chore: nwpu,1.2
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/0.cas-server-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/0.cas-server-base.yaml
new file mode 100644
index 0000000..eaf380f
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/0.cas-server-base.yaml
@@ -0,0 +1,234 @@
+# cas-server-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ name: harbor-registry
+ namespace: cas-server
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
+
+
+####################################################
+# redis-server
+####################################################
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ namespace: cas-server
+ name: redis-data-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ # 根据情况修改
+ storageClassName: nfs-client
+ resources:
+ requests:
+ storage: 50Gi
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: cas-server
+type: Opaque
+data:
+ REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: cas-server
+spec:
+ ports:
+ - name: redis
+ port: 6379
+ protocol: TCP
+ targetPort: redis
+ selector:
+ app: redis
+ release: redis-server
+ role: master
+ type: ClusterIP
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: cas-server
+spec:
+ podManagementPolicy: OrderedReady
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: redis
+ release: redis-server
+ role: master
+ serviceName: redis-master
+ template:
+ metadata:
+ labels:
+ app: redis
+ release: redis-server
+ role: master
+ spec:
+ containers:
+ - name: redis-server
+ env:
+ - name: REDIS_DISABLE_COMMANDS
+ value: FLUSHDB,FLUSHALL
+ - name: REDIS_REPLICATION_MODE
+ value: master
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: redis-server
+ key: REDIS_PASSWORD
+ # 若使用了学校搭设的私有仓库,请修改
+ image: bitnami/redis:4.0
+ # 若使用了学校搭设的私有仓库,请修改 为 Always
+ imagePullPolicy: IfNotPresent
+ # imagePullPolicy: Always
+ livenessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 5
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ ports:
+ - containerPort: 6379
+ name: redis
+ protocol: TCP
+ readinessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 5
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ volumeMounts:
+ - mountPath: /bitnami/redis/data
+ name: redis-data
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ securityContext:
+ fsGroup: 1001
+ # runAsUser: 1001
+ # https://github.com/bitnami/bitnami-docker-redis/issues/106#issuecomment-388884372
+ runAsUser: 0
+ terminationGracePeriodSeconds: 30
+ volumes:
+ # - name: redis-data
+ # emptyDir: {}
+ - name: redis-data
+ persistentVolumeClaim:
+ claimName: redis-data-pvc
+ # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可)
+ # imagePullSecrets:
+ # - name: harbor-registry
+ updateStrategy:
+ rollingUpdate:
+ partition: 0
+ type: RollingUpdate
+
+
+####################################################
+# rabbitmq-server
+####################################################
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app: rabbitmq
+ release: rabbitmq-server
+ name: rabbitmq-server
+ namespace: cas-server
+type: Opaque
+data:
+ RABBITMQ_USERNAME: Z3Vlc3Q=
+ RABBITMQ_PASSWORD: Z3Vlc3Q=
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: cas-server
+ name: rabbitmq-server
+ labels:
+ app: rabbitmq-server
+spec:
+ ports:
+ - port: 5672
+ targetPort: tcp-1
+ protocol: TCP
+ name: tcp-1
+ - port: 15672
+ targetPort: tcp-2
+ protocol: TCP
+ name: tcp-2
+ selector:
+ app: rabbitmq-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: rabbitmq-server
+ namespace: cas-server
+spec:
+ selector:
+ matchLabels:
+ app: rabbitmq-server
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: rabbitmq-server
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: rabbitmq-server
+ # 若使用了学校搭设的私有仓库,请修改
+ image: rabbitmq:management
+ # 若使用了学校搭设的私有仓库,请修改 为 Always
+ imagePullPolicy: IfNotPresent
+ # imagePullPolicy: Always
+ ports:
+ - containerPort: 5672
+ name: tcp-1
+ - containerPort: 15672
+ name: tcp-2
+ # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可)
+ # imagePullSecrets:
+ # - name: harbor-registry
+
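Review bot: The comment directly above `.dockerconfigjson` (the `# {"auths":{...}}` line) reproduces the Harbor registry username and password in clear text, and the base64 value below it is the same credential, so this file hands a working registry login to anyone with read access to the repository. Delete that comment line, treat the credential as exposed and rotate it in Harbor, and keep the Secret's data out of the tree — e.g. create it at deploy time with `kubectl create secret docker-registry harbor-registry -n cas-server ...` or from an external secret store. The same pattern, decoded secret values left in comments or plain values committed next to their base64 form, repeats in 1.cas-server-env.yaml (the decoded value commented above `JDBC_PASSWORD`), 4.0.cas-server-installer.yaml, 4.5.cas-server-site-webapp.yaml and 5.cas-server-datax-job.yaml. Two smaller points in this hunk: the `rabbitmq-server` Secret encodes RabbitMQ's well-known default `guest`/`guest` pair, and the redis StatefulSet sets `runAsUser: 0` to work around the linked volume-permission issue even though `fsGroup: 1001` already handles group ownership of a PVC-backed mount on most storage classes, so the commented `runAsUser: 1001` should be tried before granting root.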
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/1.cas-server-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/1.cas-server-env.yaml
new file mode 100644
index 0000000..f8b56ca
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/1.cas-server-env.yaml
@@ -0,0 +1,51 @@
+# cas-server-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: cas-server
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: cas-server
+ name: datasource-env-secret
+type: Opaque
+data:
+ # jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/cas_server?serverTimezone=Asia/Shanghai
+ JDBC_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvY2FzX3NlcnZlcj9zZXJ2ZXJUaW1lem9uZT1Bc2lhL1NoYW5naGFp
+ # cas_server
+ JDBC_USERNAME: Y2FzX3NlcnZlcg==
+ # 修改为实际的数据库密码,并使用 base64 工具进行编码
+ # kingstar
+ JDBC_PASSWORD: a2luZ3N0YXI=
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: cas-server
+ name: redis-env-secret
+type: Opaque
+data:
+ SPRING_REDIS_HOST: cmVkaXMtc2VydmVy
+ SPRING_REDIS_PORT: NjM3OQ==
+ SPRING_REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: cas-server
+ name: rabbitmq-env-secret
+type: Opaque
+data:
+ SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVy
+ SPRING_RABBITMQ_PORT: NTY3Mg==
+ SPRING_RABBITMQ_USERNAME: Z3Vlc3Q=
+ SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q=
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml
new file mode 100644
index 0000000..9ffc2a6
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml
@@ -0,0 +1,45 @@
+# cas-server-ingresses.yaml
+
+# 创建 ca-secret
+
+# cd PATH/ca/certs/client
+
+# kubectl describe secret ca-secret -n cas-server
+
+# kubectl create secret generic ca-secret --from-file=client.truststore=client.truststore -n cas-server
+
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: cas-server
+ name: cas-ingress
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+ # cert-manager.io/cluster-issuer: "letsencrypt-staging"
+ # nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ # nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ # nginx.ingress.kubernetes.io/auth-tls-secret: "cas-server/ca-secret"
+ # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
+spec:
+ # tls:
+ # - hosts:
+ # - cas.paas.xxx.edu.cn
+ # secretName: cas-ingress-tls
+ rules:
+ # 修改为学校的根域名
+ - host: cas.paas.xxx.edu.cn
+ http:
+ paths:
+ - path: /cas
+ backend:
+ serviceName: cas-server-site-webapp-svc
+ servicePort: http
+ - path: /cas/schemes
+ backend:
+ serviceName: cas-server-site-scheme-svc
+ servicePort: http
+
+
+# TODO: https 配置说明
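Review bot: With the `tls:` block and the `ssl-redirect` annotation both commented out, this Ingress serves the `/cas` login path over plain HTTP, while 4.5.cas-server-site-webapp.yaml sets `CAS_SERVER_NAME` to an `https://` URL and `CAS_TGC_SECURE: "true"`, so either browsers never return the TGC cookie on the HTTP path or credentials cross the edge unencrypted, depending on what terminates TLS in front of the ingress (not visible here). At minimum enable `nginx.ingress.kubernetes.io/ssl-redirect: "true"` and the `tls:` entry with `secretName: cas-ingress-tls` rather than leaving it to the trailing `TODO`. Separately, `apiVersion: extensions/v1beta1` for Ingress is removed from Kubernetes 1.22 onward; `networking.k8s.io/v1` with `pathType` and `backend.service.name/port` is the portable form.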
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml
new file mode 100644
index 0000000..28b9f01
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml
@@ -0,0 +1,56 @@
+# cas-server-installer.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: cas-server
+ name: cas-server-installer-env
+data:
+ DB_TYPE: mysql8
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: cas-server
+ name: cas-server-installer
+spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: cas-server-installer
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: cas-server-installer
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-installer:1.2.9-SNAPSHOT
+ imagePullPolicy: Always
+ env:
+ - name: DB_TYPE
+ value: mysql8
+ - name: JDBC_URL
+ value: jdbc:mysql://mysql-server:3306/cas_server_test?serverTimezone=Asia/Shanghai
+ - name: JDBC_USERNAME
+ value: cas_server_test
+ - name: JDBC_PASSWORD
+ value: Supwisdom!Nwpu123
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ # - secretRef:
+ # name: datasource-env-secret
+ - configMapRef:
+ name: cas-server-installer-env
+ # resources:
+ # requests:
+ # memory: "256Mi"
+ # limits:
+ # memory: "256Mi"
+ imagePullSecrets:
+ - name: harbor-registry
+
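Review bot: The literal `JDBC_PASSWORD` in the `env:` list is a plain-text database password, and because explicit `env` entries take precedence over `envFrom` in Kubernetes, uncommenting the `secretRef: datasource-env-secret` lines below would not replace it — the inline value would still win. Drop the four literal `DB_TYPE`/`JDBC_*` env entries and rely on the `secretRef` (plus the `cas-server-installer-env` ConfigMap already listed, which provides `DB_TYPE`) so the installer reads the same credential the services do. Note the inline values target `cas_server_test`/`mysql-server:3306` while `datasource-env-secret` in 1.cas-server-env.yaml targets `cas_server` on the `authx-service` host; if the installer is meant to run against a separate test database, that needs its own Secret rather than an inline password.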
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml
new file mode 100644
index 0000000..ef0abb4
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml
@@ -0,0 +1,134 @@
+# cas-server-sa-api.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: cas-server
+ name: cas-server-sa-api-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+
+ SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10"
+ SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "20"
+ SPRING_DATASOURCE_DRUID_MIN_IDLE: "10"
+
+ SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800"
+ SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100"
+ SPRING_REDIS_JEDIS_POOL_MINIDLE: "100"
+
+
+ SERVICE_REFRESH_REDIS_TIMER_ENABLED: "true"
+ ACCOUNT_REFRESH_REDIS_TIMER_ENABLED: "false"
+ FEDERATION_REFRESH_REDIS_TIMER_ENABLED: "true"
+
+
+ USER_DATA_SERVICE_SA_API_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: cas-server
+ name: cas-server-sa-api-env-secret
+type: Opaque
+data:
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEY_PASSWORD: Y2xpZW50
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: Y2xpZW50
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: Y2xpZW50
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: cas-server
+ name: cas-server-sa-api-svc
+ labels:
+ app: cas-server-sa-api
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: cas-server-sa-api
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: cas-server
+ name: cas-server-sa-api
+spec:
+ selector:
+ matchLabels:
+ app: cas-server-sa-api
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: cas-server-sa-api
+ spec:
+ containers:
+ - name: cas-server-sa-api
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-sa-api:1.2.9-SNAPSHOT
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - secretRef:
+ name: redis-env-secret
+ - secretRef:
+ name: rabbitmq-env-secret
+ - configMapRef:
+ name: cas-server-sa-api-env
+ - secretRef:
+ name: cas-server-sa-api-env-secret
+ resources:
+ requests:
+ memory: "512Mi"
+ limits:
+ memory: "512Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
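Review bot: In the `cas-server-sa-api-env-secret` Secret every `data:` entry is commented out, which leaves a bare `data:` key that YAML parses as null rather than an empty map; the API server accepts it, but it reads as an unfinished edit and yamllint's `empty-values` rule flags it. Write `data: {}` explicitly (the same applies to `cas-server-security-engine-env-secret` in 4.3.cas-server-security-engine.yaml), or omit the Secret and its `secretRef` until the client-auth keystore values are actually populated. The `#USER_DATA_SERVICE_...` and `#SSL_...` comment lines also lack the space after `#` that yamllint's `comments` rule expects.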
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml
new file mode 100644
index 0000000..0e7e2c5
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml
@@ -0,0 +1,88 @@
+# cas-server-security-engine.yaml
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: cas-server
+ name: cas-server-security-engine-env-secret
+type: Opaque
+data:
+ #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: Y2xpZW50
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: Y2xpZW50
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: Y2xpZW50
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: cas-server
+ name: cas-server-security-engine-env
+data:
+ CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: cas-server
+ name: cas-server-security-engine-svc
+ labels:
+ app: cas-server-security-engine
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: cas-server-security-engine
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: cas-server
+ name: cas-server-security-engine
+spec:
+ selector:
+ matchLabels:
+ app: cas-server-security-engine
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: cas-server-security-engine
+ spec:
+ containers:
+ - name: cas-server-security-engine
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-security-engine:1.2.9-SNAPSHOT
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - secretRef:
+ name: rabbitmq-env-secret
+ - configMapRef:
+ name: cas-server-security-engine-env
+ - secretRef:
+ name: cas-server-security-engine-env-secret
+ resources:
+ requests:
+ memory: "512Mi"
+ limits:
+ memory: "512Mi"
+ imagePullSecrets:
+ - name: harbor-registry
+
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml
new file mode 100644
index 0000000..7bb240d
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml
@@ -0,0 +1,262 @@
+# cas-server-site-webapp.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: cas-server
+ name: cas-server-site-webapp-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEY_PASSWORD: ""
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+
+ SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800"
+ SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100"
+ SPRING_REDIS_JEDIS_POOL_MINIDLE: "100"
+
+
+ LOGGING_CONFIG: file:/etc/cas/log4j2-file.xml
+
+
+ ##
+ # 认证服务的外网访问地址,
+ # **修改** 学校的根域名
+ CAS_SERVER_NAME: https://cas.paas.xxx.edu.cn
+
+ ##
+ # Ticket Granting Cookie
+ # 若未启用 https,**修改** 为 false
+ CAS_TGC_SECURE: "true"
+
+ # TGT Expiration Policy
+ CAS_TICKET_TGT_MAX_TIME_TO_LIVE_IN_SECONDS: "1209600"
+ CAS_TICKET_TGT_TIME_TO_KILL_IN_SECONDS: "172800"
+
+ # JWT Tickets
+ CAS_AUTHN_TOKEN_CRYPTO_SIGNING_KEY: "(@<rhnPaUYKC_k770*DuWwYQ_#Zc#8c(2rB?kae)rN)>K7qy)awCjxp$L653Mf$2"
+
+ ##
+ # 登录UI,主题
+ SPRING_THYMELEAF_PREFIX: classpath:/templates/themes/classic/
+
+ ##
+ # 测试环境中可使用,正式环境下请配置为空
+ #
+ CAS_AUTHN_ACCEPT_USERS: ""
+
+
+ ## 配置第三方认证的相关参数
+ CASSERVER_FEDERATION_QQ_ENABLED: "true"
+ CASSERVER_FEDERATION_QQ_NAME: QQ
+ CASSERVER_FEDERATION_QQ_APPID: ""
+ CASSERVER_FEDERATION_QQ_APPKEY: ""
+
+ CASSERVER_FEDERATION_OPENWEIXIN_ENABLED: "true"
+ CASSERVER_FEDERATION_OPENWEIXIN_NAME: 微信
+ CASSERVER_FEDERATION_OPENWEIXIN_APPID: ""
+ CASSERVER_FEDERATION_OPENWEIXIN_APPSECRET: ""
+
+ CASSERVER_FEDERATION_WORKWEIXIN_ENABLED: "true"
+ CASSERVER_FEDERATION_WORKWEIXIN_NAME: 企业微信
+ CASSERVER_FEDERATION_WORKWEIXIN_CORPID: ""
+ CASSERVER_FEDERATION_WORKWEIXIN_AGENTID: ""
+ CASSERVER_FEDERATION_WORKWEIXIN_SECRET: ""
+
+ CASSERVER_FEDERATION_ALIPAY_ENABLED: "true"
+ CASSERVER_FEDERATION_ALIPAY_NAME: 支付宝
+ CASSERVER_FEDERATION_ALIPAY_APPID: ""
+ CASSERVER_FEDERATION_ALIPAY_APPPRIVATEKEY: ""
+ CASSERVER_FEDERATION_ALIPAY_ALIPAYPUBLICKEY: ""
+
+ CASSERVER_FEDERATION_DINGTALK_ENABLED: "true"
+ CASSERVER_FEDERATION_DINGTALK_NAME: 钉钉
+ CASSERVER_FEDERATION_DINGTALK_APPID: ""
+ CASSERVER_FEDERATION_DINGTALK_APPSECRET: ""
+
+
+ # **修改**
+ # jwt 的签发方标识,一般为 认证的域名
+ CASSERVER_JWT_ISS: cas.paas.xxx.edu.cn
+ # **修改**
+ # 参考 certs/jwt/readme.md 生成公私钥pem,修改相关配置
+ CASSERVER_JWT_PRIVATE_KEY_PEM_PKCS8: "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"
+ CASSERVER_JWT_PUBLIC_KEY_PEM: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyor3CX6A6U4EoSHawtALiJoB0CkJnb/wmVkcVT5EmNupGVrVSeJo80ZAxsgd9S1CZVXxTXtJ7XjsqnzR64Qvrn+tdvj9Ck5k/6Tnp6HoKU/AQxA3tQ5Zqw6D6ihPOyVV4z4cdK5wjzEBNPhJuTjjzP4VQ4h4VseWNbfhXGK3vSes8oNn5Wwor9r1UbEJP/ZMHrDJxAcwe0GPvebAqEp4O5ZcTtWnq+/qkoUB6z/52EnCMltoPmuMC+o3fWdICBf4q70oSDClfuhLVi4mRT2K5UUH8fsxEe6oPtkvk9vVCCOZRmo0MXpXZiIqdZOtgcBzn/0mzoNd58KxeIy0ginjfwIDAQAB"
+
+ # **视情况修改**
+ ## 是否启用登录验证码
+ CASSERVERSITE_CAPTCHA_ENABLED: "true"
+ CASSERVERSITE_CAPTCHA_SKIP_N: "true"
+
+ CASSERVERSITE_FEDERATED_CAPTCHA_ENABLED: "true"
+
+ ## 配置用户的登录名的正则校验(用于手机、邮箱登录的判断)
+ #CASSERVERSITE_USERNAME_REGEX_MOBILE: ""
+ # \d{11}$
+ #CASSERVERSITE_USERNAME_REGEX_EMAIL_ADDRESS: ""
+ # \w+\.?\w+@\w+\.[a-z]+(\.[a-z]+)?
+
+ ## 配置认证时,帐号服务的实现( redis 帐号数据存放在redis中, user-sa 帐号数据从用户服务获取)
+ CASSERVERSITE_ACCOUNT_SERVICE_IMPL: user-sa
+
+ ## 配置认证时,角色服务的实现( redis 角色数据存放在redis中, user-authz-sa 角色数据从授权服务获取)
+ CASSERVERSITE_ROLE_SERVICE_IMPL: user-authz-sa
+
+ ## 配置认证时,动态码的短信发送实现( default 控制台输出, agent-service 代理服务)
+ CASSERVERSITE_SMS_SENDER_IMPL: agent-service
+
+ # **修改** 学校的根域名
+ CASSERVERSITE_FORGOT_PASSWORD_URL: https://security-center.paas.xxx.edu.cn/find-pwd
+ CASSERVERSITE_ACTIVE_ACCOUNT_URL: https://security-center.paas.xxx.edu.cn/active-account
+
+ ## 动态码登录相关配置
+ CASSERVERSITE_PASSWORDLESS_TOKEN_EXPIRATION_IN_SECONDS: "300"
+ CASSERVERSITE_PASSWORDLESS_SMS_FROM: 认证中心
+ # **修改** 根据实际情况,修改短信模板
+ CASSERVERSITE_PASSWORDLESS_SMS_TEXT_TEMPLATE: 【认证中心】您正在登录统一身份认证,本次登录的动态密码为{token},有效期5分钟,请尽快完成登录。
+
+
+ ## 密码验证接口(外部接口)
+ CASSERVERSITE_SECURITY_PASSWORD_VERIFY_URL: ""
+ # http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080/api/v1/security/accounts/verifyAccountPassword
+
+
+ TPAS_AGENT_SERVICE_SERVER_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
+ TPAS_AGENT_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ # **修改**
+ # 若须对接sms 接口,须进行二开定制
+ TPAS_AGENT_SERVICE_SMS_SENDER_PATH: /api/v1/tpas/sms/console/send
+
+ TPAS_AGENT_SERVICE_FILE_PATH: /api/v1/tpas/file/minio
+
+
+ CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ USER_DATA_SERVICE_SA_API_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ USER_AUTHZ_SERVICE_SA_API_SERVER_URL: http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080
+ USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ ##
+ # 超级APP Token 的验签公钥
+ # 如须和 超级APP 进行对接,修改此配置
+ # **修改** 学校的根域名
+ SUPERAPP_TOKEN_SIGNING_KEY_URL: https://token.paas.xxx.edu.cn/jwt/publicKey
+
+
+ ##
+ # 第三方CAS 认证对接
+ #
+ CASCLIENT_ENABLED: "false"
+ CASCLIENT_CAS_SERVER_URL: http://third-party-cas/cas
+ CASCLIENT_CAS_CLIENT_URL: http://localhost:8080/cas/login
+ CASCLIENT_CAS_CLIENT_LOGOUT_URL: http://localhost:8080/cas/logout
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: cas-server
+ name: cas-server-site-webapp-svc
+ labels:
+ app: cas-server-site-webapp
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: cas-server-site-webapp
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: cas-server
+ name: cas-server-site-webapp
+spec:
+ selector:
+ matchLabels:
+ app: cas-server-site-webapp
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: cas-server-site-webapp
+ spec:
+ containers:
+ - name: cas-server-site-webapp
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-site-webapp:1.2.9-SNAPSHOT
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: redis-env-secret
+ - secretRef:
+ name: rabbitmq-env-secret
+ - configMapRef:
+ name: cas-server-site-webapp-env
+ resources:
+ requests:
+ memory: "6000Mi"
+ limits:
+ memory: "6000Mi"
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
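Review bot: `CASSERVER_JWT_PRIVATE_KEY_PEM_PKCS8` (the JWT signing private key) and `CAS_AUTHN_TOKEN_CRYPTO_SIGNING_KEY` are stored in the `cas-server-site-webapp-env` ConfigMap, which RBAC defaults, audit policy and encryption-at-rest do not treat as sensitive the way a Secret is, so anyone able to read ConfigMaps in `cas-server` can mint valid CAS JWTs. Move both values into a Secret referenced from the Deployment's `envFrom`, as the other services already do for `datasource-env-secret`; and since this key pair is also committed under `certs/jwt/`, regenerate it with the steps in `certs/jwt/readme.md` and rotate. The `CASCLIENT_CAS_SERVER_URL` and `CASCLIENT_CAS_CLIENT_*` values are plain `http://` placeholders behind `CASCLIENT_ENABLED: "false"`; if that integration is ever enabled they should be `https://` as well.
```yaml
---
apiVersion: v1
kind: Secret
metadata:
  namespace: cas-server
  name: cas-server-site-webapp-env-secret
type: Opaque
data:
  # base64 of the two values removed from the ConfigMap above (placeholders)
  CAS_AUTHN_TOKEN_CRYPTO_SIGNING_KEY: <BASE64_OF_SIGNING_KEY>
  CASSERVER_JWT_PRIVATE_KEY_PEM_PKCS8: <BASE64_OF_PKCS8_PEM>
# … unchanged: Service, Deployment up to envFrom …
          envFrom:
            # … unchanged: jvm-env, redis-env-secret, rabbitmq-env-secret, cas-server-site-webapp-env …
            - secretRef:
                name: cas-server-site-webapp-env-secret
```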
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml
new file mode 100644
index 0000000..f377837
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml
@@ -0,0 +1,113 @@
+# 4.6.cas-server-site-scheme.yaml
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ namespace: cas-server
+ name: cas-server-site-scheme-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ # 根据情况修改
+ storageClassName: nfs-client
+ resources:
+ requests:
+ storage: 5Gi
+
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: cas-server
+ name: cas-server-site-scheme-config
+data:
+ # 当配置了 CASSERVER_SA_API_SERVER_URL,则使用配置表中的配置,否则,使用 SCHEME_COLOR 指定的设置
+ CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ SCHEME_COLOR: ""
+ # 409EFF
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: cas-server
+ name: cas-server-site-scheme-svc
+ labels:
+ app: cas-server-site-scheme-svc
+spec:
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app: cas-server-site-scheme
+
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: cas-server
+ name: cas-server-site-scheme
+spec:
+ selector:
+ matchLabels:
+ app: cas-server-site-scheme
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: cas-server-site-scheme
+ spec:
+ initContainers:
+ - command:
+ - chmod
+ - -R
+ - "777"
+ - /usr/share/nginx/html
+ # 根据情况修改镜像地址
+ image: busybox:1.25.0
+ imagePullPolicy: IfNotPresent
+ name: chmod-html-dir
+ volumeMounts:
+ - name: html
+ mountPath: /usr/share/nginx/html
+ containers:
+ - name: cas-server-site-scheme-nginx
+ # 根据情况修改镜像地址
+ image: nginx:latest
+ ports:
+ - containerPort: 80
+ name: http
+ volumeMounts:
+ - mountPath: /usr/share/nginx/html
+ name: html
+ resources:
+ requests:
+ cpu: 500m
+ memory: "256Mi"
+ limits:
+ cpu: 2000m
+ memory: "256Mi"
+ - name: cas-server-site-scheme-generator
+ # 根据情况修改镜像地址
+ image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-site-scheme:1.2.9-SNAPSHOT
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: cas-server-site-scheme-config
+ volumeMounts:
+ - mountPath: /usr/share/nginx/html
+ name: html
+ volumes:
+ # - name: html
+ # emptyDir: {}
+ - name: html
+ persistentVolumeClaim:
+ claimName: cas-server-site-scheme-pvc
+ imagePullSecrets:
+ - name: harbor-registry
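Review bot: The `chmod-html-dir` init container makes the shared PVC at `/usr/share/nginx/html` world-writable (`chmod -R 777`) on every pod start, which is broader than the two containers need and means any process in either container, or any other pod mounting the same ReadWriteMany claim, can rewrite the served login-page assets. Set group ownership instead with a pod-level `securityContext:` / `fsGroup: <GID_OF_GENERATOR_USER>` (the generator image's uid/gid is not visible here) and drop the init container, or at most narrow it to `chmod -R g+rwX`. Two smaller points: `image: nginx:latest` with no `imagePullPolicy` pulls an unpinned image on every start, so pin a version or digest like the other images in this tree, and the Service's own label `app: cas-server-site-scheme-svc` differs from its selector `app: cas-server-site-scheme`, which is harmless but looks unintended.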
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml
new file mode 100644
index 0000000..ab86d7b
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml
@@ -0,0 +1,57 @@
+# cas-server-datax-job.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: cas-server
+ name: cas-server-datax-job-env
+data:
+ JOB_ACCOUNT_USER2CAS_MYSQLREADER8_USERNAME: "user"
+ # 修改为实际的数据库密码
+ JOB_ACCOUNT_USER2CAS_MYSQLREADER8_PASSWORD: "kingstar"
+ JOB_ACCOUNT_USER2CAS_MYSQLREADER8_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai"
+
+ JOB_ACCOUNT_USER2CAS_MYSQLWRITER8_USERNAME: "cas_server"
+ # 修改为实际的数据库密码
+ JOB_ACCOUNT_USER2CAS_MYSQLWRITER8_PASSWORD: "kingstar"
+ JOB_ACCOUNT_USER2CAS_MYSQLWRITER8_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/cas_server?serverTimezone=Asia/Shanghai"
+
+
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ namespace: cas-server
+ name: cas-server-datax-job
+spec:
+ schedule: "5 */2 * * *"
+ jobTemplate:
+ metadata:
+ labels:
+ app: cas-server-datax-job
+ spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: cas-server-datax-job
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: cas-server-datax-job
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-datax-job:1.2.9-SNAPSHOT
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: cas-server-datax-job-env
+ # resources:
+ # requests:
+ # memory: "400Mi"
+ # limits:
+ # memory: "400Mi"
+ imagePullSecrets:
+ - name: harbor-registry
+
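Review bot: `apiVersion: batch/v1beta1` for CronJob is removed from Kubernetes 1.25 onward; `batch/v1` has served CronJob since 1.21 with the same fields used here, so `apiVersion: batch/v1` is the portable choice. The two `*_PASSWORD` values also sit in the `cas-server-datax-job-env` ConfigMap as plain strings, unlike the services, which read `datasource-env-secret`; move them to a Secret and reference it with `secretRef` so the job does not widen who can read the database password to everyone with ConfigMap read access in the namespace.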
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key.pem b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key.pem
new file mode 100644
index 0000000..e1c0db0
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key_pkcs8.pem b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key_pkcs8.pem
new file mode 100644
index 0000000..4c9e224
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key_pkcs8.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDKivcJfoDpTgSh
+IdrC0AuImgHQKQmdv/CZWRxVPkSY26kZWtVJ4mjzRkDGyB31LUJlVfFNe0nteOyq
+fNHrhC+uf612+P0KTmT/pOenoegpT8BDEDe1DlmrDoPqKE87JVXjPhx0rnCPMQE0
++Em5OOPM/hVDiHhWx5Y1t+FcYre9J6zyg2flbCiv2vVRsQk/9kwesMnEBzB7QY+9
+5sCoSng7llxO1aer7+qShQHrP/nYScIyW2g+a4wL6jd9Z0gIF/irvShIMKV+6EtW
+LiZFPYrlRQfx+zER7qg+2S+T29UII5lGajQxeldmIip1k62BwHOf/SbOg13nwrF4
+jLSCKeN/AgMBAAECggEAVtWHHcHngJ6bK325LSZGm5TzTAwb/E6q1wO2OvGMNUCP
+WbhwktGHjyzCXray6UczHQDgiAhgZHggduM2mFM+ogBJHSWYTo/XiyZmzp6CSxvO
+4LGWQIBbfxOlCIGpnkDedqNNTdTvmuQ2kUAVU1yJhXw1H5Pli8bbpkIkUxhbj7Ms
+mcSZS4Xaqj1jhOWoBzt1SZEpHgDZ4m8MEMBfjLu+/SQAIWGdJmyANdsU3V/f/Dmc
+gSqu7oTFYZiEFyJqTRyCVHJmyIqAOAtqHkKnJcGfeurwUIuX5NVqdYhj/JM+3k8l
+XDRyoyC0QADhnfR85uXV/OnXCVBC8GABuMP4DaiHyQKBgQDjwjtbVb/jQur2JYsS
+DS0sZI3S4X929gWU66AyClnUNbRIVcN4Lyhnp8+d/m9+oVV6kDfjTDnuEz7TWHr9
+4RFcecdivehzxRHdRlRp+IhmtCtzstPhS5f0U6/e59CryxgxV+h5jDUssokzdz1b
+LsnC8+VgKNL2jVXqkuLkF3RqhQKBgQDjqE186VX3oej5YlmLmqi4LVFFVzpX75dO
+jAFc+ke/SPXm11o7lj1ONr+t9ZKcwvPx9j5OPXJajbaE2Qx1KXzTPKQT44GdpOvi
+stOJQSNpx2e00K4Sn/7bsJq++UJ7FtmR+iJvfYq1uW1z5taVIjh5hhwFtIBW38vo
+NcghCXVvMwKBgAUwRpPlFzMBMkMbRdjKbg4F2GlGc9Xs8uGaoJKjQ7qe4pWHRqW1
+RVFfNE6gHkAfQshBAtTtxqAS1iqQaHTiLLgTmiQ4uVPx2F9XG9MyM0FLt3WyTDtk
+sniBc487briLLujo3MXwGMIE6zU98SrjnPsQ/Ve8dlnhjGSEpiCWHDPVAoGAZwNm
+JMqUytvpxsbZDBGsnMJszvqcfOP+TF2P1FmwE39ZPd5ehy4BiZ2+eGHxuJuCtQ8e
+vFqTnyQW3eA1AeMHB7Kd8B33LbVNw6P1klr2QkwnwirXSbg6I4CzVQ0HJxl809Ai
+ut5M4NQKEfL3UD5O3bZwgahelnDoHKgRadmU2P8CgYANBbxpDT1SdyJUFuKzJ5/c
+UPBFzOn3eNGRo/RejXSCi5Spd9OoTwDh6dbffk7pUWLYH/BFILW9+RL8uhMt8mdT
+WVgDKrNrdZLdWUBNsb89St9x/JwlucqgbTvzf0G0h/ZiGNzyPhgGABRrlWVYIdS8
+KLdTYUkvPHsEAtxR+kwTAg==
+-----END PRIVATE KEY-----
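Review bot: This is an unencrypted RSA private key committed to the repository, and the public key next to it in `jwt_public_key.pem` is byte-identical to `CASSERVER_JWT_PUBLIC_KEY_PEM` in 4.5.cas-server-site-webapp.yaml, so this appears to be the live key CAS uses to sign JWTs; any token it signs must be treated as forgeable by anyone with read access to this history. Regenerate the pair with the `openssl genrsa` / `openssl pkcs8 -topk8` steps in `certs/jwt/readme.md`, deploy the new private key only through a Secret, and add the private PEM files (`jwt_private_key.pem`, `jwt_private_key_pkcs8.pem`) to `.gitignore` — removing them in a later commit does not retract what is already in git history. The public key can stay in the tree.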
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_public_key.pem b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_public_key.pem
new file mode 100644
index 0000000..7523d69
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_public_key.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyor3CX6A6U4EoSHawtAL
+iJoB0CkJnb/wmVkcVT5EmNupGVrVSeJo80ZAxsgd9S1CZVXxTXtJ7XjsqnzR64Qv
+rn+tdvj9Ck5k/6Tnp6HoKU/AQxA3tQ5Zqw6D6ihPOyVV4z4cdK5wjzEBNPhJuTjj
+zP4VQ4h4VseWNbfhXGK3vSes8oNn5Wwor9r1UbEJP/ZMHrDJxAcwe0GPvebAqEp4
+O5ZcTtWnq+/qkoUB6z/52EnCMltoPmuMC+o3fWdICBf4q70oSDClfuhLVi4mRT2K
+5UUH8fsxEe6oPtkvk9vVCCOZRmo0MXpXZiIqdZOtgcBzn/0mzoNd58KxeIy0ginj
+fwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/readme.md b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/readme.md
new file mode 100644
index 0000000..81ac267
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/readme.md
@@ -0,0 +1,98 @@
+# readme.md
+
+
+## 使用 openssl 生成 公私钥
+
+
+1. 生成私钥 App Private Key
+
+必须为 RSA2(SHA256)
+
+```bash
+openssl genrsa -out jwt_private_key.pem 2048
+```
+
+2. 将私钥转换为 PKCS8 格式
+
+```bash
+openssl pkcs8 -topk8 -inform PEM -in jwt_private_key.pem -outform PEM -nocrypt -out jwt_private_key_pkcs8.pem
+```
+
+3. 导出公钥 App Public Key
+
+```bash
+openssl rsa -in jwt_private_key.pem -pubout -out jwt_public_key.pem
+```
+
+4. 将 jwt_public_key.pem 中的内容,去除换行和空格,转成字符串。
+
+处理前:
+```language
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwow0APEh9F91vvtAzl7V
+FmXRAOGhlo+22KX+rqC3ziGg4+yIk8evAL1T97XEuK1huqcAp+p4PIG2t/Rb3FBD
++vVJGoXKsyLCMUmT4Sy5/TRhb3TM0CHefvMZTSMwcVzKT07DtxyGgFZj9WsUYZWr
+BUPcu0vD6s7m5Qe3qFJJWVeRX8NDnVAxySzrz4bI4+1qvtyey/uap3I6txxRxUlI
+aMyTsD8pl63u14dD2FHRM6JY3tmdEpBEMWI91qmYbl9HkH/D6Xtumg0Hmzh06bdr
+lO3YNscpr6iN2ug6yGNtAh4/ug4P4ZV9nxImcj8l8Pt3jio1O0IIpf4MUCMD+C7P
+rQIDAQAB
+-----END PUBLIC KEY-----
+```
+处理后:
+```language
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwow0APEh9F91vvtAzl7VFmXRAOGhlo+22KX+rqC3ziGg4+yIk8evAL1T97XEuK1huqcAp+p4PIG2t/Rb3FBD+vVJGoXKsyLCMUmT4Sy5/TRhb3TM0CHefvMZTSMwcVzKT07DtxyGgFZj9WsUYZWrBUPcu0vD6s7m5Qe3qFJJWVeRX8NDnVAxySzrz4bI4+1qvtyey/uap3I6txxRxUlIaMyTsD8pl63u14dD2FHRM6JY3tmdEpBEMWI91qmYbl9HkH/D6Xtumg0Hmzh06bdrlO3YNscpr6iN2ug6yGNtAh4/ug4P4ZV9nxImcj8l8Pt3jio1O0IIpf4MUCMD+C7PrQIDAQAB
+-----END PUBLIC KEY-----
+```
+
+4. 将 jwt_private_key_pkcs8.pem 中的内容,去除换行和空格,转成字符串。
+
+处理前:
+```language
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
+```
+处理后:
+```language
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDCjDQA8SH0X3W++0DOXtUWZdEA4aGWj7bYpf6uoLfOIaDj7IiTx68AvVP3tcS4rWG6pwCn6ng8gba39FvcUEP69UkahcqzIsIxSZPhLLn9NGFvdMzQId5+8xlNIzBxXMpPTsO3HIaAVmP1axRhlasFQ9y7S8PqzublB7eoUklZV5Ffw0OdUDHJLOvPhsjj7Wq+3J7L+5qncjq3HFHFSUhozJOwPymXre7Xh0PYUdEzolje2Z0SkEQxYj3WqZhuX0eQf8Ppe26aDQebOHTpt2uU7dg2xymvqI3a6DrIY20CHj+6Dg/hlX2fEiZyPyXw+3eOKjU7Qgil/gxQIwP4Ls+tAgMBAAECggEAaQOlTpza5z5gIKcfZEZsX5q2JvOkddE9sdRolXrLvMkKP/39+0def9ey65OCjO2KQ2bCQ+Gc5YxfRQzySQpKp7yfqWFu+SNaD6DX4kRyYOtVbQRvSin+ICi5D5pfG9IqooSxwLX1JHF9o4wZhFN17XGkRLWxG55zpE12JbXFQiPBpck6hcMfx+r5wk7t4ret/8P/MDcyrPuUavJemd4D2jRrD7AmOGJDvElioFcOKA+VS8oe/uBdpU8cbYJvct68fHOzG9IW3hdqYV18fhNtWqp9WeuUP+F2UMmOXbAtZ106Zcd+V/jsse2G9KvGzmDA61ZGxzHUjt+JNIpN+V2HQQKBgQDkfYb8vIMc2yV0CM30mAaPIapgpw8brYS8v+azQR/jjsuHFJ1CQJAih79y2gwdjKbDl0XByjj/qiHLTPcu6dkuavdsV9MrlFfVqAXUMNDHrWEn5nMahlq3UZbflBqlavTr0gvEA8Da+ZXcRvWgTP5+g5RFrKHJVOyQ+GzgDggQawKBgQDZ+IDRthf0UHvvZsoUbeb37Wut9jdjRgLJS1X4RtH+NPN23lvtTKJmUNfrFxiOfeVBfCXmGep0ibTqDVo0zBeHSu4BFM3BsICu7xafmLafZxZqHcgWuF9keOCWjKN5fzub5xGqd2yge9hGN2zA2U9qp4mltGzeoZ/0TuLuR59GRwKBgCGga7ZUVANyKQ/rn8vod8am0LlKvMl4/vj8UQp+gh/uSvvFR+ORNuUuDznq5y+OHJjacXS0uzC9LB4MZLBtz/2p1mIGhth6C3cxNDJnQMKyPIMvwi7cKQujoU2kMUu48vSlw/+EAeT4KFrzwoBl9GpQGQkr/99udSZcuUE8L2mjAoGAPRLnLVuDTL58a3D2sFC3BcLth/nUPSmxwCsutHlLf5ngme7l/RCa9GY0ibeX9t0JrpaVm+qpCexH18jT/LUu5oa1N3JX0Kye8eUmBqPoj7N30VX06YDRobpI24Yei/19e0p8ZbI+qpzo1YvUGhkJqo21AMwUMTFCO1cbOL6yvyMCgYAHUNBLhSOaIZpvbmyh5uz5Va/IIYU5nJcVAan8ExzdVBqeiDqlIDsUt/4xoV2sWOK1lDmL1QYeOOTOHdVcSUyNZpvB3b/9RZ1bNQZA1trBBxjY7dXNwZZp0ah/bmO+i4dPXl+bU2mUqdyb1emFwcj0uNGn7GMQXLxalpCkz4SXRg==
+-----END PRIVATE KEY-----
+```
+
+
+5. (可选)将pem内容进行 base64 编码后,配置到k8s
+
+echo -n '-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwow0APEh9F91vvtAzl7VFmXRAOGhlo+22KX+rqC3ziGg4+yIk8evAL1T97XEuK1huqcAp+p4PIG2t/Rb3FBD+vVJGoXKsyLCMUmT4Sy5/TRhb3TM0CHefvMZTSMwcVzKT07DtxyGgFZj9WsUYZWrBUPcu0vD6s7m5Qe3qFJJWVeRX8NDnVAxySzrz4bI4+1qvtyey/uap3I6txxRxUlIaMyTsD8pl63u14dD2FHRM6JY3tmdEpBEMWI91qmYbl9HkH/D6Xtumg0Hmzh06bdrlO3YNscpr6iN2ug6yGNtAh4/ug4P4ZV9nxImcj8l8Pt3jio1O0IIpf4MUCMD+C7PrQIDAQAB
+-----END PUBLIC KEY-----' |base64
+
+
+echo -n '-----BEGIN PRIVATE KEY-----
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
+-----END PRIVATE KEY-----' |base64