From: 刘洪青
Date: Mon, 18 Jan 2021 14:12:09 +0000 (+0800)
Subject: chore: authx-service-bff 部署脚本
X-Git-Url: https://source.supwisdom.com/gerrit/gitweb?a=commitdiff_plain;h=c04a9b52b5aec83e8b9a1fb8db993a1203a04018;p=institute%2Fdeploy-authx-service.git

chore: authx-service-bff 部署脚本
---
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/0.authx-service-base.yaml b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/0.authx-service-base.yaml
index 5eb183f..07deb46 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/0.authx-service-base.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/0.authx-service-base.yaml
@@ -14,3 +14,230 @@ data:
 # 修改harbor仓库配置,并使用 base64 工具进行编码
 # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
 .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
+
+
+
+####################################################
+# redis-server
+####################################################
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ namespace: authx-service
+ name: redis-data-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ # 根据情况修改
+ storageClassName: nfs-client
+ resources:
+ requests:
+ storage: 10Gi
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: authx-service
+ name: redis-server
+ labels:
+ app: redis
+ release: redis-server
+type: Opaque
+data:
+ REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: authx-service
+ name: redis-server
+ labels:
+ app: redis
+ release: redis-server
+spec:
+ ports:
+ - name: redis
+ port: 6379
+ protocol: TCP
+ targetPort: redis
+ selector:
+ app: redis
+ release: redis-server
+ role: master
+ type: ClusterIP
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ namespace: authx-service
+ name: redis-server
+ labels:
+ app: redis
+ release: redis-server
+spec:
+ podManagementPolicy: OrderedReady
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: redis
+ release: redis-server
+ role: master
+ serviceName: redis-master
+ template:
+ metadata:
+ labels:
+ app: redis
+ release: redis-server
+ role: master
+ spec:
+ # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可,注意这里的缩进,imagePullSecrets要对齐到本行#符号)
+ # imagePullSecrets:
+ # - name: harbor-registry
+ containers:
+ - name: redis-server
+ env:
+ - name: REDIS_DISABLE_COMMANDS
+ value: FLUSHDB,FLUSHALL
+ - name: REDIS_REPLICATION_MODE
+ value: master
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: redis-server
+ key: REDIS_PASSWORD
+ # 若使用了学校搭设的私有仓库,请修改
+ image: bitnami/redis:4.0
+ # 若使用了学校搭设的私有仓库,请修改 为 Always
+ imagePullPolicy: IfNotPresent
+ # imagePullPolicy: Always
+ livenessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 5
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ ports:
+ - containerPort: 6379
+ name: redis
+ protocol: TCP
+ readinessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 5
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
+ volumeMounts:
+ - mountPath: /bitnami/redis/data
+ name: redis-data
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ securityContext:
+ fsGroup: 0
+ # runAsUser: 1001
+ # https://github.com/bitnami/bitnami-docker-redis/issues/106#issuecomment-388884372
+ # runAsUser: 0
+ terminationGracePeriodSeconds: 30
+ volumes:
+ # - name: redis-data
+ # emptyDir: {}
+ - name: redis-data
+ persistentVolumeClaim:
+ claimName: redis-data-pvc
+ updateStrategy:
+ rollingUpdate:
+ partition: 0
+ type: RollingUpdate
+
+
+
+####################################################
+# rabbitmq-server
+####################################################
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: authx-service
+ name: rabbitmq-server
+ labels:
+ app: rabbitmq
+ release: rabbitmq-server
+type: Opaque
+data:
+ RABBITMQ_USERNAME: Z3Vlc3Q=
+ RABBITMQ_PASSWORD: Z3Vlc3Q=
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: authx-service
+ name: rabbitmq-server
+ labels:
+ app: rabbitmq-server
+spec:
+ ports:
+ - port: 5672
+ targetPort: tcp-1
+ protocol: TCP
+ name: tcp-1
+ - port: 15672
+ targetPort: tcp-2
+ protocol: TCP
+ name: tcp-2
+ selector:
+ app: rabbitmq-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: authx-service
+ name: rabbitmq-server
+spec:
+ selector:
+ matchLabels:
+ app: rabbitmq-server
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: rabbitmq-server
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可,注意对齐、缩进)
+ # imagePullSecrets:
+ # - name: harbor-registry
+ containers:
+ - name: rabbitmq-server
+ # 若使用了学校搭设的私有仓库,请修改
+ image: rabbitmq:management
+ # 若使用了学校搭设的私有仓库,请修改 为 Always
+ imagePullPolicy: IfNotPresent
+ # imagePullPolicy: Always
+ ports:
+ - containerPort: 5672
+ name: tcp-1
+ - containerPort: 15672
+ name: tcp-2
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-env.yaml b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-env.yaml
new file mode 100644
index 0000000..ed2a7c2
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-env.yaml
@@ -0,0 +1,35 @@
+# 1.authx-service-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: authx-service
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: authx-service
+ name: redis-env-secret
+type: Opaque
+data:
+ SPRING_REDIS_HOST: cmVkaXMtc2VydmVy
+ SPRING_REDIS_PORT: NjM3OQ==
+ SPRING_REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: authx-service
+ name: rabbitmq-env-secret
+type: Opaque
+data:
+ SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVy
+ SPRING_RABBITMQ_PORT: NTY3Mg==
+ SPRING_RABBITMQ_USERNAME: Z3Vlc3Q=
+ SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q=
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml
new file mode 100644
index 0000000..3f802ee
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml
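Review bot: The new `rabbitmq-server` Secret (RABBITMQ_USERNAME/RABBITMQ_PASSWORD, both the base64 of `guest`) is never consumed — the rabbitmq-server Deployment below it has no `env`/`envFrom` — so the broker comes up with whatever the `rabbitmq:management` image defaults to and the Secret is dead configuration. Feed it into the container through `RABBITMQ_DEFAULT_USER`/`RABBITMQ_DEFAULT_PASS` as in the block below, and replace the guest/guest values with a per-deployment password, as the redis Secret already does. Separately, the StatefulSet's `serviceName: redis-master` names a Service that does not exist in this file (the one created is `redis-server`, and it is a plain ClusterIP rather than headless), so the per-pod DNS name will not resolve and only the direct `redis-server` name works. Finally, `bitnami/redis:4.0` and `rabbitmq:management` are floating tags; the same concern applies to the `1.2.0-SNAPSHOT` images pulled with `imagePullPolicy: Always` in 4.4.authx-service-bff.yaml and 9.api-docs-installer.yaml — pin a specific version or digest so a redeploy is reproducible.
```yaml
      containers:
        - name: rabbitmq-server
          env:
            - name: RABBITMQ_DEFAULT_USER
              valueFrom:
                secretKeyRef:
                  name: rabbitmq-server
                  key: RABBITMQ_USERNAME
            - name: RABBITMQ_DEFAULT_PASS
              valueFrom:
                secretKeyRef:
                  name: rabbitmq-server
                  key: RABBITMQ_PASSWORD
          # … unchanged: image, imagePullPolicy, ports, resources …
```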
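Review bot: `redis-env-secret` carries the same Redis password as the `redis-server` Secret in 0.authx-service-base.yaml (identical base64 `OEt1d29zbE9pdXc3SA==`), so rotating it now means editing two files in lockstep with nothing tying them together; either point the client Deployments at the `redis-server` Secret with a `secretKeyRef` (`key: REDIS_PASSWORD` exposed as `SPRING_REDIS_PASSWORD`) or add `# must match REDIS_PASSWORD in the redis-server Secret (0.authx-service-base.yaml)` above the value. The same duplication exists between `rabbitmq-env-secret` and the `rabbitmq-server` Secret, and both still hold the broker's guest/guest defaults. Base64 in a committed manifest is plaintext for practical purposes, so these files should be treated as secret material (or have their values generated at deploy time) rather than checked in with real values. SPRING_REDIS_HOST/PORT and SPRING_RABBITMQ_HOST/PORT are not secrets and could live in a ConfigMap like `jvm-env`, leaving only the passwords in the Secrets.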
@@ -0,0 +1,134 @@
+# 4.4.authx-service-bff.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: authx-service
+ name: authx-service-bff-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+ LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_AUTHX_SERVICE_BFF: INFO
+
+
+ SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800"
+ SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100"
+ SPRING_REDIS_JEDIS_POOL_MINIDLE: "100"
+
+
+ CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore
+ #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ USER_AUTHZ_SERVICE_SERVER_URL: http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080
+ USER_AUTHZ_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ TPAS_FILE_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
+ TPAS_CLIENT_AUTH_ENABLED: "false"
+ #TPAS_CLIENT_AUTH_KEY_PASSWORD: ""
+ #TPAS_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #TPAS_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #TPAS_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #TPAS_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: authx-service
+ name: authx-service-bff-svc
+ labels:
+ app: authx-service-bff
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: authx-service-bff
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: authx-service
+ name: authx-service-bff
+spec:
+ selector:
+ matchLabels:
+ app: authx-service-bff
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: authx-service-bff
+ spec:
+ containers:
+ - name: authx-service-bff
+ image: harbor.supwisdom.com/authx-service/authx-service-bff:1.2.0-SNAPSHOT
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: redis-env-secret
+ - configMapRef:
+ name: authx-service-bff-env
+ resources:
+ requests:
+ memory: "400Mi"
+ limits:
+ memory: "400Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
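Review bot: Every downstream call configured in `authx-service-bff-env` goes over plain `http://` with `*_CLIENT_AUTH_ENABLED: "false"` (CASSERVER_SA_API, USER_DATA_SERVICE, USER_AUTHZ_SERVICE, TPAS), so nothing in this manifest authenticates the BFF to those services or protects that traffic; the commented keystore/truststore keys show mTLS is supported by the application. If a service mesh is expected to provide this (the rabbitmq Deployment in this commit opts out of Istio injection, which suggests one is in use), record that assumption in a comment above the block; otherwise the commented lines should become the documented way to turn it on. The Deployment also has only a `readinessProbe`: a wedged JVM is pulled out of the Service but never restarted, so add a `livenessProbe` on `/actuator/health` with a more lenient `failureThreshold`. `/actuator/health` is served on the application port 8080 rather than the 6060 metrics port, so it is reachable through `authx-service-bff-svc` by whatever fronts it — worth confirming that is intended.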
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/9.api-docs-installer.yaml b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/9.api-docs-installer.yaml
new file mode 100644
index 0000000..37b3d84
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/0.authx-service/9.api-docs-installer.yaml
@@ -0,0 +1,52 @@
+# 9.api-docs-installer.yaml
+
+# 依赖平台OpenAPI的部署
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: authx-service
+ name: api-docs-installer-env
+data:
+ ##
+ # 平台OpenAPI的外网访问地址,
+ # **修改** 学校的根域名
+ POA_SERVER_URL: https://poa.dev.supwisdom.com
+
+ # **修改** poa-sa 服务的k8s内部地址
+ POA_SA_SERVER_URL: http://poa-sa-svc.poa.svc.cluster.local:8443
+
+ TOKEN_API_SERVER_URL: http://token-server-svc.token-server.svc.cluster.local:8080
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: authx-service
+ name: api-docs-installer
+spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: api-docs-installer
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: api-docs-installer
+ # 若使用了学校搭设的私有仓库,请修改
+ image: harbor.supwisdom.com/authx-service/api-docs-installer:1.2.0-SNAPSHOT
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: api-docs-installer-env
+ # resources:
+ # requests:
+ # memory: "256Mi"
+ # limits:
+ # memory: "256Mi"
+ imagePullSecrets:
+ - name: harbor-registry
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/10.0.init.sql b/deploy-manifests/k8s-rancher/1.authx-service/10.0.init.sql
index 1b8a9d5..d545bcd 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/10.0.init.sql
+++ b/deploy-manifests/k8s-rancher/1.authx-service/10.0.init.sql
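Review bot: `POA_SA_SERVER_URL` pairs `http://` with port 8443, which is conventionally a TLS port; if poa-sa terminates TLS there the installer's requests fail at the handshake, and if it really serves plaintext on 8443 the port number is misleading — check the poa-sa Service and either use `https://` or note the plaintext port in the comment above it. The Job sets `restartPolicy: Never` without `backoffLimit` or `ttlSecondsAfterFinished`, so a misconfigured installer is retried six times (the default) and its failed pods linger; `backoffLimit: 2` surfaces the failure sooner and `ttlSecondsAfterFinished: 3600` cleans up afterwards. Because a Job's spec is immutable once created, re-running after correcting the ConfigMap requires deleting `api-docs-installer` first, which belongs in the header comment alongside the two `**修改**` instructions.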
@@ -1,14 +1,17 @@ -- 10.0.init.sql +/* +将 paas.example.com 替换为 paas.学校域名.edu.cn +*/ + use cas_server; -- 更新 服务 personal-security-center 的信息 - update TB_SERVICE set INFORMATION_URL='http://personal-security-center.paas.example.com', - LOGOUT_URL='http://personal-security-center.paas.example.com/cas/slo?redirect_uri=https://security-center.paas.example.com/?clearCertification=clearCertification', + LOGOUT_URL='http://personal-security-center.paas.example.com/slo?redirect_uri=http://security-center.paas.example.com/?clearCertification=clearCertification', SERVICE_ID='http://personal-security-center.paas.example.com/cas/(.*)' where ID='2'; -- todo, modify