From 94dba6c29a1c8b3bbd49c04ba1c02ef5b3f68df9 Mon Sep 17 00:00:00 2001
From: =?utf8?q?=E5=88=98=E6=B4=AA=E9=9D=92?=
Date: Sat, 18 Sep 2021 11:24:08 +0800
Subject: [PATCH] =?utf8?q?chore:=20attest-server=EF=BC=8C=E5=8F=91?= =?utf8?q?=E5=B8=83=E7=89=88=E6=9C=AC=201.4.0-RELEASE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
---
.../7.attest-server/0.attest-server-base.yaml | 16 ++
.../7.attest-server/1.attest-server-env.yaml | 10 +
.../2.attest-server-ingresses.yaml | 19 ++
.../7.attest-server/4.1.attest-server.yaml | 172 ++++++++++++++++++
4 files changed, 217 insertions(+)
create mode 100644 deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/0.attest-server-base.yaml
create mode 100644 deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/1.attest-server-env.yaml
create mode 100644 deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/2.attest-server-ingresses.yaml
create mode 100644 deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/4.1.attest-server.yaml
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/0.attest-server-base.yaml b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/0.attest-server-base.yaml
new file mode 100644
index 0000000..c3968d2
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/0.attest-server-base.yaml
@@ -0,0 +1,16 @@
+# 0.attest-server-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: attest-server
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/1.attest-server-env.yaml b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/1.attest-server-env.yaml
new file mode 100644
index 0000000..c6be3bc
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/1.attest-server-env.yaml
@@ -0,0 +1,10 @@
+# 1.attest-server-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: attest-server
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/2.attest-server-ingresses.yaml b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/2.attest-server-ingresses.yaml
new file mode 100644
index 0000000..7a54b13
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/2.attest-server-ingresses.yaml
@@ -0,0 +1,19 @@
+# 2.attest-server-ingresses.yaml
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: attest-server-ingress
+ namespace: attest-server
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: attest.paas.xxx.edu.cn
+ http:
+ paths:
+ - path: /attest
+ backend:
+ serviceName: attest-server-svc
+ servicePort: http
+
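Review bot: In 0.attest-server-base.yaml the `harbor-registry` Secret commits a registry credential twice, once as plaintext JSON in the comment above `.dockerconfigjson` and once as its base64 form, which is an encoding and gives no protection. Anyone who can read this repository or its history can use that account against the registry, so it should be treated as exposed and its password rotated. I would ship only a placeholder, `.dockerconfigjson: <base64 of the site's own registry auth JSON>`, replace the plaintext comment with `# create with: kubectl create secret docker-registry harbor-registry ...`, and have operators create the Secret out of band.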
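Review bot: The Ingress in 2.attest-server-ingresses.yaml has no `spec.tls` block, although 4.1.attest-server.yaml sets `ATTEST_SERVER_PREFIX` to an `https://` URL on the same host; as written, HTTPS depends on whatever default certificate the ingress controller serves, and nothing visible here redirects plain HTTP on `/attest`. Since the service handles identity-verification codes (per the SMS and mail templates in 4.1.attest-server.yaml), declare TLS explicitly: `tls:` / `- hosts: [attest.paas.xxx.edu.cn]` / `secretName: <tls-secret-name>`. Also, `extensions/v1beta1` Ingress is removed in Kubernetes 1.22; `networking.k8s.io/v1` with `pathType` and `backend.service` is the supported form.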
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/4.1.attest-server.yaml b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/4.1.attest-server.yaml
new file mode 100644
index 0000000..0ce24eb
--- /dev/null
+++ b/deploy-manifests/k8s-rancher/1.authx-service/7.attest-server/4.1.attest-server.yaml
@@ -0,0 +1,172 @@
+# 4.1.attest-server.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: attest-server
+ name: attest-server-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEY_PASSWORD: ""
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+
+ SERVER_SERVLET_CONTEXT_PATH: "/attest"
+
+ SERVER_MAXHTTPHEADERSIZE: "20480"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "500"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "500"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+
+ # **修改** 从POA申请
+ POA_SERVER_URL: https://poa.paas.xxx.edu.cn
+ POA_CLIENT_ID: ""
+ POA_CLIENT_SECRET: ""
+ POA_SCOPES: appPush:v1:apppushByMessageType
+
+
+ # 修改为学校的根域名
+ ATTEST_SERVER_PREFIX: https://attest.paas.xxx.edu.cn/attest
+
+
+ # guard
+ ATTEST_SERVER_SECUREPHONE_SMS_TEXT_TEMPLATE: 【认证服务】{name}:您正在进行验证身份,验证码为{code},有效期5分钟,请尽快完成验证。
+ ATTEST_SERVER_SECUREPHONE_SMS_FROM: 认证服务
+
+ ATTEST_SERVER_SECUREEMAIL_MAIL_TEXT_TEMPLATE: 【认证服务】{name}:您正在进行验证身份,验证码为{code},有效期5分钟,请尽快完成验证。
+ ATTEST_SERVER_SECUREEMAIL_MAIL_FROM: 认证服务
+
+ # 在超级APP 中唤起人脸识别的 URL Scheme
+ ATTEST_SERVER_FACEVERIFY_SUPERAPP_URL_SCHEME: superapp
+
+
+ # 超级APP Token 的验签公钥
+ TOKEN_SERVER_TOKEN_SIGNING_KEY_URL: http://token-server-svc.token-server.svc.cluster.local:8080/jwt/publicKey
+
+
+ USER_DATA_SERVICE_SA_API_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ TPAS_AGENT_SERVICE_SERVER_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
+ TPAS_AGENT_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ TPAS_AGENT_SERVICE_SMS_SENDER_PATH: /api/v1/tpas/sms/console/send
+ TPAS_AGENT_SERVICE_MAIL_SENDER_PATH: /api/v1/tpas/mail/console/send
+ TPAS_AGENT_SERVICE_FACE_FACEVERIFY_PATH: /api/v1/tpas/face/aiface/faceverify
+
+
+ ##
+ # token-server
+ #
+ TOKEN_SERVER_SERVER_URL: http://token-server-svc.token-server.svc.cluster.local:8080
+
+
+ ##
+ # 将 attest 数据 推送到 rabbitmq
+ #
+ # ATTEST_RABBITMQ_ENABLED: "false"
+ # ATTEST_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ # ATTEST_RABBITMQ_PORT: "5672"
+ # ATTEST_RABBITMQ_USERNAME: guest
+ # ATTEST_RABBITMQ_PASSWORD: guest
+ #
+ # ATTEST_RABBITMQ_APPPUSHATTEST2TOKENRABBITSENDER_ENABLED: "false"
+
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: attest-server
+ name: attest-server-env-secret
+type: Opaque
+data:
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: attest-server
+ name: attest-server-svc
+ labels:
+ app: attest-server
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: attest-server
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: attest-server
+ name: attest-server
+spec:
+ selector:
+ matchLabels:
+ app: attest-server
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: attest-server
+ spec:
+ containers:
+ - name: attest-server
+ image: harbor.supwisdom.com/attest-server/attest-server:1.0.0-SNAPSHOT-DEV
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - configMapRef:
+ name: attest-server-env
+ - secretRef:
+ name: attest-server-env-secret
+ resources:
+ requests:
+ memory: "512Mi"
+ limits:
+ memory: "512Mi"
+ readinessProbe:
+ httpGet:
+ path: /attest/actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
--
2.17.1
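Review bot: `POA_CLIENT_SECRET` is declared in the `attest-server-env` ConfigMap, so once an operator fills it in as the comment above it asks, the OAuth client secret is stored as ordinary config, readable by any subject with ConfigMap read access in the namespace and outside any Secret-specific RBAC or encryption-at-rest settings. The same file already defines an empty `attest-server-env-secret` that the Deployment loads through `secretRef`, so the key belongs there, e.g. `stringData:` followed by `POA_CLIENT_SECRET: "<client secret issued by POA>"`; the commented `*_KEY_PASSWORD` and `*_KEYSTORE_PASSWORD` keys should follow the same rule if they are ever enabled. Separately, the container image uses the mutable tag `1.0.0-SNAPSHOT-DEV` with `imagePullPolicy: Always`, which does not match the 1.4.0-RELEASE named in the subject and lets the running code change without a manifest change; a release tag or image digest would make the deployment reproducible.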