TMP_ACCOUNT_ORIGIN` to 'user_trans'@'%'; + grant insert on `user`.`TMP_ACCOUNT_ORIGIN` to 'user_trans'@'%'; + grant update on `user`.`TMP_ACCOUNT_ORIGIN` to 'user_trans'@'%'; + grant delete on `user`.`TMP_ACCOUNT_ORIGIN` to 'user_trans'@'%'; + + grant select on `user`.`TMP_ORGANIZATION_TRANS` to 'user_trans'@'%'; + grant insert on `user`.`TMP_ORGANIZATION_TRANS` to 'user_trans'@'%'; + grant update on `user`.`TMP_ORGANIZATION_TRANS` to 'user_trans'@'%'; + grant delete on `user`.`TMP_ORGANIZATION_TRANS` to 'user_trans'@'%'; + + grant select on `user`.`TMP_ACCOUNT_TRANS` to 'user_trans'@'%'; + grant insert on `user`.`TMP_ACCOUNT_TRANS` to 'user_trans'@'%'; + grant update on `user`.`TMP_ACCOUNT_TRANS` to 'user_trans'@'%'; + grant delete on `user`.`TMP_ACCOUNT_TRANS` to 'user_trans'@'%'; + ``` + + +### rancher 容器部署 + +* 修改 yaml 中的相关配置 + + 具体参考 yaml 文件中的说明 + + 0.infras + + 基础设施,目前包含 MySQL数据库的Web管理端、SpringBoot服务的管理端 + + ``` + 0.0.0.infras-base.yaml 请修改 harbor-registry 的帐号密码 + + 0.0.1.infras-mysql.yaml 请修改 MySQL数据库 的地址、IP,mysql-adminer 访问域名 + + 0.0.2.infras-sba.yaml 请修改 docker 镜像地址 + + ``` + + 1.authx-service + + 业务中台 之 认证授权服务 + + 参考 yaml 中的说明,修改相关配置 + + ``` + 在各个服务的安装脚本目录下,修改以下文件(若存在)中的配置 + 0.*-base.yaml 请修改 harbor-registry 的帐号密码 + + 4.x.*.yaml, 5.*-datax-job.yaml 请修改 docker 镜像地址 + + 1.*-env.yaml, 5.*-datax-job.yaml 请修改 数据库密码 + + 2.*-ingresses.yaml 请修改 访问域名 + + 0.0.trans-service-v4 + + 此为 认证v4 的数据迁移服务(可选) + + 将 认证v4 的数据导入到 tmp_data 下 + + 数据迁移后,还需要手动编写脚本,将数据迁移至 用户服务、授权服务 的数据库中 + + 0.authx-service + + 此为 公共基础服务 + + 如:MySQL 服务地址(Endpoints)、文件存储服务 + + 1.authx-service-mysql.yaml + + 请修改 mysql 的服务地址 IP + + 2.authx-service-minio.yaml + + 请修改 minio 的 `MINIO_ACCESS_KEY`、`MINIO_SECRET_KEY` + + 根据情况修改 pvc 的 storageClassName + 
+ 9.poa-api-docs_install.yaml + + 用于将 认证授权服务的 poa 接口文档,导入到 poa-sa 中,**请在 poa 安装完成后处理** + + 请修改 poa 的服务地址 `POA_SERVER_URL` + + 1.thirdparty-agent-service + + 此为 第三方服务的代理服务 + + file-minio + + 修改 minio 的 `FILE_MINIO_ACCESSKEY`、`FILE_MINIO_SECRETKEY` + + mail-smtp + + 获取 学校的 smtp 服务地址,邮箱帐号,用于发送邮件 + + sms-aliyun + + 如果 学校使用 阿里云的短信服务,提供 `ACCESS_KEY_ID`、`ACCESS_SECRET`; + 否则,提供相关的短信平台,进行定制开发 + + 2.user-data-service + + 此为 用户服务 + + user-data-service-goa + + 如果 须将用户数据的变更下发到 Openldap 等第三方业务中,则须配置 `JOBS_RABBITMQ_*` 为开启(ENABLED=true) + + 3.user-authorization-service + + 此为 授权服务 + + 4.cas-server + + 此为 认证服务 + + cas-server-site-webapp + + 生成公私钥证书,参考 certs/jwt/readme.md 生成公私钥pem,修改相关配置 `CASSERVER_JWT_PRIVATE_KEY_PEM_PKCS8`、`CASSERVER_JWT_PUBLIC_KEY_PEM` + + 修改 认证服务的外网访问地址 `CAS_SERVER_NAME` + + 修改 CAT TGC 的安全,若 使用 https,则须修改 `CAS_TGC_SECURE: "true"` + + 修改 安全中心(帐号激活、找回密码)的链接地址 `CASSERVERSITE_FORGOT_PASSWORD_URL`、`CASSERVERSITE_ACTIVE_ACCOUNT_URL` + + 联合登录(QQ、微信、企业微信、支付宝等)配置 `CASSERVER_FEDERATION_*` + + 动态密码认证 相关配置 + 1. 短信模板(动态密码) `CASSERVERSITE_PASSWORDLESS_SMS_TEXT_TEMPLATE` + 2. 短信接口地址 `TPAS_AGENT_SERVICE_SMS_SENDER_PATH` + + 如果 须与 超级APP 对接,须修改 Token 验签公钥地址 `SUPERAPP_TOKEN_SIGNING_KEY_URL` + + 如果 须开启图片验证码,修改 `CASSERVERSITE_CAPTCHA_ENABLED: "true"` + + 5.token-server + + 此为 认证服务(适用于APP,可选) + + token-server + + 生成公私钥证书(与cas-server保持一致),参考 certs/jwt/readme.md 生成公私钥pem,修改相关配置 `TOKEN_SERVER_SECURITY_JWT_PRIVATE_KEY_PEM_PKCS8`、`TOKEN_SERVER_SECURITY_JWT_PUBLIC_KEY_PEM` + + 修改 认证服务的外网访问地址 `TOKEN_SERVER_PREFIX` + + 修改 认证服务 Id-Token 的签发者标识 `TOKEN_SERVER_SECURITY_JWT_ISS` + + 动态密码认证 相关配置(与cas-server保持一致) + 1. 短信模板(动态密码) `TOKEN_SERVER_PASSWORDLESS_SMS_TEXT_TEMPLATE` + 2. 短信接口地址 `TPAS_AGENT_SERVICE_SMS_SENDER_PATH` + + 人脸认证,须配置人脸服务,目前支持 新开普人脸服务、百度人脸服务,根据情况获取相关配置参数 + + APP 登录信息 个推,使用了消息服务的接口,该接口由 POA 提供,故须 + 1. 注册 POA client,获取 `clientId`、`clientSecret`,申请 Scope `messagecenter:v1:sendMessage` + 2. 
获取 消息服务的 `appId` + + 6.personal-security-center + + 此为 个人安全中心 后端API,安全中心 前端UI + + 提供个人帐号相关的操作的接口,以及 帐号激活、密码找回 等功能 + + TODO: 修改 bff、zuul 配置 + TODO: 修改 security-center-ui 配置 + + 9.jobs-server + + 此为 任务调度服务 + + 基于 定时任务、触发任务 等,完成 用户数据的同步 + + 如: + * 源头数据进入到临时表后,写入用户的正式表 + * 用户数据更新后,通过消息队列,增量更新 Openldap 数据 + + ``` + + +* 添加项目、命名空间 + + 项目 + ``` + infras # 基础设施(可选,方便实施工作) + + authx-service # 认证授权服务 + + admin-platform # 管理平台 + + ``` + + 命名空间 + + 在项目 infras 下创建 命名空间: + + ``` + base + + ``` + + 在项目 authx-service 下创建 命名空间: + + ``` + trans-service(认证v4的数据迁移服务,可选) + + authx-service + + thirdparty-agent-service + + user-data-service + + user-authorization-service + + cas-server + + token-server + + personal-security-center + + jobs-server + + ``` + + +* 导入YAML + + 在项目 infras 中,将 0.infras 下的 yaml 按编号依次导入 + + ``` + 0.0.0.infras-base.yaml + + 0.0.1.infras-mysql.yaml mysql web管理 + + 0.0.2.infras-sba.yaml + + ``` + + 在项目 authx-service 中,将 1.authx-service 下的 yaml 按编号依次导入 + + **务必确保 `4.0.*-installer.yaml` 执行成功** + + +### 数据配置 + + 数据脚本初始化 + + 先修改 脚本中的域名(如果存在) + + +* 可选,1.authx-service/10.0.tmp.sql + + 若通过交换同步组织机构、帐号数据的,须执行该数据库脚本 + + +* 可选,1.authx-service/10.1.init-flow.sql + + 若部署了 流程平台 的产品 + + 可默认创建几个管理员帐号,以及初始授权 + diff --git "a/project/nwpu/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.pdf" "b/project/nwpu/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.pdf" new file mode 100644 index 0000000..35bc552 Binary files /dev/null and "b/project/nwpu/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.pdf" differ 
diff --git "a/project/nwpu/k8s-rancher/0.1.2.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.0-V1.2\357\274\211.md" "b/project/nwpu/k8s-rancher/0.1.2.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.0-V1.2\357\274\211.md"
new file mode 100644
index 0000000..9590b2e
--- /dev/null
+++ "b/project/nwpu/k8s-rancher/0.1.2.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.0-V1.2\357\274\211.md"
@@ -0,0 +1,246 @@ + +# 认证授权服务升级文档(V1.0 ~ V1.2) + + +## 部署变更说明 + +对本次升级进行的简要说明,具体的升级步骤,详见 **升级说明** + +1. 新增 StatefulSet authx-service/redis-server + +2. 新增 Deployment authx-service/rabbitmq-server , 用于将 user-data-service,user-authorization-service,jobs-server 连接的 rabbitmq-server 进行合并 + +3. 新增 Deployment authx-service/authx-service-bff + + +4. 删除 Deployment user-data-service/rabbitmq-server + +5. 修改 Secret user-data-service/rabbitmq-env-secret , 将 SPRING_RABBITMQ_HOST 修改为 rabbitmq-server.authx-service.svc.cluster.local + +6. 修改 ConfigMap user-data-service/user-data-service-goa-env , 将 JOBS_RABBITMQ_HOST 修改为 rabbitmq-server.authx-service.svc.cluster.local + +7. 修改 Deployment user-data-service/user-data-service-biz , 增加 环境变量 rabbitmq-env-secret + + +8. 删除 Deployment user-data-service/rabbitmq-server + +9. 修改 Secret user-authorization-service/rabbitmq-env-secret , 将 SPRING_RABBITMQ_HOST 修改为 rabbitmq-server.authx-service.svc.cluster.local + +10. 修改 ConfigMap user-authorization-service/user-authorization-sa-env , 将 USER_AUTHORIZATION_SA_USER_RABBITMQ_HOST 修改为 rabbitmq-server.authx-service.svc.cluster.local + + +11. 删除 Deployment jobs-server/rabbitmq-server + +12. 修改 Secret jobs-server/rabbitmq-env-secret , 将 SPRING_RABBITMQ_HOST 修改为 rabbitmq-server.authx-service.svc.cluster.local + +13. 新增 Secret token-server/rabbitmq-env-secret +14. 修改 Deployment token-server/token-server, 增加 环境变量 secretRef rabbitmq-env-secret + +13. 变更 CronJob user-data-service/user-data-service-datax-job 的定时 schedule 为 `30 */4 * * *` +14. 变更 CronJob user-authorization-service/user-authorization-datax-job 的定时 schedule 为 `30 */4 * * *` + +15. 变更 CronJob cas-server/cas-server-datax-job 的定时 schedule 为 `5 */2 * * *` + + +16. 删除 Job authx-service/poa-api-docs-installer ,由各服务下独立部署 +17. 新增 Job user-data-service/api-docs-installer +18. 新增 Job user-authorization-service/api-docs-installer +19. 新增 Job token-server/api-docs-installer + + +## 升级说明 + +1. 
数据库脚本进行升级 + + 重新执行 Job user-data-service/user-data-service-installer + + 重新执行 Job user-authorization-service/user-authorization-installer + + 重新执行 Job cas-server/cas-server-installer + + 重新执行 Job token-server/token-server-installer + +2. 部署 StatefulSet authx-service/redis-server , Deployment authx-service/rabbitmq-server + + 部署yaml 位于 1.authx-service/0.authx-service/0.authx-service-base.yaml, 1.authx-service/0.authx-service/1.authx-service-env.yaml + +3. 部署 Deployment authx-service/authx-service-bff + + 部署yaml 位于 1.authx-service/0.authx-service/4.4.authx-service-bff.yaml + +4. Secret user-data-service/rabbitmq-env-secret , 修改 SPRING_RABBITMQ_HOST + + ``` + SPRING_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local + ``` + +5. Secret user-authorization-service/rabbitmq-env-secret , 修改 SPRING_RABBITMQ_HOST + + ``` + SPRING_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local + ``` + +6. Secret jobs-server/rabbitmq-env-secret , 修改 SPRING_RABBITMQ_HOST + + ``` + SPRING_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local + ``` + +7. Deployment user-data-service/user-data-service-biz 下的环境变量中,引用其他资源,添加附加资源 Secret rabbitmq-env-secret + +8. ConfigMap user-data-service/user-data-service-goa-env 下,更新 JOBS_RABBITMQ 相关的配置 + + ``` + JOBS_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local + ``` + +9. ConfigMap user-authorization-service/user-authorization-sa-env 下,新增 USER_AUTHORIZATION_SA_USER_RABBITMQ 相关的配置 + + ``` + USER_AUTHORIZATION_SA_USER_RABBITMQ_CONSUMER_ENABLED: "false" + USER_AUTHORIZATION_SA_USER_RABBITMQ_HOST: rabbitmq-server.jobs-server.svc.cluster.local + USER_AUTHORIZATION_SA_USER_RABBITMQ_PORT: "5672" + USER_AUTHORIZATION_SA_USER_RABBITMQ_USERNAME: guest + USER_AUTHORIZATION_SA_USER_RABBITMQ_PASSWORD: guest + ``` + +10. 新增 Secret token-server/rabbitmq-env-secret + + 部署yaml 位于 5.token-server/1.token-server-env.yaml + +11. 修改 Deployment token-server/token-server, 增加 环境变量 secretRef rabbitmq-env-secret + +12. 
修改 x-datax-job 的定时策略 + + CronJob user-data-service/user-data-service-datax-job 下,修改 schedule 为 `30 */4 * * *` + + CronJob user-authorization-service/user-authorization-datax-job 下,修改 schedule 为 `30 */4 * * *` + + CronJob CronJob cas-server/cas-server-datax-job 下,修改 schedule 为 `5 */2 * * *` + + +13. 将 工作负载 下的服务 升级到 1.2.x 版本 + + +14. 更新 POA 的 api-docs + + 执行 Job user-data-service/api-docs-installer + + 执行 Job user-authorization-service/api-docs-installer + + 执行 Job token-server/api-docs-installer + + +## 初始化脚本 + +1. 整理 授权服务、云平台管理 下的角色 + + **检查 授权服务下的 以下角色 的 APPLICATION_ID 已经更新为 10** + + 在 user_authz 的 TB_ROLE 表中 + + 确保 cas-admin, user-admin, user-authz-admin, user-authz-grant-admin, user-authz-man-grant-admin 只有一条记录 + + 若 存在 与 上述代码 重复的角色,则删除 APPLICATION_ID = 1 且 ID 不为 20, 30, 40, 41, 42 的 相关角色。 + + 同时,在 admin_center 的 TB_MGT_ROLE 表中 + + 删除 ID 不为 20, 30, 40, 41, 42 的 相关角色。 + + ```sql + use user_authz; + + -- 检查 授权服务下的 以下角色 的 APPLICATION_ID 已经更新为 10 + UPDATE TB_ROLE SET APPLICATION_ID='10' WHERE ID='20'; + + UPDATE TB_ROLE SET APPLICATION_ID='10' WHERE ID='30'; + + UPDATE TB_ROLE SET APPLICATION_ID='10' WHERE ID='40'; + UPDATE TB_ROLE SET APPLICATION_ID='10' WHERE ID='41'; + UPDATE TB_ROLE SET APPLICATION_ID='10' WHERE ID='42'; + + use admin_center; + + -- 删除认证授权的角色 + delete from TB_MGT_ROLE where ID in ('20', '30', '40','41','42'); + + commit; + ``` + +2. 
更新 接口路由、应用、菜单、角色权限 + + 注:如果已经存在,请忽略 + + ```sql + use admin_center; + + -- 新增接口路由 + + insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX) + values ('21', 0, 'authx-service-admin-api', '认证授权 - 聚合接口(认证、授权)', '1', '/api/v2/admin', 'http://localhost:8009', 0); + insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX) + values ('22', 0, 'authx-service-open-api', '认证授权 - 聚合接口(公开)', '1', '/api/v2/open', 'http://localhost:8009', 0); + + commit; + + update TB_MGT_ROUTE set URL='http://authx-service-bff-svc.authx-service.svc.cluster.local:8080' where ID='21'; + update TB_MGT_ROUTE set URL='http://authx-service-bff-svc.authx-service.svc.cluster.local:8080' where ID='22'; + + commit; + + -- 新增应用 + + insert into TB_MGT_APPLICATION (ID, DELETED, CODE, NAME, STATUS) + values ('10', 0, '10', '用户授权', '1'); + + commit; + + -- 更新现有菜单 的 所属 APPLICATION_ID + + update TB_MGT_PERMISSION set APPLICATION_ID='10' where ID like '2____'; + update TB_MGT_PERMISSION set APPLICATION_ID='10' where ID like '3____'; + update TB_MGT_PERMISSION set APPLICATION_ID='10' where ID like '4____'; + + commit; + + -- 新增功能菜单 + + update TB_MGT_PERMISSION + set LFT = LFT+10 + where LFT>=35 + ; + + update TB_MGT_PERMISSION + set RGT = RGT+10 + where RGT>=35 + ; + + insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) + values ('20650', 0, 'casConfig', '认证对接配置', '0', '2', 'el-icon-service', '/cas-server/casConfig', '10', '20000', 20650, 2, 35, 36); + + insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) + values ('20700', 0, 'loginPageConfig', '登录页面配置', '1', '2', 'su-icon-tongxunxinxi', '/cas-server/loginPageConfig', '10', '20000', 20700, 2, 37, 38); + insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, 
RGT) + values ('20800', 0, 'linkLoginConfig', '联合登录配置', '1', '2', 'su-icon-test', '/cas-server/linkLoginConfig', '10', '20000', 20800, 2, 39, 40); + + insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) + values ('20900', 0, 'infoPerfectConfig', '信息完善配置', '1', '2', 'su-icon-chongxintijiao', '/cas-server/infoPerfectConfig', '10', '20000', 20900, 2, 41, 42); + + insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) + values ('21000', 0, 'lockManagement', '认证锁定管理', '1', '2', 'su-icon-shouquanjiguanli', '/cas-server/lockManagement', '10', '20000', 21000, 2, 43, 44); + + commit; + + insert into TB_MGT_ROLE_PERMISSION (ID, DELETED, ROLE_ID, PERMISSION_ID) + + select CONCAT('20_', ID) as ID, 0 as DELETED, '20' as ROLE_ID, ID as PERMISSION_ID + from TB_MGT_PERMISSION + where ID like '2____' + and ( + CONCAT('20_', ID) not in (select CONCAT('20_', PERMISSION_ID) from TB_MGT_ROLE_PERMISSION) + or CONCAT('20_', ID) not in (select ID from TB_MGT_ROLE_PERMISSION) + ) + ; + + commit; + ``` diff --git "a/project/nwpu/k8s-rancher/0.2.1.POA\357\274\210\345\271\263\345\217\260OpenAPI\357\274\211\346\234\215\345\212\241\346\263\250\345\206\214.md" "b/project/nwpu/k8s-rancher/0.2.1.POA\357\274\210\345\271\263\345\217\260OpenAPI\357\274\211\346\234\215\345\212\241\346\263\250\345\206\214.md" new file mode 100644 index 0000000..5dcbbb6 --- /dev/null +++ "b/project/nwpu/k8s-rancher/0.2.1.POA\357\274\210\345\271\263\345\217\260OpenAPI\357\274\211\346\234\215\345\212\241\346\263\250\345\206\214.md" @@ -0,0 +1,7 @@ + +# POA(平台OpenAPI)服务注册 + +**请确保POA已经安装完成** + +根据 9.poa-api-docs 下的 readme.md 的说明进行操作 + 
diff --git "a/project/nwpu/k8s-rancher/0.2.2.\347\237\255\344\277\241\345\271\263\345\217\260\345\257\271\346\216\245\350\257\264\346\230\216.md" "b/project/nwpu/k8s-rancher/0.2.2.\347\237\255\344\277\241\345\271\263\345\217\260\345\257\271\346\216\245\350\257\264\346\230\216.md" new file mode 100644 index 0000000..b786222 --- /dev/null +++ "b/project/nwpu/k8s-rancher/0.2.2.\347\237\255\344\277\241\345\271\263\345\217\260\345\257\271\346\216\245\350\257\264\346\230\216.md" @@ -0,0 +1,14 @@ +# 短信平台对接说明 + + +## 阿里云短信服务 + +须申请阿里云短信服务 + +参考 docs 下的 《阿里云短信申请(签名、模板)》 + + +## 第三方短信平台 + +须进行定制开发 + diff --git a/project/nwpu/k8s-rancher/0.infras/0.0.0.infras-base.yaml b/project/nwpu/k8s-rancher/0.infras/0.0.0.infras-base.yaml new file mode 100644 index 0000000..e137c9c --- /dev/null +++ b/project/nwpu/k8s-rancher/0.infras/0.0.0.infras-base.yaml @@ -0,0 +1,18 @@ +# 0.0.0.infras-base.yaml + +#################################################### +# supwisdom harbor private docker registry +#################################################### +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + namespace: base + name: harbor-registry +data: + # 修改harbor仓库配置 + # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}} + # 上一行的数据根据项目情况修改完毕后进行base64加密生成dockerconfigjson需要的数值 + .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19 + diff --git a/project/nwpu/k8s-rancher/0.infras/0.0.1.infras-mysql.yaml b/project/nwpu/k8s-rancher/0.infras/0.0.1.infras-mysql.yaml new file mode 100644 index 0000000..fd62f7d --- /dev/null +++ b/project/nwpu/k8s-rancher/0.infras/0.0.1.infras-mysql.yaml 
@@ -0,0 +1,102 @@ +# 0.0.1.infras-mysql.yaml + +# 此服务可选安装,用于MySQL数据库的管理提供Web端 + +#################################################### +# mysql-server +#################################################### +--- +apiVersion: v1 +kind: Service +metadata: + namespace: base + name: mysql-server +spec: + ports: + - name: tcp-mysql + port: 3306 + protocol: TCP + targetPort: 3306 +--- +kind: Endpoints +apiVersion: v1 +metadata: + namespace: base + name: mysql-server +subsets: + - addresses: + # 修改实际MySQL服务器的IP地址 + - ip: 172.30.104.82 + ports: + - name: tcp-mysql + port: 3306 + protocol: TCP + + +#################################################### +# mysql-adminer +#################################################### +--- +apiVersion: v1 +kind: Service +metadata: + namespace: base + name: mysql-adminer +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: http + selector: + app: mysql-adminer + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: base + name: mysql-adminer +spec: + selector: + matchLabels: + app: mysql-adminer + replicas: 1 + template: + metadata: + labels: + app: mysql-adminer + spec: + containers: + - name: mysql-adminer + image: adminer:4 + imagePullPolicy: Always + ports: + - containerPort: 8080 + name: http + env: + - name: ADMINER_DEFAULT_SERVER + value: mysql-server + resources: + requests: + memory: "512Mi" + limits: + memory: "512Mi" + +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: mysql-adminer-ingress + namespace: base +spec: + rules: + # 修改为学校的根域名 + - host: mysql-adminer.paas.xxx.edu.cn + http: + paths: + - path: / + backend: + serviceName: mysql-adminer + servicePort: http + diff --git a/project/nwpu/k8s-rancher/0.infras/0.0.2.infras-sba.yaml b/project/nwpu/k8s-rancher/0.infras/0.0.2.infras-sba.yaml new file mode 100644 index 0000000..783247d --- /dev/null +++ b/project/nwpu/k8s-rancher/0.infras/0.0.2.infras-sba.yaml 
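Review bot: Adminer, a full MySQL web console pre-pointed at the identity database (`ADMINER_DEFAULT_SERVER: mysql-server`), is published on an Ingress with no `tls:` block and no source restriction, so anyone who can resolve `mysql-adminer.paas.xxx.edu.cn` gets a login form against the DB and the DB password travels in clear HTTP. Even though the file calls this optional, it should at least carry TLS and an allow-list for the admin network, or be left without an Ingress and reached via `kubectl port-forward`. `adminer:4` is a floating tag pulled with `imagePullPolicy: Always`, so what runs can change without a commit; pin a digest. `extensions/v1beta1` Ingress is, as far as I recall, removed in Kubernetes 1.22+ — confirm against the target cluster.
```yaml
metadata:
  name: mysql-adminer-ingress
  namespace: base
  annotations:
    # DB console: admin network only
    nginx.ingress.kubernetes.io/whitelist-source-range: "<admin CIDR>"
spec:
  tls:
    - hosts: [mysql-adminer.paas.xxx.edu.cn]
      secretName: mysql-adminer-tls
  # … unchanged: rules …
```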
@@ -0,0 +1,112 @@ +# 0.0.2.infras-sba.yaml + +# 此服务可选安装,用于开发人员排查问题 + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: base + name: spring-boot-admin-env +data: + SPRING_BOOT_ADMIN_UI_PUBLIC_URL: / + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: base + name: spring-boot-admin-env-secret +data: + # sbaadmin + SBA_USERNAME: c2JhYWRtaW4= + # sbanimda + SBA_PASSWORD: c2JhbmltZGE= + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: base + name: spring-boot-admin-svc + labels: + app: spring-boot-admin + needMonitor: 'true' +spec: + ports: + - port: 8080 + targetPort: http + protocol: TCP + name: http + - port: 6060 + targetPort: http-metrics + protocol: TCP + name: http-metrics + selector: + app: spring-boot-admin + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: base + name: spring-boot-admin +spec: + selector: + matchLabels: + app: spring-boot-admin + replicas: 1 + template: + metadata: + labels: + app: spring-boot-admin + spec: + containers: + - name: spring-boot-admin + # 若使用了学校搭设的私有仓库,请修改 + image: harbor.supwisdom.com/institute/spring-boot-admin:0.1.0-SNAPSHOT + imagePullPolicy: Always + ports: + - containerPort: 8080 + name: http + - containerPort: 6060 + name: http-metrics + envFrom: + - secretRef: + name: spring-boot-admin-env-secret + - configMapRef: + name: spring-boot-admin-env + resources: + requests: + cpu: 200m + memory: "256Mi" + limits: + cpu: 1000m + memory: "256Mi" + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 10 + imagePullSecrets: + - name: harbor-registry + +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: sba-ingress + namespace: base +spec: + rules: + # 修改为学校的根域名 + - host: sba.paas.xxx.edu.cn + http: + paths: + - path: / + backend: + serviceName: spring-boot-admin-svc + servicePort: http 
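Review bot: The Spring Boot Admin login is a fixed `sbaadmin` / `sbanimda` pair committed in `spring-boot-admin-env-secret` (the comments above each key decode the base64 for the reader), and the UI is published on `sba.paas.xxx.edu.cn` over plain HTTP with no `tls:` and no source allow-list. SBA typically proxies the registered services' actuator endpoints (env, loggers, heap dumps), so this is an operator-level foothold into the auth stack, not just a dashboard — hedged, since the registered services are outside this file. Generate the password at deploy time instead of committing it, add TLS and an allow-list annotation to `sba-ingress`, and note that `spring-boot-admin:0.1.0-SNAPSHOT` with `imagePullPolicy: Always` is a mutable tag, so the running image can change without a commit; pin a digest.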
diff --git a/project/nwpu/k8s-rancher/0.infras/0.0.x.infras-monitor.yaml b/project/nwpu/k8s-rancher/0.infras/0.0.x.infras-monitor.yaml new file mode 100644 index 0000000..88c23c2 --- /dev/null +++ b/project/nwpu/k8s-rancher/0.infras/0.0.x.infras-monitor.yaml @@ -0,0 +1,21 @@ +# + +# 此配置可选安装,用于配置监控 + +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: authx-service-monitor + namespace: cattle-prometheus +spec: + selector: + matchLabels: + needMonitor: 'true' + namespaceSelector: + matchNames: + - user-data-service + - user-authorization-service + - cas-server + endpoints: + - port: http-metrics + path: /metrics diff --git a/project/nwpu/k8s-rancher/0.infras/0.0.z.infras-tmp.yaml b/project/nwpu/k8s-rancher/0.infras/0.0.z.infras-tmp.yaml new file mode 100644 index 0000000..7830e3d --- /dev/null +++ b/project/nwpu/k8s-rancher/0.infras/0.0.z.infras-tmp.yaml 
@@ -0,0 +1,102 @@ + + +# 创建 namespace,如 tmp +# 并修改以下配置中的 namespace + +# 创建 ConfigMap + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + # 修改namespace + namespace: tmp + name: txt +data: + # 修改 key,value + # 其中, + # key 为 文件名 + # value 为 文件内容 + FWdJ6SLVde.txt: "70976dc348062015aaecd04c4fe393c6" + + + +# 部署nginx,并将 ConfigMap 挂载成文件 + +--- +apiVersion: v1 +kind: Service +metadata: + # 修改namespace + namespace: tmp + name: txt-svc + labels: + app: txt-svc +spec: + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + selector: + app: txt + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + # 修改namespace + namespace: tmp + name: txt +spec: + selector: + matchLabels: + app: txt + replicas: 1 + template: + metadata: + labels: + app: txt + spec: + containers: + - name: txt-nginx + # 根据情况修改镜像地址 + image: nginx:latest + ports: + - containerPort: 80 + name: http + volumeMounts: + - name: txt + mountPath: /usr/share/nginx/html + readOnly: true + volumes: + - name: txt + configMap: + # 这个是 ConfigMap 的名称 + name: txt + items: + # 将 ConfigMap 中某个 key 的 value 映射为 文件及文件内容 + - key: FWdJ6SLVde.txt + path: FWdJ6SLVde.txt + +# 配置ingress + +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + # 修改namespace + namespace: tmp + name: txt-ingress +spec: + rules: + # 修改为学校的根域名 + - host: txt.paas.xxx.edu.cn + http: + paths: + # 修改path,对应某个文件路径 + - path: /FWdJ6SLVde.txt + backend: + serviceName: txt-svc + servicePort: http + diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/0.trans-service-v4-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/0.trans-service-v4-base.yaml new file mode 100644 index 0000000..e37e2d5 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/0.trans-service-v4-base.yaml 
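Review bot: The `txt` Deployment runs `nginx:latest`, a mutable tag, so every re-deploy may pull a different image with no change in the repo; pin a version or digest, e.g. `image: nginx:1.21` (or `nginx@sha256:…`). The container also has no `resources` block, unlike the other workloads in this commit, and the served file `FWdJ6SLVde.txt` looks like a one-off domain-verification token — if so, the comment should say so and the Deployment should be removed once verification is done rather than left running.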
@@ -0,0 +1,47 @@ +# 0.trans-service-v4-base.yaml + +#################################################### +# supwisdom harbor private docker registry +#################################################### +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + namespace: trans-service + name: harbor-registry +data: + # 修改harbor仓库配置,并使用 base64 工具进行编码 + # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}} + .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19 + + +#################################################### +# mysql-server +#################################################### +--- +apiVersion: v1 +kind: Service +metadata: + namespace: trans-service + name: mysql-server +spec: + ports: + - name: tcp-mysql + port: 3306 + protocol: TCP + targetPort: 3306 +--- +kind: Endpoints +apiVersion: v1 +metadata: + namespace: trans-service + name: mysql-server +subsets: + - addresses: + # 修改实际MySQL服务器的IP地址 + - ip: 172.30.104.82 + ports: + - name: tcp-mysql + port: 3306 + protocol: TCP diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/1.trans-service-v4-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/1.trans-service-v4-env.yaml new file mode 100644 index 0000000..7c65b68 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/1.trans-service-v4-env.yaml 
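Review bot: This is a second copy of the same Harbor pull credential (`rancher.devops` / `PWMgP85qiLFC`, decoded in the comment) in the `trans-service` namespace, so any rotation now has to touch every namespace manifest and a miss leaves a working credential in the repo. Create the `harbor-registry` Secret once per namespace at deploy time from an untracked value, e.g. `kubectl create secret docker-registry harbor-registry -n trans-service --docker-server=harbor.supwisdom.com --docker-username=<user> --docker-password=<pass>`, and keep only a placeholder here.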
@@ -0,0 +1,26 @@ +# 1.trans-service-v4-env.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: trans-service + name: jvm-env +data: + MAX_RAM_PERCENTAGE: "75.0" + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: trans-service + name: datasource-env-secret +type: Opaque +data: + # jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/tmp_data?serverTimezone=Asia/Shanghai + JDBC_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvdG1wX2RhdGE/c2VydmVyVGltZXpvbmU9QXNpYS9TaGFuZ2hhaQ== + # tmp_data + JDBC_USERNAME: dG1wX2RhdGE= + # 修改为实际的数据库密码,并使用 base64 工具进行编码 + # kingstar + JDBC_PASSWORD: a2luZ3N0YXI= diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/4.0.trans-service-v4-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/4.0.trans-service-v4-installer.yaml new file mode 100644 index 0000000..f2a99b8 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/4.0.trans-service-v4-installer.yaml @@ -0,0 +1,46 @@ +# 4.0.trans-service-v4-installer.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: trans-service + name: trans-installer-env +data: + DB_TYPE: mysql8 + + +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: trans-installer + namespace: trans-service +spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: trans-installer + spec: + restartPolicy: Never + containers: + - name: trans-installer + # 若使用了学校搭设的私有仓库,请修改 + image: harbor.supwisdom.com/admin-portal/trans-installer:1.0.0-SNAPSHOT + imagePullPolicy: Always + envFrom: + - configMapRef: + name: jvm-env + - secretRef: + name: datasource-env-secret + - configMapRef: + name: trans-installer-env + # resources: + # requests: + # memory: "256Mi" + # limits: + # memory: "256Mi" + imagePullSecrets: + - name: harbor-registry 
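Review bot: `datasource-env-secret` commits the database password in all but name: `JDBC_PASSWORD: a2luZ3N0YXI=` with the comment `# kingstar` right above it, and the same string appears in plain text in the datax-job ConfigMap later in this commit, so the "修改为实际的数据库密码" instruction has at best been ignored and at worst this is the production value. Base64 in a Secret is not encryption; keep the manifest with a placeholder such as `JDBC_PASSWORD: "<base64 of the real password, set at deploy time>"` and drop the decoded comments, or generate the Secret from an untracked file via `kubectl create secret generic datasource-env-secret --from-env-file=…`. Also `JDBC_URL` points at `mysql-server.authx-service.svc.cluster.local` while this Secret lives in `trans-service`, whose own `mysql-server` Service is defined in the base file — confirm which one is intended.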
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/5.trans-service-v4-datax-job.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/5.trans-service-v4-datax-job.yaml new file mode 100644 index 0000000..e61d762 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/5.trans-service-v4-datax-job.yaml 
@@ -0,0 +1,55 @@ +# 5.trans-service-v4-datax-job.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: trans-service + name: trans-datax-job-env +data: + EANBLED_JOBS: TMP_DM_GENDER,TMP_DM_ORGTYPE,TMP_DM_ACCOUNTTYPE,TMP_DM_IDENTITYTYPE,TMP_ORGANIZE,TMP_PERSON,TMP_ACCOUNT,TMP_REGISTERED_SERVICE,TMP_WEAK_PASSWORD_DICT,TMP_TB_ORGANIZE,TMP_TB_USER,TMP_TB_ACCOUNT,TMP_TB_USERGROUP,TMP_TB_ROLE,TMP_TB_APPLICATION,TMP_TB_FUNCTION,TMP_TB_RIGHT,TMP_TB_ACCOUNTSECURITYEMAIL,TMP_TB_ACCOUNTSECURITYMOBILE,TMP_REF_ORGANIZEUSER,TMP_REF_USERGROUPACCOUNT,TMP_REF_ACCOUNTROLE,TMP_REF_USERGROUPROLE,TMP_REF_USERROLE,TMP_REF_APPLICATIONROLE,TMP_REF_FUNCTIONROLE,TMP_REF_RIGHTROLE + + ORACLEREADER_UNIAUTH_USERNAME: idc_u_uniauth + ORACLEREADER_UNIAUTH_PASSWORD: kingstar + ORACLEREADER_UNIAUTH_JDBC_URL: jdbc:oracle:thin:@172.30.104.101:1521/xydb + + MYSQLWRITER8_TMP_USERNAME: tmp_data + MYSQLWRITER8_TMP_PASSWORD: kingstar + MYSQLWRITER8_TMP_JDBC_URL: jdbc:mysql://mysql-server:3306/tmp_data + + +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: trans-datax-job + namespace: trans-service +spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: trans-datax-job + spec: + restartPolicy: Never + containers: + - name: trans-datax-job + # 若使用了学校搭设的私有仓库,请修改 + image: harbor.supwisdom.com/admin-portal/trans-datax-job:1.0.0-SNAPSHOT + imagePullPolicy: Always + envFrom: + - configMapRef: + name: jvm-env + - secretRef: + name: datasource-env-secret + - configMapRef: + name: trans-datax-job-env + # resources: + # requests: + # memory: "400Mi" + # limits: + # memory: "400Mi" + imagePullSecrets: + - name: harbor-registry + diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/0.authx-platform-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/0.authx-platform-base.yaml new file mode 100644 index 0000000..c67ecae --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/0.authx-platform-base.yaml 
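Review bot: `ORACLEREADER_UNIAUTH_PASSWORD: kingstar` and `MYSQLWRITER8_TMP_PASSWORD: kingstar` are stored in a ConfigMap, i.e. plain text readable by anyone with `get configmaps` in the namespace and shown unredacted in Rancher, `kubectl describe` and cluster backups; the Oracle one is the source identity database's credential. Move both into a Secret and reference it from the Job's `envFrom` (the Job already does this for `datasource-env-secret`). Separately, `EANBLED_JOBS` looks like a typo for `ENABLED_JOBS`; if the image reads the latter, this whole job list is silently ignored — confirm against the image's configuration.
```yaml
apiVersion: v1
kind: Secret
metadata:
  namespace: trans-service
  name: trans-datax-job-secret
type: Opaque
stringData:
  ORACLEREADER_UNIAUTH_PASSWORD: "<set at deploy time>"
  MYSQLWRITER8_TMP_PASSWORD: "<set at deploy time>"
# … unchanged: ConfigMap keeps the job list, usernames and JDBC URLs …
# … in the Job's envFrom, added after trans-datax-job-env:
        - secretRef:
            name: trans-datax-job-secret
```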
@@ -0,0 +1,16 @@ +# 0.authx-platform-base.yaml + +#################################################### +# supwisdom harbor private docker registry +#################################################### +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + namespace: authx-platform + name: harbor-registry +data: + # 修改harbor仓库配置,并使用 base64 工具进行编码 + # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}} + .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19 diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/2.authx-platform-ingresses.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/2.authx-platform-ingresses.yaml new file mode 100644 index 0000000..16aed5d --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/2.authx-platform-ingresses.yaml @@ -0,0 +1,18 @@ +# 2.authx-platform-ingresses.yaml + +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + namespace: authx-platform + name: authx-platform-docsify-ingress +spec: + rules: + # 修改为学校的根域名 + - host: authx-docs.xxx.edu.cn + http: + paths: + - path: / + backend: + serviceName: authx-platform-docsify-svc + servicePort: http diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/4.9.authx-platform-docsify.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/4.9.authx-platform-docsify.yaml new file mode 100644 index 0000000..144b0f5 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/4.9.authx-platform-docsify.yaml 
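Review bot: Third copy of the same Harbor credential (`rancher.devops` / `PWMgP85qiLFC`) in `authx-platform`; the decoded JSON in the comment means a reader of the repo does not even need to base64-decode it. Rotate it and create the Secret out of band per namespace, keeping only a placeholder in the manifest, e.g. `.dockerconfigjson: "<generated at deploy time>"`.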
@@ -0,0 +1,62 @@ +# 4.9.authx-platform-docsify.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: authx-platform + name: authx-platform-docsify-env +data: + + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: authx-platform + name: authx-platform-docsify-svc + labels: + app: authx-platform-docsify-svc +spec: + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + selector: + app: authx-platform-docsify + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: authx-platform + name: authx-platform-docsify +spec: + selector: + matchLabels: + app: authx-platform-docsify + replicas: 1 + template: + metadata: + labels: + app: authx-platform-docsify + spec: + containers: + - name: authx-platform-docsify + # 若使用了学校搭设的私有仓库,请修改 + image: harbor.supwisdom.com/authx-platform/authx-platform-docsify:0.0.1-SNAPSHOT + imagePullPolicy: Always + ports: + - containerPort: 80 + name: http + envFrom: + - configMapRef: + name: authx-platform-docsify-env + resources: + requests: + memory: "128Mi" + limits: + memory: "256Mi" + imagePullSecrets: + - name: harbor-registry diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/0.authx-service-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/0.authx-service-base.yaml new file mode 100644 index 0000000..b37330a --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/0.authx-service-base.yaml 
@@ -0,0 +1,243 @@ +# 0.authx-service-base.yaml + +#################################################### +# supwisdom harbor private docker registry +#################################################### +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + namespace: authx-service + name: harbor-registry +data: + # 修改harbor仓库配置,并使用 base64 工具进行编码 + # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}} + .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19 + + + +#################################################### +# redis-server +#################################################### + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + namespace: authx-service + name: redis-data-pvc +spec: + accessModes: + - ReadWriteMany + # 根据情况修改 + storageClassName: nfs-client + resources: + requests: + storage: 10Gi + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: authx-service + name: redis-server + labels: + app: redis + release: redis-server +type: Opaque +data: + REDIS_PASSWORD: OEt1d29zbE9pdXc3SA== +--- +apiVersion: v1 +kind: Service +metadata: + namespace: authx-service + name: redis-server + labels: + app: redis + release: redis-server +spec: + ports: + - name: redis + port: 6379 + protocol: TCP + targetPort: redis + selector: + app: redis + release: redis-server + role: master + type: ClusterIP +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + namespace: authx-service + name: redis-server + labels: + app: redis + release: redis-server +spec: + podManagementPolicy: OrderedReady + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: redis + release: redis-server + role: master + serviceName: redis-master + template: + metadata: + labels: + app: redis + release: redis-server + role: master + spec: + # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可,注意这里的缩进,imagePullSecrets要对齐到本行#符号) + # 
imagePullSecrets: + # - name: harbor-registry + containers: + - name: redis-server + env: + - name: REDIS_DISABLE_COMMANDS + value: FLUSHDB,FLUSHALL + - name: REDIS_REPLICATION_MODE + value: master + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-server + key: REDIS_PASSWORD + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/bitnami/redis:4.0 + # 若使用了学校搭设的私有仓库,请修改 为 Always + imagePullPolicy: IfNotPresent + # imagePullPolicy: Always + livenessProbe: + exec: + command: + - redis-cli + - ping + failureThreshold: 5 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - containerPort: 6379 + name: redis + protocol: TCP + readinessProbe: + exec: + command: + - redis-cli + - ping + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + memory: "1024Mi" + limits: + memory: "1024Mi" + volumeMounts: + - mountPath: /bitnami/redis/data + name: redis-data + dnsPolicy: ClusterFirst + restartPolicy: Always + securityContext: + fsGroup: 0 + # runAsUser: 1001 + # https://github.com/bitnami/bitnami-docker-redis/issues/106#issuecomment-388884372 + # runAsUser: 0 + terminationGracePeriodSeconds: 30 + volumes: + # - name: redis-data + # emptyDir: {} + - name: redis-data + persistentVolumeClaim: + claimName: redis-data-pvc + updateStrategy: + rollingUpdate: + partition: 0 + type: RollingUpdate + + + +#################################################### +# rabbitmq-server +#################################################### +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: authx-service + name: rabbitmq-server + labels: + app: rabbitmq + release: rabbitmq-server +type: Opaque +data: + RABBITMQ_USERNAME: Z3Vlc3Q= + RABBITMQ_PASSWORD: Z3Vlc3Q= +--- +apiVersion: v1 +kind: Service +metadata: + namespace: authx-service + name: rabbitmq-server + labels: + app: rabbitmq-server +spec: + ports: + - port: 5672 + targetPort: tcp-1 + protocol: 
TCP + name: tcp-1 + - port: 15672 + targetPort: tcp-2 + protocol: TCP + name: tcp-2 + selector: + app: rabbitmq-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: authx-service + name: rabbitmq-server +spec: + selector: + matchLabels: + app: rabbitmq-server + replicas: 1 + template: + metadata: + labels: + app: rabbitmq-server + annotations: + sidecar.istio.io/inject: "false" + spec: + # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可,注意对齐、缩进) + # imagePullSecrets: + # - name: harbor-registry + containers: + - name: rabbitmq-server + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/library/rabbitmq:management + # 若使用了学校搭设的私有仓库,请修改 为 Always + imagePullPolicy: IfNotPresent + # imagePullPolicy: Always + ports: + - containerPort: 5672 + name: tcp-1 + - containerPort: 15672 + name: tcp-2 + resources: + requests: + memory: "1024Mi" + limits: + memory: "1024Mi" diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-env.yaml new file mode 100644 index 0000000..ed2a7c2 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-env.yaml @@ -0,0 +1,35 @@ +# 1.authx-service-env.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: authx-service + name: jvm-env +data: + MAX_RAM_PERCENTAGE: "75.0" + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: authx-service + name: redis-env-secret +type: Opaque +data: + SPRING_REDIS_HOST: cmVkaXMtc2VydmVy + SPRING_REDIS_PORT: NjM3OQ== + SPRING_REDIS_PASSWORD: OEt1d29zbE9pdXc3SA== + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: authx-service + name: rabbitmq-env-secret +type: Opaque +data: + SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVy + SPRING_RABBITMQ_PORT: NTY3Mg== + SPRING_RABBITMQ_USERNAME: Z3Vlc3Q= + SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q= 
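Review bot: The RabbitMQ broker that, per the upgrade doc in this commit, carries user-sync traffic between the identity services runs with the default `guest` / `guest` (`RABBITMQ_USERNAME`/`RABBITMQ_PASSWORD` in the `rabbitmq-server` Secret), and the Service also exposes the management UI on 15672, so any pod in the cluster can log in with the default account. Likewise `REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==` is a fixed value committed here and again in `redis-env-secret`; both should be generated at deploy time, and 15672 should be dropped from the Service unless something needs it. Hedged: the Redis liveness/readiness probes run `redis-cli ping` with no `-a`, and with `requirepass` set that yields a NOAUTH error reply — if redis-cli treats that as a failure the pod never becomes ready; the bitnami chart passes the password and checks for PONG. `bitnami/redis:4.0` is also an end-of-life line.
```yaml
        livenessProbe:
          exec:
            command:
              - sh
              - -c
              - redis-cli -a "$REDIS_PASSWORD" --no-auth-warning ping | grep -q PONG
        # … unchanged: readinessProbe gets the same command …
```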
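Review bot: `rabbitmq-env-secret` hands every consumer the broker's default account (`SPRING_RABBITMQ_USERNAME: Z3Vlc3Q=` / `SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q=`, i.e. guest/guest) and `redis-env-secret` repeats the Redis password committed in the base file, so the same credentials now live in two hand-maintained Secrets per namespace and will drift on rotation. Create one per-service account with a generated password and populate these Secrets from it at deploy time; in the manifest keep placeholders such as `SPRING_RABBITMQ_PASSWORD: "<base64, set at deploy time>"`.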
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-mysql.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-mysql.yaml new file mode 100644 index 0000000..4b8e83f --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-mysql.yaml 
@@ -0,0 +1,102 @@ +# 0.0.1.authx-service-mysql.yaml + +#################################################### +# mysql-server +# 外部 MySQL 的服务地址映射 +#################################################### +--- +apiVersion: v1 +kind: Service +metadata: + namespace: authx-service + name: mysql-server +spec: + ports: + - name: tcp-mysql + port: 3306 + protocol: TCP + targetPort: 3306 +--- +kind: Endpoints +apiVersion: v1 +metadata: + namespace: authx-service + name: mysql-server +subsets: + - addresses: + # 修改实际MySQL服务器的IP地址 + - ip: 172.30.104.82 + ports: + - name: tcp-mysql + port: 3306 + protocol: TCP + + +# 此服务可选安装,用于MySQL数据库的管理提供Web端 + +#################################################### +# mysql-adminer +#################################################### +--- +apiVersion: v1 +kind: Service +metadata: + namespace: authx-service + name: mysql-adminer +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: http + selector: + app: mysql-adminer + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: authx-service + name: mysql-adminer +spec: + selector: + matchLabels: + app: mysql-adminer + replicas: 1 + template: + metadata: + labels: + app: mysql-adminer + spec: + containers: + - name: mysql-adminer + image: adminer:4 + imagePullPolicy: Always + ports: + - containerPort: 8080 + name: http + env: + - name: ADMINER_DEFAULT_SERVER + value: mysql-server + resources: + requests: + memory: "512Mi" + limits: + memory: "512Mi" + +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + namespace: authx-service + name: mysql-adminer-ingress +spec: + rules: + # 修改为学校的根域名 + - host: mysql-adminer.paas.xxx.edu.cn + http: + paths: + - path: / + backend: + serviceName: mysql-adminer + servicePort: http diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/2.authx-service-minio.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/2.authx-service-minio.yaml new file mode 100644 index 0000000..3e6aa0b --- /dev/null 
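Review bot: The `mysql-adminer-ingress` at the end of the hunk publishes a database administration UI on `mysql-adminer.paas.xxx.edu.cn` with no access restriction, which makes the `mysql-server` Endpoints defined above it reachable for credential guessing from anywhere the host resolves. The file's own comment marks Adminer as optional; if it is kept, gate the Ingress with a source-IP allowlist (for example `nginx.ingress.kubernetes.io/whitelist-source-range`, assuming ingress-nginx as the minio manifest's annotations suggest) or an authentication annotation, or drop the Ingress and reach Adminer through `kubectl port-forward` when needed. `extensions/v1beta1` Ingress is also no longer served by Kubernetes 1.22+, so `networking.k8s.io/v1` is needed on a current cluster.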
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/2.authx-service-minio.yaml 
@@ -0,0 +1,136 @@ +# 2.authx-service-minio.yaml + +#################################################### +# minio +# 文件服务器,对象存储 +#################################################### + +# 手动初始化默认的图片 +# +# 访问 https://authx-minio.paas.xxx.edu.cn +# 登录 1y8N@8R@a_2u , 8pxlIe9#lN7Q + +# 创建 bucket: cas-server-site-ui +# 将 cas-server-site-ui 目录下的 图片,上传到 cas-server-site-ui 中(此为认证登录界面上使用的图片,实际项目中,由UI进行设计后,替换) + +# 创建 bucket: portrait ,并设置访问策略 * Read Only +# 将 portrait 目录下的 图片,上传到 portrait 中(此为用户的默认头像) + +# 创建 bucket: security-center-ui ,并设置访问策略 * Read Only +# 在 security-center-ui 目录下 创建目录 favicon ,上传文件 security-center-ui/favicon/favicon.ico +# 在 security-center-ui 目录下 创建目录 logo ,上传文件 security-center-ui/logo/logo.png +# 此为安全中心界面上使用的图片,由UI进行设计后,替换 + +# 创建 bucket: admin-platform ,并设置访问策略 * Read Only +# 在 admin-platform 目录下 创建目录 favicon ,上传文件 admin-platform/favicon/sw.ico (ico 的文件名,根据 admin-platform 中配置的 SCHOOL_NAME 来确定) +# 此为云平台界面上使用的图片,由UI进行设计后,替换 + + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: minio-data-pvc + namespace: authx-service +spec: + accessModes: + - ReadWriteMany + # 根据情况修改 + storageClassName: nfs-client + resources: + requests: + storage: 50Gi + +--- +apiVersion: v1 +kind: Secret +metadata: + name: minio-env-secret + namespace: authx-service +type: Opaque +data: + # 修改 access_key,并使用 base64 工具进行编码 + # 默认值:1y8N@8R@a_2u + MINIO_ACCESS_KEY: MXk4TkA4UkBhXzJ1 + # 修改 secret_key,并使用 base64 工具进行编码 + # 默认至:8pxlIe9#lN7Q + MINIO_SECRET_KEY: OHB4bEllOSNsTjdR + + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: authx-service + name: minio-svc + labels: + app: minio +spec: + ports: + - port: 9000 + targetPort: http + protocol: TCP + name: http + selector: + app: minio +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: authx-service + name: minio +spec: + selector: + matchLabels: + app: minio + replicas: 1 + template: + metadata: + labels: + app: minio + spec: + containers: + - name: minio + image: 
minio/minio:RELEASE.2020-04-23T00-58-49Z + imagePullPolicy: Always + args: + - "server" + - "/data" + ports: + - containerPort: 9000 + name: http + envFrom: + - secretRef: + name: minio-env-secret + volumeMounts: + - mountPath: /data + name: minio-data + resources: + requests: + memory: "256Mi" + limits: + memory: "256Mi" + volumes: + - name: minio-data + persistentVolumeClaim: + claimName: minio-data-pvc + + +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: authx-minio-ingress + namespace: authx-service + annotations: + nginx.ingress.kubernetes.io/proxy-body-size: 8m +spec: + rules: + # 修改为学校的根域名 + - host: authx-minio.paas.xxx.edu.cn + http: + paths: + - path: / + backend: + serviceName: minio-svc + servicePort: http diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml new file mode 100644 index 0000000..106a222 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml 
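Review bot: `minio-env-secret` carries the MinIO access key and secret key both base64-encoded and spelled out in clear text in the comments directly above them (and again in the header comment as the console login), so the file leaks the credentials twice over; the same pattern recurs in 0.thirdparty-agent-service-base.yaml (the harbor `.dockerconfigjson` with its decoded JSON in a comment), 1.thirdparty-agent-service-env.yaml (`# kingstar` above `SPRING_DATASOURCE_PASSWORD`) and 4.2.thirdparty-agent-service.yaml (the decoded values under `FILE_MINIO_ACCESSKEY`/`FILE_MINIO_SECRETKEY`). Remove the decoded values from the comments and keep only an instruction such as `# base64 of a per-deployment access key - do not commit the real value`; the defaults shipped here should be rotated wherever they were already deployed. Note also that the three buckets the header tells the operator to mark `* Read Only` become anonymously readable through the `authx-minio-ingress` host, so confirm that only public UI assets are placed in them.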
@@ -0,0 +1,134 @@ +# 4.4.authx-service-bff.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: authx-service + name: authx-service-bff-env +data: + SERVER_PORT: "8080" + SSL_ENABLED: "false" + #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore + #SSL_KEYSTORE_PASSWORD: "" + #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore + #SSL_TRUSTSTORE_PASSWORD: "" + + SERVER_MAXHTTPHEADERSIZE: "10240" + + SERVER_TOMCAT_ACCEPT_COUNT: "5000" + SERVER_TOMCAT_MAX_CONNECTIONS: "10000" + SERVER_TOMCAT_MAX_THREADS: "800" + SERVER_TOMCAT_MIN_SPARE_THREADS: "100" + + LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_AUTHX_SERVICE_BFF: INFO + + + SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800" + SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100" + SPRING_REDIS_JEDIS_POOL_MINIDLE: "100" + + + CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080 + CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false" + #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: "" + #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore + #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore + #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080 + USER_DATA_SERVICE_CLIENT_AUTH_ENABLED: "false" + #USER_DATA_SERVICE_CLIENT_AUTH_KEY_PASSWORD: "" + #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore + #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore + #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + USER_AUTHZ_SERVICE_SERVER_URL: http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080 + USER_AUTHZ_SERVICE_CLIENT_AUTH_ENABLED: "false" + #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEY_PASSWORD: "" + 
#USER_AUTHZ_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore + #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #USER_AUTHZ_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore + #USER_AUTHZ_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + + TPAS_FILE_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio + TPAS_CLIENT_AUTH_ENABLED: "false" + #TPAS_CLIENT_AUTH_KEY_PASSWORD: "" + #TPAS_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #TPAS_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #TPAS_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #TPAS_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: authx-service + name: authx-service-bff-svc + labels: + app: authx-service-bff + needMonitor: 'true' +spec: + ports: + - port: 8080 + targetPort: http + protocol: TCP + name: http + - port: 6060 + targetPort: http-metrics + protocol: TCP + name: http-metrics + selector: + app: authx-service-bff + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: authx-service + name: authx-service-bff +spec: + selector: + matchLabels: + app: authx-service-bff + replicas: 1 + template: + metadata: + labels: + app: authx-service-bff + spec: + containers: + - name: authx-service-bff + image: paas.harbor.nwpu.edu.cn/authx-service/authx-service-bff:1.2.10-RELEASE + imagePullPolicy: Always + ports: + - containerPort: 8080 + name: http + - containerPort: 6060 + name: http-metrics + envFrom: + - configMapRef: + name: jvm-env + - secretRef: + name: redis-env-secret + - configMapRef: + name: authx-service-bff-env + resources: + requests: + memory: "1024Mi" + limits: + memory: "1024Mi" + readinessProbe: + httpGet: + path: /actuator/health + port: 8080 + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 10 + imagePullSecrets: + - name: harbor-registry 
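Review bot: `authx-service-bff-env` disables every transport protection the application exposes — `SSL_ENABLED: "false"` and `*_CLIENT_AUTH_ENABLED: "false"` for the cas-server SA API, user-data-service, user-authorization and TPAS calls — so the BFF talks plain HTTP to the services that manage accounts and authorizations, with the keystore settings left as commented-out lines. That is workable only if the cluster restricts who may reach those Services; nothing in this commit adds a NetworkPolicy, so either enable client auth using the existing `file:/certs/...` settings or document the compensating control, e.g. `# client auth disabled: service-to-service traffic is restricted by NetworkPolicy <POLICY_NAME>` above `CASSERVER_SA_API_CLIENT_AUTH_ENABLED`. The Deployment also references `imagePullSecrets: harbor-registry` in namespace `authx-service`, but the only `harbor-registry` Secret in this commit is created in `thirdparty-agent-service`; presumably the authx-service one exists from an earlier base manifest, which is worth confirming.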
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/8.echo-server.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/8.echo-server.yaml new file mode 100644 index 0000000..0c2de7e --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/8.echo-server.yaml @@ -0,0 +1,58 @@ +# 8.echo-server.yaml + +# 用于环境测试 + +--- +apiVersion: v1 +kind: Service +metadata: + name: echo-server + namespace: default + labels: + run: echo-server +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: 8080 + protocol: TCP + name: http + selector: + run: echo-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: echo-server + namespace: default +spec: + selector: + matchLabels: + run: echo-server + replicas: 1 + template: + metadata: + labels: + run: echo-server + spec: + containers: + - name: echo-server + # 若使用了学校搭设的私有仓库,请修改 + image: inanimate/echo-server:latest + ports: + - containerPort: 8080 +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: echo-server-ingress + namespace: default +spec: + rules: + # **修改** 学校的根域名 + - host: echo.paas.xxx.edu.cn + http: + paths: + - backend: + serviceName: echo-server + servicePort: 80 diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/admin-platform/favicon/sw.ico b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/admin-platform/favicon/sw.ico new file mode 100644 index 0000000..ffce864 Binary files /dev/null and b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/admin-platform/favicon/sw.ico differ diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/bg.png b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/bg.png new file mode 100644 index 0000000..19a2beb Binary files /dev/null and b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/bg.png differ 
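Review bot: `echo-server` is deployed into the `default` namespace from the unpinned `inanimate/echo-server:latest` image and published on a public Ingress host, while the file's own comment says it exists only for environment testing. An echo endpoint reflects request headers back to the caller, which on a shared ingress discloses internal proxy and forwarding headers to anyone who can reach the host; pin the image by digest, move it out of `default`, and remove the Ingress (or the whole manifest) once the check is done — a line such as `# temporary: delete after the ingress/DNS check` under `# 用于环境测试` would make that expectation explicit. This Ingress also uses the `extensions/v1beta1` API that current Kubernetes versions no longer serve.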
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/favicon.ico b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/favicon.ico new file mode 100644 index 0000000..ffce864 Binary files /dev/null and b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/favicon.ico differ diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/icon.png b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/icon.png new file mode 100644 index 0000000..61a5920 Binary files /dev/null and b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/icon.png differ diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/logo.png b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/logo.png new file mode 100644 index 0000000..53938d7 Binary files /dev/null and b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/logo.png differ diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/1.png b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/1.png new file mode 100644 index 0000000..fd1a680 Binary files /dev/null and b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/1.png differ diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/2.png b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/2.png new file mode 100644 index 0000000..fd1a680 Binary files /dev/null and b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/2.png differ 
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/profile.png b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/profile.png new file mode 100644 index 0000000..fd1a680 Binary files /dev/null and b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/profile.png differ diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/security-center-ui/favicon/favicon.ico b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/security-center-ui/favicon/favicon.ico new file mode 100644 index 0000000..ffce864 Binary files /dev/null and b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/security-center-ui/favicon/favicon.ico differ diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/security-center-ui/logo/logo.png b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/security-center-ui/logo/logo.png new file mode 100644 index 0000000..53938d7 Binary files /dev/null and b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/security-center-ui/logo/logo.png differ diff --git a/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/0.thirdparty-agent-service-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/0.thirdparty-agent-service-base.yaml new file mode 100644 index 0000000..b6a4f77 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/0.thirdparty-agent-service-base.yaml 
@@ -0,0 +1,16 @@
+# thirdparty-agent-service-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: thirdparty-agent-service
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
diff --git a/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/1.thirdparty-agent-service-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/1.thirdparty-agent-service-env.yaml
new file mode 100644
index 0000000..b568c8a
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/1.thirdparty-agent-service-env.yaml
@@ -0,0 +1,26 @@
+# thirdparty-agent-service-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: thirdparty-agent-service
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: thirdparty-agent-service
+ name: datasource-env-secret
+type: Opaque
+data:
+ # jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/agent_service?serverTimezone=Asia/Shanghai
+ SPRING_DATASOURCE_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvYWdlbnRfc2VydmljZT9zZXJ2ZXJUaW1lem9uZT1Bc2lhL1NoYW5naGFp
+ # agent_service
+ SPRING_DATASOURCE_USERNAME: YWdlbnRfc2VydmljZQ==
+ # 修改为实际的数据库密码,并使用 base64 工具进行编码
+ # kingstar
+ SPRING_DATASOURCE_PASSWORD: a2luZ3N0YXI=
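Review bot: The `harbor-registry` Secret embeds a credential for the vendor's shared registry `harbor.supwisdom.com` (user `rancher.devops`), and the decoded `.dockerconfigjson` including the password is reproduced in the comment above it, so a per-customer deployment repository now holds a credential that is not specific to this site. Replace it with a project-scoped, pull-only robot account issued for this deployment and drop the decoded JSON from the comment, leaving only `# base64 of the docker config for a pull-only robot account scoped to this project`; the account shown should be rotated since it is now in git history. The same Secret name is referenced by the `authx-service` Deployments elsewhere in this commit, but this object lives in namespace `thirdparty-agent-service` and Secrets are not shared across namespaces.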
diff --git a/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/4.2.thirdparty-agent-service.yaml b/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/4.2.thirdparty-agent-service.yaml
new file mode 100644
index 0000000..a129c1c
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/4.2.thirdparty-agent-service.yaml
@@ -0,0 +1,156 @@ +# thirdparty-agent-service.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: thirdparty-agent-service + name: agent-service-env +data: + SERVER_PORT: "8080" + SSL_ENABLED: "false" + #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore + #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore + + SERVER_MAXHTTPHEADERSIZE: "10240" + + SERVER_TOMCAT_ACCEPT_COUNT: "5000" + SERVER_TOMCAT_MAX_CONNECTIONS: "10000" + SERVER_TOMCAT_MAX_THREADS: "800" + SERVER_TOMCAT_MIN_SPARE_THREADS: "100" + + + SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10" + SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "20" + SPRING_DATASOURCE_DRUID_MIN_IDLE: "10" + + LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_TPAS: INFO + + ## file-db + FILE_DB_AUTOCONFIGURE_ENABLED: "false" + + ## file-minio + FILE_MINIO_AUTOCONFIGURE_ENABLED: "true" + FILE_MINIO_ENDPOINT: http://minio-svc.authx-service.svc.cluster.local:9000 + # FILE_MINIO_ACCESSKEY: "" + # FILE_MINIO_SECRETKEY: "" + + ## mail-console + MAIL_CONSOLE_AUTOCONFIGURE_ENABLED: "true" + + # 若须对接邮件服务,须提供 SMTP 帐号 + ## mail-smtp + MAIL_SMTP_AUTOCONFIGURE_ENABLED: "false" + MAIL_SMTP_HOST: smtp.mxhichina.com + MAIL_SMTP_PORT: "25" + MAIL_SMTP_SECURE_MODE: NONE + MAIL_SMTP_USERNAME: security.institute@supwisdom.com + MAIL_SMTP_PASSWORD: Security2019 + MAIL_SMTP_FROM: security.institute@supwisdom.com + MAIL_SMTP_FROM_PERSONAL: 智慧校园 + + ## sms-console + SMS_CONSOLE_AUTOCONFIGURE_ENABLED: "true" + + # 若须使用阿里云短信服务,须提供帐号 + ## sms-aliyun + SMS_ALIYUN_AUTOCONFIGURE_ENABLED: "false" + SMS_ALIYUN_REGION_ID: cn-hangzhou + SMS_ALIYUN_ACCESS_KEY_ID: "" + SMS_ALIYUN_ACCESS_SECRET: "" + + # 若须对接sms 接口,须进行二开定制 + + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: thirdparty-agent-service + name: agent-service-env-secret +type: Opaque +data: + #SSL_KEYSTORE_PASSWORD: "" + #SSL_TRUSTSTORE_PASSWORD: "" + + ## file-minio + FILE_MINIO_ACCESSKEY: MXk4TkA4UkBhXzJ1 + # 1y8N@8R@a_2u + FILE_MINIO_SECRETKEY: OHB4bEllOSNsTjdR + # 8pxlIe9#lN7Q + + +--- 
+apiVersion: v1 +kind: Service +metadata: + namespace: thirdparty-agent-service + name: agent-service-svc + labels: + app: agent-service + needMonitor: 'true' +spec: + ports: + - port: 8080 + targetPort: http + protocol: TCP + name: http + - port: 6060 + targetPort: http-metrics + protocol: TCP + name: http-metrics + selector: + app: agent-service + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: thirdparty-agent-service + name: agent-service +spec: + selector: + matchLabels: + app: agent-service + replicas: 1 + template: + metadata: + labels: + app: agent-service + spec: + containers: + - name: agent-service + # 若使用了学校搭设的私有仓库,请修改 + image: harbor.supwisdom.com/thirdparty-agent-service/agent-service:1.2.0-RELEASE + imagePullPolicy: Always + ports: + - containerPort: 8080 + name: http + - containerPort: 6060 + name: http-metrics + envFrom: + - configMapRef: + name: jvm-env + - secretRef: + name: datasource-env-secret + - secretRef: + name: agent-service-env-secret + - configMapRef: + name: agent-service-env + resources: + requests: + memory: "512Mi" + limits: + memory: "512Mi" + readinessProbe: + httpGet: + path: /actuator/health + port: 8080 + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 10 + imagePullSecrets: + - name: harbor-registry + diff --git a/project/nwpu/k8s-rancher/1.authx-service/10.0.init.sql b/project/nwpu/k8s-rancher/1.authx-service/10.0.init.sql new file mode 100644 index 0000000..0ab59fa --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/10.0.init.sql 
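Review bot: `agent-service-env` is a ConfigMap, yet it carries `MAIL_SMTP_USERNAME`, `MAIL_SMTP_PASSWORD: Security2019` and the `SMS_ALIYUN_ACCESS_KEY_ID`/`SMS_ALIYUN_ACCESS_SECRET` slots in clear text, while the Secret `agent-service-env-secret` right below it is already mounted by the Deployment through `secretRef`, so the keys can move without any change to the container spec. The SMTP password is a real mailbox credential for the vendor's `supwisdom.com` domain and should be rotated now that it is committed, even though `MAIL_SMTP_AUTOCONFIGURE_ENABLED` is `"false"` here. The MinIO key pair in the Secret is the same one shipped in 2.authx-service-minio.yaml (with the decoded values again in comments), so the two files must be changed together. The enclosing Service/Deployment definitions below are unaffected by the move.
```yaml
# … unchanged: ConfigMap agent-service-env, with MAIL_SMTP_USERNAME, MAIL_SMTP_PASSWORD, SMS_ALIYUN_ACCESS_KEY_ID and SMS_ALIYUN_ACCESS_SECRET removed …
data:
  #SSL_KEYSTORE_PASSWORD: ""
  #SSL_TRUSTSTORE_PASSWORD: ""

  ## mail-smtp (base64 of the real values; do not commit them)
  MAIL_SMTP_USERNAME: <BASE64_SMTP_USERNAME>
  MAIL_SMTP_PASSWORD: <BASE64_SMTP_PASSWORD>

  ## sms-aliyun (base64; leave empty until the school supplies an account)
  SMS_ALIYUN_ACCESS_KEY_ID: <BASE64_ALIYUN_KEY_ID>
  SMS_ALIYUN_ACCESS_SECRET: <BASE64_ALIYUN_SECRET>

  ## file-minio
  # … unchanged: FILE_MINIO_ACCESSKEY / FILE_MINIO_SECRETKEY, with the decoded values removed from the comments …
```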
@@ -0,0 +1,284 @@ +-- 10.0.init.sql + +/* +将 paas.example.com 替换为 paas.学校域名.edu.cn +*/ + + +use cas_server; + +-- 更新 服务 personal-security-center 的信息 +update TB_SERVICE +set + INFORMATION_URL='http://personal-security-center.paas.example.com', + LOGOUT_URL='http://personal-security-center.paas.example.com/slo?redirect_uri=http://security-center.paas.example.com/?clearCertification=clearCertification', + SERVICE_ID='http://personal-security-center.paas.example.com/cas/(.*)' +where ID='2'; -- todo, modify + + +-- security-center-ui 认证对接信息 + +INSERT INTO `TB_SERVICE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `NAME`, `DESCRIPTION`, `INFORMATION_URL`, `LOGOUT_URL`, + `RESPONSE_TYPE`, `LOGOUT_TYPE`, + `EVALUATION_ORDER`, `FRIENDLY_NAME`, `REGISTERED_SERVICE_ID`, `SERVICE_ID`, + `ENABLED`, `SSO_ENABLED`, `REQUIRE_ALL_ATTRIBUTES`, + `APPLICATION_ID`, `EXTERNAL_ID`) +VALUES ('22', '1', 0, 'admin', '2020-07-01 00:00:00', + '安全中心', '安全中心', 'https://security-center.paas.example.com', 'https://security-center.paas.example.com/?clearCertification=clearCertification', + 'REDIRECT', 'FRONT_CHANNEL', + 22, '安全中心', 22, 'https://security-center.paas.example.com/(.*)', + 1, 1, 1, + '22', '22'); + +commit; + +-- 修改根域名 +update TB_SERVICE +set + INFORMATION_URL='http://security-center.paas.example.com', + LOGOUT_URL='http://security-center.paas.example.com/?clearCertification=clearCertification', + SERVICE_ID='http://security-center.paas.example.com/(.*)', + ID_TOKEN_ENABLED=1, + JWT_AS_SERVICE_TICKET=1, + APPLICATION_DOMAIN='security-center.paas.example.com' +where ID='22'; -- todo, modify + +commit; + + +-- 请注意图片的后缀名,须与实际的文件名保持一致 +update TB_CONFIG set CONFIG_VALUE='cas-server-site-ui__logo.png' where ID='51'; -- casServer.config.logo +update TB_CONFIG set CONFIG_VALUE='cas-server-site-ui__logo.png' where ID='52'; -- casServer.config.logoM + +update TB_CONFIG set CONFIG_VALUE='cas-server-site-ui__bg.png' where ID='53'; -- casServer.config.bg +update TB_CONFIG set 
CONFIG_VALUE='cas-server-site-ui__bg.png' where ID='54'; -- casServer.config.bgM + +update TB_CONFIG set CONFIG_VALUE='409EFF' where ID='55'; -- casServer.config.schemeColor + +update TB_CONFIG set CONFIG_VALUE='cas-server-site-ui__icon.png' where ID='56'; -- casServer.config.iconImageUrl + +update TB_CONFIG set CONFIG_VALUE='https://example.com/download.htm' where ID='57'; -- casServer.config.superappDownloadUrl +update TB_CONFIG set CONFIG_VALUE='超级APP' where ID='57-1'; -- casServer.config.superappName + +update TB_CONFIG set CONFIG_VALUE='cas-server-site-ui__favicon.ico' where ID='58'; -- casServer.config.webFavicon +update TB_CONFIG set CONFIG_VALUE='树维信息' where ID='59'; -- casServer.config.webTitle + +update TB_CONFIG set CONFIG_VALUE='' where ID='61'; -- casServer.config.copyrightContent +update TB_CONFIG set CONFIG_VALUE='' where ID='62'; -- casServer.config.copyrightContentM + + + +use admin_center; + + +-- 管理接口路由 + +insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX) +values ('20', 0, 'authx-service-user-api', '认证授权 - 用户接口', '1', '/api/v1/base', 'https://localhost:8022', 0); + +insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX) +values ('40', 0, 'authx-service-personal-api', '认证授权 - 个人信息接口', '1', '/api/v1/personal', 'http://localhost:8041/api/v1', 1); + +insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX) +values ('21', 0, 'authx-service-admin-api', '认证授权 - 聚合接口(认证、授权)', '1', '/api/v2/admin', 'http://localhost:8009', 0); +insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX) +values ('22', 0, 'authx-service-open-api', '认证授权 - 聚合接口(公开)', '1', '/api/v2/open', 'http://localhost:8009', 0); + +commit; + +update TB_MGT_ROUTE set URL='http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080' where ID='20'; + +update TB_MGT_ROUTE set 
URL='http://personal-security-center-bff-svc.personal-security-center.svc.cluster.local:8080/api/v1' where ID='40'; + +update TB_MGT_ROUTE set URL='http://authx-service-bff.authx-service.svc.cluster.local:8080' where ID='21'; +update TB_MGT_ROUTE set URL='http://authx-service-bff.authx-service.svc.cluster.local:8080' where ID='22'; + +commit; + + +-- 应用 + +insert into TB_MGT_APPLICATION (ID, DELETED, CODE, NAME, STATUS) +values ('10', 0, '10', '用户授权', '1'); + +commit; + + +-- 菜单 + +/* +-- 认证管理 + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('20000', 0, 'cas-server', '认证管理', '1', '2', '', '/', '10', '1', 20000, 1, 18, 33); + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('20100', 0, 'loginConfig', '登录方式配置', '1', '2', 'su-icon-denglupeizhi', '/cas-server/loginConfig', '10', '20000', 20100, 2, 19, 20); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('20200', 0, 'safeLoginConfig', '账号安全配置', '1', '2', 'su-icon-config-security', '/cas-server/safeLoginConfig', '10', '20000', 20200, 2, 21, 22); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('20300', 0, 'accountActivationConfiguration', '账号激活配置', '1', '2', 'su-icon-bulb', '/cas-server/accountActivationConfiguration', '10', '20000', 20300, 2, 23, 24); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('20400', 0, 'safeConfig', '安全策略配置', '1', '2', 'su-icon-celuepeizhi', '/cas-server/safeConfig', '10', '20000', 20400, 2, 25, 26); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, 
LEVEL_, LFT, RGT) +values ('20500', 0, 'passwordConfig', '密码策略配置', '1', '2', 'su-icon-mimacelue', '/cas-server/passwordConfig', '10', '20000', 20500, 2, 27, 28); + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('20600', 0, 'serverManagement', '应用对接配置', '1', '2', 'el-icon-service', '/cas-server/serverManagement', '10', '20000', 20600, 2, 29, 30); + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('21100', 0, 'analyze', '认证统计分析', '1', '2', 'su-icon-renzhengtongjifenxi', '/cas-server/analyze', '10', '20000', 21100, 2, 31, 32); + +commit; + +-- 用户管理 + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('30000', 0, 'user-server', '用户管理', '1', '2', '', '/', '10', '1', 30000, 1, 34, 53); + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('30100', 0, 'dictionary', '字典管理', '1', '2', 'su-icon-zidian', '/user-server/dictionary', '10', '30000', 30100, 2, 35, 36); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('30200', 0, 'identity', '身份管理', '1', '2', 'su-icon-shenfen', '/user-server/identity', '10', '30000', 30200, 2, 37, 38); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('30300', 0, 'mechanism', '组织机构管理', '1', '2', 'su-icon-department', '/user-server/mechanism', '10', '30000', 30300, 2, 39, 40); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('30400', 0, 'person', '人员管理', '1', '2', 'su-icon-people', 
'/user-server/person', '10', '30000', 30400, 2, 41, 42); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('30500', 0, 'label', '标签管理', '1', '2', 'su-icon-biaoqian', '/user-server/label', '10', '30000', 30500, 2, 43, 44); + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('30600', 0, 'simpleUserGroupManage', '普通用户组管理', '1', '2', 'su-icon-portrait', '/user-server/simpleUserGroupManage', '10', '30000', 30600, 2, 45, 46); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('30700', 0, 'postUserGroupManage', '岗位用户组管理', '1', '2', 'su-icon-personnel', '/user-server/postUserGroupManage', '10', '30000', 30700, 2, 47, 48); + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('30800', 0, 'assignation', '人员分配', '1', '2', 'su-icon-tihuanbanliren', '/user-server/assignation', '10', '30000', 30800, 2, 49, 50); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('31000', 0, 'activateAccount', '账号激活审核', '1', '2', 'su-icon-yonghushouquan', '/user-server/activateAccount', '10', '30000', 31000, 2, 51, 52); + +commit; + +-- 授权管理 + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('40000', 0, 'authorization-server', '授权管理', '1', '2', '', '/', '10', '1', 40000, 1, 54, 77); + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('40100', 0, 'applicationRole', '角色授权', '1', '2', 'su-icon-yingyongjuese', '/auth-server/applicationRole', '10', 
'40000', 40100, 2, 55, 56); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('40200', 0, 'authorizationRoleComponent', '角色组授权', '1', '2', 'su-icon-juesezu', '/auth-server/authorizationRoleComponent', '10', '40000', 40200, 2, 57, 58); + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('40300', 0, 'userAuthManagePeople', '用户授权', '1', '2', 'su-icon-yonghushouquan', '/auth-server/userAuthManagePeople', '10', '40000', 40300, 2, 59, 60); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('40400', 0, 'roleAuthManagement', '用户规则授权', '1', '2', 'su-icon-yonghuguize', '/auth-server/roleAuthManagement', '10', '40000', 40400, 2, 61, 62); + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('40500', 0, 'userGroupAuth', '用户组授权', '1', '2', 'su-icon-yonghuguize', '/auth-server/userGroupAuth', '10', '40000', 40500, 2, 63, 64); + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('40900', 0, 'authorizationAndManagement', '分级授权管理', '1', '2', 'su-icon-shouquanjiguanli', '/auth-server/authorizationAndManagement', '10', '40000', 40900, 2, 65, 66); + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('41100', 0, 'accountAuthorizationAudit', '账号授权审计', '1', '2', 'su-icon-zhsqsj', '/auth-server/accountAuthorizationAudit', '10', '40000', 41100, 2, 67, 68); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('41200', 0, 'userAudit', '用户规则权限审计', 
'1', '2', 'su-icon-yhgzqxsj', '/auth-server/userAudit', '10', '40000', 41200, 2, 69, 70); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('41300', 0, 'rolePermissionAudit', '角色/组授权审计', '1', '2', 'su-icon-jszsqsj', '/auth-server/rolePermissionAudit', '10', '40000', 41300, 2, 71, 72); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('41400', 0, 'authOperationsAudit', '权限操作审计', '1', '2', 'su-icon-qxczsj', '/auth-server/authOperationsAudit', '10', '40000', 41400, 2, 73, 74); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('41500', 0, 'authStatisticalMonitor', '授权统计监控', '1', '2', 'su-icon-sqtjjk', '/auth-server/authStatisticalMonitor', '10', '40000', 41500, 2, 75, 76); + +commit; +*/ + +/* +update TB_MGT_PERMISSION + set LFT = LFT+2 +where LFT>=51 +; + +update TB_MGT_PERMISSION + set RGT = RGT+2 +where RGT>=51 +; + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('30750', 0, 'userScope', '用户规则', '1', '1', 'el-icon-guide', '/user-server/userScope', '1', '30000', 30750, 2, 51, 52); + +commit; +*/ + + +update TB_MGT_PERMISSION + set LFT = LFT+10 +where LFT>=35 +; + +update TB_MGT_PERMISSION + set RGT = RGT+10 +where RGT>=35 +; + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('20650', 0, 'casConfig', '认证对接配置', '1', '2', 'el-icon-service', '/cas-server/casConfig', '10', '20000', 20650, 2, 35, 36); + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('20700', 0, 'loginPageConfig', '登录页面配置', '1', '2', 
'su-icon-tongxunxinxi', '/cas-server/loginPageConfig', '10', '20000', 20700, 2, 37, 38); +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('20800', 0, 'linkLoginConfig', '联合登录配置', '1', '2', 'su-icon-test', '/cas-server/linkLoginConfig', '10', '20000', 20800, 2, 39, 40); + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('20900', 0, 'infoPerfectConfig', '信息完善配置', '1', '2', 'su-icon-chongxintijiao', '/cas-server/infoPerfectConfig', '10', '20000', 20900, 2, 41, 42); + +insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT) +values ('21000', 0, 'lockManagement', '认证锁定管理', '1', '2', 'su-icon-shouquanjiguanli', '/cas-server/lockManagement', '10', '20000', 21000, 2, 43, 44); + +commit; + + + +-- 角色权限 + +insert into TB_MGT_ROLE_PERMISSION (ID, DELETED, ROLE_ID, PERMISSION_ID) + +select CONCAT('20_', ID) as ID, 0 as DELETED, '20' as ROLE_ID, ID as PERMISSION_ID +from TB_MGT_PERMISSION +where ID like '2____' or ID='1' +; + +insert into TB_MGT_ROLE_PERMISSION (ID, DELETED, ROLE_ID, PERMISSION_ID) + +select CONCAT('30_', ID) as ID, 0 as DELETED, '30' as ROLE_ID, ID as PERMISSION_ID +from TB_MGT_PERMISSION +where ID like '3____' or ID='1' +; + +insert into TB_MGT_ROLE_PERMISSION (ID, DELETED, ROLE_ID, PERMISSION_ID) + +select CONCAT('40_', ID) as ID, 0 as DELETED, '40' as ROLE_ID, ID as PERMISSION_ID +from TB_MGT_PERMISSION +where ID like '4____' or ID='1' +; + + +insert into TB_MGT_ROLE_PERMISSION (ID, DELETED, ROLE_ID, PERMISSION_ID) + +select CONCAT('41_', ID) as ID, 0 as DELETED, '41' as ROLE_ID, ID as PERMISSION_ID +from TB_MGT_PERMISSION +where ID in ('40000', '40100', '40300', '40400', '40500') or ID='1' +; + + +insert into TB_MGT_ROLE_PERMISSION (ID, DELETED, ROLE_ID, PERMISSION_ID) + +select 
CONCAT('42_', ID) as ID, 0 as DELETED, '41' as ROLE_ID, ID as PERMISSION_ID +from TB_MGT_PERMISSION +where ID in ('40000', '40900') or ID='1' +; + +commit; + diff --git a/project/nwpu/k8s-rancher/1.authx-service/10.0.tmp.sql b/project/nwpu/k8s-rancher/1.authx-service/10.0.tmp.sql new file mode 100644 index 0000000..b7aaa52 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/10.0.tmp.sql 
@@ -0,0 +1,206 @@ + +/* + * 若通过交换同步组织机构、帐号数据的,须执行该数据库脚本 + */ + +use user; + +/* + +delete from TB_B_ACCOUNT_ORGANIZATION where ADD_ACCOUNT='trans'; + +delete from TB_B_SAFETY where ADD_ACCOUNT='trans'; +delete from TB_B_ACCOUNT where ADD_ACCOUNT='trans'; +delete from TB_B_USER where ADD_ACCOUNT='trans'; + +delete from TMP_ACCOUNT_TRANS; + +update TMP_ACCOUNT_ORIGIN set UID=UID; +*/ + + +DROP TRIGGER IF EXISTS after_update_organization_origin; + +delimiter // +create trigger after_update_organization_origin after update on TMP_ORGANIZATION_ORIGIN for each row +begin + declare ID1 varchar(100); + declare ID2 varchar(100); + + -- new 代表 表中新增的数据 + set ID1 = (select ID from TMP_ORGANIZATION_TRANS + where ((ID is null and new.ID is null) or ID=new.ID) + and ((PARENT_ORGANIZATION_ID is null and new.PARENT_ORGANIZATION_ID is null) or PARENT_ORGANIZATION_ID=new.PARENT_ORGANIZATION_ID) + and ((CODE is null and new.CODE is null) or CODE=new.CODE) + and ((NAME is null and new.NAME is null) or NAME=new.NAME) + and ((DESCRIPTION is null and new.DESCRIPTION is null) or DESCRIPTION=new.DESCRIPTION) + and ((TYPE_ID is null and new.TYPE_ID is null) or TYPE_ID=new.TYPE_ID) + and ((STATE is null and new.STATE is null) or STATE=new.STATE) + and ((ENABLE is null and new.ENABLE is null) or ENABLE=new.ENABLE) + and ((IS_DATA_CENTER is null and new.IS_DATA_CENTER is null) or IS_DATA_CENTER=new.IS_DATA_CENTER) + ); + -- into @ID1; + + if ID1 is null then + set ID2 = (select ID from TMP_ORGANIZATION_TRANS where ID=new.ID); -- into @ID2; + + if ID2 is null then + insert into TMP_ORGANIZATION_TRANS(TRANS_STATUS, TRANS_TIME, PROC_STATUS, PROC_TIME, + ID, PARENT_ORGANIZATION_ID, + CODE, NAME, DESCRIPTION, + TYPE_ID, + STATE, ENABLE, + IS_DATA_CENTER + ) + values ('1', now(), '0', null, + new.ID, new.PARENT_ORGANIZATION_ID, + new.CODE, new.NAME, new.DESCRIPTION, + new.TYPE_ID, + new.STATE, new.ENABLE, + new.IS_DATA_CENTER + ) + ; + + else + update TMP_ORGANIZATION_TRANS set + TRANS_STATUS='2', + 
TRANS_TIME=now(), + PROC_STATUS='0', + PARENT_ORGANIZATION_ID=new.PARENT_ORGANIZATION_ID, + CODE=new.CODE, + NAME=new.NAME, + DESCRIPTION=new.DESCRIPTION, + TYPE_ID=new.TYPE_ID, + STATE=new.STATE, + ENABLE=new.ENABLE, + IS_DATA_CENTER=new.IS_DATA_CENTER + where ID=new.ID + ; + + end if; + + else + + -- 如果数据没变化,但存在记录,且被处理,则标记未 不更新、不处理 + update TMP_ORGANIZATION_TRANS set + TRANS_STATUS='0', + TRANS_TIME=now(), + PROC_STATUS='0' + where ID=new.ID + and PROC_RESULT!='0' + ; + + end if; + +end // +delimiter ; + + +DROP TRIGGER IF EXISTS after_update_account_origin; + +delimiter // +create trigger after_update_account_origin after update on TMP_ACCOUNT_ORIGIN for each row +begin + declare ID1 varchar(100); + declare ID2 varchar(100); + + -- new 代表 表中新增的数据 + set ID1 = (select ID from TMP_ACCOUNT_TRANS + where ((ID is null and new.ID is null) or ID=new.ID) + and ((UID is null and new.UID is null) or UID=new.UID) + and ((NAME is null and new.NAME is null) or NAME=new.NAME) + and ((NAME_SPELLING is null and new.NAME_SPELLING is null) or NAME_SPELLING=new.NAME_SPELLING) + and ((FULL_NAME_SPELLING is null and new.FULL_NAME_SPELLING is null) or FULL_NAME_SPELLING=new.FULL_NAME_SPELLING) + and ((CERTIFICATE_TYPE_ID is null and new.CERTIFICATE_TYPE_ID is null) or CERTIFICATE_TYPE_ID=new.CERTIFICATE_TYPE_ID) + and ((CERTIFICATE_NUMBER is null and new.CERTIFICATE_NUMBER is null) or CERTIFICATE_NUMBER=new.CERTIFICATE_NUMBER) + and ((PHONE_NUMBER is null and new.PHONE_NUMBER is null) or PHONE_NUMBER=new.PHONE_NUMBER) + and ((EMAIL is null and new.EMAIL is null) or EMAIL=new.EMAIL) + and ((IMAGE_URL is null and new.IMAGE_URL is null) or IMAGE_URL=new.IMAGE_URL) + and ((GENDER_ID is null and new.GENDER_ID is null) or GENDER_ID=new.GENDER_ID) + and ((NATION_ID is null and new.NATION_ID is null) or NATION_ID=new.NATION_ID) + and ((COUNTRY_ID is null and new.COUNTRY_ID is null) or COUNTRY_ID=new.COUNTRY_ID) + and ((ADDRESS_ID is null and new.ADDRESS_ID is null) or 
ADDRESS_ID=new.ADDRESS_ID) + and ((ACCOUNT_NAME is null and new.ACCOUNT_NAME is null) or ACCOUNT_NAME=new.ACCOUNT_NAME) + and ((ACCOUNT_EXPIRY_DATE is null and new.ACCOUNT_EXPIRY_DATE is null) or ACCOUNT_EXPIRY_DATE=new.ACCOUNT_EXPIRY_DATE) + and ((ORGANIZATION_ID is null and new.ORGANIZATION_ID is null) or ORGANIZATION_ID=new.ORGANIZATION_ID) + and ((IDENTITY_TYPE_ID is null and new.IDENTITY_TYPE_ID is null) or IDENTITY_TYPE_ID=new.IDENTITY_TYPE_ID) + and ((ACTIVATION is null and new.ACTIVATION is null) or ACTIVATION=new.ACTIVATION) + and ((STATE is null and new.STATE is null) or STATE=new.STATE) + and ((IS_DATA_CENTER is null and new.IS_DATA_CENTER is null) or IS_DATA_CENTER=new.IS_DATA_CENTER) + ); + -- into @ID1; + + if ID1 is null then + set ID2 = (select ID from TMP_ACCOUNT_TRANS where ID=new.ID); -- into @ID2; + + if ID2 is null then + insert into TMP_ACCOUNT_TRANS(TRANS_STATUS, TRANS_TIME, PROC_STATUS, PROC_TIME, + ID, UID, + NAME, NAME_SPELLING, FULL_NAME_SPELLING, + CERTIFICATE_TYPE_ID, CERTIFICATE_NUMBER, + PHONE_NUMBER, EMAIL, + IMAGE_URL, + GENDER_ID, NATION_ID, COUNTRY_ID, ADDRESS_ID, + ACCOUNT_NAME, ACCOUNT_EXPIRY_DATE, ORGANIZATION_ID, IDENTITY_TYPE_ID, + ACTIVATION, STATE, + IS_DATA_CENTER + ) + values ('1', now(), '0', null, + new.ID, new.UID, + new.NAME, new.NAME_SPELLING, new.FULL_NAME_SPELLING, + new.CERTIFICATE_TYPE_ID, new.CERTIFICATE_NUMBER, + new.PHONE_NUMBER, new.EMAIL, + new.IMAGE_URL, + new.GENDER_ID, new.NATION_ID, new.COUNTRY_ID, new.ADDRESS_ID, + new.ACCOUNT_NAME, new.ACCOUNT_EXPIRY_DATE, new.ORGANIZATION_ID, new.IDENTITY_TYPE_ID, + new.ACTIVATION, new.STATE, + new.IS_DATA_CENTER + ) + ; + + else + update TMP_ACCOUNT_TRANS set + TRANS_STATUS='2', + TRANS_TIME=now(), + PROC_STATUS='0', + UID=new.UID, + NAME=new.NAME, + NAME_SPELLING=new.NAME_SPELLING, + FULL_NAME_SPELLING=new.FULL_NAME_SPELLING, + CERTIFICATE_TYPE_ID=new.CERTIFICATE_TYPE_ID, + CERTIFICATE_NUMBER=new.CERTIFICATE_NUMBER, + PHONE_NUMBER=new.PHONE_NUMBER, + 
EMAIL=new.EMAIL, + IMAGE_URL=new.IMAGE_URL, + GENDER_ID=new.GENDER_ID, + NATION_ID=new.NATION_ID, + COUNTRY_ID=new.COUNTRY_ID, + ADDRESS_ID=new.ADDRESS_ID, + ACCOUNT_NAME=new.ACCOUNT_NAME, + ACCOUNT_EXPIRY_DATE=new.ACCOUNT_EXPIRY_DATE, + ORGANIZATION_ID=new.ORGANIZATION_ID, + IDENTITY_TYPE_ID=new.IDENTITY_TYPE_ID, + ACTIVATION=new.ACTIVATION, + STATE=new.STATE, + IS_DATA_CENTER=new.IS_DATA_CENTER + where ID=new.ID + ; + + end if; + + else + + -- 如果数据没变化,但存在记录,且被处理,则标记未 不更新、不处理 + update TMP_ACCOUNT_TRANS set + TRANS_STATUS='0', + TRANS_TIME=now(), + PROC_STATUS='0' + where ID=new.ID + and PROC_RESULT!='0' + ; + + end if; + +end // +delimiter ; + diff --git a/project/nwpu/k8s-rancher/1.authx-service/10.0.trans.sql b/project/nwpu/k8s-rancher/1.authx-service/10.0.trans.sql new file mode 100644 index 0000000..784af9b --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/10.0.trans.sql 
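Review bot: In both triggers the unchanged-row branch `where ID=new.ID and PROC_RESULT!='0'` never matches a row whose `PROC_RESULT` is NULL, because `!=` against NULL yields UNKNOWN; the rows the trigger itself inserts carry `PROC_TIME` null and, presumably, no `PROC_RESULT` yet, so they are never reset to `TRANS_STATUS='0'` on a later no-change update. If NULL is meant to count as "never processed, leave alone" that should be stated, e.g. `-- rows with NULL PROC_RESULT (never processed) are deliberately left untouched`; if they should be reset too, the predicate needs `and (PROC_RESULT is null or PROC_RESULT!='0')`. Both `after_update_organization_origin` and `after_update_account_origin` fire only `after update`, which is why the commented header relies on `update TMP_ACCOUNT_ORIGIN set UID=UID;` to replay rows; rows that are only ever inserted into the `*_ORIGIN` tables never reach `*_TRANS`, so either a matching `after insert` trigger or a comment making that replay step mandatory is needed.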
@@ -0,0 +1,73 @@ +-- 10.0.trans.sql + +/* + 脚本用于 认证v4 的数据迁移 +*/ + +--执行前 TB_B_USER.UID 加索引 + + + +-- 更新老认证的密码 +UPDATE user.TB_B_USER u, ( + select ACCOUNT_NAME, case when ENCODED_PASSWORD is null then PASSWORD else ENCODED_PASSWORD end as PASSWORD + from tmp_data.TMP_ACCOUNT +) a +SET u.PASSWORD = a.PASSWORD +WHERE u.UID = a.ACCOUNT_NAME + + + +-- 更新激活状态 +update user.TB_B_ACCOUNT a, ( + select TB_B_USER.ID from tmp_data.TMP_ACCOUNT + inner join user.TB_B_USER on TMP_ACCOUNT.ACCOUNT_NAME=TB_B_USER.UID + where TMP_ACCOUNT.IS_ACTIVATED=1 +) tmp +set a.ACTIVATION=1 +where a.USER_ID=tmp.ID + + + +-- 更新老认证的安全邮箱 +update user.TB_B_SAFETY s, ( + select TB_B_USER.ID, TMP_TB_ACCOUNTSECURITYEMAIL.EMAILACCOUNTID as ACCOUNTID, EMAILINFO + from tmp_data.TMP_TB_ACCOUNTSECURITYEMAIL + inner join tmp_data.TMP_TB_ACCOUNT on TMP_TB_ACCOUNTSECURITYEMAIL.EMAILACCOUNTID=TMP_TB_ACCOUNT.ACCOUNTKEY + inner join user.TB_B_USER on TMP_TB_ACCOUNT.ACCOUNTKEY=TB_B_USER.UID + where EMAILINFO is not null and EMAILINFO!='' and EMAILINFO!='-1' and EMAILSTATUS in ('已验证', '待修改') +) email +set s.SECURE_EMAIL=email.EMAILINFO +where s.USER_ID=email.ID +; + +-- 更新老认证的安全手机 +update user.TB_B_SAFETY s, ( + select TB_B_USER.ID, TMP_TB_ACCOUNTSECURITYMOBILE.MOBILEACCOUNTID as ACCOUNTID, MOBILEINFO + from tmp_data.TMP_TB_ACCOUNTSECURITYMOBILE + inner join tmp_data.TMP_TB_ACCOUNT on TMP_TB_ACCOUNTSECURITYMOBILE.MOBILEACCOUNTID=TMP_TB_ACCOUNT.ACCOUNTKEY + inner join user.TB_B_USER on TMP_TB_ACCOUNT.ACCOUNTKEY=TB_B_USER.UID + where MOBILEINFO is not null and MOBILEINFO!='' and MOBILEINFO!='-1' and MOBILESTATUS in ('已验证', '待修改') +) mobile +set s.SECURE_PHONE=mobile.MOBILEINFO +where s.USER_ID=mobile.ID +; + + + + +-- 迁移 微信 绑定信息 +insert into cas_server.TB_FEDERATION (ID, COMPANY_ID, DELETED, ADD_ACCOUNT, USER_NO, FEDERATED_TYPE, FEDERATED_ID) +select ID, '1', 0, 'trans', + ACCOUNT_NAME, 'openweixin', WECHAT_UNIONID +from tmp_data.TMP_ACCOUNT_WECHAT +; + + +-- 迁移 QQ 绑定信息 +insert into cas_server.TB_FEDERATION (ID, 
COMPANY_ID, DELETED, ADD_ACCOUNT, USER_NO, FEDERATED_TYPE, FEDERATED_ID) +select ID, '1', 0, 'trans', + ACCOUNT_NAME, 'qq', QQ_OPENID +from tmp_data.TMP_ACCOUNT_QQ +; + diff --git a/project/nwpu/k8s-rancher/1.authx-service/10.1.init-address-book.sql b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-address-book.sql new file mode 100644 index 0000000..43f48ec --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-address-book.sql @@ -0,0 +1,59 @@ +-- 10.1.init-address-book.sql + + +/* +将 paas.example.com 替换为 paas.学校域名.edu.cn +*/ + + +-- 以下脚本为可选操作 + +/* + * 若部署了通讯录服务产品 + * 可默认创建几个管理员帐号,以及初始授权 + */ + + +use user; + + +-- 通讯录 + +insert into `TB_APPLICATION` (ID, DELETED, + BUSINESS_DOMAIN_ID, BUSINESS_DOMAIN_NAME, SYSTEM_ID, SYSTEM_NAME, + APPLICATION_ID, NAME, DESCRIPTION, + ENABLED) +values ('90', 0, + '1', '智慧校园', '1', '业务中台', + '90', '通讯录', '', + 1 +); + +commit; + + + +use user_authz; + +-- 通讯录 + +INSERT INTO `TB_R_SYSTEM` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `BUSINESS_DOMAIN_ID`, + `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`) +VALUES ('90', '1', 0, 'admin', '2019-07-01 00:00:00', + '1', + 'address-book', '通讯录', '通讯录', 1); + +INSERT INTO `TB_APPLICATION` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `BUSINESS_DOMAIN_ID`, `SYSTEM_ID`, + `NAME`, `APPLICATION_ID`, `SYNC_URL`, `ENABLED`) +VALUES ('90', '1', 0, 'admin', '2019-07-01 00:00:00', + '1', '90', + '通讯录', '90', '', 1); + +-- 更新应用的定时同步接口的地址 +-- UPDATE `TB_APPLICATION` set `SYNC_URL`='http://message-platform.paas.xxx.edu.cn/roles' WHERE ID='90'; + +commit; + + diff --git a/project/nwpu/k8s-rancher/1.authx-service/10.1.init-flow.sql b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-flow.sql new file mode 100644 index 0000000..4b1a696 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-flow.sql 
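Review bot: The first two statements are not terminated — `WHERE u.UID = a.ACCOUNT_NAME` and `where a.USER_ID=tmp.ID` have no `;` — so MySQL parses the password update, the activation update and the following safety-email update as a single statement and the run stops at a syntax error before any row changes; add `;` after each, and put a space after the dashes in `--执行前 TB_B_USER.UID 加索引`, since MySQL only recognises `-- ` (dashes followed by whitespace) as a comment. The password update falls back to `PASSWORD` when `ENCODED_PASSWORD` is null; if that legacy column holds a cleartext value this copies it unchanged into `TB_B_USER.PASSWORD`, so confirm the target expects the same encoding, or exclude rows without `ENCODED_PASSWORD` and force a reset for them. The secure-email/phone updates filter on the status strings `'已验证', '待修改'`; a one-line comment naming the legacy status values (and why `'-1'` is excluded) would help whoever re-runs this.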
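Review bot: The header says to replace `paas.example.com`, but the only host in this script — the commented `UPDATE `TB_APPLICATION` set `SYNC_URL`='http://message-platform.paas.xxx.edu.cn/roles' WHERE ID='90';` — uses `paas.xxx.edu.cn`, so a search-and-replace that follows the header misses it; the active `UPDATE` in 10.1.init-message-platform.sql carries the same placeholder. The line also looks copied from the message-platform script (host `message-platform`, while `'90'` is the address-book application), so if it is meant to be enabled later it needs the address-book's own endpoint. Using `paas.example.com` consistently, or listing both placeholders in the header, would make the substitution step reliable.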
@@ -0,0 +1,122 @@ +-- 10.1.init.sql + +/* +将 paas.example.com 替换为 paas.学校域名.edu.cn +*/ + + +-- 以下脚本为可选操作 + +/* + * 若部署了流程平台、门户的产品 + * 可默认创建几个管理员帐号,以及初始授权 + */ + + +-- 创建管理帐号 + +use user; + +-- flowadmin +INSERT INTO `TB_B_USER` (`ID`, `DELETED`, + `UID`, `PASSWORD`, `NAME`, `NAME_SPELLING`, `FULL_NAME_SPELLING`, + `CERTIFICATE_TYPE_ID`, `CERTIFICATE_NUMBER`, `PHONE_NUMBER`, `EMAIL`, + `GENDER_ID`, `NATION_ID`, `COUNTRY_ID`, `ADDRESS_ID`) +VALUES ('50', 0, + '50', 'flowadmin', '流程表单管理员', 'flowadmin', 'flowadmin', + '20001', '50', null, 'flowadmin@supwisdom.com', + '30001', '40001', '50156', '310000'); + +INSERT INTO `TB_B_ACCOUNT` (`ID`, `DELETED`, `USER_ID`, + `ACCOUNT_NAME`, `ACCOUNT_EXPIRY_DATE`, `ORGANIZATION_ID`, `IDENTITY_TYPE_ID`, + `ACTIVATION`, `STATE`, `IS_DATA_CENTER`) +VALUES ('50', 0, '50', + 'flowadmin', null, '1', '1', + 1, 'NORMAL', 0); + +INSERT INTO `TB_B_SAFETY`(`ID`, `DELETED`, `USER_ID`, `SCORE`, `PASSWORD_SCORE`, `SECURE_EMAIL`, `SECURE_PHONE`) +VALUES ('50', 0, '50', '0', '0', null, null); + +INSERT INTO `TB_B_ACCOUNT_ORGANIZATION` (`ID`, `DELETED`, + `ROOT_ORGANIZATION_ID`, `ACCOUNT_ID`, `ORGANIZATION_ID`) +VALUES ('50_1', 0, + '0', '50', '1'); + +INSERT INTO `TB_B_ACCOUNT_LABEL`(`ID`, `DELETED`, + `ACCOUNT_ID`, `LABEL_ID`) +VALUES ('50_1', 0, '50', '1'); + +commit; + + +-- 创建管理帐号的授权 + +use user_authz; + +-- flow +INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`) +VALUES ('50', '1', 0, 'admin', '2019-07-01 00:00:00', '1', 'flow-admin', '流程管理员', '流程管理员', 1, '50'); +INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`) +VALUES ('51', '1', 0, 'admin', '2019-07-01 00:00:00', '1', 'flow-biz', '流程业务员', '流程业务员', 1, '51'); + +INSERT INTO `TB_GRANTED_ACCOUNT_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, + `ACCOUNT_ID`, `ROLE_ID`, + `GRANT_EXPIRED_DATE`) 
+VALUES ('50_50', '1', 0, + '50', '50', + NULL); + +INSERT INTO `TB_ROLE_USER` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `ORIGIN_TYPE`, `ORIGIN_PK`, + `APPLICATION_ID`, `ROLE_ID`, `ACCOUNT_ID`, + `GRANT_EXPIRED_DATE`) +VALUES ('50_50', '1', 0, 'admin', '2019-07-01 00:00:00', + NULL, NULL, + '1', '50', '50', + NULL); + +commit; + + +-- 创建认证帐号、认证对接 + +use cas_server; + +-- flow + +INSERT INTO `TB_ACCOUNT` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `USERNAME`, `PASSWORD`, `DESCRIPTION`, `ENABLED`, `ACCOUNT_NON_EXPIRED`, `ACCOUNT_NON_LOCKED`, `CREDENTIALS_NON_EXPIRED`, + `IDENTITY`, `USER_NO`, `NAME`, `MOBILE`, `EMAIL_ADDRESS`, `IDENTITY_TYPE`, `IDENTITY_NO`, + `EXTERNAL_ID`) +VALUES ('50', '1', 0, 'admin', '2019-07-01 00:00:00', + 'flowadmin', 'flowadmin', '流程管理员', 1, 1, 1, 1, + 'admin', '50', '流程管理员', '', 'flowadmin@supwisdom.com', '20001', '', + '50'); + +commit; + +INSERT INTO `TB_SERVICE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `NAME`, `DESCRIPTION`, `INFORMATION_URL`, `LOGOUT_URL`, + `RESPONSE_TYPE`, `LOGOUT_TYPE`, + `EVALUATION_ORDER`, `FRIENDLY_NAME`, `REGISTERED_SERVICE_ID`, `SERVICE_ID`, + `ENABLED`, `SSO_ENABLED`, `REQUIRE_ALL_ATTRIBUTES`, + `APPLICATION_ID`, `EXTERNAL_ID`) +VALUES ('50', '1', 0, 'admin', '2019-07-01 00:00:00', + '流程平台', '流程平台', 'https://formflow.paas.example.com', 'https://formflow.paas.example.com/formflow/cas/authen/logout', + 'REDIRECT', 'FRONT_CHANNEL', + 50, '流程平台', 50, 'https://formflow.paas.example.com/(.*)', + 1, 1, 1, + '50', '50'); + +commit; + +update TB_SERVICE +set + INFORMATION_URL='http://formflow.paas.example.com', + LOGOUT_URL='http://formflow.paas.example.com/formflow/cas/authen/logout', + SERVICE_ID='http://formflow.paas.example.com/(.*)', + ID_TOKEN_ENABLED=1 +where ID='50'; -- todo, modify + +commit; + 
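Review bot: The seeded `flowadmin` account is written with its username as its password in both `user.TB_B_USER` (`'50', 'flowadmin', '流程表单管理员', ...`) and `cas_server.TB_ACCOUNT` (`'flowadmin', 'flowadmin', '流程管理员', 1, 1, 1, 1`), created enabled and non-locked, so every deployment that runs this script ends up with the same well-known administrator credential; 10.1.init-message.sql (`messageadmin`) and 10.1.init-portal.sql (`portaladmin`) do the same. 10.0.trans.sql copies an `ENCODED_PASSWORD` into `TB_B_USER.PASSWORD`, which suggests the column expects an encoded value, so the cleartext literal is presumably wrong in kind as well as weak. A deploy-time placeholder (e.g. `'<SET_PER_DEPLOYMENT>'`) or a documented forced reset right after install, plus a comment such as `-- default credential: must be changed before the service is exposed`, would address both. Separately, the header comment `-- 10.1.init.sql` no longer matches the file name, and the closing `update TB_SERVICE` swaps the `https://` URLs registered a few lines above for `http://` ones under a `-- todo, modify`; the intended final scheme should be stated so the todo is not shipped as-is.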
diff --git a/project/nwpu/k8s-rancher/1.authx-service/10.1.init-message-platform.sql b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-message-platform.sql new file mode 100644 index 0000000..0cd7f6b --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-message-platform.sql @@ -0,0 +1,64 @@ +-- 10.1.init-message-platform.sql + + +/* +将 paas.example.com 替换为 paas.学校域名.edu.cn +*/ + + +-- 以下脚本为可选操作 + +/* + * 若部署了消息服务产品 + * 可默认创建几个管理员帐号,以及初始授权 + */ + + +use user; + + +-- 消息平台 + +insert into `TB_APPLICATION` (ID, DELETED, + BUSINESS_DOMAIN_ID, BUSINESS_DOMAIN_NAME, SYSTEM_ID, SYSTEM_NAME, + APPLICATION_ID, NAME, DESCRIPTION, + ENABLED) +values ('80', 0, + '1', '智慧校园', '1', '业务中台', + '80', '消息平台', '', + 1 +); + +commit; + + + +use user_authz; + +-- 消息平台 + +INSERT INTO `TB_R_SYSTEM` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `BUSINESS_DOMAIN_ID`, + `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`) +VALUES ('80', '1', 0, 'admin', '2019-07-01 00:00:00', + '1', + 'message-platform', '消息平台', '消息平台', 1); + +INSERT INTO `TB_APPLICATION` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `BUSINESS_DOMAIN_ID`, `SYSTEM_ID`, + `NAME`, `APPLICATION_ID`, `SYNC_URL`, `ENABLED`) +VALUES ('80', '1', 0, 'admin', '2019-07-01 00:00:00', + '1', '80', + '消息平台', '80', '', 1); + +-- 更新应用的定时同步接口的地址 +UPDATE `TB_APPLICATION` set `SYNC_URL`='http://message-platform.paas.xxx.edu.cn/roles' WHERE ID='80'; + +INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`) +VALUES ('66666', '1', 0, 'admin', '2019-07-01 00:00:00', + '80', 'message-publisher', '消息发布员', '消息发布员', 1, '66666'); + +commit; + + diff --git a/project/nwpu/k8s-rancher/1.authx-service/10.1.init-message.sql b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-message.sql new file mode 100644 index 0000000..e34383c --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-message.sql 
@@ -0,0 +1,88 @@ +-- 10.1.init-message.sql + +/* +将 paas.example.com 替换为 paas.学校域名.edu.cn +*/ + + +-- 以下脚本为可选操作 + +/* + * 若部署了消息服务产品 + * 可默认创建几个管理员帐号,以及初始授权 + */ + + +-- 创建管理帐号 + +use user; + +-- 消息平台管理 + +INSERT INTO `TB_B_USER` (`ID`, `DELETED`, + `UID`, `PASSWORD`, `NAME`, `NAME_SPELLING`, `FULL_NAME_SPELLING`, + `CERTIFICATE_TYPE_ID`, `CERTIFICATE_NUMBER`, `PHONE_NUMBER`, `EMAIL`, + `GENDER_ID`, `NATION_ID`, `COUNTRY_ID`, `ADDRESS_ID`) +VALUES ('80', 0, + '80', 'messageadmin', '消息平台管理员', 'messageadmin', 'messageadmin', + '20001', '80', null, 'messageadmin@supwisdom.com', + '30001', '40001', '50156', '310000'); + +INSERT INTO `TB_B_ACCOUNT` (`ID`, `DELETED`, `USER_ID`, + `ACCOUNT_NAME`, `ACCOUNT_EXPIRY_DATE`, `ORGANIZATION_ID`, `IDENTITY_TYPE_ID`, + `ACTIVATION`, `STATE`, `IS_DATA_CENTER`) +VALUES ('80', 0, '80', + 'messageadmin', null, '1', '1', + 1, 'NORMAL', 0); + +INSERT INTO `TB_B_SAFETY`(`ID`, `DELETED`, `USER_ID`, `SCORE`, `PASSWORD_SCORE`, `SECURE_EMAIL`, `SECURE_PHONE`) +VALUES ('80', 0, '80', '0', '0', null, null); + +INSERT INTO `TB_B_ACCOUNT_ORGANIZATION` (`ID`, `DELETED`, + `ROOT_ORGANIZATION_ID`, `ACCOUNT_ID`, `ORGANIZATION_ID`) +VALUES ('80_1', 0, + '0', '80', '1'); + +INSERT INTO `TB_B_ACCOUNT_LABEL`(`ID`, `DELETED`, + `ACCOUNT_ID`, `LABEL_ID`) +VALUES ('80_1', 0, '80', '1'); + +commit; + + + +-- 创建管理帐号的授权 + +use user_authz; + + +-- 消息平台管理 + +INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`) +VALUES ('80', '1', 0, 'admin', '2020-07-01 00:00:00', + '1', 'message-admin', '消息平台管理员', '消息平台管理员', 1, '80'); +INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`) +VALUES ('81', '1', 0, 'admin', '2020-07-01 00:00:00', + '1', 'message-opt', '消息平台操作员', '消息平台操作员', 1, '81'); + +INSERT INTO `TB_GRANTED_ACCOUNT_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, + 
`ACCOUNT_ID`, `ROLE_ID`, + `GRANT_EXPIRED_DATE`) +VALUES ('80_80', '1', 0, + '80', '80', + NULL); + +INSERT INTO `TB_ROLE_USER` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `ORIGIN_TYPE`, `ORIGIN_PK`, + `APPLICATION_ID`, `ROLE_ID`, `ACCOUNT_ID`, + `GRANT_EXPIRED_DATE`) +VALUES ('80_80', '1', 0, 'admin', '2019-07-01 00:00:00', + NULL, NULL, + '1', '80', '80', + NULL); + +commit; + + diff --git a/project/nwpu/k8s-rancher/1.authx-service/10.1.init-portal.sql b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-portal.sql new file mode 100644 index 0000000..61b09d4 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-portal.sql 
@@ -0,0 +1,140 @@ +-- 10.1.init.sql + +/* +将 paas.example.com 替换为 paas.学校域名.edu.cn +*/ + + +-- 以下脚本为可选操作 + +/* + * 若部署了流程平台、门户的产品 + * 可默认创建几个管理员帐号,以及初始授权 + */ + + +-- 创建管理帐号 + +use user; + +-- portaladmin +INSERT INTO `TB_B_USER` (`ID`, `DELETED`, + `UID`, `PASSWORD`, `NAME`, `NAME_SPELLING`, `FULL_NAME_SPELLING`, + `CERTIFICATE_TYPE_ID`, `CERTIFICATE_NUMBER`, `PHONE_NUMBER`, `EMAIL`, + `GENDER_ID`, `NATION_ID`, `COUNTRY_ID`, `ADDRESS_ID`) +VALUES ('60', 0, + '60', 'portaladmin', '门户管理员', 'portaladmin', 'portaladmin', + '20001', '60', null, 'portaladmin@supwisdom.com', + '30001', '40001', '50156', '310000'); + +INSERT INTO `TB_B_ACCOUNT` (`ID`, `DELETED`, `USER_ID`, + `ACCOUNT_NAME`, `ACCOUNT_EXPIRY_DATE`, `ORGANIZATION_ID`, `IDENTITY_TYPE_ID`, + `ACTIVATION`, `STATE`, `IS_DATA_CENTER`) +VALUES ('60', 0, '60', + 'portaladmin', null, '1', '1', + 1, 'NORMAL', 0); + +INSERT INTO `TB_B_SAFETY`(`ID`, `DELETED`, `USER_ID`, `SCORE`, `PASSWORD_SCORE`, `SECURE_EMAIL`, `SECURE_PHONE`) +VALUES ('60', 0, '60', '0', '0', null, null); + +INSERT INTO `TB_B_ACCOUNT_ORGANIZATION` (`ID`, `DELETED`, + `ROOT_ORGANIZATION_ID`, `ACCOUNT_ID`, `ORGANIZATION_ID`) +VALUES ('60_1', 0, + '0', '60', '1'); + +INSERT INTO `TB_B_ACCOUNT_LABEL`(`ID`, `DELETED`, + `ACCOUNT_ID`, `LABEL_ID`) +VALUES ('60_1', 0, '60', '1'); + +commit; + + +-- 创建管理帐号的授权 + +use user_authz; + +-- portal +INSERT INTO `TB_SYSTEM` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `BUSINESS_DOMAIN_ID`, + `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`) +VALUES ('60', '1', 0, 'admin', '2019-07-01 00:00:00', + '1', + 'portal', '门户', '门户', 1); + +INSERT INTO `TB_APPLICATION` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `BUSINESS_DOMAIN_ID`, `SYSTEM_ID`, + `NAME`, `APPLICATION_ID`, `SYNC_URL`, `ENABLED`) +VALUES ('60', '1', 0, 'admin', '2019-07-01 00:00:00', + '1', '60', + '门户', '60', '', 1); + +INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `APPLICATION_ID`, `CODE`, 
`NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`) +VALUES ('60', '1', 0, 'admin', '2019-07-01 00:00:00', + '60', 'portal-admin', '门户管理员', '门户管理员', 1, '60'); + +INSERT INTO `TB_ROLE_USER` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `ORIGIN_TYPE`, `ORIGIN_PK`, + `APPLICATION_ID`, `ROLE_ID`, `ACCOUNT_ID`, + `GRANT_EXPIRED_DATE`) +VALUES ('60_60_60', '1', 0, 'admin', '2019-07-01 00:00:00', + NULL, NULL, + '60', '60', '60', + NULL); + +commit; + + +-- 配置门户角色的同步接口 + +update TB_APPLICATION +set + SYNC_URL='http://portal.paas.example.com/portal-web/api/open/role/findAll' +where ID='60'; -- todo, modify + +commit; + + +-- 创建认证帐号、认证对接 + +use cas_server; + +-- portal + +INSERT INTO `TB_ACCOUNT` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `USERNAME`, `PASSWORD`, `DESCRIPTION`, `ENABLED`, `ACCOUNT_NON_EXPIRED`, `ACCOUNT_NON_LOCKED`, `CREDENTIALS_NON_EXPIRED`, + `IDENTITY`, `USER_NO`, `NAME`, `MOBILE`, `EMAIL_ADDRESS`, `IDENTITY_TYPE`, `IDENTITY_NO`, + `EXTERNAL_ID`) +VALUES ('60', '1', 0, 'admin', '2019-07-01 00:00:00', + 'portaladmin', 'portaladmin', '门户管理员', 1, 1, 1, 1, + 'admin', '60', '门户管理员', '', 'portaladmin@supwisdom.com', '20001', '', + '60'); + +commit; + + +INSERT INTO `TB_SERVICE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `NAME`, `DESCRIPTION`, `INFORMATION_URL`, `LOGOUT_URL`, + `RESPONSE_TYPE`, `LOGOUT_TYPE`, + `EVALUATION_ORDER`, `FRIENDLY_NAME`, `REGISTERED_SERVICE_ID`, `SERVICE_ID`, + `ENABLED`, `SSO_ENABLED`, `REQUIRE_ALL_ATTRIBUTES`, + `APPLICATION_ID`, `EXTERNAL_ID`) +VALUES ('60', '1', 0, 'admin', '2019-07-01 00:00:00', + '门户', '门户', 'https://ecampus.paas.example.com', 'https://ecampus.paas.example.com/cas/slo', + 'REDIRECT', 'FRONT_CHANNEL', + 60, '门户', 60, 'https://ecampus.paas.example.com/login', + 1, 1, 1, + '60', '60'); + +commit; + +update TB_SERVICE +set + INFORMATION_URL='http://ecampus.paas.example.com', + LOGOUT_URL='http://ecampus.paas.example.com/cas/slo', + 
SERVICE_ID='http://ecampus.paas.example.com/cas/(.*)', + ID_TOKEN_ENABLED=1 +where ID='60'; -- todo, modify + +commit; + diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/0.user-data-service-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/0.user-data-service-base.yaml new file mode 100644 index 0000000..a9d74c3 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/0.user-data-service-base.yaml 
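Review bot: The `user_authz` section inserts into `TB_SYSTEM`, whereas the sibling scripts 10.1.init-address-book.sql and 10.1.init-message-platform.sql insert the identical column list into `TB_R_SYSTEM`; unless both tables exist in this schema version one of the names is stale and this script will either fail or register the portal system where nothing reads it — worth checking against the user_authz DDL. The final `update TB_SERVICE` also changes `SERVICE_ID` from `https://ecampus.paas.example.com/login` to `http://ecampus.paas.example.com/cas/(.*)` under a `-- todo, modify`; since that column presumably holds the pattern the CAS server matches the `service` parameter against, the scheme downgrade and the broader wildcard should be a deliberate, documented choice, e.g. `-- SERVICE_ID must match the exact callback the portal sends; keep https in production`. As in 10.1.init-flow.sql, the header reads `-- 10.1.init.sql` instead of the file name.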
@@ -0,0 +1,255 @@ +# user-data-service-base.yaml + +#################################################### +# supwisdom harbor private docker registry +#################################################### +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + namespace: user-data-service + name: harbor-registry +data: + # 修改harbor仓库配置,并使用 base64 工具进行编码 + # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}} + .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19 + + +#################################################### +# redis-server +#################################################### + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + namespace: user-data-service + name: redis-data-pvc +spec: + accessModes: + - ReadWriteMany + # 根据情况修改 + storageClassName: nfs-client + resources: + requests: + storage: 50Gi + +--- +apiVersion: v1 +kind: Secret +metadata: + labels: + app: redis + release: redis-server + name: redis-server + namespace: user-data-service +type: Opaque +data: + REDIS_PASSWORD: OEt1d29zbE9pdXc3SA== +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: redis + release: redis-server + name: redis-server + namespace: user-data-service +spec: + ports: + - name: redis + port: 6379 + protocol: TCP + targetPort: redis + selector: + app: redis + release: redis-server + role: master + type: ClusterIP +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + app: redis + release: redis-server + name: redis-server + namespace: user-data-service +spec: + podManagementPolicy: OrderedReady + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: redis + release: redis-server + role: master + serviceName: redis-master + template: + metadata: + labels: + app: redis + release: redis-server + role: master + spec: + containers: + - name: redis-server + env: + - name: 
REDIS_DISABLE_COMMANDS + value: FLUSHDB,FLUSHALL + - name: REDIS_REPLICATION_MODE + value: master + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-server + key: REDIS_PASSWORD + # 若使用了学校搭设的私有仓库,请修改 + image: bitnami/redis:4.0 + # 若使用了学校搭设的私有仓库,请修改 为 Always + imagePullPolicy: IfNotPresent + # imagePullPolicy: Always + livenessProbe: + exec: + command: + - redis-cli + - ping + failureThreshold: 5 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - containerPort: 6379 + name: redis + protocol: TCP + resources: + requests: + memory: "1024Mi" + limits: + memory: "1024Mi" + readinessProbe: + exec: + command: + - redis-cli + - ping + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - mountPath: /bitnami/redis/data + name: redis-data + dnsPolicy: ClusterFirst + restartPolicy: Always + securityContext: + fsGroup: 1001 + # runAsUser: 1001 + # https://github.com/bitnami/bitnami-docker-redis/issues/106#issuecomment-388884372 + runAsUser: 0 + terminationGracePeriodSeconds: 30 + volumes: + # - name: redis-data + # emptyDir: {} + - name: redis-data + persistentVolumeClaim: + claimName: redis-data-pvc + # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可,注意这里的缩进,imagePullSecrets要对齐到本行#符号) + # imagePullSecrets: + # - name: harbor-registry + updateStrategy: + rollingUpdate: + partition: 0 + type: RollingUpdate + + + +# #################################################### +# # rabbitmq-server +# #################################################### +# --- +# apiVersion: v1 +# kind: Secret +# metadata: +# labels: +# app: rabbitmq +# release: rabbitmq-server +# name: rabbitmq-server +# namespace: user-data-service +# type: Opaque +# data: +# RABBITMQ_USERNAME: Z3Vlc3Q= +# RABBITMQ_PASSWORD: Z3Vlc3Q= +# --- +# apiVersion: v1 +# kind: Service +# metadata: +# name: rabbitmq-server +# namespace: user-data-service +# labels: +# app: rabbitmq-server +# spec: +# ports: +# - 
port: 5672 +# targetPort: tcp-1 +# protocol: TCP +# name: tcp-1 +# - port: 15672 +# targetPort: tcp-2 +# protocol: TCP +# name: tcp-2 +# selector: +# app: rabbitmq-server +# --- +# apiVersion: apps/v1 +# kind: Deployment +# metadata: +# name: rabbitmq-server +# namespace: user-data-service +# spec: +# selector: +# matchLabels: +# app: rabbitmq-server +# replicas: 1 +# template: +# metadata: +# labels: +# app: rabbitmq-server +# annotations: +# sidecar.istio.io/inject: "false" +# spec: +# containers: +# - name: rabbitmq-server +# env: +# - name: RABBITMQ_VM_MEMORY_HIGH_WATERMARK +# value: "0.6" +# - name: RABBITMQ_DEFAULT_USER +# valueFrom: +# secretKeyRef: +# name: rabbitmq-server +# key: RABBITMQ_USERNAME +# - name: RABBITMQ_DEFAULT_PASS +# valueFrom: +# secretKeyRef: +# name: rabbitmq-server +# key: RABBITMQ_PASSWORD +# # 若使用了学校搭设的私有仓库,请修改 +# image: rabbitmq:management +# # 若使用了学校搭设的私有仓库,请修改 为 Always +# imagePullPolicy: IfNotPresent +# # imagePullPolicy: Always +# ports: +# - containerPort: 5672 +# name: tcp-1 +# - containerPort: 15672 +# name: tcp-2 +# resources: +# requests: +# memory: "1024Mi" +# limits: +# memory: "1024Mi" +# # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可) +# # imagePullSecrets: +# # - name: harbor-registry diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/1.user-data-service-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/1.user-data-service-env.yaml new file mode 100644 index 0000000..0f7e6e2 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/1.user-data-service-env.yaml 
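Review bot: The `harbor-registry` Secret commits the registry credential twice — base64 in `.dockerconfigjson` and decoded in the comment directly above it — and the `redis-server` Secret commits `REDIS_PASSWORD` the same way; base64 is an encoding, not protection, so these are cleartext credentials in version control, and `1.user-data-service-env.yaml` (`JDBC_PASSWORD`, `SPRING_REDIS_PASSWORD`, `SPRING_RABBITMQ_USERNAME`/`SPRING_RABBITMQ_PASSWORD`) and the literal `JDBC_PASSWORD` in `4.0.user-data-service-installer.yaml` have the same problem. The decoded-value comments should be removed, the committed values treated as exposed and rotated, and the Secrets created at deploy time (for example `kubectl create secret docker-registry harbor-registry ...` or an external/sealed-secret mechanism), leaving only the templated structure in the repo, e.g. `.dockerconfigjson: <base64 dockerconfigjson, generated at deploy time>`. The redis StatefulSet also runs as `runAsUser: 0` to work around the volume-ownership issue linked in the comment; an init container that chowns `/bitnami/redis/data` to 1001 would let the main container keep the non-root `runAsUser: 1001` that is commented out just above.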
@@ -0,0 +1,53 @@ +# user-data-service-env.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: user-data-service + name: jvm-env +data: + MAX_RAM_PERCENTAGE: "75.0" + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: user-data-service + name: datasource-env-secret +type: Opaque +data: + # jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai + JDBC_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvdXNlcj9zZXJ2ZXJUaW1lem9uZT1Bc2lhL1NoYW5naGFp + # user + JDBC_USERNAME: dXNlcg== + # 修改为实际的数据库密码,并使用 base64 工具进行编码 + # kingstar + JDBC_PASSWORD: a2luZ3N0YXI= + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: user-data-service + name: redis-env-secret +type: Opaque +data: + SPRING_REDIS_HOST: cmVkaXMtc2VydmVy + SPRING_REDIS_PORT: NjM3OQ== + SPRING_REDIS_PASSWORD: OEt1d29zbE9pdXc3SA== + + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: user-data-service + name: rabbitmq-env-secret +type: Opaque +data: + # rabbitmq-server.authx-service.svc.cluster.local + SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVyLmF1dGh4LXNlcnZpY2Uuc3ZjLmNsdXN0ZXIubG9jYWw= + SPRING_RABBITMQ_PORT: NTY3Mg== + SPRING_RABBITMQ_USERNAME: Z3Vlc3Q= + SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q= diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/2.user-data-service-ingresses.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/2.user-data-service-ingresses.yaml new file mode 100644 index 0000000..6680f1f --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/2.user-data-service-ingresses.yaml 
@@ -0,0 +1,20 @@ +# user-data-service-ingresses.yaml + +# 暂时不使用,直接使用内部地址 +# --- +# apiVersion: extensions/v1beta1 +# kind: Ingress +# metadata: +# namespace: user-data-service +# name: user-api-ingress +# spec: +# rules: +# # 修改为学校的根域名 +# - host: user-api.paas.xxx.edu.cn +# http: +# paths: +# - path: / +# backend: +# serviceName: user-data-service-poa-svc +# servicePort: http + diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.0.user-data-service-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.0.user-data-service-installer.yaml new file mode 100644 index 0000000..7654c6f --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.0.user-data-service-installer.yaml @@ -0,0 +1,55 @@ +# user-data-service-installer.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: user-data-service + name: user-data-service-installer-env +data: + DB_TYPE: mysql8 + + +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: user-data-service-installer + namespace: user-data-service +spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: user-data-service-installer + spec: + restartPolicy: Never + containers: + - name: user-data-service-installer + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/goa/installer:1.2.10-RELEASE + imagePullPolicy: Always + env: + - name: DB_TYPE + value: mysql8 + - name: JDBC_URL + value: jdbc:mysql://mysql-server:3306/user_test?serverTimezone=Asia/Shanghai + - name: JDBC_USERNAME + value: user_test + - name: JDBC_PASSWORD + value: Supwisdom!Nwpu123 + envFrom: + - configMapRef: + name: jvm-env + # - secretRef: + # name: datasource-env-secret + - configMapRef: + name: user-data-service-installer-env + # resources: + # requests: + # memory: "256Mi" + # limits: + # memory: "256Mi" + imagePullSecrets: + - name: harbor-registry 
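Review bot: In the installer Job, `- name: JDBC_PASSWORD` / `value: Supwisdom!Nwpu123` is a cleartext literal in the container `env`, while the `secretRef: datasource-env-secret` that should supply it is commented out directly below; the password therefore lives in the Job object (readable by anyone who can get jobs in the namespace) as well as in the repository. The literals also target database `user_test` with user `user_test`, whereas `datasource-env-secret` points at the `user` database — this looks like a test leftover and is worth confirming before the job is run against production. Drop the `JDBC_URL`, `JDBC_USERNAME` and `JDBC_PASSWORD` entries from `env` and re-enable `- secretRef:` / `name: datasource-env-secret` under `envFrom`, leaving `DB_TYPE` in the ConfigMap where it already is. 4.0.user-authorization-installer.yaml in this commit has the identical issue with `user_authz_test`.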
diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.1.user-data-service-poa.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.1.user-data-service-poa.yaml new file mode 100644 index 0000000..3f93f40 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.1.user-data-service-poa.yaml 
@@ -0,0 +1,124 @@ +# user-data-service-poa.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: user-data-service + name: user-data-service-poa-env +data: + SERVER_PORT: "8080" + SSL_ENABLED: "false" + #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore + #SSL_KEYSTORE_PASSWORD: "" + #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore + #SSL_TRUSTSTORE_PASSWORD: "" + + SERVER_MAXHTTPHEADERSIZE: "10240" + + SERVER_TOMCAT_ACCEPT_COUNT: "5000" + SERVER_TOMCAT_MAX_CONNECTIONS: "10000" + SERVER_TOMCAT_MAX_THREADS: "800" + SERVER_TOMCAT_MIN_SPARE_THREADS: "100" + + + SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10" + SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "50" + SPRING_DATASOURCE_DRUID_MIN_IDLE: "10" + + + CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080 + CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false" + #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: "" + #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + TPAS_FILE_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio + TPAS_CLIENT_AUTH_ENABLED: "false" + #TPAS_CLIENT_AUTH_KEY_PASSWORD: "" + #TPAS_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #TPAS_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #TPAS_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #TPAS_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + # **修改** 学校的根域名 + FILE_SERVER_TYPE: minio + FILE_SERVER_URL: https://authx-minio.paas.xxx.edu.cn + + + LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_GOA_COMMON_LOG: INFO + + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: user-data-service + name: user-data-service-poa-svc + labels: + app: user-data-service-poa + needMonitor: 'true' +spec: + ports: + - port: 8080 + 
targetPort: http + protocol: TCP + name: http + - port: 6060 + targetPort: http-metrics + protocol: TCP + name: http-metrics + selector: + app: user-data-service-poa + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: user-data-service + name: user-data-service-poa +spec: + selector: + matchLabels: + app: user-data-service-poa + replicas: 1 + template: + metadata: + labels: + app: user-data-service-poa + spec: + containers: + - name: user-data-service-poa + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/goa/poa-api:1.2.10-RELEASE + imagePullPolicy: Always + ports: + - containerPort: 8080 + name: http + - containerPort: 6060 + name: http-metrics + envFrom: + - configMapRef: + name: jvm-env + - secretRef: + name: datasource-env-secret + - configMapRef: + name: user-data-service-poa-env + resources: + requests: + memory: "1024Mi" + limits: + memory: "1024Mi" + readinessProbe: + httpGet: + path: /actuator/health + port: 8888 + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 10 + imagePullSecrets: + - name: harbor-registry diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.2.user-data-service-goa.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.2.user-data-service-goa.yaml new file mode 100644 index 0000000..37c911f --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.2.user-data-service-goa.yaml 
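Review bot: The `readinessProbe` targets `port: 8888`, but the container declares only `containerPort: 8080` (`http`) and `6060` (`http-metrics`) and nothing in `user-data-service-poa-env` configures a separate management port; if the image does not serve `/actuator/health` on 8888 the pod never becomes Ready and `user-data-service-poa-svc` gets no endpoints. If 8888 is the image's management port, declare it — `- containerPort: 8888` / `name: http-mgmt` — so the probe's target is visible in the manifest; otherwise point the probe at the `http` port. Only a readiness probe is defined, so a hung JVM is never restarted; a `livenessProbe` on the same endpoint with a longer `initialDelaySeconds` would be the usual companion. The same probe configuration appears in 4.2.user-data-service-goa.yaml, 4.3.user-data-service-biz.yaml, 4.1.user-authorization-poa.yaml and 4.2.user-authorization-sa.yaml.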
@@ -0,0 +1,146 @@ +# user-data-service-goa.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: user-data-service + name: user-data-service-goa-env +data: + SERVER_PORT: "8080" + SSL_ENABLED: "false" + #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore + #SSL_KEYSTORE_PASSWORD: "" + #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore + #SSL_TRUSTSTORE_PASSWORD: "" + + SERVER_MAXHTTPHEADERSIZE: "20480" + + SERVER_TOMCAT_ACCEPT_COUNT: "5000" + SERVER_TOMCAT_MAX_CONNECTIONS: "10000" + SERVER_TOMCAT_MAX_THREADS: "800" + SERVER_TOMCAT_MIN_SPARE_THREADS: "100" + + + SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10" + SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "20" + SPRING_DATASOURCE_DRUID_MIN_IDLE: "10" + + SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800" + SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100" + SPRING_REDIS_JEDIS_POOL_MINIDLE: "100" + + + # 加密算法的实现,默认 default,支持 bcrypt 等加密算法; SHA-256 支持 SHA-256 加密算法 + PASSWORD_ENCODER_IMPL: default + + PASSWORD_ENABLE_TRANS_UPDATE_PASSWORD: "false" + + SECURITY_API_SECURITY_ACCOUNT_SERVICE_IMPL: redis + + + # 推送数据到 jobs-server 的配置 + JOBS_RABBITMQ_ENABLED: "false" + JOBS_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local + JOBS_RABBITMQ_PORT: "5672" + JOBS_RABBITMQ_USERNAME: guest + JOBS_RABBITMQ_PASSWORD: guest + + + # 是否同步帐号到 openldap(已弃用) + # JOBS_RABBITMQ_ACCOUNTUSERSVC2OPENLDAPRABBITSENDER_ENABLED: "false" + + # 是否同步 帐号 数据至 jobs 的 MQ,由 jobs 再进行分发(如分发到 openldap) + JOBS_RABBITMQ_ACCOUNTUSERSVC2JOBSRABBITSENDER_ENABLED: "false" + # 是否同步 密码(明文密码)到 jobs 的 MQ,由 jobs 再进行分发(如分发到 城市热点) + JOBS_RABBITMQ_ACCOUNTUSERSVC2JOBSSYNCPASSWORDRABBITSENDER_ENABLED: "false" + + # 是否同步 组织机构 数据至 jobs 的 MQ,由 jobs 再进行分发(如分发到 openldap) + JOBS_RABBITMQ_ORGANIZATIONUSERSVC2JOBSRABBITSENDER_ENABLED: "false" + + # 是否同步 用户组 数据至 jobs 的 MQ,由 jobs 再进行分发(如分发到 openldap) + JOBS_RABBITMQ_GROUPUSERSVC2JOBSRABBITSENDER_ENABLED: "false" + + # 是否同步 帐号用户组 数据至 jobs 的 MQ,由 jobs 再进行分发(如分发到 openldap) + 
JOBS_RABBITMQ_ACCOUNTGROUPUSERSVC2JOBSRABBITSENDER_ENABLED: "false" + + + LOGGING_LEVEL_COM_SUPWISDOM_GOA: INFO + LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_GOA_COMMON_LOG: INFO + + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: user-data-service + name: user-data-service-goa-svc + labels: + app: user-data-service-goa + needMonitor: 'true' +spec: + ports: + - port: 8080 + targetPort: http + protocol: TCP + name: http + - port: 6060 + targetPort: http-metrics + protocol: TCP + name: http-metrics + selector: + app: user-data-service-goa + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: user-data-service + name: user-data-service-goa +spec: + selector: + matchLabels: + app: user-data-service-goa + replicas: 1 + template: + metadata: + labels: + app: user-data-service-goa + spec: + containers: + - name: user-data-service-goa + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/goa/goa-api:1.2.10-RELEASE + imagePullPolicy: Always + ports: + - containerPort: 8080 + name: http + - containerPort: 6060 + name: http-metrics + envFrom: + - configMapRef: + name: jvm-env + - secretRef: + name: datasource-env-secret + - secretRef: + name: redis-env-secret + - secretRef: + name: rabbitmq-env-secret + - configMapRef: + name: user-data-service-goa-env + resources: + requests: + memory: "1024Mi" + limits: + memory: "1024Mi" + readinessProbe: + httpGet: + path: /actuator/health + port: 8888 + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 10 + imagePullSecrets: + - name: harbor-registry diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.3.user-data-service-biz.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.3.user-data-service-biz.yaml new file mode 100644 index 0000000..2f72655 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.3.user-data-service-biz.yaml 
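Review bot: `JOBS_RABBITMQ_USERNAME: guest` and `JOBS_RABBITMQ_PASSWORD: guest` are stored in the `user-data-service-goa-env` ConfigMap although the pod already loads `rabbitmq-env-secret` with the same host, port and credentials via `envFrom`; ConfigMaps are not covered by Secret RBAC or encryption at rest, so broker credentials should live in the Secret only. Move the two keys into `rabbitmq-env-secret` (or a dedicated Secret referenced with `- secretRef:`) and replace the default `guest` account before go-live. This matters more than usual here: the comment on `JOBS_RABBITMQ_ACCOUNTUSERSVC2JOBSSYNCPASSWORDRABBITSENDER_ENABLED` says that sender forwards user passwords in cleartext (明文密码) over this broker, so if it is ever switched on the broker credentials become as sensitive as the user passwords themselves. 4.2.user-authorization-sa.yaml repeats the ConfigMap pattern with `USER_AUTHORIZATION_SA_USER_RABBITMQ_PASSWORD: guest`.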
@@ -0,0 +1,130 @@ +# user-data-service-biz.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: user-data-service + name: user-data-service-biz-env +data: + SERVER_PORT: "8080" + SSL_ENABLED: "false" + #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore + #SSL_KEYSTORE_PASSWORD: "" + #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore + #SSL_TRUSTSTORE_PASSWORD: "" + + SERVER_MAXHTTPHEADERSIZE: "10240" + + SERVER_TOMCAT_ACCEPT_COUNT: "5000" + SERVER_TOMCAT_MAX_CONNECTIONS: "10000" + SERVER_TOMCAT_MAX_THREADS: "800" + SERVER_TOMCAT_MIN_SPARE_THREADS: "100" + + + SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10" + SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "20" + SPRING_DATASOURCE_DRUID_MIN_IDLE: "10" + + + CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080 + CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false" + #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: "" + #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + USER_AUTHZ_SERVICE_SERVER_URL: http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080 + USER_AUTHZ_SERVICE_CLIENT_AUTH_ENABLED: "false" + #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEY_PASSWORD: "" + #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore + #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #USER_AUTHZ_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore + #USER_AUTHZ_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + TPAS_FILE_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio + TPAS_CLIENT_AUTH_ENABLED: "false" + #TPAS_CLIENT_AUTH_KEY_PASSWORD: "" + #TPAS_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #TPAS_CLIENT_AUTH_KEYSTORE_PASSWORD: 
"" + #TPAS_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #TPAS_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + + LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_GOA_COMMON_LOG: INFO + + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: user-data-service + name: user-data-service-biz-svc + labels: + app: user-data-service-biz + needMonitor: 'true' +spec: + ports: + - port: 8080 + targetPort: http + protocol: TCP + name: http + - port: 6060 + targetPort: http-metrics + protocol: TCP + name: http-metrics + selector: + app: user-data-service-biz + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: user-data-service + name: user-data-service-biz +spec: + selector: + matchLabels: + app: user-data-service-biz + replicas: 1 + template: + metadata: + labels: + app: user-data-service-biz + spec: + containers: + - name: user-data-service-biz + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/goa/biz-api:1.2.10-RELEASE + imagePullPolicy: Always + ports: + - containerPort: 8080 + name: http + - containerPort: 6060 + name: http-metrics + envFrom: + - configMapRef: + name: jvm-env + - secretRef: + name: datasource-env-secret + - secretRef: + name: rabbitmq-env-secret + - configMapRef: + name: user-data-service-biz-env + resources: + requests: + memory: "512Mi" + limits: + memory: "512Mi" + readinessProbe: + httpGet: + path: /actuator/health + port: 8888 + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 10 + imagePullSecrets: + - name: harbor-registry diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/5.user-data-service-datax-job.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/5.user-data-service-datax-job.yaml new file mode 100644 index 0000000..361c963 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/5.user-data-service-datax-job.yaml 
@@ -0,0 +1,56 @@ +# user-data-service-datax-job.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: user-data-service + name: user-data-service-datax-job-env +data: + JOB_APPLICATION_AUTHZ2USER_MYSQLREADER8_USERNAME: "user_authz" + # 修改为实际的数据库密码 + JOB_APPLICATION_AUTHZ2USER_MYSQLREADER8_PASSWORD: "kingstar" + JOB_APPLICATION_AUTHZ2USER_MYSQLREADER8_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user_authz?serverTimezone=Asia/Shanghai" + + JOB_APPLICATION_AUTHZ2USER_MYSQLWRITER8_USERNAME: "user" + # 修改为实际的数据库密码 + JOB_APPLICATION_AUTHZ2USER_MYSQLWRITER8_PASSWORD: "kingstar" + JOB_APPLICATION_AUTHZ2USER_MYSQLWRITER8_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai" + +--- +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: user-data-service-datax-job + namespace: user-data-service +spec: + schedule: "30 */4 * * *" + jobTemplate: + metadata: + labels: + app: user-data-service-datax-job + spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: user-data-service-datax-job + spec: + restartPolicy: Never + containers: + - name: user-data-service-datax-job + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/goa/datax-job:1.2.10-RELEASE + imagePullPolicy: Always + envFrom: + - configMapRef: + name: user-data-service-datax-job-env + # resources: + # requests: + # memory: "400Mi" + # limits: + # memory: "400Mi" + imagePullSecrets: + - name: harbor-registry + diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/9.api-docs-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/9.api-docs-installer.yaml new file mode 100644 index 0000000..53ff777 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/9.api-docs-installer.yaml 
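Review bot: The ConfigMap `user-data-service-datax-job-env` stores database passwords as plain strings (`JOB_APPLICATION_AUTHZ2USER_MYSQLREADER8_PASSWORD: "kingstar"` and the writer counterpart), and the comment above each instructs the operator to put the real password there — so production values end up in a ConfigMap rather than a Secret. Split the `*_PASSWORD` keys (ideally the `*_USERNAME`/`*_JDBC_URL` ones too) into a Secret and reference it with `- secretRef:` beside the existing `configMapRef`. Separately, `apiVersion: batch/v1beta1` for CronJob is the deprecated group version; `batch/v1` CronJob is available from Kubernetes 1.21 and v1beta1 is removed in 1.25, so confirm the target cluster version before relying on it. 5.user-authorization-datax-job.yaml in this commit has the same two issues.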
@@ -0,0 +1,52 @@ +# 9.api-docs-installer.yaml + +# 依赖平台OpenAPI的部署 + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: user-data-service + name: api-docs-installer-env +data: + ## + # 平台OpenAPI的外网访问地址, + # **修改** 学校的根域名 + POA_SERVER_URL: http://poa.paas.nwpu.edu.cn + + # **修改** poa-sa 服务的k8s内部地址 + POA_SA_SERVER_URL: http://platform-openapi-sa.poa.svc.cluster.local:8443 + + USER_API_SERVER_URL: http://user-data-service-poa-svc.user-data-service.svc.cluster.local:8080 + + +--- +apiVersion: batch/v1 +kind: Job +metadata: + namespace: user-data-service + name: api-docs-installer +spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: api-docs-installer + spec: + restartPolicy: Never + containers: + - name: api-docs-installer + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/goa/api-docs-installer:1.2.10-RELEASE + imagePullPolicy: Always + envFrom: + - configMapRef: + name: api-docs-installer-env + # resources: + # requests: + # memory: "256Mi" + # limits: + # memory: "256Mi" + imagePullSecrets: + - name: harbor-registry diff --git a/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/0.user-authorization-service-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/0.user-authorization-service-base.yaml new file mode 100644 index 0000000..68bb04c --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/0.user-authorization-service-base.yaml 
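Review bot: `POA_SA_SERVER_URL: http://platform-openapi-sa.poa.svc.cluster.local:8443` pairs an `http://` scheme with 8443, a port conventionally used for TLS; one of the two is probably wrong, and the installer would either fail the connection or talk to the SA endpoint in the clear. Confirm what the `platform-openapi-sa` Service in namespace `poa` actually exposes and make the scheme match (`https://...:8443`, or `http://` with the plain port). The `**修改**` markers above `POA_SERVER_URL` still read as template instructions although the value already carries the NWPU domain — if this file is final, drop them so operators do not re-edit a finished value. 9.api-docs-installer.yaml under 3.user-authorization-service has the same URL pair.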
@@ -0,0 +1,88 @@ +# user-authorization-service-base.yaml + +#################################################### +# supwisdom harbor private docker registry +#################################################### +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + namespace: user-authorization-service + name: harbor-registry +data: + # 修改harbor仓库配置,并使用 base64 工具进行编码 + # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}} + .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19 + + + +# #################################################### +# # rabbitmq-server +# #################################################### +# --- +# apiVersion: v1 +# kind: Secret +# metadata: +# labels: +# app: rabbitmq +# release: rabbitmq-server +# name: rabbitmq-server +# namespace: user-data-service +# type: Opaque +# data: +# RABBITMQ_USERNAME: Z3Vlc3Q= +# RABBITMQ_PASSWORD: Z3Vlc3Q= +# --- +# apiVersion: v1 +# kind: Service +# metadata: +# name: rabbitmq-server +# namespace: user-data-service +# labels: +# app: rabbitmq-server +# spec: +# ports: +# - port: 5672 +# targetPort: tcp-1 +# protocol: TCP +# name: tcp-1 +# - port: 15672 +# targetPort: tcp-2 +# protocol: TCP +# name: tcp-2 +# selector: +# app: rabbitmq-server +# --- +# apiVersion: apps/v1 +# kind: Deployment +# metadata: +# name: rabbitmq-server +# namespace: user-data-service +# spec: +# selector: +# matchLabels: +# app: rabbitmq-server +# replicas: 1 +# template: +# metadata: +# labels: +# app: rabbitmq-server +# annotations: +# sidecar.istio.io/inject: "false" +# spec: +# containers: +# - name: rabbitmq-server +# # 若使用了学校搭设的私有仓库,请修改 +# image: rabbitmq:management +# # 若使用了学校搭设的私有仓库,请修改 为 Always +# imagePullPolicy: IfNotPresent +# # imagePullPolicy: Always +# ports: +# - containerPort: 5672 +# name: tcp-1 +# - containerPort: 15672 +# name: tcp-2 +# # 
若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可) +# # imagePullSecrets: +# # - name: harbor-registry diff --git a/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/1.user-authorization-service-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/1.user-authorization-service-env.yaml new file mode 100644 index 0000000..0017035 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/1.user-authorization-service-env.yaml @@ -0,0 +1,40 @@ +# user-authorization-service-env.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: jvm-env + namespace: user-authorization-service +data: + MAX_RAM_PERCENTAGE: "75.0" + +--- +apiVersion: v1 +kind: Secret +metadata: + name: datasource-env-secret + namespace: user-authorization-service +type: Opaque +data: + # jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user_authz?serverTimezone=Asia/Shanghai + JDBC_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvdXNlcl9hdXRoej9zZXJ2ZXJUaW1lem9uZT1Bc2lhL1NoYW5naGFp + # user_authz + JDBC_USERNAME: dXNlcl9hdXRoeg== + # 修改为实际的数据库密码,并使用 base64 工具进行编码 + # kingstar + JDBC_PASSWORD: a2luZ3N0YXI= + +--- +apiVersion: v1 +kind: Secret +metadata: + name: rabbitmq-env-secret + namespace: user-authorization-service +type: Opaque +data: + # rabbitmq-server.authx-service.svc.cluster.local + SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVyLmF1dGh4LXNlcnZpY2Uuc3ZjLmNsdXN0ZXIubG9jYWw= + SPRING_RABBITMQ_PORT: NTY3Mg== + SPRING_RABBITMQ_USERNAME: Z3Vlc3Q= + SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q= diff --git a/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/2.user-authorization-service-ingresses.yaml b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/2.user-authorization-service-ingresses.yaml new file mode 100644 index 0000000..95996f6 --- /dev/null 
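Review bot: The `harbor-registry` Secret commits a live registry credential twice — the comment above `.dockerconfigjson` prints `{"auths":{"harbor.supwisdom.com":{"password":"...","username":"rancher.devops"}}}` with the password in cleartext and the base64 value below encodes the same — so the vendor's Harbor account is readable by everyone with access to this deployment repository. It is also ineffective for this commit: every image here is pulled from `paas.harbor.nwpu.edu.cn`, and kubelet selects pull secrets by registry host, so an auth entry for `harbor.supwisdom.com` is never applied to those pulls, which succeed only if the NWPU project allows anonymous access. Replace the value with a placeholder, create the Secret out of band for the registry actually in use (e.g. `kubectl create secret docker-registry harbor-registry --docker-server=paas.harbor.nwpu.edu.cn ... -n user-authorization-service`), and treat the committed `rancher.devops` credential as exposed. The commented-out rabbitmq block further down still says `namespace: user-data-service`, which would deploy into the wrong namespace if it is ever uncommented in this file. 0.cas-server-base.yaml in this commit carries the same `harbor-registry` Secret.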
+++ b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/2.user-authorization-service-ingresses.yaml @@ -0,0 +1,27 @@ +# user-authorization-service-ingresses.yaml + +# 创建 ca-secret + +# cd PATH/ca/certs/client + +# kubectl describe secret ca-secret -n user-authorization-service + +# kubectl create secret generic ca-secret --from-file=client.truststore=client.truststore -n user-authorization-service + +# 暂时不使用,直接使用内部地址 +# --- +# apiVersion: extensions/v1beta1 +# kind: Ingress +# metadata: +# namespace: user-authorization-service +# name: user-authz-api-ingress +# spec: +# rules: +# # 修改为学校的根域名 +# - host: user-authz-api.paas.xxx.edu.cn +# http: +# paths: +# - path: / +# backend: +# serviceName: user-authorization-poa-svc +# servicePort: http diff --git a/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.0.user-authorization-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.0.user-authorization-installer.yaml new file mode 100644 index 0000000..c0d200e --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.0.user-authorization-installer.yaml 
@@ -0,0 +1,56 @@ +# user-authorization-installer.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: user-authorization-service + name: user-authorization-installer-env +data: + DB_TYPE: mysql8 + + +--- +apiVersion: batch/v1 +kind: Job +metadata: + namespace: user-authorization-service + name: user-authorization-installer +spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: user-authorization-installer + spec: + restartPolicy: Never + containers: + - name: user-authorization-installer + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/user-authorization-service/user-authorization-installer:1.2.10-RELEASE + imagePullPolicy: Always + env: + - name: DB_TYPE + value: mysql8 + - name: JDBC_URL + value: jdbc:mysql://mysql-server:3306/user_authz_test?serverTimezone=Asia/Shanghai + - name: JDBC_USERNAME + value: user_authz_test + - name: JDBC_PASSWORD + value: Supwisdom!Nwpu123 + envFrom: + - configMapRef: + name: jvm-env + # - secretRef: + # name: datasource-env-secret + - configMapRef: + name: user-authorization-installer-env + # resources: + # requests: + # memory: "256Mi" + # limits: + # memory: "256Mi" + imagePullSecrets: + - name: harbor-registry + diff --git a/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.1.user-authorization-poa.yaml b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.1.user-authorization-poa.yaml new file mode 100644 index 0000000..f565f74 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.1.user-authorization-poa.yaml 
@@ -0,0 +1,111 @@ +# user-authorization-poa.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: user-authorization-service + name: user-authorization-poa-env +data: + SERVER_PORT: "8080" + SSL_ENABLED: "false" + #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore + #SSL_KEYSTORE_PASSWORD: "" + #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore + #SSL_TRUSTSTORE_PASSWORD: "" + + SERVER_MAXHTTPHEADERSIZE: "10240" + + SERVER_TOMCAT_ACCEPT_COUNT: "5000" + SERVER_TOMCAT_MAX_CONNECTIONS: "10000" + SERVER_TOMCAT_MAX_THREADS: "800" + SERVER_TOMCAT_MIN_SPARE_THREADS: "100" + + + SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10" + SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "50" + SPRING_DATASOURCE_DRUID_MIN_IDLE: "10" + + + USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080 + USER_DATA_SERVICE_CLIENT_AUTH_ENABLED: "false" + #USER_DATA_SERVICE_CLIENT_AUTH_KEY_PASSWORD: "" + #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_USER_AUTHORIZATION_SERVICE_COMMON_LOG: INFO + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: user-authorization-service + name: user-authorization-poa-svc + labels: + app: user-authorization-poa + needMonitor: 'true' +spec: + ports: + - port: 8080 + targetPort: http + protocol: TCP + name: http + - port: 6060 + targetPort: http-metrics + protocol: TCP + name: http-metrics + selector: + app: user-authorization-poa + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: user-authorization-service + name: user-authorization-poa +spec: + selector: + matchLabels: + app: user-authorization-poa + replicas: 1 + template: + metadata: + labels: + app: user-authorization-poa + spec: + containers: + - name: 
user-authorization-poa + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/user-authorization-service/user-authorization-poa:1.2.10-RELEASE + imagePullPolicy: Always + ports: + - containerPort: 8080 + name: http + - containerPort: 6060 + name: http-metrics + envFrom: + - secretRef: + name: datasource-env-secret + - configMapRef: + name: jvm-env + - configMapRef: + name: user-authorization-poa-env + resources: + requests: + memory: "1024Mi" + limits: + memory: "1024Mi" + readinessProbe: + httpGet: + path: /actuator/health + port: 8888 + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 10 + imagePullSecrets: + - name: harbor-registry + diff --git a/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.2.user-authorization-sa.yaml b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.2.user-authorization-sa.yaml new file mode 100644 index 0000000..b014153 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.2.user-authorization-sa.yaml 
@@ -0,0 +1,115 @@ +# user-authorization-sa.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: user-authorization-service + name: user-authorization-sa-env +data: + SERVER_PORT: "8080" + SSL_ENABLED: "false" + #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore + #SSL_KEYSTORE_PASSWORD: "" + #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore + #SSL_TRUSTSTORE_PASSWORD: "" + + SERVER_MAXHTTPHEADERSIZE: "20480" + + SERVER_TOMCAT_ACCEPT_COUNT: "5000" + SERVER_TOMCAT_MAX_CONNECTIONS: "10000" + SERVER_TOMCAT_MAX_THREADS: "800" + SERVER_TOMCAT_MIN_SPARE_THREADS: "100" + + + SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10" + SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "20" + SPRING_DATASOURCE_DRUID_MIN_IDLE: "10" + + + USER_AUTHORIZATION_SA_USER_RABBITMQ_CONSUMER_ENABLED: "false" + USER_AUTHORIZATION_SA_USER_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local + USER_AUTHORIZATION_SA_USER_RABBITMQ_PORT: "5672" + USER_AUTHORIZATION_SA_USER_RABBITMQ_USERNAME: guest + USER_AUTHORIZATION_SA_USER_RABBITMQ_PASSWORD: guest + + + LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_USER_AUTHORIZATION_SERVICE_COMMON_LOG: INFO + + # SBA_URL: http://spring-boot-admin-svc.base.svc.cluster.local:8080 + + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: user-authorization-service + name: user-authorization-sa-svc + labels: + app: user-authorization-sa + needMonitor: 'true' +spec: + ports: + - port: 8080 + targetPort: http + protocol: TCP + name: http + - port: 6060 + targetPort: http-metrics + protocol: TCP + name: http-metrics + selector: + app: user-authorization-sa + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: user-authorization-service + name: user-authorization-sa +spec: + selector: + matchLabels: + app: user-authorization-sa + replicas: 1 + template: + metadata: + labels: + app: user-authorization-sa + spec: + containers: + - name: user-authorization-sa + # 若使用了学校搭设的私有仓库,请修改 + image: 
paas.harbor.nwpu.edu.cn/user-authorization-service/user-authorization-sa:1.2.10-RELEASE + imagePullPolicy: Always + ports: + - containerPort: 8080 + name: http + - containerPort: 6060 + name: http-metrics + envFrom: + - configMapRef: + name: jvm-env + - secretRef: + name: datasource-env-secret + - secretRef: + name: rabbitmq-env-secret + - configMapRef: + name: user-authorization-sa-env + resources: + requests: + memory: "1024Mi" + limits: + memory: "1024Mi" + readinessProbe: + httpGet: + path: /actuator/health + port: 8888 + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 10 + imagePullSecrets: + - name: harbor-registry + diff --git a/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/5.user-authorization-datax-job.yaml b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/5.user-authorization-datax-job.yaml new file mode 100644 index 0000000..4510580 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/5.user-authorization-datax-job.yaml 
@@ -0,0 +1,56 @@ +# user-authorization-datax-job.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: user-authorization-service + name: user-authorization-datax-job-env +data: + JOB_USER2AUTHZ_MYSQLREADER8_USERNAME: "user" + # 修改为实际的数据库密码 + JOB_USER2AUTHZ_MYSQLREADER8_PASSWORD: "kingstar" + JOB_USER2AUTHZ_MYSQLREADER8_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai" + + JOB_USER2AUTHZ_MYSQLWRITER8_USERNAME: "user_authz" + # 修改为实际的数据库密码 + JOB_USER2AUTHZ_MYSQLWRITER8_PASSWORD: "kingstar" + JOB_USER2AUTHZ_MYSQLWRITER8_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user_authz?serverTimezone=Asia/Shanghai" + +--- +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: user-authorization-datax-job + namespace: user-authorization-service +spec: + schedule: "30 */4 * * *" + jobTemplate: + metadata: + labels: + app: user-authorization-datax-job + spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: user-authorization-datax-job + spec: + restartPolicy: Never + containers: + - name: user-authorization-datax-job + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/user-authorization-service/user-authorization-datax-job:1.2.10-RELEASE + imagePullPolicy: Always + envFrom: + - configMapRef: + name: user-authorization-datax-job-env + # resources: + # requests: + # memory: "400Mi" + # limits: + # memory: "400Mi" + imagePullSecrets: + - name: harbor-registry + diff --git a/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/9.api-docs-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/9.api-docs-installer.yaml new file mode 100644 index 0000000..ab9b73b --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/9.api-docs-installer.yaml 
@@ -0,0 +1,52 @@ +# 9.api-docs-installer.yaml + +# 依赖平台OpenAPI的部署 + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: user-authorization-service + name: api-docs-installer-env +data: + ## + # 平台OpenAPI的外网访问地址, + # **修改** 学校的根域名 + POA_SERVER_URL: http://poa.paas.nwpu.edu.cn + + # **修改** poa-sa 服务的k8s内部地址 + POA_SA_SERVER_URL: http://platform-openapi-sa.poa.svc.cluster.local:8443 + + USER_AUTHZ_API_SERVER_URL: http://user-authorization-poa-svc.user-authorization-service.svc.cluster.local:8080 + + +--- +apiVersion: batch/v1 +kind: Job +metadata: + namespace: user-authorization-service + name: api-docs-installer +spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: api-docs-installer + spec: + restartPolicy: Never + containers: + - name: api-docs-installer + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/user-authorization-service/api-docs-installer:1.2.10-RELEASE + imagePullPolicy: Always + envFrom: + - configMapRef: + name: api-docs-installer-env + # resources: + # requests: + # memory: "256Mi" + # limits: + # memory: "256Mi" + imagePullSecrets: + - name: harbor-registry diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/0.cas-server-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/0.cas-server-base.yaml new file mode 100644 index 0000000..eaf380f --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/0.cas-server-base.yaml 
@@ -0,0 +1,234 @@ +# cas-server-base.yaml + +#################################################### +# supwisdom harbor private docker registry +#################################################### +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: harbor-registry + namespace: cas-server +data: + # 修改harbor仓库配置,并使用 base64 工具进行编码 + # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}} + .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19 + + +#################################################### +# redis-server +#################################################### + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + namespace: cas-server + name: redis-data-pvc +spec: + accessModes: + - ReadWriteMany + # 根据情况修改 + storageClassName: nfs-client + resources: + requests: + storage: 50Gi + +--- +apiVersion: v1 +kind: Secret +metadata: + labels: + app: redis + release: redis-server + name: redis-server + namespace: cas-server +type: Opaque +data: + REDIS_PASSWORD: OEt1d29zbE9pdXc3SA== + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: redis + release: redis-server + name: redis-server + namespace: cas-server +spec: + ports: + - name: redis + port: 6379 + protocol: TCP + targetPort: redis + selector: + app: redis + release: redis-server + role: master + type: ClusterIP +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + app: redis + release: redis-server + name: redis-server + namespace: cas-server +spec: + podManagementPolicy: OrderedReady + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: redis + release: redis-server + role: master + serviceName: redis-master + template: + metadata: + labels: + app: redis + release: redis-server + role: master + spec: + containers: + - name: redis-server + env: + - name: REDIS_DISABLE_COMMANDS + value: 
FLUSHDB,FLUSHALL + - name: REDIS_REPLICATION_MODE + value: master + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-server + key: REDIS_PASSWORD + # 若使用了学校搭设的私有仓库,请修改 + image: bitnami/redis:4.0 + # 若使用了学校搭设的私有仓库,请修改 为 Always + imagePullPolicy: IfNotPresent + # imagePullPolicy: Always + livenessProbe: + exec: + command: + - redis-cli + - ping + failureThreshold: 5 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - containerPort: 6379 + name: redis + protocol: TCP + readinessProbe: + exec: + command: + - redis-cli + - ping + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - mountPath: /bitnami/redis/data + name: redis-data + dnsPolicy: ClusterFirst + restartPolicy: Always + securityContext: + fsGroup: 1001 + # runAsUser: 1001 + # https://github.com/bitnami/bitnami-docker-redis/issues/106#issuecomment-388884372 + runAsUser: 0 + terminationGracePeriodSeconds: 30 + volumes: + # - name: redis-data + # emptyDir: {} + - name: redis-data + persistentVolumeClaim: + claimName: redis-data-pvc + # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可) + # imagePullSecrets: + # - name: harbor-registry + updateStrategy: + rollingUpdate: + partition: 0 + type: RollingUpdate + + +#################################################### +# rabbitmq-server +#################################################### +--- +apiVersion: v1 +kind: Secret +metadata: + labels: + app: rabbitmq + release: rabbitmq-server + name: rabbitmq-server + namespace: cas-server +type: Opaque +data: + RABBITMQ_USERNAME: Z3Vlc3Q= + RABBITMQ_PASSWORD: Z3Vlc3Q= + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: cas-server + name: rabbitmq-server + labels: + app: rabbitmq-server +spec: + ports: + - port: 5672 + targetPort: tcp-1 + protocol: TCP + name: tcp-1 + - port: 15672 + targetPort: tcp-2 + protocol: TCP + name: tcp-2 + selector: + app: rabbitmq-server +--- +apiVersion: apps/v1 
+kind: Deployment +metadata: + name: rabbitmq-server + namespace: cas-server +spec: + selector: + matchLabels: + app: rabbitmq-server + replicas: 1 + template: + metadata: + labels: + app: rabbitmq-server + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: rabbitmq-server + # 若使用了学校搭设的私有仓库,请修改 + image: rabbitmq:management + # 若使用了学校搭设的私有仓库,请修改 为 Always + imagePullPolicy: IfNotPresent + # imagePullPolicy: Always + ports: + - containerPort: 5672 + name: tcp-1 + - containerPort: 15672 + name: tcp-2 + # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可) + # imagePullSecrets: + # - name: harbor-registry + diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/1.cas-server-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/1.cas-server-env.yaml new file mode 100644 index 0000000..f8b56ca --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/1.cas-server-env.yaml 
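Review bot: The `harbor-registry` pull secret commits a live registry credential — the comment above `.dockerconfigjson` spells the JSON out in plaintext and the base64 value is the same content — and it is for `harbor.supwisdom.com`, while every image in this directory is pulled from `paas.harbor.nwpu.edu.cn`, so as written the secret both discloses the vendor credential and does not authenticate the pulls it is attached to. Create it out of band (`kubectl create secret docker-registry harbor-registry --docker-server=paas.harbor.nwpu.edu.cn … -n cas-server`), rotate the exposed credential, and keep only a placeholder in git; 1.cas-server-env.yaml commits its secret values the same way. The `rabbitmq-server` Secret is never consumed — the RabbitMQ Deployment has no `env`/`envFrom` — so the broker runs with the image's default `guest`/`guest` account (which is also what the committed base64 decodes to) while the Service exposes the management port 15672 cluster-wide; wire the secret in via `RABBITMQ_DEFAULT_USER`/`RABBITMQ_DEFAULT_PASS` and use a non-default password. Redis runs with `runAsUser: 0` to work around a volume-permission issue; `fsGroup: 1001` is already set, so a non-root `runAsUser` (or, if the NFS export squashes ownership, an init container that chowns the mount) avoids a root container, and the StatefulSet's `serviceName: redis-master` names a Service that does not exist in this file (the Service is `redis-server`).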
@@ -0,0 +1,51 @@ +# cas-server-env.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: cas-server + name: jvm-env +data: + MAX_RAM_PERCENTAGE: "75.0" + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: cas-server + name: datasource-env-secret +type: Opaque +data: + # jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/cas_server?serverTimezone=Asia/Shanghai + JDBC_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvY2FzX3NlcnZlcj9zZXJ2ZXJUaW1lem9uZT1Bc2lhL1NoYW5naGFp + # cas_server + JDBC_USERNAME: Y2FzX3NlcnZlcg== + # 修改为实际的数据库密码,并使用 base64 工具进行编码 + # kingstar + JDBC_PASSWORD: a2luZ3N0YXI= + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: cas-server + name: redis-env-secret +type: Opaque +data: + SPRING_REDIS_HOST: cmVkaXMtc2VydmVy + SPRING_REDIS_PORT: NjM3OQ== + SPRING_REDIS_PASSWORD: OEt1d29zbE9pdXc3SA== + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: cas-server + name: rabbitmq-env-secret +type: Opaque +data: + SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVy + SPRING_RABBITMQ_PORT: NTY3Mg== + SPRING_RABBITMQ_USERNAME: Z3Vlc3Q= + SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q= diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml new file mode 100644 index 0000000..9ffc2a6 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml 
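Review bot: Every value in these four Secrets is committed with its plaintext written next to it (`# kingstar` above `JDBC_PASSWORD`, `# cas_server` above the username), and the redis and rabbitmq passwords are the same base64 strings as in 0.cas-server-base.yaml, so the git history is the credential store — base64 is an encoding step, not protection, and the instruction `并使用 base64 工具进行编码` may give a reader the opposite impression. Keep these manifests as templates (`JDBC_PASSWORD: "<BASE64_DB_PASSWORD — set at deploy time>"`) and create the real Secrets from a deploy-time source (`kubectl create secret generic datasource-env-secret --from-literal=… -n cas-server`, or a sealed-/external-secrets operator) so the checked-in file never holds a working credential. If the committed values were ever used in a real environment, rotate them.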
@@ -0,0 +1,45 @@ +# cas-server-ingresses.yaml + +# 创建 ca-secret + +# cd PATH/ca/certs/client + +# kubectl describe secret ca-secret -n cas-server + +# kubectl create secret generic ca-secret --from-file=client.truststore=client.truststore -n cas-server + + +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + namespace: cas-server + name: cas-ingress + annotations: + nginx.ingress.kubernetes.io/proxy-buffer-size: "8k" + # cert-manager.io/cluster-issuer: "letsencrypt-staging" + # nginx.ingress.kubernetes.io/ssl-redirect: "true" + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" + # nginx.ingress.kubernetes.io/auth-tls-secret: "cas-server/ca-secret" + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" +spec: + # tls: + # - hosts: + # - cas.paas.xxx.edu.cn + # secretName: cas-ingress-tls + rules: + # 修改为学校的根域名 + - host: cas.paas.xxx.edu.cn + http: + paths: + - path: /cas + backend: + serviceName: cas-server-site-webapp-svc + servicePort: http + - path: /cas/schemes + backend: + serviceName: cas-server-site-scheme-svc + servicePort: http + + +# TODO: https 配置说明 diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml new file mode 100644 index 0000000..28b9f01 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml 
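Review bot: The `tls:` block and the `ssl-redirect` annotation are commented out, so this Ingress terminates plain HTTP only, while 4.5.cas-server-site-webapp.yaml sets `CAS_SERVER_NAME: https://cas.paas.xxx.edu.cn` and `CAS_TGC_SECURE: "true"` — browsers do not send a Secure cookie over http, so with the two files as committed the ticket-granting cookie is not retained on the plain-HTTP host and SSO between services will not work. Either enable TLS here (`tls:` with `secretName: cas-ingress-tls` plus `nginx.ingress.kubernetes.io/ssl-redirect: "true"`) or set `CAS_TGC_SECURE` to `"false"` for a non-TLS test deployment, and say which in place of the trailing `# TODO: https 配置说明`. `apiVersion: extensions/v1beta1` for Ingress was removed in Kubernetes 1.22; `networking.k8s.io/v1` (with `service.name`/`service.port.name` in the backend) is the supported form.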
@@ -0,0 +1,56 @@ +# cas-server-installer.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: cas-server + name: cas-server-installer-env +data: + DB_TYPE: mysql8 + + +--- +apiVersion: batch/v1 +kind: Job +metadata: + namespace: cas-server + name: cas-server-installer +spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: cas-server-installer + spec: + restartPolicy: Never + containers: + - name: cas-server-installer + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-installer:1.2.9-SNAPSHOT + imagePullPolicy: Always + env: + - name: DB_TYPE + value: mysql8 + - name: JDBC_URL + value: jdbc:mysql://mysql-server:3306/cas_server_test?serverTimezone=Asia/Shanghai + - name: JDBC_USERNAME + value: cas_server_test + - name: JDBC_PASSWORD + value: Supwisdom!Nwpu123 + envFrom: + - configMapRef: + name: jvm-env + # - secretRef: + # name: datasource-env-secret + - configMapRef: + name: cas-server-installer-env + # resources: + # requests: + # memory: "256Mi" + # limits: + # memory: "256Mi" + imagePullSecrets: + - name: harbor-registry + diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml new file mode 100644 index 0000000..ef0abb4 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml 
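Review bot: The installer's database credentials are hard-coded as literal `env` values (`JDBC_PASSWORD` with a plaintext `value:`) while the `secretRef: datasource-env-secret` that the runtime services use is commented out, so the password sits in plaintext in git and the installer and the services can silently diverge: here the target is `mysql-server:3306/cas_server_test` as `cas_server_test`, whereas `datasource-env-secret` points the running services at `mysql-server.authx-service.svc.cluster.local:3306/cas_server` as `cas_server`, and the short host `mysql-server` only resolves from the `cas-server` namespace if such a Service exists there (none is in this directory). Delete the three literal `JDBC_*` entries and restore `- secretRef:` / `name: datasource-env-secret` so both sides read one source of truth, and rotate the exposed password. All cas-server images here reference `1.2.9-SNAPSHOT` with `imagePullPolicy: Always` (also 4.2, 4.3, 4.5, 4.6 and 5.cas-server-datax-job.yaml), so each pod start may pull a different build; a deployment repo for a named customer should use release tags (the user-authorization files already use `1.2.10-RELEASE`) or image digests.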
@@ -0,0 +1,134 @@ +# cas-server-sa-api.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: cas-server + name: cas-server-sa-api-env +data: + SERVER_PORT: "8080" + SSL_ENABLED: "false" + #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore + #SSL_KEYSTORE_PASSWORD: "" + #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore + #SSL_TRUSTSTORE_PASSWORD: "" + + SERVER_MAXHTTPHEADERSIZE: "10240" + + SERVER_TOMCAT_ACCEPT_COUNT: "5000" + SERVER_TOMCAT_MAX_CONNECTIONS: "10000" + SERVER_TOMCAT_MAX_THREADS: "800" + SERVER_TOMCAT_MIN_SPARE_THREADS: "100" + + + SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10" + SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "20" + SPRING_DATASOURCE_DRUID_MIN_IDLE: "10" + + SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800" + SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100" + SPRING_REDIS_JEDIS_POOL_MINIDLE: "100" + + + SERVICE_REFRESH_REDIS_TIMER_ENABLED: "true" + ACCOUNT_REFRESH_REDIS_TIMER_ENABLED: "false" + FEDERATION_REFRESH_REDIS_TIMER_ENABLED: "true" + + + USER_DATA_SERVICE_SA_API_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080 + USER_DATA_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false" + #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: cas-server + name: cas-server-sa-api-env-secret +type: Opaque +data: + #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEY_PASSWORD: Y2xpZW50 + #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: Y2xpZW50 + #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: Y2xpZW50 + + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: cas-server + name: cas-server-sa-api-svc + labels: + app: cas-server-sa-api + needMonitor: 'true' +spec: + ports: + - port: 8080 + targetPort: http + protocol: TCP + name: http + - port: 6060 + targetPort: http-metrics + protocol: TCP + name: http-metrics + 
selector: + app: cas-server-sa-api +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: cas-server + name: cas-server-sa-api +spec: + selector: + matchLabels: + app: cas-server-sa-api + replicas: 1 + template: + metadata: + labels: + app: cas-server-sa-api + spec: + containers: + - name: cas-server-sa-api + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-sa-api:1.2.9-SNAPSHOT + imagePullPolicy: Always + ports: + - containerPort: 8080 + name: http + - containerPort: 6060 + name: http-metrics + envFrom: + - configMapRef: + name: jvm-env + - secretRef: + name: datasource-env-secret + - secretRef: + name: redis-env-secret + - secretRef: + name: rabbitmq-env-secret + - configMapRef: + name: cas-server-sa-api-env + - secretRef: + name: cas-server-sa-api-env-secret + resources: + requests: + memory: "512Mi" + limits: + memory: "512Mi" + readinessProbe: + httpGet: + path: /actuator/health + port: 8080 + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 10 + imagePullSecrets: + - name: harbor-registry + diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml new file mode 100644 index 0000000..0e7e2c5 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml 
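Review bot: The sa-api is reachable from the whole cluster over plaintext HTTP with client authentication off (`SSL_ENABLED: "false"`, `USER_DATA_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false"`, keystore settings commented out) and nothing in this directory restricts who may call `cas-server-sa-api-svc:8080`; 4.3.cas-server-security-engine.yaml and 4.5.cas-server-site-webapp.yaml likewise set `CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"`. If that is the intended trust model for this cluster, a NetworkPolicy limiting ingress to the `cas-server`, `user-authorization-service` and monitoring namespaces keeps an account-facing API from being an open internal endpoint, and a line such as `# mTLS disabled: in-cluster callers only, restricted by NetworkPolicy` records the decision; otherwise the commented `SSL_*`/`*_CLIENT_AUTH_*` entries should be filled in. The `cas-server-sa-api-env-secret` Secret has every key commented out, so it is created empty and the `secretRef` contributes nothing — acceptable as a placeholder, but worth a one-line comment so nobody assumes the client-auth passwords are set.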
@@ -0,0 +1,88 @@ +# cas-server-security-engine.yaml + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: cas-server + name: cas-server-security-engine-env-secret +type: Opaque +data: + #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: Y2xpZW50 + #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: Y2xpZW50 + #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: Y2xpZW50 + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: cas-server + name: cas-server-security-engine-env +data: + CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080 + CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false" + #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: cas-server + name: cas-server-security-engine-svc + labels: + app: cas-server-security-engine + needMonitor: 'true' +spec: + ports: + - port: 6060 + targetPort: http-metrics + protocol: TCP + name: http-metrics + selector: + app: cas-server-security-engine + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: cas-server + name: cas-server-security-engine +spec: + selector: + matchLabels: + app: cas-server-security-engine + replicas: 1 + template: + metadata: + labels: + app: cas-server-security-engine + spec: + containers: + - name: cas-server-security-engine + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-security-engine:1.2.9-SNAPSHOT + imagePullPolicy: Always + ports: + - containerPort: 6060 + name: http-metrics + envFrom: + - configMapRef: + name: jvm-env + - secretRef: + name: datasource-env-secret + - secretRef: + name: rabbitmq-env-secret + - configMapRef: + name: cas-server-security-engine-env + - secretRef: + name: cas-server-security-engine-env-secret + resources: + requests: + memory: "512Mi" + limits: + memory: "512Mi" + imagePullSecrets: + - name: 
harbor-registry + diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml new file mode 100644 index 0000000..7bb240d --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml 
@@ -0,0 +1,262 @@ +# cas-server-site-webapp.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: cas-server + name: cas-server-site-webapp-env +data: + SERVER_PORT: "8080" + SSL_ENABLED: "false" + #SSL_KEY_PASSWORD: "" + #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore + #SSL_KEYSTORE_PASSWORD: "" + + SERVER_MAXHTTPHEADERSIZE: "10240" + + SERVER_TOMCAT_ACCEPT_COUNT: "5000" + SERVER_TOMCAT_MAX_CONNECTIONS: "10000" + SERVER_TOMCAT_MAX_THREADS: "800" + SERVER_TOMCAT_MIN_SPARE_THREADS: "100" + + + SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800" + SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100" + SPRING_REDIS_JEDIS_POOL_MINIDLE: "100" + + + LOGGING_CONFIG: file:/etc/cas/log4j2-file.xml + + + ## + # 认证服务的外网访问地址, + # **修改** 学校的根域名 + CAS_SERVER_NAME: https://cas.paas.xxx.edu.cn + + ## + # Ticket Granting Cookie + # 若未启用 https,**修改** 为 false + CAS_TGC_SECURE: "true" + + # TGT Expiration Policy + CAS_TICKET_TGT_MAX_TIME_TO_LIVE_IN_SECONDS: "1209600" + CAS_TICKET_TGT_TIME_TO_KILL_IN_SECONDS: "172800" + + # JWT Tickets + CAS_AUTHN_TOKEN_CRYPTO_SIGNING_KEY: "(@K7qy)awCjxp$L653Mf$2" + + ## + # 登录UI,主题 + SPRING_THYMELEAF_PREFIX: classpath:/templates/themes/classic/ + + ## + # 测试环境中可使用,正式环境下请配置为空 + # + CAS_AUTHN_ACCEPT_USERS: "" + + + ## 配置第三方认证的相关参数 + CASSERVER_FEDERATION_QQ_ENABLED: "true" + CASSERVER_FEDERATION_QQ_NAME: QQ + CASSERVER_FEDERATION_QQ_APPID: "" + CASSERVER_FEDERATION_QQ_APPKEY: "" + + CASSERVER_FEDERATION_OPENWEIXIN_ENABLED: "true" + CASSERVER_FEDERATION_OPENWEIXIN_NAME: 微信 + CASSERVER_FEDERATION_OPENWEIXIN_APPID: "" + CASSERVER_FEDERATION_OPENWEIXIN_APPSECRET: "" + + CASSERVER_FEDERATION_WORKWEIXIN_ENABLED: "true" + CASSERVER_FEDERATION_WORKWEIXIN_NAME: 企业微信 + CASSERVER_FEDERATION_WORKWEIXIN_CORPID: "" + CASSERVER_FEDERATION_WORKWEIXIN_AGENTID: "" + CASSERVER_FEDERATION_WORKWEIXIN_SECRET: "" + + CASSERVER_FEDERATION_ALIPAY_ENABLED: "true" + CASSERVER_FEDERATION_ALIPAY_NAME: 支付宝 + CASSERVER_FEDERATION_ALIPAY_APPID: "" + 
CASSERVER_FEDERATION_ALIPAY_APPPRIVATEKEY: "" + CASSERVER_FEDERATION_ALIPAY_ALIPAYPUBLICKEY: "" + + CASSERVER_FEDERATION_DINGTALK_ENABLED: "true" + CASSERVER_FEDERATION_DINGTALK_NAME: 钉钉 + CASSERVER_FEDERATION_DINGTALK_APPID: "" + CASSERVER_FEDERATION_DINGTALK_APPSECRET: "" + + + # **修改** + # jwt 的签发方标识,一般为 认证的域名 + CASSERVER_JWT_ISS: cas.paas.xxx.edu.cn + # **修改** + # 参考 certs/jwt/readme.md 生成公私钥pem,修改相关配置 + CASSERVER_JWT_PRIVATE_KEY_PEM_PKCS8: "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDKivcJfoDpTgShIdrC0AuImgHQKQmdv/CZWRxVPkSY26kZWtVJ4mjzRkDGyB31LUJlVfFNe0nteOyqfNHrhC+uf612+P0KTmT/pOenoegpT8BDEDe1DlmrDoPqKE87JVXjPhx0rnCPMQE0+Em5OOPM/hVDiHhWx5Y1t+FcYre9J6zyg2flbCiv2vVRsQk/9kwesMnEBzB7QY+95sCoSng7llxO1aer7+qShQHrP/nYScIyW2g+a4wL6jd9Z0gIF/irvShIMKV+6EtWLiZFPYrlRQfx+zER7qg+2S+T29UII5lGajQxeldmIip1k62BwHOf/SbOg13nwrF4jLSCKeN/AgMBAAECggEAVtWHHcHngJ6bK325LSZGm5TzTAwb/E6q1wO2OvGMNUCPWbhwktGHjyzCXray6UczHQDgiAhgZHggduM2mFM+ogBJHSWYTo/XiyZmzp6CSxvO4LGWQIBbfxOlCIGpnkDedqNNTdTvmuQ2kUAVU1yJhXw1H5Pli8bbpkIkUxhbj7MsmcSZS4Xaqj1jhOWoBzt1SZEpHgDZ4m8MEMBfjLu+/SQAIWGdJmyANdsU3V/f/DmcgSqu7oTFYZiEFyJqTRyCVHJmyIqAOAtqHkKnJcGfeurwUIuX5NVqdYhj/JM+3k8lXDRyoyC0QADhnfR85uXV/OnXCVBC8GABuMP4DaiHyQKBgQDjwjtbVb/jQur2JYsSDS0sZI3S4X929gWU66AyClnUNbRIVcN4Lyhnp8+d/m9+oVV6kDfjTDnuEz7TWHr94RFcecdivehzxRHdRlRp+IhmtCtzstPhS5f0U6/e59CryxgxV+h5jDUssokzdz1bLsnC8+VgKNL2jVXqkuLkF3RqhQKBgQDjqE186VX3oej5YlmLmqi4LVFFVzpX75dOjAFc+ke/SPXm11o7lj1ONr+t9ZKcwvPx9j5OPXJajbaE2Qx1KXzTPKQT44GdpOvistOJQSNpx2e00K4Sn/7bsJq++UJ7FtmR+iJvfYq1uW1z5taVIjh5hhwFtIBW38voNcghCXVvMwKBgAUwRpPlFzMBMkMbRdjKbg4F2GlGc9Xs8uGaoJKjQ7qe4pWHRqW1RVFfNE6gHkAfQshBAtTtxqAS1iqQaHTiLLgTmiQ4uVPx2F9XG9MyM0FLt3WyTDtksniBc487briLLujo3MXwGMIE6zU98SrjnPsQ/Ve8dlnhjGSEpiCWHDPVAoGAZwNmJMqUytvpxsbZDBGsnMJszvqcfOP+TF2P1FmwE39ZPd5ehy4BiZ2+eGHxuJuCtQ8evFqTnyQW3eA1AeMHB7Kd8B33LbVNw6P1klr2QkwnwirXSbg6I4CzVQ0HJxl809Aiut5M4NQKEfL3UD5O3bZwgahelnDoHKgRadmU2P8CgYANBbxpDT1SdyJUFuKzJ5/cUPBFzOn3eNGRo/RejXSCi5Spd9OoTwDh6dbffk7pUWLYH/BFILW9+RL8uhMt8mdTWVgDKrNrdZLdWU
BNsb89St9x/JwlucqgbTvzf0G0h/ZiGNzyPhgGABRrlWVYIdS8KLdTYUkvPHsEAtxR+kwTAg==" + CASSERVER_JWT_PUBLIC_KEY_PEM: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyor3CX6A6U4EoSHawtALiJoB0CkJnb/wmVkcVT5EmNupGVrVSeJo80ZAxsgd9S1CZVXxTXtJ7XjsqnzR64Qvrn+tdvj9Ck5k/6Tnp6HoKU/AQxA3tQ5Zqw6D6ihPOyVV4z4cdK5wjzEBNPhJuTjjzP4VQ4h4VseWNbfhXGK3vSes8oNn5Wwor9r1UbEJP/ZMHrDJxAcwe0GPvebAqEp4O5ZcTtWnq+/qkoUB6z/52EnCMltoPmuMC+o3fWdICBf4q70oSDClfuhLVi4mRT2K5UUH8fsxEe6oPtkvk9vVCCOZRmo0MXpXZiIqdZOtgcBzn/0mzoNd58KxeIy0ginjfwIDAQAB" + + # **视情况修改** + ## 是否启用登录验证码 + CASSERVERSITE_CAPTCHA_ENABLED: "true" + CASSERVERSITE_CAPTCHA_SKIP_N: "true" + + CASSERVERSITE_FEDERATED_CAPTCHA_ENABLED: "true" + + ## 配置用户的登录名的正则校验(用于手机、邮箱登录的判断) + #CASSERVERSITE_USERNAME_REGEX_MOBILE: "" + # \d{11}$ + #CASSERVERSITE_USERNAME_REGEX_EMAIL_ADDRESS: "" + # \w+\.?\w+@\w+\.[a-z]+(\.[a-z]+)? + + ## 配置认证时,帐号服务的实现( redis 帐号数据存放在redis中, user-sa 帐号数据从用户服务获取) + CASSERVERSITE_ACCOUNT_SERVICE_IMPL: user-sa + + ## 配置认证时,角色服务的实现( redis 角色数据存放在redis中, user-authz-sa 角色数据从授权服务获取) + CASSERVERSITE_ROLE_SERVICE_IMPL: user-authz-sa + + ## 配置认证时,动态码的短信发送实现( default 控制台输出, agent-service 代理服务) + CASSERVERSITE_SMS_SENDER_IMPL: agent-service + + # **修改** 学校的根域名 + CASSERVERSITE_FORGOT_PASSWORD_URL: https://security-center.paas.xxx.edu.cn/find-pwd + CASSERVERSITE_ACTIVE_ACCOUNT_URL: https://security-center.paas.xxx.edu.cn/active-account + + ## 动态码登录相关配置 + CASSERVERSITE_PASSWORDLESS_TOKEN_EXPIRATION_IN_SECONDS: "300" + CASSERVERSITE_PASSWORDLESS_SMS_FROM: 认证中心 + # **修改** 根据实际情况,修改短信模板 + CASSERVERSITE_PASSWORDLESS_SMS_TEXT_TEMPLATE: 【认证中心】您正在登录统一身份认证,本次登录的动态密码为{token},有效期5分钟,请尽快完成登录。 + + + ## 密码验证接口(外部接口) + CASSERVERSITE_SECURITY_PASSWORD_VERIFY_URL: "" + # http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080/api/v1/security/accounts/verifyAccountPassword + + + TPAS_AGENT_SERVICE_SERVER_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080 + TPAS_AGENT_SERVICE_CLIENT_AUTH_ENABLED: "false" + 
#TPAS_AGENT_SERVICE_CLIENT_AUTH_KEY_PASSWORD: "" + #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + # **修改** + # 若须对接sms 接口,须进行二开定制 + TPAS_AGENT_SERVICE_SMS_SENDER_PATH: /api/v1/tpas/sms/console/send + + TPAS_AGENT_SERVICE_FILE_PATH: /api/v1/tpas/file/minio + + + CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080 + CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false" + #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: "" + #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + + USER_DATA_SERVICE_SA_API_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080 + USER_DATA_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false" + #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEY_PASSWORD: "" + #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + + USER_AUTHZ_SERVICE_SA_API_SERVER_URL: http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080 + USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false" + #USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_KEY_PASSWORD: "" + #USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: 
file:/certs/client/client.truststore + #USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + ## + # 超级APP Token 的验签公钥 + # 如须和 超级APP 进行对接,修改此配置 + # **修改** 学校的根域名 + SUPERAPP_TOKEN_SIGNING_KEY_URL: https://token.paas.xxx.edu.cn/jwt/publicKey + + + ## + # 第三方CAS 认证对接 + # + CASCLIENT_ENABLED: "false" + CASCLIENT_CAS_SERVER_URL: http://third-party-cas/cas + CASCLIENT_CAS_CLIENT_URL: http://localhost:8080/cas/login + CASCLIENT_CAS_CLIENT_LOGOUT_URL: http://localhost:8080/cas/logout + + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: cas-server + name: cas-server-site-webapp-svc + labels: + app: cas-server-site-webapp + needMonitor: 'true' +spec: + ports: + - port: 8080 + targetPort: http + protocol: TCP + name: http + - port: 6060 + targetPort: http-metrics + protocol: TCP + name: http-metrics + selector: + app: cas-server-site-webapp +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: cas-server + name: cas-server-site-webapp +spec: + selector: + matchLabels: + app: cas-server-site-webapp + replicas: 1 + template: + metadata: + labels: + app: cas-server-site-webapp + spec: + containers: + - name: cas-server-site-webapp + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-site-webapp:1.2.9-SNAPSHOT + imagePullPolicy: Always + ports: + - containerPort: 8080 + name: http + - containerPort: 6060 + name: http-metrics + envFrom: + - configMapRef: + name: jvm-env + - secretRef: + name: redis-env-secret + - secretRef: + name: rabbitmq-env-secret + - configMapRef: + name: cas-server-site-webapp-env + resources: + requests: + memory: "6000Mi" + limits: + memory: "6000Mi" + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 10 + imagePullSecrets: + - name: harbor-registry + 
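Review bot: The JWT signing private key (`CASSERVER_JWT_PRIVATE_KEY_PEM_PKCS8`), the ticket crypto key (`CAS_AUTHN_TOKEN_CRYPTO_SIGNING_KEY`) and the federation app secrets (`*_APPKEY`, `*_APPSECRET`, `*_SECRET`, `*_APPPRIVATEKEY`) live in the `cas-server-site-webapp-env` ConfigMap rather than a Secret, and the private key is the same one committed as certs/jwt/jwt_private_key_pkcs8.pem — anyone with read access to this repository or to ConfigMaps in `cas-server` can produce tokens that verify against `CASSERVER_JWT_PUBLIC_KEY_PEM`. Move those keys into a Secret referenced from `envFrom` (below), generate the key pair per environment as certs/jwt/readme.md describes, and treat the committed pair as compromised. `TPAS_AGENT_SERVICE_SMS_SENDER_PATH` still points at the console sender (`/api/v1/tpas/sms/console/send`), which its own comment says needs customising, so the passwordless login token presumably lands in agent-service output rather than in an SMS until that is done; consider leaving `CASSERVERSITE_SMS_SENDER_IMPL` off this deployment until the real sender exists. Also confirm `CASSERVERSITE_CAPTCHA_SKIP_N: "true"` is meant for production — the name reads as a captcha bypass for some number of attempts, which weakens the brute-force protection the captcha provides, and the file does not comment on it.

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  namespace: cas-server
  name: cas-server-site-webapp-env-secret
type: Opaque
stringData:
  # generate per environment (see certs/jwt/readme.md); never commit the real values
  CASSERVER_JWT_PRIVATE_KEY_PEM_PKCS8: "<PKCS8_PRIVATE_KEY_PLACEHOLDER>"
  CAS_AUTHN_TOKEN_CRYPTO_SIGNING_KEY: "<SIGNING_KEY_PLACEHOLDER>"
  CASSERVER_FEDERATION_QQ_APPKEY: ""
  CASSERVER_FEDERATION_OPENWEIXIN_APPSECRET: ""
  CASSERVER_FEDERATION_WORKWEIXIN_SECRET: ""
  CASSERVER_FEDERATION_ALIPAY_APPPRIVATEKEY: ""
  CASSERVER_FEDERATION_DINGTALK_APPSECRET: ""
# … unchanged: ConfigMap (with the entries above removed), Service, Deployment header …
          envFrom:
            # … unchanged: jvm-env, redis-env-secret, rabbitmq-env-secret, cas-server-site-webapp-env …
            - secretRef:
                name: cas-server-site-webapp-env-secret
```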
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml new file mode 100644 index 0000000..f377837 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml 
@@ -0,0 +1,113 @@ +# 4.6.cas-server-site-scheme.yaml + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + namespace: cas-server + name: cas-server-site-scheme-pvc +spec: + accessModes: + - ReadWriteMany + # 根据情况修改 + storageClassName: nfs-client + resources: + requests: + storage: 5Gi + + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: cas-server + name: cas-server-site-scheme-config +data: + # 当配置了 CASSERVER_SA_API_SERVER_URL,则使用配置表中的配置,否则,使用 SCHEME_COLOR 指定的设置 + CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080 + SCHEME_COLOR: "" + # 409EFF + + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: cas-server + name: cas-server-site-scheme-svc + labels: + app: cas-server-site-scheme-svc +spec: + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + selector: + app: cas-server-site-scheme + + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: cas-server + name: cas-server-site-scheme +spec: + selector: + matchLabels: + app: cas-server-site-scheme + replicas: 1 + template: + metadata: + labels: + app: cas-server-site-scheme + spec: + initContainers: + - command: + - chmod + - -R + - "777" + - /usr/share/nginx/html + # 根据情况修改镜像地址 + image: busybox:1.25.0 + imagePullPolicy: IfNotPresent + name: chmod-html-dir + volumeMounts: + - name: html + mountPath: /usr/share/nginx/html + containers: + - name: cas-server-site-scheme-nginx + # 根据情况修改镜像地址 + image: nginx:latest + ports: + - containerPort: 80 + name: http + volumeMounts: + - mountPath: /usr/share/nginx/html + name: html + resources: + requests: + cpu: 500m + memory: "256Mi" + limits: + cpu: 2000m + memory: "256Mi" + - name: cas-server-site-scheme-generator + # 根据情况修改镜像地址 + image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-site-scheme:1.2.9-SNAPSHOT + imagePullPolicy: Always + envFrom: + - configMapRef: + name: cas-server-site-scheme-config + volumeMounts: + - mountPath: /usr/share/nginx/html + name: html + 
volumes: + # - name: html + # emptyDir: {} + - name: html + persistentVolumeClaim: + claimName: cas-server-site-scheme-pvc + imagePullSecrets: + - name: harbor-registry diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml new file mode 100644 index 0000000..ab86d7b --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml @@ -0,0 +1,57 @@ +# cas-server-datax-job.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: cas-server + name: cas-server-datax-job-env +data: + JOB_ACCOUNT_USER2CAS_MYSQLREADER8_USERNAME: "user" + # 修改为实际的数据库密码 + JOB_ACCOUNT_USER2CAS_MYSQLREADER8_PASSWORD: "kingstar" + JOB_ACCOUNT_USER2CAS_MYSQLREADER8_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai" + + JOB_ACCOUNT_USER2CAS_MYSQLWRITER8_USERNAME: "cas_server" + # 修改为实际的数据库密码 + JOB_ACCOUNT_USER2CAS_MYSQLWRITER8_PASSWORD: "kingstar" + JOB_ACCOUNT_USER2CAS_MYSQLWRITER8_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/cas_server?serverTimezone=Asia/Shanghai" + + +--- +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + namespace: cas-server + name: cas-server-datax-job +spec: + schedule: "5 */2 * * *" + jobTemplate: + metadata: + labels: + app: cas-server-datax-job + spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: cas-server-datax-job + spec: + restartPolicy: Never + containers: + - name: cas-server-datax-job + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-datax-job:1.2.9-SNAPSHOT + imagePullPolicy: Always + envFrom: + - configMapRef: + name: cas-server-datax-job-env + # resources: + # requests: + # memory: "400Mi" + # limits: + # memory: "400Mi" + imagePullSecrets: + - name: harbor-registry + 
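Review bot: The `chmod-html-dir` init container makes the whole web root world-writable (`chmod -R 777 /usr/share/nginx/html`) on an RWX NFS PVC that the nginx container also serves from, so any pod or NFS client with that share mounted can replace the login theme shown to users; the generator container only needs write access for its own user. Prefer a pod `securityContext` with `fsGroup` matching the generator's uid/gid and a group-writable mode (e.g. `chmod -R g+rwX /usr/share/nginx/html`) instead of 777, and record the intent in a comment. `nginx:latest` is unpinned while the same manifest pins busybox to `1.25.0` (a 2016 release), so each rollout may serve a different nginx; pin a specific tag for both.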
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key.pem b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key.pem new file mode 100644 index 0000000..e1c0db0 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAyor3CX6A6U4EoSHawtALiJoB0CkJnb/wmVkcVT5EmNupGVrV +SeJo80ZAxsgd9S1CZVXxTXtJ7XjsqnzR64Qvrn+tdvj9Ck5k/6Tnp6HoKU/AQxA3 +tQ5Zqw6D6ihPOyVV4z4cdK5wjzEBNPhJuTjjzP4VQ4h4VseWNbfhXGK3vSes8oNn +5Wwor9r1UbEJP/ZMHrDJxAcwe0GPvebAqEp4O5ZcTtWnq+/qkoUB6z/52EnCMlto +PmuMC+o3fWdICBf4q70oSDClfuhLVi4mRT2K5UUH8fsxEe6oPtkvk9vVCCOZRmo0 +MXpXZiIqdZOtgcBzn/0mzoNd58KxeIy0ginjfwIDAQABAoIBAFbVhx3B54Cemyt9 +uS0mRpuU80wMG/xOqtcDtjrxjDVAj1m4cJLRh48swl62sulHMx0A4IgIYGR4IHbj +NphTPqIASR0lmE6P14smZs6egksbzuCxlkCAW38TpQiBqZ5A3najTU3U75rkNpFA +FVNciYV8NR+T5YvG26ZCJFMYW4+zLJnEmUuF2qo9Y4TlqAc7dUmRKR4A2eJvDBDA +X4y7vv0kACFhnSZsgDXbFN1f3/w5nIEqru6ExWGYhBciak0cglRyZsiKgDgLah5C +pyXBn3rq8FCLl+TVanWIY/yTPt5PJVw0cqMgtEAA4Z30fObl1fzp1wlQQvBgAbjD ++A2oh8kCgYEA48I7W1W/40Lq9iWLEg0tLGSN0uF/dvYFlOugMgpZ1DW0SFXDeC8o +Z6fPnf5vfqFVepA340w57hM+01h6/eERXHnHYr3oc8UR3UZUafiIZrQrc7LT4UuX +9FOv3ufQq8sYMVfoeYw1LLKJM3c9Wy7JwvPlYCjS9o1V6pLi5Bd0aoUCgYEA46hN +fOlV96Ho+WJZi5qouC1RRVc6V++XTowBXPpHv0j15tdaO5Y9Tja/rfWSnMLz8fY+ +Tj1yWo22hNkMdSl80zykE+OBnaTr4rLTiUEjacdntNCuEp/+27CavvlCexbZkfoi +b32Ktbltc+bWlSI4eYYcBbSAVt/L6DXIIQl1bzMCgYAFMEaT5RczATJDG0XYym4O +BdhpRnPV7PLhmqCSo0O6nuKVh0altUVRXzROoB5AH0LIQQLU7cagEtYqkGh04iy4 +E5okOLlT8dhfVxvTMjNBS7d1skw7ZLJ4gXOPO264iy7o6NzF8BjCBOs1PfEq45z7 +EP1XvHZZ4YxkhKYglhwz1QKBgGcDZiTKlMrb6cbG2QwRrJzCbM76nHzj/kxdj9RZ +sBN/WT3eXocuAYmdvnhh8bibgrUPHrxak58kFt3gNQHjBweynfAd9y21TcOj9ZJa +9kJMJ8Iq10m4OiOAs1UNBycZfNPQIrreTODUChHy91A+Tt22cIGoXpZw6ByoEWnZ +lNj/AoGADQW8aQ09UnciVBbisyef3FDwRczp93jRkaP0Xo10gouUqXfTqE8A4enW +335O6VFi2B/wRSC1vfkS/LoTLfJnU1lYAyqza3WS3VlATbG/PUrfcfycJbnKoG07 +839BtIf2Yhjc8j4YBgAUa5VlWCHUvCi3U2FJLzx7BALcUfpMEwI= +-----END RSA PRIVATE KEY----- diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key_pkcs8.pem b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key_pkcs8.pem new file mode 100644 index 0000000..4c9e224 --- /dev/null 
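Review bot: This commits an RSA private key (also in PKCS8 form in jwt_private_key_pkcs8.pem and inline in 4.5.cas-server-site-webapp.yaml) whose public half is the verification key for CAS-issued JWTs, so anyone who has cloned this repository can sign tokens the platform accepts. The key has to be considered compromised from this commit onward — deleting the file later does not purge it from git history — so generate a new pair per environment with the steps in certs/jwt/readme.md, deliver the private half through a Secret created at deploy time, and keep only the public key (if anything) under version control, with a `.gitignore` entry such as `*private_key*.pem`.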
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key_pkcs8.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDKivcJfoDpTgSh +IdrC0AuImgHQKQmdv/CZWRxVPkSY26kZWtVJ4mjzRkDGyB31LUJlVfFNe0nteOyq +fNHrhC+uf612+P0KTmT/pOenoegpT8BDEDe1DlmrDoPqKE87JVXjPhx0rnCPMQE0 ++Em5OOPM/hVDiHhWx5Y1t+FcYre9J6zyg2flbCiv2vVRsQk/9kwesMnEBzB7QY+9 +5sCoSng7llxO1aer7+qShQHrP/nYScIyW2g+a4wL6jd9Z0gIF/irvShIMKV+6EtW +LiZFPYrlRQfx+zER7qg+2S+T29UII5lGajQxeldmIip1k62BwHOf/SbOg13nwrF4 +jLSCKeN/AgMBAAECggEAVtWHHcHngJ6bK325LSZGm5TzTAwb/E6q1wO2OvGMNUCP +WbhwktGHjyzCXray6UczHQDgiAhgZHggduM2mFM+ogBJHSWYTo/XiyZmzp6CSxvO +4LGWQIBbfxOlCIGpnkDedqNNTdTvmuQ2kUAVU1yJhXw1H5Pli8bbpkIkUxhbj7Ms +mcSZS4Xaqj1jhOWoBzt1SZEpHgDZ4m8MEMBfjLu+/SQAIWGdJmyANdsU3V/f/Dmc +gSqu7oTFYZiEFyJqTRyCVHJmyIqAOAtqHkKnJcGfeurwUIuX5NVqdYhj/JM+3k8l +XDRyoyC0QADhnfR85uXV/OnXCVBC8GABuMP4DaiHyQKBgQDjwjtbVb/jQur2JYsS +DS0sZI3S4X929gWU66AyClnUNbRIVcN4Lyhnp8+d/m9+oVV6kDfjTDnuEz7TWHr9 +4RFcecdivehzxRHdRlRp+IhmtCtzstPhS5f0U6/e59CryxgxV+h5jDUssokzdz1b +LsnC8+VgKNL2jVXqkuLkF3RqhQKBgQDjqE186VX3oej5YlmLmqi4LVFFVzpX75dO +jAFc+ke/SPXm11o7lj1ONr+t9ZKcwvPx9j5OPXJajbaE2Qx1KXzTPKQT44GdpOvi +stOJQSNpx2e00K4Sn/7bsJq++UJ7FtmR+iJvfYq1uW1z5taVIjh5hhwFtIBW38vo +NcghCXVvMwKBgAUwRpPlFzMBMkMbRdjKbg4F2GlGc9Xs8uGaoJKjQ7qe4pWHRqW1 +RVFfNE6gHkAfQshBAtTtxqAS1iqQaHTiLLgTmiQ4uVPx2F9XG9MyM0FLt3WyTDtk +sniBc487briLLujo3MXwGMIE6zU98SrjnPsQ/Ve8dlnhjGSEpiCWHDPVAoGAZwNm +JMqUytvpxsbZDBGsnMJszvqcfOP+TF2P1FmwE39ZPd5ehy4BiZ2+eGHxuJuCtQ8e +vFqTnyQW3eA1AeMHB7Kd8B33LbVNw6P1klr2QkwnwirXSbg6I4CzVQ0HJxl809Ai +ut5M4NQKEfL3UD5O3bZwgahelnDoHKgRadmU2P8CgYANBbxpDT1SdyJUFuKzJ5/c +UPBFzOn3eNGRo/RejXSCi5Spd9OoTwDh6dbffk7pUWLYH/BFILW9+RL8uhMt8mdT +WVgDKrNrdZLdWUBNsb89St9x/JwlucqgbTvzf0G0h/ZiGNzyPhgGABRrlWVYIdS8 +KLdTYUkvPHsEAtxR+kwTAg== +-----END PRIVATE KEY----- 
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_public_key.pem b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_public_key.pem new file mode 100644 index 0000000..7523d69 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_public_key.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyor3CX6A6U4EoSHawtAL +iJoB0CkJnb/wmVkcVT5EmNupGVrVSeJo80ZAxsgd9S1CZVXxTXtJ7XjsqnzR64Qv +rn+tdvj9Ck5k/6Tnp6HoKU/AQxA3tQ5Zqw6D6ihPOyVV4z4cdK5wjzEBNPhJuTjj +zP4VQ4h4VseWNbfhXGK3vSes8oNn5Wwor9r1UbEJP/ZMHrDJxAcwe0GPvebAqEp4 +O5ZcTtWnq+/qkoUB6z/52EnCMltoPmuMC+o3fWdICBf4q70oSDClfuhLVi4mRT2K +5UUH8fsxEe6oPtkvk9vVCCOZRmo0MXpXZiIqdZOtgcBzn/0mzoNd58KxeIy0ginj +fwIDAQAB +-----END PUBLIC KEY----- diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/readme.md b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/readme.md new file mode 100644 index 0000000..81ac267 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/readme.md 
@@ -0,0 +1,98 @@ +# readme.md + + +## 使用 openssl 生成 公私钥 + + +1. 生成私钥 App Private Key + +必须为 RSA2(SHA256) + +```bash +openssl genrsa -out jwt_private_key.pem 2048 +``` + +2. 将私钥转换为 PKCS8 格式 + +```bash +openssl pkcs8 -topk8 -inform PEM -in jwt_private_key.pem -outform PEM -nocrypt -out jwt_private_key_pkcs8.pem +``` + +3. 导出公钥 App Public Key + +```bash +openssl rsa -in jwt_private_key.pem -pubout -out jwt_public_key.pem +``` + +4. 将 jwt_public_key.pem 中的内容,去除换行和空格,转成字符串。 + +处理前: +```language +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwow0APEh9F91vvtAzl7V +FmXRAOGhlo+22KX+rqC3ziGg4+yIk8evAL1T97XEuK1huqcAp+p4PIG2t/Rb3FBD ++vVJGoXKsyLCMUmT4Sy5/TRhb3TM0CHefvMZTSMwcVzKT07DtxyGgFZj9WsUYZWr +BUPcu0vD6s7m5Qe3qFJJWVeRX8NDnVAxySzrz4bI4+1qvtyey/uap3I6txxRxUlI +aMyTsD8pl63u14dD2FHRM6JY3tmdEpBEMWI91qmYbl9HkH/D6Xtumg0Hmzh06bdr +lO3YNscpr6iN2ug6yGNtAh4/ug4P4ZV9nxImcj8l8Pt3jio1O0IIpf4MUCMD+C7P +rQIDAQAB +-----END PUBLIC KEY----- +``` +处理后: +```language +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwow0APEh9F91vvtAzl7VFmXRAOGhlo+22KX+rqC3ziGg4+yIk8evAL1T97XEuK1huqcAp+p4PIG2t/Rb3FBD+vVJGoXKsyLCMUmT4Sy5/TRhb3TM0CHefvMZTSMwcVzKT07DtxyGgFZj9WsUYZWrBUPcu0vD6s7m5Qe3qFJJWVeRX8NDnVAxySzrz4bI4+1qvtyey/uap3I6txxRxUlIaMyTsD8pl63u14dD2FHRM6JY3tmdEpBEMWI91qmYbl9HkH/D6Xtumg0Hmzh06bdrlO3YNscpr6iN2ug6yGNtAh4/ug4P4ZV9nxImcj8l8Pt3jio1O0IIpf4MUCMD+C7PrQIDAQAB +-----END PUBLIC KEY----- +``` + +4. 
将 jwt_private_key_pkcs8.pem 中的内容,去除换行和空格,转成字符串。 + +处理前: +```language +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDCjDQA8SH0X3W+ ++0DOXtUWZdEA4aGWj7bYpf6uoLfOIaDj7IiTx68AvVP3tcS4rWG6pwCn6ng8gba3 +9FvcUEP69UkahcqzIsIxSZPhLLn9NGFvdMzQId5+8xlNIzBxXMpPTsO3HIaAVmP1 +axRhlasFQ9y7S8PqzublB7eoUklZV5Ffw0OdUDHJLOvPhsjj7Wq+3J7L+5qncjq3 +HFHFSUhozJOwPymXre7Xh0PYUdEzolje2Z0SkEQxYj3WqZhuX0eQf8Ppe26aDQeb +OHTpt2uU7dg2xymvqI3a6DrIY20CHj+6Dg/hlX2fEiZyPyXw+3eOKjU7Qgil/gxQ +IwP4Ls+tAgMBAAECggEAaQOlTpza5z5gIKcfZEZsX5q2JvOkddE9sdRolXrLvMkK +P/39+0def9ey65OCjO2KQ2bCQ+Gc5YxfRQzySQpKp7yfqWFu+SNaD6DX4kRyYOtV +bQRvSin+ICi5D5pfG9IqooSxwLX1JHF9o4wZhFN17XGkRLWxG55zpE12JbXFQiPB +pck6hcMfx+r5wk7t4ret/8P/MDcyrPuUavJemd4D2jRrD7AmOGJDvElioFcOKA+V +S8oe/uBdpU8cbYJvct68fHOzG9IW3hdqYV18fhNtWqp9WeuUP+F2UMmOXbAtZ106 +Zcd+V/jsse2G9KvGzmDA61ZGxzHUjt+JNIpN+V2HQQKBgQDkfYb8vIMc2yV0CM30 +mAaPIapgpw8brYS8v+azQR/jjsuHFJ1CQJAih79y2gwdjKbDl0XByjj/qiHLTPcu +6dkuavdsV9MrlFfVqAXUMNDHrWEn5nMahlq3UZbflBqlavTr0gvEA8Da+ZXcRvWg +TP5+g5RFrKHJVOyQ+GzgDggQawKBgQDZ+IDRthf0UHvvZsoUbeb37Wut9jdjRgLJ +S1X4RtH+NPN23lvtTKJmUNfrFxiOfeVBfCXmGep0ibTqDVo0zBeHSu4BFM3BsICu +7xafmLafZxZqHcgWuF9keOCWjKN5fzub5xGqd2yge9hGN2zA2U9qp4mltGzeoZ/0 +TuLuR59GRwKBgCGga7ZUVANyKQ/rn8vod8am0LlKvMl4/vj8UQp+gh/uSvvFR+OR +NuUuDznq5y+OHJjacXS0uzC9LB4MZLBtz/2p1mIGhth6C3cxNDJnQMKyPIMvwi7c +KQujoU2kMUu48vSlw/+EAeT4KFrzwoBl9GpQGQkr/99udSZcuUE8L2mjAoGAPRLn +LVuDTL58a3D2sFC3BcLth/nUPSmxwCsutHlLf5ngme7l/RCa9GY0ibeX9t0JrpaV +m+qpCexH18jT/LUu5oa1N3JX0Kye8eUmBqPoj7N30VX06YDRobpI24Yei/19e0p8 +ZbI+qpzo1YvUGhkJqo21AMwUMTFCO1cbOL6yvyMCgYAHUNBLhSOaIZpvbmyh5uz5 +Va/IIYU5nJcVAan8ExzdVBqeiDqlIDsUt/4xoV2sWOK1lDmL1QYeOOTOHdVcSUyN +ZpvB3b/9RZ1bNQZA1trBBxjY7dXNwZZp0ah/bmO+i4dPXl+bU2mUqdyb1emFwcj0 +uNGn7GMQXLxalpCkz4SXRg== +-----END PRIVATE KEY----- +``` +处理后: +```language +-----BEGIN PRIVATE KEY----- 
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDCjDQA8SH0X3W++0DOXtUWZdEA4aGWj7bYpf6uoLfOIaDj7IiTx68AvVP3tcS4rWG6pwCn6ng8gba39FvcUEP69UkahcqzIsIxSZPhLLn9NGFvdMzQId5+8xlNIzBxXMpPTsO3HIaAVmP1axRhlasFQ9y7S8PqzublB7eoUklZV5Ffw0OdUDHJLOvPhsjj7Wq+3J7L+5qncjq3HFHFSUhozJOwPymXre7Xh0PYUdEzolje2Z0SkEQxYj3WqZhuX0eQf8Ppe26aDQebOHTpt2uU7dg2xymvqI3a6DrIY20CHj+6Dg/hlX2fEiZyPyXw+3eOKjU7Qgil/gxQIwP4Ls+tAgMBAAECggEAaQOlTpza5z5gIKcfZEZsX5q2JvOkddE9sdRolXrLvMkKP/39+0def9ey65OCjO2KQ2bCQ+Gc5YxfRQzySQpKp7yfqWFu+SNaD6DX4kRyYOtVbQRvSin+ICi5D5pfG9IqooSxwLX1JHF9o4wZhFN17XGkRLWxG55zpE12JbXFQiPBpck6hcMfx+r5wk7t4ret/8P/MDcyrPuUavJemd4D2jRrD7AmOGJDvElioFcOKA+VS8oe/uBdpU8cbYJvct68fHOzG9IW3hdqYV18fhNtWqp9WeuUP+F2UMmOXbAtZ106Zcd+V/jsse2G9KvGzmDA61ZGxzHUjt+JNIpN+V2HQQKBgQDkfYb8vIMc2yV0CM30mAaPIapgpw8brYS8v+azQR/jjsuHFJ1CQJAih79y2gwdjKbDl0XByjj/qiHLTPcu6dkuavdsV9MrlFfVqAXUMNDHrWEn5nMahlq3UZbflBqlavTr0gvEA8Da+ZXcRvWgTP5+g5RFrKHJVOyQ+GzgDggQawKBgQDZ+IDRthf0UHvvZsoUbeb37Wut9jdjRgLJS1X4RtH+NPN23lvtTKJmUNfrFxiOfeVBfCXmGep0ibTqDVo0zBeHSu4BFM3BsICu7xafmLafZxZqHcgWuF9keOCWjKN5fzub5xGqd2yge9hGN2zA2U9qp4mltGzeoZ/0TuLuR59GRwKBgCGga7ZUVANyKQ/rn8vod8am0LlKvMl4/vj8UQp+gh/uSvvFR+ORNuUuDznq5y+OHJjacXS0uzC9LB4MZLBtz/2p1mIGhth6C3cxNDJnQMKyPIMvwi7cKQujoU2kMUu48vSlw/+EAeT4KFrzwoBl9GpQGQkr/99udSZcuUE8L2mjAoGAPRLnLVuDTL58a3D2sFC3BcLth/nUPSmxwCsutHlLf5ngme7l/RCa9GY0ibeX9t0JrpaVm+qpCexH18jT/LUu5oa1N3JX0Kye8eUmBqPoj7N30VX06YDRobpI24Yei/19e0p8ZbI+qpzo1YvUGhkJqo21AMwUMTFCO1cbOL6yvyMCgYAHUNBLhSOaIZpvbmyh5uz5Va/IIYU5nJcVAan8ExzdVBqeiDqlIDsUt/4xoV2sWOK1lDmL1QYeOOTOHdVcSUyNZpvB3b/9RZ1bNQZA1trBBxjY7dXNwZZp0ah/bmO+i4dPXl+bU2mUqdyb1emFwcj0uNGn7GMQXLxalpCkz4SXRg== +-----END PRIVATE KEY----- +``` + + +5. 
(可选)将pem内容进行 base64 编码后,配置到k8s + +echo -n '-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwow0APEh9F91vvtAzl7VFmXRAOGhlo+22KX+rqC3ziGg4+yIk8evAL1T97XEuK1huqcAp+p4PIG2t/Rb3FBD+vVJGoXKsyLCMUmT4Sy5/TRhb3TM0CHefvMZTSMwcVzKT07DtxyGgFZj9WsUYZWrBUPcu0vD6s7m5Qe3qFJJWVeRX8NDnVAxySzrz4bI4+1qvtyey/uap3I6txxRxUlIaMyTsD8pl63u14dD2FHRM6JY3tmdEpBEMWI91qmYbl9HkH/D6Xtumg0Hmzh06bdrlO3YNscpr6iN2ug6yGNtAh4/ug4P4ZV9nxImcj8l8Pt3jio1O0IIpf4MUCMD+C7PrQIDAQAB +-----END PUBLIC KEY-----' |base64 + + +echo -n '-----BEGIN PRIVATE KEY----- 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 +-----END PRIVATE KEY-----' |base64 diff --git a/project/nwpu/k8s-rancher/1.authx-service/5.token-server/0.token-server-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/0.token-server-base.yaml new file mode 100644 index 0000000..0353ee3 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/0.token-server-base.yaml 
@@ -0,0 +1,143 @@ +# 0.token-server-base.yaml + +#################################################### +# harbor private docker registry +#################################################### +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: harbor-registry + namespace: token-server +data: + # 修改harbor仓库配置,并使用 base64 工具进行编码 + # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}} + .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19 + + +#################################################### +# redis-server +#################################################### +--- +apiVersion: v1 +kind: Secret +metadata: + labels: + app: redis + release: redis-server + name: redis-server + namespace: token-server +type: Opaque +data: + REDIS_PASSWORD: OEt1d29zbE9pdXc3SA== +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: redis + release: redis-server + name: redis-server + namespace: token-server +spec: + ports: + - name: redis + port: 6379 + protocol: TCP + targetPort: redis + selector: + app: redis + release: redis-server + role: master + type: ClusterIP +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + app: redis + release: redis-server + name: redis-server + namespace: token-server +spec: + podManagementPolicy: OrderedReady + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: redis + release: redis-server + role: master + serviceName: redis-master + template: + metadata: + labels: + app: redis + release: redis-server + role: master + spec: + containers: + - name: redis-server + env: + - name: REDIS_DISABLE_COMMANDS + value: FLUSHDB,FLUSHALL + - name: REDIS_REPLICATION_MODE + value: master + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-server + key: REDIS_PASSWORD + # 若使用了学校搭设的私有仓库,请修改 + image: bitnami/redis:4.0 + # 若使用了学校搭设的私有仓库,请修改 为 Always 
+ imagePullPolicy: IfNotPresent + # imagePullPolicy: Always + livenessProbe: + exec: + command: + - redis-cli + - ping + failureThreshold: 5 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - containerPort: 6379 + name: redis + protocol: TCP + readinessProbe: + exec: + command: + - redis-cli + - ping + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - mountPath: /bitnami/redis/data + name: redis-data + dnsPolicy: ClusterFirst + restartPolicy: Always + securityContext: + fsGroup: 0 + # fsGroup: 1001 + # runAsUser: 1001 + # https://github.com/bitnami/bitnami-docker-redis/issues/106#issuecomment-388884372 + runAsUser: 0 + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: {} + name: redis-data + # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可) + # imagePullSecrets: + # - name: harbor-registry + updateStrategy: + rollingUpdate: + partition: 0 + type: RollingUpdate + diff --git a/project/nwpu/k8s-rancher/1.authx-service/5.token-server/1.token-server-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/1.token-server-env.yaml new file mode 100644 index 0000000..304756b --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/1.token-server-env.yaml 
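Review bot: The comment above `.dockerconfigjson` in the harbor-registry Secret spells out the decoded registry username and password in cleartext, and the base64 `REDIS_PASSWORD` below it is equally readable, so committing this manifest publishes both credentials; base64 is an encoding, not protection. The same decoded-credential comment and the identical REDIS_PASSWORD value recur in 0.personal-security-center-base.yaml, 1.token-server-env.yaml and 1.personal-security-center-env.yaml, so one leaked value opens every Redis instance in the deployment. Keep secret values out of the repo (SealedSecrets, External Secrets, or a templated placeholder such as `REDIS_PASSWORD: <base64 of a per-namespace password>`), rotate the harbor and Redis passwords, and give each namespace its own. Separately, the StatefulSet pins `runAsUser: 0` / `fsGroup: 0` so redis runs as root while the personal-security-center copy uses `fsGroup: 1001` with the same `runAsUser: 0`; the commented-out `fsGroup: 1001` / `runAsUser: 1001` lines look like the intended non-root setting and are worth confirming against the emptyDir volume, since the linked bitnami issue concerns volume ownership rather than a need for root.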
@@ -0,0 +1,53 @@ +# 1.token-server-env.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: token-server + name: jvm-env +data: + MAX_RAM_PERCENTAGE: "75.0" + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: token-server + name: datasource-env-secret +type: Opaque +data: + # jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/token_server?serverTimezone=Asia/Shanghai + JDBC_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvdG9rZW5fc2VydmVyP3NlcnZlclRpbWV6b25lPUFzaWEvU2hhbmdoYWk= + # token_server + JDBC_USERNAME: dG9rZW5fc2VydmVy + # 修改为实际的数据库密码,并使用 base64 工具进行编码 + # kingstar + JDBC_PASSWORD: a2luZ3N0YXI= + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: token-server + name: redis-env-secret +type: Opaque +data: + SPRING_REDIS_HOST: cmVkaXMtc2VydmVy + SPRING_REDIS_PORT: NjM3OQ== + SPRING_REDIS_PASSWORD: OEt1d29zbE9pdXc3SA== + + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: token-server + name: rabbitmq-env-secret +type: Opaque +data: + # rabbitmq-server.authx-service.svc.cluster.local + SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVyLmF1dGh4LXNlcnZpY2Uuc3ZjLmNsdXN0ZXIubG9jYWw= + SPRING_RABBITMQ_PORT: NTY3Mg== + SPRING_RABBITMQ_USERNAME: Z3Vlc3Q= + SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q= diff --git a/project/nwpu/k8s-rancher/1.authx-service/5.token-server/2.token-server-ingresses.yaml b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/2.token-server-ingresses.yaml new file mode 100644 index 0000000..808eb18 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/2.token-server-ingresses.yaml 
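Review bot: The `# kingstar` comment above `JDBC_PASSWORD` in datasource-env-secret records the decoded database password in cleartext next to its base64 form, so the Secret manifest and git history both carry the credential in readable form. `SPRING_RABBITMQ_USERNAME` / `SPRING_RABBITMQ_PASSWORD` decode to the broker's well-known default account, which should be replaced with a dedicated least-privilege user before this reaches a shared cluster. The rabbitmq-env-secret here is duplicated verbatim as token-server-env-secret in 4.1.token-server.yaml; keep one definition so a rotation does not miss a copy. Replace the decoded-value comments with a description of how to produce the value, e.g. `# base64 of the token_server DB password: echo -n '<password>' | base64`.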
@@ -0,0 +1,23 @@ +# 2.token-server-ingresses.yaml + + +# 移动端应用认证服务 +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + namespace: token-server + name: token-server-ingress + annotations: + nginx.ingress.kubernetes.io/proxy-buffer-size: "8k" +spec: + rules: + # 修改为学校的根域名 + - host: token.paas.xxx.edu.cn + http: + paths: + - path: / + backend: + serviceName: token-server-svc + servicePort: http + diff --git a/project/nwpu/k8s-rancher/1.authx-service/5.token-server/4.0.token-server-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/4.0.token-server-installer.yaml new file mode 100644 index 0000000..f04a28e --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/4.0.token-server-installer.yaml @@ -0,0 +1,42 @@ +# 4.0.token-server-installer.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: token-server + name: token-server-installer-env +data: + DB_TYPE: mysql8 + + +--- +apiVersion: batch/v1 +kind: Job +metadata: + namespace: token-server + name: token-server-installer +spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: token-server-installer + spec: + restartPolicy: Never + containers: + - name: token-server-installer + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/token-server/token-server-installer:1.2.8-RELEASE + imagePullPolicy: Always + envFrom: + - configMapRef: + name: jvm-env + - secretRef: + name: datasource-env-secret + - configMapRef: + name: token-server-installer-env + imagePullSecrets: + - name: harbor-registry + diff --git a/project/nwpu/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml new file mode 100644 index 0000000..71f50d2 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml 
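Review bot: The token-server Ingress has no `tls:` section, while 4.1.token-server.yaml sets `TOKEN_SERVER_PREFIX` to an https URL and the `token.paas.xxx.edu.cn` host is the endpoint that receives credentials and issues tokens; unless TLS is terminated upstream of the ingress controller, this serves the authentication service over plaintext. Add `tls:` / `- hosts: [token.paas.xxx.edu.cn]` / `secretName: <tls-secret>` (or a comment stating where termination happens) and consider the `nginx.ingress.kubernetes.io/ssl-redirect` annotation. The same omission applies to both Ingress objects in 2.personal-security-center-ingresses.yaml. `apiVersion: extensions/v1beta1` for Ingress is also deprecated and removed in Kubernetes 1.22, so `networking.k8s.io/v1` with the `service.name` / `service.port` backend form is the forward-compatible choice.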
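Review bot: The token-server-installer Job carries no `resources` block and no `backoffLimit`, whereas the Deployment in 4.1.token-server.yaml sets memory requests and limits; a schema-install job running unbounded on a shared node and retrying a failed install with the default limit is worth constraining explicitly. Consider a small `backoffLimit` so a failed install is inspected rather than re-run, a `resources:` block mirroring the Deployment's, and `ttlSecondsAfterFinished` so the completed pod, with its secret references, does not linger.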
@@ -0,0 +1,205 @@ +# 4.1.token-server.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: token-server + name: token-server-env +data: + SERVER_PORT: "8080" + SSL_ENABLED: "false" + #SSL_KEY_PASSWORD: "" + #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore + #SSL_KEYSTORE_PASSWORD: "" + + SERVER_MAXHTTPHEADERSIZE: "10240" + + SERVER_TOMCAT_ACCEPT_COUNT: "5000" + SERVER_TOMCAT_MAX_CONNECTIONS: "10000" + SERVER_TOMCAT_MAX_THREADS: "800" + SERVER_TOMCAT_MIN_SPARE_THREADS: "100" + + LOGGING_LEVEL_COM_SUPWISDOM_INSITITUTE_TOKEN_SERVER: INFO + + + SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10" + SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "50" + SPRING_DATASOURCE_DRUID_MIN_IDLE: "10" + + SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800" + SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100" + SPRING_REDIS_JEDIS_POOL_MINIDLE: "100" + + + # **修改** 学校的根域名 + TOKEN_SERVER_PREFIX: https://token.paas.xxx.edu.cn + # **修改** 学校的根域名 + TOKEN_SERVER_SECURITY_JWT_ISS: token.paas.xxx.edu.cn + #TOKEN_SERVER_SECURITY_JWT_EXPIRATION: 2592000 + #TOKEN_SERVER_SECURITY_JWT_KICKOUT_ENABLED: "false" + # **修改** + # 请使用与 cas-server 一致的公私钥 + TOKEN_SERVER_SECURITY_JWT_PRIVATE_KEY_PEM_PKCS8: "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" + TOKEN_SERVER_SECURITY_JWT_PUBLIC_KEY_PEM: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyor3CX6A6U4EoSHawtALiJoB0CkJnb/wmVkcVT5EmNupGVrVSeJo80ZAxsgd9S1CZVXxTXtJ7XjsqnzR64Qvrn+tdvj9Ck5k/6Tnp6HoKU/AQxA3tQ5Zqw6D6ihPOyVV4z4cdK5wjzEBNPhJuTjjzP4VQ4h4VseWNbfhXGK3vSes8oNn5Wwor9r1UbEJP/ZMHrDJxAcwe0GPvebAqEp4O5ZcTtWnq+/qkoUB6z/52EnCMltoPmuMC+o3fWdICBf4q70oSDClfuhLVi4mRT2K5UUH8fsxEe6oPtkvk9vVCCOZRmo0MXpXZiIqdZOtgcBzn/0mzoNd58KxeIy0ginjfwIDAQAB" + + + # face + # aiface 新开普人脸,aipface 百度人脸 + TOKEN_SERVER_FACE_SOURCE_TYPE: aiface + + # 若须对接新开普人脸,须由新开普人脸系统提供相关配置 + TOKEN_SERVER_FACE_AIFACE_URL: "" + TOKEN_SERVER_FACE_AIFACE_APPKEY: "" + TOKEN_SERVER_FACE_AIFACE_APPSECRET: "" + TOKEN_SERVER_FACE_AIFACE_SECRETKEY: "" + TOKEN_SERVER_FACE_AIFACE_TERM_CODE: "" + + # 若须对接百度人脸,须在百度开放平台注册应用 + 
TOKEN_SERVER_FACE_AIPFACE_APPID: "" + TOKEN_SERVER_FACE_AIPFACE_APIKEY: "" + TOKEN_SERVER_FACE_AIPFACE_SECRETKEY: "" + + + # passwordless + TOKEN_SERVER_PASSWORDLESS_TOKEN_EXPIRATION_IN_SECONDS: "300" + TOKEN_SERVER_PASSWORDLESS_SMS_TEXT_TEMPLATE: 【认证中心】您正在进行登录,本次登录的动态密码为{token},有效期5分钟,请尽快完成登录。 + TOKEN_SERVER_PASSWORDLESS_SMS_FROM: 认证中心 + + + ## 密码验证接口(外部接口) + TOKEN_SERVER_SECURITY_PASSWORD_VERIFY_URL: "" + # http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080/api/v1/security/accounts/verifyAccountPassword + + + # **修改** 从消息中心申请 + MESSAGECENTER_ENABLED: "false" + MESSAGECENTER_APP_ID: "" + MESSAGECENTER_MESSAGE_TYPE_CODE_APP_LOGIN: APP_LOGIN + MESSAGECENTER_MESSAGE_TYPE_CODE_PASSWORD: PASSWORD + + # **修改** 从POA申请 + POA_SERVER_URL: https://poa.paas.xxx.edu.cn + POA_CLIENT_ID: "" + POA_CLIENT_SECRET: "" + POA_SCOPES: messagecenter:v1:sendMessage + + + CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080 + CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false" + #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: "" + #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + USER_DATA_SERVICE_SA_API_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080 + USER_DATA_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false" + #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEY_PASSWORD: "" + #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + + TPAS_AGENT_SERVICE_SERVER_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080 
+ TPAS_AGENT_SERVICE_CLIENT_AUTH_ENABLED: "false" + #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEY_PASSWORD: "" + #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + TPAS_AGENT_SERVICE_SMS_SENDER_PATH: /api/v1/tpas/sms/console/send + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: token-server + name: token-server-env-secret +type: Opaque +data: + SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVyLmF1dGh4LXNlcnZpY2Uuc3ZjLmNsdXN0ZXIubG9jYWw= + # rabbitmq-server.authx-service.svc.cluster.local + SPRING_RABBITMQ_PORT: NTY3Mg== + SPRING_RABBITMQ_USERNAME: Z3Vlc3Q= + SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q= + + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: token-server + name: token-server-svc + labels: + app: token-server + needMonitor: 'true' +spec: + ports: + - port: 8080 + targetPort: http + protocol: TCP + name: http + - port: 6060 + targetPort: http-metrics + protocol: TCP + name: http-metrics + selector: + app: token-server + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: token-server + name: token-server +spec: + selector: + matchLabels: + app: token-server + replicas: 1 + template: + metadata: + labels: + app: token-server + spec: + containers: + - name: token-server + # 若使用了学校搭设的私有仓库,请 **修改** + image: paas.harbor.nwpu.edu.cn/token-server/token-server:1.2.8-RELEASE + imagePullPolicy: Always + ports: + - containerPort: 8080 + name: http + - containerPort: 6060 + name: http-metrics + envFrom: + - configMapRef: + name: jvm-env + - secretRef: + name: datasource-env-secret + - secretRef: + name: redis-env-secret + - secretRef: + name: rabbitmq-env-secret + - configMapRef: + name: token-server-env + resources: + requests: + memory: "1024Mi" + limits: + memory: "1024Mi" + readinessProbe: + httpGet: + path: 
/actuator/health + port: 8080 + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 10 + imagePullSecrets: + - name: harbor-registry + diff --git a/project/nwpu/k8s-rancher/1.authx-service/5.token-server/9.api-docs-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/9.api-docs-installer.yaml new file mode 100644 index 0000000..e5c876b --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/9.api-docs-installer.yaml @@ -0,0 +1,47 @@ +# 9.api-docs-installer.yaml + +# 依赖平台OpenAPI的部署 + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: token-server + name: api-docs-installer-env +data: + ## + # 平台OpenAPI的外网访问地址, + # **修改** 学校的根域名 + POA_SERVER_URL: http://poa.paas.nwpu.edu.cn + + # **修改** poa-sa 服务的k8s内部地址 + POA_SA_SERVER_URL: http://platform-openapi-sa.poa.svc.cluster.local:8443 + + TOKEN_API_SERVER_URL: http://token-server-svc.token-server.svc.cluster.local:8080 + + +--- +apiVersion: batch/v1 +kind: Job +metadata: + namespace: token-server + name: api-docs-installer +spec: + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: api-docs-installer + spec: + restartPolicy: Never + containers: + - name: api-docs-installer + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/token-server/api-docs-installer:1.2.8-RELEASE + imagePullPolicy: Always + envFrom: + - configMapRef: + name: api-docs-installer-env + imagePullSecrets: + - name: harbor-registry diff --git a/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/0.personal-security-center-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/0.personal-security-center-base.yaml new file mode 100644 index 0000000..11139b2 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/0.personal-security-center-base.yaml 
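Review bot: `TOKEN_SERVER_SECURITY_JWT_PRIVATE_KEY_PEM_PKCS8` places the JWT signing private key in the token-server-env ConfigMap, which is shown in plaintext by `kubectl get configmap -o yaml` and is typically readable far more widely than a Secret; `POA_CLIENT_SECRET` and the `TOKEN_SERVER_FACE_*` key/secret entries belong in a Secret for the same reason. The file already defines `token-server-env-secret`, but the Deployment's `envFrom` list never references it, so that Secret is dead configuration as written; moving the private key there (base64-encoded) and adding `- secretRef:` / `name: token-server-env-secret` to `envFrom` fixes both. A smaller point: `LOGGING_LEVEL_COM_SUPWISDOM_INSITITUTE_TOKEN_SERVER` spells "INSITITUTE" where the bff manifest uses `..._INSTITUTE_...`; if the package is actually `com.supwisdom.institute` this key is silently ignored — confirm against the code.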
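Review bot: `POA_SA_SERVER_URL` uses an `http://` scheme against port 8443, which is conventionally a TLS port; if platform-openapi-sa serves TLS there the installer fails the handshake, and if it serves plaintext on 8443 the SA API exchange crosses the cluster unencrypted — confirm which and make the scheme match. `POA_SERVER_URL` is `http://` for the external OpenAPI address while the same setting in 4.1.token-server.yaml is `https://poa.paas.xxx.edu.cn`; the `**修改**` comment should say which scheme the school deployment exposes so the two files do not drift. As with the other installer Job, `resources` and `backoffLimit` are unset here.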
@@ -0,0 +1,144 @@ +# personal-security-center-base.yaml + +#################################################### +# supwisdom harbor private docker registry +#################################################### +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + namespace: personal-security-center + name: harbor-registry +data: + # 修改harbor仓库配置,并使用 base64 工具进行编码 + # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}} + .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19 + + +#################################################### +# redis-server +#################################################### + +--- +apiVersion: v1 +kind: Secret +metadata: + labels: + app: redis + release: redis-server + name: redis-server + namespace: personal-security-center +type: Opaque +data: + REDIS_PASSWORD: OEt1d29zbE9pdXc3SA== + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: redis + release: redis-server + name: redis-server + namespace: personal-security-center +spec: + ports: + - name: redis + port: 6379 + protocol: TCP + targetPort: redis + selector: + app: redis + release: redis-server + role: master + type: ClusterIP +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + app: redis + release: redis-server + name: redis-server + namespace: personal-security-center +spec: + podManagementPolicy: OrderedReady + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: redis + release: redis-server + role: master + serviceName: redis-master + template: + metadata: + labels: + app: redis + release: redis-server + role: master + spec: + containers: + - name: redis-server + env: + - name: REDIS_DISABLE_COMMANDS + value: FLUSHDB,FLUSHALL + - name: REDIS_REPLICATION_MODE + value: master + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-server + key: REDIS_PASSWORD + # 
若使用了学校搭设的私有仓库,请修改 + image: bitnami/redis:4.0 + # 若使用了学校搭设的私有仓库,请修改 为 Always + imagePullPolicy: IfNotPresent + # imagePullPolicy: Always + livenessProbe: + exec: + command: + - redis-cli + - ping + failureThreshold: 5 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - containerPort: 6379 + name: redis + protocol: TCP + readinessProbe: + exec: + command: + - redis-cli + - ping + failureThreshold: 5 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - mountPath: /bitnami/redis/data + name: redis-data + dnsPolicy: ClusterFirst + restartPolicy: Always + securityContext: + fsGroup: 1001 + # runAsUser: 1001 + # https://github.com/bitnami/bitnami-docker-redis/issues/106#issuecomment-388884372 + runAsUser: 0 + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: {} + name: redis-data + # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可) + # imagePullSecrets: + # - name: harbor-registry + updateStrategy: + rollingUpdate: + partition: 0 + type: RollingUpdate + diff --git a/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/1.personal-security-center-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/1.personal-security-center-env.yaml new file mode 100644 index 0000000..4611488 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/1.personal-security-center-env.yaml @@ -0,0 +1,22 @@ +# personal-security-center-env.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: personal-security-center + name: jvm-env +data: + MAX_RAM_PERCENTAGE: "75.0" + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: personal-security-center + name: redis-env-secret +type: Opaque +data: + SPRING_REDIS_HOST: cmVkaXMtc2VydmVy + SPRING_REDIS_PORT: NjM3OQ== + SPRING_REDIS_PASSWORD: OEt1d29zbE9pdXc3SA== 
diff --git a/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml new file mode 100644 index 0000000..3bdc109 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml @@ -0,0 +1,42 @@ +# personal-security-center-ingresses.yaml + + +# 个人中心后端接口 +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + namespace: personal-security-center + name: personal-security-center-ingress + annotations: + nginx.ingress.kubernetes.io/proxy-buffer-size: "8k" +spec: + rules: + # 修改为学校的根域名 + - host: personal-security-center.paas.xxx.edu.cn + http: + paths: + - path: / + backend: + serviceName: personal-security-center-zuul-svc + servicePort: http + + +# 安全中心前端 +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + namespace: personal-security-center + name: security-center-ui-ingress +spec: + rules: + # 修改为学校的根域名 + - host: security-center.paas.xxx.edu.cn + http: + paths: + - path: / + backend: + serviceName: security-center-ui-svc + servicePort: http + diff --git a/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml new file mode 100644 index 0000000..513dfea --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml 
@@ -0,0 +1,255 @@ +# personal-security-center-bff.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: personal-security-center + name: personal-security-center-bff-template-env +data: + # 根据情况,修改邮件模板 + EMAIL_TEMPLATE_ACTIVE_USER_SEND_CODE_BY_EMAIL_ADDRESS: '{name}:您正在激活帐号,须验证邮箱有效,验证码{code},有效期5分钟,请尽快完成验证。' + EMAIL_TEMPLATE_FORGOT_PASSWORD_SEND_CODE: '{name}:您正在找回密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + + EMAIL_TEMPLATE_USER_SECURITY_PASSWORD_SEND_CODE: '{name}:您正在修改密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + EMAIL_TEMPLATE_USER_SECURITY_EMAIL_ADDRESS_SEND_CODE: '{name}:您正在修改安全邮箱,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + EMAIL_TEMPLATE_USER_SECURITY_EMAIL_ADDRESS_SEND_CODE_BY_EMAIL_ADDRESS: '{name}:您正在修改安全邮箱,须验证邮箱有效,验证码{code},有效期5分钟,请尽快完成验证。' + EMAIL_TEMPLATE_USER_SECURITY_MOBILE_SEND_CODE: '{name}:您正在修改安全手机,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + + EMAIL_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE: '{name}:您正在绑定QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + EMAIL_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE_UNBIND_QQ: '{name}:您正在解绑QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + EMAIL_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE: '{name}:您正在绑定微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + EMAIL_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE_UNBIND_OPENWEIXIN: '{name}:您正在解绑微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + EMAIL_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE: '{name}:您正在绑定企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + EMAIL_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE_UNBIND_WORKWEIXIN: '{name}:您正在解绑企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + EMAIL_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE: '{name}:您正在绑定支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + EMAIL_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE_UNBIND_ALIPAY: '{name}:您正在解绑支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + EMAIL_TEMPLATE_USER_FEDERATION_DINGTALK_SEND_CODE: '{name}:您正在绑定钉钉,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + EMAIL_TEMPLATE_USER_FEDERATION_DINGTALK_SEND_CODE_UNBIND_DINGTALK: '{name}:您正在解绑钉钉,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + + 
EMAIL_TEMPLATE_USER_COMPLETED_SECURITY_EMAIL_ADDRESS_SEND_CODE_BY_EMAIL_ADDRESS: '{name}:您正在绑定安全邮箱,须验证邮箱有效,验证码{code},有效期5分钟,请尽快完成验证。' + + # 根据情况,修改短信模板 + SMS_TEMPLATE_ACTIVE_USER_SEND_CODE_BY_PRE_MOBILE: '{prefix}您正在激活帐号,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + SMS_TEMPLATE_ACTIVE_USER_SEND_CODE_BY_MOBILE: '{prefix}您正在激活帐号,须验证手机有效,验证码{code},有效期5分钟,请尽快完成验证。' + SMS_TEMPLATE_FORGOT_PASSWORD_SEND_CODE: '{prefix}您正在找回密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + + SMS_TEMPLATE_USER_SECURITY_PASSWORD_SEND_CODE: '{prefix}您正在修改密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + SMS_TEMPLATE_USER_SECURITY_EMAIL_ADDRESS_SEND_CODE: '{prefix}您正在修改安全邮箱,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + SMS_TEMPLATE_USER_SECURITY_MOBILE_SEND_CODE: '{prefix}您正在修改安全手机,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + SMS_TEMPLATE_USER_SECURITY_MOBILE_SEND_CODE_BY_MOBILE: '{prefix}您正在修改安全手机,须验证手机有效,验证码{code},有效期5分钟,请尽快完成验证。' + + SMS_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE: '{prefix}您正在绑定QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + SMS_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE_UNBIND_QQ: '{prefix}您正在解绑QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + SMS_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE: '{prefix}您正在绑定微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + SMS_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE_UNBIND_OPENWEIXIN: '{prefix}您正在解绑微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + SMS_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE: '{prefix}您正在绑定企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + SMS_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE_UNBIND_WORKWEIXIN: '{prefix}您正在解绑企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + SMS_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE: '{prefix}您正在绑定支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + SMS_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE_UNBIND_ALIPAY: '{prefix}您正在解绑支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + SMS_TEMPLATE_USER_FEDERATION_DINGTALK_SEND_CODE: '{prefix}{name}:您正在绑定钉钉,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + SMS_TEMPLATE_USER_FEDERATION_DINGTALK_SEND_CODE_UNBIND_DINGTALK: '{prefix}{name}:您正在解绑钉钉,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + + 
SMS_TEMPLATE_USER_COMPLETED_SECURITY_MOBILE_SEND_CODE: '{name}:您正在绑定安全手机,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + + SMS_TEMPLATE_USER_COMPLETED_REALNAME_SEND_CODE_BY_PRE_MOBILE: '{name}:您正在实名认证,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。' + + SMS_TEMPLATE_ACCOUNT_INFO_SEND_CODE_BY_MOBILE: '{prefix}您当前正在查询账号,须验证手机有效,验证码{code},有效期5分钟,请尽快完成验证。' + SMS_TEMPLATE_ACCOUNT_INFO_SEND_ACCOUNT_NAME: '{prefix}您当前正在查询账号,查询结果为:{accountName},账号是您在学校中的重要信息,请妥善保管。' + + SMS_TEMPLATE_PREFIX: '' + + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: personal-security-center + name: personal-security-center-bff-env +data: + SERVER_PORT: "8080" + SSL_ENABLED: "false" + #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore + #SSL_KEYSTORE_PASSWORD: "" + #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore + #SSL_TRUSTSTORE_PASSWORD: "" + + SERVER_MAXHTTPHEADERSIZE: "10240" + + SERVER_TOMCAT_ACCEPT_COUNT: "5000" + SERVER_TOMCAT_MAX_CONNECTIONS: "10000" + SERVER_TOMCAT_MAX_THREADS: "800" + SERVER_TOMCAT_MIN_SPARE_THREADS: "100" + + LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_PERSONAL_SECURITY_CENTER_BFF: INFO + + + SPRING_SERVLET_MULTIPART_MAX_FILE_SIZE: 10Mb + # SPRING_SERVLET_MULTIPART_MAX_REQUEST_SIZE: 10Mb + + SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800" + SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100" + SPRING_REDIS_JEDIS_POOL_MINIDLE: "100" + + + # 修改为学校的 personal-security-center 的访问域名 + PERSONAL_SECURITY_CENTER_SERVER_PREFIX: http://personal-security-center.paas.xxx.edu.cn + # 修改为学校的 cas 的访问域名 + CAS_SERVER_PREFIX: http://cas.paas.xxx.edu.cn/cas + + PERSONAL_SECURITY_BFF_NONCE_STORE_IMPL: redis + + + ## 密码验证接口(外部接口) + PERSONAL_SECURITY_BFF_SECURITY_PASSWORD_VERIFY_URL: "" + # http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080/api/v1/security/accounts/verifyAccountPassword + + + # 新开普人脸对接配置 + # 修改为实际项目配置 + PERSONAL_SECURITY_BFF_FACE_AIFACE_URL: "http://117.158.17.228:3003/aiface" + PERSONAL_SECURITY_BFF_FACE_AIFACE_APPKEY: "GcacXnw46DxMAApNoSTX" + 
PERSONAL_SECURITY_BFF_FACE_AIFACE_APPSECRET: "eXl15kcYGBdCYTOCFD21" + PERSONAL_SECURITY_BFF_FACE_AIFACE_SECRETKEY: "12345678abcdefgh87654321" + PERSONAL_SECURITY_BFF_FACE_AIFACE_TERM_CODE: "12" + + + CASSERVER_SITE_SERVER_URL: http://cas-server-site-webapp-svc.cas-server.svc.cluster.local:8080/cas + CASSERVER_SITE_CLIENT_AUTH_ENABLED: "false" + #CASSERVER_SITE_CLIENT_AUTH_KEY_PASSWORD: "" + #CASSERVER_SITE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #CASSERVER_SITE_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #CASSERVER_SITE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #CASSERVER_SITE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080 + CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false" + #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: "" + #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080 + USER_DATA_SERVICE_CLIENT_AUTH_ENABLED: "false" + #USER_DATA_SERVICE_CLIENT_AUTH_KEY_PASSWORD: "" + #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + # PERSONAL_SECURITY_CENTER_SA_API_SERVER_URL: http://personal-security-center-sa-api-svc.personal-security-center.svc.cluster.local:8080 + # PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_ENABLED: "false" + #PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_KEY_PASSWORD: "" + #PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + 
#PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + + TPAS_FILE_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio + TPAS_MAIL_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/mail/smtp + TPAS_SMS_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/sms/console + TPAS_CLIENT_AUTH_ENABLED: "false" + #TPAS_CLIENT_AUTH_KEY_PASSWORD: "" + #TPAS_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore + #TPAS_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #TPAS_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore + #TPAS_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + + # COMMUNICATOR_EMAIL_MAIL_SERVER_HOST: "smtp.supwisdom.com" + # COMMUNICATOR_EMAIL_MAIL_SERVER_PORT: "25" + # COMMUNICATOR_EMAIL_USER_NAME: "security.institute@supwisdom.com" + # COMMUNICATOR_EMAIL_PASSWORD: "Security2019" + # COMMUNICATOR_EMAIL_VALIDATE: "true" + + # COMMUNICATOR_SMS_SENDER_URL: https://agent-service-api.supwisdom.com/api/v1/tpas/sms/console/send + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: personal-security-center + name: personal-security-center-bff-env-secret +type: Opaque +data: + + + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: personal-security-center + name: personal-security-center-bff-svc + labels: + app: personal-security-center-bff + needMonitor: 'true' +spec: + ports: + - port: 8080 + targetPort: http + protocol: TCP + name: http + - port: 6060 + targetPort: http-metrics + protocol: TCP + name: http-metrics + selector: + app: personal-security-center-bff + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: personal-security-center + name: personal-security-center-bff +spec: + selector: + matchLabels: + 
app: personal-security-center-bff + replicas: 1 + template: + metadata: + labels: + app: personal-security-center-bff + spec: + containers: + - name: personal-security-center-bff + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/personal-security-center/personal-security-bff:1.2.10-RELEASE + imagePullPolicy: Always + ports: + - containerPort: 8080 + name: http + - containerPort: 6060 + name: http-metrics + envFrom: + - configMapRef: + name: jvm-env + - secretRef: + name: redis-env-secret + - secretRef: + name: personal-security-center-bff-env-secret + - configMapRef: + name: personal-security-center-bff-env + - configMapRef: + name: personal-security-center-bff-template-env + resources: + requests: + memory: "512Mi" + limits: + memory: "512Mi" + readinessProbe: + httpGet: + path: /actuator/health + port: 8080 + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 10 + imagePullSecrets: + - name: harbor-registry + diff --git a/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml new file mode 100644 index 0000000..936bc4e --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml 
@@ -0,0 +1,187 @@ +# personal-security-center-zuul.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: personal-security-center + name: personal-security-center-zuul-env +data: + SERVER_PORT: "8080" + SSL_ENABLED: "false" + #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore + #SSL_KEYSTORE_PASSWORD: "" + #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore + #SSL_TRUSTSTORE_PASSWORD: "" + + SERVER_MAXHTTPHEADERSIZE: "10240" + + SERVER_TOMCAT_ACCEPT_COUNT: "5000" + SERVER_TOMCAT_MAX_CONNECTIONS: "10000" + SERVER_TOMCAT_MAX_THREADS: "800" + SERVER_TOMCAT_MIN_SPARE_THREADS: "100" + + LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_PERSONAL_SECURITY_CENTER: INFO + + + SPRING_SERVLET_MULTIPART_MAX_FILE_SIZE: 10Mb + # SPRING_SERVLET_MULTIPART_MAX_REQUEST_SIZE: 10Mb + + SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800" + SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100" + SPRING_REDIS_JEDIS_POOL_MINIDLE: "100" + + + ZUUL_HOST_MAX_PER_ROUTE_CONNECTIONS: "1000" + ZUUL_HOST_MAX_TOTAL_CONNECTIONS: "1000" + + ZUUL_SEMAPHORE_MAX_SEMAPHORES: "10000" + + + ZUUL_ROUTES_PERSONAL_ME_URL: http://personal-security-center-bff-svc.personal-security-center.svc.cluster.local:8080/api/v1/me + ZUUL_ROUTES_PERSONAL_BFF_URL: http://personal-security-center-bff-svc.personal-security-center.svc.cluster.local:8080/api/v1 + + ZUUL_ROUTES_USER_BIZ_URL: http://user-data-service-biz-svc.user-data-service.svc.cluster.local:8080/api/v1/user/biz + + # 修改为学校的 portal 的访问域名 + ZUUL_ROUTES_PORTAL_URL: http://portal.paas.xxx.edu.cn/portal-web/api + + + INFRAS_SECURITY_BASIC_ENABLED: "false" + + INFRAS_SECURITY_JWT_ENABLED: "true" + #INFRAS_SECURITY_JWT_KEY_ALIAS: "supwisdom-jwt-key" + #INFRAS_SECURITY_JWT_KEY_PASSWORD: "changeit" + #INFRAS_SECURITY_JWT_KEY_STORE: "file:/certs/jwt/jwt.keystore" + #INFRAS_SECURITY_JWT_KEY_STORE_PASSWORD: "changeit" + + INFRAS_SECURITY_JWT_TOKEN_GENERATE_TYPE: cas + #INFRAS_SECURITY_JWT_TOKEN_DECRYPT_KEY_PRIVATE_KEY_PEM_PKCS8: "" + INFRAS_SECURITY_JWT_TOKEN_SIGNING_KEY_URL: 
"http://cas-server-site-webapp-svc.cas-server.svc.cluster.local:8080/cas/jwt/publicKey" + # 对接 uniauth认证时,使用以下配置 + #INFRAS_SECURITY_JWT_TOKEN_SIGNING_KEY_URL: "http://uniauth-prod-backend.uniauth.svc.cluster.local:9090/idtoken/publicKey" + + + INFRAS_SECURITY_CAS_ENABLED: "true" + # 修改为学校的 personal-security-center 的访问域名 + APP_SERVER_HOST_URL: "http://personal-security-center.paas.xxx.edu.cn" + #APP_LOGIN_URL: "/cas/login" + #APP_LOGOUT_URL: "/cas/logout" + # 修改为学校的 cas 的访问域名 + CAS_SERVER_HOST_URL: "http://cas.paas.xxx.edu.cn/cas" + + + # 后端API服务,域名访问时,默认跳转地址 + # 修改为学校的 security-center 安全中心的访问域名 + APPLICATION_INDEX_REDIRECT_URI: "http://security-center.paas.xxx.edu.cn" + + + ZUUL_HTTPCLIENT_CLIENT_AUTH_ENABLED: "false" + #ZUUL_HTTPCLIENT_CLIENT_AUTH_KEY_PASSWORD: "" + #ZUUL_HTTPCLIENT_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore + #ZUUL_HTTPCLIENT_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + + + USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080 + USER_DATA_SERVICE_CLIENT_AUTH_ENABLED: "false" + #USER_DATA_SERVICE_CLIENT_AUTH_KEY_PASSWORD: "" + #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore + #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore + #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + + USER_AUTHZ_SERVICE_SERVER_URL: http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080 + USER_AUTHZ_SERVICE_CLIENT_AUTH_ENABLED: "false" + #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEY_PASSWORD: "" + #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore + #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: "" + #USER_AUTHZ_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore + #USER_AUTHZ_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: "" + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: personal-security-center + name: 
personal-security-center-zuul-env-secret +type: Opaque +data: + # 参考 certs/jwt/readme.md 生成公私钥pem,替换相关配置 + INFRAS_SECURITY_JWT_PUBLIC_KEY_PEM: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDeW9BNzhMbTlHT3NlS1pPL1lZenlWWUJ6cQpaREVzdWlXNVFleXJDL2JFWFZrT2lKc0RnNFRjc2o5Vnp5dGp2MEFZVmxEcmkxdlExaWZhSG9HN0Z1dE40cTVICllxbGZDSzdvOXpNRWo2cU40NFIydUtjR3BCQnd0WlNCZGxWc2tLZ2NOWGlvU3RTRjZZTFp1Q25jWU5HUXZaOSsKeGY5bll5L09scXczWUFQRUx3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ== + INFRAS_SECURITY_JWT_PRIVATE_KEY_PEM_PKCS8: 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 + + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: personal-security-center + name: personal-security-center-zuul-svc + labels: + app: personal-security-center-zuul + needMonitor: 'true' +spec: + ports: + - port: 8080 + targetPort: http + protocol: TCP + name: http + - port: 6060 + targetPort: http-metrics + protocol: TCP + name: http-metrics + selector: + app: personal-security-center-zuul + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: personal-security-center + name: personal-security-center-zuul +spec: + selector: + matchLabels: + app: personal-security-center-zuul + replicas: 1 + template: + metadata: + labels: + app: personal-security-center-zuul + spec: + containers: + - name: personal-security-center-zuul + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/personal-security-center/personal-security-zuul:1.2.10-RELEASE + imagePullPolicy: Always + ports: + - containerPort: 8080 + name: http + - containerPort: 6060 + name: http-metrics + envFrom: + - configMapRef: + name: jvm-env + - secretRef: + name: redis-env-secret + - secretRef: + name: personal-security-center-zuul-env-secret + - configMapRef: + name: personal-security-center-zuul-env + resources: + requests: + memory: "512Mi" + limits: + memory: "512Mi" + readinessProbe: + httpGet: + path: /actuator/health + port: 8080 + initialDelaySeconds: 20 + periodSeconds: 5 + 
timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 10 + imagePullSecrets: + - name: harbor-registry + diff --git a/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml new file mode 100644 index 0000000..6a8e5be --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml 
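Review bot: `INFRAS_SECURITY_JWT_PRIVATE_KEY_PEM_PKCS8` in the `personal-security-center-zuul-env-secret` Secret carries what appears to be real PKCS#8 key material, so a key that is part of this gateway's JWT trust now lives in git history and is readable by everyone with repository access. A Secret manifest in a deploy repo should hold a placeholder (or be produced by sealed-secrets / an external secret store) and the committed key should be treated as exposed and replaced. The comment above it points to `certs/jwt/readme.md` for generation, and that readme runs `openssl genrsa -out jwt_private_key.pem 1024`, so the replacement key should also be generated at 2048 bits or more. The Deployment defines a `readinessProbe` but no `livenessProbe` and no `securityContext` (`runAsNonRoot: true`, `readOnlyRootFilesystem: true`), which the bff Deployment in the preceding file shares.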
@@ -0,0 +1,81 @@ +# 4.9.security-center-ui.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: personal-security-center + name: security-center-ui-env +data: + # **修改** 学校的根域名 + RESOURCE_PREFIX: http://authx-minio.paas.xxx.edu.cn/security-center-ui + SCHOOL_NAME: "" + MAIN_SERVER: http://security-center.paas.xxx.edu.cn + + PERSONAL_CENTER_API: http://personal-security-center.paas.xxx.edu.cn + + # 可选 cas,uniauth + AUTH_TYPE: cas + + # AUTH_TYPE 为 uniauth 时,配置 + UNIAUTH_IDTOKEN: http://uniauth.paas.xxx.edu.cn/idtoken + UNIAUTH_IDTOKEN_ISS: "uniauth" + UNIAUTH_CLIENT_ID: "22" + + # AUTH_TYPE 为 cas 时,配置 AUTH_CAS、JWT_ISS、JWT_SECRET + AUTH_CAS: http://cas.paas.xxx.edu.cn/cas + JWT_ISS: http://cas.paas.xxx.edu.cn/cas + JWT_SECRET: (@K7qy)awCjxp$L653Mf$2 + + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: personal-security-center + name: security-center-ui-svc + labels: + app: security-center-ui-svc +spec: + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + selector: + app: security-center-ui + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: personal-security-center + name: security-center-ui +spec: + selector: + matchLabels: + app: security-center-ui + replicas: 1 + template: + metadata: + labels: + app: security-center-ui + spec: + containers: + - name: security-center-ui + # 若使用了学校搭设的私有仓库,请修改 + image: paas.harbor.nwpu.edu.cn/personal-security-center/security-center-ui:1.2.10-RELEASE + imagePullPolicy: Always + ports: + - containerPort: 80 + name: http + envFrom: + - configMapRef: + name: security-center-ui-env + resources: + requests: + memory: "128Mi" + limits: + memory: "256Mi" + imagePullSecrets: + - name: harbor-registry diff --git a/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/certs/jwt/readme.md b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/certs/jwt/readme.md new file mode 100644 index 0000000..3c94b3e --- /dev/null 
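Review bot: `JWT_SECRET: (@K7qy)awCjxp$L653Mf$2` is a shared secret stored in the `security-center-ui-env` ConfigMap, which RBAC and at-rest encryption do not treat as sensitive, and the identical literal appears in `04-1-account-management.yaml` (`account-management-env`), which suggests a vendor default that was never rotated for this site. Move it to a Secret referenced via `secretRef` and generate a per-deployment value; the preceding `personal-security-center-bff-env` ConfigMap has the same problem with `PERSONAL_SECURITY_BFF_FACE_AIFACE_APPKEY`, `_APPSECRET` and `_SECRETKEY`. If this UI image renders its environment into browser-side config, the value is additionally visible to every visitor — worth confirming before choosing where it is stored. Minor: the Service labels itself `app: security-center-ui-svc` but selects `app: security-center-ui`; harmless, but aligning the two avoids confusion.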
+++ b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/certs/jwt/readme.md 
@@ -0,0 +1,83 @@ +# readme.md + + +## 使用 openssl 生成 公私钥 + + +1. 生成私钥 App Private Key + +必须为 RSA2(SHA256) + +```bash +openssl genrsa -out jwt_private_key.pem 1024 +``` + +2. 将私钥转换为 PKCS8 格式 + +```bash +openssl pkcs8 -topk8 -inform PEM -in jwt_private_key.pem -outform PEM -nocrypt -out jwt_private_key_pkcs8.pem +``` + +3. 导出公钥 App Public Key + +```bash +openssl rsa -in jwt_private_key.pem -pubout -out jwt_public_key.pem +``` + +4. 将 jwt_public_key.pem 中的内容,去除换行和空格,转成字符串。 + +处理前: +```language +-----BEGIN PUBLIC KEY----- +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBr5wUHXSlLSFU17T4wDX8ehAI +2nnZxCc2SnpgfNwuR3jvViSVyr+Pd6JJEeMcl397qKjWqFD/CRlUSB/UEPQRxxbB +XVlXRB289KE9xteDk04bU17ILgX8Vz/7LFRLn2CpaCSICfWENhoMRJm7xIAodrI3 +FugvRF/6jdTQis2LcQIDAQAB +-----END PUBLIC KEY----- +``` +处理后: +```language +-----BEGIN PUBLIC KEY----- +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBr5wUHXSlLSFU17T4wDX8ehAI2nnZxCc2SnpgfNwuR3jvViSVyr+Pd6JJEeMcl397qKjWqFD/CRlUSB/UEPQRxxbBXVlXRB289KE9xteDk04bU17ILgX8Vz/7LFRLn2CpaCSICfWENhoMRJm7xIAodrI3FugvRF/6jdTQis2LcQIDAQAB +-----END PUBLIC KEY----- +``` + +4. 
将 jwt_private_key_pkcs8.pem 中的内容,去除换行和空格,转成字符串。 + +处理前: +```language +-----BEGIN PRIVATE KEY----- +MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMGvnBQddKUtIVTX +tPjANfx6EAjaednEJzZKemB83C5HeO9WJJXKv493okkR4xyXf3uoqNaoUP8JGVRI +H9QQ9BHHFsFdWVdEHbz0oT3G14OTThtTXsguBfxXP/ssVEufYKloJIgJ9YQ2GgxE +mbvEgCh2sjcW6C9EX/qN1NCKzYtxAgMBAAECgYBKBSjq7w7jCUpRuFYrMpnvMV7r +Y0NqG/K4ZuI5+b3T2fC31v4IWQG4fIoCztky1hscUSqlTpIVxY5ujVnMm+YKMXs+ +qW2zyUdvoqUbFNAZstYatg6FQ7QlwXMDnIzlq6w5lEofsO46+0kH/d9IX+cPN0nH +04J1UKwg0ugyjYVUAQJBAP8di+ECIJkVTbi96JWMCfK1eYdxwe+8DEd7kcW2P6qU +/0fxP6qExkbFqPWQbJVNvOKmH5tVW5oi4Q7vaT4MzJECQQDCW4kMG7a6yBKRWZ1/ +hAixqumBv5FFCnL/yzqH6a5n8tb91vcQCwBGfu+YeQt8zVI56BTP4AJDF5KQu1vq +kcDhAkEA+YaHu2QeSDzrEShG5obbcBaKMK1WmEqg5AX8FZrleM5VRqOztvA5Ex3f +3ZgObJZlinYb8g2yE/fLk5UdpgBU0QJAFw+FU0p2g/L5QQXBCkBAR9RfoGV6dxam +TnNunnG7n9nQaI35Ao5LmhG1nAHAuy4hc311+rQ5kHxbh5Czd0GUAQJBALxZpqPZ +y7LrKmTbVLAdd0K1dQ3jWUsqk5HXwlxzrmmypn5ut41zwZQl0znyrv7XcfDZ6dqR +hh20uoiJ/Hfky6A= +-----END PRIVATE KEY----- +``` +处理后: +```language +-----BEGIN PRIVATE KEY----- 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 +-----END PRIVATE KEY----- +``` + + +5. (可选)将pem内容进行 base64 编码后,配置到k8s + +echo -n '-----BEGIN PUBLIC KEY----- +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDzgNo1jsexpIahW50bbEFcJV6qzOnjjMBum4jMB/CgkJqZHxEh9u1yhdzfdHI+TJREy9RuoqumdRGpVA+YXOwHZnPUU/cHQQkITViPVPSvIHLKA7eqHbmb9FZdQZfFmadBm+AcVpQG+h4SuJgD5yAtye7oRLzxEGXZM+trt8HoFwIDAQAB +-----END PUBLIC KEY-----' |base64 + + +echo -n '-----BEGIN PRIVATE KEY----- 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 +-----END PRIVATE KEY-----' |base64 diff --git a/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/0.jobs-server-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/0.jobs-server-base.yaml new file mode 100644 index 0000000..dcf76b5 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/0.jobs-server-base.yaml 
@@ -0,0 +1,103 @@ +# jobs-server-base.yaml + +#################################################### +# harbor private docker registry +#################################################### +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/dockerconfigjson +metadata: + name: harbor-registry + namespace: jobs-server +data: + # 修改harbor仓库配置,并使用 base64 工具进行编码 + # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}} + .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19 + + +# #################################################### +# # rabbitmq-server +# #################################################### + +# --- +# apiVersion: v1 +# kind: Secret +# metadata: +# labels: +# app: rabbitmq +# release: rabbitmq-server +# name: rabbitmq-server +# namespace: jobs-server +# type: Opaque +# data: +# RABBITMQ_USERNAME: Z3Vlc3Q= +# RABBITMQ_PASSWORD: Z3Vlc3Q= + +# --- +# apiVersion: v1 +# kind: Service +# metadata: +# name: rabbitmq-server +# namespace: jobs-server +# labels: +# app: rabbitmq-server +# spec: +# ports: +# - port: 5672 +# targetPort: tcp-1 +# protocol: TCP +# name: tcp-1 +# - port: 15672 +# targetPort: tcp-2 +# protocol: TCP +# name: tcp-2 +# selector: +# app: rabbitmq-server +# --- +# apiVersion: apps/v1 +# kind: Deployment +# metadata: +# name: rabbitmq-server +# namespace: jobs-server +# spec: +# selector: +# matchLabels: +# app: rabbitmq-server +# replicas: 1 +# template: +# metadata: +# labels: +# app: rabbitmq-server +# annotations: +# sidecar.istio.io/inject: "false" +# spec: +# containers: +# - name: rabbitmq-server +# env: +# - name: RABBITMQ_VM_MEMORY_HIGH_WATERMARK +# value: "0.6" +# - name: RABBITMQ_DEFAULT_USER +# valueFrom: +# secretKeyRef: +# name: rabbitmq-server +# key: RABBITMQ_USERNAME +# - name: RABBITMQ_DEFAULT_PASS +# valueFrom: +# secretKeyRef: +# name: rabbitmq-server +# key: RABBITMQ_PASSWORD +# # 
若使用了学校搭设的私有仓库,请修改 +# image: rabbitmq:management +# # 若使用了学校搭设的私有仓库,请修改 为 Always +# imagePullPolicy: IfNotPresent +# # imagePullPolicy: Always +# ports: +# - containerPort: 5672 +# name: tcp-1 +# - containerPort: 15672 +# name: tcp-2 +# # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可) +# # imagePullSecrets: +# # - name: harbor-registry + diff --git a/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/1.jobs-server-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/1.jobs-server-env.yaml new file mode 100644 index 0000000..10ece22 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/1.jobs-server-env.yaml @@ -0,0 +1,24 @@ +# 1.jobs-server-env.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: jobs-server + name: jvm-env +data: + MAX_RAM_PERCENTAGE: "75.0" + +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: jobs-server + name: rabbitmq-env-secret +type: Opaque +data: + # rabbitmq-server.authx-service.svc.cluster.local + SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVyLmF1dGh4LXNlcnZpY2Uuc3ZjLmNsdXN0ZXIubG9jYWw= + SPRING_RABBITMQ_PORT: NTY3Mg== + SPRING_RABBITMQ_USERNAME: Z3Vlc3Q= + SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q= diff --git a/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/4.1.jobs-server.yaml b/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/4.1.jobs-server.yaml new file mode 100644 index 0000000..c872bd8 --- /dev/null +++ b/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/4.1.jobs-server.yaml 
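Review bot: The `harbor-registry` Secret embeds a live-looking vendor registry credential twice — base64 in `.dockerconfigjson` and decoded in the comment directly above it (`{"auths":{"harbor.supwisdom.com":{"password":...,"username":"rancher.devops"}}}`) — so this customer deployment repo now carries a credential for the vendor's registry. Drop the decoded comment, leave only a placeholder in the manifest (create the Secret out of band with `kubectl create secret docker-registry harbor-registry ...` or via sealed secrets), and rotate the `rancher.devops` credential since the value is in history. The commented-out rabbitmq block also sets `RABBITMQ_USERNAME`/`RABBITMQ_PASSWORD` to `Z3Vlc3Q=` (`guest`); if it is ever uncommented it should not go live with the broker default.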
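Review bot: `rabbitmq-env-secret` sets `SPRING_RABBITMQ_USERNAME` and `SPRING_RABBITMQ_PASSWORD` to `Z3Vlc3Q=` (`guest`/`guest`), the broker's default account, and the comment decodes `SPRING_RABBITMQ_HOST` as `rabbitmq-server.authx-service.svc.cluster.local`, a broker in another namespace. RabbitMQ's stock `guest` user only accepts loopback connections, so this either fails at runtime or presumes `loopback_users` was cleared on the broker to admit a default credential from the cluster network; a dedicated `jobs-server` user with a generated password, delivered outside git, is the fix either way. The same committed-credential pattern is in the `harbor-registry` Secret of `0.jobs-server-base.yaml`.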
@@ -0,0 +1,198 @@ +# 4.1.jobs-server.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: jobs-server + name: jobs-server-env +data: + LOGGING_LEVEL_COM_SUPWISDOM_INSITITUTE_JOBS_SERVER: INFO + + +--- +# 组织机构数据,定时触发 OrganizationTrans2UserSvcJob +# 适用于由交换同步到转换表的场景 +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: jobs-server + name: jobs-server-organizationtriggertransjob-env +data: + ORGANIZATIONTRIGGERTRANSJOB_ENABLED: "false" + # cron 和 fixedDelay 只能 二选一,配置一个即可 + # 0 0 2 * * * + ORGANIZATIONTRIGGERTRANSJOB_SCHEDULED_CRON: "" + # 120 秒 + ORGANIZATIONTRIGGERTRANSJOB_SCHEDULED_FIXED_DELAY: "1200000" + ORGANIZATIONTRIGGERTRANSJOB_WRITER_DATASOURCE_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai" + ORGANIZATIONTRIGGERTRANSJOB_WRITER_DATASOURCE_USERNAME: "user" + # 修改为实际的数据库密码 + ORGANIZATIONTRIGGERTRANSJOB_WRITER_DATASOURCE_PASSWORD: "kingstar" + + +--- +# 组织机构数据,临时表 - 正式 +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: jobs-server + name: jobs-server-organizationtrans2usersvcjob-env +data: + ORGANIZATIONTRANS2USERSVCJOB_ENABLED: "false" + ORGANIZATIONTRANS2USERSVCJOB_PAGE_SIZE: "1000" + ORGANIZATIONTRANS2USERSVCJOB_READER_DATASOURCE_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai" + ORGANIZATIONTRANS2USERSVCJOB_READER_DATASOURCE_USERNAME: "user" + # 修改为实际的数据库密码 + ORGANIZATIONTRANS2USERSVCJOB_READER_DATASOURCE_PASSWORD: "kingstar" + + ORGANIZATIONTRANS2USERSVCJOB_WRITE_USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080 + + +--- +# 帐号数据,定时触发 AccountTrans2UserSvcJob +# 适用于由交换同步到转换表的场景 +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: jobs-server + name: jobs-server-accounttriggertransjob-env +data: + ACCOUNTTRIGGERTRANSJOB_ENABLED: "false" + # cron 和 fixedDelay 只能 二选一,配置一个即可 + # 0 0 2 * * * + ACCOUNTTRIGGERTRANSJOB_SCHEDULED_CRON: "" + # 120 秒 + 
ACCOUNTTRIGGERTRANSJOB_SCHEDULED_FIXED_DELAY: "1200000" + ACCOUNTTRIGGERTRANSJOB_WRITER_DATASOURCE_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai" + ACCOUNTTRIGGERTRANSJOB_WRITER_DATASOURCE_USERNAME: "user" + # 修改为实际的数据库密码 + ACCOUNTTRIGGERTRANSJOB_WRITER_DATASOURCE_PASSWORD: "kingstar" + + +--- +# 帐号数据,临时表 - 正式 +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: jobs-server + name: jobs-server-accounttrans2usersvcjob-env +data: + ACCOUNTTRANS2USERSVCJOB_ENABLED: "false" + ACCOUNTTRANS2USERSVCJOB_PAGE_SIZE: "1000" + ACCOUNTTRANS2USERSVCJOB_READER_DATASOURCE_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai" + ACCOUNTTRANS2USERSVCJOB_READER_DATASOURCE_USERNAME: "user" + # 修改为实际的数据库密码 + ACCOUNTTRANS2USERSVCJOB_READER_DATASOURCE_PASSWORD: "kingstar" + + ACCOUNTTRANS2USERSVCJOB_WRITE_USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080 + + + +## 须确保 用户服务 将变更数据推送到 rabbit mq 中 + +--- +# 帐号,用户服务 - jobs +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: jobs-server + name: jobs-server-accountusersvc2jobsrabbitreceiver-env +data: + ACCOUNTUSERSVC2JOBSRABBITRECEIVER_ENABLED: "false" + ACCOUNTUSERSVC2JOBSRABBITRECEIVER_TRIGGER_EVENTS: "" + # jobs2OpenldapEventJob + +--- +# 组织机构,用户服务 - jobs +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: jobs-server + name: jobs-server-organizationusersvc2jobsrabbitreceiver-env +data: + ORGANIZATIONUSERSVC2JOBSRABBITRECEIVER_ENABLED: "false" + ORGANIZATIONUSERSVC2JOBSRABBITRECEIVER_TRIGGER_EVENTS: "" + # jobs2OpenldapEventJob + +--- +# 用户组,用户服务 - jobs +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: jobs-server + name: jobs-server-groupusersvc2jobsrabbitreceiver-env +data: + GROUPUSERSVC2JOBSRABBITRECEIVER_ENABLED: "false" + GROUPUSERSVC2JOBSRABBITRECEIVER_TRIGGER_EVENTS: "" + # jobs2OpenldapEventJob + + +--- +# 密码,用户服务 - jobs +apiVersion: v1 +kind: 
ConfigMap +metadata: + namespace: jobs-server + name: jobs-server-accountusersvc2jobssyncpassword-env +data: + ACCOUNTUSERSVC2JOBSSYNCPASSWORD_ENABLED: "false" + ACCOUNTUSERSVC2JOBSSYNCPASSWORD_TRIGGER_EVENTS: "" + # accountJobsSyncPassword2JciDrCOMEventJob + + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: jobs-server + name: jobs-server +spec: + selector: + matchLabels: + app: jobs-server + replicas: 1 + template: + metadata: + labels: + app: jobs-server + spec: + containers: + - name: jobs-server + # 若使用了学校搭设的私有仓库,请修改 + image: harbor.supwisdom.com/jobs-server/jobs-server:1.2.1-RELEASE + imagePullPolicy: Always + ports: + - containerPort: 6060 + name: http-metrics + envFrom: + - configMapRef: + name: jvm-env + - secretRef: + name: rabbitmq-env-secret + - configMapRef: + name: jobs-server-env + - configMapRef: + name: jobs-server-organizationtriggertransjob-env + - configMapRef: + name: jobs-server-organizationtrans2usersvcjob-env + - configMapRef: + name: jobs-server-accounttriggertransjob-env + - configMapRef: + name: jobs-server-accounttrans2usersvcjob-env + - configMapRef: + name: jobs-server-accountusersvc2jobssyncpassword-env + - configMapRef: + name: jobs-server-accountusersvc2jobsrabbitreceiver-env + - configMapRef: + name: jobs-server-organizationusersvc2jobsrabbitreceiver-env + - configMapRef: + name: jobs-server-groupusersvc2jobsrabbitreceiver-env + resources: + requests: + memory: "2000Mi" + limits: + memory: "2000Mi" + imagePullSecrets: + - name: harbor-registry + diff --git a/project/nwpu/k8s-rancher/2.account-management/1.account-management/01-account-management-base.yaml b/project/nwpu/k8s-rancher/2.account-management/1.account-management/01-account-management-base.yaml new file mode 100644 index 0000000..da2e069 --- /dev/null +++ b/project/nwpu/k8s-rancher/2.account-management/1.account-management/01-account-management-base.yaml 
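Review bot: The database password is placed in plain ConfigMaps (`ORGANIZATIONTRIGGERTRANSJOB_WRITER_DATASOURCE_PASSWORD`, `ORGANIZATIONTRANS2USERSVCJOB_READER_DATASOURCE_PASSWORD` and their two `ACCOUNT…` counterparts, each with the comment `修改为实际的数据库密码`), so the real value will be readable by anyone with ConfigMap read access and committed to git; move the four values into one Secret referenced via `secretRef`, as the Deployment already does for `rabbitmq-env-secret`. The comment `# 120 秒` above `ORGANIZATIONTRIGGERTRANSJOB_SCHEDULED_FIXED_DELAY: "1200000"` (and the `ACCOUNTTRIGGERTRANSJOB` copy) disagrees with the value: if this maps to Spring's `fixedDelay` the unit is milliseconds, so 1200000 is 20 minutes, and either the comment or the value needs fixing. `LOGGING_LEVEL_COM_SUPWISDOM_INSITITUTE_JOBS_SERVER` spells the package differently from every other manifest (`…_INSTITUTE_…`); if the Java package is `com.supwisdom.institute`, this key binds to nothing and the log level is never applied.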
@@ -0,0 +1,21 @@ +# 01-account-management-base.yaml + +#################################################### +# supwisdom harbor private docker registry +#################################################### +--- +apiVersion: v1 +kind: Service +metadata: + namespace: account-management + name: account-management-svc + labels: + app: account-management-svc +spec: + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + selector: + app: account-management-ui \ No newline at end of file diff --git a/project/nwpu/k8s-rancher/2.account-management/1.account-management/02-account-management-env.yaml b/project/nwpu/k8s-rancher/2.account-management/1.account-management/02-account-management-env.yaml new file mode 100644 index 0000000..33d95d0 --- /dev/null +++ b/project/nwpu/k8s-rancher/2.account-management/1.account-management/02-account-management-env.yaml @@ -0,0 +1 @@ +# 02-account-management-env.yaml diff --git a/project/nwpu/k8s-rancher/2.account-management/1.account-management/03-account-management-ingresses.yaml b/project/nwpu/k8s-rancher/2.account-management/1.account-management/03-account-management-ingresses.yaml new file mode 100644 index 0000000..5ba7843 --- /dev/null +++ b/project/nwpu/k8s-rancher/2.account-management/1.account-management/03-account-management-ingresses.yaml @@ -0,0 +1,18 @@ +# 03-account-management-ingresses.yaml + +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + namespace: account-management + name: account-management-ingress +spec: + rules: + # 修改为学校的根域名 + - host: account-management.paas.xxx.edu.cn + http: + paths: + - path: / + backend: + serviceName: account-management-svc + servicePort: http diff --git a/project/nwpu/k8s-rancher/2.account-management/1.account-management/04-1-account-management.yaml b/project/nwpu/k8s-rancher/2.account-management/1.account-management/04-1-account-management.yaml new file mode 100644 index 0000000..a6a7831 --- /dev/null 
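Review bot: `account-management-svc` here selects `app: account-management-ui`, but `04-1-account-management.yaml` defines a Service with the same name in the same namespace selecting `app: account-management`, and its Deployment labels pods `app: account-management`. Two manifests owning one object means whichever is applied last silently overwrites the other; if this file wins, the Service has no endpoints because no pod carries `account-management-ui`. Keep the Service in one file only, and replace the `supwisdom harbor private docker registry` banner, which describes a Secret that is not in this file. The file is also missing its trailing newline.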
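Review bot: The Ingress for `account-management.paas.xxx.edu.cn` has no `tls:` section, while `10.0.init.sql` registers the same application in CAS with `https://account-management.paas.example.com` URLs; unless TLS is terminated in front of the ingress controller, the CAS redirect targets an https host this ingress does not serve, and the ticket/JWT handed back to the SPA would otherwise cross the network in clear text. `extensions/v1beta1` `Ingress` is also removed in Kubernetes 1.22+; `networking.k8s.io/v1` with `pathType: Prefix` and `backend.service.name`/`backend.service.port.name` is the supported form.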
+++ b/project/nwpu/k8s-rancher/2.account-management/1.account-management/04-1-account-management.yaml @@ -0,0 +1,71 @@ +# 04-1-account-management.yaml + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: account-management + name: account-management-env +data: + # **修改** 学校的根域名 + BASE_API: http://personal-security-center.paas.xxx.edu.cn/ + + AUTH_TYPE: cas + + # AUTH_TYPE 为 cas 时,配置 AUTH_CAS、JWT_ISS、JWT_SECRET + AUTH_CAS: http://cas.paas.xxx.edu.cn/cas + JWT_ISS: http://cas.paas.xxx.edu.cn/cas + JWT_SECRET: (@K7qy)awCjxp$L653Mf$2 + + +--- +apiVersion: v1 +kind: Service +metadata: + namespace: account-management + name: account-management-svc + labels: + app: account-management-svc +spec: + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + selector: + app: account-management + + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: account-management + name: account-management +spec: + selector: + matchLabels: + app: account-management + replicas: 1 + template: + metadata: + labels: + app: account-management + spec: + containers: + - name: account-management + image: harbor.supwisdom.com/account-management/account-management:0.0.1 + imagePullPolicy: Always + ports: + - containerPort: 80 + name: http + envFrom: + - configMapRef: + name: account-management-env + resources: + requests: + memory: "128Mi" + limits: + memory: "256Mi" + imagePullSecrets: + - name: harbor-supwisdom diff --git a/project/nwpu/k8s-rancher/2.account-management/10.0.init.sql b/project/nwpu/k8s-rancher/2.account-management/10.0.init.sql new file mode 100644 index 0000000..4148c76 --- /dev/null +++ b/project/nwpu/k8s-rancher/2.account-management/10.0.init.sql 
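Review bot: The Deployment pulls `harbor.supwisdom.com/account-management/account-management:0.0.1` with `imagePullSecrets: - name: harbor-supwisdom`, but no Secret of that name is created in the `account-management` namespace by any manifest in this commit (the jobs-server files create `harbor-registry` in `jobs-server`), so the pod will sit in `ImagePullBackOff` unless the Secret is provisioned out of band. Either add the Secret to `01-account-management-base.yaml`, whose banner already promises it, or document the manual step in the readme. `BASE_API: http://personal-security-center.paas.xxx.edu.cn/` is a plain-http endpoint for the API that handles account data; if the site terminates TLS at the edge this should be `https://` so browser calls are not downgraded.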
@@ -0,0 +1,71 @@ +-- 10.0.init.sql + + +/* +将 paas.example.com 替换为 paas.学校域名.edu.cn +*/ + + +use cas_server; + +-- account-management 认证对接信息 + +INSERT INTO `TB_SERVICE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `NAME`, `DESCRIPTION`, `INFORMATION_URL`, `LOGOUT_URL`, + `RESPONSE_TYPE`, `LOGOUT_TYPE`, + `EVALUATION_ORDER`, `FRIENDLY_NAME`, `REGISTERED_SERVICE_ID`, `SERVICE_ID`, + `ENABLED`, `SSO_ENABLED`, `REQUIRE_ALL_ATTRIBUTES`, + `APPLICATION_ID`, `EXTERNAL_ID`) +VALUES ('300', '1', 0, 'admin', '2020-07-01 00:00:00', + '帐号分级管理', '帐号分级管理', 'https://account-management.paas.example.com', 'https://account-management.paas.example.com/?clearCertification=clearCertification', + 'REDIRECT', 'FRONT_CHANNEL', + 300, '帐号分级管理', 300, 'https://account-management.paas.example.com/(.*)', + 1, 1, 1, + '300', '300'); + +commit; + +-- 修改根域名 +update TB_SERVICE +set + INFORMATION_URL='https://account-management.paas.example.com', + LOGOUT_URL='https://account-management.paas.example.com/?clearCertification=clearCertification', + SERVICE_ID='https://account-management.paas.example.com/(.*)', + ID_TOKEN_ENABLED=1, + JWT_AS_SERVICE_TICKET=1, + APPLICATION_DOMAIN='account-management.paas.example.com' +where ID='300'; -- todo, modify + +commit; + +-- user_authz + +use user_authz; + +INSERT INTO `TB_R_SYSTEM` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `BUSINESS_DOMAIN_ID`, + `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`) +VALUES ('300', '1', 0, 'admin', '2019-07-01 00:00:00', + '1', + 'user-management-service', '用户管理服务', '用户管理服务', 1); + + +INSERT INTO `TB_APPLICATION` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `BUSINESS_DOMAIN_ID`, `SYSTEM_ID`, + `NAME`, `APPLICATION_ID`, `SYNC_URL`, `ENABLED`) +VALUES ('300', '1', 0, 'admin', '2019-07-01 00:00:00', + '1', '300', + '用户管理服务', '300', '', 1); + + +INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, 
`EXTERNAL_ID`) +VALUES ('300_31', '1', 0, 'admin', '2019-07-01 00:00:00', + '300', 'user-management-grant-admin', '用户业务管理员', '用户业务管理员', 1, '31'); + +INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, + `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`) +VALUES ('300_32', '1', 0, 'admin', '2019-07-01 00:00:00', + '300', 'user-management-man-grant-admin', '用户分级管理员', '用户分级管理员', 1, '32'); + +commit; diff --git a/project/nwpu/k8s-rancher/2.account-management/readme.md b/project/nwpu/k8s-rancher/2.account-management/readme.md new file mode 100644 index 0000000..4446e09 --- /dev/null +++ b/project/nwpu/k8s-rancher/2.account-management/readme.md @@ -0,0 +1,23 @@ +# readme.md + +## 帐号分级管理 实施说明 + +帐号分级管理,主要基于岗位用户组,以 部门 的维度进行分级管理 + +即,根据 用户业务管理员 所属某个岗位 下的 部门,来控制 其 可以对 哪些 部门(行政部门)下的帐号进行管理 + +* 部署时,已经初始化了 用户业务管理员 的角色 + +* 实施时,在授权管理下,将某个岗位用户组 与 用户业务管理员角色 进行授权 + +* 此时,隶属于 该岗位用户组 下的 帐号,就拥有了 用户业务管理员 的权限,而该帐号 在 此岗位用户组 下的 部门,就是他可管理的 帐号数据 的范围 + +注意:如果将 用户业务管理员角色 直接授权给 某个帐号时,此帐号 只会有该服务的访问权限,无法看到帐号数据(即没有数据权限)。除非,此帐号 还隶属于 某个授权了 用户业务管理员角色 的岗位用户组 + + +## 帐号分级管理 发布说明 + +* 将此服务的访问地址 (一般为 `https://account-management.paas.xxx.edu.cn` )公布给使用人员。 + +* 将此服务,由门户的服务管理进行发布,授予访问权限 给 用户业务管理员 角色 即可 +
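Review bot: The `INSERT INTO TB_SERVICE` is immediately followed by an `UPDATE TB_SERVICE ... where ID='300'` that rewrites `INFORMATION_URL`, `LOGOUT_URL` and `SERVICE_ID` to the values just inserted and adds `ID_TOKEN_ENABLED`, `JWT_AS_SERVICE_TICKET`, `APPLICATION_DOMAIN`; folding those into the INSERT — append `` `ID_TOKEN_ENABLED`, `JWT_AS_SERVICE_TICKET`, `APPLICATION_DOMAIN` `` to the column list and `1, 1, 'account-management.paas.example.com'` to VALUES — removes the duplicated statement and the dangling `-- todo, modify`. `SERVICE_ID` is a CAS service regular expression, and `https://account-management.paas.example.com/(.*)` leaves the dots unescaped and the pattern unanchored, so hosts other than the intended one can satisfy it; write it as `^https://account-management\\.paas\\.example\\.com/(.*)` (backslashes doubled because this is a MySQL string literal, unless `NO_BACKSLASH_ESCAPES` is set). The script is also not re-runnable: a second execution fails on the duplicate `ID` rather than being a no-op, so `INSERT ... ON DUPLICATE KEY UPDATE` (or an existence guard) would suit an init script that operators run by hand.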