Merge branch '1.4.x' into 1.5.x
diff --git a/ReleaseNotes.md b/ReleaseNotes.md
index c91daf1..f8f8f9a 100644
--- a/ReleaseNotes.md
+++ b/ReleaseNotes.md
@@ -43,8 +43,17 @@
#### 1.2.x
-##### 1.2.1 (SNAPSHOT)
+##### 1.2.2 (SNAPSHOT)
+chore: 升级版本 1.2.2-SNAPSHOT
+
+
+##### 1.2.1
+
+chore: 发布修复版本,1.2.1-RELEASE
+fix: fastjson 升级到1.2.78
+fix: log4j2 升级到 2.15.0
+fix: 修正messagecenter接口调用时,token获取过频,导致调用失败的问题
chore: 升级版本 1.2.1-SNAPSHOT
@@ -101,8 +110,36 @@
#### 1.3.x
-##### 1.3.2 (SNAPSHOT)
+##### 1.3.6 (SNAPSHOT)
+chore: 升级版本,1.3.6-SNAPSHOT
+
+
+##### 1.3.5
+
+chore: 发布修复版本,1.3.5-RELEASE
+Merge branch 'release-1.2.9' into 1.3.x
+chore: 升级版本,1.3.5-SNAPSHOT
+
+
+##### 1.3.4
+
+chore: 发布修复版本,1.3.4-RELEASE
+Merge branch 'release-1.2.8' into 1.3.x
+chore: 升级版本,1.3.4-SNAPSHOT
+
+
+##### 1.3.3
+
+chore: 发布修复版本,1.3.3-RELEASE
+Merge branch 'release-1.2.7' into 1.3.x
+chore: 升级版本,1.3.3-SNAPSHOT
+
+
+##### 1.3.2
+
+chore: 发布修复版本,1.3.2-RELEASE
+Merge branch 'release-1.2.6' into 1.3.x
chore: 升级版本,1.3.2-SNAPSHOT
@@ -135,8 +172,28 @@
#### 1.2.x
+##### 1.2.10 (SNAPSHOT)
+
+chore: 升级版本 1.2.10-SNAPSHOT
+
+
+##### 1.2.9
+
+chore: 发布修复版本,1.2.9-RELEASE
+fix: 升级 log4j 2.17.0,logback 1.2.10
+chore: 升级版本 1.2.9-SNAPSHOT
+
+
+##### 1.2.8
+
+chore: 发布修复版本,1.2.8-RELEASE
+fix: fastjson 升级到1.2.78, log4j2 升级到2.15.0
+chore: 升级版本 1.2.8-SNAPSHOT
+
+
##### 1.2.7 (SNAPSHOT)
+chore: 发布修复版本,1.2.7-RELEASE
chore: 升级版本 1.2.7-SNAPSHOT
@@ -223,8 +280,41 @@
#### 1.3.x
-##### 1.3.2 (SNAPSHOT)
+##### 1.3.6 (SNAPSHOT)
+chore: 升级版本,1.3.6-SNAPSHOT
+
+
+##### 1.3.5
+
+chore: 发布修复版本,1.3.5-RELEASE
+fix: 登录页面配置主题色修改
+fix: 安全管理接口重新调用
+chore: 升级版本,1.3.5-SNAPSHOT
+
+
+##### 1.3.4
+
+chore: 发布修复版本,1.3.4-RELEASE
+chore: 升级版本,1.3.4-SNAPSHOT
+
+
+##### 1.3.3
+
+chore: 发布修复版本,1.3.3-RELEASE
+chore: 升级版本,1.3.3-SNAPSHOT
+
+
+##### 1.3.2
+
+chore: 发布修复版本,1.3.2-RELEASE
+fix:用户管理安全手机,安全邮箱不显示问题修改
+fix: 角色组管理人员添加回显问题修复
+fix: 普通用户组人员添加表格滚动问题修复
+fix: 岗位用户组人员选择部门顺序修改
+fix: 修改图片大小设置
+fix:岗位用户组人员管理展示bug修复
+fix: 普通用户组人员管理删除人员bug修复
chore: 升级版本,1.3.2-SNAPSHOT
@@ -312,8 +402,36 @@
#### 1.3.x
-##### 1.3.2 (SNAPSHOT)
+##### 1.3.6 (SNAPSHOT)
+chore: 升级版本,1.3.6-SNAPSHOT
+
+
+##### 1.3.5
+
+chore: 发布修复版本,1.3.5-RELEASE
+Merge branch 'release-1.2.9' into 1.3.x
+chore: 升级版本,1.3.5-SNAPSHOT
+
+
+##### 1.3.4
+
+chore: 发布修复版本,1.3.4-RELEASE
+Merge branch 'release-1.2.8' into 1.3.x
+chore: 升级版本,1.3.4-SNAPSHOT
+
+
+##### 1.3.3
+
+chore: 发布修复版本,1.3.3-RELEASE
+Merge branch 'release-1.2.7' into 1.3.x
+chore: 升级版本,1.3.3-SNAPSHOT
+
+
+##### 1.3.2
+
+chore: 发布修复版本,1.3.2-RELEASE
+Merge branch 'release-1.2.6' into 1.3.x
chore: 升级版本,1.3.2-SNAPSHOT
@@ -343,8 +461,62 @@
#### 1.2.x
+##### 1.2.10 (SNAPSHOT)
+
+chore: 升级版本 1.2.10-SNAPSHOT
+
+
+##### 1.2.9
+
+chore: 发布修复版本,1.2.9-RELEASE
+fix: 升级 log4j 2.17.0,logback 1.2.10
+fix: 优化 organizationIdSub、organizationId 的兼容逻辑
+fix: 调整接口文档
+fix: 修正用户组人员查询接口中,organizationIdDirect 条件在查询岗位用户组时无效的问题。organizationId 条件 替换为organizationIdSub,解决普通用户组、岗位用户组实现逻辑不一致的问题
+fix: 修正group 删除后,查询报错的问题
+feat: 增加用户组创建、修改接口
+fix: 处理federationLogo 为 空时,不保存,防止覆盖原数据
+fix: 修正接口path,符合驼峰规则
+fix: 修正accountIds, accountNames 中存在空数组时,sql报错的问题
+docs: 新增读取微信openid的POA接口 文档
+feat: 优化 federation 相关接口,兼容 userNo。新增读取微信openid的POA接口
+feat: TB_B_FEDERATION_WX_OPENID建表脚本
+feat: 保存微信的openid
+chore: 升级版本 1.2.9-SNAPSHOT
+
+
+##### 1.2.8
+
+chore: 发布修复版本,1.2.8-RELEASE
+fix: fastjson 升级到1.2.78, log4j2 升级到2.15.0
+fix: 修正事务状态下,发布事件时,监听时,无法获取到最新更新的数据,导致异步处理出现问题
+chore: 升级版本 1.2.8-SNAPSHOT
+
+
##### 1.2.7 (SNAPSHOT)
+chore: 发布修复版本,1.2.7-RELEASE
+fix: 添加 mapBean[organizationCodes] 条件
+fix: EXTERNAL_ID为空字符,用户组编辑保存报错bug
+fix: 完善containOrCondition 方法的逻辑
+fix: 修正人员查询sql 拼接问题,出现 不带 where 的 union sql
+fix: 设置异步处理队列的最大线程数、队列大小,使用默认值 Integer.MAX_VALUE
+fix: 修正账号保存时,AccountName存在前后空格,导致查询数据列表不完整的问题
+fix: 修正岗位用户组下人员移除时,对账号-用户组关系的更新逻辑
+docs: 修正文档错误
+feat: IdentityType 身份类型 增、改、删操作后,数据推送到MQ
+docs: poa api-docs 更新
+fix: 修改接口path
+feat: 用户服务数据同步,新增接口,按帐号ID或帐号名获取帐号下的用户组列表
+feat: 用户服务数据同步,新增接口,获取用户组列表
+docs: poa api-docs 更新,人员列表查询接口,添加查询条件,organizationIds、organizationCodes
+feat: 人员列表查询接口,添加查询条件,organizationIds、organizationCodes
+fix: 修正接口文档,接口path 错误
+feat: 新增用户同步接口
+feat: 支持ExternalId 写入
+refactor: 调整TransLog
+feat: 新增ExternalId,外部ID,用于记录外部来源的数据的ID
+feat: 支持bcypto 加密强度的可配置
chore: 升级版本 1.2.7-SNAPSHOT
@@ -775,8 +947,36 @@
#### 1.3.x
-##### 1.3.2 (SNAPSHOT)
+##### 1.3.6 (SNAPSHOT)
+chore: 升级版本,1.3.6-SNAPSHOT
+
+
+##### 1.3.5
+
+chore: 发布修复版本,1.3.5-RELEASE
+Merge branch 'release-1.2.9' into 1.3.x
+chore: 升级版本,1.3.5-SNAPSHOT
+
+
+##### 1.3.4
+
+chore: 发布修复版本,1.3.4-RELEASE
+Merge branch 'release-1.2.8' into 1.3.x
+chore: 升级版本,1.3.4-SNAPSHOT
+
+
+##### 1.3.3
+
+chore: 发布修复版本,1.3.3-RELEASE
+Merge branch 'release-1.2.7' into 1.3.x
+chore: 升级版本,1.3.3-SNAPSHOT
+
+
+##### 1.3.2
+
+chore: 发布修复版本,1.3.2-RELEASE
+Merge branch 'release-1.2.6' into 1.3.x
chore: 升级版本,1.3.2-SNAPSHOT
@@ -803,8 +1003,28 @@
#### 1.2.x
-##### 1.2.7 (SNAPSHOT)
+##### 1.2.10 (SNAPSHOT)
+chore: 升级版本 1.2.10-SNAPSHOT
+
+
+##### 1.2.9
+
+chore: 发布修复版本,1.2.9-RELEASE
+fix: 升级 log4j 2.17.0,logback 1.2.10
+chore: 升级版本 1.2.9-SNAPSHOT
+
+
+##### 1.2.8
+
+chore: 发布修复版本,1.2.8-RELEASE
+fix: fastjson 升级到1.2.78, log4j2 升级到2.15.0
+chore: 升级版本 1.2.8-SNAPSHOT
+
+
+##### 1.2.7
+
+chore: 发布修复版本,1.2.7-RELEASE
chore: 升级版本 1.2.7-SNAPSHOT
@@ -1040,8 +1260,32 @@
#### 1.3.x
-##### 1.3.2 (SNAPSHOT)
+##### 1.3.5 (SNAPSHOT)
+chore: 升级版本,1.3.5-SNAPSHOT
+
+
+##### 1.3.4
+
+chore: 发布修复版本,1.3.4-RELEASE
+Merge branch 'release-1.2.8' into 1.3.x
+
+chore: 升级版本,1.3.4-SNAPSHOT
+
+
+##### 1.3.3
+
+chore: 发布修复版本,1.3.3-RELEASE
+Merge branch 'release-1.2.7' into 1.3.x
+chore: 升级版本,1.3.3-SNAPSHOT
+
+
+##### 1.3.2
+
+chore: 发布修复版本,1.3.2-RELEASE
+Merge branch 'release-1.2.6' into 1.3.x
+Merge branch 'release-1.2.5' into 1.3.x
+Merge branch 'release-1.2.4' into 1.3.x
chore: 升级版本,1.3.2-SNAPSHOT
@@ -1070,8 +1314,64 @@
#### 1.2.x
-##### 1.2.5 (SNAPSHOT)
+##### 1.2.9
+chore: 升级版本 1.2.9-SNAPSHOT
+
+
+##### 1.2.8
+
+chore: 发布修复版本,1.2.8-RELEASE
+fix: 升级 log4j 2.17.0,logback 1.2.10
+fix: 企业微信H5 免登,支持在微信中打开
+fix: 使用 钉钉 job_number 匹配 认证账号,若匹配则直接绑定
+fix: 优化Federation 绑定逻辑,处理重复数据的清理
+fix: 移动浏览器 或 webview 中,隐藏注销页面的 返回门户 的链接按钮
+fix: 仅账号密码登录提交时,对用户名、密码进行解密处理
+fix: 使用 钉钉 job_number 匹配 认证账号
+fix: 修正调用 user-sa 时,未传入 wxType, openid 的问题
+feat: cas-sa 中,不再调用 user-sa 的federation bind 接口
+feat: 记录微信绑定时的 openid
+fix: 修正配置启动加载的问题
+feat: 移除 create
+feat: 将federation 保存到 user-data-serivce-goa,同时兼容 cas-server-sa-api
+chore: 升级版本 1.2.8-SNAPSHOT
+
+
+##### 1.2.7
+
+chore: 发布修复版本,1.2.7-RELEASE
+fix: fastjson 升级到1.2.78, log4j2 升级到2.15.0
+fix: 修正联合登录跳转时,service参数值中存在参数时,进行了多次urlencode编码,导致登录失败的问题
+fix: 修正票据清理的逻辑错误
+feat: 对接钉钉H5
+feat: 钉钉,支持根据 userid,自动绑定 钉钉企业内账号(要求 userid 与 ACCOUNT_NAME 一致
+chore: 升级版本 1.2.7-SNAPSHOT
+
+
+##### 1.2.6
+
+chore: 发布修复版本,1.2.6-RELEASE
+fix: 基于配置,判断密码加密开关开启时,须强制要求密码被加密
+fix: 修正 cas client 注销跳转问题
+fix: 修正激活页面,增加『去激活』链接
+fix: 仅带有 service 的请求时,进行work weixin 的免登处理
+fix: 修正登录异常处理
+feat: 对接企业微信H5微应用
+feat: CasServerSaApiFederationManager 支持从redis 加载,若无数据,从cas-sa 加载
+feat: 生成企业微信的网页授权 url
+feat: 企业微信,支持根据userId 自动绑定
+feat: 新增企业微信小程序的配置
+chore: 升级版本 1.2.6-SNAPSHOT
+
+
+##### 1.2.5
+
+chore: 发布修复版本,1.2.5-RELEASE
+fix: 读取qq的unionid,并使用 unionid 绑定账号
+fix: 优化绑定逻辑,绑定时,判断 federatedId 是否被其他用户 other userId 绑定,若已绑定,删除记录
+fix: 修正qq 调用 getUserInfo 接口,传值问题
+fix: 修正CAS对接第三方认证(casclient、oauthcode、hmc)后,登录日志用户名显示错误的问题
chore: 升级版本 1.2.5-SNAPSHOT
@@ -1564,8 +1864,31 @@
#### 1.3.x
-##### 1.3.2 (SNAPSHOT)
+##### 1.3.5 (SNAPSHOT)
+chore: 升级版本,1.3.5-SNAPSHOT
+
+
+##### 1.3.4
+
+chore: 发布修复版本,1.3.4-RELEASE
+Merge branch 'release-1.2.8' into 1.3.x
+chore: 升级版本,1.3.4-SNAPSHOT
+
+
+##### 1.3.3
+
+chore: 发布修复版本,1.3.3-RELEASE
+Merge branch 'release-1.2.7' into 1.3.x
+chore: 升级版本,1.3.3-SNAPSHOT
+
+
+##### 1.3.2
+
+chore: 发布修复版本,1.3.2-RELEASE
+Merge branch 'release-1.2.6' into 1.3.x
+Merge branch 'release-1.2.5' into 1.3.x
+Merge branch 'release-1.2.4' into 1.3.x
chore: 升级版本,1.3.2-SNAPSHOT
@@ -1587,8 +1910,49 @@
#### 1.2.x
-##### 1.2.5 (SNAPSHOT)
+##### 1.2.9
+chore: 升级版本 1.2.9-SNAPSHOT
+
+
+##### 1.2.8
+
+chore: 发布修复版本,1.2.8-RELEASE
+fix: 升级 log4j 2.17.0,logback 1.2.10
+fix: 修正 poa 获取 access token,重试机制的问题
+feat: 记录微信绑定时的 openid
+feat: 处理微信、微信APP、微信小程序 的openid、unionid
+feat: 移除 create
+feat: 将federation 保存到 user-data-serivce-goa,同时兼容 cas-server-sa-api
+chore: 升级版本 1.2.8-SNAPSHOT
+
+
+##### 1.2.7
+
+chore: 发布修复版本,1.2.7-RELEASE
+fix: fastjson 升级到1.2.78, log4j2 升级到2.15.0
+feat: 钉钉,支持根据 userid,自动绑定 钉钉企业内账号(要求 userid 与 ACCOUNT_NAME 一致
+chore: 升级版本 1.2.7-SNAPSHOT
+
+
+##### 1.2.6
+
+chore: 发布修复版本,1.2.6-RELEASE
+feat: 企业微信,支持根据userId 自动绑定
+feat: 对接企业微信小程序,整理企业微信对接逻辑
+fix: 修正微信公众号 client 配置错误
+feat: 对接微信公众号登录
+feat: 支持企业微信下小程序登录
+chore: 升级版本 1.2.6-SNAPSHOT
+
+
+##### 1.2.5
+
+chore: 发布修复版本,1.2.5-RELEASE
+fix: 修正昵称、头像 未保存的问题
+fix: 修正联合登录时,删除账号后导致根据绑定记录查找不到账号的问题;并取消了federatedId绑定记录已存在的问题,由后端处理相关逻辑(如:覆盖记录)
+fix: 读取qq的unionid,并使用 unionid 绑定账号
+fix: 支持人脸api 路径的前缀,可配置
chore: 升级版本 1.2.5-SNAPSHOT
@@ -1825,8 +2189,36 @@
#### 1.3.x
-##### 1.3.2 (SNAPSHOT)
+##### 1.3.6 (SNAPSHOT)
+chore: 升级版本,1.3.6-SNAPSHOT
+
+
+##### 1.3.5
+
+chore: 发布修复版本,1.3.5-RELEASE
+Merge branch 'release-1.2.9' into 1.3.x
+chore: 升级版本,1.3.5-SNAPSHOT
+
+
+##### 1.3.4
+
+chore: 发布修复版本,1.3.4-RELEASE
+Merge branch 'release-1.2.8' into 1.3.x
+chore: 升级版本,1.3.4-SNAPSHOT
+
+
+##### 1.3.3
+
+chore: 发布修复版本,1.3.3-RELEASE
+Merge branch 'release-1.2.7' into 1.3.x
+chore: 升级版本,1.3.3-SNAPSHOT
+
+
+##### 1.3.2
+
+chore: 发布修复版本,1.3.2-RELEASE
+Merge branch 'release-1.2.6' into 1.3.x
chore: 升级版本,1.3.2-SNAPSHOT
@@ -1856,8 +2248,31 @@
#### 1.2.x
-##### 1.2.7 (SNAPSHOT)
+##### 1.2.10
+chore: 升级版本 1.2.10-SNAPSHOT
+
+
+##### 1.2.9
+
+chore: 发布修复版本,1.2.9-RELEASE
+refactor: 调整federation service 相关方法参数,传入 userId
+fix: 修正federation 接口路径错误
+fix: 升级 log4j 2.17.0,logback 1.2.10
+feat: 将federation 保存到 user-data-serivce-goa,同时兼容 cas-server-sa-api
+chore: 升级版本 1.2.9-SNAPSHOT
+
+
+##### 1.2.8
+
+chore: 发布修复版本,1.2.8-RELEASE
+fix: fastjson 升级到1.2.78, log4j2 升级到2.15.0
+chore: 升级版本 1.2.8-SNAPSHOT
+
+
+##### 1.2.7
+
+chore: 发布修复版本,1.2.7-RELEASE
chore: 升级版本 1.2.7-SNAPSHOT
@@ -2233,8 +2648,41 @@
#### 1.3.x
-##### 1.3.2 (SNAPSHOT)
+##### 1.3.6 (SNAPSHOT)
+chore: 升级版本,1.3.6-SNAPSHOT
+
+
+##### 1.3.5
+
+chore: 发布修复版本,1.3.5-RELEASE
+Merge branch 'release-1.2.9' into 1.3.x
+chore: 升级版本,1.3.5-SNAPSHOT
+
+
+##### 1.3.4
+
+chore: 发布修复版本,1.3.4-RELEASE
+Merge branch 'release-1.2.8' into 1.3.x
+fix: 修改form 表单label 字体颜色
+chore: 升级版本,1.3.4-SNAPSHOT
+
+
+##### 1.3.3
+
+chore: 发布修复版本,1.3.3-RELEASE
+Merge branch 'release-1.2.7' into 1.3.x
+fix: 忘记密码下一步修改
+fix: 账号激活填写信息未通过时,显示的步骤错误问题修改
+chore: 升级版本,1.3.3-SNAPSHOT
+
+
+##### 1.3.2
+
+chore: 发布修复版本,1.3.2-RELEASE
+fix: 联合登录设置修改
+Merge branch 'release-1.2.6' into 1.3.x
+fix: 联合登录设置企业微信绑定后文字显示
chore: 升级版本,1.3.2-SNAPSHOT
@@ -2260,8 +2708,38 @@
#### 1.2.x
-##### 1.2.6 (SNAPSHOT)
+##### 1.2.10 (SNAPSHOT)
+chore: 升级版本 1.2.10-SNAPSHOT
+
+
+##### 1.2.9
+
+chore: 发布修复版本,1.2.9-RELEASE
+chore: 升级版本 1.2.9-SNAPSHOT
+
+
+##### 1.2.8
+
+chore: 发布修复版本,1.2.8-RELEASE
+fix: 表单label 颜色值修改
+chore: 升级版本 1.2.8-SNAPSHOT
+
+
+##### 1.2.7
+
+chore: 发布修复版本,1.2.7-RELEASE
+feat: 支持 override,css 覆盖
+fix: 忘记密码下一步修改
+fix:将学号改为学工号
+fix: 学号查询
+chore: 升级版本 1.2.7-SNAPSHOT
+
+
+##### 1.2.6
+
+chore: 发布修复版本,1.2.6-RELEASE
+chore: 修正jenkins 构建问题
chore: 升级版本 1.2.6-SNAPSHOT
diff --git "a/deploy-manifests/k8s-rancher/0.1.3.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.2-V1.3\357\274\211.md" "b/deploy-manifests/k8s-rancher/0.1.3.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.2-V1.3\357\274\211.md"
index 4b0b9b7..d258e49 100644
--- "a/deploy-manifests/k8s-rancher/0.1.3.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.2-V1.3\357\274\211.md"
+++ "b/deploy-manifests/k8s-rancher/0.1.3.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.2-V1.3\357\274\211.md"
@@ -36,6 +36,17 @@
AUTH_SERVER_SPA_URL: http://admin-platform.paas.xxx.edu.cn/authx-management/auth-server
```
+5. ConfigMap user-data-service-goa-env 增加配置
+
+ ```
+ IPADDR_API_URL: http://ipaddr.ipaddr.svc.cluster.local:9090/v1/find
+ ```
+
+5. ConfigMap cas-server-security-engine-env 增加配置
+
+ ```
+ IPADDR_API_URL: http://ipaddr.ipaddr.svc.cluster.local:9090/v1/find
+ ```
## 初始化数据
diff --git "a/deploy-manifests/k8s-rancher/0.1.4.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.3-V1.4\357\274\211.md" "b/deploy-manifests/k8s-rancher/0.1.4.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.3-V1.4\357\274\211.md"
index cb2db4f..6e6c563 100644
--- "a/deploy-manifests/k8s-rancher/0.1.4.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.3-V1.4\357\274\211.md"
+++ "b/deploy-manifests/k8s-rancher/0.1.4.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.3-V1.4\357\274\211.md"
@@ -215,10 +215,15 @@
#### 方式二,bash脚本
+**将 origin 修改为正确的 学校域名**
+
+进入 admin-center-sa 下的 pod, 执行命令行
+
+
* 认证管理
```bash
-curl -i -s -X POST "http://admin-platform-admin-center-sa.admin-platform.svc.cluster.local:8080/v1/admin/menus/importMenu" -H 'Content-Type: application/json' \
+curl -i -s -X POST "http://localhost:8080/v1/admin/menus/importMenu" -H 'Content-Type: application/json' \
-d \
'
{
@@ -264,8 +269,10 @@
#### 方式二,bash脚本
+进入 admin-center-sa 下的 pod, 执行命令行
+
```bash
-curl -i -s -X POST "http://admin-platform-admin-center-sa.admin-platform.svc.cluster.local:8080/v1/admin/rolePermissions/importRolePermission" -H 'Content-Type: application/json' \
+curl -i -s -X POST "http://localhost:8080/v1/admin/rolePermissions/importRolePermission" -H 'Content-Type: application/json' \
-d \
'
{
diff --git "a/deploy-manifests/k8s-rancher/1.authx-service/10.0.\050\345\272\237\345\274\203\051init.sql" "b/deploy-manifests/k8s-rancher/1.authx-service/10.0.\050\345\272\237\345\274\203\051init.sql"
index f5bf206..b72f689 100644
--- "a/deploy-manifests/k8s-rancher/1.authx-service/10.0.\050\345\272\237\345\274\203\051init.sql"
+++ "b/deploy-manifests/k8s-rancher/1.authx-service/10.0.\050\345\272\237\345\274\203\051init.sql"
@@ -92,6 +92,9 @@
insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
values ('22', 0, 'authx-service-open-api', '认证授权 - 聚合接口(公开)', '1', '/api/v2/open', 'http://localhost:8009', 0);
+insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+values ('25', 0, 'authx-service-log-api', '认证授权 - 日志接口', '1', '/api/v2/log', 'http://localhost:8009', 0);
+
commit;
update TB_MGT_ROUTE set URL='http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080' where ID='20';
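Review bot: The new route row is inserted with a fixed ID '25' and no existence guard, so re-running this script against a database that already holds the row aborts on the key (assuming ID is the primary key, as the `where ID=` updates in the file suggest), and the `update ... where ID='25'` in the next hunk then silently depends on this insert having gone through in an earlier run. The file name marks this script as deprecated (废弃), so it is worth confirming that the `/api/v2/log` route is also registered in whatever replaced it; otherwise this deprecated file is the only place the authx-log route exists. A comment tying the two statements together, `-- route 25: authx-log API; URL is rewritten to the cluster address in the update block below`, would make the two-step pattern explicit for the next reader.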
@@ -101,6 +104,8 @@
update TB_MGT_ROUTE set URL='http://authx-service-bff-svc.authx-service.svc.cluster.local:8080' where ID='21';
update TB_MGT_ROUTE set URL='http://authx-service-bff-svc.authx-service.svc.cluster.local:8080' where ID='22';
+update TB_MGT_ROUTE set URL='http://authx-log-sa.authx-log.svc.cluster.local:8080' where ID='25';
+
commit;
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml
index 400bdfe..9be5052 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml
@@ -22,6 +22,9 @@
SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+ SPRING_DATASOURCE_HIKARI_MAXIMUM_POOL_SIZE: "20"
+ SPRING_DATASOURCE_HIKARI_MINIMUM_IDLE: "10"
+
SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10"
SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "20"
SPRING_DATASOURCE_DRUID_MIN_IDLE: "10"
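Review bot: The two new SPRING_DATASOURCE_HIKARI_* keys sit directly above the existing SPRING_DATASOURCE_DRUID_* keys with nothing saying which pool the service actually uses; only one of the two pools reads its settings, and the other set becomes dead configuration that an operator may tune without effect. A one-line comment above the Hikari keys naming the active pool, e.g. `# datasource pool: Hikari (Druid keys below retained for older images)` adjusted to whichever is true, would settle it. The same pair is added to 4.1.token-server.yaml in this commit with a maximum of 50 there, matching that file's DRUID_MAX_ACTIVE; keeping the Hikari and Druid maxima equal in each file, as done here (20/20), is the sensible convention until the unused set is removed.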
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/1.token-server-env.yaml b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/1.token-server-env.yaml
index 304756b..a3a9a90 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/1.token-server-env.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/1.token-server-env.yaml
@@ -46,8 +46,8 @@
name: rabbitmq-env-secret
type: Opaque
data:
- # rabbitmq-server.authx-service.svc.cluster.local
- SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVyLmF1dGh4LXNlcnZpY2Uuc3ZjLmNsdXN0ZXIubG9jYWw=
+ # rabbitmq-server.cas-server.svc.cluster.local
+ SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVyLmNhcy1zZXJ2ZXIuc3ZjLmNsdXN0ZXIubG9jYWw=
SPRING_RABBITMQ_PORT: NTY3Mg==
SPRING_RABBITMQ_USERNAME: Z3Vlc3Q=
SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q=
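Review bot: The new SPRING_RABBITMQ_HOST value decodes to rabbitmq-server.cas-server.svc.cluster.local (as the comment above it says), while the RabbitMQ document changed in this same commit states the broker address as rabbitmq-server.authx-service.svc.cluster.local and that consumers depend on "authx-service 下的 rabbitmq-server"; one of the two is stale unless token-server intentionally talks to a different broker, in which case the comment should say so. The username and password left in this Secret decode to the broker's default guest/guest pair, so the manifest commits working credentials; the hunk does not touch them, but a placeholder filled at deploy time (with the guest account disabled on the broker) is the usual pattern for a Secret kept in git. Since 4.1.token-server.yaml drops its own copy of these keys in this commit, this Secret appears to be the only remaining source of the broker address for token-server, which makes the namespace mismatch above worth resolving before release.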
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml
index 9f89f26..61e68a5 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml
@@ -25,6 +25,9 @@
LOGGING_LEVEL_COM_SUPWISDOM_INSITITUTE_TOKEN_SERVER: INFO
+ SPRING_DATASOURCE_HIKARI_MAXIMUM_POOL_SIZE: "50"
+ SPRING_DATASOURCE_HIKARI_MINIMUM_IDLE: "10"
+
SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10"
SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "50"
SPRING_DATASOURCE_DRUID_MIN_IDLE: "10"
@@ -35,9 +38,9 @@
# **修改** 学校的根域名
- TOKEN_SERVER_PREFIX: https://token.paas.xxx.edu.cn/token
+ TOKEN_SERVER_PREFIX: https://cas.paas.xxx.edu.cn/token
# **修改** 学校的根域名
- TOKEN_SERVER_SECURITY_JWT_ISS: token.paas.xxx.edu.cn
+ TOKEN_SERVER_SECURITY_JWT_ISS: cas-server.paas.xxx.edu.cn
#TOKEN_SERVER_SECURITY_JWT_EXPIRATION: 2592000
#TOKEN_SERVER_SECURITY_JWT_KICKOUT_ENABLED: "false"
# **修改**
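Review bot: TOKEN_SERVER_PREFIX now points at host cas.paas.xxx.edu.cn while TOKEN_SERVER_SECURITY_JWT_ISS is set to cas-server.paas.xxx.edu.cn; the issuer is compared literally by whoever validates the tokens, so a relying party that derives the expected `iss` from the token endpoint host would reject every token. If the split is intentional, a comment above JWT_ISS such as `# iss is matched literally by clients; keep in sync with the issuer configured on relying parties, not with TOKEN_SERVER_PREFIX` would stop the next person from "fixing" it; otherwise the two hosts should agree. Both values still carry the xxx placeholder, and the "**修改** 学校的根域名" reminders already cover the per-school substitution.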
@@ -180,11 +183,6 @@
name: token-server-env-secret
type: Opaque
data:
- SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVyLmF1dGh4LXNlcnZpY2Uuc3ZjLmNsdXN0ZXIubG9jYWw=
- # rabbitmq-server.authx-service.svc.cluster.local
- SPRING_RABBITMQ_PORT: NTY3Mg==
- SPRING_RABBITMQ_USERNAME: Z3Vlc3Q=
- SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q=
---
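Review bot: Removing all five keys leaves `token-server-env-secret` with a bare `data:` mapping apparently followed directly by the `---` separator, so the Secret is still created but carries nothing. If no workload references it any more, the whole object (its apiVersion/kind/metadata lines are above the hunk) should go; if something still injects it by name, an explicit `data: {}` with a comment, `# rabbitmq settings moved to rabbitmq-env-secret in 1.token-server-env.yaml`, makes the intent visible and keeps the manifest valid. I am inferring the destination from the sibling file changed in this commit; confirm the Deployment's env injection for these keys was repointed accordingly.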
diff --git a/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/4.2.authx-log-sa.yaml b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/4.2.authx-log-sa.yaml
index 09ef7ed..3222341 100644
--- a/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/4.2.authx-log-sa.yaml
+++ b/deploy-manifests/k8s-rancher/1.authx-service/8.authx-log/4.2.authx-log-sa.yaml
@@ -26,6 +26,8 @@
# USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
#ipaddr
+ IPADDR_API_URL: http://ipaddr.ipaddr.svc.cluster.local:9090/v1/find
+
IPADDR_SERVER_URL: http://ipaddr.ipaddr.svc.cluster.local:9090
IPADDR_CLIENT_AUTH_ENABLED: "false"
#IPADDR_CLIENT_AUTH_KEY_PASSWORD: ""
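Review bot: IPADDR_API_URL repeats the host and port already given in IPADDR_SERVER_URL two lines below, so an operator changing the ipaddr endpoint now has to edit two keys that can drift apart. A comment stating which component reads which key, e.g. `# IPADDR_API_URL: full lookup endpoint; IPADDR_SERVER_URL: base URL (see client-auth keys below)` adjusted to what the code actually consumes, or deriving one from the other in the application, would remove the ambiguity. The same IPADDR_API_URL key is added to two further ConfigMaps in the 0.1.3 upgrade document in this commit, so all three copies should be kept in step.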
diff --git "a/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216.md" "b/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216.md"
index a124d80..2b4d6b6 100644
--- "a/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216.md"
+++ "b/docs/\344\272\247\345\223\201\351\203\250\347\275\262\344\271\213\344\270\255\345\217\260\346\234\215\345\212\241\345\257\271\346\216\245\346\225\260\346\215\256\345\210\235\345\247\213\345\214\226\347\233\270\345\205\263\346\216\245\345\217\243\347\232\204\350\257\264\346\230\216.md"
@@ -54,7 +54,7 @@
"applicationDomain": "example.com",
"externalId": "0"
}' \
- 'http://authx-service-user-data-service-goa.authx-service.svc.cluster.local:8080/v1/admin/services'
+ 'http://cas-server-sa.cas-server.svc.cluster.local:8080/v1/admin/services'
```
2. 更新 Service
@@ -85,7 +85,7 @@
"applicationDomain": "example.com",
"externalId": "0"
}' \
- 'http://authx-service-user-data-service-goa.authx-service.svc.cluster.local:8080/v1/admin/services'
+ 'http://cas-server-sa.cas-server.svc.cluster.local:8080/v1/admin/services'
```
@@ -415,7 +415,9 @@
"description": "示例管理员",
"enabled": true,
"applicationId": "0",
- "externalId": "0"
+ "externalId": "0",
+ "canDataGrant": false,
+ "canManDataGrant": false
}' \
'http://authx-service-user-authz-service-sa.authx-service.svc.cluster.local:8080/v1/admin/roles'
```
@@ -433,7 +435,8 @@
description | 角色描述
enabled | 是否启用(1 启用,0 禁用)
externalId | 对应所在应用内的数据的ID
-
+canDataGrant | 是否
+canManDataGrant | true
### 云平台菜单、操作
diff --git "a/docs/\345\237\272\344\272\216RabbitMQ\347\232\204\346\225\260\346\215\256\346\216\250\351\200\201\351\230\237\345\210\227\344\275\277\347\224\250\350\257\264\346\230\216.md" "b/docs/\345\237\272\344\272\216RabbitMQ\347\232\204\346\225\260\346\215\256\346\216\250\351\200\201\351\230\237\345\210\227\344\275\277\347\224\250\350\257\264\346\230\216.md"
index 211c8a3..2309115 100644
--- "a/docs/\345\237\272\344\272\216RabbitMQ\347\232\204\346\225\260\346\215\256\346\216\250\351\200\201\351\230\237\345\210\227\344\275\277\347\224\250\350\257\264\346\230\216.md"
+++ "b/docs/\345\237\272\344\272\216RabbitMQ\347\232\204\346\225\260\346\215\256\346\216\250\351\200\201\351\230\237\345\210\227\344\275\277\347\224\250\350\257\264\346\230\216.md"
@@ -7,9 +7,9 @@
本文档相关对接,须:
-* 依赖 用户服务 user-data-service,1.1.5-RELEASE 及以上版本
+* 依赖 用户服务 user-data-service,1.2.7-RELEASE 及以上版本
-* 依赖 同步服务 jobs-server 下的 rabbitmq-server
+* 依赖 authx-service 下的 rabbitmq-server
* user-data-service-goa,须开启「推送数据到 jobs-server」
@@ -20,6 +20,7 @@
内容为 json 格式,可以转换为 json 对象进行使用
+
### 数据模型
* 字典类型 DictionaryType
@@ -134,11 +135,37 @@
}
```
+* 用户组 Group
+
+```
+{
+ "id": String, // ID
+ "code": String, // 用户组代码
+ "name": String, // 用户组名称
+ "description": String, // 用户组描述
+ "type": String, // 类型,1 普通用户组,2 岗位用户组
+ "category": <ref Dictionary>, // 类别,字典
+ "state": Integer, // 状态,1:启用,0:禁用
+ "sort": Integer, // 排序
+ "common": Boolean, // 是否公共
+ "applicationId": String // 所属应用
+}
+```
+
+* 账号用户组 AccountGroup
+
+```
+{
+ "account": <ref Account>, // 帐号
+ "group": <ref Group>, // 用户组
+}
+```
+
## RabbitMQ 服务地址
```
-host: rabbitmq-server.jobs-server.svc.cluster.local
+host: rabbitmq-server.authx-service.svc.cluster.local
port: 5672
username: guest
password: guest
@@ -164,6 +191,22 @@
### 交换机清单
+* 身份类型保存
+
+交换机名称,`jobs.fanout.exchange.identityType-userSvc-2-jobs-save`
+
+数据,身份类型 IdentityType
+
+**可依据 code 身份类型代码,作为唯一标识,用于判定数据是否在目标应用存在**
+
+
+* 身份类型删除
+
+交换机名称,`jobs.fanout.exchange.identityType-userSvc-2-jobs-delete`
+
+数据,身份类型 IdentityType
+
+
* 组织机构保存
交换机名称,`jobs.fanout.exchange.organization-userSvc-2-jobs-save`
@@ -213,3 +256,33 @@
**可将明文密码同步到第三方应用**
+
+* 用户组保存
+
+交换机名称,`jobs.fanout.exchange.group-userSvc-2-jobs-save`
+
+数据,用户组 Group
+
+**可依据 code 用户组代码,作为唯一标识,用于判定数据是否在目标应用存在**
+
+
+* 用户组删除
+
+交换机名称,`jobs.fanout.exchange.group-userSvc-2-jobs-delete`
+
+数据,用户组 Group
+
+
+* 帐号用户组添加
+
+交换机名称,`jobs.fanout.exchange.account-group-userSvc-2-jobs-add`
+
+数据,帐号用户组关系 AccountGroup
+
+
+* 帐号用户组移除
+
+交换机名称,`jobs.fanout.exchange.account-group-userSvc-2-jobs-del`
+
+数据,帐号用户组关系 AccountGroup
+
diff --git "a/project/nwpu/1.2.6_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0009_202110080900_1__TABLE.sql" "b/project/nwpu/1.2.6_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0009_202110080900_1__TABLE.sql"
new file mode 100644
index 0000000..4680a3b
--- /dev/null
+++ "b/project/nwpu/1.2.6_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0009_202110080900_1__TABLE.sql"
@@ -0,0 +1,12 @@
+-- V1.2.0009_202110080900_1__TABLE.sql
+
+
+ALTER TABLE `TB_B_ACCOUNT` ADD INDEX `IDX_ACCOUNT_USERNAME` (`USER_NAME` ASC);
+
+ALTER TABLE `TB_B_ORGANIZATION` ADD INDEX `IDX_ORG_NAME` (`NAME` ASC);
+
+ALTER TABLE `TB_B_IDENTITY_TYPE` ADD UNIQUE INDEX `UQ_ID_TYPE_CODE` (`CODE` ASC);
+ALTER TABLE `TB_B_IDENTITY_TYPE` ADD INDEX `IDX_ID_TYPE_NAME` (`NAME` ASC);
+
+ALTER TABLE TB_B_ACCOUNT ADD COLUMN ACCOUNT_NAME_PAD VARCHAR(255) NOT NULL DEFAULT(LPAD(ACCOUNT_NAME, 20, ' '));
+ALTER TABLE TB_B_ACCOUNT ADD INDEX ACCOUNT_NAME_PAD(ACCOUNT_NAME_PAD);
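Review bot: ACCOUNT_NAME_PAD is populated from ACCOUNT_NAME only through its DEFAULT expression, which MySQL evaluates on insert when the column is omitted; a later `UPDATE ... SET ACCOUNT_NAME = ...` leaves the padded copy stale, an INSERT that lists the column bypasses it, and `LPAD(..., 20, ' ')` also truncates any name longer than 20 characters. If the padded value exists for sorting or prefix lookups, a stored generated column keeps it consistent with no application change: `ALTER TABLE TB_B_ACCOUNT ADD COLUMN ACCOUNT_NAME_PAD VARCHAR(255) AS (LPAD(ACCOUNT_NAME, 20, ' ')) STORED;` followed by the existing index statement; note that the expression-DEFAULT form used here needs MySQL 8.0.13+, whereas generated columns work from 5.7. The new UQ_ID_TYPE_CODE unique index will abort the migration if TB_B_IDENTITY_TYPE already holds duplicate CODE values, so a duplicate check belongs before it. The header comment only repeats the file name; a line saying why the padded column exists would be the most useful addition.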
diff --git "a/project/nwpu/1.2.6_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0010_202110121800_1__TABLE_TB_B_IDENTITY_PIC.sql" "b/project/nwpu/1.2.6_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0010_202110121800_1__TABLE_TB_B_IDENTITY_PIC.sql"
new file mode 100644
index 0000000..8f048dc
--- /dev/null
+++ "b/project/nwpu/1.2.6_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0010_202110121800_1__TABLE_TB_B_IDENTITY_PIC.sql"
@@ -0,0 +1,18 @@
+-- V1.2.0010_202110121800_1__TABLE_TB_B_IDENTITY_PIC.sql
+
+
+ALTER TABLE `TB_B_IDENTITY_PIC`
+CHANGE COLUMN `IDENTITY_PIC_1` `IDENTITY_PIC_1` VARCHAR(500) NOT NULL COMMENT '证照图片1';
+
+ALTER TABLE `TB_B_IDENTITY_PIC`
+CHANGE COLUMN `IDENTITY_PIC_2` `IDENTITY_PIC_2` VARCHAR(500) NULL DEFAULT NULL COMMENT '证照图片2';
+
+ALTER TABLE `TB_B_IDENTITY_PIC`
+CHANGE COLUMN `IDENTITY_PIC_3` `IDENTITY_PIC_3` VARCHAR(500) NULL DEFAULT NULL COMMENT '证照图片3';
+
+ALTER TABLE `TB_B_IDENTITY_PIC`
+CHANGE COLUMN `IDENTITY_PIC_4` `IDENTITY_PIC_4` VARCHAR(500) NULL DEFAULT NULL COMMENT '证照图片4';
+
+ALTER TABLE `TB_B_IDENTITY_PIC`
+CHANGE COLUMN `IDENTITY_PIC_5` `IDENTITY_PIC_5` VARCHAR(500) NULL DEFAULT NULL COMMENT '证照图片5';
+
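Review bot: The first CHANGE COLUMN makes IDENTITY_PIC_1 NOT NULL with no DEFAULT, so the statement fails (or, under a non-strict sql_mode, silently rewrites NULLs to '') if any existing row has a NULL there; a preceding `UPDATE TB_B_IDENTITY_PIC SET IDENTITY_PIC_1 = '' WHERE IDENTITY_PIC_1 IS NULL;` or keeping the column nullable like the other four would make the migration deterministic. The previous column type is not visible in this new file; if VARCHAR(500) is narrower than the old definition the same sql_mode caveat applies to truncation. Since none of the columns is renamed, `MODIFY COLUMN` expresses the same change without repeating each name.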
diff --git "a/project/nwpu/1.2.7_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0009_202109041000_1__TABLE_USER.sql" "b/project/nwpu/1.2.7_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0009_202109041000_1__TABLE_USER.sql"
new file mode 100644
index 0000000..99f9cbb
--- /dev/null
+++ "b/project/nwpu/1.2.7_db\345\215\207\347\272\247\350\204\232\346\234\254/user/V1.2.0009_202109041000_1__TABLE_USER.sql"
@@ -0,0 +1,19 @@
+-- V1.2.0009_202109041000_1__TABLE_USER.sql
+
+
+ALTER TABLE `TB_B_USER`
+ADD COLUMN `EXTERNAL_ID` VARCHAR(64) NULL COMMENT '外部ID';
+
+ALTER TABLE `TB_B_ACCOUNT`
+ADD COLUMN `EXTERNAL_ID` VARCHAR(64) NULL COMMENT '外部ID';
+
+ALTER TABLE `TB_B_ORGANIZATION`
+ADD COLUMN `EXTERNAL_ID` VARCHAR(64) NULL COMMENT '外部ID';
+
+ALTER TABLE `TB_B_GROUP`
+ADD COLUMN `EXTERNAL_ID` VARCHAR(64) NULL COMMENT '外部ID';
+
+ALTER TABLE `TB_B_USER` ADD UNIQUE INDEX `UQ_EXTERNAL_ID` (`EXTERNAL_ID` ASC);
+ALTER TABLE `TB_B_ACCOUNT` ADD UNIQUE INDEX `UQ_EXTERNAL_ID` (`EXTERNAL_ID` ASC);
+ALTER TABLE `TB_B_ORGANIZATION` ADD UNIQUE INDEX `UQ_EXTERNAL_ID` (`EXTERNAL_ID` ASC);
+ALTER TABLE `TB_B_GROUP` ADD UNIQUE INDEX `UQ_EXTERNAL_ID` (`EXTERNAL_ID` ASC);
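Review bot: The four UQ_EXTERNAL_ID unique indexes sit on nullable VARCHAR columns, which is fine for NULL (MySQL permits repeated NULLs in a unique index) but not for the empty string, so the second row saved with EXTERNAL_ID = '' violates the index; the release notes in this same commit record exactly that failure ("EXTERNAL_ID为空字符,用户组编辑保存报错bug"). The migration should normalize before indexing, e.g. `UPDATE TB_B_GROUP SET EXTERNAL_ID = NULL WHERE EXTERNAL_ID = '';` repeated for the other three tables, and the writers should store NULL rather than ''. Separately, this file is version 1.2.0009 with timestamp 202109041000 while the 1.2.6 directory's V1.2.0009 file in this commit carries 202110080900, so if both directories are ever applied from one Flyway location the 1.2.7 script sorts before the 1.2.6 one and may trip out-of-order validation — worth confirming how the per-version directories are applied.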
diff --git "a/project/nwpu/k8s-rancher/0.1.0.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\351\203\250\347\275\262\346\236\266\346\236\204.md" "b/project/nwpu/k8s-rancher/0.1.0.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\351\203\250\347\275\262\346\236\266\346\236\204.md"
new file mode 100644
index 0000000..27ca2d8
--- /dev/null
+++ "b/project/nwpu/k8s-rancher/0.1.0.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\351\203\250\347\275\262\346\236\266\346\236\204.md"
@@ -0,0 +1,4 @@
+
+# 认证授权服务部署架构
+
+
diff --git "a/project/nwpu/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.md" "b/project/nwpu/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.md"
new file mode 100644
index 0000000..a92e6a0
--- /dev/null
+++ "b/project/nwpu/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.md"
@@ -0,0 +1,970 @@
+
+# 安装部署手册
+
+**业务中台之认证授权服务**
+
+
+* 修订历史
+
+版本 | 作者 | 日期 | 备注
+- | - | - | -
+v1 | 刘洪青 | 2020-06-10 | 初稿
+
+
+[TOC]
+
+
+## 安装准备
+
+### MySQL 初始配置及相关基础命令
+
+数据文件目录:/var/lib/mysql
+
+* 安装完成后,调整 mysql 服务的配置参数
+
+ 查看当前配置:show variables;
+
+ 最大连接数 max_connections
+ 操作日志的保留时长 binlog_expire_logs_seconds
+
+ 参考命令:
+ ```
+ set global max_connections = 1000;
+ set persist max_connections = 1000;
+
+ // 7天 86400 * 7
+ // 1天 86400
+ set global binlog_expire_logs_seconds = 86400 * 7;
+ set persist binlog_expire_logs_seconds = 86400 * 7;
+ ```
+
+ 时区设置
+
+ 确保MySQL 的时区设置为 GMT+8
+
+
+* 创建数据库帐号
+
+ 参考命令:
+ ```
+ create user 'user'@'%' identified with mysql_native_password by 'your_password';
+ ```
+
+
+* 创建 database
+
+ 参考命令:
+ ```
+ create database `user` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
+ ```
+
+
+* 授予权限
+
+ 将 database 的权限授予对应的帐号
+
+ 参考命令:
+ ```
+ grant all privileges on `user`.* to 'user'@'%' with grant option;
+ ```
+
+
+* 授予 SUPER 权限
+ 由于 部分帐号 需要创建 触发器,故,需要 SUPER 权限
+ 涉及帐号有 user、user_authz、cas_server
+
+ 参考命令:
+ ```
+ grant SUPER on *.* to 'user'@'%';
+ grant SUPER on *.* to 'user_authz'@'%';
+ grant SUPER on *.* to 'cas_server'@'%';
+
+ grant SUPER on *.* to 'tmp_data'@'%';
+ ```
+
+
+* 备份与还原
+
+ 参考命令:
+ 备份:
+ ```
+ mysqldump -u root -p cas_server > cas_server.sql
+ mysqldump -u root -p token_server > token_server.sql
+ mysqldump -u root -p user > user.sql
+ mysqldump -u root -p user_authz > user_authz.sql
+ mysqldump -u root -p agent_service > agent_service.sql
+ ```
+
+ 还原:
+ ```
+ mysql -u root -p cas_server < cas_server.sql
+ mysql -u root -p token_server < token_server.sql
+ mysql -u root -p user < user.sql
+ mysql -u root -p user_authz < user_authz.sql
+ mysql -u root -p agent_service < agent_service.sql
+ ```
+
+
+### Harbor 准备及相关说明
+
+* 创建 devops 帐号
+
+ 用于 rancher 部署时拉取镜像
+
+ 用户管理 下 创建用户
+ 如 devops
+
+
+* 镜像同步
+
+ 从 https://harbor.supwisdom.com 中同步镜像
+
+ 仓库管理 下 新建目标
+ ```
+ supwisdom https://harbor.supwisdom.com rancher.devops / PWMgP85qiLFC
+ ```
+
+ 同步管理 下 新建规则
+
+ ```
+ admin-portal admin-portal/*
+ authx-service authx-service/*
+
+ thirdparty-agent-service thirdparty-agent-service/*
+
+ user-data-service goa/*
+ user-authorization-service user-authorization-service/*
+ cas-server cas-server/*
+ token-server token-server/*
+
+ jobs-server jobs-server/*
+
+ personal-security-center personal-security-center/*
+ ```
+
+ 同步规则,创建完成后,进行镜像同步
+
+ 选择某个同步规则,点击 同步,等待任务完成
+
+
+* 授予 devops 帐号 对各个项目的 访客 权限
+
+ 项目 下,点击 项目名称,进入到 成员,添加用户,查找用户 devops,选择角色 访客,确定,添加即可
+
+
+### Rancher 准备及相关说明
+
+* 创建项目
+
+ 进入 全局 - 集群(具体名称视项目安装而定) - 项目/命名空间,添加项目
+
+ 输入 项目名称,保存
+
+
+* 创建命名空间
+
+ 进入 全局 - 集群(具体名称视项目安装而定) - 项目/命名空间
+
+ 在新建的项目中,添加命名空间
+
+ 输入 名称,保存
+
+
+* 导入YAML
+
+ 进入 全局 - 集群(具体名称视项目安装而定) - 项目(某个项目)
+
+ 进入 资源 - 工作负载
+
+
+### 域名准备
+
+* 确定域名
+
+ 首先明确是否使用泛域名,如:`*.paas.xxx.edu.cn`,或 直接使用学校域名 `xxx.edu.cn`
+
+ 本产品安装需要的域名如下:
+ ```
+ cas.paas.xxx.edu.cn 认证(视具体情况,可调整)
+ token.paas.xxx.edu.cn 认证(APP适用)
+
+ personal-security-center.paas.xxx.edu.cn 个人安全中心后端API
+
+ security-center.paas.xxx.edu.cn 安全中心前端UI(帐号激活、忘记密码)
+
+ authx-minio.paas.xxx.edu.cn 文件服务
+ ```
+
+ 如果使用 学校域名,则去除 .paas 即可,同时申请开通相关域名
+
+
+### 应用配置项说明
+
+#### 公共配置项
+
+* JVM 相关
+
+ ConfigMap,jvm-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ MAX_RAM_PERCENTAGE | JAVA 应用,JVM内存 占 POD内存的比例 | 75.0
+
+
+* 数据库连接配置相关
+
+ Secret,datasource-env-secret
+
+ key | 说明 | 配置示例
+ - | - | -
+ JDBC_URL | 数据源连接配置(base64加密) | amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvdXNlcj9zZXJ2ZXJUaW1lem9uZT1Bc2lhL1NoYW5naGFp
+ JDBC_USERNAME | 数据库用户(base64加密) | dXNlcg==
+ JDBC_PASSWORD | 数据库密码(base64加密) | a2luZ3N0YXI=
+
+
+* redis 连接配置相关
+
+ Secret,redis-env-secret
+
+ key | 说明 | 配置示例
+ - | - | -
+ SPRING_REDIS_HOST | redis 服务(base64加密),默认为 redis-server | cmVkaXMtc2VydmVy
+ SPRING_REDIS_PORT | redis 服务端口(base64加密),默认为 6379 | NjM3OQ==
+ SPRING_REDIS_PASSWORD | redis 服务密码(base64加密) |
+
+
+* rabbit mq 连接配置相关
+
+ Secret,rabbitmq-env-secret
+
+ key | 说明 | 配置示例
+ - | - | -
+ SPRING_RABBITMQ_HOST | rabbit mq 服务(base64加密),默认为 rabbitmq-server | cmFiYml0bXEtc2VydmVy
+ SPRING_RABBITMQ_PORT | rabbit mq 服务端口(base64加密),默认为 5672 | NTY3Mg==
+ SPRING_RABBITMQ_USERNAME | rabbit mq 服务用户(base64加密) |
+ SPRING_RABBITMQ_PASSWORD | rabbit mq 服务密码(base64加密) |
+
+
+#### 服务配置项
+
+注:
+外部访问地址,一般为域名地址,需要根据学校域名进行修改
+k8s集群内部地址,为集群内部,跨namespace访问的域名地址,一般无须修改
+
+
+* auth-service 下的 authx-service-minio
+
+ Secret,minio-env-secret
+
+ key | 说明 | 配置示例
+ - | - | -
+ MINIO_ACCESS_KEY | minio帐号(base64加密),默认为 1y8N@8R@a_2u | MXk4TkA4UkBhXzJ1
+ MINIO_SECRET_KEY | minio密钥(base64加密),默认为 8pxlIe9#lN7Q | OHB4bEllOSNsTjdR
+
+
+* auth-service 下的 poa-api-docs-installer
+
+ ConfigMap,poa-api-docs-installer-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ POA_SERVER_URL | POA网关地址(外部访问地址) | http://poa.paas.xxx.edu.cn
+ POA_SA_SERVER_URL | POA管理接口地址(k8s集群内部地址) | http://poa-sa-svc.poa.svc.cluster.local:8443
+ - | - | -
+ USER_API_SERVER_URL | 用户服务开放接口地址(k8s集群内部地址) | http://user-data-service-poa-svc.user-data-service.svc.cluster.local:8080
+ USER_AUTHZ_API_SERVER_URL | 授权服务开放接口地址(k8s集群内部地址) | http://user-authorization-poa-svc.user-authorization-service.svc.cluster.local:8080
+ COMMUNICATE_API_SERVER_URL | 通信服务开放接口地址(k8s集群内部地址) | http://communicate-center-poa-svc.communicate-center.svc.cluster.local:8080
+
+
+* thirdparty-agent-service 下的 thirdparty-agent-service
+
+ ConfigMap,agent-service-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ FILE_MINIO_AUTOCONFIGURE_ENABLED | minio 服务开启开关 | true、false
+ FILE_MINIO_ENDPOINT | minio 服务地址(k8s集群内部地址) | http://minio-svc.authx-service.svc.cluster.local:9000
+ - | - | -
+ MAIL_SMTP_AUTOCONFIGURE_ENABLED | smtp 服务开启开关 | true、false
+ MAIL_SMTP_HOST | smtp 服务地址 | smtp.mxhichina.com
+ MAIL_SMTP_PORT | smtp 服务端口 | 25
+ MAIL_SMTP_SECURE_MODE | smtp 服务的安全模式(NONE,无;SSL,安全) | NONE
+ MAIL_SMTP_USERNAME | smtp 服务帐号 | security.institute@supwisdom.com
+ MAIL_SMTP_PASSWORD | smtp 服务密码 | Security2019
+ MAIL_SMTP_FROM | 发件人邮箱 | security.institute@supwisdom.com
+ MAIL_SMTP_FROM_PERSONAL | 发件人名称 | 智慧校园
+ - | - | -
+ SMS_ALIYUN_AUTOCONFIGURE_ENABLED | 阿里云短信服务开启开关 | true、false
+ SMS_ALIYUN_REGION_ID | 区域 | cn-hangzhou
+ SMS_ALIYUN_ACCESS_KEY_ID | 阿里云短信服务的帐号 |
+ SMS_ALIYUN_ACCESS_SECRET | 阿里云短信服务的密钥 |
+
+ Secret,agent-service-env-secret
+
+ key | 说明 | 配置示例
+ - | - | -
+ FILE_MINIO_ACCESSKEY | minio 服务帐号(base64加密),默认为 1y8N@8R@a_2u | MXk4TkA4UkBhXzJ1
+ FILE_MINIO_SECRETKEY | minio 服务密钥(base64加密),默认为 8pxlIe9#lN7Q | OHB4bEllOSNsTjdR
+
+
+* user-data-service 下的 user-data-service-poa
+
+ ConfigMap,user-data-service-poa-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ - | - | -
+ TPAS_FILE_API_URL | 文件服务接口地址(k8s集群内部地址)<br/>默认:minio文件服务 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
+
+
+* user-data-service 下的 user-data-service-goa
+
+ ConfigMap,user-data-service-goa-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ PASSWORD_ENCODER_IMPL | 密码加密算法的实现<br/>default:支持 bcrypt 等加密算法,默认; <br/>SHA-256:支持 SHA-256 加密算法 | default、SHA-256
+ - | - | -
+ JOBS_RABBITMQ_ENABLED | 是否推送数据到 jobs-server 的 rabbit mq | true、false
+ JOBS_RABBITMQ_HOST | rabbit mq 服务地址(k8s集群内部地址) | rabbitmq-server.jobs-server.svc.cluster.local
+ JOBS_RABBITMQ_PORT | rabbit mq 服务端口 | 5672
+ JOBS_RABBITMQ_USERNAME | rabbit mq 服务用户 |
+ JOBS_RABBITMQ_PASSWORD | rabbit mq 服务密码 |
+ JOBS_RABBITMQ_ACCOUNTUSERSVC2JOBSRABBITSENDER_ENABLED | 是否同步帐号数据至 jobs 的 MQ | true、false
+ JOBS_RABBITMQ_ACCOUNTUSERSVC2JOBSSYNCPASSWORDRABBITSENDER_ENABLED | 是否同步密码(明文密码)到 jobs 的 MQ | true、false
+ JOBS_RABBITMQ_ORGANIZATIONUSERSVC2JOBSRABBITSENDER_ENABLED | 是否同步组织机构数据至 jobs 的 MQ | true、false
+ JOBS_RABBITMQ_GROUPUSERSVC2JOBSRABBITSENDER_ENABLED | 是否同步用户组数据至 jobs 的 MQ | true、false
+
+
+* user-data-service 下的 user-data-service-biz
+
+ ConfigMap,user-data-service-biz-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ - | - | -
+ TPAS_FILE_API_URL | 文件服务接口地址(k8s集群内部地址)<br/>默认:minio文件服务 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
+
+
+* user-authorization-service 下的 user-authorization-service-poa
+
+ ConfigMap,user-authorization-service-poa-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ USER_DATA_SERVICE_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+
+
+* user-authorization-service 下的 user-authorization-service-sa
+
+ ConfigMap,user-authorization-service-sa-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ 暂无 | |
+
+
+* cas-server 下的 cas-server-sa-api
+
+ ConfigMap,cas-server-sa-api-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ SERVICE_REFRESH_REDIS_TIMER_ENABLED | 是否定时刷新应用对接数据<br/>默认:true | true、false
+ ACCOUNT_REFRESH_REDIS_TIMER_ENABLED | 是否定时刷新帐号数据<br/>默认:false | true、false
+ FEDERATION_REFRESH_REDIS_TIMER_ENABLED | 是否定时刷新联合登录帐号绑定数据<br/>默认:true | true、false
+ - | - | -
+ USER_DATA_SERVICE_SA_API_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+
+
+* cas-server 下的 cas-server-security-engine
+
+ ConfigMap,cas-server-security-engine-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ CASSERVER_SA_API_SERVER_URL | CAS认证服务开放接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+
+
+* cas-server 下的 cas-server-site-webapp
+
+ ConfigMap,cas-server-site-webapp-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ LOGGING_CONFIG | 日志配置文件路径 | file:/etc/cas/log4j2-file.xml
+ - | - | -
+ CAS_SERVER_NAME | CAS认证地址(外部访问地址) | https://cas.paas.xxx.edu.cn
+ CAS_TGC_SECURE | TGC cookie 安全设置<br/>true:https安全<br/>false: | true、false
+ CAS_TICKET_TGT_MAX_TIME_TO_LIVE_IN_SECONDS | TGT的最大生命周期<br/>默认:14天 | 1209600
+ CAS_TICKET_TGT_TIME_TO_KILL_IN_SECONDS | TGT的失效时长<br/>默认:2天 | 172800
+ CAS_AUTHN_TOKEN_CRYPTO_SIGNING_KEY | jwt格式的ticket的签名密钥 | `(@<rhnPaUYKC_k770*DuWwYQ_#Zc#8c(2rB?kae)rN)>K7qy)awCjxp$L653Mf$2`
+ SPRING_THYMELEAF_PREFIX | 登录页面UI的代码目录 | classpath:/templates/themes/classic/
+ - | - | -
+ CASSERVER_FEDERATION_QQ_ENABLED | 联合登录 QQ,是否启用 | true、false
+ CASSERVER_FEDERATION_QQ_APPID | 联合登录 QQ,appid |
+ CASSERVER_FEDERATION_QQ_APPKEY | 联合登录 QQ,appkey |
+ - | - | -
+ CASSERVER_FEDERATION_OPENWEIXIN_ENABLED | 联合登录 微信,是否启用 | true、false
+ CASSERVER_FEDERATION_OPENWEIXIN_APPID | 联合登录 微信,appid |
+ CASSERVER_FEDERATION_OPENWEIXIN_APPSECRET | 联合登录 微信,appsecret |
+ - | - | -
+ CASSERVER_FEDERATION_WORKWEIXIN_ENABLED | 联合登录 企业微信,是否启用 | true、false
+ CASSERVER_FEDERATION_WORKWEIXIN_CORPID | 联合登录 企业微信,企业ID |
+ CASSERVER_FEDERATION_WORKWEIXIN_AGENTID | 联合登录 企业微信,应用AgentId |
+ CASSERVER_FEDERATION_WORKWEIXIN_SECRET | 联合登录 企业微信,Secret |
+ - | - | -
+ CASSERVER_FEDERATION_ALIPAY_ENABLED | 联合登录 支付宝,是否启用 | true、false
+ CASSERVER_FEDERATION_ALIPAY_APPID | 联合登录 支付宝,appid |
+ CASSERVER_FEDERATION_ALIPAY_APPPRIVATEKEY | 联合登录 支付宝,应用私钥 |
+ CASSERVER_FEDERATION_ALIPAY_ALIPAYPUBLICKEY | 联合登录 支付宝,支付宝公钥 |
+ - | - | -
+ CASSERVER_JWT_ISS | idToken 签发者标识 | cas.paas.xxx.edu.cn
+ CASSERVER_JWT_PRIVATE_KEY_PEM_PKCS8 | idToken 签名私钥(pkcs8),参考 certs/jwt/readme.md 生成公私钥pem |
+ CASSERVER_JWT_PUBLIC_KEY_PEM | idToken 签名公钥,参考 certs/jwt/readme.md 生成公私钥pem |
+ - | - | -
+ CASSERVERSITE_CAPTCHA_ENABLED | 是否启用登录验证码 | true、false
+ CASSERVERSITE_ACCOUNT_SERVICE_IMPL | 帐号服务的实现<br/>redis:帐号数据存放在redis中<br/>user-sa:帐号数据从用户服务获取 | user-sa
+ CASSERVERSITE_ROLE_SERVICE_IMPL | 角色服务的实现<br/>redis:角色数据存放在redis中<br/>user-authz-sa:角色数据从授权服务获取 | user-authz-sa
+ CASSERVERSITE_SMS_SENDER_IMPL | 动态密码的短信发送实现<br/>default:控制台输出<br/>agent-service:代理服务 | agent-service
+ CASSERVERSITE_PASSWORDLESS_TOKEN_EXPIRATION_IN_SECONDS | 动态密码失效时长<br/>默认:5分钟 | 300
+ CASSERVERSITE_PASSWORDLESS_SMS_FROM | 动态密码的短信发送者 | 认证中心
+ CASSERVERSITE_PASSWORDLESS_SMS_TEXT_TEMPLATE | 动态密码的短信模板 | 【认证中心】您正在登录统一身份认证,本次登录的动态密码为{token},有效期5分钟,请尽快完成登录。
+ - | - | -
+ TPAS_AGENT_SERVICE_SERVER_URL | 代理服务接口地址(k8s集群内部地址) | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
+ TPAS_AGENT_SERVICE_SMS_SENDER_PATH | 短信发送服务地址<br/>console:控制台输出,默认<br/>aliyun:阿里云短信服务<br/>其他,支持学校定制接口 | /api/v1/tpas/sms/console/send
+ TPAS_AGENT_SERVICE_FILE_PATH | 文件服务地址<br/>默认:minio文件服务 | /api/v1/tpas/file/minio
+ - | - | -
+ CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ - | - | -
+ USER_DATA_SERVICE_SA_API_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ - | - | -
+ USER_AUTHZ_SERVICE_SA_API_SERVER_URL | 授权服务管理接口地址(k8s集群内部地址) | http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080
+ - | - | -
+ SUPERAPP_TOKEN_SIGNING_KEY_URL | TOKEN认证验签公钥地址(外部访问地址) | https://token.paas.xxx.edu.cn/jwt/publicKey
+
+
+* cas-server 下的 cas-server-site-scheme
+
+ ConfigMap,cas-server-site-scheme-config
+
+ key | 说明 | 配置示例
+ - | - | -
+ SCHEME_COLOR | UI 主题色 | 409EFF
+ - | - | -
+ CASSERVER_SA_API_SERVER_URL | CAS认证服务开放接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+
+ 注:若配置了 CASSERVER_SA_API_SERVER_URL,则使用配置表中的配置;否则,使用 SCHEME_COLOR 指定的设置。
+
+
+* token-server 下的 token-server
+
+ ConfigMap,token-server-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ TOKEN_SERVER_PREFIX | TOKEN认证地址(外部访问地址) | https://token.paas.xxx.edu.cn
+ - | - | -
+ TOKEN_SERVER_SECURITY_JWT_ISS | idToken签发者标识 | token.paas.xxx.edu.cn
+ TOKEN_SERVER_SECURITY_JWT_EXPIRATION | idToken 失效时长<br/>默认:30天 | 2592000
+ TOKEN_SERVER_SECURITY_JWT_PRIVATE_KEY_PEM_PKCS8 | idToken 签名私钥(pkcs8),参考 certs/jwt/readme.md 生成公私钥pem<br/>可以与CAS认证一致 |
+ TOKEN_SERVER_SECURITY_JWT_PUBLIC_KEY_PEM | idToken 签名公钥,参考 certs/jwt/readme.md 生成公私钥pem<br/>可以与CAS认证一致 |
+ - | - | -
+ TOKEN_SERVER_FACE_SOURCE_TYPE | 人脸服务<br>aiface:新开普人脸<br/>aipface:百度人脸 | aiface
+ 若须对接新开普人脸,须由新开普人脸系统提供相关配置 |
+ TOKEN_SERVER_FACE_AIFACE_URL | |
+ TOKEN_SERVER_FACE_AIFACE_APPKEY | |
+ TOKEN_SERVER_FACE_AIFACE_APPSECRET | |
+ TOKEN_SERVER_FACE_AIFACE_SECRETKEY | |
+ TOKEN_SERVER_FACE_AIFACE_TERM_CODE | |
+ 若须对接百度人脸,须在百度开放平台注册应用 |
+ TOKEN_SERVER_FACE_AIPFACE_APPID | |
+ TOKEN_SERVER_FACE_AIPFACE_APIKEY | |
+ TOKEN_SERVER_FACE_AIPFACE_SECRETKEY | |
+ - | - | -
+ TOKEN_SERVER_PASSWORDLESS_TOKEN_EXPIRATION_IN_SECONDS | 动态密码失效时长<br/>默认:5分钟 | 300
+ TOKEN_SERVER_PASSWORDLESS_SMS_TEXT_TEMPLATE | 动态密码的短信模板 | 【认证中心】您正在登录统一身份认证,本次登录的动态密码为{token},有效期5分钟,请尽快完成登录。
+ TOKEN_SERVER_PASSWORDLESS_SMS_FROM | 动态密码的短信发送者 | 认证中心
+ - | - | -
+ MESSAGECENTER_ENABLED | 是否对接消息平台<br/>默认:false| true、false
+ MESSAGECENTER_APP_ID | 应用ID(由消息平台生成)|
+ MESSAGECENTER_MESSAGE_TYPE_CODE_APP_LOGIN | 消息类型代码(APP 登录) | APP_LOGIN
+ - | - | -
+ POA_SERVER_URL | POA网关地址(外部访问地址) | https://poa.paas.xxx.edu.cn
+ POA_CLIENT_ID | client id |
+ POA_CLIENT_SECRET | client secret |
+ POA_SCOPES | api 接口的 scope | messagecenter:v1:sendMessage
+ - | - | -
+ TPAS_AGENT_SERVICE_SERVER_URL | 代理服务接口地址(k8s集群内部地址) | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
+ TPAS_AGENT_SERVICE_SMS_SENDER_PATH | 短信发送服务地址<br/>console:控制台输出,默认<br/>aliyun:阿里云短信服务<br/>其他,支持学校定制接口 | /api/v1/tpas/sms/console/send
+ - | - | -
+ CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ - | - | -
+ USER_DATA_SERVICE_SA_API_SERVER_URL | 用户服务管理接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+
+
+* personal-security-center 下的 personal-security-center-bff
+
+ ConfigMap,personal-security-center-bff-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ PERSONAL_SECURITY_CENTER_SERVER_PREFIX | 个人安全中心访问地址(外部访问地址) | https://personal-security-center.paas.xxx.edu.cn
+ CAS_SERVER_PREFIX | CAS认证地址(外部访问地址) | https://cas.paas.xxx.edu.cn
+ - | - | -
+ CASSERVER_SITE_SERVER_URL | CAS认证接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ - | - | -
+ CASSERVER_SA_API_SERVER_URL | CAS认证服务管理接口地址(k8s集群内部地址) | http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ - | - | -
+ USER_DATA_SERVICE_SA_API_SERVER_URL | 用户服务开放接口地址(k8s集群内部地址) | http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ - | - | -
+ TPAS_FILE_API_URL | 文件服务接口地址(k8s集群内部地址)<br/>默认:minio文件服务 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
+ TPAS_MAIL_API_URL | 邮件发送服务地址(k8s集群内部地址)<br/>console:控制台输出,默认<br/>smtp:SMTP服务<br/>其他,支持学校定制接口 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/mail/smtp
+ TPAS_SMS_API_URL | 短信发送服务地址(k8s集群内部地址)<br/>console:控制台输出,默认<br/>aliyun:阿里云短信服务<br/>其他,支持学校定制接口 | http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/sms/console
+
+ ConfigMap,personal-security-center-bff-template-env
+ 邮件内容模板、短信内容模板
+
+ key | 说明 | 配置示例
+ - | - | -
+ EMAIL_TEMPLATE_ACTIVE_USER_SEND_CODE_BY_EMAIL_ADDRESS | 邮件内容模板-激活帐号 | {name}:您正在激活帐号,须验证邮箱有效,验证码{code},有效期5分钟,请尽快完成验证。
+ EMAIL_TEMPLATE_FORGOT_PASSWORD_SEND_CODE | 邮件内容模板-找回密码 | {name}:您正在找回密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ - | - | -
+ EMAIL_TEMPLATE_USER_SECURITY_PASSWORD_SEND_CODE | 邮件内容模板-修改密码 | {name}:您正在修改密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ EMAIL_TEMPLATE_USER_SECURITY_EMAIL_ADDRESS_SEND_CODE | 邮件内容模板-修改安全邮箱 | {name}:您正在修改安全邮箱,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ EMAIL_TEMPLATE_USER_SECURITY_EMAIL_ADDRESS_SEND_CODE_BY_EMAIL_ADDRESS | 邮件内容模板-修改安全邮箱-验证邮箱 | {name}:您正在修改安全邮箱,须验证邮箱有效,验证码{code},有效期5分钟,请尽快完成验证。
+ EMAIL_TEMPLATE_USER_SECURITY_MOBILE_SEND_CODE | 邮件内容模板-修改安全手机 | {name}:您正在修改安全手机,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ - | - | -
+ EMAIL_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE | 邮件内容模板-绑定QQ | {name}:您正在绑定QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ EMAIL_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE_UNBIND_QQ | 邮件内容模板-解绑QQ | {name}:您正在解绑QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ EMAIL_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE | 邮件内容模板-绑定微信 | {name}:您正在绑定微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ EMAIL_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE_UNBIND_OPENWEIXIN | 邮件内容模板-解绑微信 | {name}:您正在解绑微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ EMAIL_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE | 邮件内容模板-绑定企业微信 | {name}:您正在绑定企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ EMAIL_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE_UNBIND_WORKWEIXIN | 邮件内容模板-解绑企业微信 | {name}:您正在解绑企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ EMAIL_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE | 邮件内容模板-绑定支付宝 | {name}:您正在绑定支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ EMAIL_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE_UNBIND_ALIPAY | 邮件内容模板-解绑支付宝 | {name}:您正在解绑支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ - | - | -
+ SMS_TEMPLATE_ACTIVE_USER_SEND_CODE_BY_PRE_MOBILE | 短信内容模板-激活帐号-预留手机身份验证 | {prefix}您正在激活帐号,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ SMS_TEMPLATE_ACTIVE_USER_SEND_CODE_BY_MOBILE | 短信内容模板-激活帐号 | {prefix}您正在激活帐号,须验证手机有效,验证码{code},有效期5分钟,请尽快完成验证。
+ SMS_TEMPLATE_FORGOT_PASSWORD_SEND_CODE| 短信内容模板-找回密码 | {prefix}您正在找回密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ - | - | -
+ SMS_TEMPLATE_USER_SECURITY_PASSWORD_SEND_CODE | 短信内容模板-修改密码 | {prefix}您正在修改密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ SMS_TEMPLATE_USER_SECURITY_EMAIL_ADDRESS_SEND_CODE | 短信内容模板-修改安全邮箱 | {prefix}您正在修改安全邮箱,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ SMS_TEMPLATE_USER_SECURITY_MOBILE_SEND_CODE | 短信内容模板-修改安全手机 | {prefix}您正在修改安全手机,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ SMS_TEMPLATE_USER_SECURITY_MOBILE_SEND_CODE_BY_MOBILE | 短信内容模板-修改安全手机-验证手机 | {prefix}您正在修改安全手机,须验证手机有效,验证码{code},有效期5分钟,请尽快完成验证。
+ - | - | -
+ SMS_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE | 邮件内容模板-绑定QQ | {prefix}您正在绑定QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ SMS_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE_UNBIND_QQ | 邮件内容模板-解绑QQ | {prefix}您正在解绑QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ SMS_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE | 邮件内容模板-绑定微信 | {prefix}您正在绑定微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ SMS_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE_UNBIND_OPENWEIXIN | 邮件内容模板-解绑微信 | {prefix}您正在解绑微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ SMS_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE | 邮件内容模板-绑定企业微信 | {prefix}您正在绑定企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ SMS_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE_UNBIND_WORKWEIXIN | 邮件内容模板-解绑企业微信 | {prefix}您正在解绑企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ SMS_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE | 邮件内容模板-绑定支付宝 | {prefix}您正在绑定支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ SMS_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE_UNBIND_ALIPAY | 邮件内容模板-解绑支付宝 | {prefix}您正在解绑支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。
+ - | - | -
+ SMS_TEMPLATE_ACCOUNT_INFO_SEND_CODE_BY_MOBILE | 帐号查询-验证手机 | {prefix}您当前正在查询账号,须验证手机有效,验证码{code},有效期5分钟,请尽快完成验证。'
+ SMS_TEMPLATE_ACCOUNT_INFO_SEND_ACCOUNT_NAME | 帐号查询-发送帐号名 | {prefix}您当前正在查询账号,查询结果为:{accountName},账号是您在学校中的重要信息,请妥善保管。'
+ - | - | -
+ SMS_TEMPLATE_PREFIX | 短信签名、前缀 |
+
+
+* personal-security-center 下的 personal-security-center-zuul
+
+ ConfigMap,personal-security-center-zuul-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ APP_SERVER_HOST_URL | 个人安全中心访问地址(外部访问地址) | http://personal-security-center.paas.xxx.edu.cn
+ CAS_SERVER_HOST_URL | CAS认证地址(外部访问地址) | https://cas.paas.xxx.edu.cn
+ - | - | -
+ APPLICATION_INDEX_REDIRECT_URI | 网关服务的默认首页,安全中心访问地址(外部访问地址) | http://security-center.paas.xxx.edu.cn
+
+
+* personal-security-center 下的 security-center-ui
+
+ ConfigMap,security-center-ui-env
+
+ key | 说明 | 配置示例
+ - | - | -
+ RESOURCE_PREFIX | LOGO、FAVICON 等资源地址 | http://authx-minio.paas.xxx.edu.cn/security-center-ui
+ MAIN_SERVER | 安全中心访问地址(外部访问地址) | http://security-center.paas.xxx.edu.cn
+ - | - | -
+ PERSONAL_CENTER_API | 后端API,个人安全中心访问地址(外部访问地址) | http://personal-security-center.paas.xxx.edu.cn
+ - | - | -
+ AUTH_CAS | CAS认证地址(外部访问地址) | http://cas.paas.xxx.edu.cn/cas
+ JWT_ISS | JWT Token 签名方标识 | http://cas.paas.xxx.edu.cn/cas
+ JWT_SECRET | JWT Token 签名密钥 | 固定值,`(@<rhnPaUYKC_k770*DuWwYQ_#Zc#8c(2rB?kae)rN)>K7qy)awCjxp$L653Mf$2`
+
+
+## 开始安装
+
+
+### 数据库创建
+
+* 数据库帐号
+
+ 以下是 各服务对应的数据库帐号
+
+ 服务 | 数据库帐号
+ - | -
+ 用户服务 user-data-service | user
+ 授权服务 user-authorization-service | user_authz
+ 认证服务 cas-server | cas_server
+ 认证服务(APP适用) token-server | token_server
+ - | -
+ 第三方代理服务 thridparty-agent-service | agent_service
+ - | -
+ v4认证迁移数据 | tmp_data
+
+ 命令:
+ **请修改命令中的 `your_password` 为实际的数据库帐号的密码**
+ ```
+ create user 'user'@'%' identified with mysql_native_password by 'your_password';
+ create user 'user_authz'@'%' identified with mysql_native_password by 'your_password';
+ create user 'cas_server'@'%' identified with mysql_native_password by 'your_password';
+ create user 'token_server'@'%' identified with mysql_native_password by 'your_password';
+
+ create user 'agent_service'@'%' identified with mysql_native_password by 'your_password';
+
+ create user 'tmp_data'@'%' identified with mysql_native_password by 'your_password';
+ ```
+
+
+* 数据库
+
+ 以下是 各服务对应的数据库
+
+ 服务 | 数据库
+ - | -
+ 用户服务 user-data-service | user
+ 授权服务 user-authorization-service | user_authz
+ 认证服务 cas-server | cas_server
+ 认证服务(APP适用) token-server | token_server
+ - | -
+ 第三方代理服务 thridparty-agent-service | agent_service
+ - | -
+ v4认证迁移数据 | tmp_data
+
+ 命令:
+ ```
+ create database `user` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
+ create database `user_authz` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
+ create database `cas_server` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
+ create database `token_server` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
+
+ create database `agent_service` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
+
+ create database `tmp_data` DEFAULT CHARSET utf8 COLLATE utf8_general_ci;
+ ```
+
+
+* 数据库权限授予
+
+ 将 database 的权限授予对应的帐号
+
+ 命令:
+ ```
+ grant all privileges on `user`.* to 'user'@'%' with grant option;
+ grant all privileges on `user_authz`.* to 'user_authz'@'%' with grant option;
+ grant all privileges on `cas_server`.* to 'cas_server'@'%' with grant option;
+ grant all privileges on `token_server`.* to 'token_server'@'%' with grant option;
+
+ grant all privileges on `agent_service`.* to 'agent_service'@'%' with grant option;
+
+ grant all privileges on `tmp_data`.* to 'tmp_data'@'%' with grant option;
+ ```
+
+
+* SUPER 权限授予
+
+ 由于 部分帐号 需要创建 触发器,故,需要 SUPER 权限
+ 涉及帐号有 user、user_authz、cas_server
+
+ 命令:
+ ```
+ grant SUPER on *.* to 'user'@'%';
+ grant SUPER on *.* to 'user_authz'@'%';
+ grant SUPER on *.* to 'cas_server'@'%';
+
+ grant SUPER on *.* to 'tmp_data'@'%';
+ ```
+
+
+* 用户数据的交换帐号
+
+ **待部署完成后操作**
+
+ 如果,存在数据交换 须将组织机构数据、帐号数据 同步到用户服务的数据库的
+ 则,需要创建一个 交换用的数据库帐号(user_trans),并为该帐号授予 表 user.TMP_ORGANIZATION_ORIGIN、user.TMP_ACCOUNT_ORIGIN 的读写操作的权限
+
+ 命令:
+ ```
+ create user 'user_trans'@'%' identified with mysql_native_password by 'your_password';
+
+ grant select on `user`.`TMP_ORGANIZATION_ORIGIN` to 'user_trans'@'%';
+ grant insert on `user`.`TMP_ORGANIZATION_ORIGIN` to 'user_trans'@'%';
+ grant update on `user`.`TMP_ORGANIZATION_ORIGIN` to 'user_trans'@'%';
+ grant delete on `user`.`TMP_ORGANIZATION_ORIGIN` to 'user_trans'@'%';
+
+ grant select on `user`.`TMP_ACCOUNT_ORIGIN` to 'user_trans'@'%';
+ grant insert on `user`.`TMP_ACCOUNT_ORIGIN` to 'user_trans'@'%';
+ grant update on `user`.`TMP_ACCOUNT_ORIGIN` to 'user_trans'@'%';
+ grant delete on `user`.`TMP_ACCOUNT_ORIGIN` to 'user_trans'@'%';
+
+ grant select on `user`.`TMP_ORGANIZATION_TRANS` to 'user_trans'@'%';
+ grant insert on `user`.`TMP_ORGANIZATION_TRANS` to 'user_trans'@'%';
+ grant update on `user`.`TMP_ORGANIZATION_TRANS` to 'user_trans'@'%';
+ grant delete on `user`.`TMP_ORGANIZATION_TRANS` to 'user_trans'@'%';
+
+ grant select on `user`.`TMP_ACCOUNT_TRANS` to 'user_trans'@'%';
+ grant insert on `user`.`TMP_ACCOUNT_TRANS` to 'user_trans'@'%';
+ grant update on `user`.`TMP_ACCOUNT_TRANS` to 'user_trans'@'%';
+ grant delete on `user`.`TMP_ACCOUNT_TRANS` to 'user_trans'@'%';
+ ```
+
+
+### rancher 容器部署
+
+* 修改 yaml 中的相关配置
+
+ 具体参考 yaml 文件中的说明
+
+ 0.infras
+
+ 基础设施,目前包含 MySQL数据库的Web管理端、SpringBoot服务的管理端
+
+ ```
+ 0.0.0.infras-base.yaml 请修改 harbor-registry 的帐号密码
+
+ 0.0.1.infras-mysql.yaml 请修改 MySQL数据库 的地址、IP,mysql-adminer 访问域名
+
+ 0.0.2.infras-sba.yaml 请修改 docker 镜像地址
+
+ ```
+
+ 1.authx-service
+
+ 业务中台 之 认证授权服务
+
+ 参考 yaml 中的说明,修改相关配置
+
+ ```
+ 在各个服务的安装脚本目录下,修改以下文件(若存在)中的配置
+ 0.*-base.yaml 请修改 harbor-registry 的帐号密码
+
+ 4.x.*.yaml, 5.*-datax-job.yaml 请修改 docker 镜像地址
+
+ 1.*-env.yaml, 5.*-datax-job.yaml 请修改 数据库密码
+
+ 2.*-ingresses.yaml 请修改 访问域名
+
+ 0.0.trans-service-v4
+
+ 此为 认证v4 的数据迁移服务(可选)
+
+ 将 认证v4 的数据导入到 tmp_data 下
+
+ 数据迁移后,还需要手动编写脚本,将数据迁移至 用户服务、授权服务 的数据库中
+
+ 0.authx-service
+
+ 此为 公共基础服务
+
+ 如:MySQL 服务地址(Endpoints)、文件存储服务
+
+ 1.authx-service-mysql.yaml
+
+ 请修改 mysql 的服务地址 IP
+
+ 2.authx-service-minio.yaml
+
+ 请修改 minio 的 `MINIO_ACCESS_KEY`、`MINIO_SECRET_KEY`
+
+ 根据情况修改 pvc 的 storageClassName
+
+ 9.poa-api-docs_install.yaml
+
+ 用于将 认证授权服务的 poa 接口文档,导入到 poa-sa 中,**请在 poa 安装完成后处理**
+
+ 请修改 poa 的服务地址 `POA_SERVER_URL`
+
+ 1.thirdparty-agent-service
+
+ 此为 第三方服务的代理服务
+
+ file-minio
+
+ 修改 minio 的 `FILE_MINIO_ACCESSKEY`、`FILE_MINIO_SECRETKEY`
+
+ mail-smtp
+
+ 获取 学校的 smtp 服务地址,邮箱帐号,用于发送邮件
+
+ sms-aliyun
+
+ 如果 学校使用 阿里云的短信服务,提供 `ACCESS_KEY_ID`、`ACCESS_SECRET`;
+ 否则,提供相关的短信平台,进行定制开发
+
+ 2.user-data-service
+
+ 此为 用户服务
+
+ user-data-service-goa
+
+ 如果 须将用户数据的变更下发到 Openldap 等第三方业务中,则须配置 `JOBS_RABBITMQ_*` 为开启(ENABLED=true)
+
+ 3.user-authorization-service
+
+ 此为 授权服务
+
+ 4.cas-server
+
+ 此为 认证服务
+
+ cas-server-site-webapp
+
+ 生成公私钥证书,参考 certs/jwt/readme.md 生成公私钥pem,修改相关配置 `CASSERVER_JWT_PRIVATE_KEY_PEM_PKCS8`、`CASSERVER_JWT_PUBLIC_KEY_PEM`
+
+ 修改 认证服务的外网访问地址 `CAS_SERVER_NAME`
+
+ 修改 CAT TGC 的安全,若 使用 https,则须修改 `CAS_TGC_SECURE: "true"`
+
+ 修改 安全中心(帐号激活、找回密码)的链接地址 `CASSERVERSITE_FORGOT_PASSWORD_URL`、`CASSERVERSITE_ACTIVE_ACCOUNT_URL`
+
+ 联合登录(QQ、微信、企业微信、支付宝等)配置 `CASSERVER_FEDERATION_*`
+
+ 动态密码认证 相关配置
+ 1. 短信模板(动态密码) `CASSERVERSITE_PASSWORDLESS_SMS_TEXT_TEMPLATE`
+ 2. 短信接口地址 `TPAS_AGENT_SERVICE_SMS_SENDER_PATH`
+
+ 如果 须与 超级APP 对接,须修改 Token 验签公钥地址 `SUPERAPP_TOKEN_SIGNING_KEY_URL`
+
+ 如果 须开启图片验证码,修改 `CASSERVERSITE_CAPTCHA_ENABLED: "true"`
+
+ 5.token-server
+
+ 此为 认证服务(适用于APP,可选)
+
+ token-server
+
+ 生成公私钥证书(与cas-server保持一致),参考 certs/jwt/readme.md 生成公私钥pem,修改相关配置 `TOKEN_SERVER_SECURITY_JWT_PRIVATE_KEY_PEM_PKCS8`、`TOKEN_SERVER_SECURITY_JWT_PUBLIC_KEY_PEM`
+
+ 修改 认证服务的外网访问地址 `TOKEN_SERVER_PREFIX`
+
+ 修改 认证服务 Id-Token 的签发者标识 `TOKEN_SERVER_SECURITY_JWT_ISS`
+
+ 动态密码认证 相关配置(与cas-server保持一致)
+ 1. 短信模板(动态密码) `TOKEN_SERVER_PASSWORDLESS_SMS_TEXT_TEMPLATE`
+ 2. 短信接口地址 `TPAS_AGENT_SERVICE_SMS_SENDER_PATH`
+
+ 人脸认证,须配置人脸服务,目前支持 新开普人脸服务、百度人脸服务,根据情况获取相关配置参数
+
+ APP 登录信息 个推,使用了消息服务的接口,该接口由 POA 提供,故须
+ 1. 注册 POA client,获取 `clientId`、`clientSecret`,申请 Scope `messagecenter:v1:sendMessage`
+ 2. 获取 消息服务的 `appId`
+
+ 6.personal-security-center
+
+ 此为 个人安全中心 后端API,安全中心 前端UI
+
+ 提供个人帐号相关的操作的接口,以及 帐号激活、密码找回 等功能
+
+ TODO: 修改 bff、zuul 配置
+ TODO: 修改 security-center-ui 配置
+
+ 9.jobs-server
+
+ 此为 任务调度服务
+
+ 基于 定时任务、触发任务 等,完成 用户数据的同步
+
+ 如:
+ * 源头数据进入到临时表后,写入用户的正式表
+ * 用户数据更新后,通过消息队列,增量更新 Openldap 数据
+
+ ```
+
+
+* 添加项目、命名空间
+
+ 项目
+ ```
+ infras # 基础设施(可选,方便实施工作)
+
+ authx-service # 认证授权服务
+
+ admin-platform # 管理平台
+
+ ```
+
+ 命名空间
+
+ 在项目 infras 下创建 命名空间:
+
+ ```
+ base
+
+ ```
+
+ 在项目 authx-service 下创建 命名空间:
+
+ ```
+ trans-service(认证v4的数据迁移服务,可选)
+
+ authx-service
+
+ thirdparty-agent-service
+
+ user-data-service
+
+ user-authorization-service
+
+ cas-server
+
+ token-server
+
+ personal-security-center
+
+ jobs-server
+
+ ```
+
+
+* 导入YAML
+
+ 在项目 infras 中,将 0.infras 下的 yaml 按编号依次导入
+
+ ```
+ 0.0.0.infras-base.yaml
+
+ 0.0.1.infras-mysql.yaml mysql web管理
+
+ 0.0.2.infras-sba.yaml
+
+ ```
+
+ 在项目 authx-service 中,将 1.authx-service 下的 yaml 按编号依次导入
+
+ **务必确保 `4.0.*-installer.yaml` 执行成功**
+
+
+### 数据配置
+
+ 数据脚本初始化
+
+ 先修改 脚本中的域名(如果存在)
+
+
+* 可选,1.authx-service/10.0.tmp.sql
+
+ 若通过交换同步组织机构、帐号数据的,须执行该数据库脚本
+
+
+* 可选,1.authx-service/10.1.init-flow.sql
+
+ 若部署了 流程平台 的产品
+
+ 可默认创建几个管理员帐号,以及初始授权
+
diff --git "a/project/nwpu/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.pdf" "b/project/nwpu/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.pdf"
new file mode 100644
index 0000000..35bc552
--- /dev/null
+++ "b/project/nwpu/k8s-rancher/0.1.1.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\256\211\350\243\205\351\203\250\347\275\262\346\211\213\345\206\214.pdf"
Binary files differ
diff --git "a/project/nwpu/k8s-rancher/0.1.2.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.0-V1.2\357\274\211.md" "b/project/nwpu/k8s-rancher/0.1.2.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.0-V1.2\357\274\211.md"
new file mode 100644
index 0000000..9590b2e
--- /dev/null
+++ "b/project/nwpu/k8s-rancher/0.1.2.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.0-V1.2\357\274\211.md"
@@ -0,0 +1,246 @@
+
+# 认证授权服务升级文档(V1.0 ~ V1.2)
+
+
+## 部署变更说明
+
+对本次升级进行的简要说明,具体的升级步骤,详见 **升级说明**
+
+1. 新增 StatefulSet authx-service/redis-server
+
+2. 新增 Deployment authx-service/rabbitmq-server , 用于将 user-data-service,user-authorization-service,jobs-server 连接的 rabbitmq-server 进行合并
+
+3. 新增 Deployment authx-service/authx-service-bff
+
+
+4. 删除 Deployment user-data-service/rabbitmq-server
+
+5. 修改 Secret user-data-service/rabbitmq-env-secret , 将 SPRING_RABBITMQ_HOST 修改为 rabbitmq-server.authx-service.svc.cluster.local
+
+6. 修改 ConfigMap user-data-service/user-data-service-goa-env , 将 JOBS_RABBITMQ_HOST 修改为 rabbitmq-server.authx-service.svc.cluster.local
+
+7. 修改 Deployment user-data-service/user-data-service-biz , 增加 环境变量 rabbitmq-env-secret
+
+
+8. 删除 Deployment user-data-service/rabbitmq-server
+
+9. 修改 Secret user-authorization-service/rabbitmq-env-secret , 将 SPRING_RABBITMQ_HOST 修改为 rabbitmq-server.authx-service.svc.cluster.local
+
+10. 修改 ConfigMap user-authorization-service/user-authorization-sa-env , 将 USER_AUTHORIZATION_SA_USER_RABBITMQ_HOST 修改为 rabbitmq-server.authx-service.svc.cluster.local
+
+
+11. 删除 Deployment jobs-server/rabbitmq-server
+
+12. 修改 Secret jobs-server/rabbitmq-env-secret , 将 SPRING_RABBITMQ_HOST 修改为 rabbitmq-server.authx-service.svc.cluster.local
+
+13. 新增 Secret token-server/rabbitmq-env-secret
+14. 修改 Deployment token-server/token-server, 增加 环境变量 secretRef rabbitmq-env-secret
+
+13. 变更 CronJob user-data-service/user-data-service-datax-job 的定时 schedule 为 `30 */4 * * *`
+14. 变更 CronJob user-authorization-service/user-authorization-datax-job 的定时 schedule 为 `30 */4 * * *`
+
+15. 变更 CronJob cas-server/cas-server-datax-job 的定时 schedule 为 `5 */2 * * *`
+
+
+16. 删除 Job authx-service/poa-api-docs-installer ,由各服务下独立部署
+17. 新增 Job user-data-service/api-docs-installer
+18. 新增 Job user-authorization-service/api-docs-installer
+19. 新增 Job token-server/api-docs-installer
+
+
+## 升级说明
+
+1. 数据库脚本进行升级
+
+ 重新执行 Job user-data-service/user-data-service-installer
+
+ 重新执行 Job user-authorization-service/user-authorization-installer
+
+ 重新执行 Job cas-server/cas-server-installer
+
+ 重新执行 Job token-server/token-server-installer
+
+2. 部署 StatefulSet authx-service/redis-server , Deployment authx-service/rabbitmq-server
+
+ 部署yaml 位于 1.authx-service/0.authx-service/0.authx-service-base.yaml, 1.authx-service/0.authx-service/1.authx-service-env.yaml
+
+3. 部署 Deployment authx-service/authx-service-bff
+
+ 部署yaml 位于 1.authx-service/0.authx-service/4.4.authx-service-bff.yaml
+
+4. Secret user-data-service/rabbitmq-env-secret , 修改 SPRING_RABBITMQ_HOST
+
+ ```
+ SPRING_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ ```
+
+5. Secret user-authorization-service/rabbitmq-env-secret , 修改 SPRING_RABBITMQ_HOST
+
+ ```
+ SPRING_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ ```
+
+6. Secret jobs-server/rabbitmq-env-secret , 修改 SPRING_RABBITMQ_HOST
+
+ ```
+ SPRING_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ ```
+
+7. Deployment user-data-service/user-data-service-biz 下的环境变量中,引用其他资源,添加附加资源 Secret rabbitmq-env-secret
+
+8. ConfigMap user-data-service/user-data-service-goa-env 下,更新 JOBS_RABBITMQ 相关的配置
+
+ ```
+ JOBS_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ ```
+
+9. ConfigMap user-authorization-service/user-authorization-sa-env 下,新增 USER_AUTHORIZATION_SA_USER_RABBITMQ 相关的配置
+
+ ```
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_CONSUMER_ENABLED: "false"
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_HOST: rabbitmq-server.jobs-server.svc.cluster.local
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_PORT: "5672"
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_USERNAME: guest
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_PASSWORD: guest
+ ```
+
+10. 新增 Secret token-server/rabbitmq-env-secret
+
+ 部署yaml 位于 5.token-server/1.token-server-env.yaml
+
+11. 修改 Deployment token-server/token-server, 增加 环境变量 secretRef rabbitmq-env-secret
+
+12. 修改 x-datax-job 的定时策略
+
+ CronJob user-data-service/user-data-service-datax-job 下,修改 schedule 为 `30 */4 * * *`
+
+ CronJob user-authorization-service/user-authorization-datax-job 下,修改 schedule 为 `30 */4 * * *`
+
+ CronJob CronJob cas-server/cas-server-datax-job 下,修改 schedule 为 `5 */2 * * *`
+
+
+13. 将 工作负载 下的服务 升级到 1.2.x 版本
+
+
+14. 更新 POA 的 api-docs
+
+ 执行 Job user-data-service/api-docs-installer
+
+ 执行 Job user-authorization-service/api-docs-installer
+
+ 执行 Job token-server/api-docs-installer
+
+
+## 初始化脚本
+
+1. 整理 授权服务、云平台管理 下的角色
+
+ **检查 授权服务下的 以下角色 的 APPLICATION_ID 已经更新为 10**
+
+ 在 user_authz 的 TB_ROLE 表中
+
+ 确保 cas-admin, user-admin, user-authz-admin, user-authz-grant-admin, user-authz-man-grant-admin 只有一条记录
+
+ 若 存在 与 上述代码 重复的角色,则删除 APPLICATION_ID = 1 且 ID 不为 20, 30, 40, 41, 42 的 相关角色。
+
+ 同时,在 admin_center 的 TB_MGT_ROLE 表中
+
+ 删除 ID 不为 20, 30, 40, 41, 42 的 相关角色。
+
+ ```sql
+ use user_authz;
+
+ -- 检查 授权服务下的 以下角色 的 APPLICATION_ID 已经更新为 10
+ UPDATE TB_ROLE SET APPLICATION_ID='10' WHERE ID='20';
+
+ UPDATE TB_ROLE SET APPLICATION_ID='10' WHERE ID='30';
+
+ UPDATE TB_ROLE SET APPLICATION_ID='10' WHERE ID='40';
+ UPDATE TB_ROLE SET APPLICATION_ID='10' WHERE ID='41';
+ UPDATE TB_ROLE SET APPLICATION_ID='10' WHERE ID='42';
+
+ use admin_center;
+
+ -- 删除认证授权的角色
+ delete from TB_MGT_ROLE where ID in ('20', '30', '40','41','42');
+
+ commit;
+ ```
+
+2. 更新 接口路由、应用、菜单、角色权限
+
+ 注:如果已经存在,请忽略
+
+ ```sql
+ use admin_center;
+
+ -- 新增接口路由
+
+ insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+ values ('21', 0, 'authx-service-admin-api', '认证授权 - 聚合接口(认证、授权)', '1', '/api/v2/admin', 'http://localhost:8009', 0);
+ insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+ values ('22', 0, 'authx-service-open-api', '认证授权 - 聚合接口(公开)', '1', '/api/v2/open', 'http://localhost:8009', 0);
+
+ commit;
+
+ update TB_MGT_ROUTE set URL='http://authx-service-bff-svc.authx-service.svc.cluster.local:8080' where ID='21';
+ update TB_MGT_ROUTE set URL='http://authx-service-bff-svc.authx-service.svc.cluster.local:8080' where ID='22';
+
+ commit;
+
+ -- 新增应用
+
+ insert into TB_MGT_APPLICATION (ID, DELETED, CODE, NAME, STATUS)
+ values ('10', 0, '10', '用户授权', '1');
+
+ commit;
+
+ -- 更新现有菜单 的 所属 APPLICATION_ID
+
+ update TB_MGT_PERMISSION set APPLICATION_ID='10' where ID like '2____';
+ update TB_MGT_PERMISSION set APPLICATION_ID='10' where ID like '3____';
+ update TB_MGT_PERMISSION set APPLICATION_ID='10' where ID like '4____';
+
+ commit;
+
+ -- 新增功能菜单
+
+ update TB_MGT_PERMISSION
+ set LFT = LFT+10
+ where LFT>=35
+ ;
+
+ update TB_MGT_PERMISSION
+ set RGT = RGT+10
+ where RGT>=35
+ ;
+
+ insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+ values ('20650', 0, 'casConfig', '认证对接配置', '0', '2', 'el-icon-service', '/cas-server/casConfig', '10', '20000', 20650, 2, 35, 36);
+
+ insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+ values ('20700', 0, 'loginPageConfig', '登录页面配置', '1', '2', 'su-icon-tongxunxinxi', '/cas-server/loginPageConfig', '10', '20000', 20700, 2, 37, 38);
+ insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+ values ('20800', 0, 'linkLoginConfig', '联合登录配置', '1', '2', 'su-icon-test', '/cas-server/linkLoginConfig', '10', '20000', 20800, 2, 39, 40);
+
+ insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+ values ('20900', 0, 'infoPerfectConfig', '信息完善配置', '1', '2', 'su-icon-chongxintijiao', '/cas-server/infoPerfectConfig', '10', '20000', 20900, 2, 41, 42);
+
+ insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+ values ('21000', 0, 'lockManagement', '认证锁定管理', '1', '2', 'su-icon-shouquanjiguanli', '/cas-server/lockManagement', '10', '20000', 21000, 2, 43, 44);
+
+ commit;
+
+ insert into TB_MGT_ROLE_PERMISSION (ID, DELETED, ROLE_ID, PERMISSION_ID)
+
+ select CONCAT('20_', ID) as ID, 0 as DELETED, '20' as ROLE_ID, ID as PERMISSION_ID
+ from TB_MGT_PERMISSION
+ where ID like '2____'
+ and (
+ CONCAT('20_', ID) not in (select CONCAT('20_', PERMISSION_ID) from TB_MGT_ROLE_PERMISSION)
+ or CONCAT('20_', ID) not in (select ID from TB_MGT_ROLE_PERMISSION)
+ )
+ ;
+
+ commit;
+ ```
diff --git "a/project/nwpu/k8s-rancher/0.1.3.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.2-V1.3\357\274\211.md" "b/project/nwpu/k8s-rancher/0.1.3.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.2-V1.3\357\274\211.md"
new file mode 100644
index 0000000..4cf2e08
--- /dev/null
+++ "b/project/nwpu/k8s-rancher/0.1.3.\350\256\244\350\257\201\346\216\210\346\235\203\346\234\215\345\212\241\345\215\207\347\272\247\346\226\207\346\241\243\357\274\210V1.2-V1.3\357\274\211.md"
@@ -0,0 +1,240 @@
+
+# 认证授权服务升级文档(V1.2 ~ V1.3)
+
+
+## 部署变更说明
+
+对本次升级进行的简要说明,具体的升级步骤,详见 **升级说明**
+
+1. 新增 authx-service/authx-management ,用户认证授权管理前端
+
+2. 新增 authx-service/authx-ingress ,提供 authx-management 的外网域名访问,暂用 `admin-platform.paas.nwpu.edu.cn`
+
+
+
+## 升级说明
+
+1. 将 工作负载 下的服务 升级到 1.3.x 版本
+
+2. 部署 Deployment authx-service/authx-management
+
+ 部署yaml 位于 1.authx-service/0.authx-service/4.9.authx-management.yaml
+
+3. 部署 Ingress authx-service/authx-management-ingress
+
+ 部署yaml 位于 1.authx-service/0.authx-service/2.authx-service-ingresses.yaml
+
+ 若无发提供新域名的,可以使用 admin-platform.paas.nwpu.edu.cn
+
+4. 部署成功后,须修改 admin-platform 的相关配置
+
+ 修改 ConfigMap admin-platform/admin-platform-spa-env 下的配置项 `CAS_SERVER_SPA_URL`, `USER_SERVER_SPA_URL`, `AUTH_SERVER_SPA_URL`
+
+ ```
+ CAS_SERVER_SPA_URL: http://admin-platform.paas.nwpu.edu.cn/authx-management/cas-server
+ USER_SERVER_SPA_URL: http://admin-platform.paas.nwpu.edu.cn/authx-management/user-server
+ AUTH_SERVER_SPA_URL: http://admin-platform.paas.nwpu.edu.cn/authx-management/auth-server
+ ```
+
+ http://admin-platform.paas.nwpu.edu.cn/cas-server-spa
+ http://admin-platform.paas.nwpu.edu.cn/user-server-spa
+ http://admin-platform.paas.nwpu.edu.cn/auth-server-spa
+
+
+
+## 初始化数据
+
+
+### 创建菜单
+
+#### 方式一,手动导入
+
+**将 origin 修改为正确的 学校域名**
+
+进入 云平台 - 基础管理 - 菜单管理,导入
+
+所属应用 选择 用户授权
+
+菜单列表(JSON)如下,(复制后粘贴)
+
+
+* 认证管理
+
+```json
+[
+ {
+ "id": "22000", "parentIdOrCode":"20000", "code": "journalManage", "name": "日志管理", "memo": "", "status": "1",
+ "icon": "su-icon-taocanguanli", "origin": "http://admin-platform.paas.nwpu.edu.cn", "url": "/cas-server/journalManage", "target": "",
+ "order": 22000, "resourceIdOrCodes": []
+ }
+]
+```
+
+
+* 授权管理
+
+```json
+[
+ {
+ "id": "41100", "parentIdOrCode":"40000", "code": "accountAuthorizationAudit", "name": "账号授权审计", "memo": "", "status": "1",
+ "icon": "su-icon-zhsqsj", "origin": "http://admin-platform.paas.nwpu.edu.cn", "url": "/auth-server/accountAuthorizationAudit", "target": "",
+ "order": 41100, "resourceIdOrCodes": []
+ },
+ {
+ "id": "41200", "parentIdOrCode":"40000", "code": "userAudit", "name": "用户规则权限审计", "memo": "", "status": "0",
+ "icon": "su-icon-yhgzqxsj", "origin": "http://admin-platform.paas.nwpu.edu.cn", "url": "/auth-server/userAudit", "target": "",
+ "order": 41200, "resourceIdOrCodes": []
+ },
+ {
+ "id": "41300", "parentIdOrCode":"40000", "code": "rolePermissionAudit", "name": "角色授权审计", "memo": "", "status": "1",
+ "icon": "su-icon-jszsqsj", "origin": "http://admin-platform.paas.nwpu.edu.cn", "url": "/auth-server/rolePermissionAudits", "target": "",
+ "order": 41300, "resourceIdOrCodes": []
+ },
+ {
+ "id": "41350", "parentIdOrCode":"40000", "code": "roleGroupPermissionAudit", "name": "角色组授权审计", "memo": "", "status": "1",
+ "icon": "su-icon-jszsqsj", "origin": "http://admin-platform.paas.nwpu.edu.cn", "url": "/auth-server/roleGroupPermissionAudit", "target": "",
+ "order": 41350, "resourceIdOrCodes": []
+ },
+ {
+ "id": "41400", "parentIdOrCode":"40000", "code": "authOperationsAudit", "name": "权限操作审计", "memo": "", "status": "1",
+ "icon": "su-icon-qxczsj", "origin": "http://admin-platform.paas.nwpu.edu.cn", "url": "/auth-server/authOperationsAudit", "target": "",
+ "order": 41400, "resourceIdOrCodes": []
+ },
+ {
+ "id": "41500", "parentIdOrCode":"40000", "code": "authStatisticalMonitor", "name": "授权统计监控", "memo": "", "status": "1",
+ "icon": "su-icon-sqtjjk", "origin": "http://admin-platform.paas.nwpu.edu.cn", "url": "/auth-server/authStatisticalMonitor", "target": "",
+ "order": 41500, "resourceIdOrCodes": []
+ }
+]
+```
+
+
+#### 方式二,bash脚本
+
+**将 origin 修改为正确的 学校域名**
+
+进入 admin-center-sa 下的 pod, 执行命令行
+
+
+* 认证管理
+
+```bash
+curl -i -s -X POST "http://localhost:8080/v1/admin/menus/importMenu" -H 'Content-Type: application/json' \
+-d \
+'
+{
+ "applicationId": "10",
+ "menuList":
+ [
+ {
+ "id": "22000", "parentIdOrCode":"20000", "code": "journalManage", "name": "日志管理", "memo": "", "status": "1",
+ "icon": "su-icon-taocanguanli", "origin": "http://admin-platform.paas.nwpu.edu.cn", "url": "/cas-server/journalManage", "target": "",
+ "order": 22000, "resourceIdOrCodes": []
+ }
+ ]
+}
+'
+```
+
+* 授权管理
+
+```bash
+curl -i -s -X POST "http://localhost:8080/v1/admin/menus/importMenu" -H 'Content-Type: application/json' \
+-d \
+'
+{
+ "applicationId": "10",
+ "menuList":
+ [
+ {
+ "id": "41100", "parentIdOrCode":"40000", "code": "accountAuthorizationAudit", "name": "账号授权审计", "memo": "", "status": "1",
+ "icon": "su-icon-zhsqsj", "origin": "http://admin-platform.paas.nwpu.edu.cn", "url": "/auth-server/accountAuthorizationAudit", "target": "",
+ "order": 41100, "resourceIdOrCodes": []
+ },
+ {
+ "id": "41200", "parentIdOrCode":"40000", "code": "userAudit", "name": "用户规则权限审计", "memo": "", "status": "0",
+ "icon": "su-icon-yhgzqxsj", "origin": "http://admin-platform.paas.nwpu.edu.cn", "url": "/auth-server/userAudit", "target": "",
+ "order": 41200, "resourceIdOrCodes": []
+ },
+ {
+ "id": "41300", "parentIdOrCode":"40000", "code": "rolePermissionAudit", "name": "角色授权审计", "memo": "", "status": "1",
+ "icon": "su-icon-jszsqsj", "origin": "http://admin-platform.paas.nwpu.edu.cn", "url": "/auth-server/rolePermissionAudits", "target": "",
+ "order": 41300, "resourceIdOrCodes": []
+ },
+ {
+ "id": "41350", "parentIdOrCode":"40000", "code": "roleGroupPermissionAudit", "name": "角色组授权审计", "memo": "", "status": "1",
+ "icon": "su-icon-jszsqsj", "origin": "http://admin-platform.paas.nwpu.edu.cn", "url": "/auth-server/roleGroupPermissionAudit", "target": "",
+ "order": 41350, "resourceIdOrCodes": []
+ },
+ {
+ "id": "41400", "parentIdOrCode":"40000", "code": "authOperationsAudit", "name": "权限操作审计", "memo": "", "status": "1",
+ "icon": "su-icon-qxczsj", "origin": "http://admin-platform.paas.nwpu.edu.cn", "url": "/auth-server/authOperationsAudit", "target": "",
+ "order": 41400, "resourceIdOrCodes": []
+ },
+ {
+ "id": "41500", "parentIdOrCode":"40000", "code": "authStatisticalMonitor", "name": "授权统计监控", "memo": "", "status": "1",
+ "icon": "su-icon-sqtjjk", "origin": "http://admin-platform.paas.nwpu.edu.cn", "url": "/auth-server/authStatisticalMonitor", "target": "",
+ "order": 41500, "resourceIdOrCodes": []
+ }
+ ]
+}
+'
+```
+
+
+### 关联角色权限
+
+角色由授权服务进行初始化
+
+
+#### 方式一,手动导入(暂不支持)
+
+进入 云平台 - 基础管理 - 角色权限,导入
+
+角色权限(JSON)如下,(复制后粘贴)
+
+```json
+[
+ {
+ "roleId": "20", "roleCode":"cas-admin",
+ "permissionIdOrCodes": ["1", "20000", "20100", "20200", "20300", "20400", "20500", "20600", "20700", "20800", "20900", "21000", "21100", "22000"]
+ },
+ {
+ "roleId": "40", "roleCode": "user-authz-admin",
+ "permissionIdOrCodes": ["1", "40000", "40050", "40100", "40200", "40300", "40500", "40900", "41100", "41200", "41300", "41350", "41400", "41500"]
+ }
+]
+```
+
+
+#### 方式二,bash脚本
+
+进入 admin-center-sa 下的 pod, 执行命令行
+
+```bash
+curl -i -s -X POST "http://localhost:8080/v1/admin/rolePermissions/importRolePermission" -H 'Content-Type: application/json' \
+-d \
+'
+{
+ "roleCodeIdMap": {
+ "cas-admin": "20",
+ "user-admin": "30",
+ "user-authz-admin": "40",
+ "user-authz-grant-admin": "41",
+ "user-authz-man-grant-admin": "42"
+ },
+ "rolePermissionList":
+ [
+ {
+ "roleId": "20", "roleCode":"cas-admin",
+ "permissionIdOrCodes": ["1", "20000", "20100", "20200", "20300", "20400", "20500", "20600", "20700", "20800", "20900", "21000", "21100", "22000"]
+ },
+ {
+ "roleId": "40", "roleCode": "user-authz-admin",
+ "permissionIdOrCodes": ["1", "40000", "40050", "40100", "40200", "40300", "40500", "40900", "41100", "41200", "41300", "41350", "41400", "41500"]
+ }
+ ]
+}
+'
+```
+
diff --git "a/project/nwpu/k8s-rancher/0.2.1.POA\357\274\210\345\271\263\345\217\260OpenAPI\357\274\211\346\234\215\345\212\241\346\263\250\345\206\214.md" "b/project/nwpu/k8s-rancher/0.2.1.POA\357\274\210\345\271\263\345\217\260OpenAPI\357\274\211\346\234\215\345\212\241\346\263\250\345\206\214.md"
new file mode 100644
index 0000000..5dcbbb6
--- /dev/null
+++ "b/project/nwpu/k8s-rancher/0.2.1.POA\357\274\210\345\271\263\345\217\260OpenAPI\357\274\211\346\234\215\345\212\241\346\263\250\345\206\214.md"
@@ -0,0 +1,7 @@
+
+# POA(平台OpenAPI)服务注册
+
+**请确保POA已经安装完成**
+
+根据 9.poa-api-docs 下的 readme.md 的说明进行操作
+
diff --git "a/project/nwpu/k8s-rancher/0.2.2.\347\237\255\344\277\241\345\271\263\345\217\260\345\257\271\346\216\245\350\257\264\346\230\216.md" "b/project/nwpu/k8s-rancher/0.2.2.\347\237\255\344\277\241\345\271\263\345\217\260\345\257\271\346\216\245\350\257\264\346\230\216.md"
new file mode 100644
index 0000000..b786222
--- /dev/null
+++ "b/project/nwpu/k8s-rancher/0.2.2.\347\237\255\344\277\241\345\271\263\345\217\260\345\257\271\346\216\245\350\257\264\346\230\216.md"
@@ -0,0 +1,14 @@
+# 短信平台对接说明
+
+
+## 阿里云短信服务
+
+须申请阿里云短信服务
+
+参考 docs 下的 《阿里云短信申请(签名、模板)》
+
+
+## 第三方短信平台
+
+须进行定制开发
+
diff --git a/project/nwpu/k8s-rancher/0.infras/0.0.0.infras-base.yaml b/project/nwpu/k8s-rancher/0.infras/0.0.0.infras-base.yaml
new file mode 100644
index 0000000..e137c9c
--- /dev/null
+++ b/project/nwpu/k8s-rancher/0.infras/0.0.0.infras-base.yaml
@@ -0,0 +1,18 @@
+# 0.0.0.infras-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: base
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ # 上一行的数据根据项目情况修改完毕后进行base64加密生成dockerconfigjson需要的数值
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
+
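Review bot: The `.dockerconfigjson` value on the last data line, together with the decoded example in the comment above it, commits a working Harbor pull credential (`rancher.devops` and its password for `harbor.supwisdom.com`) to the repository; base64 is an encoding, not encryption, so the comment's `base64加密` wording is misleading. A credential that has been pushed should be treated as exposed and rotated, and the manifest should carry only a placeholder, e.g. `# {"auths":{"harbor.supwisdom.com":{"username":"<harbor-user>","password":"<harbor-password>"}}}`, with the real object created out of band via `kubectl -n base create secret docker-registry harbor-registry --docker-server=harbor.supwisdom.com --docker-username=... --docker-password=...`. The same credential block is repeated in the other namespace base manifests of this commit (trans-service, authx-platform, authx-service), so each copy needs the same treatment once the password is rotated.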
diff --git a/project/nwpu/k8s-rancher/0.infras/0.0.1.infras-mysql.yaml b/project/nwpu/k8s-rancher/0.infras/0.0.1.infras-mysql.yaml
new file mode 100644
index 0000000..fd62f7d
--- /dev/null
+++ b/project/nwpu/k8s-rancher/0.infras/0.0.1.infras-mysql.yaml
@@ -0,0 +1,102 @@
+# 0.0.1.infras-mysql.yaml
+
+# 此服务可选安装,用于MySQL数据库的管理提供Web端
+
+####################################################
+# mysql-server
+####################################################
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: base
+ name: mysql-server
+spec:
+ ports:
+ - name: tcp-mysql
+ port: 3306
+ protocol: TCP
+ targetPort: 3306
+---
+kind: Endpoints
+apiVersion: v1
+metadata:
+ namespace: base
+ name: mysql-server
+subsets:
+ - addresses:
+ # 修改实际MySQL服务器的IP地址
+ - ip: 172.30.104.82
+ ports:
+ - name: tcp-mysql
+ port: 3306
+ protocol: TCP
+
+
+####################################################
+# mysql-adminer
+####################################################
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: base
+ name: mysql-adminer
+spec:
+ ports:
+ - name: http
+ port: 8080
+ protocol: TCP
+ targetPort: http
+ selector:
+ app: mysql-adminer
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: base
+ name: mysql-adminer
+spec:
+ selector:
+ matchLabels:
+ app: mysql-adminer
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: mysql-adminer
+ spec:
+ containers:
+ - name: mysql-adminer
+ image: adminer:4
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ env:
+ - name: ADMINER_DEFAULT_SERVER
+ value: mysql-server
+ resources:
+ requests:
+ memory: "512Mi"
+ limits:
+ memory: "512Mi"
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: mysql-adminer-ingress
+ namespace: base
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: mysql-adminer.paas.xxx.edu.cn
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: mysql-adminer
+ servicePort: http
+
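Review bot: The `mysql-adminer-ingress` publishes a database administration console over plain HTTP with no `spec.tls` and no ingress-level authentication, so the MySQL credentials for the `172.30.104.82` endpoint are typed into a login form that anyone who can resolve `mysql-adminer.paas.xxx.edu.cn` can reach and that travels in cleartext. At minimum add a `tls:` block and, depending on the ingress controller in use, a source-IP allowlist or auth annotation; an alternative that avoids the exposure entirely is to drop the Ingress and reach the Service through `kubectl port-forward` when needed. Two smaller points: `image: adminer:4` with `imagePullPolicy: Always` means each pod restart may pull a different build, so a digest or full version tag would make the deployment reproducible, and `extensions/v1beta1` Ingress is removed in Kubernetes 1.22+, so `networking.k8s.io/v1` is needed if the target cluster is on a current release.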
diff --git a/project/nwpu/k8s-rancher/0.infras/0.0.2.infras-sba.yaml b/project/nwpu/k8s-rancher/0.infras/0.0.2.infras-sba.yaml
new file mode 100644
index 0000000..783247d
--- /dev/null
+++ b/project/nwpu/k8s-rancher/0.infras/0.0.2.infras-sba.yaml
@@ -0,0 +1,112 @@
+# 0.0.2.infras-sba.yaml
+
+# 此服务可选安装,用于开发人员排查问题
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: base
+ name: spring-boot-admin-env
+data:
+ SPRING_BOOT_ADMIN_UI_PUBLIC_URL: /
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: base
+ name: spring-boot-admin-env-secret
+data:
+ # sbaadmin
+ SBA_USERNAME: c2JhYWRtaW4=
+ # sbanimda
+ SBA_PASSWORD: c2JhbmltZGE=
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: base
+ name: spring-boot-admin-svc
+ labels:
+ app: spring-boot-admin
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: spring-boot-admin
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: base
+ name: spring-boot-admin
+spec:
+ selector:
+ matchLabels:
+ app: spring-boot-admin
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: spring-boot-admin
+ spec:
+ containers:
+ - name: spring-boot-admin
+ # 若使用了学校搭设的私有仓库,请修改
+ image: harbor.supwisdom.com/institute/spring-boot-admin:0.1.0-SNAPSHOT
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - secretRef:
+ name: spring-boot-admin-env-secret
+ - configMapRef:
+ name: spring-boot-admin-env
+ resources:
+ requests:
+ cpu: 200m
+ memory: "256Mi"
+ limits:
+ cpu: 1000m
+ memory: "256Mi"
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 10
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: sba-ingress
+ namespace: base
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: sba.paas.xxx.edu.cn
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: spring-boot-admin-svc
+ servicePort: http
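Review bot: `spring-boot-admin-env-secret` ships fixed default credentials (`sbaadmin` / `sbanimda`, spelled out in the comments) and `sba-ingress` then exposes the console on plain HTTP at `sba.paas.xxx.edu.cn`, so anyone reading this repository can log in from the internet. Spring Boot Admin proxies the actuator endpoints of the applications registered with it (presumably the authx services monitored by this commit), so a login is likely to give access to their `env`, `loggers` and possibly `heapdump` endpoints — confirm against the SBA image configuration. Replace the two values with per-deployment generated secrets and say so in the comment, e.g. `# 每个环境必须替换为随机生成的账号密码,不要使用默认值`, and add a `tls:` block to the Ingress so the basic-auth credentials are not sent in cleartext.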
diff --git a/project/nwpu/k8s-rancher/0.infras/0.0.x.infras-monitor.yaml b/project/nwpu/k8s-rancher/0.infras/0.0.x.infras-monitor.yaml
new file mode 100644
index 0000000..88c23c2
--- /dev/null
+++ b/project/nwpu/k8s-rancher/0.infras/0.0.x.infras-monitor.yaml
@@ -0,0 +1,21 @@
+#
+
+# 此配置可选安装,用于配置监控
+
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: authx-service-monitor
+ namespace: cattle-prometheus
+spec:
+ selector:
+ matchLabels:
+ needMonitor: 'true'
+ namespaceSelector:
+ matchNames:
+ - user-data-service
+ - user-authorization-service
+ - cas-server
+ endpoints:
+ - port: http-metrics
+ path: /metrics
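Review bot: The `namespaceSelector.matchNames` list omits `base`, yet `spring-boot-admin-svc` in this same commit carries `needMonitor: 'true'` and an `http-metrics` port, so that label is currently dead and the SBA pod is never scraped. If the intent is to include it, add `- base` to the list; if SBA is deliberately excluded, the label on its Service is misleading and could be dropped. Also note that `/metrics` is scraped without any TLS or bearer-token configuration, which is fine inside the cluster only if the `http-metrics` ports are not otherwise exposed — confirm none of the monitored services' Ingresses route to port 6060.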
diff --git a/project/nwpu/k8s-rancher/0.infras/0.0.z.infras-tmp.yaml b/project/nwpu/k8s-rancher/0.infras/0.0.z.infras-tmp.yaml
new file mode 100644
index 0000000..7830e3d
--- /dev/null
+++ b/project/nwpu/k8s-rancher/0.infras/0.0.z.infras-tmp.yaml
@@ -0,0 +1,102 @@
+
+
+# 创建 namespace,如 tmp
+# 并修改以下配置中的 namespace
+
+# 创建 ConfigMap
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ # 修改namespace
+ namespace: tmp
+ name: txt
+data:
+ # 修改 key,value
+ # 其中,
+ # key 为 文件名
+ # value 为 文件内容
+ FWdJ6SLVde.txt: "70976dc348062015aaecd04c4fe393c6"
+
+
+
+# 部署nginx,并将 ConfigMap 挂载成文件
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ # 修改namespace
+ namespace: tmp
+ name: txt-svc
+ labels:
+ app: txt-svc
+spec:
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app: txt
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ # 修改namespace
+ namespace: tmp
+ name: txt
+spec:
+ selector:
+ matchLabels:
+ app: txt
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: txt
+ spec:
+ containers:
+ - name: txt-nginx
+ # 根据情况修改镜像地址
+ image: nginx:latest
+ ports:
+ - containerPort: 80
+ name: http
+ volumeMounts:
+ - name: txt
+ mountPath: /usr/share/nginx/html
+ readOnly: true
+ volumes:
+ - name: txt
+ configMap:
+ # 这个是 ConfigMap 的名称
+ name: txt
+ items:
+ # 将 ConfigMap 中某个 key 的 value 映射为 文件及文件内容
+ - key: FWdJ6SLVde.txt
+ path: FWdJ6SLVde.txt
+
+# 配置ingress
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ # 修改namespace
+ namespace: tmp
+ name: txt-ingress
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: txt.paas.xxx.edu.cn
+ http:
+ paths:
+ # 修改path,对应某个文件路径
+ - path: /FWdJ6SLVde.txt
+ backend:
+ serviceName: txt-svc
+ servicePort: http
+
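Review bot: The `txt` Deployment runs `image: nginx:latest` with no `resources` block, which is inconsistent with every other Deployment in this commit (they pin a vendor tag and set memory requests/limits) and makes the pod's contents change silently on each node pull. Pin the image to a specific tag or digest and give it a small budget, e.g. `resources: {requests: {memory: "32Mi"}, limits: {memory: "64Mi"}}`. The ConfigMap mount is already `readOnly: true`, which is good; since only one file is served, a `securityContext` with `runAsNonRoot` would be the remaining hardening step, though that requires an nginx image variant that listens on a non-privileged port — verify before applying. `extensions/v1beta1` Ingress is removed in Kubernetes 1.22+, so `networking.k8s.io/v1` is needed on a current cluster.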
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/0.trans-service-v4-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/0.trans-service-v4-base.yaml
new file mode 100644
index 0000000..e37e2d5
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/0.trans-service-v4-base.yaml
@@ -0,0 +1,47 @@
+# 0.trans-service-v4-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: trans-service
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
+
+
+####################################################
+# mysql-server
+####################################################
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: trans-service
+ name: mysql-server
+spec:
+ ports:
+ - name: tcp-mysql
+ port: 3306
+ protocol: TCP
+ targetPort: 3306
+---
+kind: Endpoints
+apiVersion: v1
+metadata:
+ namespace: trans-service
+ name: mysql-server
+subsets:
+ - addresses:
+ # 修改实际MySQL服务器的IP地址
+ - ip: 172.30.104.82
+ ports:
+ - name: tcp-mysql
+ port: 3306
+ protocol: TCP
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/1.trans-service-v4-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/1.trans-service-v4-env.yaml
new file mode 100644
index 0000000..7c65b68
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/1.trans-service-v4-env.yaml
@@ -0,0 +1,26 @@
+# 1.trans-service-v4-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: trans-service
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: trans-service
+ name: datasource-env-secret
+type: Opaque
+data:
+ # jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/tmp_data?serverTimezone=Asia/Shanghai
+ JDBC_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvdG1wX2RhdGE/c2VydmVyVGltZXpvbmU9QXNpYS9TaGFuZ2hhaQ==
+ # tmp_data
+ JDBC_USERNAME: dG1wX2RhdGE=
+ # 修改为实际的数据库密码,并使用 base64 工具进行编码
+ # kingstar
+ JDBC_PASSWORD: a2luZ3N0YXI=
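Review bot: `JDBC_URL` decodes to `mysql-server.authx-service.svc.cluster.local`, but this commit defines the `mysql-server` Service and Endpoints for this component in the `trans-service` namespace, and the companion datax job uses the namespace-local `jdbc:mysql://mysql-server:3306/tmp_data`, so the installer would bypass the Endpoints object shipped alongside it — this looks like a copy from the authx-service env file. It should encode `jdbc:mysql://mysql-server.trans-service.svc.cluster.local:3306/tmp_data?serverTimezone=Asia/Shanghai` (or simply `mysql-server`). Separately, the comment `# kingstar` above `JDBC_PASSWORD` reveals the database password in plaintext, which defeats the purpose of the Secret; replace it with a placeholder such as `# <实际数据库密码,使用 base64 编码后填入>` and rotate the password if this value is real.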
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/4.0.trans-service-v4-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/4.0.trans-service-v4-installer.yaml
new file mode 100644
index 0000000..f2a99b8
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/4.0.trans-service-v4-installer.yaml
@@ -0,0 +1,46 @@
+# 4.0.trans-service-v4-installer.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: trans-service
+ name: trans-installer-env
+data:
+ DB_TYPE: mysql8
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: trans-installer
+ namespace: trans-service
+spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: trans-installer
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: trans-installer
+ # 若使用了学校搭设的私有仓库,请修改
+ image: harbor.supwisdom.com/admin-portal/trans-installer:1.0.0-SNAPSHOT
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - configMapRef:
+ name: trans-installer-env
+ # resources:
+ # requests:
+ # memory: "256Mi"
+ # limits:
+ # memory: "256Mi"
+ imagePullSecrets:
+ - name: harbor-registry
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/5.trans-service-v4-datax-job.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/5.trans-service-v4-datax-job.yaml
new file mode 100644
index 0000000..e61d762
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.0.trans-service-v4/5.trans-service-v4-datax-job.yaml
@@ -0,0 +1,55 @@
+# 5.trans-service-v4-datax-job.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: trans-service
+ name: trans-datax-job-env
+data:
+ EANBLED_JOBS: TMP_DM_GENDER,TMP_DM_ORGTYPE,TMP_DM_ACCOUNTTYPE,TMP_DM_IDENTITYTYPE,TMP_ORGANIZE,TMP_PERSON,TMP_ACCOUNT,TMP_REGISTERED_SERVICE,TMP_WEAK_PASSWORD_DICT,TMP_TB_ORGANIZE,TMP_TB_USER,TMP_TB_ACCOUNT,TMP_TB_USERGROUP,TMP_TB_ROLE,TMP_TB_APPLICATION,TMP_TB_FUNCTION,TMP_TB_RIGHT,TMP_TB_ACCOUNTSECURITYEMAIL,TMP_TB_ACCOUNTSECURITYMOBILE,TMP_REF_ORGANIZEUSER,TMP_REF_USERGROUPACCOUNT,TMP_REF_ACCOUNTROLE,TMP_REF_USERGROUPROLE,TMP_REF_USERROLE,TMP_REF_APPLICATIONROLE,TMP_REF_FUNCTIONROLE,TMP_REF_RIGHTROLE
+
+ ORACLEREADER_UNIAUTH_USERNAME: idc_u_uniauth
+ ORACLEREADER_UNIAUTH_PASSWORD: kingstar
+ ORACLEREADER_UNIAUTH_JDBC_URL: jdbc:oracle:thin:@172.30.104.101:1521/xydb
+
+ MYSQLWRITER8_TMP_USERNAME: tmp_data
+ MYSQLWRITER8_TMP_PASSWORD: kingstar
+ MYSQLWRITER8_TMP_JDBC_URL: jdbc:mysql://mysql-server:3306/tmp_data
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: trans-datax-job
+ namespace: trans-service
+spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: trans-datax-job
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: trans-datax-job
+ # 若使用了学校搭设的私有仓库,请修改
+ image: harbor.supwisdom.com/admin-portal/trans-datax-job:1.0.0-SNAPSHOT
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - configMapRef:
+ name: trans-datax-job-env
+ # resources:
+ # requests:
+ # memory: "400Mi"
+ # limits:
+ # memory: "400Mi"
+ imagePullSecrets:
+ - name: harbor-registry
+
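Review bot: The `trans-datax-job-env` ConfigMap stores two database passwords in plaintext (`ORACLEREADER_UNIAUTH_PASSWORD`, `MYSQLWRITER8_TMP_PASSWORD`) together with the Oracle endpoint `172.30.104.101:1521/xydb` and the `idc_u_uniauth` account, which appears to be the university's identity source. ConfigMaps are not covered by Secret encryption-at-rest and are commonly granted more broadly by RBAC than Secrets, so these keys belong in a Secret — the Job already loads `datasource-env-secret` via `secretRef`, so the MySQL pair is redundant with it and the Oracle pair can go into a new `trans-datax-job-env-secret` referenced the same way. The key `EANBLED_JOBS` also looks like a typo for `ENABLED_JOBS`; if the image reads the latter, this list is ignored entirely — confirm against the `trans-datax-job` image before renaming.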
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/0.authx-platform-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/0.authx-platform-base.yaml
new file mode 100644
index 0000000..c67ecae
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/0.authx-platform-base.yaml
@@ -0,0 +1,16 @@
+# 0.authx-platform-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: authx-platform
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/2.authx-platform-ingresses.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/2.authx-platform-ingresses.yaml
new file mode 100644
index 0000000..16aed5d
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/2.authx-platform-ingresses.yaml
@@ -0,0 +1,18 @@
+# 2.authx-platform-ingresses.yaml
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: authx-platform
+ name: authx-platform-docsify-ingress
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: authx-docs.xxx.edu.cn
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: authx-platform-docsify-svc
+ servicePort: http
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/4.9.authx-platform-docsify.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/4.9.authx-platform-docsify.yaml
new file mode 100644
index 0000000..144b0f5
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-platform/4.9.authx-platform-docsify.yaml
@@ -0,0 +1,62 @@
+# 4.9.authx-platform-docsify.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: authx-platform
+ name: authx-platform-docsify-env
+data:
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: authx-platform
+ name: authx-platform-docsify-svc
+ labels:
+ app: authx-platform-docsify-svc
+spec:
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app: authx-platform-docsify
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: authx-platform
+ name: authx-platform-docsify
+spec:
+ selector:
+ matchLabels:
+ app: authx-platform-docsify
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: authx-platform-docsify
+ spec:
+ containers:
+ - name: authx-platform-docsify
+ # 若使用了学校搭设的私有仓库,请修改
+ image: harbor.supwisdom.com/authx-platform/authx-platform-docsify:0.0.1-SNAPSHOT
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 80
+ name: http
+ envFrom:
+ - configMapRef:
+ name: authx-platform-docsify-env
+ resources:
+ requests:
+ memory: "128Mi"
+ limits:
+ memory: "256Mi"
+ imagePullSecrets:
+ - name: harbor-registry
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/0.authx-service-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/0.authx-service-base.yaml
new file mode 100644
index 0000000..b37330a
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/0.authx-service-base.yaml
@@ -0,0 +1,243 @@
+# 0.authx-service-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: authx-service
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
+
+
+
+####################################################
+# redis-server
+####################################################
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ namespace: authx-service
+ name: redis-data-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ # 根据情况修改
+ storageClassName: nfs-client
+ resources:
+ requests:
+ storage: 10Gi
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: authx-service
+ name: redis-server
+ labels:
+ app: redis
+ release: redis-server
+type: Opaque
+data:
+ REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: authx-service
+ name: redis-server
+ labels:
+ app: redis
+ release: redis-server
+spec:
+ ports:
+ - name: redis
+ port: 6379
+ protocol: TCP
+ targetPort: redis
+ selector:
+ app: redis
+ release: redis-server
+ role: master
+ type: ClusterIP
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ namespace: authx-service
+ name: redis-server
+ labels:
+ app: redis
+ release: redis-server
+spec:
+ podManagementPolicy: OrderedReady
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: redis
+ release: redis-server
+ role: master
+ serviceName: redis-master
+ template:
+ metadata:
+ labels:
+ app: redis
+ release: redis-server
+ role: master
+ spec:
+ # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可,注意这里的缩进,imagePullSecrets要对齐到本行#符号)
+ # imagePullSecrets:
+ # - name: harbor-registry
+ containers:
+ - name: redis-server
+ env:
+ - name: REDIS_DISABLE_COMMANDS
+ value: FLUSHDB,FLUSHALL
+ - name: REDIS_REPLICATION_MODE
+ value: master
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: redis-server
+ key: REDIS_PASSWORD
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/bitnami/redis:4.0
+ # 若使用了学校搭设的私有仓库,请修改 为 Always
+ imagePullPolicy: IfNotPresent
+ # imagePullPolicy: Always
+ livenessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 5
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ ports:
+ - containerPort: 6379
+ name: redis
+ protocol: TCP
+ readinessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 5
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
+ volumeMounts:
+ - mountPath: /bitnami/redis/data
+ name: redis-data
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ securityContext:
+ fsGroup: 0
+ # runAsUser: 1001
+ # https://github.com/bitnami/bitnami-docker-redis/issues/106#issuecomment-388884372
+ # runAsUser: 0
+ terminationGracePeriodSeconds: 30
+ volumes:
+ # - name: redis-data
+ # emptyDir: {}
+ - name: redis-data
+ persistentVolumeClaim:
+ claimName: redis-data-pvc
+ updateStrategy:
+ rollingUpdate:
+ partition: 0
+ type: RollingUpdate
+
+
+
+####################################################
+# rabbitmq-server
+####################################################
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: authx-service
+ name: rabbitmq-server
+ labels:
+ app: rabbitmq
+ release: rabbitmq-server
+type: Opaque
+data:
+ RABBITMQ_USERNAME: Z3Vlc3Q=
+ RABBITMQ_PASSWORD: Z3Vlc3Q=
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: authx-service
+ name: rabbitmq-server
+ labels:
+ app: rabbitmq-server
+spec:
+ ports:
+ - port: 5672
+ targetPort: tcp-1
+ protocol: TCP
+ name: tcp-1
+ - port: 15672
+ targetPort: tcp-2
+ protocol: TCP
+ name: tcp-2
+ selector:
+ app: rabbitmq-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: authx-service
+ name: rabbitmq-server
+spec:
+ selector:
+ matchLabels:
+ app: rabbitmq-server
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: rabbitmq-server
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可,注意对齐、缩进)
+ # imagePullSecrets:
+ # - name: harbor-registry
+ containers:
+ - name: rabbitmq-server
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/library/rabbitmq:management
+ # 若使用了学校搭设的私有仓库,请修改 为 Always
+ imagePullPolicy: IfNotPresent
+ # imagePullPolicy: Always
+ ports:
+ - containerPort: 5672
+ name: tcp-1
+ - containerPort: 15672
+ name: tcp-2
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
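Review bot: The harbor-registry Secret carries the decoded registry credential in the comment directly above its base64 `.dockerconfigjson` value, so a plaintext password is committed to the repository; the same pattern is repeated in 0.thirdparty-agent-service-base.yaml, and the env and minio manifests (1.thirdparty-agent-service-env.yaml, 1.authx-service-minio.yaml, agent-service-env-secret in 4.2.thirdparty-agent-service.yaml) likewise print the decoded secret next to the encoded one. Base64 is an encoding, not protection, so every credential in these files should be treated as disclosed and rotated, and the manifests should ship a placeholder such as `.dockerconfigjson: <BASE64_DOCKERCONFIGJSON>` with the Secret created at deploy time (`kubectl create secret docker-registry ...` or a sealed/external secret). The rabbitmq-server Secret also ships the broker's well-known default account, and the Service additionally publishes the management port 15672 inside the cluster; set a per-deployment password and leave the management port off the Service unless an operator actually needs it.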
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-env.yaml
new file mode 100644
index 0000000..ed2a7c2
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-env.yaml
@@ -0,0 +1,35 @@
+# 1.authx-service-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: authx-service
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: authx-service
+ name: redis-env-secret
+type: Opaque
+data:
+ SPRING_REDIS_HOST: cmVkaXMtc2VydmVy
+ SPRING_REDIS_PORT: NjM3OQ==
+ SPRING_REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: authx-service
+ name: rabbitmq-env-secret
+type: Opaque
+data:
+ SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVy
+ SPRING_RABBITMQ_PORT: NTY3Mg==
+ SPRING_RABBITMQ_USERNAME: Z3Vlc3Q=
+ SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q=
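Review bot: redis-env-secret repeats the Redis password that the redis-server Secret in 0.authx-service-base.yaml already holds as REDIS_PASSWORD, so the two copies will drift the first time one of them is rotated; the same duplication exists between rabbitmq-env-secret and rabbitmq-server. Since the consumer reads SPRING_REDIS_PASSWORD from the environment, the Deployment could map it from the single source with `valueFrom: secretKeyRef: {name: redis-server, key: REDIS_PASSWORD}` instead of a second base64 copy. If the duplicate is kept on purpose, a comment in this file should say which Secret is authoritative and that both must be changed together.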
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-minio.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-minio.yaml
new file mode 100644
index 0000000..46762d7
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-minio.yaml
@@ -0,0 +1,136 @@
+# 1.authx-service-minio.yaml
+
+####################################################
+# minio
+# 文件服务器,对象存储
+####################################################
+
+# 手动初始化默认的图片
+#
+# 访问 https://authx-minio.paas.xxx.edu.cn
+# 登录 1y8N@8R@a_2u , 8pxlIe9#lN7Q
+
+# 创建 bucket: cas-server-site-ui
+# 将 cas-server-site-ui 目录下的 图片,上传到 cas-server-site-ui 中(此为认证登录界面上使用的图片,实际项目中,由UI进行设计后,替换)
+
+# 创建 bucket: portrait ,并设置访问策略 * Read Only
+# 将 portrait 目录下的 图片,上传到 portrait 中(此为用户的默认头像)
+
+# 创建 bucket: security-center-ui ,并设置访问策略 * Read Only
+# 在 security-center-ui 目录下 创建目录 favicon ,上传文件 security-center-ui/favicon/favicon.ico
+# 在 security-center-ui 目录下 创建目录 logo ,上传文件 security-center-ui/logo/logo.png
+# 此为安全中心界面上使用的图片,由UI进行设计后,替换
+
+# 创建 bucket: admin-platform ,并设置访问策略 * Read Only
+# 在 admin-platform 目录下 创建目录 favicon ,上传文件 admin-platform/favicon/sw.ico (ico 的文件名,根据 admin-platform 中配置的 SCHOOL_NAME 来确定)
+# 此为云平台界面上使用的图片,由UI进行设计后,替换
+
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: minio-data-pvc
+ namespace: authx-service
+spec:
+ accessModes:
+ - ReadWriteMany
+ # 根据情况修改
+ storageClassName: nfs-client
+ resources:
+ requests:
+ storage: 50Gi
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: minio-env-secret
+ namespace: authx-service
+type: Opaque
+data:
+ # 修改 access_key,并使用 base64 工具进行编码
+ # 默认值:1y8N@8R@a_2u
+ MINIO_ACCESS_KEY: MXk4TkA4UkBhXzJ1
+ # 修改 secret_key,并使用 base64 工具进行编码
+ # 默认至:8pxlIe9#lN7Q
+ MINIO_SECRET_KEY: OHB4bEllOSNsTjdR
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: authx-service
+ name: minio-svc
+ labels:
+ app: minio
+spec:
+ ports:
+ - port: 9000
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app: minio
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: authx-service
+ name: minio
+spec:
+ selector:
+ matchLabels:
+ app: minio
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: minio
+ spec:
+ containers:
+ - name: minio
+ image: minio/minio:RELEASE.2020-04-23T00-58-49Z
+ imagePullPolicy: Always
+ args:
+ - "server"
+ - "/data"
+ ports:
+ - containerPort: 9000
+ name: http
+ envFrom:
+ - secretRef:
+ name: minio-env-secret
+ volumeMounts:
+ - mountPath: /data
+ name: minio-data
+ resources:
+ requests:
+ memory: "256Mi"
+ limits:
+ memory: "256Mi"
+ volumes:
+ - name: minio-data
+ persistentVolumeClaim:
+ claimName: minio-data-pvc
+
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: authx-minio-ingress
+ namespace: authx-service
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-body-size: 8m
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: authx-minio.paas.xxx.edu.cn
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: minio-svc
+ servicePort: http
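Review bot: The minio-env-secret comments spell out the access key and secret key in clear text beside their base64 values, and the header block repeats the same login, so the object-store root credential appears three times in the repository; rotate it and keep only the instruction comments with the value replaced by a placeholder such as `MINIO_ACCESS_KEY: <BASE64_ACCESS_KEY>`. The Ingress uses `apiVersion: extensions/v1beta1`, which was removed in Kubernetes 1.22, and the same API version is used by the Ingress objects in 1.authx-service-mysql.yaml, 2.authx-service-ingresses.yaml and 8.echo-server.yaml; clusters at or above that release need `apiVersion: networking.k8s.io/v1` with the `service: {name: ..., port: {name: http}}` backend form. The Ingress also has no `tls:` section, so the console login crosses the network in plaintext unless TLS is terminated somewhere outside these manifests; state that assumption in a comment or add the TLS block.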
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-mysql.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-mysql.yaml
new file mode 100644
index 0000000..1c799d0
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/1.authx-service-mysql.yaml
@@ -0,0 +1,102 @@
+# 0.0.1.authx-service-mysql.yaml
+
+####################################################
+# mysql-server
+# 外部 MySQL 的服务地址映射
+####################################################
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: authx-service
+ name: mysql-server
+spec:
+ ports:
+ - name: tcp-mysql
+ port: 3306
+ protocol: TCP
+ targetPort: 3306
+---
+kind: Endpoints
+apiVersion: v1
+metadata:
+ namespace: authx-service
+ name: mysql-server
+subsets:
+ - addresses:
+ # 修改实际MySQL服务器的IP地址
+ - ip: 10.40.10.52
+ ports:
+ - name: tcp-mysql
+ port: 3306
+ protocol: TCP
+
+
+# 此服务可选安装,用于MySQL数据库的管理提供Web端
+
+####################################################
+# mysql-adminer
+####################################################
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: authx-service
+ name: mysql-adminer
+spec:
+ ports:
+ - name: http
+ port: 8080
+ protocol: TCP
+ targetPort: http
+ selector:
+ app: mysql-adminer
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: authx-service
+ name: mysql-adminer
+spec:
+ selector:
+ matchLabels:
+ app: mysql-adminer
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: mysql-adminer
+ spec:
+ containers:
+ - name: mysql-adminer
+ image: adminer:4
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ env:
+ - name: ADMINER_DEFAULT_SERVER
+ value: mysql-server
+ resources:
+ requests:
+ memory: "512Mi"
+ limits:
+ memory: "512Mi"
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: authx-service
+ name: mysql-adminer-ingress
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: mysql-adminer.paas.xxx.edu.cn
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: mysql-adminer
+ servicePort: http
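Review bot: The header comment reads `# 0.0.1.authx-service-mysql.yaml` while the file is 1.authx-service-mysql.yaml; every other manifest in this set uses its own file name as the header, so this should be `# 1.authx-service-mysql.yaml`. The Endpoints object hard-codes a concrete database address even though the comment asks the reader to change it; a placeholder such as `- ip: <MYSQL_SERVER_IP>` would match the `xxx.edu.cn` convention the host names use elsewhere. The mysql-adminer Ingress publishes a database administration UI on a public host name with no TLS and no ingress-level restriction; the file already calls the component optional, so leaving the Ingress out by default, or restricting it with `nginx.ingress.kubernetes.io/whitelist-source-range`, would be the safer default.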
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/2.authx-service-ingresses.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/2.authx-service-ingresses.yaml
new file mode 100644
index 0000000..b78a861
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/2.authx-service-ingresses.yaml
@@ -0,0 +1,22 @@
+# 2.authx-service-ingresses.yaml
+
+# 用户授权管理前端
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: authx-service
+ name: authx-management-ingress
+ annotations:
+ nginx.ingress.kubernetes.io/use-regex: "true"
+ nginx.ingress.kubernetes.io/rewrite-target: /$1
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: admin-platform.paas.nwpu.edu.cn
+ http:
+ paths:
+ - path: /authx-management/(.*)
+ backend:
+ serviceName: authx-management-svc
+ servicePort: http
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml
new file mode 100644
index 0000000..18160d3
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/4.4.authx-service-bff.yaml
@@ -0,0 +1,142 @@
+# 4.4.authx-service-bff.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: authx-service
+ name: authx-service-bff-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+ LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_AUTHX_SERVICE_BFF: INFO
+
+
+ SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800"
+ SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100"
+ SPRING_REDIS_JEDIS_POOL_MINIDLE: "100"
+
+
+ CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore
+ #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ USER_AUTHZ_SERVICE_SERVER_URL: http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080
+ USER_AUTHZ_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ TPAS_FILE_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
+ TPAS_CLIENT_AUTH_ENABLED: "false"
+ #TPAS_CLIENT_AUTH_KEY_PASSWORD: ""
+ #TPAS_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #TPAS_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #TPAS_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #TPAS_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: authx-service
+ name: authx-service-bff-svc
+ labels:
+ app: authx-service-bff
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: authx-service-bff
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: authx-service
+ name: authx-service-bff
+spec:
+ selector:
+ matchLabels:
+ app: authx-service-bff
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: authx-service-bff
+ spec:
+ containers:
+ - name: authx-service-bff
+ image: paas.harbor.nwpu.edu.cn/authx-service/authx-service-bff:1.4.4-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: redis-env-secret
+ - configMapRef:
+ name: authx-service-bff-env
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
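Review bot: AUTHX_LOG_RABBITMQ_USERNAME and AUTHX_LOG_RABBITMQ_PASSWORD are placed in the authx-service-bff-env ConfigMap in plain text, although 1.authx-service-env.yaml already defines rabbitmq-env-secret for the same broker. ConfigMaps are readable by anyone with read access to the namespace and are printed by `kubectl describe`, so these two keys should move into a Secret and be pulled in through the Deployment's `envFrom`, e.g. a `- secretRef:` / `name: rabbitmq-env-secret` entry next to the existing redis-env-secret one (the variable names differ from SPRING_RABBITMQ_*, so either rename the keys or map them with `env`/`valueFrom`). A one-line comment above the AUTHX_LOG_* block naming where the credential is sourced from would keep the next reader from re-adding it here.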
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/4.9.authx-management.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/4.9.authx-management.yaml
new file mode 100644
index 0000000..f1b17fd
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/4.9.authx-management.yaml
@@ -0,0 +1,61 @@
+# 4.9.authx-management.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: authx-service
+ name: authx-management-env
+data:
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: authx-service
+ name: authx-management-svc
+ labels:
+ app: authx-management-svc
+spec:
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app: authx-management
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: authx-service
+ name: authx-management
+spec:
+ selector:
+ matchLabels:
+ app: authx-management
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: authx-management
+ spec:
+ containers:
+ - name: authx-management
+ image: paas.harbor.nwpu.edu.cn/authx-service/authx-management:1.4.4-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 80
+ name: http
+ envFrom:
+ - configMapRef:
+ name: authx-management-env
+ resources:
+ requests:
+ memory: "128Mi"
+ limits:
+ memory: "256Mi"
+ imagePullSecrets:
+ - name: harbor-registry
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/8.echo-server.yaml b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/8.echo-server.yaml
new file mode 100644
index 0000000..0c2de7e
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/8.echo-server.yaml
@@ -0,0 +1,58 @@
+# 8.echo-server.yaml
+
+# 用于环境测试
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: echo-server
+ namespace: default
+ labels:
+ run: echo-server
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: 8080
+ protocol: TCP
+ name: http
+ selector:
+ run: echo-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: echo-server
+ namespace: default
+spec:
+ selector:
+ matchLabels:
+ run: echo-server
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ run: echo-server
+ spec:
+ containers:
+ - name: echo-server
+ # 若使用了学校搭设的私有仓库,请修改
+ image: inanimate/echo-server:latest
+ ports:
+ - containerPort: 8080
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: echo-server-ingress
+ namespace: default
+spec:
+ rules:
+ # **修改** 学校的根域名
+ - host: echo.paas.xxx.edu.cn
+ http:
+ paths:
+ - backend:
+ serviceName: echo-server
+ servicePort: 80
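Review bot: The echo-server is deployed into the `default` namespace with `image: inanimate/echo-server:latest`, no resource requests or limits, and a public Ingress, while the file comment says it exists only for environment testing. An unpinned `latest` tag makes the deployment non-reproducible, and an echo endpoint reflects request headers back to any caller, so the image should be pinned to a version or digest, the Ingress kept off the public host name or restricted to an allow-list, and the whole object removed once the smoke test passes. A comment at the top such as `# 仅用于环境验证,验证完成后请删除 (remove after environment verification)` would make that lifecycle explicit.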
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/admin-platform/favicon/sw.ico b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/admin-platform/favicon/sw.ico
new file mode 100644
index 0000000..ffce864
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/admin-platform/favicon/sw.ico
Binary files differ
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/bg.png b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/bg.png
new file mode 100644
index 0000000..19a2beb
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/bg.png
Binary files differ
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/favicon.ico b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/favicon.ico
new file mode 100644
index 0000000..ffce864
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/favicon.ico
Binary files differ
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/icon.png b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/icon.png
new file mode 100644
index 0000000..61a5920
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/icon.png
Binary files differ
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/logo.png b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/logo.png
new file mode 100644
index 0000000..53938d7
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/cas-server-site-ui/logo.png
Binary files differ
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/1.png b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/1.png
new file mode 100644
index 0000000..fd1a680
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/1.png
Binary files differ
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/2.png b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/2.png
new file mode 100644
index 0000000..fd1a680
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/2.png
Binary files differ
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/profile.png b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/profile.png
new file mode 100644
index 0000000..fd1a680
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/portrait/profile.png
Binary files differ
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/security-center-ui/favicon/favicon.ico b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/security-center-ui/favicon/favicon.ico
new file mode 100644
index 0000000..ffce864
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/security-center-ui/favicon/favicon.ico
Binary files differ
diff --git a/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/security-center-ui/logo/logo.png b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/security-center-ui/logo/logo.png
new file mode 100644
index 0000000..53938d7
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/0.authx-service/security-center-ui/logo/logo.png
Binary files differ
diff --git a/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/0.thirdparty-agent-service-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/0.thirdparty-agent-service-base.yaml
new file mode 100644
index 0000000..b6a4f77
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/0.thirdparty-agent-service-base.yaml
@@ -0,0 +1,16 @@
+# thirdparty-agent-service-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: thirdparty-agent-service
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
diff --git a/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/1.thirdparty-agent-service-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/1.thirdparty-agent-service-env.yaml
new file mode 100644
index 0000000..b568c8a
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/1.thirdparty-agent-service-env.yaml
@@ -0,0 +1,26 @@
+# thirdparty-agent-service-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: thirdparty-agent-service
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: thirdparty-agent-service
+ name: datasource-env-secret
+type: Opaque
+data:
+ # jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/agent_service?serverTimezone=Asia/Shanghai
+ SPRING_DATASOURCE_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvYWdlbnRfc2VydmljZT9zZXJ2ZXJUaW1lem9uZT1Bc2lhL1NoYW5naGFp
+ # agent_service
+ SPRING_DATASOURCE_USERNAME: YWdlbnRfc2VydmljZQ==
+ # 修改为实际的数据库密码,并使用 base64 工具进行编码
+ # kingstar
+ SPRING_DATASOURCE_PASSWORD: a2luZ3N0YXI=
diff --git a/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/4.2.thirdparty-agent-service.yaml b/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/4.2.thirdparty-agent-service.yaml
new file mode 100644
index 0000000..a129c1c
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/1.thirdparty-agent-service/4.2.thirdparty-agent-service.yaml
@@ -0,0 +1,156 @@
+# thirdparty-agent-service.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: thirdparty-agent-service
+ name: agent-service-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+
+ SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10"
+ SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "20"
+ SPRING_DATASOURCE_DRUID_MIN_IDLE: "10"
+
+ LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_TPAS: INFO
+
+ ## file-db
+ FILE_DB_AUTOCONFIGURE_ENABLED: "false"
+
+ ## file-minio
+ FILE_MINIO_AUTOCONFIGURE_ENABLED: "true"
+ FILE_MINIO_ENDPOINT: http://minio-svc.authx-service.svc.cluster.local:9000
+ # FILE_MINIO_ACCESSKEY: ""
+ # FILE_MINIO_SECRETKEY: ""
+
+ ## mail-console
+ MAIL_CONSOLE_AUTOCONFIGURE_ENABLED: "true"
+
+ # 若须对接邮件服务,须提供 SMTP 帐号
+ ## mail-smtp
+ MAIL_SMTP_AUTOCONFIGURE_ENABLED: "false"
+ MAIL_SMTP_HOST: smtp.mxhichina.com
+ MAIL_SMTP_PORT: "25"
+ MAIL_SMTP_SECURE_MODE: NONE
+ MAIL_SMTP_USERNAME: security.institute@supwisdom.com
+ MAIL_SMTP_PASSWORD: Security2019
+ MAIL_SMTP_FROM: security.institute@supwisdom.com
+ MAIL_SMTP_FROM_PERSONAL: 智慧校园
+
+ ## sms-console
+ SMS_CONSOLE_AUTOCONFIGURE_ENABLED: "true"
+
+ # 若须使用阿里云短信服务,须提供帐号
+ ## sms-aliyun
+ SMS_ALIYUN_AUTOCONFIGURE_ENABLED: "false"
+ SMS_ALIYUN_REGION_ID: cn-hangzhou
+ SMS_ALIYUN_ACCESS_KEY_ID: ""
+ SMS_ALIYUN_ACCESS_SECRET: ""
+
+ # 若须对接sms 接口,须进行二开定制
+
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: thirdparty-agent-service
+ name: agent-service-env-secret
+type: Opaque
+data:
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ ## file-minio
+ FILE_MINIO_ACCESSKEY: MXk4TkA4UkBhXzJ1
+ # 1y8N@8R@a_2u
+ FILE_MINIO_SECRETKEY: OHB4bEllOSNsTjdR
+ # 8pxlIe9#lN7Q
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: thirdparty-agent-service
+ name: agent-service-svc
+ labels:
+ app: agent-service
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: agent-service
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: thirdparty-agent-service
+ name: agent-service
+spec:
+ selector:
+ matchLabels:
+ app: agent-service
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: agent-service
+ spec:
+ containers:
+ - name: agent-service
+ # 若使用了学校搭设的私有仓库,请修改
+ image: harbor.supwisdom.com/thirdparty-agent-service/agent-service:1.2.0-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - secretRef:
+ name: agent-service-env-secret
+ - configMapRef:
+ name: agent-service-env
+ resources:
+ requests:
+ memory: "512Mi"
+ limits:
+ memory: "512Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
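Review bot: MAIL_SMTP_USERNAME and MAIL_SMTP_PASSWORD in the agent-service-env ConfigMap carry a real mailbox credential in clear text even though MAIL_SMTP_AUTOCONFIGURE_ENABLED is "false"; the file already defines agent-service-env-secret, so these two keys (and SMS_ALIYUN_ACCESS_KEY_ID / SMS_ALIYUN_ACCESS_SECRET when they are filled in) belong there, with the ConfigMap keeping placeholders such as `MAIL_SMTP_PASSWORD: ""`. The comments under FILE_MINIO_ACCESSKEY and FILE_MINIO_SECRETKEY in that Secret spell out the decoded values, which defeats the purpose of encoding them; drop those comments and rotate the keys. The commented-out `# FILE_MINIO_ACCESSKEY` / `# FILE_MINIO_SECRETKEY` lines in the ConfigMap duplicate keys the Secret sets, and since both are loaded through envFrom the last source wins; a comment stating that the Secret is authoritative, or removing the ConfigMap placeholders, avoids the ambiguity.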
diff --git a/project/nwpu/k8s-rancher/1.authx-service/10.0.init.sql b/project/nwpu/k8s-rancher/1.authx-service/10.0.init.sql
new file mode 100644
index 0000000..0cdc286
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/10.0.init.sql
@@ -0,0 +1,289 @@
+-- 10.0.init.sql
+
+/*
+将 paas.nwpu.edu.cn 替换为 paas.学校域名.edu.cn
+*/
+
+
+use cas_server;
+
+-- 更新 服务 personal-security-center 的信息
+update TB_SERVICE
+set
+ INFORMATION_URL='http://personal-security-center.paas.nwpu.edu.cn',
+ LOGOUT_URL='http://personal-security-center.paas.nwpu.edu.cn/slo?redirect_uri=http://security-center.paas.nwpu.edu.cn/?clearCertification=clearCertification',
+ SERVICE_ID='http://personal-security-center.paas.nwpu.edu.cn/cas/(.*)'
+where ID='2'; -- todo, modify
+
+
+-- security-center-ui 认证对接信息
+
+INSERT INTO `TB_SERVICE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `NAME`, `DESCRIPTION`, `INFORMATION_URL`, `LOGOUT_URL`,
+ `RESPONSE_TYPE`, `LOGOUT_TYPE`,
+ `EVALUATION_ORDER`, `FRIENDLY_NAME`, `REGISTERED_SERVICE_ID`, `SERVICE_ID`,
+ `ENABLED`, `SSO_ENABLED`, `REQUIRE_ALL_ATTRIBUTES`,
+ `APPLICATION_ID`, `EXTERNAL_ID`)
+VALUES ('22', '1', 0, 'admin', '2020-07-01 00:00:00',
+ '安全中心', '安全中心', 'https://security-center.paas.nwpu.edu.cn', 'https://security-center.paas.nwpu.edu.cn/?clearCertification=clearCertification',
+ 'REDIRECT', 'FRONT_CHANNEL',
+ 22, '安全中心', 22, 'https://security-center.paas.nwpu.edu.cn/(.*)',
+ 1, 1, 1,
+ '22', '22');
+
+commit;
+
+-- 修改根域名
+update TB_SERVICE
+set
+ INFORMATION_URL='http://security-center.paas.nwpu.edu.cn',
+ LOGOUT_URL='http://security-center.paas.nwpu.edu.cn/?clearCertification=clearCertification',
+ SERVICE_ID='http://security-center.paas.nwpu.edu.cn/(.*)',
+ ID_TOKEN_ENABLED=1,
+ JWT_AS_SERVICE_TICKET=1,
+ APPLICATION_DOMAIN='security-center.paas.nwpu.edu.cn'
+where ID='22'; -- todo, modify
+
+commit;
+
+
+-- 请注意图片的后缀名,须与实际的文件名保持一致
+update TB_CONFIG set CONFIG_VALUE='cas-server-site-ui__logo.png' where ID='51'; -- casServer.config.logo
+update TB_CONFIG set CONFIG_VALUE='cas-server-site-ui__logo.png' where ID='52'; -- casServer.config.logoM
+
+update TB_CONFIG set CONFIG_VALUE='cas-server-site-ui__bg.png' where ID='53'; -- casServer.config.bg
+update TB_CONFIG set CONFIG_VALUE='cas-server-site-ui__bg.png' where ID='54'; -- casServer.config.bgM
+
+update TB_CONFIG set CONFIG_VALUE='409EFF' where ID='55'; -- casServer.config.schemeColor
+
+update TB_CONFIG set CONFIG_VALUE='cas-server-site-ui__icon.png' where ID='56'; -- casServer.config.iconImageUrl
+
+update TB_CONFIG set CONFIG_VALUE='https://example.com/download.htm' where ID='57'; -- casServer.config.superappDownloadUrl
+update TB_CONFIG set CONFIG_VALUE='超级APP' where ID='57-1'; -- casServer.config.superappName
+
+update TB_CONFIG set CONFIG_VALUE='cas-server-site-ui__favicon.ico' where ID='58'; -- casServer.config.webFavicon
+update TB_CONFIG set CONFIG_VALUE='树维信息' where ID='59'; -- casServer.config.webTitle
+
+update TB_CONFIG set CONFIG_VALUE='' where ID='61'; -- casServer.config.copyrightContent
+update TB_CONFIG set CONFIG_VALUE='' where ID='62'; -- casServer.config.copyrightContentM
+
+
+
+use admin_center;
+
+
+-- 管理接口路由
+
+insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+values ('20', 0, 'authx-service-user-api', '认证授权 - 用户接口', '1', '/api/v1/base', 'https://localhost:8022', 0);
+
+insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+values ('40', 0, 'authx-service-personal-api', '认证授权 - 个人信息接口', '1', '/api/v1/personal', 'http://localhost:8041/api/v1', 1);
+
+insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+values ('21', 0, 'authx-service-admin-api', '认证授权 - 聚合接口(认证、授权)', '1', '/api/v2/admin', 'http://localhost:8009', 0);
+insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+values ('22', 0, 'authx-service-open-api', '认证授权 - 聚合接口(公开)', '1', '/api/v2/open', 'http://localhost:8009', 0);
+
+insert into TB_MGT_ROUTE (ID, DELETED, CODE, NAME, STATUS, PATH_PREFIX, URL, STRIP_PREFIX)
+values ('25', 0, 'authx-service-log-api', '认证授权 - 日志接口', '1', '/api/v2/log', 'http://localhost:8009', 0);
+
+commit;
+
+update TB_MGT_ROUTE set URL='http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080' where ID='20';
+
+update TB_MGT_ROUTE set URL='http://personal-security-center-bff-svc.personal-security-center.svc.cluster.local:8080/api/v1' where ID='40';
+
+update TB_MGT_ROUTE set URL='http://authx-service-bff-svc.authx-service.svc.cluster.local:8080' where ID='21';
+update TB_MGT_ROUTE set URL='http://authx-service-bff-svc.authx-service.svc.cluster.local:8080' where ID='22';
+
+update TB_MGT_ROUTE set URL='http://authx-log-sa-svc.authx-log.svc.cluster.local:8080' where ID='25';
+
+commit;
+
+
+-- 应用
+
+insert into TB_MGT_APPLICATION (ID, DELETED, CODE, NAME, STATUS)
+values ('10', 0, '10', '用户授权', '1');
+
+commit;
+
+
+-- 菜单
+
+/*
+-- 认证管理
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('20000', 0, 'cas-server', '认证管理', '1', '2', '', '/', '10', '1', 20000, 1, 18, 33);
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('20100', 0, 'loginConfig', '登录方式配置', '1', '2', 'su-icon-denglupeizhi', '/cas-server/loginConfig', '10', '20000', 20100, 2, 19, 20);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('20200', 0, 'safeLoginConfig', '账号安全配置', '1', '2', 'su-icon-config-security', '/cas-server/safeLoginConfig', '10', '20000', 20200, 2, 21, 22);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('20300', 0, 'accountActivationConfiguration', '账号激活配置', '1', '2', 'su-icon-bulb', '/cas-server/accountActivationConfiguration', '10', '20000', 20300, 2, 23, 24);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('20400', 0, 'safeConfig', '安全策略配置', '1', '2', 'su-icon-celuepeizhi', '/cas-server/safeConfig', '10', '20000', 20400, 2, 25, 26);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('20500', 0, 'passwordConfig', '密码策略配置', '1', '2', 'su-icon-mimacelue', '/cas-server/passwordConfig', '10', '20000', 20500, 2, 27, 28);
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('20600', 0, 'serverManagement', '应用对接配置', '1', '2', 'el-icon-service', '/cas-server/serverManagement', '10', '20000', 20600, 2, 29, 30);
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('21100', 0, 'analyze', '认证统计分析', '1', '2', 'su-icon-renzhengtongjifenxi', '/cas-server/analyze', '10', '20000', 21100, 2, 31, 32);
+
+commit;
+
+-- 用户管理
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('30000', 0, 'user-server', '用户管理', '1', '2', '', '/', '10', '1', 30000, 1, 34, 53);
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('30100', 0, 'dictionary', '字典管理', '1', '2', 'su-icon-zidian', '/user-server/dictionary', '10', '30000', 30100, 2, 35, 36);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('30200', 0, 'identity', '身份管理', '1', '2', 'su-icon-shenfen', '/user-server/identity', '10', '30000', 30200, 2, 37, 38);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('30300', 0, 'mechanism', '组织机构管理', '1', '2', 'su-icon-department', '/user-server/mechanism', '10', '30000', 30300, 2, 39, 40);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('30400', 0, 'person', '人员管理', '1', '2', 'su-icon-people', '/user-server/person', '10', '30000', 30400, 2, 41, 42);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('30500', 0, 'label', '标签管理', '1', '2', 'su-icon-biaoqian', '/user-server/label', '10', '30000', 30500, 2, 43, 44);
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('30600', 0, 'simpleUserGroupManage', '普通用户组管理', '1', '2', 'su-icon-portrait', '/user-server/simpleUserGroupManage', '10', '30000', 30600, 2, 45, 46);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('30700', 0, 'postUserGroupManage', '岗位用户组管理', '1', '2', 'su-icon-personnel', '/user-server/postUserGroupManage', '10', '30000', 30700, 2, 47, 48);
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('30800', 0, 'assignation', '人员分配', '1', '2', 'su-icon-tihuanbanliren', '/user-server/assignation', '10', '30000', 30800, 2, 49, 50);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('31000', 0, 'activateAccount', '账号激活审核', '1', '2', 'su-icon-yonghushouquan', '/user-server/activateAccount', '10', '30000', 31000, 2, 51, 52);
+
+commit;
+
+-- 授权管理
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('40000', 0, 'authorization-server', '授权管理', '1', '2', '', '/', '10', '1', 40000, 1, 54, 77);
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('40100', 0, 'applicationRole', '角色授权', '1', '2', 'su-icon-yingyongjuese', '/auth-server/applicationRole', '10', '40000', 40100, 2, 55, 56);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('40200', 0, 'authorizationRoleComponent', '角色组授权', '1', '2', 'su-icon-juesezu', '/auth-server/authorizationRoleComponent', '10', '40000', 40200, 2, 57, 58);
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('40300', 0, 'userAuthManagePeople', '用户授权', '1', '2', 'su-icon-yonghushouquan', '/auth-server/userAuthManagePeople', '10', '40000', 40300, 2, 59, 60);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('40400', 0, 'roleAuthManagement', '用户规则授权', '1', '2', 'su-icon-yonghuguize', '/auth-server/roleAuthManagement', '10', '40000', 40400, 2, 61, 62);
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('40500', 0, 'userGroupAuth', '用户组授权', '1', '2', 'su-icon-yonghuguize', '/auth-server/userGroupAuth', '10', '40000', 40500, 2, 63, 64);
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('40900', 0, 'authorizationAndManagement', '分级授权管理', '1', '2', 'su-icon-shouquanjiguanli', '/auth-server/authorizationAndManagement', '10', '40000', 40900, 2, 65, 66);
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('41100', 0, 'accountAuthorizationAudit', '账号授权审计', '1', '2', 'su-icon-zhsqsj', '/auth-server/accountAuthorizationAudit', '10', '40000', 41100, 2, 67, 68);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('41200', 0, 'userAudit', '用户规则权限审计', '1', '2', 'su-icon-yhgzqxsj', '/auth-server/userAudit', '10', '40000', 41200, 2, 69, 70);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('41300', 0, 'rolePermissionAudit', '角色/组授权审计', '1', '2', 'su-icon-jszsqsj', '/auth-server/rolePermissionAudit', '10', '40000', 41300, 2, 71, 72);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('41400', 0, 'authOperationsAudit', '权限操作审计', '1', '2', 'su-icon-qxczsj', '/auth-server/authOperationsAudit', '10', '40000', 41400, 2, 73, 74);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('41500', 0, 'authStatisticalMonitor', '授权统计监控', '1', '2', 'su-icon-sqtjjk', '/auth-server/authStatisticalMonitor', '10', '40000', 41500, 2, 75, 76);
+
+commit;
+*/
+
+/*
+update TB_MGT_PERMISSION
+ set LFT = LFT+2
+where LFT>=51
+;
+
+update TB_MGT_PERMISSION
+ set RGT = RGT+2
+where RGT>=51
+;
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('30750', 0, 'userScope', '用户规则', '1', '1', 'el-icon-guide', '/user-server/userScope', '1', '30000', 30750, 2, 51, 52);
+
+commit;
+*/
+
+
+update TB_MGT_PERMISSION
+ set LFT = LFT+10
+where LFT>=35
+;
+
+update TB_MGT_PERMISSION
+ set RGT = RGT+10
+where RGT>=35
+;
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('20650', 0, 'casConfig', '认证对接配置', '1', '2', 'el-icon-service', '/cas-server/casConfig', '10', '20000', 20650, 2, 35, 36);
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('20700', 0, 'loginPageConfig', '登录页面配置', '1', '2', 'su-icon-tongxunxinxi', '/cas-server/loginPageConfig', '10', '20000', 20700, 2, 37, 38);
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('20800', 0, 'linkLoginConfig', '联合登录配置', '1', '2', 'su-icon-test', '/cas-server/linkLoginConfig', '10', '20000', 20800, 2, 39, 40);
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('20900', 0, 'infoPerfectConfig', '信息完善配置', '1', '2', 'su-icon-chongxintijiao', '/cas-server/infoPerfectConfig', '10', '20000', 20900, 2, 41, 42);
+
+insert into TB_MGT_PERMISSION (ID, DELETED, CODE, NAME, STATUS, TYPE_, ICON, URL, APPLICATION_ID, PARENT_ID, ORDER_, LEVEL_, LFT, RGT)
+values ('21000', 0, 'lockManagement', '认证锁定管理', '1', '2', 'su-icon-shouquanjiguanli', '/cas-server/lockManagement', '10', '20000', 21000, 2, 43, 44);
+
+commit;
+
+
+
+-- 角色权限
+
+insert into TB_MGT_ROLE_PERMISSION (ID, DELETED, ROLE_ID, PERMISSION_ID)
+
+select CONCAT('20_', ID) as ID, 0 as DELETED, '20' as ROLE_ID, ID as PERMISSION_ID
+from TB_MGT_PERMISSION
+where ID like '2____' or ID='1'
+;
+
+insert into TB_MGT_ROLE_PERMISSION (ID, DELETED, ROLE_ID, PERMISSION_ID)
+
+select CONCAT('30_', ID) as ID, 0 as DELETED, '30' as ROLE_ID, ID as PERMISSION_ID
+from TB_MGT_PERMISSION
+where ID like '3____' or ID='1'
+;
+
+insert into TB_MGT_ROLE_PERMISSION (ID, DELETED, ROLE_ID, PERMISSION_ID)
+
+select CONCAT('40_', ID) as ID, 0 as DELETED, '40' as ROLE_ID, ID as PERMISSION_ID
+from TB_MGT_PERMISSION
+where ID like '4____' or ID='1'
+;
+
+
+insert into TB_MGT_ROLE_PERMISSION (ID, DELETED, ROLE_ID, PERMISSION_ID)
+
+select CONCAT('41_', ID) as ID, 0 as DELETED, '41' as ROLE_ID, ID as PERMISSION_ID
+from TB_MGT_PERMISSION
+where ID in ('40000', '40100', '40300', '40400', '40500') or ID='1'
+;
+
+
+insert into TB_MGT_ROLE_PERMISSION (ID, DELETED, ROLE_ID, PERMISSION_ID)
+
+select CONCAT('42_', ID) as ID, 0 as DELETED, '41' as ROLE_ID, ID as PERMISSION_ID
+from TB_MGT_PERMISSION
+where ID in ('40000', '40900') or ID='1'
+;
+
+commit;
+
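Review bot: The `update TB_SERVICE ... where ID='22'` block rewrites the registration inserted just above from `https://security-center.paas.nwpu.edu.cn` to `http://` for INFORMATION_URL, LOGOUT_URL and the SERVICE_ID pattern, and the ID '2' update uses `http://` throughout as well; unless those hosts really are served without TLS, keep `https://` in all three, since the SERVICE_ID pattern is what decides which callback URLs the CAS server will release tickets to. In the last TB_MGT_ROLE_PERMISSION insert the generated ID prefix is `'42_'` but the role is `'41' as ROLE_ID`, which looks like a copy-paste slip from the block above; if a role 42 is meant it should read `'42' as ROLE_ID`, otherwise the prefix should be `'41_'` (and `41_40000` / `41_1` would then collide with the previous block). The LFT/RGT shift only moves nodes at or after 35, yet the five new rows are children of '20000' whose own RGT is not widened; I cannot confirm 20000's current bounds because its seed is commented out, so it is worth checking the nested set stays consistent after this script.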
diff --git a/project/nwpu/k8s-rancher/1.authx-service/10.0.tmp.sql b/project/nwpu/k8s-rancher/1.authx-service/10.0.tmp.sql
new file mode 100644
index 0000000..b7aaa52
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/10.0.tmp.sql
@@ -0,0 +1,206 @@
+
+/*
+ * 若通过交换同步组织机构、帐号数据的,须执行该数据库脚本
+ */
+
+use user;
+
+/*
+
+delete from TB_B_ACCOUNT_ORGANIZATION where ADD_ACCOUNT='trans';
+
+delete from TB_B_SAFETY where ADD_ACCOUNT='trans';
+delete from TB_B_ACCOUNT where ADD_ACCOUNT='trans';
+delete from TB_B_USER where ADD_ACCOUNT='trans';
+
+delete from TMP_ACCOUNT_TRANS;
+
+update TMP_ACCOUNT_ORIGIN set UID=UID;
+*/
+
+
+DROP TRIGGER IF EXISTS after_update_organization_origin;
+
+delimiter //
+create trigger after_update_organization_origin after update on TMP_ORGANIZATION_ORIGIN for each row
+begin
+ declare ID1 varchar(100);
+ declare ID2 varchar(100);
+
+ -- new 代表 表中新增的数据
+ set ID1 = (select ID from TMP_ORGANIZATION_TRANS
+ where ((ID is null and new.ID is null) or ID=new.ID)
+ and ((PARENT_ORGANIZATION_ID is null and new.PARENT_ORGANIZATION_ID is null) or PARENT_ORGANIZATION_ID=new.PARENT_ORGANIZATION_ID)
+ and ((CODE is null and new.CODE is null) or CODE=new.CODE)
+ and ((NAME is null and new.NAME is null) or NAME=new.NAME)
+ and ((DESCRIPTION is null and new.DESCRIPTION is null) or DESCRIPTION=new.DESCRIPTION)
+ and ((TYPE_ID is null and new.TYPE_ID is null) or TYPE_ID=new.TYPE_ID)
+ and ((STATE is null and new.STATE is null) or STATE=new.STATE)
+ and ((ENABLE is null and new.ENABLE is null) or ENABLE=new.ENABLE)
+ and ((IS_DATA_CENTER is null and new.IS_DATA_CENTER is null) or IS_DATA_CENTER=new.IS_DATA_CENTER)
+ );
+ -- into @ID1;
+
+ if ID1 is null then
+ set ID2 = (select ID from TMP_ORGANIZATION_TRANS where ID=new.ID); -- into @ID2;
+
+ if ID2 is null then
+ insert into TMP_ORGANIZATION_TRANS(TRANS_STATUS, TRANS_TIME, PROC_STATUS, PROC_TIME,
+ ID, PARENT_ORGANIZATION_ID,
+ CODE, NAME, DESCRIPTION,
+ TYPE_ID,
+ STATE, ENABLE,
+ IS_DATA_CENTER
+ )
+ values ('1', now(), '0', null,
+ new.ID, new.PARENT_ORGANIZATION_ID,
+ new.CODE, new.NAME, new.DESCRIPTION,
+ new.TYPE_ID,
+ new.STATE, new.ENABLE,
+ new.IS_DATA_CENTER
+ )
+ ;
+
+ else
+ update TMP_ORGANIZATION_TRANS set
+ TRANS_STATUS='2',
+ TRANS_TIME=now(),
+ PROC_STATUS='0',
+ PARENT_ORGANIZATION_ID=new.PARENT_ORGANIZATION_ID,
+ CODE=new.CODE,
+ NAME=new.NAME,
+ DESCRIPTION=new.DESCRIPTION,
+ TYPE_ID=new.TYPE_ID,
+ STATE=new.STATE,
+ ENABLE=new.ENABLE,
+ IS_DATA_CENTER=new.IS_DATA_CENTER
+ where ID=new.ID
+ ;
+
+ end if;
+
+ else
+
+ -- 如果数据没变化,但存在记录,且被处理,则标记未 不更新、不处理
+ update TMP_ORGANIZATION_TRANS set
+ TRANS_STATUS='0',
+ TRANS_TIME=now(),
+ PROC_STATUS='0'
+ where ID=new.ID
+ and PROC_RESULT!='0'
+ ;
+
+ end if;
+
+end //
+delimiter ;
+
+
+DROP TRIGGER IF EXISTS after_update_account_origin;
+
+delimiter //
+create trigger after_update_account_origin after update on TMP_ACCOUNT_ORIGIN for each row
+begin
+ declare ID1 varchar(100);
+ declare ID2 varchar(100);
+
+ -- new 代表 表中新增的数据
+ set ID1 = (select ID from TMP_ACCOUNT_TRANS
+ where ((ID is null and new.ID is null) or ID=new.ID)
+ and ((UID is null and new.UID is null) or UID=new.UID)
+ and ((NAME is null and new.NAME is null) or NAME=new.NAME)
+ and ((NAME_SPELLING is null and new.NAME_SPELLING is null) or NAME_SPELLING=new.NAME_SPELLING)
+ and ((FULL_NAME_SPELLING is null and new.FULL_NAME_SPELLING is null) or FULL_NAME_SPELLING=new.FULL_NAME_SPELLING)
+ and ((CERTIFICATE_TYPE_ID is null and new.CERTIFICATE_TYPE_ID is null) or CERTIFICATE_TYPE_ID=new.CERTIFICATE_TYPE_ID)
+ and ((CERTIFICATE_NUMBER is null and new.CERTIFICATE_NUMBER is null) or CERTIFICATE_NUMBER=new.CERTIFICATE_NUMBER)
+ and ((PHONE_NUMBER is null and new.PHONE_NUMBER is null) or PHONE_NUMBER=new.PHONE_NUMBER)
+ and ((EMAIL is null and new.EMAIL is null) or EMAIL=new.EMAIL)
+ and ((IMAGE_URL is null and new.IMAGE_URL is null) or IMAGE_URL=new.IMAGE_URL)
+ and ((GENDER_ID is null and new.GENDER_ID is null) or GENDER_ID=new.GENDER_ID)
+ and ((NATION_ID is null and new.NATION_ID is null) or NATION_ID=new.NATION_ID)
+ and ((COUNTRY_ID is null and new.COUNTRY_ID is null) or COUNTRY_ID=new.COUNTRY_ID)
+ and ((ADDRESS_ID is null and new.ADDRESS_ID is null) or ADDRESS_ID=new.ADDRESS_ID)
+ and ((ACCOUNT_NAME is null and new.ACCOUNT_NAME is null) or ACCOUNT_NAME=new.ACCOUNT_NAME)
+ and ((ACCOUNT_EXPIRY_DATE is null and new.ACCOUNT_EXPIRY_DATE is null) or ACCOUNT_EXPIRY_DATE=new.ACCOUNT_EXPIRY_DATE)
+ and ((ORGANIZATION_ID is null and new.ORGANIZATION_ID is null) or ORGANIZATION_ID=new.ORGANIZATION_ID)
+ and ((IDENTITY_TYPE_ID is null and new.IDENTITY_TYPE_ID is null) or IDENTITY_TYPE_ID=new.IDENTITY_TYPE_ID)
+ and ((ACTIVATION is null and new.ACTIVATION is null) or ACTIVATION=new.ACTIVATION)
+ and ((STATE is null and new.STATE is null) or STATE=new.STATE)
+ and ((IS_DATA_CENTER is null and new.IS_DATA_CENTER is null) or IS_DATA_CENTER=new.IS_DATA_CENTER)
+ );
+ -- into @ID1;
+
+ if ID1 is null then
+ set ID2 = (select ID from TMP_ACCOUNT_TRANS where ID=new.ID); -- into @ID2;
+
+ if ID2 is null then
+ insert into TMP_ACCOUNT_TRANS(TRANS_STATUS, TRANS_TIME, PROC_STATUS, PROC_TIME,
+ ID, UID,
+ NAME, NAME_SPELLING, FULL_NAME_SPELLING,
+ CERTIFICATE_TYPE_ID, CERTIFICATE_NUMBER,
+ PHONE_NUMBER, EMAIL,
+ IMAGE_URL,
+ GENDER_ID, NATION_ID, COUNTRY_ID, ADDRESS_ID,
+ ACCOUNT_NAME, ACCOUNT_EXPIRY_DATE, ORGANIZATION_ID, IDENTITY_TYPE_ID,
+ ACTIVATION, STATE,
+ IS_DATA_CENTER
+ )
+ values ('1', now(), '0', null,
+ new.ID, new.UID,
+ new.NAME, new.NAME_SPELLING, new.FULL_NAME_SPELLING,
+ new.CERTIFICATE_TYPE_ID, new.CERTIFICATE_NUMBER,
+ new.PHONE_NUMBER, new.EMAIL,
+ new.IMAGE_URL,
+ new.GENDER_ID, new.NATION_ID, new.COUNTRY_ID, new.ADDRESS_ID,
+ new.ACCOUNT_NAME, new.ACCOUNT_EXPIRY_DATE, new.ORGANIZATION_ID, new.IDENTITY_TYPE_ID,
+ new.ACTIVATION, new.STATE,
+ new.IS_DATA_CENTER
+ )
+ ;
+
+ else
+ update TMP_ACCOUNT_TRANS set
+ TRANS_STATUS='2',
+ TRANS_TIME=now(),
+ PROC_STATUS='0',
+ UID=new.UID,
+ NAME=new.NAME,
+ NAME_SPELLING=new.NAME_SPELLING,
+ FULL_NAME_SPELLING=new.FULL_NAME_SPELLING,
+ CERTIFICATE_TYPE_ID=new.CERTIFICATE_TYPE_ID,
+ CERTIFICATE_NUMBER=new.CERTIFICATE_NUMBER,
+ PHONE_NUMBER=new.PHONE_NUMBER,
+ EMAIL=new.EMAIL,
+ IMAGE_URL=new.IMAGE_URL,
+ GENDER_ID=new.GENDER_ID,
+ NATION_ID=new.NATION_ID,
+ COUNTRY_ID=new.COUNTRY_ID,
+ ADDRESS_ID=new.ADDRESS_ID,
+ ACCOUNT_NAME=new.ACCOUNT_NAME,
+ ACCOUNT_EXPIRY_DATE=new.ACCOUNT_EXPIRY_DATE,
+ ORGANIZATION_ID=new.ORGANIZATION_ID,
+ IDENTITY_TYPE_ID=new.IDENTITY_TYPE_ID,
+ ACTIVATION=new.ACTIVATION,
+ STATE=new.STATE,
+ IS_DATA_CENTER=new.IS_DATA_CENTER
+ where ID=new.ID
+ ;
+
+ end if;
+
+ else
+
+ -- 如果数据没变化,但存在记录,且被处理,则标记未 不更新、不处理
+ update TMP_ACCOUNT_TRANS set
+ TRANS_STATUS='0',
+ TRANS_TIME=now(),
+ PROC_STATUS='0'
+ where ID=new.ID
+ and PROC_RESULT!='0'
+ ;
+
+ end if;
+
+end //
+delimiter ;
+
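Review bot: The comment `-- new 代表 表中新增的数据` above the ID1 lookup in both triggers is misleading: these are AFTER UPDATE triggers, so NEW is the post-update image of the TMP_*_ORIGIN row, not a newly inserted row; suggest `-- NEW is the row's post-update image (AFTER UPDATE trigger); a no-op update such as SET UID=UID re-fires it`. The long runs of `((X is null and new.X is null) or X=new.X)` in both WHERE clauses can be written with MySQL's null-safe operator, `X <=> new.X`, which the `delimiter` lines already tie this script to. The leftover `-- into @ID1;` / `-- into @ID2;` fragments are commented-out code and can go. The account trigger also stages CERTIFICATE_NUMBER, PHONE_NUMBER and EMAIL into TMP_ACCOUNT_TRANS, and the only cleanup of that table is the commented-out `delete from TMP_ACCOUNT_TRANS;` at the top, so a note on who drops that data after the migration would help.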
diff --git a/project/nwpu/k8s-rancher/1.authx-service/10.0.trans.sql b/project/nwpu/k8s-rancher/1.authx-service/10.0.trans.sql
new file mode 100644
index 0000000..784af9b
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/10.0.trans.sql
@@ -0,0 +1,73 @@
+-- 10.0.trans.sql
+
+/*
+ 脚本用于 认证v4 的数据迁移
+*/
+
+--执行前 TB_B_USER.UID 加索引
+
+
+
+-- 更新老认证的密码
+UPDATE user.TB_B_USER u, (
+ select ACCOUNT_NAME, case when ENCODED_PASSWORD is null then PASSWORD else ENCODED_PASSWORD end as PASSWORD
+ from tmp_data.TMP_ACCOUNT
+) a
+SET u.PASSWORD = a.PASSWORD
+WHERE u.UID = a.ACCOUNT_NAME
+
+
+
+-- 更新激活状态
+update user.TB_B_ACCOUNT a, (
+ select TB_B_USER.ID from tmp_data.TMP_ACCOUNT
+ inner join user.TB_B_USER on TMP_ACCOUNT.ACCOUNT_NAME=TB_B_USER.UID
+ where TMP_ACCOUNT.IS_ACTIVATED=1
+) tmp
+set a.ACTIVATION=1
+where a.USER_ID=tmp.ID
+
+
+
+-- 更新老认证的安全邮箱
+update user.TB_B_SAFETY s, (
+ select TB_B_USER.ID, TMP_TB_ACCOUNTSECURITYEMAIL.EMAILACCOUNTID as ACCOUNTID, EMAILINFO
+ from tmp_data.TMP_TB_ACCOUNTSECURITYEMAIL
+ inner join tmp_data.TMP_TB_ACCOUNT on TMP_TB_ACCOUNTSECURITYEMAIL.EMAILACCOUNTID=TMP_TB_ACCOUNT.ACCOUNTKEY
+ inner join user.TB_B_USER on TMP_TB_ACCOUNT.ACCOUNTKEY=TB_B_USER.UID
+ where EMAILINFO is not null and EMAILINFO!='' and EMAILINFO!='-1' and EMAILSTATUS in ('已验证', '待修改')
+) email
+set s.SECURE_EMAIL=email.EMAILINFO
+where s.USER_ID=email.ID
+;
+
+-- 更新老认证的安全手机
+update user.TB_B_SAFETY s, (
+ select TB_B_USER.ID, TMP_TB_ACCOUNTSECURITYMOBILE.MOBILEACCOUNTID as ACCOUNTID, MOBILEINFO
+ from tmp_data.TMP_TB_ACCOUNTSECURITYMOBILE
+ inner join tmp_data.TMP_TB_ACCOUNT on TMP_TB_ACCOUNTSECURITYMOBILE.MOBILEACCOUNTID=TMP_TB_ACCOUNT.ACCOUNTKEY
+ inner join user.TB_B_USER on TMP_TB_ACCOUNT.ACCOUNTKEY=TB_B_USER.UID
+ where MOBILEINFO is not null and MOBILEINFO!='' and MOBILEINFO!='-1' and MOBILESTATUS in ('已验证', '待修改')
+) mobile
+set s.SECURE_PHONE=mobile.MOBILEINFO
+where s.USER_ID=mobile.ID
+;
+
+
+
+
+-- 迁移 微信 绑定信息
+insert into cas_server.TB_FEDERATION (ID, COMPANY_ID, DELETED, ADD_ACCOUNT, USER_NO, FEDERATED_TYPE, FEDERATED_ID)
+select ID, '1', 0, 'trans',
+ ACCOUNT_NAME, 'openweixin', WECHAT_UNIONID
+from tmp_data.TMP_ACCOUNT_WECHAT
+;
+
+
+-- 迁移 QQ 绑定信息
+insert into cas_server.TB_FEDERATION (ID, COMPANY_ID, DELETED, ADD_ACCOUNT, USER_NO, FEDERATED_TYPE, FEDERATED_ID)
+select ID, '1', 0, 'trans',
+ ACCOUNT_NAME, 'qq', QQ_OPENID
+from tmp_data.TMP_ACCOUNT_QQ
+;
+
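Review bot: The UPDATE ending at `WHERE u.UID = a.ACCOUNT_NAME` and the one ending at `where a.USER_ID=tmp.ID` have no terminating `;`, so the following `update` is parsed as a continuation and the script fails there; likewise `--执行前 TB_B_USER.UID 加索引` lacks the space MySQL requires after `--` and is not treated as a comment. Add the two semicolons and write `-- 执行前 TB_B_USER.UID 加索引`. The password migration copies `PASSWORD` verbatim when `ENCODED_PASSWORD` is null; if that legacy column can hold unhashed values they land in user.TB_B_USER.PASSWORD as-is, so the fallback deserves a comment stating the expected format, e.g. `-- assumes PASSWORD already holds a hash in the format TB_B_USER expects; verify before running`. The two TB_FEDERATION inserts reuse the source ID with no conflict handling, so re-running after a partial migration will presumably fail on duplicates if ID is the primary key.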
diff --git a/project/nwpu/k8s-rancher/1.authx-service/10.1.init-address-book.sql b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-address-book.sql
new file mode 100644
index 0000000..43f48ec
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-address-book.sql
@@ -0,0 +1,59 @@
+-- 10.1.init-address-book.sql
+
+
+/*
+将 paas.example.com 替换为 paas.学校域名.edu.cn
+*/
+
+
+-- 以下脚本为可选操作
+
+/*
+ * 若部署了通讯录服务产品
+ * 可默认创建几个管理员帐号,以及初始授权
+ */
+
+
+use user;
+
+
+-- 通讯录
+
+insert into `TB_APPLICATION` (ID, DELETED,
+ BUSINESS_DOMAIN_ID, BUSINESS_DOMAIN_NAME, SYSTEM_ID, SYSTEM_NAME,
+ APPLICATION_ID, NAME, DESCRIPTION,
+ ENABLED)
+values ('90', 0,
+ '1', '智慧校园', '1', '业务中台',
+ '90', '通讯录', '',
+ 1
+);
+
+commit;
+
+
+
+use user_authz;
+
+-- 通讯录
+
+INSERT INTO `TB_R_SYSTEM` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `BUSINESS_DOMAIN_ID`,
+ `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`)
+VALUES ('90', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '1',
+ 'address-book', '通讯录', '通讯录', 1);
+
+INSERT INTO `TB_APPLICATION` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `BUSINESS_DOMAIN_ID`, `SYSTEM_ID`,
+ `NAME`, `APPLICATION_ID`, `SYNC_URL`, `ENABLED`)
+VALUES ('90', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '1', '90',
+ '通讯录', '90', '', 1);
+
+-- 更新应用的定时同步接口的地址
+-- UPDATE `TB_APPLICATION` set `SYNC_URL`='http://message-platform.paas.xxx.edu.cn/roles' WHERE ID='90';
+
+commit;
+
+
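Review bot: The header tells the operator to replace `paas.example.com`, but the only URL in this file, the commented SYNC_URL `http://message-platform.paas.xxx.edu.cn/roles`, uses a different placeholder and the message-platform host, so a search-and-replace of the documented token misses it; the same line is live (uncommented) in 10.1.init-message-platform.sql. Either use `paas.example.com` in that placeholder or mention `xxx` in the header, and the scheme should presumably be `https://` since the endpoint is the scheduled role-sync interface the comment describes.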
diff --git a/project/nwpu/k8s-rancher/1.authx-service/10.1.init-flow.sql b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-flow.sql
new file mode 100644
index 0000000..4b1a696
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-flow.sql
@@ -0,0 +1,122 @@
+-- 10.1.init.sql
+
+/*
+将 paas.example.com 替换为 paas.学校域名.edu.cn
+*/
+
+
+-- 以下脚本为可选操作
+
+/*
+ * 若部署了流程平台、门户的产品
+ * 可默认创建几个管理员帐号,以及初始授权
+ */
+
+
+-- 创建管理帐号
+
+use user;
+
+-- flowadmin
+INSERT INTO `TB_B_USER` (`ID`, `DELETED`,
+ `UID`, `PASSWORD`, `NAME`, `NAME_SPELLING`, `FULL_NAME_SPELLING`,
+ `CERTIFICATE_TYPE_ID`, `CERTIFICATE_NUMBER`, `PHONE_NUMBER`, `EMAIL`,
+ `GENDER_ID`, `NATION_ID`, `COUNTRY_ID`, `ADDRESS_ID`)
+VALUES ('50', 0,
+ '50', 'flowadmin', '流程表单管理员', 'flowadmin', 'flowadmin',
+ '20001', '50', null, 'flowadmin@supwisdom.com',
+ '30001', '40001', '50156', '310000');
+
+INSERT INTO `TB_B_ACCOUNT` (`ID`, `DELETED`, `USER_ID`,
+ `ACCOUNT_NAME`, `ACCOUNT_EXPIRY_DATE`, `ORGANIZATION_ID`, `IDENTITY_TYPE_ID`,
+ `ACTIVATION`, `STATE`, `IS_DATA_CENTER`)
+VALUES ('50', 0, '50',
+ 'flowadmin', null, '1', '1',
+ 1, 'NORMAL', 0);
+
+INSERT INTO `TB_B_SAFETY`(`ID`, `DELETED`, `USER_ID`, `SCORE`, `PASSWORD_SCORE`, `SECURE_EMAIL`, `SECURE_PHONE`)
+VALUES ('50', 0, '50', '0', '0', null, null);
+
+INSERT INTO `TB_B_ACCOUNT_ORGANIZATION` (`ID`, `DELETED`,
+ `ROOT_ORGANIZATION_ID`, `ACCOUNT_ID`, `ORGANIZATION_ID`)
+VALUES ('50_1', 0,
+ '0', '50', '1');
+
+INSERT INTO `TB_B_ACCOUNT_LABEL`(`ID`, `DELETED`,
+ `ACCOUNT_ID`, `LABEL_ID`)
+VALUES ('50_1', 0, '50', '1');
+
+commit;
+
+
+-- 创建管理帐号的授权
+
+use user_authz;
+
+-- flow
+INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`)
+VALUES ('50', '1', 0, 'admin', '2019-07-01 00:00:00', '1', 'flow-admin', '流程管理员', '流程管理员', 1, '50');
+INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`, `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`)
+VALUES ('51', '1', 0, 'admin', '2019-07-01 00:00:00', '1', 'flow-biz', '流程业务员', '流程业务员', 1, '51');
+
+INSERT INTO `TB_GRANTED_ACCOUNT_ROLE` (`ID`, `COMPANY_ID`, `DELETED`,
+ `ACCOUNT_ID`, `ROLE_ID`,
+ `GRANT_EXPIRED_DATE`)
+VALUES ('50_50', '1', 0,
+ '50', '50',
+ NULL);
+
+INSERT INTO `TB_ROLE_USER` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `ORIGIN_TYPE`, `ORIGIN_PK`,
+ `APPLICATION_ID`, `ROLE_ID`, `ACCOUNT_ID`,
+ `GRANT_EXPIRED_DATE`)
+VALUES ('50_50', '1', 0, 'admin', '2019-07-01 00:00:00',
+ NULL, NULL,
+ '1', '50', '50',
+ NULL);
+
+commit;
+
+
+-- 创建认证帐号、认证对接
+
+use cas_server;
+
+-- flow
+
+INSERT INTO `TB_ACCOUNT` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `USERNAME`, `PASSWORD`, `DESCRIPTION`, `ENABLED`, `ACCOUNT_NON_EXPIRED`, `ACCOUNT_NON_LOCKED`, `CREDENTIALS_NON_EXPIRED`,
+ `IDENTITY`, `USER_NO`, `NAME`, `MOBILE`, `EMAIL_ADDRESS`, `IDENTITY_TYPE`, `IDENTITY_NO`,
+ `EXTERNAL_ID`)
+VALUES ('50', '1', 0, 'admin', '2019-07-01 00:00:00',
+ 'flowadmin', 'flowadmin', '流程管理员', 1, 1, 1, 1,
+ 'admin', '50', '流程管理员', '', 'flowadmin@supwisdom.com', '20001', '',
+ '50');
+
+commit;
+
+INSERT INTO `TB_SERVICE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `NAME`, `DESCRIPTION`, `INFORMATION_URL`, `LOGOUT_URL`,
+ `RESPONSE_TYPE`, `LOGOUT_TYPE`,
+ `EVALUATION_ORDER`, `FRIENDLY_NAME`, `REGISTERED_SERVICE_ID`, `SERVICE_ID`,
+ `ENABLED`, `SSO_ENABLED`, `REQUIRE_ALL_ATTRIBUTES`,
+ `APPLICATION_ID`, `EXTERNAL_ID`)
+VALUES ('50', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '流程平台', '流程平台', 'https://formflow.paas.example.com', 'https://formflow.paas.example.com/formflow/cas/authen/logout',
+ 'REDIRECT', 'FRONT_CHANNEL',
+ 50, '流程平台', 50, 'https://formflow.paas.example.com/(.*)',
+ 1, 1, 1,
+ '50', '50');
+
+commit;
+
+update TB_SERVICE
+set
+ INFORMATION_URL='http://formflow.paas.example.com',
+ LOGOUT_URL='http://formflow.paas.example.com/formflow/cas/authen/logout',
+ SERVICE_ID='http://formflow.paas.example.com/(.*)',
+ ID_TOKEN_ENABLED=1
+where ID='50'; -- todo, modify
+
+commit;
+
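Review bot: The seed creates the `flowadmin` account with the literal `'flowadmin'` as the password in both user.TB_B_USER (the `VALUES ('50', 0,` insert) and cas_server.TB_ACCOUNT, i.e. a default administrator credential equal to the username with nothing in the file prompting a change; mark it, e.g. `-- placeholder credential: set a unique value before applying and rotate after first login`, and if those columns expect a hash, confirm a plain string is even accepted. The trailing `update TB_SERVICE ... where ID='50'` rewrites the freshly inserted `https://formflow.paas.example.com` registration to `http://`, as 10.0.init.sql does for the security-center services; if the ingress terminates TLS keep `https://` so tickets and the logout redirect are not issued to a cleartext URL. The first line `-- 10.1.init.sql` does not match the file name 10.1.init-flow.sql.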
diff --git a/project/nwpu/k8s-rancher/1.authx-service/10.1.init-message-platform.sql b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-message-platform.sql
new file mode 100644
index 0000000..0cd7f6b
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-message-platform.sql
@@ -0,0 +1,64 @@
+-- 10.1.init-message-platform.sql
+
+
+/*
+将 paas.example.com 替换为 paas.学校域名.edu.cn
+*/
+
+
+-- 以下脚本为可选操作
+
+/*
+ * 若部署了消息服务产品
+ * 可默认创建几个管理员帐号,以及初始授权
+ */
+
+
+use user;
+
+
+-- 消息平台
+
+insert into `TB_APPLICATION` (ID, DELETED,
+ BUSINESS_DOMAIN_ID, BUSINESS_DOMAIN_NAME, SYSTEM_ID, SYSTEM_NAME,
+ APPLICATION_ID, NAME, DESCRIPTION,
+ ENABLED)
+values ('80', 0,
+ '1', '智慧校园', '1', '业务中台',
+ '80', '消息平台', '',
+ 1
+);
+
+commit;
+
+
+
+use user_authz;
+
+-- 消息平台
+
+INSERT INTO `TB_R_SYSTEM` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `BUSINESS_DOMAIN_ID`,
+ `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`)
+VALUES ('80', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '1',
+ 'message-platform', '消息平台', '消息平台', 1);
+
+INSERT INTO `TB_APPLICATION` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `BUSINESS_DOMAIN_ID`, `SYSTEM_ID`,
+ `NAME`, `APPLICATION_ID`, `SYNC_URL`, `ENABLED`)
+VALUES ('80', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '1', '80',
+ '消息平台', '80', '', 1);
+
+-- 更新应用的定时同步接口的地址
+UPDATE `TB_APPLICATION` set `SYNC_URL`='http://message-platform.paas.xxx.edu.cn/roles' WHERE ID='80';
+
+INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`)
+VALUES ('66666', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '80', 'message-publisher', '消息发布员', '消息发布员', 1, '66666');
+
+commit;
+
+
diff --git a/project/nwpu/k8s-rancher/1.authx-service/10.1.init-message.sql b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-message.sql
new file mode 100644
index 0000000..e34383c
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-message.sql
@@ -0,0 +1,88 @@
+-- 10.1.init-message.sql
+
+/*
+将 paas.example.com 替换为 paas.学校域名.edu.cn
+*/
+
+
+-- 以下脚本为可选操作
+
+/*
+ * 若部署了消息服务产品
+ * 可默认创建几个管理员帐号,以及初始授权
+ */
+
+
+-- 创建管理帐号
+
+use user;
+
+-- 消息平台管理
+
+INSERT INTO `TB_B_USER` (`ID`, `DELETED`,
+ `UID`, `PASSWORD`, `NAME`, `NAME_SPELLING`, `FULL_NAME_SPELLING`,
+ `CERTIFICATE_TYPE_ID`, `CERTIFICATE_NUMBER`, `PHONE_NUMBER`, `EMAIL`,
+ `GENDER_ID`, `NATION_ID`, `COUNTRY_ID`, `ADDRESS_ID`)
+VALUES ('80', 0,
+ '80', 'messageadmin', '消息平台管理员', 'messageadmin', 'messageadmin',
+ '20001', '80', null, 'messageadmin@supwisdom.com',
+ '30001', '40001', '50156', '310000');
+
+INSERT INTO `TB_B_ACCOUNT` (`ID`, `DELETED`, `USER_ID`,
+ `ACCOUNT_NAME`, `ACCOUNT_EXPIRY_DATE`, `ORGANIZATION_ID`, `IDENTITY_TYPE_ID`,
+ `ACTIVATION`, `STATE`, `IS_DATA_CENTER`)
+VALUES ('80', 0, '80',
+ 'messageadmin', null, '1', '1',
+ 1, 'NORMAL', 0);
+
+INSERT INTO `TB_B_SAFETY`(`ID`, `DELETED`, `USER_ID`, `SCORE`, `PASSWORD_SCORE`, `SECURE_EMAIL`, `SECURE_PHONE`)
+VALUES ('80', 0, '80', '0', '0', null, null);
+
+INSERT INTO `TB_B_ACCOUNT_ORGANIZATION` (`ID`, `DELETED`,
+ `ROOT_ORGANIZATION_ID`, `ACCOUNT_ID`, `ORGANIZATION_ID`)
+VALUES ('80_1', 0,
+ '0', '80', '1');
+
+INSERT INTO `TB_B_ACCOUNT_LABEL`(`ID`, `DELETED`,
+ `ACCOUNT_ID`, `LABEL_ID`)
+VALUES ('80_1', 0, '80', '1');
+
+commit;
+
+
+
+-- 创建管理帐号的授权
+
+use user_authz;
+
+
+-- 消息平台管理
+
+INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`)
+VALUES ('80', '1', 0, 'admin', '2020-07-01 00:00:00',
+ '1', 'message-admin', '消息平台管理员', '消息平台管理员', 1, '80');
+INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`)
+VALUES ('81', '1', 0, 'admin', '2020-07-01 00:00:00',
+ '1', 'message-opt', '消息平台操作员', '消息平台操作员', 1, '81');
+
+INSERT INTO `TB_GRANTED_ACCOUNT_ROLE` (`ID`, `COMPANY_ID`, `DELETED`,
+ `ACCOUNT_ID`, `ROLE_ID`,
+ `GRANT_EXPIRED_DATE`)
+VALUES ('80_80', '1', 0,
+ '80', '80',
+ NULL);
+
+INSERT INTO `TB_ROLE_USER` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `ORIGIN_TYPE`, `ORIGIN_PK`,
+ `APPLICATION_ID`, `ROLE_ID`, `ACCOUNT_ID`,
+ `GRANT_EXPIRED_DATE`)
+VALUES ('80_80', '1', 0, 'admin', '2019-07-01 00:00:00',
+ NULL, NULL,
+ '1', '80', '80',
+ NULL);
+
+commit;
+
+
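Review bot: The `TB_B_USER` insert seeds the `PASSWORD` column with the literal `messageadmin`, identical to the `UID` and account name, and the same pattern is repeated for the portal admin in 10.1.init-portal.sql, including the cas_server `TB_ACCOUNT` row there. Whether the column holds a hash or a cleartext value is not visible here (the goa ConfigMap elsewhere in this commit selects a `PASSWORD_ENCODER_IMPL`), but either way an account whose password equals its name is a default credential that survives into production unless the installer forces a change. Suggest a header line such as `-- 初始密码仅用于首次登录,部署后必须立即修改` and, if the encoder expects a stored hash, a note that the literal must be pre-encoded rather than written in clear. Minor: `ADD_TIME` is `2020-07-01` for the two roles but `2019-07-01` for the `TB_ROLE_USER` grant, which looks like a copy-paste leftover.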
diff --git a/project/nwpu/k8s-rancher/1.authx-service/10.1.init-portal.sql b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-portal.sql
new file mode 100644
index 0000000..61b09d4
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/10.1.init-portal.sql
@@ -0,0 +1,140 @@
+-- 10.1.init.sql
+
+/*
+将 paas.example.com 替换为 paas.学校域名.edu.cn
+*/
+
+
+-- 以下脚本为可选操作
+
+/*
+ * 若部署了流程平台、门户的产品
+ * 可默认创建几个管理员帐号,以及初始授权
+ */
+
+
+-- 创建管理帐号
+
+use user;
+
+-- portaladmin
+INSERT INTO `TB_B_USER` (`ID`, `DELETED`,
+ `UID`, `PASSWORD`, `NAME`, `NAME_SPELLING`, `FULL_NAME_SPELLING`,
+ `CERTIFICATE_TYPE_ID`, `CERTIFICATE_NUMBER`, `PHONE_NUMBER`, `EMAIL`,
+ `GENDER_ID`, `NATION_ID`, `COUNTRY_ID`, `ADDRESS_ID`)
+VALUES ('60', 0,
+ '60', 'portaladmin', '门户管理员', 'portaladmin', 'portaladmin',
+ '20001', '60', null, 'portaladmin@supwisdom.com',
+ '30001', '40001', '50156', '310000');
+
+INSERT INTO `TB_B_ACCOUNT` (`ID`, `DELETED`, `USER_ID`,
+ `ACCOUNT_NAME`, `ACCOUNT_EXPIRY_DATE`, `ORGANIZATION_ID`, `IDENTITY_TYPE_ID`,
+ `ACTIVATION`, `STATE`, `IS_DATA_CENTER`)
+VALUES ('60', 0, '60',
+ 'portaladmin', null, '1', '1',
+ 1, 'NORMAL', 0);
+
+INSERT INTO `TB_B_SAFETY`(`ID`, `DELETED`, `USER_ID`, `SCORE`, `PASSWORD_SCORE`, `SECURE_EMAIL`, `SECURE_PHONE`)
+VALUES ('60', 0, '60', '0', '0', null, null);
+
+INSERT INTO `TB_B_ACCOUNT_ORGANIZATION` (`ID`, `DELETED`,
+ `ROOT_ORGANIZATION_ID`, `ACCOUNT_ID`, `ORGANIZATION_ID`)
+VALUES ('60_1', 0,
+ '0', '60', '1');
+
+INSERT INTO `TB_B_ACCOUNT_LABEL`(`ID`, `DELETED`,
+ `ACCOUNT_ID`, `LABEL_ID`)
+VALUES ('60_1', 0, '60', '1');
+
+commit;
+
+
+-- 创建管理帐号的授权
+
+use user_authz;
+
+-- portal
+INSERT INTO `TB_SYSTEM` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `BUSINESS_DOMAIN_ID`,
+ `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`)
+VALUES ('60', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '1',
+ 'portal', '门户', '门户', 1);
+
+INSERT INTO `TB_APPLICATION` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `BUSINESS_DOMAIN_ID`, `SYSTEM_ID`,
+ `NAME`, `APPLICATION_ID`, `SYNC_URL`, `ENABLED`)
+VALUES ('60', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '1', '60',
+ '门户', '60', '', 1);
+
+INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`)
+VALUES ('60', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '60', 'portal-admin', '门户管理员', '门户管理员', 1, '60');
+
+INSERT INTO `TB_ROLE_USER` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `ORIGIN_TYPE`, `ORIGIN_PK`,
+ `APPLICATION_ID`, `ROLE_ID`, `ACCOUNT_ID`,
+ `GRANT_EXPIRED_DATE`)
+VALUES ('60_60_60', '1', 0, 'admin', '2019-07-01 00:00:00',
+ NULL, NULL,
+ '60', '60', '60',
+ NULL);
+
+commit;
+
+
+-- 配置门户角色的同步接口
+
+update TB_APPLICATION
+set
+ SYNC_URL='http://portal.paas.example.com/portal-web/api/open/role/findAll'
+where ID='60'; -- todo, modify
+
+commit;
+
+
+-- 创建认证帐号、认证对接
+
+use cas_server;
+
+-- portal
+
+INSERT INTO `TB_ACCOUNT` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `USERNAME`, `PASSWORD`, `DESCRIPTION`, `ENABLED`, `ACCOUNT_NON_EXPIRED`, `ACCOUNT_NON_LOCKED`, `CREDENTIALS_NON_EXPIRED`,
+ `IDENTITY`, `USER_NO`, `NAME`, `MOBILE`, `EMAIL_ADDRESS`, `IDENTITY_TYPE`, `IDENTITY_NO`,
+ `EXTERNAL_ID`)
+VALUES ('60', '1', 0, 'admin', '2019-07-01 00:00:00',
+ 'portaladmin', 'portaladmin', '门户管理员', 1, 1, 1, 1,
+ 'admin', '60', '门户管理员', '', 'portaladmin@supwisdom.com', '20001', '',
+ '60');
+
+commit;
+
+
+INSERT INTO `TB_SERVICE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `NAME`, `DESCRIPTION`, `INFORMATION_URL`, `LOGOUT_URL`,
+ `RESPONSE_TYPE`, `LOGOUT_TYPE`,
+ `EVALUATION_ORDER`, `FRIENDLY_NAME`, `REGISTERED_SERVICE_ID`, `SERVICE_ID`,
+ `ENABLED`, `SSO_ENABLED`, `REQUIRE_ALL_ATTRIBUTES`,
+ `APPLICATION_ID`, `EXTERNAL_ID`)
+VALUES ('60', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '门户', '门户', 'https://ecampus.paas.example.com', 'https://ecampus.paas.example.com/cas/slo',
+ 'REDIRECT', 'FRONT_CHANNEL',
+ 60, '门户', 60, 'https://ecampus.paas.example.com/login',
+ 1, 1, 1,
+ '60', '60');
+
+commit;
+
+update TB_SERVICE
+set
+ INFORMATION_URL='http://ecampus.paas.example.com',
+ LOGOUT_URL='http://ecampus.paas.example.com/cas/slo',
+ SERVICE_ID='http://ecampus.paas.example.com/cas/(.*)',
+ ID_TOKEN_ENABLED=1
+where ID='60'; -- todo, modify
+
+commit;
+
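Review bot: The trailing `update TB_SERVICE` overwrites the `https://` values inserted a few statements earlier with `http://` for `INFORMATION_URL`, `LOGOUT_URL` and `SERVICE_ID`, so the registered CAS service and its logout callback end up on cleartext unless the `-- todo, modify` is actually acted on. If the intent is only to switch `SERVICE_ID` to a pattern, keep the scheme — `SERVICE_ID='https://ecampus.paas.example.com/cas/(.*)'` — and drop the two URL reassignments. The pattern also deserves a comment: `(.*)` accepts any path under `/cas/`, and whether the match is anchored depends on how the server evaluates service ids, which is not visible here. The first line of the file still says `10.1.init.sql` rather than `10.1.init-portal.sql`.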
diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/0.user-data-service-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/0.user-data-service-base.yaml
new file mode 100644
index 0000000..a9d74c3
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/0.user-data-service-base.yaml
@@ -0,0 +1,255 @@
+# user-data-service-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: user-data-service
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
+
+
+####################################################
+# redis-server
+####################################################
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ namespace: user-data-service
+ name: redis-data-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ # 根据情况修改
+ storageClassName: nfs-client
+ resources:
+ requests:
+ storage: 50Gi
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: user-data-service
+type: Opaque
+data:
+ REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: user-data-service
+spec:
+ ports:
+ - name: redis
+ port: 6379
+ protocol: TCP
+ targetPort: redis
+ selector:
+ app: redis
+ release: redis-server
+ role: master
+ type: ClusterIP
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: user-data-service
+spec:
+ podManagementPolicy: OrderedReady
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: redis
+ release: redis-server
+ role: master
+ serviceName: redis-master
+ template:
+ metadata:
+ labels:
+ app: redis
+ release: redis-server
+ role: master
+ spec:
+ containers:
+ - name: redis-server
+ env:
+ - name: REDIS_DISABLE_COMMANDS
+ value: FLUSHDB,FLUSHALL
+ - name: REDIS_REPLICATION_MODE
+ value: master
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: redis-server
+ key: REDIS_PASSWORD
+ # 若使用了学校搭设的私有仓库,请修改
+ image: bitnami/redis:4.0
+ # 若使用了学校搭设的私有仓库,请修改 为 Always
+ imagePullPolicy: IfNotPresent
+ # imagePullPolicy: Always
+ livenessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 5
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ ports:
+ - containerPort: 6379
+ name: redis
+ protocol: TCP
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
+ readinessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 5
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ volumeMounts:
+ - mountPath: /bitnami/redis/data
+ name: redis-data
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ securityContext:
+ fsGroup: 1001
+ # runAsUser: 1001
+ # https://github.com/bitnami/bitnami-docker-redis/issues/106#issuecomment-388884372
+ runAsUser: 0
+ terminationGracePeriodSeconds: 30
+ volumes:
+ # - name: redis-data
+ # emptyDir: {}
+ - name: redis-data
+ persistentVolumeClaim:
+ claimName: redis-data-pvc
+ # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可,注意这里的缩进,imagePullSecrets要对齐到本行#符号)
+ # imagePullSecrets:
+ # - name: harbor-registry
+ updateStrategy:
+ rollingUpdate:
+ partition: 0
+ type: RollingUpdate
+
+
+
+# ####################################################
+# # rabbitmq-server
+# ####################################################
+# ---
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# labels:
+# app: rabbitmq
+# release: rabbitmq-server
+# name: rabbitmq-server
+# namespace: user-data-service
+# type: Opaque
+# data:
+# RABBITMQ_USERNAME: Z3Vlc3Q=
+# RABBITMQ_PASSWORD: Z3Vlc3Q=
+# ---
+# apiVersion: v1
+# kind: Service
+# metadata:
+# name: rabbitmq-server
+# namespace: user-data-service
+# labels:
+# app: rabbitmq-server
+# spec:
+# ports:
+# - port: 5672
+# targetPort: tcp-1
+# protocol: TCP
+# name: tcp-1
+# - port: 15672
+# targetPort: tcp-2
+# protocol: TCP
+# name: tcp-2
+# selector:
+# app: rabbitmq-server
+# ---
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+# name: rabbitmq-server
+# namespace: user-data-service
+# spec:
+# selector:
+# matchLabels:
+# app: rabbitmq-server
+# replicas: 1
+# template:
+# metadata:
+# labels:
+# app: rabbitmq-server
+# annotations:
+# sidecar.istio.io/inject: "false"
+# spec:
+# containers:
+# - name: rabbitmq-server
+# env:
+# - name: RABBITMQ_VM_MEMORY_HIGH_WATERMARK
+# value: "0.6"
+# - name: RABBITMQ_DEFAULT_USER
+# valueFrom:
+# secretKeyRef:
+# name: rabbitmq-server
+# key: RABBITMQ_USERNAME
+# - name: RABBITMQ_DEFAULT_PASS
+# valueFrom:
+# secretKeyRef:
+# name: rabbitmq-server
+# key: RABBITMQ_PASSWORD
+# # 若使用了学校搭设的私有仓库,请修改
+# image: rabbitmq:management
+# # 若使用了学校搭设的私有仓库,请修改 为 Always
+# imagePullPolicy: IfNotPresent
+# # imagePullPolicy: Always
+# ports:
+# - containerPort: 5672
+# name: tcp-1
+# - containerPort: 15672
+# name: tcp-2
+# resources:
+# requests:
+# memory: "1024Mi"
+# limits:
+# memory: "1024Mi"
+# # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可)
+# # imagePullSecrets:
+# # - name: harbor-registry
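Review bot: The `harbor-registry` Secret carries the decoded registry credential in the comment directly above its base64 value, and the same pair is repeated in 0.user-authorization-service-base.yaml; base64 is an encoding, not protection, so both the comment and the value amount to a committed credential. Suggest a placeholder in place of the value, generating the Secret at deploy time (`kubectl create secret docker-registry ...` or a sealed/external secret), and rewording the comment to `# 部署时生成,不要提交真实凭据`. Separately, the redis StatefulSet sets `runAsUser: 0` to work around the linked volume-permission issue, so the server process runs as root; an initContainer that fixes ownership of the data path, or relying on `fsGroup: 1001` alone, would keep the main container unprivileged.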
diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/1.user-data-service-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/1.user-data-service-env.yaml
new file mode 100644
index 0000000..0f7e6e2
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/1.user-data-service-env.yaml
@@ -0,0 +1,53 @@
+# user-data-service-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: user-data-service
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: user-data-service
+ name: datasource-env-secret
+type: Opaque
+data:
+ # jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai
+ JDBC_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvdXNlcj9zZXJ2ZXJUaW1lem9uZT1Bc2lhL1NoYW5naGFp
+ # user
+ JDBC_USERNAME: dXNlcg==
+ # 修改为实际的数据库密码,并使用 base64 工具进行编码
+ # kingstar
+ JDBC_PASSWORD: a2luZ3N0YXI=
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: user-data-service
+ name: redis-env-secret
+type: Opaque
+data:
+ SPRING_REDIS_HOST: cmVkaXMtc2VydmVy
+ SPRING_REDIS_PORT: NjM3OQ==
+ SPRING_REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==
+
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: user-data-service
+ name: rabbitmq-env-secret
+type: Opaque
+data:
+ # rabbitmq-server.authx-service.svc.cluster.local
+ SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVyLmF1dGh4LXNlcnZpY2Uuc3ZjLmNsdXN0ZXIubG9jYWw=
+ SPRING_RABBITMQ_PORT: NTY3Mg==
+ SPRING_RABBITMQ_USERNAME: Z3Vlc3Q=
+ SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q=
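Review bot: `datasource-env-secret` ships a database password with its cleartext shown in the comment, and `rabbitmq-env-secret` ships the broker's default `guest`/`guest` pair, which RabbitMQ by default only accepts from loopback, so the cross-namespace connection configured here will likely be refused until a dedicated user exists. Suggest placeholders in place of the committed values and a comment such as `# 使用 base64 编码后的实际值替换,不要在注释中写明文`. `SPRING_REDIS_HOST` decodes to the bare name `redis-server`, which resolves only inside the `user-data-service` namespace; that matches the redis Service in this commit but differs from the fully-qualified `authx-service` hosts used for mysql and rabbitmq, which is worth a comment so the mismatch is not mistaken for a typo.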
diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/2.user-data-service-ingresses.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/2.user-data-service-ingresses.yaml
new file mode 100644
index 0000000..6680f1f
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/2.user-data-service-ingresses.yaml
@@ -0,0 +1,20 @@
+# user-data-service-ingresses.yaml
+
+# 暂时不使用,直接使用内部地址
+# ---
+# apiVersion: extensions/v1beta1
+# kind: Ingress
+# metadata:
+# namespace: user-data-service
+# name: user-api-ingress
+# spec:
+# rules:
+# # 修改为学校的根域名
+# - host: user-api.paas.xxx.edu.cn
+# http:
+# paths:
+# - path: /
+# backend:
+# serviceName: user-data-service-poa-svc
+# servicePort: http
+
diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.0.user-data-service-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.0.user-data-service-installer.yaml
new file mode 100644
index 0000000..0b20099
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.0.user-data-service-installer.yaml
@@ -0,0 +1,55 @@
+# user-data-service-installer.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: user-data-service
+ name: user-data-service-installer-env
+data:
+ DB_TYPE: mysql8
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: user-data-service-installer
+ namespace: user-data-service
+spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: user-data-service-installer
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: user-data-service-installer
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/goa/installer:1.4.4-RELEASE
+ imagePullPolicy: Always
+ env:
+ - name: DB_TYPE
+ value: mysql8
+ - name: JDBC_URL
+ value: jdbc:mysql://mysql-server:3306/user?serverTimezone=Asia/Shanghai
+ - name: JDBC_USERNAME
+ value: user
+ - name: JDBC_PASSWORD
+ value: Nwpu@Supwisdom123
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ # - secretRef:
+ # name: datasource-env-secret
+ - configMapRef:
+ name: user-data-service-installer-env
+ # resources:
+ # requests:
+ # memory: "256Mi"
+ # limits:
+ # memory: "256Mi"
+ imagePullSecrets:
+ - name: harbor-registry
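Review bot: The installer Job carries `JDBC_PASSWORD: Nwpu@Supwisdom123` as a plain `env` value while the `secretRef` to `datasource-env-secret` is commented out, so the database password is committed in cleartext and differs from the one in `datasource-env-secret`; one of the two is presumably stale, and the runtime Deployments will fail to connect if it is the secret. The inline `JDBC_URL` host is also the short name `mysql-server`, which resolves only if MySQL runs in the `user-data-service` namespace, whereas the secret uses `mysql-server.authx-service.svc.cluster.local`. Suggest deleting the four inline `env` entries and restoring `- secretRef:` / `name: datasource-env-secret` so the Job and the Deployments read one source; `DB_TYPE` is still provided by `user-data-service-installer-env`.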
diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.1.user-data-service-poa.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.1.user-data-service-poa.yaml
new file mode 100644
index 0000000..3e852e5
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.1.user-data-service-poa.yaml
@@ -0,0 +1,131 @@
+# user-data-service-poa.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: user-data-service
+ name: user-data-service-poa-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+
+ SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10"
+ SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "50"
+ SPRING_DATASOURCE_DRUID_MIN_IDLE: "10"
+
+
+ CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ TPAS_FILE_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
+ TPAS_CLIENT_AUTH_ENABLED: "false"
+ #TPAS_CLIENT_AUTH_KEY_PASSWORD: ""
+ #TPAS_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #TPAS_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #TPAS_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #TPAS_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ # **修改** 学校的根域名
+ FILE_SERVER_TYPE: minio
+ FILE_SERVER_URL: https://authx-minio.paas.xxx.edu.cn
+
+
+ LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_GOA_COMMON_LOG: INFO
+
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: user-data-service
+ name: user-data-service-poa-svc
+ labels:
+ app: user-data-service-poa
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: user-data-service-poa
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: user-data-service
+ name: user-data-service-poa
+spec:
+ selector:
+ matchLabels:
+ app: user-data-service-poa
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: user-data-service-poa
+ spec:
+ containers:
+ - name: user-data-service-poa
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/goa/poa-api:1.4.4-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - configMapRef:
+ name: user-data-service-poa-env
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8888
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
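Review bot: The `readinessProbe` targets port `8888`, but the container only declares `8080` (`http`) and `6060` (`http-metrics`) and nothing in the ConfigMap sets a management port, so unless the image listens on 8888 by default the pod never becomes Ready. The same probe appears in 4.2.user-data-service-goa.yaml and 4.3.user-data-service-biz.yaml. If 8888 is the actuator port, declare it with `- containerPort: 8888` plus a name and reference that name in the probe; otherwise point the probe at `port: http`. The Deployment also has no `livenessProbe`, while the redis StatefulSet in this commit defines one.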
diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.2.user-data-service-goa.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.2.user-data-service-goa.yaml
new file mode 100644
index 0000000..92304b1
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.2.user-data-service-goa.yaml
@@ -0,0 +1,166 @@
+# user-data-service-goa.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: user-data-service
+ name: user-data-service-goa-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "20480"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+
+ SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10"
+ SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "20"
+ SPRING_DATASOURCE_DRUID_MIN_IDLE: "10"
+
+ SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800"
+ SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100"
+ SPRING_REDIS_JEDIS_POOL_MINIDLE: "100"
+
+
+ # 加密算法的实现,默认 default,支持 bcrypt 等加密算法; SHA-256 支持 SHA-256 加密算法
+ PASSWORD_ENCODER_IMPL: default
+
+ PASSWORD_ENABLE_TRANS_UPDATE_PASSWORD: "false"
+
+ SECURITY_API_SECURITY_ACCOUNT_SERVICE_IMPL: redis
+
+
+ # 推送数据到 jobs-server 的配置
+ JOBS_RABBITMQ_ENABLED: "false"
+ JOBS_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ JOBS_RABBITMQ_PORT: "5672"
+ JOBS_RABBITMQ_USERNAME: guest
+ JOBS_RABBITMQ_PASSWORD: guest
+
+
+ # 是否同步帐号到 openldap(已弃用)
+ # JOBS_RABBITMQ_ACCOUNTUSERSVC2OPENLDAPRABBITSENDER_ENABLED: "false"
+
+ # 是否同步 帐号 数据至 jobs 的 MQ,由 jobs 再进行分发(如分发到 openldap)
+ JOBS_RABBITMQ_ACCOUNTUSERSVC2JOBSRABBITSENDER_ENABLED: "false"
+ # 是否同步 密码(明文密码)到 jobs 的 MQ,由 jobs 再进行分发(如分发到 城市热点)
+ JOBS_RABBITMQ_ACCOUNTUSERSVC2JOBSSYNCPASSWORDRABBITSENDER_ENABLED: "false"
+
+ # 是否同步 组织机构 数据至 jobs 的 MQ,由 jobs 再进行分发(如分发到 openldap)
+ JOBS_RABBITMQ_ORGANIZATIONUSERSVC2JOBSRABBITSENDER_ENABLED: "false"
+
+ # 是否同步 用户组 数据至 jobs 的 MQ,由 jobs 再进行分发(如分发到 openldap)
+ JOBS_RABBITMQ_GROUPUSERSVC2JOBSRABBITSENDER_ENABLED: "false"
+
+ # 是否同步 帐号用户组 数据至 jobs 的 MQ,由 jobs 再进行分发(如分发到 openldap)
+ JOBS_RABBITMQ_ACCOUNTGROUPUSERSVC2JOBSRABBITSENDER_ENABLED: "false"
+
+
+ #ipaddr
+ IPADDR_API_URL: http://ipaddr.ipaddr.svc.cluster.local:9090/v1/find
+
+
+ CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
+ LOGGING_LEVEL_COM_SUPWISDOM_GOA: INFO
+ LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_GOA_COMMON_LOG: INFO
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: user-data-service
+ name: user-data-service-goa-svc
+ labels:
+ app: user-data-service-goa
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: user-data-service-goa
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: user-data-service
+ name: user-data-service-goa
+spec:
+ selector:
+ matchLabels:
+ app: user-data-service-goa
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: user-data-service-goa
+ spec:
+ containers:
+ - name: user-data-service-goa
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/goa/goa-api:1.4.4-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - secretRef:
+ name: redis-env-secret
+ - secretRef:
+ name: rabbitmq-env-secret
+ - configMapRef:
+ name: user-data-service-goa-env
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8888
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
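Review bot: `AUTHX_LOG_RABBITMQ_PASSWORD` and `JOBS_RABBITMQ_PASSWORD` sit in the ConfigMap in cleartext even though the pod already mounts `rabbitmq-env-secret`, so the same broker credential exists in two places with different protection; the same pattern is in 4.1.user-data-service-poa.yaml, 4.3.user-data-service-biz.yaml and the datax-job ConfigMap. Suggest moving those keys into the Secret (or referencing it via `valueFrom.secretKeyRef`) and leaving only host and port in the ConfigMap. The `PASSWORD_ENCODER_IMPL` comment lists accepted values but not which algorithm `default` resolves to; a line such as `# default 对应的具体算法见 goa 文档,生产环境建议显式指定` would help the deployer, since the mapping is not visible here.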
diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.3.user-data-service-biz.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.3.user-data-service-biz.yaml
new file mode 100644
index 0000000..ccfb2b9
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/4.3.user-data-service-biz.yaml
@@ -0,0 +1,137 @@
+# user-data-service-biz.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: user-data-service
+ name: user-data-service-biz-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+
+ SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10"
+ SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "20"
+ SPRING_DATASOURCE_DRUID_MIN_IDLE: "10"
+
+
+ CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ USER_AUTHZ_SERVICE_SERVER_URL: http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080
+ USER_AUTHZ_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ TPAS_FILE_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
+ TPAS_CLIENT_AUTH_ENABLED: "false"
+ #TPAS_CLIENT_AUTH_KEY_PASSWORD: ""
+ #TPAS_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #TPAS_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #TPAS_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #TPAS_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_GOA_COMMON_LOG: INFO
+
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: user-data-service
+ name: user-data-service-biz-svc
+ labels:
+ app: user-data-service-biz
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: user-data-service-biz
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: user-data-service
+ name: user-data-service-biz
+spec:
+ selector:
+ matchLabels:
+ app: user-data-service-biz
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: user-data-service-biz
+ spec:
+ containers:
+ - name: user-data-service-biz
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/goa/biz-api:1.4.4-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - secretRef:
+ name: rabbitmq-env-secret
+ - configMapRef:
+ name: user-data-service-biz-env
+ resources:
+ requests:
+ memory: "512Mi"
+ limits:
+ memory: "512Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8888
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/5.user-data-service-datax-job.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/5.user-data-service-datax-job.yaml
new file mode 100644
index 0000000..a38445a
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/5.user-data-service-datax-job.yaml
@@ -0,0 +1,56 @@
+# user-data-service-datax-job.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: user-data-service
+ name: user-data-service-datax-job-env
+data:
+ JOB_APPLICATION_AUTHZ2USER_MYSQLREADER8_USERNAME: "user_authz"
+ # 修改为实际的数据库密码
+ JOB_APPLICATION_AUTHZ2USER_MYSQLREADER8_PASSWORD: "kingstar"
+ JOB_APPLICATION_AUTHZ2USER_MYSQLREADER8_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user_authz?serverTimezone=Asia/Shanghai"
+
+ JOB_APPLICATION_AUTHZ2USER_MYSQLWRITER8_USERNAME: "user"
+ # 修改为实际的数据库密码
+ JOB_APPLICATION_AUTHZ2USER_MYSQLWRITER8_PASSWORD: "kingstar"
+ JOB_APPLICATION_AUTHZ2USER_MYSQLWRITER8_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai"
+
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: user-data-service-datax-job
+ namespace: user-data-service
+spec:
+ schedule: "30 */4 * * *"
+ jobTemplate:
+ metadata:
+ labels:
+ app: user-data-service-datax-job
+ spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: user-data-service-datax-job
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: user-data-service-datax-job
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/goa/datax-job:1.4.4-RELEASE
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: user-data-service-datax-job-env
+ # resources:
+ # requests:
+ # memory: "400Mi"
+ # limits:
+ # memory: "400Mi"
+ imagePullSecrets:
+ - name: harbor-registry
+
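Review bot: The CronJob uses `apiVersion: batch/v1beta1`, which was removed in Kubernetes 1.25; `batch/v1` has served CronJob since 1.21, so unless the target cluster is pinned to an older release this manifest will not apply. Both database passwords are also in a ConfigMap rather than a Secret, and the reader credential gives the job direct access to the `user_authz` database. Suggest `apiVersion: batch/v1`, and moving the two `_PASSWORD` keys into a Secret referenced with `secretRef`.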
diff --git a/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/9.api-docs-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/9.api-docs-installer.yaml
new file mode 100644
index 0000000..c3792c6
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/2.user-data-service/9.api-docs-installer.yaml
@@ -0,0 +1,52 @@
+# 9.api-docs-installer.yaml
+
+# 依赖平台OpenAPI的部署
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: user-data-service
+ name: api-docs-installer-env
+data:
+ ##
+ # 平台OpenAPI的外网访问地址,
+ # **修改** 学校的根域名
+ POA_SERVER_URL: http://poa.paas.nwpu.edu.cn
+
+ # **修改** poa-sa 服务的k8s内部地址
+ POA_SA_SERVER_URL: http://platform-openapi-sa.poa.svc.cluster.local:8443
+
+ USER_API_SERVER_URL: http://user-data-service-poa-svc.user-data-service.svc.cluster.local:8080
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: user-data-service
+ name: api-docs-installer
+spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: api-docs-installer
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: api-docs-installer
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/goa/api-docs-installer:1.4.4-RELEASE
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: api-docs-installer-env
+ # resources:
+ # requests:
+ # memory: "256Mi"
+ # limits:
+ # memory: "256Mi"
+ imagePullSecrets:
+ - name: harbor-registry
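Review bot: `POA_SA_SERVER_URL` pairs the `http://` scheme with port `8443`, which is conventionally a TLS port; if poa-sa terminates TLS there the installer fails the handshake, and if it serves plaintext on 8443 the port choice is misleading. Suggest confirming the scheme against the poa-sa Service definition and leaving a comment, e.g. `# poa-sa 在 8443 上是明文 http 还是 https,请与 poa 的 Service 核对`. The `POA_SERVER_URL` comment still says **修改** although the value is already the NWPU hostname, so the placeholder guidance is stale for this project copy.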
diff --git a/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/0.user-authorization-service-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/0.user-authorization-service-base.yaml
new file mode 100644
index 0000000..68bb04c
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/0.user-authorization-service-base.yaml
@@ -0,0 +1,88 @@
+# user-authorization-service-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: user-authorization-service
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
+
+
+
+# ####################################################
+# # rabbitmq-server
+# ####################################################
+# ---
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# labels:
+# app: rabbitmq
+# release: rabbitmq-server
+# name: rabbitmq-server
+# namespace: user-data-service
+# type: Opaque
+# data:
+# RABBITMQ_USERNAME: Z3Vlc3Q=
+# RABBITMQ_PASSWORD: Z3Vlc3Q=
+# ---
+# apiVersion: v1
+# kind: Service
+# metadata:
+# name: rabbitmq-server
+# namespace: user-data-service
+# labels:
+# app: rabbitmq-server
+# spec:
+# ports:
+# - port: 5672
+# targetPort: tcp-1
+# protocol: TCP
+# name: tcp-1
+# - port: 15672
+# targetPort: tcp-2
+# protocol: TCP
+# name: tcp-2
+# selector:
+# app: rabbitmq-server
+# ---
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+# name: rabbitmq-server
+# namespace: user-data-service
+# spec:
+# selector:
+# matchLabels:
+# app: rabbitmq-server
+# replicas: 1
+# template:
+# metadata:
+# labels:
+# app: rabbitmq-server
+# annotations:
+# sidecar.istio.io/inject: "false"
+# spec:
+# containers:
+# - name: rabbitmq-server
+# # 若使用了学校搭设的私有仓库,请修改
+# image: rabbitmq:management
+# # 若使用了学校搭设的私有仓库,请修改 为 Always
+# imagePullPolicy: IfNotPresent
+# # imagePullPolicy: Always
+# ports:
+# - containerPort: 5672
+# name: tcp-1
+# - containerPort: 15672
+# name: tcp-2
+# # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可)
+# # imagePullSecrets:
+# # - name: harbor-registry
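Review bot: The comment above `.dockerconfigjson` reproduces the registry password in clear text and the base64 value beneath it is that same credential, so this commit places a live harbor login in git history; base64 is an encoding, not protection. Replace the decoded JSON with a placeholder such as `# {"auths":{"<registry>":{"password":"<REPLACE>","username":"<REPLACE>"}}}`, populate the Secret at deploy time from a secret store, and rotate the credential now that it has been committed. Note also that the Secret's `auths` key is `harbor.supwisdom.com` while every image in this commit is pulled from `paas.harbor.nwpu.edu.cn` with `imagePullPolicy: Always`, so the pull secret will not be matched against the registry actually used — if that registry requires authentication, pulls will fail. The commented-out rabbitmq block in this file still says `namespace: user-data-service` in three places and would land in the wrong namespace if uncommented here. The same registry Secret and decoded-password comment are repeated in 4.cas-server/0.cas-server-base.yaml (hunk ending at L7166).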
diff --git a/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/1.user-authorization-service-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/1.user-authorization-service-env.yaml
new file mode 100644
index 0000000..0017035
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/1.user-authorization-service-env.yaml
@@ -0,0 +1,40 @@
+# user-authorization-service-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: jvm-env
+ namespace: user-authorization-service
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: datasource-env-secret
+ namespace: user-authorization-service
+type: Opaque
+data:
+ # jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user_authz?serverTimezone=Asia/Shanghai
+ JDBC_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvdXNlcl9hdXRoej9zZXJ2ZXJUaW1lem9uZT1Bc2lhL1NoYW5naGFp
+ # user_authz
+ JDBC_USERNAME: dXNlcl9hdXRoeg==
+ # 修改为实际的数据库密码,并使用 base64 工具进行编码
+ # kingstar
+ JDBC_PASSWORD: a2luZ3N0YXI=
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: rabbitmq-env-secret
+ namespace: user-authorization-service
+type: Opaque
+data:
+ # rabbitmq-server.authx-service.svc.cluster.local
+ SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVyLmF1dGh4LXNlcnZpY2Uuc3ZjLmNsdXN0ZXIubG9jYWw=
+ SPRING_RABBITMQ_PORT: NTY3Mg==
+ SPRING_RABBITMQ_USERNAME: Z3Vlc3Q=
+ SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q=
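Review bot: The `# kingstar` comment beside `JDBC_PASSWORD` (together with the decoded URL and username above it) defeats the base64 encoding of the Secret: the real password for `user_authz` is readable in the repository, and `rabbitmq-env-secret` ships the broker's default `guest`/`guest`. Replace the decoded comments with a placeholder like `# <JDBC password, base64-encoded at deploy time>` and inject the values from a secret store rather than committing them; the same pattern appears in 4.cas-server/1.cas-server-env.yaml (hunk ending at L7223). Also, this Secret's password differs from the one the installer Job hard-codes for the same `user_authz` user in 4.0.user-authorization-installer.yaml, so one of the two will fail to authenticate unless they are reconciled.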
diff --git a/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/2.user-authorization-service-ingresses.yaml b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/2.user-authorization-service-ingresses.yaml
new file mode 100644
index 0000000..95996f6
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/2.user-authorization-service-ingresses.yaml
@@ -0,0 +1,27 @@
+# user-authorization-service-ingresses.yaml
+
+# 创建 ca-secret
+
+# cd PATH/ca/certs/client
+
+# kubectl describe secret ca-secret -n user-authorization-service
+
+# kubectl create secret generic ca-secret --from-file=client.truststore=client.truststore -n user-authorization-service
+
+# 暂时不使用,直接使用内部地址
+# ---
+# apiVersion: extensions/v1beta1
+# kind: Ingress
+# metadata:
+# namespace: user-authorization-service
+# name: user-authz-api-ingress
+# spec:
+# rules:
+# # 修改为学校的根域名
+# - host: user-authz-api.paas.xxx.edu.cn
+# http:
+# paths:
+# - path: /
+# backend:
+# serviceName: user-authorization-poa-svc
+# servicePort: http
diff --git a/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.0.user-authorization-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.0.user-authorization-installer.yaml
new file mode 100644
index 0000000..f402cfd
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.0.user-authorization-installer.yaml
@@ -0,0 +1,56 @@
+# user-authorization-installer.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: user-authorization-service
+ name: user-authorization-installer-env
+data:
+ DB_TYPE: mysql8
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: user-authorization-service
+ name: user-authorization-installer
+spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: user-authorization-installer
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: user-authorization-installer
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/user-authorization-service/user-authorization-installer:1.4.4-RELEASE
+ imagePullPolicy: Always
+ env:
+ - name: DB_TYPE
+ value: mysql8
+ - name: JDBC_URL
+ value: jdbc:mysql://mysql-server:3306/user_authz?serverTimezone=Asia/Shanghai
+ - name: JDBC_USERNAME
+ value: user_authz
+ - name: JDBC_PASSWORD
+ value: Nwpu@Supwisdom123
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ # - secretRef:
+ # name: datasource-env-secret
+ - configMapRef:
+ name: user-authorization-installer-env
+ # resources:
+ # requests:
+ # memory: "256Mi"
+ # limits:
+ # memory: "256Mi"
+ imagePullSecrets:
+ - name: harbor-registry
+
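Review bot: The installer Job sets `JDBC_PASSWORD` as a literal `env` value while the `secretRef` to `datasource-env-secret` is commented out, so the database password is visible to anyone who can read Jobs or Pods in the namespace, and it diverges from the value the Secret holds for the same user. Drop the four literal `env` entries and re-enable `- secretRef:` / `name: datasource-env-secret` (`DB_TYPE` already arrives via `user-authorization-installer-env`, so it is set twice as written). The literal `JDBC_URL` also uses the bare host `mysql-server`, which resolves in this Job's own namespace rather than `authx-service` where the Secret's URL points — confirm a Service by that name exists in `user-authorization-service`, otherwise the installer cannot reach the database. 4.cas-server/4.0.cas-server-installer.yaml (hunk ending at L7336) has the identical pattern.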
diff --git a/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.1.user-authorization-poa.yaml b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.1.user-authorization-poa.yaml
new file mode 100644
index 0000000..e2ba731
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.1.user-authorization-poa.yaml
@@ -0,0 +1,119 @@
+# user-authorization-poa.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: user-authorization-service
+ name: user-authorization-poa-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+
+ SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10"
+ SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "50"
+ SPRING_DATASOURCE_DRUID_MIN_IDLE: "10"
+
+
+ USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_USER_AUTHORIZATION_SERVICE_COMMON_LOG: INFO
+
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: user-authorization-service
+ name: user-authorization-poa-svc
+ labels:
+ app: user-authorization-poa
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: user-authorization-poa
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: user-authorization-service
+ name: user-authorization-poa
+spec:
+ selector:
+ matchLabels:
+ app: user-authorization-poa
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: user-authorization-poa
+ spec:
+ containers:
+ - name: user-authorization-poa
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/user-authorization-service/user-authorization-poa:1.4.4-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - secretRef:
+ name: datasource-env-secret
+ - configMapRef:
+ name: jvm-env
+ - configMapRef:
+ name: user-authorization-poa-env
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8888
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
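Review bot: `readinessProbe.httpGet.port` is 8888, but the container declares only 8080 (`http`) and 6060 (`http-metrics`) and the ConfigMap sets `SERVER_PORT: "8080"`; unless the management port is configured to 8888 somewhere outside this file, the probe never succeeds and the Deployment stays unready. Either point the probe at the real actuator port — cas-server-sa-api in this same commit probes `/actuator/health` on `port: 8080` — or declare 8888 as a named `containerPort` so the intent is visible. The same 8888 probe is in 4.2.user-authorization-sa.yaml (hunk ending at L6806). Separately, `AUTHX_LOG_RABBITMQ_PASSWORD: guest` places a broker credential in a ConfigMap; it belongs in `rabbitmq-env-secret`, which this Deployment does not reference at all.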
diff --git a/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.2.user-authorization-sa.yaml b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.2.user-authorization-sa.yaml
new file mode 100644
index 0000000..7d0a6f3
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/4.2.user-authorization-sa.yaml
@@ -0,0 +1,123 @@
+# user-authorization-sa.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: user-authorization-service
+ name: user-authorization-sa-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "20480"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+
+ SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10"
+ SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "20"
+ SPRING_DATASOURCE_DRUID_MIN_IDLE: "10"
+
+
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_CONSUMER_ENABLED: "false"
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_PORT: "5672"
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_USERNAME: guest
+ USER_AUTHORIZATION_SA_USER_RABBITMQ_PASSWORD: guest
+
+
+ LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_USER_AUTHORIZATION_SERVICE_COMMON_LOG: INFO
+
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
+ # SBA_URL: http://spring-boot-admin-svc.base.svc.cluster.local:8080
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: user-authorization-service
+ name: user-authorization-sa-svc
+ labels:
+ app: user-authorization-sa
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: user-authorization-sa
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: user-authorization-service
+ name: user-authorization-sa
+spec:
+ selector:
+ matchLabels:
+ app: user-authorization-sa
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: user-authorization-sa
+ spec:
+ containers:
+ - name: user-authorization-sa
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/user-authorization-service/user-authorization-sa:1.4.4-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - secretRef:
+ name: rabbitmq-env-secret
+ - configMapRef:
+ name: user-authorization-sa-env
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8888
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
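Review bot: The ConfigMap carries `USER_AUTHORIZATION_SA_USER_RABBITMQ_PASSWORD: guest` and `AUTHX_LOG_RABBITMQ_PASSWORD: guest` while the Deployment also mounts `rabbitmq-env-secret` via `secretRef`, so the same broker credential now lives in two objects with different handling; rotating the Secret leaves the ConfigMap copies on the old value, and ConfigMaps are not access-controlled as secrets. Move the two password keys into the Secret and keep only non-sensitive settings in `user-authorization-sa-env`. The readiness probe on port 8888 has the same problem raised on 4.1.user-authorization-poa.yaml.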
diff --git a/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/5.user-authorization-datax-job.yaml b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/5.user-authorization-datax-job.yaml
new file mode 100644
index 0000000..4eaa1b9
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/5.user-authorization-datax-job.yaml
@@ -0,0 +1,56 @@
+# user-authorization-datax-job.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: user-authorization-service
+ name: user-authorization-datax-job-env
+data:
+ JOB_USER2AUTHZ_MYSQLREADER8_USERNAME: "user"
+ # 修改为实际的数据库密码
+ JOB_USER2AUTHZ_MYSQLREADER8_PASSWORD: "kingstar"
+ JOB_USER2AUTHZ_MYSQLREADER8_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai"
+
+ JOB_USER2AUTHZ_MYSQLWRITER8_USERNAME: "user_authz"
+ # 修改为实际的数据库密码
+ JOB_USER2AUTHZ_MYSQLWRITER8_PASSWORD: "kingstar"
+ JOB_USER2AUTHZ_MYSQLWRITER8_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user_authz?serverTimezone=Asia/Shanghai"
+
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: user-authorization-datax-job
+ namespace: user-authorization-service
+spec:
+ schedule: "30 */4 * * *"
+ jobTemplate:
+ metadata:
+ labels:
+ app: user-authorization-datax-job
+ spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: user-authorization-datax-job
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: user-authorization-datax-job
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/user-authorization-service/user-authorization-datax-job:1.4.4-RELEASE
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: user-authorization-datax-job-env
+ # resources:
+ # requests:
+ # memory: "400Mi"
+ # limits:
+ # memory: "400Mi"
+ imagePullSecrets:
+ - name: harbor-registry
+
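Review bot: `JOB_USER2AUTHZ_MYSQLREADER8_PASSWORD` and `JOB_USER2AUTHZ_MYSQLWRITER8_PASSWORD` are clear-text database passwords in a ConfigMap; ConfigMaps are not treated as sensitive by default RBAC or audit tooling, so anyone able to read ConfigMaps in the namespace obtains both credentials. Put the two password keys (and preferably the JDBC URLs) in a Secret and add `- secretRef:` beside the existing `configMapRef`. Also, `apiVersion: batch/v1beta1` is the deprecated CronJob group: `batch/v1` has served CronJob since Kubernetes 1.21 and the beta version is removed in 1.25, so this manifest stops applying on upgraded clusters.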
diff --git a/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/9.api-docs-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/9.api-docs-installer.yaml
new file mode 100644
index 0000000..c8d1c62
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/3.user-authorization-service/9.api-docs-installer.yaml
@@ -0,0 +1,52 @@
+# 9.api-docs-installer.yaml
+
+# 依赖平台OpenAPI的部署
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: user-authorization-service
+ name: api-docs-installer-env
+data:
+ ##
+ # 平台OpenAPI的外网访问地址,
+ # **修改** 学校的根域名
+ POA_SERVER_URL: http://poa.paas.nwpu.edu.cn
+
+ # **修改** poa-sa 服务的k8s内部地址
+ POA_SA_SERVER_URL: http://platform-openapi-sa.poa.svc.cluster.local:8443
+
+ USER_AUTHZ_API_SERVER_URL: http://user-authorization-poa-svc.user-authorization-service.svc.cluster.local:8080
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: user-authorization-service
+ name: api-docs-installer
+spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: api-docs-installer
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: api-docs-installer
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/user-authorization-service/api-docs-installer:1.4.4-RELEASE
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: api-docs-installer-env
+ # resources:
+ # requests:
+ # memory: "256Mi"
+ # limits:
+ # memory: "256Mi"
+ imagePullSecrets:
+ - name: harbor-registry
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/0.cas-server-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/0.cas-server-base.yaml
new file mode 100644
index 0000000..eaf380f
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/0.cas-server-base.yaml
@@ -0,0 +1,234 @@
+# cas-server-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ name: harbor-registry
+ namespace: cas-server
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
+
+
+####################################################
+# redis-server
+####################################################
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ namespace: cas-server
+ name: redis-data-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ # 根据情况修改
+ storageClassName: nfs-client
+ resources:
+ requests:
+ storage: 50Gi
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: cas-server
+type: Opaque
+data:
+ REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: cas-server
+spec:
+ ports:
+ - name: redis
+ port: 6379
+ protocol: TCP
+ targetPort: redis
+ selector:
+ app: redis
+ release: redis-server
+ role: master
+ type: ClusterIP
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: cas-server
+spec:
+ podManagementPolicy: OrderedReady
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: redis
+ release: redis-server
+ role: master
+ serviceName: redis-master
+ template:
+ metadata:
+ labels:
+ app: redis
+ release: redis-server
+ role: master
+ spec:
+ containers:
+ - name: redis-server
+ env:
+ - name: REDIS_DISABLE_COMMANDS
+ value: FLUSHDB,FLUSHALL
+ - name: REDIS_REPLICATION_MODE
+ value: master
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: redis-server
+ key: REDIS_PASSWORD
+ # 若使用了学校搭设的私有仓库,请修改
+ image: bitnami/redis:4.0
+ # 若使用了学校搭设的私有仓库,请修改 为 Always
+ imagePullPolicy: IfNotPresent
+ # imagePullPolicy: Always
+ livenessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 5
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ ports:
+ - containerPort: 6379
+ name: redis
+ protocol: TCP
+ readinessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 5
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ volumeMounts:
+ - mountPath: /bitnami/redis/data
+ name: redis-data
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ securityContext:
+ fsGroup: 1001
+ # runAsUser: 1001
+ # https://github.com/bitnami/bitnami-docker-redis/issues/106#issuecomment-388884372
+ runAsUser: 0
+ terminationGracePeriodSeconds: 30
+ volumes:
+ # - name: redis-data
+ # emptyDir: {}
+ - name: redis-data
+ persistentVolumeClaim:
+ claimName: redis-data-pvc
+ # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可)
+ # imagePullSecrets:
+ # - name: harbor-registry
+ updateStrategy:
+ rollingUpdate:
+ partition: 0
+ type: RollingUpdate
+
+
+####################################################
+# rabbitmq-server
+####################################################
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app: rabbitmq
+ release: rabbitmq-server
+ name: rabbitmq-server
+ namespace: cas-server
+type: Opaque
+data:
+ RABBITMQ_USERNAME: Z3Vlc3Q=
+ RABBITMQ_PASSWORD: Z3Vlc3Q=
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: cas-server
+ name: rabbitmq-server
+ labels:
+ app: rabbitmq-server
+spec:
+ ports:
+ - port: 5672
+ targetPort: tcp-1
+ protocol: TCP
+ name: tcp-1
+ - port: 15672
+ targetPort: tcp-2
+ protocol: TCP
+ name: tcp-2
+ selector:
+ app: rabbitmq-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: rabbitmq-server
+ namespace: cas-server
+spec:
+ selector:
+ matchLabels:
+ app: rabbitmq-server
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: rabbitmq-server
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ containers:
+ - name: rabbitmq-server
+ # 若使用了学校搭设的私有仓库,请修改
+ image: rabbitmq:management
+ # 若使用了学校搭设的私有仓库,请修改 为 Always
+ imagePullPolicy: IfNotPresent
+ # imagePullPolicy: Always
+ ports:
+ - containerPort: 5672
+ name: tcp-1
+ - containerPort: 15672
+ name: tcp-2
+ # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可)
+ # imagePullSecrets:
+ # - name: harbor-registry
+
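Review bot: The redis StatefulSet sets `serviceName: redis-master`, but the only Service defined for it in this file is `redis-server`; a StatefulSet's governing Service must exist under the name given, so the pod gets no stable per-pod DNS entry and the object is inconsistent with what is deployed. Change it to `serviceName: redis-server` or add a matching headless Service. The pod also runs as `runAsUser: 0` (with a link to an upstream volume-permission issue) even though `fsGroup: 1001` is already set — confirm the root override is still needed, since it runs the redis process as root inside the container over the NFS-backed `redis-data-pvc`. The registry Secret and its decoded-password comment repeat the issue raised on 3.user-authorization-service/0.user-authorization-service-base.yaml.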
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/1.cas-server-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/1.cas-server-env.yaml
new file mode 100644
index 0000000..f8b56ca
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/1.cas-server-env.yaml
@@ -0,0 +1,51 @@
+# cas-server-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: cas-server
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: cas-server
+ name: datasource-env-secret
+type: Opaque
+data:
+ # jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/cas_server?serverTimezone=Asia/Shanghai
+ JDBC_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvY2FzX3NlcnZlcj9zZXJ2ZXJUaW1lem9uZT1Bc2lhL1NoYW5naGFp
+ # cas_server
+ JDBC_USERNAME: Y2FzX3NlcnZlcg==
+ # 修改为实际的数据库密码,并使用 base64 工具进行编码
+ # kingstar
+ JDBC_PASSWORD: a2luZ3N0YXI=
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: cas-server
+ name: redis-env-secret
+type: Opaque
+data:
+ SPRING_REDIS_HOST: cmVkaXMtc2VydmVy
+ SPRING_REDIS_PORT: NjM3OQ==
+ SPRING_REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: cas-server
+ name: rabbitmq-env-secret
+type: Opaque
+data:
+ SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVy
+ SPRING_RABBITMQ_PORT: NTY3Mg==
+ SPRING_RABBITMQ_USERNAME: Z3Vlc3Q=
+ SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q=
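Review bot: The decoded-value comments (`# cas_server`, `# kingstar`) and the redis password reused verbatim from the base file's `redis-server` Secret mean every cas-server credential is readable from the repository; the base64 adds nothing. Replace the decoded comments with placeholders and inject the Secrets at deploy time, as already noted for the user-authorization env file. Note also that the CAS ticket signing key (`CAS_AUTHN_TOKEN_CRYPTO_SIGNING_KEY`) is committed as a literal in the site-webapp ConfigMap of this same commit (4.5.cas-server-site-webapp.yaml, whose hunk runs past this view) rather than as a Secret next to these; a signing key is the most sensitive value in the deployment and should be generated per installation and stored here as a Secret key.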
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml
new file mode 100644
index 0000000..9ffc2a6
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/2.cas-server-ingresses.yaml
@@ -0,0 +1,45 @@
+# cas-server-ingresses.yaml
+
+# 创建 ca-secret
+
+# cd PATH/ca/certs/client
+
+# kubectl describe secret ca-secret -n cas-server
+
+# kubectl create secret generic ca-secret --from-file=client.truststore=client.truststore -n cas-server
+
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: cas-server
+ name: cas-ingress
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+ # cert-manager.io/cluster-issuer: "letsencrypt-staging"
+ # nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ # nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ # nginx.ingress.kubernetes.io/auth-tls-secret: "cas-server/ca-secret"
+ # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
+spec:
+ # tls:
+ # - hosts:
+ # - cas.paas.xxx.edu.cn
+ # secretName: cas-ingress-tls
+ rules:
+ # 修改为学校的根域名
+ - host: cas.paas.xxx.edu.cn
+ http:
+ paths:
+ - path: /cas
+ backend:
+ serviceName: cas-server-site-webapp-svc
+ servicePort: http
+ - path: /cas/schemes
+ backend:
+ serviceName: cas-server-site-scheme-svc
+ servicePort: http
+
+
+# TODO: https 配置说明
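Review bot: The Ingress is `apiVersion: extensions/v1beta1`, which was removed in Kubernetes 1.22; it should be `networking.k8s.io/v1` with `pathType` and the `backend.service.name`/`backend.service.port` form. More importantly, the `tls:` block is commented out while the webapp ConfigMap in this same commit sets `CAS_SERVER_NAME: https://cas.paas.xxx.edu.cn` and `CAS_TGC_SECURE: "true"` (4.5.cas-server-site-webapp.yaml, hunk beyond this view); without TLS at the ingress the Secure-flagged TGC cookie is never returned over http and logins loop, and if TLS is terminated elsewhere that belongs in the `# TODO: https 配置说明` placeholder. Either uncomment the `tls` section with a real `secretName` or set `CAS_TGC_SECURE` consistently, and enable `ssl-redirect` once TLS exists so the login form is never served over plain http.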
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml
new file mode 100644
index 0000000..f3ec61a
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.0.cas-server-installer.yaml
@@ -0,0 +1,56 @@
+# cas-server-installer.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: cas-server
+ name: cas-server-installer-env
+data:
+ DB_TYPE: mysql8
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: cas-server
+ name: cas-server-installer
+spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: cas-server-installer
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: cas-server-installer
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-installer:1.4.4-RELEASE
+ imagePullPolicy: Always
+ env:
+ - name: DB_TYPE
+ value: mysql8
+ - name: JDBC_URL
+ value: jdbc:mysql://mysql-server:3306/cas_server?serverTimezone=Asia/Shanghai
+ - name: JDBC_USERNAME
+ value: cas_server
+ - name: JDBC_PASSWORD
+ value: Nwpu@Supwisdom123
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ # - secretRef:
+ # name: datasource-env-secret
+ - configMapRef:
+ name: cas-server-installer-env
+ # resources:
+ # requests:
+ # memory: "256Mi"
+ # limits:
+ # memory: "256Mi"
+ imagePullSecrets:
+ - name: harbor-registry
+
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml
new file mode 100644
index 0000000..48b6733
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.2.cas-server-sa-api.yaml
@@ -0,0 +1,141 @@
+# cas-server-sa-api.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: cas-server
+ name: cas-server-sa-api-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+
+ SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10"
+ SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "20"
+ SPRING_DATASOURCE_DRUID_MIN_IDLE: "10"
+
+ SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800"
+ SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100"
+ SPRING_REDIS_JEDIS_POOL_MINIDLE: "100"
+
+
+ SERVICE_REFRESH_REDIS_TIMER_ENABLED: "true"
+ ACCOUNT_REFRESH_REDIS_TIMER_ENABLED: "false"
+ FEDERATION_REFRESH_REDIS_TIMER_ENABLED: "true"
+
+
+ USER_DATA_SERVICE_SA_API_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: cas-server
+ name: cas-server-sa-api-env-secret
+type: Opaque
+data:
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEY_PASSWORD: Y2xpZW50
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: Y2xpZW50
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: Y2xpZW50
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: cas-server
+ name: cas-server-sa-api-svc
+ labels:
+ app: cas-server-sa-api
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: cas-server-sa-api
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: cas-server
+ name: cas-server-sa-api
+spec:
+ selector:
+ matchLabels:
+ app: cas-server-sa-api
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: cas-server-sa-api
+ spec:
+ containers:
+ - name: cas-server-sa-api
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-sa-api:1.4.4-SNAPSHOT
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - secretRef:
+ name: redis-env-secret
+ - secretRef:
+ name: rabbitmq-env-secret
+ - configMapRef:
+ name: cas-server-sa-api-env
+ - secretRef:
+ name: cas-server-sa-api-env-secret
+ resources:
+ requests:
+ memory: "512Mi"
+ limits:
+ memory: "512Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
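Review bot: The image is `cas-server-sa-api:1.4.4-SNAPSHOT` with `imagePullPolicy: Always`, whereas every other component in this commit pins `1.4.4-RELEASE`; a snapshot tag is mutable, so each pod restart may pull a different build, which makes the deployed authentication backend unreproducible and bypasses any signature or scan gate keyed to the release tag. Pin it: `image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-sa-api:1.4.4-RELEASE` (or a digest). 4.3.cas-server-security-engine.yaml (hunk ending at L7581) has the same `1.4.4-SNAPSHOT` tag. As in the user-authorization files, `AUTHX_LOG_RABBITMQ_PASSWORD: guest` sits in the ConfigMap even though `rabbitmq-env-secret` is already mounted.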
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml
new file mode 100644
index 0000000..af1e69e
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.3.cas-server-security-engine.yaml
@@ -0,0 +1,92 @@
+# cas-server-security-engine.yaml
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: cas-server
+ name: cas-server-security-engine-env-secret
+type: Opaque
+data:
+ #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: Y2xpZW50
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: Y2xpZW50
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: Y2xpZW50
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: cas-server
+ name: cas-server-security-engine-env
+data:
+ CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+
+
+ #ipaddr
+ IPADDR_API_URL: http://ipaddr.ipaddr.svc.cluster.local:9090/v1/find
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: cas-server
+ name: cas-server-security-engine-svc
+ labels:
+ app: cas-server-security-engine
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: cas-server-security-engine
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: cas-server
+ name: cas-server-security-engine
+spec:
+ selector:
+ matchLabels:
+ app: cas-server-security-engine
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: cas-server-security-engine
+ spec:
+ containers:
+ - name: cas-server-security-engine
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-security-engine:1.4.4-SNAPSHOT
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - secretRef:
+ name: rabbitmq-env-secret
+ - configMapRef:
+ name: cas-server-security-engine-env
+ - secretRef:
+ name: cas-server-security-engine-env-secret
+ resources:
+ requests:
+ memory: "512Mi"
+ limits:
+ memory: "512Mi"
+ imagePullSecrets:
+ - name: harbor-registry
+
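Review bot: This Deployment has no readinessProbe or livenessProbe, unlike the other cas-server services in this commit; its Service exposes only `http-metrics` on 6060, so it is unclear whether an HTTP health endpoint exists, but without any probe a hung engine keeps running indefinitely and is never restarted. If the actuator is served on 6060, add a probe on `/actuator/health` against `port: http-metrics`; otherwise document why none is possible. The `1.4.4-SNAPSHOT` tag here has the same problem raised on 4.2.cas-server-sa-api.yaml.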
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml
new file mode 100644
index 0000000..9d87be0
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.5.cas-server-site-webapp.yaml
@@ -0,0 +1,287 @@
+# cas-server-site-webapp.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: cas-server
+ name: cas-server-site-webapp-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEY_PASSWORD: ""
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+
+ SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800"
+ SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100"
+ SPRING_REDIS_JEDIS_POOL_MINIDLE: "100"
+
+
+ LOGGING_CONFIG: file:/etc/cas/log4j2-file.xml
+
+
+ ##
+ # 认证服务的外网访问地址,
+ # **修改** 学校的根域名
+ CAS_SERVER_NAME: https://cas.paas.xxx.edu.cn
+
+ ##
+ # Ticket Granting Cookie
+ # 若未启用 https,**修改** 为 false
+ CAS_TGC_SECURE: "true"
+
+ # TGT Expiration Policy
+ CAS_TICKET_TGT_MAX_TIME_TO_LIVE_IN_SECONDS: "1209600"
+ CAS_TICKET_TGT_TIME_TO_KILL_IN_SECONDS: "172800"
+
+ # JWT Tickets
+ CAS_AUTHN_TOKEN_CRYPTO_SIGNING_KEY: "(@<rhnPaUYKC_k770*DuWwYQ_#Zc#8c(2rB?kae)rN)>K7qy)awCjxp$L653Mf$2"
+
+ ##
+ # 登录UI,主题
+ SPRING_THYMELEAF_PREFIX: classpath:/templates/themes/classic/
+
+ ##
+ # 测试环境中可使用,正式环境下请配置为空
+ #
+ CAS_AUTHN_ACCEPT_USERS: ""
+
+
+ ## 配置第三方认证的相关参数
+ CASSERVER_FEDERATION_QQ_ENABLED: "true"
+ CASSERVER_FEDERATION_QQ_NAME: QQ
+ CASSERVER_FEDERATION_QQ_APPID: ""
+ CASSERVER_FEDERATION_QQ_APPKEY: ""
+
+ CASSERVER_FEDERATION_OPENWEIXIN_ENABLED: "true"
+ CASSERVER_FEDERATION_OPENWEIXIN_NAME: 微信
+ CASSERVER_FEDERATION_OPENWEIXIN_APPID: ""
+ CASSERVER_FEDERATION_OPENWEIXIN_APPSECRET: ""
+
+ CASSERVER_FEDERATION_WORKWEIXIN_ENABLED: "true"
+ CASSERVER_FEDERATION_WORKWEIXIN_NAME: 企业微信
+ CASSERVER_FEDERATION_WORKWEIXIN_CORPID: ""
+ CASSERVER_FEDERATION_WORKWEIXIN_AGENTID: ""
+ CASSERVER_FEDERATION_WORKWEIXIN_SECRET: ""
+
+ CASSERVER_FEDERATION_ALIPAY_ENABLED: "true"
+ CASSERVER_FEDERATION_ALIPAY_NAME: 支付宝
+ CASSERVER_FEDERATION_ALIPAY_APPID: ""
+ CASSERVER_FEDERATION_ALIPAY_APPPRIVATEKEY: ""
+ CASSERVER_FEDERATION_ALIPAY_ALIPAYPUBLICKEY: ""
+
+ CASSERVER_FEDERATION_DINGTALK_ENABLED: "true"
+ CASSERVER_FEDERATION_DINGTALK_NAME: 钉钉
+ CASSERVER_FEDERATION_DINGTALK_APPID: ""
+ CASSERVER_FEDERATION_DINGTALK_APPSECRET: ""
+
+
+ # **修改**
+ # jwt 的签发方标识,一般为 认证的域名
+ CASSERVER_JWT_ISS: cas.paas.xxx.edu.cn
+ # **修改**
+ # 参考 certs/jwt/readme.md 生成公私钥pem,修改相关配置
+ CASSERVER_JWT_PRIVATE_KEY_PEM_PKCS8: "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDKivcJfoDpTgShIdrC0AuImgHQKQmdv/CZWRxVPkSY26kZWtVJ4mjzRkDGyB31LUJlVfFNe0nteOyqfNHrhC+uf612+P0KTmT/pOenoegpT8BDEDe1DlmrDoPqKE87JVXjPhx0rnCPMQE0+Em5OOPM/hVDiHhWx5Y1t+FcYre9J6zyg2flbCiv2vVRsQk/9kwesMnEBzB7QY+95sCoSng7llxO1aer7+qShQHrP/nYScIyW2g+a4wL6jd9Z0gIF/irvShIMKV+6EtWLiZFPYrlRQfx+zER7qg+2S+T29UII5lGajQxeldmIip1k62BwHOf/SbOg13nwrF4jLSCKeN/AgMBAAECggEAVtWHHcHngJ6bK325LSZGm5TzTAwb/E6q1wO2OvGMNUCPWbhwktGHjyzCXray6UczHQDgiAhgZHggduM2mFM+ogBJHSWYTo/XiyZmzp6CSxvO4LGWQIBbfxOlCIGpnkDedqNNTdTvmuQ2kUAVU1yJhXw1H5Pli8bbpkIkUxhbj7MsmcSZS4Xaqj1jhOWoBzt1SZEpHgDZ4m8MEMBfjLu+/SQAIWGdJmyANdsU3V/f/DmcgSqu7oTFYZiEFyJqTRyCVHJmyIqAOAtqHkKnJcGfeurwUIuX5NVqdYhj/JM+3k8lXDRyoyC0QADhnfR85uXV/OnXCVBC8GABuMP4DaiHyQKBgQDjwjtbVb/jQur2JYsSDS0sZI3S4X929gWU66AyClnUNbRIVcN4Lyhnp8+d/m9+oVV6kDfjTDnuEz7TWHr94RFcecdivehzxRHdRlRp+IhmtCtzstPhS5f0U6/e59CryxgxV+h5jDUssokzdz1bLsnC8+VgKNL2jVXqkuLkF3RqhQKBgQDjqE186VX3oej5YlmLmqi4LVFFVzpX75dOjAFc+ke/SPXm11o7lj1ONr+t9ZKcwvPx9j5OPXJajbaE2Qx1KXzTPKQT44GdpOvistOJQSNpx2e00K4Sn/7bsJq++UJ7FtmR+iJvfYq1uW1z5taVIjh5hhwFtIBW38voNcghCXVvMwKBgAUwRpPlFzMBMkMbRdjKbg4F2GlGc9Xs8uGaoJKjQ7qe4pWHRqW1RVFfNE6gHkAfQshBAtTtxqAS1iqQaHTiLLgTmiQ4uVPx2F9XG9MyM0FLt3WyTDtksniBc487briLLujo3MXwGMIE6zU98SrjnPsQ/Ve8dlnhjGSEpiCWHDPVAoGAZwNmJMqUytvpxsbZDBGsnMJszvqcfOP+TF2P1FmwE39ZPd5ehy4BiZ2+eGHxuJuCtQ8evFqTnyQW3eA1AeMHB7Kd8B33LbVNw6P1klr2QkwnwirXSbg6I4CzVQ0HJxl809Aiut5M4NQKEfL3UD5O3bZwgahelnDoHKgRadmU2P8CgYANBbxpDT1SdyJUFuKzJ5/cUPBFzOn3eNGRo/RejXSCi5Spd9OoTwDh6dbffk7pUWLYH/BFILW9+RL8uhMt8mdTWVgDKrNrdZLdWUBNsb89St9x/JwlucqgbTvzf0G0h/ZiGNzyPhgGABRrlWVYIdS8KLdTYUkvPHsEAtxR+kwTAg=="
+ CASSERVER_JWT_PUBLIC_KEY_PEM: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyor3CX6A6U4EoSHawtALiJoB0CkJnb/wmVkcVT5EmNupGVrVSeJo80ZAxsgd9S1CZVXxTXtJ7XjsqnzR64Qvrn+tdvj9Ck5k/6Tnp6HoKU/AQxA3tQ5Zqw6D6ihPOyVV4z4cdK5wjzEBNPhJuTjjzP4VQ4h4VseWNbfhXGK3vSes8oNn5Wwor9r1UbEJP/ZMHrDJxAcwe0GPvebAqEp4O5ZcTtWnq+/qkoUB6z/52EnCMltoPmuMC+o3fWdICBf4q70oSDClfuhLVi4mRT2K5UUH8fsxEe6oPtkvk9vVCCOZRmo0MXpXZiIqdZOtgcBzn/0mzoNd58KxeIy0ginjfwIDAQAB"
+
+ # **视情况修改**
+ ## 是否启用登录验证码
+ CASSERVERSITE_CAPTCHA_ENABLED: "true"
+ CASSERVERSITE_CAPTCHA_SKIP_N: "true"
+
+ CASSERVERSITE_FEDERATED_CAPTCHA_ENABLED: "true"
+
+ ## 配置用户的登录名的正则校验(用于手机、邮箱登录的判断)
+ #CASSERVERSITE_USERNAME_REGEX_MOBILE: ""
+ # \d{11}$
+ #CASSERVERSITE_USERNAME_REGEX_EMAIL_ADDRESS: ""
+ # \w+\.?\w+@\w+\.[a-z]+(\.[a-z]+)?
+
+ ## 配置认证时,帐号服务的实现( redis 帐号数据存放在redis中, user-sa 帐号数据从用户服务获取)
+ CASSERVERSITE_ACCOUNT_SERVICE_IMPL: user-sa
+
+ ## 配置认证时,角色服务的实现( redis 角色数据存放在redis中, user-authz-sa 角色数据从授权服务获取)
+ CASSERVERSITE_ROLE_SERVICE_IMPL: user-authz-sa
+
+ ## 配置认证时,动态码的短信发送实现( default 控制台输出, agent-service 代理服务)
+ CASSERVERSITE_SMS_SENDER_IMPL: agent-service
+
+ # **修改** 学校的根域名
+ CASSERVERSITE_FORGOT_PASSWORD_URL: https://security-center.paas.xxx.edu.cn/find-pwd
+ CASSERVERSITE_ACTIVE_ACCOUNT_URL: https://security-center.paas.xxx.edu.cn/active-account
+
+ ## 动态码登录相关配置
+ CASSERVERSITE_PASSWORDLESS_TOKEN_EXPIRATION_IN_SECONDS: "300"
+ CASSERVERSITE_PASSWORDLESS_SMS_FROM: 认证中心
+ # **修改** 根据实际情况,修改短信模板
+ CASSERVERSITE_PASSWORDLESS_SMS_TEXT_TEMPLATE: 【认证中心】您正在登录统一身份认证,本次登录的动态密码为{token},有效期5分钟,请尽快完成登录。
+
+
+ ## 密码验证接口(外部接口)
+ CASSERVERSITE_SECURITY_PASSWORD_VERIFY_URL: ""
+ # http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080/api/v1/security/accounts/verifyAccountPassword
+
+
+ TPAS_AGENT_SERVICE_SERVER_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
+ TPAS_AGENT_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ # **修改**
+ # 若须对接sms 接口,须进行二开定制
+ TPAS_AGENT_SERVICE_SMS_SENDER_PATH: /api/v1/tpas/sms/console/send
+
+ TPAS_AGENT_SERVICE_FILE_PATH: /api/v1/tpas/file/minio
+
+
+ CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ USER_DATA_SERVICE_SA_API_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ USER_AUTHZ_SERVICE_SA_API_SERVER_URL: http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080
+ USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #USER_AUTHZ_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ ##
+ # 超级APP Token 的验签公钥
+ # 如须和 超级APP 进行对接,修改此配置
+ # **修改** 学校的根域名
+ SUPERAPP_TOKEN_SIGNING_KEY_URL: https://token.paas.xxx.edu.cn/jwt/publicKey
+
+
+ ATTEST_SERVER_URL: http://attest-server-svc.attest-server.svc.cluster.local:8080/attest
+ ATTEST_CLIENT_AUTH_ENABLED: "false"
+ #ATTEST_CLIENT_AUTH_KEY_PASSWORD: ""
+ #ATTEST_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #ATTEST_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #ATTEST_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #ATTEST_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ IPADDR_SERVER_URL: http://ipaddr.ipaddr.svc.cluster.local:9090
+ IPADDR_CLIENT_AUTH_ENABLED: "false"
+ #IPADDR_CLIENT_AUTH_KEY_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #IPADDR_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
+ ##
+ # 第三方CAS 认证对接
+ #
+ CASCLIENT_ENABLED: "false"
+ CASCLIENT_CAS_SERVER_URL: http://third-party-cas/cas
+ CASCLIENT_CAS_CLIENT_URL: http://localhost:8080/cas/login
+ CASCLIENT_CAS_CLIENT_LOGOUT_URL: http://localhost:8080/cas/logout
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: cas-server
+ name: cas-server-site-webapp-svc
+ labels:
+ app: cas-server-site-webapp
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: cas-server-site-webapp
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: cas-server
+ name: cas-server-site-webapp
+spec:
+ selector:
+ matchLabels:
+ app: cas-server-site-webapp
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: cas-server-site-webapp
+ spec:
+ containers:
+ - name: cas-server-site-webapp
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-site-webapp:1.4.4-SNAPSHOT
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: redis-env-secret
+ - secretRef:
+ name: rabbitmq-env-secret
+ - configMapRef:
+ name: cas-server-site-webapp-env
+ resources:
+ requests:
+ memory: "6000Mi"
+ limits:
+ memory: "6000Mi"
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 30
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
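Review bot: The JWT signing private key `CASSERVER_JWT_PRIVATE_KEY_PEM_PKCS8` (L7680) and the ticket crypto key `CAS_AUTHN_TOKEN_CRYPTO_SIGNING_KEY` (L7634) are placed in a `ConfigMap`, which RBAC defaults and tooling do not treat as sensitive; they belong in a `kind: Secret` referenced through a `secretRef`, the pattern the sibling deployment already uses at L7572–L7573. The public half at L7681 is byte-identical to `certs/jwt/jwt_public_key.pem` (L8078–L8084), so the committed sample keypair is the one these manifests actually trust unless the `**修改**` comment at L7678 is acted on; a placeholder such as `"<REPLACE_WITH_GENERATED_PKCS8>"` would make an un-rotated deployment fail to start instead of silently using a key that is public. The RabbitMQ credentials at L7790–L7791 are likewise plain text in the ConfigMap although the Deployment already mounts `rabbitmq-env-secret` (L7856); the `AUTHX_LOG_RABBITMQ_*` keys should come from that Secret.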
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml
new file mode 100644
index 0000000..382a7cb
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/4.6.cas-server-site-scheme.yaml
@@ -0,0 +1,113 @@
+# 4.6.cas-server-site-scheme.yaml
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ namespace: cas-server
+ name: cas-server-site-scheme-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ # 根据情况修改
+ storageClassName: nfs-client
+ resources:
+ requests:
+ storage: 5Gi
+
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: cas-server
+ name: cas-server-site-scheme-config
+data:
+ # 当配置了 CASSERVER_SA_API_SERVER_URL,则使用配置表中的配置,否则,使用 SCHEME_COLOR 指定的设置
+ CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ SCHEME_COLOR: ""
+ # 409EFF
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: cas-server
+ name: cas-server-site-scheme-svc
+ labels:
+ app: cas-server-site-scheme-svc
+spec:
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app: cas-server-site-scheme
+
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: cas-server
+ name: cas-server-site-scheme
+spec:
+ selector:
+ matchLabels:
+ app: cas-server-site-scheme
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: cas-server-site-scheme
+ spec:
+ initContainers:
+ - command:
+ - chmod
+ - -R
+ - "777"
+ - /usr/share/nginx/html
+ # 根据情况修改镜像地址
+ image: busybox:1.25.0
+ imagePullPolicy: IfNotPresent
+ name: chmod-html-dir
+ volumeMounts:
+ - name: html
+ mountPath: /usr/share/nginx/html
+ containers:
+ - name: cas-server-site-scheme-nginx
+ # 根据情况修改镜像地址
+ image: nginx:latest
+ ports:
+ - containerPort: 80
+ name: http
+ volumeMounts:
+ - mountPath: /usr/share/nginx/html
+ name: html
+ resources:
+ requests:
+ cpu: 500m
+ memory: "256Mi"
+ limits:
+ cpu: 2000m
+ memory: "256Mi"
+ - name: cas-server-site-scheme-generator
+ # 根据情况修改镜像地址
+ image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-site-scheme:1.4.4-SNAPSHOT
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: cas-server-site-scheme-config
+ volumeMounts:
+ - mountPath: /usr/share/nginx/html
+ name: html
+ volumes:
+ # - name: html
+ # emptyDir: {}
+ - name: html
+ persistentVolumeClaim:
+ claimName: cas-server-site-scheme-pvc
+ imagePullSecrets:
+ - name: harbor-registry
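Review bot: The `chmod -R 777` init container (L7947–L7951) makes the shared PVC world-writable for every pod that can mount it; the usual fix is a pod-level `securityContext` with `fsGroup` so the nginx and generator containers share one group, though with an NFS-backed `storageClassName: nfs-client` (L7893) fsGroup may not be honoured, in which case a fixed group and `770` is the tighter fallback. `nginx:latest` (L7962) is unpinned, so the served image can change under a rollout and is not reproducible; pin a tag or digest as the other images here are. The generator container (L7976) has no `resources` block, unlike its sibling at L7969–L7975.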
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml
new file mode 100644
index 0000000..dea8876
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/5.cas-server-datax-job.yaml
@@ -0,0 +1,57 @@
+# cas-server-datax-job.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: cas-server
+ name: cas-server-datax-job-env
+data:
+ JOB_ACCOUNT_USER2CAS_MYSQLREADER8_USERNAME: "user"
+ # 修改为实际的数据库密码
+ JOB_ACCOUNT_USER2CAS_MYSQLREADER8_PASSWORD: "kingstar"
+ JOB_ACCOUNT_USER2CAS_MYSQLREADER8_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai"
+
+ JOB_ACCOUNT_USER2CAS_MYSQLWRITER8_USERNAME: "cas_server"
+ # 修改为实际的数据库密码
+ JOB_ACCOUNT_USER2CAS_MYSQLWRITER8_PASSWORD: "kingstar"
+ JOB_ACCOUNT_USER2CAS_MYSQLWRITER8_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/cas_server?serverTimezone=Asia/Shanghai"
+
+
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ namespace: cas-server
+ name: cas-server-datax-job
+spec:
+ schedule: "5 */2 * * *"
+ jobTemplate:
+ metadata:
+ labels:
+ app: cas-server-datax-job
+ spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: cas-server-datax-job
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: cas-server-datax-job
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/cas-server/cas-server-datax-job:1.4.4-SNAPSHOT
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: cas-server-datax-job-env
+ # resources:
+ # requests:
+ # memory: "400Mi"
+ # limits:
+ # memory: "400Mi"
+ imagePullSecrets:
+ - name: harbor-registry
+
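Review bot: Database passwords are stored as plain text in a ConfigMap (L8011, L8016), while the rest of this change keeps JDBC credentials in `datasource-env-secret` (L8361, L8469); move the two `*_PASSWORD` keys into a `Secret` and add a `secretRef` next to the existing `configMapRef` at L8047, leaving URL and username where they are. The same plaintext-in-git pattern recurs as comments that spell out the decoded value beside its base64 form at L8210 and L8369 — base64 is encoding, not protection, so those comments should be dropped and the values treated as already disclosed. `batch/v1beta1` CronJob (L8021) was removed in Kubernetes 1.25; `batch/v1` is the current API.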
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key.pem b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key.pem
new file mode 100644
index 0000000..e1c0db0
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
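Review bot: An RSA private key is committed to the repository in this file and again in PKCS#8 form at L8070, and the matching public key (L8078–L8084) is exactly what `cas-server-site-webapp-env` (L7681) and `token-server-env` (L8524) verify tokens against. Any deployment that applies these manifests without regenerating is trusting a key that is readable by everyone with repository access, and deleting the files in a later commit does not remove them from history, so this keypair should be treated as compromised and rotated wherever it was deployed. Keep the generation steps in `readme.md` and, at most, the public key under `certs/jwt`; the private halves should never be checked in.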
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key_pkcs8.pem b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key_pkcs8.pem
new file mode 100644
index 0000000..4c9e224
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_private_key_pkcs8.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_public_key.pem b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_public_key.pem
new file mode 100644
index 0000000..7523d69
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/jwt_public_key.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyor3CX6A6U4EoSHawtAL
+iJoB0CkJnb/wmVkcVT5EmNupGVrVSeJo80ZAxsgd9S1CZVXxTXtJ7XjsqnzR64Qv
+rn+tdvj9Ck5k/6Tnp6HoKU/AQxA3tQ5Zqw6D6ihPOyVV4z4cdK5wjzEBNPhJuTjj
+zP4VQ4h4VseWNbfhXGK3vSes8oNn5Wwor9r1UbEJP/ZMHrDJxAcwe0GPvebAqEp4
+O5ZcTtWnq+/qkoUB6z/52EnCMltoPmuMC+o3fWdICBf4q70oSDClfuhLVi4mRT2K
+5UUH8fsxEe6oPtkvk9vVCCOZRmo0MXpXZiIqdZOtgcBzn/0mzoNd58KxeIy0ginj
+fwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/readme.md b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/readme.md
new file mode 100644
index 0000000..81ac267
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/4.cas-server/certs/jwt/readme.md
@@ -0,0 +1,98 @@
+# readme.md
+
+
+## 使用 openssl 生成 公私钥
+
+
+1. 生成私钥 App Private Key
+
+必须为 RSA2(SHA256)
+
+```bash
+openssl genrsa -out jwt_private_key.pem 2048
+```
+
+2. 将私钥转换为 PKCS8 格式
+
+```bash
+openssl pkcs8 -topk8 -inform PEM -in jwt_private_key.pem -outform PEM -nocrypt -out jwt_private_key_pkcs8.pem
+```
+
+3. 导出公钥 App Public Key
+
+```bash
+openssl rsa -in jwt_private_key.pem -pubout -out jwt_public_key.pem
+```
+
+4. 将 jwt_public_key.pem 中的内容,去除换行和空格,转成字符串。
+
+处理前:
+```language
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwow0APEh9F91vvtAzl7V
+FmXRAOGhlo+22KX+rqC3ziGg4+yIk8evAL1T97XEuK1huqcAp+p4PIG2t/Rb3FBD
++vVJGoXKsyLCMUmT4Sy5/TRhb3TM0CHefvMZTSMwcVzKT07DtxyGgFZj9WsUYZWr
+BUPcu0vD6s7m5Qe3qFJJWVeRX8NDnVAxySzrz4bI4+1qvtyey/uap3I6txxRxUlI
+aMyTsD8pl63u14dD2FHRM6JY3tmdEpBEMWI91qmYbl9HkH/D6Xtumg0Hmzh06bdr
+lO3YNscpr6iN2ug6yGNtAh4/ug4P4ZV9nxImcj8l8Pt3jio1O0IIpf4MUCMD+C7P
+rQIDAQAB
+-----END PUBLIC KEY-----
+```
+处理后:
+```language
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwow0APEh9F91vvtAzl7VFmXRAOGhlo+22KX+rqC3ziGg4+yIk8evAL1T97XEuK1huqcAp+p4PIG2t/Rb3FBD+vVJGoXKsyLCMUmT4Sy5/TRhb3TM0CHefvMZTSMwcVzKT07DtxyGgFZj9WsUYZWrBUPcu0vD6s7m5Qe3qFJJWVeRX8NDnVAxySzrz4bI4+1qvtyey/uap3I6txxRxUlIaMyTsD8pl63u14dD2FHRM6JY3tmdEpBEMWI91qmYbl9HkH/D6Xtumg0Hmzh06bdrlO3YNscpr6iN2ug6yGNtAh4/ug4P4ZV9nxImcj8l8Pt3jio1O0IIpf4MUCMD+C7PrQIDAQAB
+-----END PUBLIC KEY-----
+```
+
+4. 将 jwt_private_key_pkcs8.pem 中的内容,去除换行和空格,转成字符串。
+
+处理前:
+```language
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDCjDQA8SH0X3W+
++0DOXtUWZdEA4aGWj7bYpf6uoLfOIaDj7IiTx68AvVP3tcS4rWG6pwCn6ng8gba3
+9FvcUEP69UkahcqzIsIxSZPhLLn9NGFvdMzQId5+8xlNIzBxXMpPTsO3HIaAVmP1
+axRhlasFQ9y7S8PqzublB7eoUklZV5Ffw0OdUDHJLOvPhsjj7Wq+3J7L+5qncjq3
+HFHFSUhozJOwPymXre7Xh0PYUdEzolje2Z0SkEQxYj3WqZhuX0eQf8Ppe26aDQeb
+OHTpt2uU7dg2xymvqI3a6DrIY20CHj+6Dg/hlX2fEiZyPyXw+3eOKjU7Qgil/gxQ
+IwP4Ls+tAgMBAAECggEAaQOlTpza5z5gIKcfZEZsX5q2JvOkddE9sdRolXrLvMkK
+P/39+0def9ey65OCjO2KQ2bCQ+Gc5YxfRQzySQpKp7yfqWFu+SNaD6DX4kRyYOtV
+bQRvSin+ICi5D5pfG9IqooSxwLX1JHF9o4wZhFN17XGkRLWxG55zpE12JbXFQiPB
+pck6hcMfx+r5wk7t4ret/8P/MDcyrPuUavJemd4D2jRrD7AmOGJDvElioFcOKA+V
+S8oe/uBdpU8cbYJvct68fHOzG9IW3hdqYV18fhNtWqp9WeuUP+F2UMmOXbAtZ106
+Zcd+V/jsse2G9KvGzmDA61ZGxzHUjt+JNIpN+V2HQQKBgQDkfYb8vIMc2yV0CM30
+mAaPIapgpw8brYS8v+azQR/jjsuHFJ1CQJAih79y2gwdjKbDl0XByjj/qiHLTPcu
+6dkuavdsV9MrlFfVqAXUMNDHrWEn5nMahlq3UZbflBqlavTr0gvEA8Da+ZXcRvWg
+TP5+g5RFrKHJVOyQ+GzgDggQawKBgQDZ+IDRthf0UHvvZsoUbeb37Wut9jdjRgLJ
+S1X4RtH+NPN23lvtTKJmUNfrFxiOfeVBfCXmGep0ibTqDVo0zBeHSu4BFM3BsICu
+7xafmLafZxZqHcgWuF9keOCWjKN5fzub5xGqd2yge9hGN2zA2U9qp4mltGzeoZ/0
+TuLuR59GRwKBgCGga7ZUVANyKQ/rn8vod8am0LlKvMl4/vj8UQp+gh/uSvvFR+OR
+NuUuDznq5y+OHJjacXS0uzC9LB4MZLBtz/2p1mIGhth6C3cxNDJnQMKyPIMvwi7c
+KQujoU2kMUu48vSlw/+EAeT4KFrzwoBl9GpQGQkr/99udSZcuUE8L2mjAoGAPRLn
+LVuDTL58a3D2sFC3BcLth/nUPSmxwCsutHlLf5ngme7l/RCa9GY0ibeX9t0JrpaV
+m+qpCexH18jT/LUu5oa1N3JX0Kye8eUmBqPoj7N30VX06YDRobpI24Yei/19e0p8
+ZbI+qpzo1YvUGhkJqo21AMwUMTFCO1cbOL6yvyMCgYAHUNBLhSOaIZpvbmyh5uz5
+Va/IIYU5nJcVAan8ExzdVBqeiDqlIDsUt/4xoV2sWOK1lDmL1QYeOOTOHdVcSUyN
+ZpvB3b/9RZ1bNQZA1trBBxjY7dXNwZZp0ah/bmO+i4dPXl+bU2mUqdyb1emFwcj0
+uNGn7GMQXLxalpCkz4SXRg==
+-----END PRIVATE KEY-----
+```
+处理后:
+```language
+-----BEGIN PRIVATE KEY-----
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
+-----END PRIVATE KEY-----
+```
+
+
+5. (可选)将pem内容进行 base64 编码后,配置到k8s
+
+echo -n '-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwow0APEh9F91vvtAzl7VFmXRAOGhlo+22KX+rqC3ziGg4+yIk8evAL1T97XEuK1huqcAp+p4PIG2t/Rb3FBD+vVJGoXKsyLCMUmT4Sy5/TRhb3TM0CHefvMZTSMwcVzKT07DtxyGgFZj9WsUYZWrBUPcu0vD6s7m5Qe3qFJJWVeRX8NDnVAxySzrz4bI4+1qvtyey/uap3I6txxRxUlIaMyTsD8pl63u14dD2FHRM6JY3tmdEpBEMWI91qmYbl9HkH/D6Xtumg0Hmzh06bdrlO3YNscpr6iN2ug6yGNtAh4/ug4P4ZV9nxImcj8l8Pt3jio1O0IIpf4MUCMD+C7PrQIDAQAB
+-----END PUBLIC KEY-----' |base64
+
+
+echo -n '-----BEGIN PRIVATE KEY-----
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
+-----END PRIVATE KEY-----' |base64
diff --git a/project/nwpu/k8s-rancher/1.authx-service/5.token-server/0.token-server-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/0.token-server-base.yaml
new file mode 100644
index 0000000..0353ee3
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/0.token-server-base.yaml
@@ -0,0 +1,143 @@
+# 0.token-server-base.yaml
+
+####################################################
+# harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ name: harbor-registry
+ namespace: token-server
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
+
+
+####################################################
+# redis-server
+####################################################
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: token-server
+type: Opaque
+data:
+ REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: token-server
+spec:
+ ports:
+ - name: redis
+ port: 6379
+ protocol: TCP
+ targetPort: redis
+ selector:
+ app: redis
+ release: redis-server
+ role: master
+ type: ClusterIP
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: token-server
+spec:
+ podManagementPolicy: OrderedReady
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: redis
+ release: redis-server
+ role: master
+ serviceName: redis-master
+ template:
+ metadata:
+ labels:
+ app: redis
+ release: redis-server
+ role: master
+ spec:
+ containers:
+ - name: redis-server
+ env:
+ - name: REDIS_DISABLE_COMMANDS
+ value: FLUSHDB,FLUSHALL
+ - name: REDIS_REPLICATION_MODE
+ value: master
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: redis-server
+ key: REDIS_PASSWORD
+ # 若使用了学校搭设的私有仓库,请修改
+ image: bitnami/redis:4.0
+ # 若使用了学校搭设的私有仓库,请修改 为 Always
+ imagePullPolicy: IfNotPresent
+ # imagePullPolicy: Always
+ livenessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 5
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ ports:
+ - containerPort: 6379
+ name: redis
+ protocol: TCP
+ readinessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 5
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ volumeMounts:
+ - mountPath: /bitnami/redis/data
+ name: redis-data
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ securityContext:
+ fsGroup: 0
+ # fsGroup: 1001
+ # runAsUser: 1001
+ # https://github.com/bitnami/bitnami-docker-redis/issues/106#issuecomment-388884372
+ runAsUser: 0
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - emptyDir: {}
+ name: redis-data
+ # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可)
+ # imagePullSecrets:
+ # - name: harbor-registry
+ updateStrategy:
+ rollingUpdate:
+ partition: 0
+ type: RollingUpdate
+
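Review bot: The comment at L8210 spells out the Harbor registry username and password in clear text beside the encoded `.dockerconfigjson`, so the credential is committed in readable form; remove the comment and rotate the credential, since the file's history already contains it. The redis pod runs as root (`runAsUser: 0`, `fsGroup: 0` at L8322/L8326) with the bitnami non-root defaults commented out; the linked issue note suggests a volume-permission workaround, and `fsGroup: 1001` alone normally suffices for an `emptyDir`, so the root escalation looks unnecessary. `bitnami/redis:4.0` (L8288) is an end-of-life Redis line, and `imagePullPolicy: IfNotPresent` with a floating minor tag will keep whatever image a node first pulled.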
diff --git a/project/nwpu/k8s-rancher/1.authx-service/5.token-server/1.token-server-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/1.token-server-env.yaml
new file mode 100644
index 0000000..304756b
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/1.token-server-env.yaml
@@ -0,0 +1,53 @@
+# 1.token-server-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: token-server
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: token-server
+ name: datasource-env-secret
+type: Opaque
+data:
+ # jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/token_server?serverTimezone=Asia/Shanghai
+ JDBC_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvdG9rZW5fc2VydmVyP3NlcnZlclRpbWV6b25lPUFzaWEvU2hhbmdoYWk=
+ # token_server
+ JDBC_USERNAME: dG9rZW5fc2VydmVy
+ # 修改为实际的数据库密码,并使用 base64 工具进行编码
+ # kingstar
+ JDBC_PASSWORD: a2luZ3N0YXI=
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: token-server
+ name: redis-env-secret
+type: Opaque
+data:
+ SPRING_REDIS_HOST: cmVkaXMtc2VydmVy
+ SPRING_REDIS_PORT: NjM3OQ==
+ SPRING_REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==
+
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: token-server
+ name: rabbitmq-env-secret
+type: Opaque
+data:
+ # rabbitmq-server.authx-service.svc.cluster.local
+ SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVyLmF1dGh4LXNlcnZpY2Uuc3ZjLmNsdXN0ZXIubG9jYWw=
+ SPRING_RABBITMQ_PORT: NTY3Mg==
+ SPRING_RABBITMQ_USERNAME: Z3Vlc3Q=
+ SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q=
diff --git a/project/nwpu/k8s-rancher/1.authx-service/5.token-server/2.token-server-ingresses.yaml b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/2.token-server-ingresses.yaml
new file mode 100644
index 0000000..808eb18
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/2.token-server-ingresses.yaml
@@ -0,0 +1,23 @@
+# 2.token-server-ingresses.yaml
+
+
+# 移动端应用认证服务
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: token-server
+ name: token-server-ingress
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: token.paas.xxx.edu.cn
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: token-server-svc
+ servicePort: http
+
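Review bot: The Ingress uses `extensions/v1beta1` (L8409), which was removed in Kubernetes 1.22; the same object under `networking.k8s.io/v1` needs a `pathType` on the path and the `service.name` / `service.port.name` backend form. There is no `tls:` stanza although `TOKEN_SERVER_PREFIX` is `https://token.paas.xxx.edu.cn` (L8516) and the JWT issuer is that host; if TLS is terminated in front of the ingress controller that is fine, but a one-line comment stating so would save the next reader the question.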
diff --git a/project/nwpu/k8s-rancher/1.authx-service/5.token-server/4.0.token-server-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/4.0.token-server-installer.yaml
new file mode 100644
index 0000000..32d907d
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/4.0.token-server-installer.yaml
@@ -0,0 +1,42 @@
+# 4.0.token-server-installer.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: token-server
+ name: token-server-installer-env
+data:
+ DB_TYPE: mysql8
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: token-server
+ name: token-server-installer
+spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: token-server-installer
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: token-server-installer
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/token-server/token-server-installer:1.4.4-RELEASE
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - configMapRef:
+ name: token-server-installer-env
+ imagePullSecrets:
+ - name: harbor-registry
+
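Review bot: The installer image is pinned to `1.4.4-RELEASE` (L8463) while every other component in this change pulls `1.4.4-SNAPSHOT` (L7843, L7978, L8044), so the schema installer and the service it prepares may be built from different commits; align the tags, or add a comment explaining why the installer intentionally uses the release artifact. The Job sets no `backoffLimit`, which defaults to 6 retries with `restartPolicy: Never`, so a failing install can be re-run six times against the same database — worth setting explicitly unless the installer is known to be idempotent.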
diff --git a/project/nwpu/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml
new file mode 100644
index 0000000..666c65c
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/4.1.token-server.yaml
@@ -0,0 +1,246 @@
+# 4.1.token-server.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: token-server
+ name: token-server-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEY_PASSWORD: ""
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+ LOGGING_LEVEL_COM_SUPWISDOM_INSITITUTE_TOKEN_SERVER: INFO
+
+
+ SPRING_DATASOURCE_DRUID_INITIAL_SIZE: "10"
+ SPRING_DATASOURCE_DRUID_MAX_ACTIVE: "50"
+ SPRING_DATASOURCE_DRUID_MIN_IDLE: "10"
+
+ SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800"
+ SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100"
+ SPRING_REDIS_JEDIS_POOL_MINIDLE: "100"
+
+
+ # **修改** 学校的根域名
+ TOKEN_SERVER_PREFIX: https://token.paas.xxx.edu.cn
+ # **修改** 学校的根域名
+ TOKEN_SERVER_SECURITY_JWT_ISS: token.paas.xxx.edu.cn
+ #TOKEN_SERVER_SECURITY_JWT_EXPIRATION: 2592000
+ #TOKEN_SERVER_SECURITY_JWT_KICKOUT_ENABLED: "false"
+ # **修改**
+ # 请使用与 cas-server 一致的公私钥
+ TOKEN_SERVER_SECURITY_JWT_PRIVATE_KEY_PEM_PKCS8: "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"
+ TOKEN_SERVER_SECURITY_JWT_PUBLIC_KEY_PEM: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyor3CX6A6U4EoSHawtALiJoB0CkJnb/wmVkcVT5EmNupGVrVSeJo80ZAxsgd9S1CZVXxTXtJ7XjsqnzR64Qvrn+tdvj9Ck5k/6Tnp6HoKU/AQxA3tQ5Zqw6D6ihPOyVV4z4cdK5wjzEBNPhJuTjjzP4VQ4h4VseWNbfhXGK3vSes8oNn5Wwor9r1UbEJP/ZMHrDJxAcwe0GPvebAqEp4O5ZcTtWnq+/qkoUB6z/52EnCMltoPmuMC+o3fWdICBf4q70oSDClfuhLVi4mRT2K5UUH8fsxEe6oPtkvk9vVCCOZRmo0MXpXZiIqdZOtgcBzn/0mzoNd58KxeIy0ginjfwIDAQAB"
+
+
+ # face
+ # aiface 新开普人脸,aipface 百度人脸
+ TOKEN_SERVER_FACE_SOURCE_TYPE: aiface
+
+ # 若须对接新开普人脸,须由新开普人脸系统提供相关配置
+ TOKEN_SERVER_FACE_AIFACE_URL: ""
+ TOKEN_SERVER_FACE_AIFACE_APPKEY: ""
+ TOKEN_SERVER_FACE_AIFACE_APPSECRET: ""
+ TOKEN_SERVER_FACE_AIFACE_SECRETKEY: ""
+ TOKEN_SERVER_FACE_AIFACE_TERM_CODE: ""
+
+ # 若须对接百度人脸,须在百度开放平台注册应用
+ TOKEN_SERVER_FACE_AIPFACE_APPID: ""
+ TOKEN_SERVER_FACE_AIPFACE_APIKEY: ""
+ TOKEN_SERVER_FACE_AIPFACE_SECRETKEY: ""
+
+
+ # passwordless
+ TOKEN_SERVER_PASSWORDLESS_TOKEN_EXPIRATION_IN_SECONDS: "300"
+ TOKEN_SERVER_PASSWORDLESS_SMS_TEXT_TEMPLATE: 【认证中心】您正在进行登录,本次登录的动态密码为{token},有效期5分钟,请尽快完成登录。
+ TOKEN_SERVER_PASSWORDLESS_SMS_FROM: 认证中心
+
+
+ ## 密码验证接口(外部接口)
+ TOKEN_SERVER_SECURITY_PASSWORD_VERIFY_URL: ""
+ # http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080/api/v1/security/accounts/verifyAccountPassword
+
+
+ # **修改** 从消息中心申请
+ MESSAGECENTER_ENABLED: "false"
+ MESSAGECENTER_APP_ID: ""
+ MESSAGECENTER_MESSAGE_TYPE_CODE_APP_LOGIN: APP_LOGIN
+ MESSAGECENTER_MESSAGE_TYPE_CODE_PASSWORD: PASSWORD
+
+ # **修改** 从POA申请
+ POA_SERVER_URL: https://poa.paas.xxx.edu.cn
+ POA_CLIENT_ID: ""
+ POA_CLIENT_SECRET: ""
+ POA_SCOPES: messagecenter:v1:sendMessage
+
+
+ CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ USER_DATA_SERVICE_SA_API_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ TPAS_AGENT_SERVICE_SERVER_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
+ TPAS_AGENT_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ TPAS_AGENT_SERVICE_SMS_SENDER_PATH: /api/v1/tpas/sms/console/send
+
+
+ ATTEST_SERVER_URL: http://attest-server-svc.attest-server.svc.cluster.local:8080/attest
+ ATTEST_CLIENT_AUTH_ENABLED: "false"
+ #ATTEST_CLIENT_AUTH_KEY_PASSWORD: ""
+ #ATTEST_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #ATTEST_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #ATTEST_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #ATTEST_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ IPADDR_SERVER_URL: http://ipaddr.ipaddr.svc.cluster.local:9090
+ IPADDR_CLIENT_AUTH_ENABLED: "false"
+ #IPADDR_CLIENT_AUTH_KEY_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #IPADDR_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ ##
+ # authx-log rabbitmq
+ #
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
+ ##
+ # 接收 user 推送的 rabbitmq 数据
+ #
+ USER_RABBITMQ_ENABLED: "true"
+ USER_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ USER_RABBITMQ_PORT: "5672"
+ USER_RABBITMQ_USERNAME: guest
+ USER_RABBITMQ_PASSWORD: guest
+
+ USER_RABBITMQ_CONSUMER_ENABLED: "true"
+
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: token-server
+ name: token-server-env-secret
+type: Opaque
+data:
+ SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVyLmF1dGh4LXNlcnZpY2Uuc3ZjLmNsdXN0ZXIubG9jYWw=
+ # rabbitmq-server.authx-service.svc.cluster.local
+ SPRING_RABBITMQ_PORT: NTY3Mg==
+ SPRING_RABBITMQ_USERNAME: Z3Vlc3Q=
+ SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q=
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: token-server
+ name: token-server-svc
+ labels:
+ app: token-server
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: token-server
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: token-server
+ name: token-server
+spec:
+ selector:
+ matchLabels:
+ app: token-server
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: token-server
+ spec:
+ containers:
+ - name: token-server
+ # 若使用了学校搭设的私有仓库,请 **修改**
+ image: paas.harbor.nwpu.edu.cn/token-server/token-server:1.4.3-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - secretRef:
+ name: redis-env-secret
+ - secretRef:
+ name: rabbitmq-env-secret
+ - configMapRef:
+ name: token-server-env
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
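Review bot: The ConfigMap `token-server-env` carries the JWT signing private key (`TOKEN_SERVER_SECURITY_JWT_PRIVATE_KEY_PEM_PKCS8`) and the RabbitMQ passwords (`AUTHX_LOG_RABBITMQ_PASSWORD`, `USER_RABBITMQ_PASSWORD`) in plain text, so anyone with ConfigMap read access in the namespace can read the key that signs tokens accepted by cas-server; these keys belong in a Secret. The Secret `token-server-env-secret` defined below is the natural home, but it is referenced nowhere: the Deployment's `envFrom` lists `datasource-env-secret`, `redis-env-secret` and `rabbitmq-env-secret`, so that Secret is currently dead config and its `SPRING_RABBITMQ_*` values never reach the container. The Deployment pulls `token-server:1.4.3-RELEASE` while `token-server-installer` and `api-docs-installer` in this commit pull `1.4.4-RELEASE`; if the installer applies the 1.4.4 schema, a 1.4.3 server runs against it, so the tags should be aligned. `LOGGING_LEVEL_COM_SUPWISDOM_INSITITUTE_TOKEN_SERVER` spells INSITITUTE where the sibling manifests use INSTITUTE; if the Java package is `com.supwisdom.institute`, this log level is silently ignored.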
diff --git a/project/nwpu/k8s-rancher/1.authx-service/5.token-server/9.api-docs-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/9.api-docs-installer.yaml
new file mode 100644
index 0000000..acf45a8
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/5.token-server/9.api-docs-installer.yaml
@@ -0,0 +1,47 @@
+# 9.api-docs-installer.yaml
+
+# 依赖平台OpenAPI的部署
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: token-server
+ name: api-docs-installer-env
+data:
+ ##
+ # 平台OpenAPI的外网访问地址,
+ # **修改** 学校的根域名
+ POA_SERVER_URL: http://poa.paas.nwpu.edu.cn
+
+ # **修改** poa-sa 服务的k8s内部地址
+ POA_SA_SERVER_URL: http://platform-openapi-sa.poa.svc.cluster.local:8443
+
+ TOKEN_API_SERVER_URL: http://token-server-svc.token-server.svc.cluster.local:8080
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: token-server
+ name: api-docs-installer
+spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: api-docs-installer
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: api-docs-installer
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/token-server/api-docs-installer:1.4.4-RELEASE
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: api-docs-installer-env
+ imagePullSecrets:
+ - name: harbor-registry
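Review bot: `POA_SA_SERVER_URL` pairs an `http://` scheme with port 8443, which is conventionally a TLS port; one of the two is probably wrong, and a plain-HTTP client against a TLS listener only fails at run time inside the Job. `POA_SERVER_URL` is also `http://` here while 4.1.token-server.yaml uses `https://` for the public platform prefix, so it is worth confirming which scheme the platform OpenAPI is actually served on and using it consistently. The Job also omits `backoffLimit`, as noted on 4.0.token-server-installer.yaml.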
diff --git a/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/0.personal-security-center-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/0.personal-security-center-base.yaml
new file mode 100644
index 0000000..11139b2
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/0.personal-security-center-base.yaml
@@ -0,0 +1,144 @@
+# personal-security-center-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: personal-security-center
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
+
+
+####################################################
+# redis-server
+####################################################
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: personal-security-center
+type: Opaque
+data:
+ REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: personal-security-center
+spec:
+ ports:
+ - name: redis
+ port: 6379
+ protocol: TCP
+ targetPort: redis
+ selector:
+ app: redis
+ release: redis-server
+ role: master
+ type: ClusterIP
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ app: redis
+ release: redis-server
+ name: redis-server
+ namespace: personal-security-center
+spec:
+ podManagementPolicy: OrderedReady
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: redis
+ release: redis-server
+ role: master
+ serviceName: redis-master
+ template:
+ metadata:
+ labels:
+ app: redis
+ release: redis-server
+ role: master
+ spec:
+ containers:
+ - name: redis-server
+ env:
+ - name: REDIS_DISABLE_COMMANDS
+ value: FLUSHDB,FLUSHALL
+ - name: REDIS_REPLICATION_MODE
+ value: master
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: redis-server
+ key: REDIS_PASSWORD
+ # 若使用了学校搭设的私有仓库,请修改
+ image: bitnami/redis:4.0
+ # 若使用了学校搭设的私有仓库,请修改 为 Always
+ imagePullPolicy: IfNotPresent
+ # imagePullPolicy: Always
+ livenessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 5
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ ports:
+ - containerPort: 6379
+ name: redis
+ protocol: TCP
+ readinessProbe:
+ exec:
+ command:
+ - redis-cli
+ - ping
+ failureThreshold: 5
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ volumeMounts:
+ - mountPath: /bitnami/redis/data
+ name: redis-data
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ securityContext:
+ fsGroup: 1001
+ # runAsUser: 1001
+ # https://github.com/bitnami/bitnami-docker-redis/issues/106#issuecomment-388884372
+ runAsUser: 0
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - emptyDir: {}
+ name: redis-data
+ # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可)
+ # imagePullSecrets:
+ # - name: harbor-registry
+ updateStrategy:
+ rollingUpdate:
+ partition: 0
+ type: RollingUpdate
+
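Review bot: The comment above `.dockerconfigjson` reproduces the Harbor registry password in plain text, and the base64 value beneath it is the same credential, so this commit publishes a working registry login to every reader of the repository; base64 in a Secret manifest is encoding, not protection. That credential should be treated as exposed and rotated, and the committed file should carry a placeholder such as `.dockerconfigjson: <BASE64_DOCKERCONFIGJSON>` with the real Secret created out of band; the same holds for `REDIS_PASSWORD` here and in 1.personal-security-center-env.yaml, the JWT private key in 4.5.personal-security-center-zuul.yaml and `JWT_SECRET` in 4.9.security-center-ui.yaml. On the StatefulSet, `serviceName: redis-master` names a Service this file does not create (the Service is `redis-server`), so the per-pod DNS name will not resolve; with one replica behind a ClusterIP that is latent, but it should read `serviceName: redis-server`. Redis also runs with `runAsUser: 0`; the linked issue concerns volume ownership, which `fsGroup: 1001` should already handle for the emptyDir, so the commented-out `runAsUser: 1001` is likely the safer setting and worth re-testing.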
diff --git a/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/1.personal-security-center-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/1.personal-security-center-env.yaml
new file mode 100644
index 0000000..4611488
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/1.personal-security-center-env.yaml
@@ -0,0 +1,22 @@
+# personal-security-center-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: personal-security-center
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: personal-security-center
+ name: redis-env-secret
+type: Opaque
+data:
+ SPRING_REDIS_HOST: cmVkaXMtc2VydmVy
+ SPRING_REDIS_PORT: NjM3OQ==
+ SPRING_REDIS_PASSWORD: OEt1d29zbE9pdXc3SA==
diff --git a/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml
new file mode 100644
index 0000000..2c727c9
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/2.personal-security-center-ingresses.yaml
@@ -0,0 +1,42 @@
+# personal-security-center-ingresses.yaml
+
+
+# 个人中心后端接口
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-ingress
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: personal-security-center.paas.nwpu.edu.cn
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: personal-security-center-zuul-svc
+ servicePort: http
+
+
+# 安全中心前端
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: personal-security-center
+ name: security-center-ui-ingress
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: security-center.paas.nwpu.edu.cn
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: security-center-ui-svc
+ servicePort: http
+
diff --git a/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml
new file mode 100644
index 0000000..225fa76
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.4.personal-security-center-bff.yaml
@@ -0,0 +1,263 @@
+# personal-security-center-bff.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-bff-template-env
+data:
+ # 根据情况,修改邮件模板
+ EMAIL_TEMPLATE_ACTIVE_USER_SEND_CODE_BY_EMAIL_ADDRESS: '{name}:您正在激活帐号,须验证邮箱有效,验证码{code},有效期5分钟,请尽快完成验证。'
+ EMAIL_TEMPLATE_FORGOT_PASSWORD_SEND_CODE: '{name}:您正在找回密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+
+ EMAIL_TEMPLATE_USER_SECURITY_PASSWORD_SEND_CODE: '{name}:您正在修改密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ EMAIL_TEMPLATE_USER_SECURITY_EMAIL_ADDRESS_SEND_CODE: '{name}:您正在修改安全邮箱,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ EMAIL_TEMPLATE_USER_SECURITY_EMAIL_ADDRESS_SEND_CODE_BY_EMAIL_ADDRESS: '{name}:您正在修改安全邮箱,须验证邮箱有效,验证码{code},有效期5分钟,请尽快完成验证。'
+ EMAIL_TEMPLATE_USER_SECURITY_MOBILE_SEND_CODE: '{name}:您正在修改安全手机,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+
+ EMAIL_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE: '{name}:您正在绑定QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ EMAIL_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE_UNBIND_QQ: '{name}:您正在解绑QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ EMAIL_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE: '{name}:您正在绑定微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ EMAIL_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE_UNBIND_OPENWEIXIN: '{name}:您正在解绑微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ EMAIL_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE: '{name}:您正在绑定企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ EMAIL_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE_UNBIND_WORKWEIXIN: '{name}:您正在解绑企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ EMAIL_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE: '{name}:您正在绑定支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ EMAIL_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE_UNBIND_ALIPAY: '{name}:您正在解绑支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ EMAIL_TEMPLATE_USER_FEDERATION_DINGTALK_SEND_CODE: '{name}:您正在绑定钉钉,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ EMAIL_TEMPLATE_USER_FEDERATION_DINGTALK_SEND_CODE_UNBIND_DINGTALK: '{name}:您正在解绑钉钉,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+
+ EMAIL_TEMPLATE_USER_COMPLETED_SECURITY_EMAIL_ADDRESS_SEND_CODE_BY_EMAIL_ADDRESS: '{name}:您正在绑定安全邮箱,须验证邮箱有效,验证码{code},有效期5分钟,请尽快完成验证。'
+
+ # 根据情况,修改短信模板
+ SMS_TEMPLATE_ACTIVE_USER_SEND_CODE_BY_PRE_MOBILE: '{prefix}您正在激活帐号,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ SMS_TEMPLATE_ACTIVE_USER_SEND_CODE_BY_MOBILE: '{prefix}您正在激活帐号,须验证手机有效,验证码{code},有效期5分钟,请尽快完成验证。'
+ SMS_TEMPLATE_FORGOT_PASSWORD_SEND_CODE: '{prefix}您正在找回密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+
+ SMS_TEMPLATE_USER_SECURITY_PASSWORD_SEND_CODE: '{prefix}您正在修改密码,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ SMS_TEMPLATE_USER_SECURITY_EMAIL_ADDRESS_SEND_CODE: '{prefix}您正在修改安全邮箱,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ SMS_TEMPLATE_USER_SECURITY_MOBILE_SEND_CODE: '{prefix}您正在修改安全手机,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ SMS_TEMPLATE_USER_SECURITY_MOBILE_SEND_CODE_BY_MOBILE: '{prefix}您正在修改安全手机,须验证手机有效,验证码{code},有效期5分钟,请尽快完成验证。'
+
+ SMS_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE: '{prefix}您正在绑定QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ SMS_TEMPLATE_USER_FEDERATION_QQ_SEND_CODE_UNBIND_QQ: '{prefix}您正在解绑QQ,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ SMS_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE: '{prefix}您正在绑定微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ SMS_TEMPLATE_USER_FEDERATION_OPENWEIXIN_SEND_CODE_UNBIND_OPENWEIXIN: '{prefix}您正在解绑微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ SMS_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE: '{prefix}您正在绑定企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ SMS_TEMPLATE_USER_FEDERATION_WORKWEIXIN_SEND_CODE_UNBIND_WORKWEIXIN: '{prefix}您正在解绑企业微信,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ SMS_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE: '{prefix}您正在绑定支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ SMS_TEMPLATE_USER_FEDERATION_ALIPAY_SEND_CODE_UNBIND_ALIPAY: '{prefix}您正在解绑支付宝,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ SMS_TEMPLATE_USER_FEDERATION_DINGTALK_SEND_CODE: '{prefix}{name}:您正在绑定钉钉,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+ SMS_TEMPLATE_USER_FEDERATION_DINGTALK_SEND_CODE_UNBIND_DINGTALK: '{prefix}{name}:您正在解绑钉钉,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+
+ SMS_TEMPLATE_USER_COMPLETED_SECURITY_MOBILE_SEND_CODE: '{name}:您正在绑定安全手机,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+
+ SMS_TEMPLATE_USER_COMPLETED_REALNAME_SEND_CODE_BY_PRE_MOBILE: '{name}:您正在实名认证,须验证身份,验证码{code},有效期5分钟,请尽快完成验证。'
+
+ SMS_TEMPLATE_ACCOUNT_INFO_SEND_CODE_BY_MOBILE: '{prefix}您当前正在查询账号,须验证手机有效,验证码{code},有效期5分钟,请尽快完成验证。'
+ SMS_TEMPLATE_ACCOUNT_INFO_SEND_ACCOUNT_NAME: '{prefix}您当前正在查询账号,查询结果为:{accountName},账号是您在学校中的重要信息,请妥善保管。'
+
+ SMS_TEMPLATE_PREFIX: ''
+
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-bff-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+ LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_PERSONAL_SECURITY_CENTER_BFF: INFO
+
+
+ SPRING_SERVLET_MULTIPART_MAX_FILE_SIZE: 10Mb
+ # SPRING_SERVLET_MULTIPART_MAX_REQUEST_SIZE: 10Mb
+
+ SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800"
+ SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100"
+ SPRING_REDIS_JEDIS_POOL_MINIDLE: "100"
+
+
+ # 修改为学校的 personal-security-center 的访问域名
+ PERSONAL_SECURITY_CENTER_SERVER_PREFIX: http://personal-security-center.paas.xxx.edu.cn
+ # 修改为学校的 cas 的访问域名
+ CAS_SERVER_PREFIX: http://cas.paas.xxx.edu.cn/cas
+
+ PERSONAL_SECURITY_BFF_NONCE_STORE_IMPL: redis
+
+
+ ## 密码验证接口(外部接口)
+ PERSONAL_SECURITY_BFF_SECURITY_PASSWORD_VERIFY_URL: ""
+ # http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080/api/v1/security/accounts/verifyAccountPassword
+
+
+ # 新开普人脸对接配置
+ # 修改为实际项目配置
+ PERSONAL_SECURITY_BFF_FACE_AIFACE_URL: "http://117.158.17.228:3003/aiface"
+ PERSONAL_SECURITY_BFF_FACE_AIFACE_APPKEY: "GcacXnw46DxMAApNoSTX"
+ PERSONAL_SECURITY_BFF_FACE_AIFACE_APPSECRET: "eXl15kcYGBdCYTOCFD21"
+ PERSONAL_SECURITY_BFF_FACE_AIFACE_SECRETKEY: "12345678abcdefgh87654321"
+ PERSONAL_SECURITY_BFF_FACE_AIFACE_TERM_CODE: "12"
+
+
+ CASSERVER_SITE_SERVER_URL: http://cas-server-site-webapp-svc.cas-server.svc.cluster.local:8080/cas
+ CASSERVER_SITE_CLIENT_AUTH_ENABLED: "false"
+ #CASSERVER_SITE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #CASSERVER_SITE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #CASSERVER_SITE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #CASSERVER_SITE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #CASSERVER_SITE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ CASSERVER_SA_API_SERVER_URL: http://cas-server-sa-api-svc.cas-server.svc.cluster.local:8080
+ CASSERVER_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #CASSERVER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #CASSERVER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #CASSERVER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ # PERSONAL_SECURITY_CENTER_SA_API_SERVER_URL: http://personal-security-center-sa-api-svc.personal-security-center.svc.cluster.local:8080
+ # PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #PERSONAL_SECURITY_CENTER_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ TPAS_FILE_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/file/minio
+ TPAS_MAIL_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/mail/smtp
+ TPAS_SMS_API_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080/api/v1/tpas/sms/console
+ TPAS_CLIENT_AUTH_ENABLED: "false"
+ #TPAS_CLIENT_AUTH_KEY_PASSWORD: ""
+ #TPAS_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #TPAS_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #TPAS_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #TPAS_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ # COMMUNICATOR_EMAIL_MAIL_SERVER_HOST: "smtp.supwisdom.com"
+ # COMMUNICATOR_EMAIL_MAIL_SERVER_PORT: "25"
+ # COMMUNICATOR_EMAIL_USER_NAME: "security.institute@supwisdom.com"
+ # COMMUNICATOR_EMAIL_PASSWORD: "Security2019"
+ # COMMUNICATOR_EMAIL_VALIDATE: "true"
+
+ # COMMUNICATOR_SMS_SENDER_URL: https://agent-service-api.supwisdom.com/api/v1/tpas/sms/console/send
+
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-bff-env-secret
+type: Opaque
+data:
+
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-bff-svc
+ labels:
+ app: personal-security-center-bff
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: personal-security-center-bff
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-bff
+spec:
+ selector:
+ matchLabels:
+ app: personal-security-center-bff
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: personal-security-center-bff
+ spec:
+ containers:
+ - name: personal-security-center-bff
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/personal-security-center/personal-security-bff:1.4.4-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: redis-env-secret
+ - secretRef:
+ name: personal-security-center-bff-env-secret
+ - configMapRef:
+ name: personal-security-center-bff-env
+ - configMapRef:
+ name: personal-security-center-bff-template-env
+ resources:
+ requests:
+ memory: "512Mi"
+ limits:
+ memory: "512Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
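Review bot: The ConfigMap `personal-security-center-bff-env` holds third-party face-recognition credentials (`PERSONAL_SECURITY_BFF_FACE_AIFACE_APPKEY`, `_APPSECRET`, `_SECRETKEY`) and the vendor endpoint in clear, while the Secret `personal-security-center-bff-env-secret` that the Deployment already mounts via `envFrom` has an empty `data:`; the credentials should move into that Secret and the ConfigMap should keep placeholders like `PERSONAL_SECURITY_BFF_FACE_AIFACE_APPSECRET: "<FROM_SECRET>"`. Even if these are vendor test values (the comment says to replace them), they are now in the repository history and should be rotated. The commented-out `COMMUNICATOR_EMAIL_PASSWORD` block and the RabbitMQ `guest` password are committed the same way; a commented-out secret is still a leaked secret.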
diff --git a/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml
new file mode 100644
index 0000000..9b04196
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.5.personal-security-center-zuul.yaml
@@ -0,0 +1,187 @@
+# personal-security-center-zuul.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-zuul-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "5000"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "800"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+ LOGGING_LEVEL_COM_SUPWISDOM_INSTITUTE_PERSONAL_SECURITY_CENTER: INFO
+
+
+ SPRING_SERVLET_MULTIPART_MAX_FILE_SIZE: 10Mb
+ # SPRING_SERVLET_MULTIPART_MAX_REQUEST_SIZE: 10Mb
+
+ SPRING_REDIS_JEDIS_POOL_MAXACTIVE: "800"
+ SPRING_REDIS_JEDIS_POOL_MAXIDLE: "100"
+ SPRING_REDIS_JEDIS_POOL_MINIDLE: "100"
+
+
+ ZUUL_HOST_MAX_PER_ROUTE_CONNECTIONS: "1000"
+ ZUUL_HOST_MAX_TOTAL_CONNECTIONS: "1000"
+
+ ZUUL_SEMAPHORE_MAX_SEMAPHORES: "10000"
+
+
+ ZUUL_ROUTES_PERSONAL_ME_URL: http://personal-security-center-bff-svc.personal-security-center.svc.cluster.local:8080/api/v1/me
+ ZUUL_ROUTES_PERSONAL_BFF_URL: http://personal-security-center-bff-svc.personal-security-center.svc.cluster.local:8080/api/v1
+
+ ZUUL_ROUTES_USER_BIZ_URL: http://user-data-service-biz-svc.user-data-service.svc.cluster.local:8080/api/v1/user/biz
+
+ # 修改为学校的 portal 的访问域名
+ ZUUL_ROUTES_PORTAL_URL: http://portal.paas.xxx.edu.cn/portal-web/api
+
+
+ INFRAS_SECURITY_BASIC_ENABLED: "false"
+
+ INFRAS_SECURITY_JWT_ENABLED: "true"
+ #INFRAS_SECURITY_JWT_KEY_ALIAS: "supwisdom-jwt-key"
+ #INFRAS_SECURITY_JWT_KEY_PASSWORD: "changeit"
+ #INFRAS_SECURITY_JWT_KEY_STORE: "file:/certs/jwt/jwt.keystore"
+ #INFRAS_SECURITY_JWT_KEY_STORE_PASSWORD: "changeit"
+
+ INFRAS_SECURITY_JWT_TOKEN_GENERATE_TYPE: cas
+ #INFRAS_SECURITY_JWT_TOKEN_DECRYPT_KEY_PRIVATE_KEY_PEM_PKCS8: ""
+ INFRAS_SECURITY_JWT_TOKEN_SIGNING_KEY_URL: "http://cas-server-site-webapp-svc.cas-server.svc.cluster.local:8080/cas/jwt/publicKey"
+ # 对接 uniauth认证时,使用以下配置
+ #INFRAS_SECURITY_JWT_TOKEN_SIGNING_KEY_URL: "http://uniauth-prod-backend.uniauth.svc.cluster.local:9090/idtoken/publicKey"
+
+
+ INFRAS_SECURITY_CAS_ENABLED: "true"
+ # 修改为学校的 personal-security-center 的访问域名
+ APP_SERVER_HOST_URL: "http://personal-security-center.paas.xxx.edu.cn"
+ #APP_LOGIN_URL: "/cas/login"
+ #APP_LOGOUT_URL: "/cas/logout"
+ # 修改为学校的 cas 的访问域名
+ CAS_SERVER_HOST_URL: "http://cas.paas.xxx.edu.cn/cas"
+
+
+ # 后端API服务,域名访问时,默认跳转地址
+ # 修改为学校的 security-center 安全中心的访问域名
+ APPLICATION_INDEX_REDIRECT_URI: "http://security-center.paas.xxx.edu.cn"
+
+
+ ZUUL_HTTPCLIENT_CLIENT_AUTH_ENABLED: "false"
+ #ZUUL_HTTPCLIENT_CLIENT_AUTH_KEY_PASSWORD: ""
+ #ZUUL_HTTPCLIENT_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore
+ #ZUUL_HTTPCLIENT_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+
+
+ USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore
+ #USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore
+ #USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ USER_AUTHZ_SERVICE_SERVER_URL: http://user-authorization-sa-svc.user-authorization-service.svc.cluster.local:8080
+ USER_AUTHZ_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore
+ #USER_AUTHZ_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-zuul-env-secret
+type: Opaque
+data:
+ # 参考 certs/jwt/readme.md 生成公私钥pem,替换相关配置
+ INFRAS_SECURITY_JWT_PUBLIC_KEY_PEM: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDeW9BNzhMbTlHT3NlS1pPL1lZenlWWUJ6cQpaREVzdWlXNVFleXJDL2JFWFZrT2lKc0RnNFRjc2o5Vnp5dGp2MEFZVmxEcmkxdlExaWZhSG9HN0Z1dE40cTVICllxbGZDSzdvOXpNRWo2cU40NFIydUtjR3BCQnd0WlNCZGxWc2tLZ2NOWGlvU3RTRjZZTFp1Q25jWU5HUXZaOSsKeGY5bll5L09scXczWUFQRUx3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQ==
+ INFRAS_SECURITY_JWT_PRIVATE_KEY_PEM_PKCS8: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUNlQUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQW1Jd2dnSmVBZ0VBQW9HQkFMS2dEdnd1YjBZNng0cGsKNzloalBKVmdIT3BrTVN5NkpibEI3S3NMOXNSZFdRNkltd09EaE55eVAxWFBLMk8vUUJoV1VPdUxXOURXSjlvZQpnYnNXNjAzaXJrZGlxVjhJcnVqM013U1BxbzNqaEhhNHB3YWtFSEMxbElGMlZXeVFxQncxZUtoSzFJWHBndG00CktkeGcwWkM5bjM3Ri8yZGpMODZXckRkZ0E4UXZBZ01CQUFFQ2dZRUFuakhFczdDSUdlR0t3TlZkMlAwaU5ZU1cKZHp0ZWxhY1NLN3puMWlCVlhsanh1ejVlVXNGU2xJWkVNMEd6d3JZcEZLUzFLN1lURGFQc1RXOUJJNmxMb0FaawpnaU1vOUE5YnMzdW5XOEg3N2M5T3NTUXZpdHM1eGp3MEJ0dFo0dVhwYmdlUlJmS1dFOFp6MngyYWFIeVdyU1ZIClJINGVya3JYSTFrZzZwQTlyaWtDUVFEaVd0VW5kWktpWHFNTkhJb1RrOUpLNXFyaVJqdS9FTzdtVncvRGo4RmEKSVhFOTMvTkhSVllMZ3E2cFY4SUJiNmlhZnpXbittdkplR3AvbEJsaU81dHpBa0VBeWdUMTE4V25jaFl5elNlTAp3NlVDUkhIOHlJRGx6aGwzWFhxTnhDV2M5V1dGbVpZSERIVy92L2x5dnpwUEtmb3VucmhoUTVXY2g4eGVDSDVqCml1WjlWUUpCQUtsRkJkdUJSOHVXZTlaRlBsaFBsZFlmVXpEdEZxYldVZUQ4d0RRZFg1azRJd2dEWGxrdzE1eTUKK0VWNDlBTEE3bFBDeDJ3N2o3bFZERWNsaUNuMnExTUNRQnltSTI4Y0dxajFPUE1iSHBqNk41NFpSQzN6Q2FQMgp2SlRISW4ra2plUEhKL0VsODQzeXpPU2VyWVVzOGJrVVA3UkdsWlNPRFFxOUVzREZtN3hBLzVrQ1FRQ3A1ZldQCnNWbjFsek15ckYxNHJSK0ZSSWZMazBFMnBMdm5aYzV0NjB3OFpzSVFPRGlOTXZvSDRZUEdSemFpcG9LQnlSeE0KazR1WElVVTMxaVN6VGR4ZgotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0t
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-zuul-svc
+ labels:
+ app: personal-security-center-zuul
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: personal-security-center-zuul
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: personal-security-center
+ name: personal-security-center-zuul
+spec:
+ selector:
+ matchLabels:
+ app: personal-security-center-zuul
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: personal-security-center-zuul
+ spec:
+ containers:
+ - name: personal-security-center-zuul
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/personal-security-center/personal-security-zuul:1.4.4-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: redis-env-secret
+ - secretRef:
+ name: personal-security-center-zuul-env-secret
+ - configMapRef:
+ name: personal-security-center-zuul-env
+ resources:
+ requests:
+ memory: "512Mi"
+ limits:
+ memory: "512Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
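Review bot: The Secret `personal-security-center-zuul-env-secret` commits a complete RSA private key (`INFRAS_SECURITY_JWT_PRIVATE_KEY_PEM_PKCS8`); the comment above it says to regenerate the pair from certs/jwt/readme.md, but a working default tends to reach production unchanged, so the file should ship a placeholder such as `INFRAS_SECURITY_JWT_PRIVATE_KEY_PEM_PKCS8: <BASE64_PKCS8_PEM>` and the pair should be generated per deployment. The public key's DER header (`MIGfMA0G…` after decoding) is the prefix of a 1024-bit RSA key, which is below the 2048-bit minimum generally recommended for signatures; the readme should generate at least 2048 bits. With `INFRAS_SECURITY_JWT_TOKEN_GENERATE_TYPE: cas` and `INFRAS_SECURITY_JWT_TOKEN_SIGNING_KEY_URL` pointing at cas-server, it is not clear from this file that the local pair is used at all; if it is not, dropping it from the Secret removes the exposure entirely.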
diff --git a/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml
new file mode 100644
index 0000000..1772ef5
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/4.9.security-center-ui.yaml
@@ -0,0 +1,81 @@
+# 4.9.security-center-ui.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: personal-security-center
+ name: security-center-ui-env
+data:
+ # **修改** 学校的根域名
+ RESOURCE_PREFIX: "" # http://authx-minio.paas.xxx.edu.cn/security-center-ui
+ SCHOOL_NAME: "nwpu"
+ MAIN_SERVER: https://uis.nwpu.edu.cn
+
+ PERSONAL_CENTER_API: https://personal-security-center.nwpu.edu.cn
+
+ # 可选 cas,uniauth
+ AUTH_TYPE: cas
+
+ # AUTH_TYPE 为 uniauth 时,配置
+ # UNIAUTH_IDTOKEN: http://uniauth.paas.xxx.edu.cn/idtoken
+ # UNIAUTH_IDTOKEN_ISS: "uniauth"
+ # UNIAUTH_CLIENT_ID: "22"
+
+ # AUTH_TYPE 为 cas 时,配置 AUTH_CAS、JWT_ISS、JWT_SECRET
+ AUTH_CAS: https://uis.nwpu.edu.cn/cas
+ JWT_ISS: https://uis.nwpu.edu.cn/cas
+ JWT_SECRET: (@<rhnPaUYKC_k770*DuWwYQ_#Zc#8c(2rB?kae)rN)>K7qy)awCjxp$L653Mf$2
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: personal-security-center
+ name: security-center-ui-svc
+ labels:
+ app: security-center-ui-svc
+spec:
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app: security-center-ui
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: personal-security-center
+ name: security-center-ui
+spec:
+ selector:
+ matchLabels:
+ app: security-center-ui
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: security-center-ui
+ spec:
+ containers:
+ - name: security-center-ui
+ # 若使用了学校搭设的私有仓库,请修改
+ image: paas.harbor.nwpu.edu.cn/personal-security-center/security-center-ui:1.4.4-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 80
+ name: http
+ envFrom:
+ - configMapRef:
+ name: security-center-ui-env
+ resources:
+ requests:
+ memory: "128Mi"
+ limits:
+ memory: "256Mi"
+ imagePullSecrets:
+ - name: harbor-registry
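Review bot: `JWT_SECRET` in the `security-center-ui-env` ConfigMap is a token-signing secret stored as plaintext configuration; ConfigMaps are readable by anyone with namespace read access and do not get the RBAC and encryption-at-rest treatment that Secrets do. Move it into a `Secret` referenced via `secretRef:` (the personal-security-center-zuul Deployment visible just above already uses that pattern for its env secret) and rotate the value, since it is now in version-control history. The identical value is also committed in 04-1-account-management.yaml's `account-management-env` ConfigMap, so one signing secret is shared by two applications in different namespaces; if that sharing is intentional it deserves a comment, otherwise each should get its own.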
diff --git a/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/certs/jwt/readme.md b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/certs/jwt/readme.md
new file mode 100644
index 0000000..3c94b3e
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/6.personal-security-center/certs/jwt/readme.md
@@ -0,0 +1,83 @@
+# readme.md
+
+
+## 使用 openssl 生成 公私钥
+
+
+1. 生成私钥 App Private Key
+
+必须为 RSA2(SHA256)
+
+```bash
+openssl genrsa -out jwt_private_key.pem 1024
+```
+
+2. 将私钥转换为 PKCS8 格式
+
+```bash
+openssl pkcs8 -topk8 -inform PEM -in jwt_private_key.pem -outform PEM -nocrypt -out jwt_private_key_pkcs8.pem
+```
+
+3. 导出公钥 App Public Key
+
+```bash
+openssl rsa -in jwt_private_key.pem -pubout -out jwt_public_key.pem
+```
+
+4. 将 jwt_public_key.pem 中的内容,去除换行和空格,转成字符串。
+
+处理前:
+```language
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBr5wUHXSlLSFU17T4wDX8ehAI
+2nnZxCc2SnpgfNwuR3jvViSVyr+Pd6JJEeMcl397qKjWqFD/CRlUSB/UEPQRxxbB
+XVlXRB289KE9xteDk04bU17ILgX8Vz/7LFRLn2CpaCSICfWENhoMRJm7xIAodrI3
+FugvRF/6jdTQis2LcQIDAQAB
+-----END PUBLIC KEY-----
+```
+处理后:
+```language
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBr5wUHXSlLSFU17T4wDX8ehAI2nnZxCc2SnpgfNwuR3jvViSVyr+Pd6JJEeMcl397qKjWqFD/CRlUSB/UEPQRxxbBXVlXRB289KE9xteDk04bU17ILgX8Vz/7LFRLn2CpaCSICfWENhoMRJm7xIAodrI3FugvRF/6jdTQis2LcQIDAQAB
+-----END PUBLIC KEY-----
+```
+
+4. 将 jwt_private_key_pkcs8.pem 中的内容,去除换行和空格,转成字符串。
+
+处理前:
+```language
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
+```
+处理后:
+```language
+-----BEGIN PRIVATE KEY-----
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
+-----END PRIVATE KEY-----
+```
+
+
+5. (可选)将pem内容进行 base64 编码后,配置到k8s
+
+echo -n '-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDzgNo1jsexpIahW50bbEFcJV6qzOnjjMBum4jMB/CgkJqZHxEh9u1yhdzfdHI+TJREy9RuoqumdRGpVA+YXOwHZnPUU/cHQQkITViPVPSvIHLKA7eqHbmb9FZdQZfFmadBm+AcVpQG+h4SuJgD5yAtye7oRLzxEGXZM+trt8HoFwIDAQAB
+-----END PUBLIC KEY-----' |base64
+
+
+echo -n '-----BEGIN PRIVATE KEY-----
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
+-----END PRIVATE KEY-----' |base64
diff --git a/project/nwpu/k8s-rancher/1.authx-service/7.attest-server/0.attest-server-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/7.attest-server/0.attest-server-base.yaml
new file mode 100644
index 0000000..44f84d4
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/7.attest-server/0.attest-server-base.yaml
@@ -0,0 +1,16 @@
+# 0.attest-server-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: attest-server
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJwYWFzLmhhcmJvci5ud3B1LmVkdS5jbiI6eyJwYXNzd29yZCI6IjBuSnExS2lldnJOT3QyR1Q3TCIsInVzZXJuYW1lIjoibndwdS5kZXZvcHMifX19
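Review bot: The comment above `.dockerconfigjson` reproduces a registry credential in clear text, and the base64 value on the next line is only an encoding of the live one, so this file commits two registry passwords (the example and the real one) to version control. Drop the plaintext example from the comment (show the JSON shape with placeholder values such as `"password":"<REDACTED>"` instead) and keep the actual `.dockerconfigjson` out of the repo, e.g. via a sealed/external secret, `kubectl create secret docker-registry` at deploy time, or an untracked overlay. The same comment-plus-value pattern is repeated in 0.authx-log-base.yaml and 0.jobs-server-base.yaml, so the fix applies to those hunks too, and the credentials shown should be treated as exposed and rotated.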
diff --git a/project/nwpu/k8s-rancher/1.authx-service/7.attest-server/1.attest-server-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/7.attest-server/1.attest-server-env.yaml
new file mode 100644
index 0000000..c6be3bc
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/7.attest-server/1.attest-server-env.yaml
@@ -0,0 +1,10 @@
+# 1.attest-server-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: attest-server
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
diff --git a/project/nwpu/k8s-rancher/1.authx-service/7.attest-server/2.attest-server-ingresses.yaml b/project/nwpu/k8s-rancher/1.authx-service/7.attest-server/2.attest-server-ingresses.yaml
new file mode 100644
index 0000000..5935d11
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/7.attest-server/2.attest-server-ingresses.yaml
@@ -0,0 +1,21 @@
+# 2.attest-server-ingresses.yaml
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: attest-server-ingress
+ namespace: attest-server
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: uis.paas.nwpu.edu.cn
+ http:
+ paths:
+ - path: /attest
+ backend:
+ serviceName: attest-server-svc
+ servicePort: http
+
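Review bot: `apiVersion: extensions/v1beta1` for `Ingress` was removed in Kubernetes 1.22, so this manifest will be rejected on current clusters; the `networking.k8s.io/v1` form also requires `pathType` and a `service.name`/`service.port` backend. The same API version is used in 03-account-management-ingresses.yaml. Note also that no `tls:` section is declared here while `ATTEST_SERVER_PREFIX` in 4.1.attest-server.yaml advertises an `https://` address on a different host (`uis.nwpu.edu.cn` vs `uis.paas.nwpu.edu.cn`); that may be handled by an external load balancer, but it is worth confirming in a comment.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
# … unchanged: metadata and annotations …
spec:
  rules:
    - host: uis.paas.nwpu.edu.cn
      http:
        paths:
          - path: /attest
            pathType: Prefix
            backend:
              service:
                name: attest-server-svc
                port:
                  name: http
```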
diff --git a/project/nwpu/k8s-rancher/1.authx-service/7.attest-server/4.1.attest-server.yaml b/project/nwpu/k8s-rancher/1.authx-service/7.attest-server/4.1.attest-server.yaml
new file mode 100644
index 0000000..6da9590
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/7.attest-server/4.1.attest-server.yaml
@@ -0,0 +1,176 @@
+# 4.1.attest-server.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: attest-server
+ name: attest-server-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEY_PASSWORD: ""
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+
+ SERVER_SERVLET_CONTEXT_PATH: "/attest"
+
+ SERVER_MAXHTTPHEADERSIZE: "20480"
+
+ SERVER_TOMCAT_ACCEPT_COUNT: "500"
+ SERVER_TOMCAT_MAX_CONNECTIONS: "10000"
+ SERVER_TOMCAT_MAX_THREADS: "500"
+ SERVER_TOMCAT_MIN_SPARE_THREADS: "100"
+
+
+ # **修改** 从POA申请
+ POA_SERVER_URL: https://poa.nwpu.edu.cn
+ POA_CLIENT_ID: ""
+ POA_CLIENT_SECRET: ""
+ POA_SCOPES: appPush:v1:apppushByMessageType
+
+
+ # 修改为学校的根域名
+ ATTEST_SERVER_PREFIX: https://uis.nwpu.edu.cn/attest
+
+
+ # guard
+ # **修改** 根据实际情况,修改短信模板
+ ATTEST_SERVER_SECUREPHONE_SMS_TEXT_TEMPLATE: "【认证服务】{name}:您正在进行验证身份,验证码为{code},有效期5分钟,请尽快完成验证。"
+ ATTEST_SERVER_SECUREPHONE_SMS_FROM: 认证服务
+
+ # **修改** 根据实际情况,修改邮件模板
+ ATTEST_SERVER_SECUREEMAIL_MAIL_TEXT_TEMPLATE: "【认证服务】{name}:您正在进行验证身份,验证码为{code},有效期5分钟,请尽快完成验证。"
+ ATTEST_SERVER_SECUREEMAIL_MAIL_FROM: 认证服务
+
+ # 在超级APP 中唤起人脸识别的 URL Scheme
+ ATTEST_SERVER_FACEVERIFY_SUPERAPP_URL_SCHEME: superapp
+
+
+ # 超级APP Token 的验签公钥
+ TOKEN_SERVER_TOKEN_SIGNING_KEY_URL: http://token-server-svc.token-server.svc.cluster.local:8080/jwt/publicKey
+
+
+ USER_DATA_SERVICE_SA_API_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_SA_API_CLIENT_AUTH_ENABLED: "false"
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEY_PASSWORD: ""
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #USER_DATA_SERVICE_SA_API_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ TPAS_AGENT_SERVICE_SERVER_URL: http://agent-service-svc.thirdparty-agent-service.svc.cluster.local:8080
+ TPAS_AGENT_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #TPAS_AGENT_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+ # **修改**
+ # 若须对接sms 接口,须进行二开定制
+ TPAS_AGENT_SERVICE_SMS_SENDER_PATH: /api/v1/tpas/sms/nwpu/send
+ TPAS_AGENT_SERVICE_MAIL_SENDER_PATH: /api/v1/tpas/mail/smtp/send
+ TPAS_AGENT_SERVICE_FACE_FACEVERIFY_PATH: /api/v1/tpas/face/aiface/faceverify
+
+
+ ##
+ # token-server
+ #
+ TOKEN_SERVER_SERVER_URL: http://token-server-svc.token-server.svc.cluster.local:8080
+
+
+ ##
+ # 将 attest 数据 推送到 rabbitmq
+ #
+ # ATTEST_RABBITMQ_ENABLED: "false"
+ # ATTEST_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ # ATTEST_RABBITMQ_PORT: "5672"
+ # ATTEST_RABBITMQ_USERNAME: guest
+ # ATTEST_RABBITMQ_PASSWORD: guest
+ #
+ # ATTEST_RABBITMQ_APPPUSHATTEST2TOKENRABBITSENDER_ENABLED: "false"
+
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: attest-server
+ name: attest-server-env-secret
+type: Opaque
+data:
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: attest-server
+ name: attest-server-svc
+ labels:
+ app: attest-server
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: attest-server
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: attest-server
+ name: attest-server
+spec:
+ selector:
+ matchLabels:
+ app: attest-server
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: attest-server
+ spec:
+ containers:
+ - name: attest-server
+ image: paas.harbor.nwpu.edu.cn/attest-server/attest-server:1.4.4-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - configMapRef:
+ name: attest-server-env
+ - secretRef:
+ name: attest-server-env-secret
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
+ readinessProbe:
+ httpGet:
+ path: /attest/actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
+
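Review bot: `POA_CLIENT_ID`/`POA_CLIENT_SECRET` are placed in the `attest-server-env` ConfigMap, while the `attest-server-env-secret` Secret that the Deployment already references has an empty `data:` block; once an operator fills them in per the `# **修改** 从POA申请` comment, the client secret will sit in plaintext configuration rather than in the Secret that exists for it. Move `POA_CLIENT_SECRET` into `attest-server-env-secret` (base64-encoded) and leave only non-sensitive keys in the ConfigMap. The commented-out `ATTEST_RABBITMQ_*` block suggests `guest`/`guest` as broker credentials; if it is ever enabled those should also come from a Secret and a dedicated broker user.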
diff --git a/project/nwpu/k8s-rancher/1.authx-service/8.authx-log/0.authx-log-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/8.authx-log/0.authx-log-base.yaml
new file mode 100644
index 0000000..a82d6b3
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/8.authx-log/0.authx-log-base.yaml
@@ -0,0 +1,16 @@
+# 0.authx-log-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ namespace: authx-log
+ name: harbor-registry
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJwYWFzLmhhcmJvci5ud3B1LmVkdS5jbiI6eyJwYXNzd29yZCI6IjBuSnExS2lldnJOT3QyR1Q3TCIsInVzZXJuYW1lIjoibndwdS5kZXZvcHMifX19
diff --git a/project/nwpu/k8s-rancher/1.authx-service/8.authx-log/1.authx-log-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/8.authx-log/1.authx-log-env.yaml
new file mode 100644
index 0000000..5be4d22
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/8.authx-log/1.authx-log-env.yaml
@@ -0,0 +1,29 @@
+# 1.authx-log-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: authx-log
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: authx-log
+ name: datasource-env-secret
+type: Opaque
+data:
+ # jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/authx_log?serverTimezone=Asia/Shanghai
+ JDBC_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvYXV0aHhfbG9nP3NlcnZlclRpbWV6b25lPUFzaWEvU2hhbmdoYWk=
+ # JDBC_URL: amRiYzpteXNxbDovL215c3FsLXNlcnZlci5hdXRoeC1zZXJ2aWNlLnN2Yy5jbHVzdGVyLmxvY2FsOjMzMDYvYXV0aHhfbG9nX3Rlc3Q/c2VydmVyVGltZXpvbmU9QXNpYS9TaGFuZ2hhaQ==
+ # authx_log
+ JDBC_USERNAME: YXV0aHhfbG9n
+ # JDBC_USERNAME: YXV0aHhfbG9nX3Rlc3Q=
+ # 修改为实际的数据库密码,并使用 base64 工具进行编码
+ # kingstar
+ JDBC_PASSWORD: a2luZ3N0YXI=
+ # JDBC_PASSWORD: U3Vwd2lzZG9tIU53cHUxMjM=
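Review bot: The `# kingstar` comment above `JDBC_PASSWORD` states the decoded value of the base64 on the next line, so the database password is effectively committed in plaintext, and the commented-out alternate `JDBC_URL`/`JDBC_USERNAME`/`JDBC_PASSWORD` lines carry a second set of credentials for another database. Remove the plaintext hint and the leftover alternates, and treat both values as exposed. Since base64 is an encoding rather than encryption, this Secret should be supplied at deploy time (sealed secret, external secret operator, or an untracked overlay) instead of being committed.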
diff --git a/project/nwpu/k8s-rancher/1.authx-service/8.authx-log/4.0.authx-log-installer.yaml b/project/nwpu/k8s-rancher/1.authx-service/8.authx-log/4.0.authx-log-installer.yaml
new file mode 100644
index 0000000..b71ac1c
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/8.authx-log/4.0.authx-log-installer.yaml
@@ -0,0 +1,49 @@
+# 4.0.authx-log-installer.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: authx-log
+ name: authx-log-installer-env
+data:
+ DB_TYPE: mysql8
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: authx-log
+ name: authx-log-installer
+spec:
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: authx-log-installer
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: authx-log-installer
+ image: paas.harbor.nwpu.edu.cn/authx-log/authx-log-installer:1.4.4-RELEASE
+ imagePullPolicy: Always
+ env:
+ - name: DB_TYPE
+ value: mysql8
+ - name: JDBC_URL
+ value: jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/authx_log?serverTimezone=Asia/Shanghai
+ - name: JDBC_USERNAME
+ value: authx_log
+ - name: JDBC_PASSWORD
+ value: Nwpu@Supwisdom123
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ # - secretRef:
+ # name: datasource-env-secret
+ - configMapRef:
+ name: authx-log-installer-env
+ imagePullSecrets:
+ - name: harbor-registry
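Review bot: The Job sets `JDBC_URL`, `JDBC_USERNAME` and `JDBC_PASSWORD` as literal `env:` values, with the password in clear text, while the `secretRef:` to `datasource-env-secret` that would supply the same keys is commented out just below. Delete the three inline entries and restore `- secretRef:` / `name: datasource-env-secret`, which also keeps the installer and `authx-log-sa` on one credential source; as written, the installer's password differs from the value documented in 1.authx-log-env.yaml, so one of the two will presumably fail to connect. The literal password should be rotated now that it is in history.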
diff --git a/project/nwpu/k8s-rancher/1.authx-service/8.authx-log/4.2.authx-log-sa.yaml b/project/nwpu/k8s-rancher/1.authx-service/8.authx-log/4.2.authx-log-sa.yaml
new file mode 100644
index 0000000..0e8fdbf
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/8.authx-log/4.2.authx-log-sa.yaml
@@ -0,0 +1,119 @@
+# 4.2.authx-log-sa.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: authx-log
+ name: authx-log-sa-env
+data:
+ SERVER_PORT: "8080"
+ SSL_ENABLED: "false"
+ #SSL_KEYSTORE_FILE: file:/certs/server/server.keystore
+ #SSL_KEYSTORE_PASSWORD: ""
+ #SSL_TRUSTSTORE_FILE: file:/certs/server/server.truststore
+ #SSL_TRUSTSTORE_PASSWORD: ""
+
+ SERVER_MAXHTTPHEADERSIZE: "10240"
+
+ #同环境中用户的地址
+ USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+ USER_DATA_SERVICE_CLIENT_AUTH_ENABLED: "false"
+ # USER_DATA_SERVICE_CLIENT_AUTH_KEY_PASSWORD: ""
+ # USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/common/common.keystore
+ # USER_DATA_SERVICE_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ # USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/common/common.truststore
+ # USER_DATA_SERVICE_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ #ipaddr
+ IPADDR_API_URL: http://ipaddr.ipaddr.svc.cluster.local:9090/v1/find
+
+ IPADDR_SERVER_URL: http://ipaddr.ipaddr.svc.cluster.local:9090
+ IPADDR_CLIENT_AUTH_ENABLED: "false"
+ #IPADDR_CLIENT_AUTH_KEY_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_KEYSTORE_FILE: file:/certs/client/client.keystore
+ #IPADDR_CLIENT_AUTH_KEYSTORE_PASSWORD: ""
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_FILE: file:/certs/client/client.truststore
+ #IPADDR_CLIENT_AUTH_TRUSTSTORE_PASSWORD: ""
+
+
+ AUTHX_LOG_ENABLED: "true"
+ AUTHX_LOG_RABBITMQ_HOST: rabbitmq-server.authx-service.svc.cluster.local
+ AUTHX_LOG_RABBITMQ_PORT: "5672"
+ AUTHX_LOG_RABBITMQ_USERNAME: guest
+ AUTHX_LOG_RABBITMQ_PASSWORD: guest
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: authx-log
+ name: authx-log-sa-svc
+ labels:
+ app: authx-log-sa
+ needMonitor: 'true'
+spec:
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 6060
+ targetPort: http-metrics
+ protocol: TCP
+ name: http-metrics
+ selector:
+ app: authx-log-sa
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: authx-log
+ name: authx-log-sa
+spec:
+ selector:
+ matchLabels:
+ app: authx-log-sa
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: authx-log-sa
+ annotations:
+ co.elastic.logs/enabled: "true"
+ spec:
+ containers:
+ - name: authx-log-sa
+ image: paas.harbor.nwpu.edu.cn/authx-log/authx-log-sa:1.4.4-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: datasource-env-secret
+ - configMapRef:
+ name: authx-log-sa-env
+ resources:
+ requests:
+ memory: "1024Mi"
+ limits:
+ memory: "1024Mi"
+ readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 10
+ imagePullSecrets:
+ - name: harbor-registry
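Review bot: `AUTHX_LOG_RABBITMQ_USERNAME`/`AUTHX_LOG_RABBITMQ_PASSWORD` are the broker's default `guest`/`guest` pair and are stored in the `authx-log-sa-env` ConfigMap rather than a Secret. RabbitMQ restricts the `guest` account to loopback connections by default, so this will likely fail against `rabbitmq-server.authx-service.svc.cluster.local` unless that restriction was disabled, which would itself be a finding; create a dedicated broker user with a least-privilege vhost and move the credentials into a Secret referenced via `secretRef:`, as `rabbitmq-env-secret` in 1.jobs-server-env.yaml already does structurally (it appears to carry the same default pair and needs the same treatment). `USER_DATA_SERVICE_CLIENT_AUTH_ENABLED` and `IPADDR_CLIENT_AUTH_ENABLED` are `false` with the keystore lines commented out, so these in-cluster calls run without client authentication over plain `http://`; acceptable if a mesh enforces mTLS, but worth stating in a comment.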
diff --git a/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/0.jobs-server-base.yaml b/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/0.jobs-server-base.yaml
new file mode 100644
index 0000000..dcf76b5
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/0.jobs-server-base.yaml
@@ -0,0 +1,103 @@
+# jobs-server-base.yaml
+
+####################################################
+# harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ name: harbor-registry
+ namespace: jobs-server
+data:
+ # 修改harbor仓库配置,并使用 base64 工具进行编码
+ # {"auths":{"harbor.supwisdom.com":{"password":"PWMgP85qiLFC","username":"rancher.devops"}}}
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3Iuc3Vwd2lzZG9tLmNvbSI6eyJwYXNzd29yZCI6IlBXTWdQODVxaUxGQyIsInVzZXJuYW1lIjoicmFuY2hlci5kZXZvcHMifX19
+
+
+# ####################################################
+# # rabbitmq-server
+# ####################################################
+
+# ---
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# labels:
+# app: rabbitmq
+# release: rabbitmq-server
+# name: rabbitmq-server
+# namespace: jobs-server
+# type: Opaque
+# data:
+# RABBITMQ_USERNAME: Z3Vlc3Q=
+# RABBITMQ_PASSWORD: Z3Vlc3Q=
+
+# ---
+# apiVersion: v1
+# kind: Service
+# metadata:
+# name: rabbitmq-server
+# namespace: jobs-server
+# labels:
+# app: rabbitmq-server
+# spec:
+# ports:
+# - port: 5672
+# targetPort: tcp-1
+# protocol: TCP
+# name: tcp-1
+# - port: 15672
+# targetPort: tcp-2
+# protocol: TCP
+# name: tcp-2
+# selector:
+# app: rabbitmq-server
+# ---
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+# name: rabbitmq-server
+# namespace: jobs-server
+# spec:
+# selector:
+# matchLabels:
+# app: rabbitmq-server
+# replicas: 1
+# template:
+# metadata:
+# labels:
+# app: rabbitmq-server
+# annotations:
+# sidecar.istio.io/inject: "false"
+# spec:
+# containers:
+# - name: rabbitmq-server
+# env:
+# - name: RABBITMQ_VM_MEMORY_HIGH_WATERMARK
+# value: "0.6"
+# - name: RABBITMQ_DEFAULT_USER
+# valueFrom:
+# secretKeyRef:
+# name: rabbitmq-server
+# key: RABBITMQ_USERNAME
+# - name: RABBITMQ_DEFAULT_PASS
+# valueFrom:
+# secretKeyRef:
+# name: rabbitmq-server
+# key: RABBITMQ_PASSWORD
+# # 若使用了学校搭设的私有仓库,请修改
+# image: rabbitmq:management
+# # 若使用了学校搭设的私有仓库,请修改 为 Always
+# imagePullPolicy: IfNotPresent
+# # imagePullPolicy: Always
+# ports:
+# - containerPort: 5672
+# name: tcp-1
+# - containerPort: 15672
+# name: tcp-2
+# # 若使用了学校搭设的私有仓库,请增加以下配置(取消注释即可)
+# # imagePullSecrets:
+# # - name: harbor-registry
+
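Review bot: Unlike the other `harbor-registry` Secrets in this commit, which target the school's `paas.harbor.nwpu.edu.cn`, the value here appears to carry the vendor-registry credential shown in the comment (`harbor.supwisdom.com`), and 4.1.jobs-server.yaml correspondingly pulls `jobs-server:1.2.1-RELEASE` from that vendor host; production then depends on an external registry and on a vendor account whose password is committed in this repository. Mirror the image into the school registry and point this Secret there, consistent with the sibling base files. The roughly eighty lines of commented-out RabbitMQ Secret/Service/Deployment are dead configuration that still carry default broker credentials; either move them to a separate optional manifest or drop them.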
diff --git a/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/1.jobs-server-env.yaml b/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/1.jobs-server-env.yaml
new file mode 100644
index 0000000..10ece22
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/1.jobs-server-env.yaml
@@ -0,0 +1,24 @@
+# 1.jobs-server-env.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: jobs-server
+ name: jvm-env
+data:
+ MAX_RAM_PERCENTAGE: "75.0"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: jobs-server
+ name: rabbitmq-env-secret
+type: Opaque
+data:
+ # rabbitmq-server.authx-service.svc.cluster.local
+ SPRING_RABBITMQ_HOST: cmFiYml0bXEtc2VydmVyLmF1dGh4LXNlcnZpY2Uuc3ZjLmNsdXN0ZXIubG9jYWw=
+ SPRING_RABBITMQ_PORT: NTY3Mg==
+ SPRING_RABBITMQ_USERNAME: Z3Vlc3Q=
+ SPRING_RABBITMQ_PASSWORD: Z3Vlc3Q=
diff --git a/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/4.1.jobs-server.yaml b/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/4.1.jobs-server.yaml
new file mode 100644
index 0000000..c872bd8
--- /dev/null
+++ b/project/nwpu/k8s-rancher/1.authx-service/9.jobs-server/4.1.jobs-server.yaml
@@ -0,0 +1,198 @@
+# 4.1.jobs-server.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: jobs-server
+ name: jobs-server-env
+data:
+ LOGGING_LEVEL_COM_SUPWISDOM_INSITITUTE_JOBS_SERVER: INFO
+
+
+---
+# 组织机构数据,定时触发 OrganizationTrans2UserSvcJob
+# 适用于由交换同步到转换表的场景
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: jobs-server
+ name: jobs-server-organizationtriggertransjob-env
+data:
+ ORGANIZATIONTRIGGERTRANSJOB_ENABLED: "false"
+ # cron 和 fixedDelay 只能 二选一,配置一个即可
+ # 0 0 2 * * *
+ ORGANIZATIONTRIGGERTRANSJOB_SCHEDULED_CRON: ""
+ # 120 秒
+ ORGANIZATIONTRIGGERTRANSJOB_SCHEDULED_FIXED_DELAY: "1200000"
+ ORGANIZATIONTRIGGERTRANSJOB_WRITER_DATASOURCE_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai"
+ ORGANIZATIONTRIGGERTRANSJOB_WRITER_DATASOURCE_USERNAME: "user"
+ # 修改为实际的数据库密码
+ ORGANIZATIONTRIGGERTRANSJOB_WRITER_DATASOURCE_PASSWORD: "kingstar"
+
+
+---
+# 组织机构数据,临时表 - 正式
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: jobs-server
+ name: jobs-server-organizationtrans2usersvcjob-env
+data:
+ ORGANIZATIONTRANS2USERSVCJOB_ENABLED: "false"
+ ORGANIZATIONTRANS2USERSVCJOB_PAGE_SIZE: "1000"
+ ORGANIZATIONTRANS2USERSVCJOB_READER_DATASOURCE_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai"
+ ORGANIZATIONTRANS2USERSVCJOB_READER_DATASOURCE_USERNAME: "user"
+ # 修改为实际的数据库密码
+ ORGANIZATIONTRANS2USERSVCJOB_READER_DATASOURCE_PASSWORD: "kingstar"
+
+ ORGANIZATIONTRANS2USERSVCJOB_WRITE_USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+
+
+---
+# 帐号数据,定时触发 AccountTrans2UserSvcJob
+# 适用于由交换同步到转换表的场景
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: jobs-server
+ name: jobs-server-accounttriggertransjob-env
+data:
+ ACCOUNTTRIGGERTRANSJOB_ENABLED: "false"
+ # cron 和 fixedDelay 只能 二选一,配置一个即可
+ # 0 0 2 * * *
+ ACCOUNTTRIGGERTRANSJOB_SCHEDULED_CRON: ""
+ # 120 秒
+ ACCOUNTTRIGGERTRANSJOB_SCHEDULED_FIXED_DELAY: "1200000"
+ ACCOUNTTRIGGERTRANSJOB_WRITER_DATASOURCE_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai"
+ ACCOUNTTRIGGERTRANSJOB_WRITER_DATASOURCE_USERNAME: "user"
+ # 修改为实际的数据库密码
+ ACCOUNTTRIGGERTRANSJOB_WRITER_DATASOURCE_PASSWORD: "kingstar"
+
+
+---
+# 帐号数据,临时表 - 正式
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: jobs-server
+ name: jobs-server-accounttrans2usersvcjob-env
+data:
+ ACCOUNTTRANS2USERSVCJOB_ENABLED: "false"
+ ACCOUNTTRANS2USERSVCJOB_PAGE_SIZE: "1000"
+ ACCOUNTTRANS2USERSVCJOB_READER_DATASOURCE_JDBC_URL: "jdbc:mysql://mysql-server.authx-service.svc.cluster.local:3306/user?serverTimezone=Asia/Shanghai"
+ ACCOUNTTRANS2USERSVCJOB_READER_DATASOURCE_USERNAME: "user"
+ # 修改为实际的数据库密码
+ ACCOUNTTRANS2USERSVCJOB_READER_DATASOURCE_PASSWORD: "kingstar"
+
+ ACCOUNTTRANS2USERSVCJOB_WRITE_USER_DATA_SERVICE_SERVER_URL: http://user-data-service-goa-svc.user-data-service.svc.cluster.local:8080
+
+
+
+## 须确保 用户服务 将变更数据推送到 rabbit mq 中
+
+---
+# 帐号,用户服务 - jobs
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: jobs-server
+ name: jobs-server-accountusersvc2jobsrabbitreceiver-env
+data:
+ ACCOUNTUSERSVC2JOBSRABBITRECEIVER_ENABLED: "false"
+ ACCOUNTUSERSVC2JOBSRABBITRECEIVER_TRIGGER_EVENTS: ""
+ # jobs2OpenldapEventJob
+
+---
+# 组织机构,用户服务 - jobs
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: jobs-server
+ name: jobs-server-organizationusersvc2jobsrabbitreceiver-env
+data:
+ ORGANIZATIONUSERSVC2JOBSRABBITRECEIVER_ENABLED: "false"
+ ORGANIZATIONUSERSVC2JOBSRABBITRECEIVER_TRIGGER_EVENTS: ""
+ # jobs2OpenldapEventJob
+
+---
+# 用户组,用户服务 - jobs
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: jobs-server
+ name: jobs-server-groupusersvc2jobsrabbitreceiver-env
+data:
+ GROUPUSERSVC2JOBSRABBITRECEIVER_ENABLED: "false"
+ GROUPUSERSVC2JOBSRABBITRECEIVER_TRIGGER_EVENTS: ""
+ # jobs2OpenldapEventJob
+
+
+---
+# 密码,用户服务 - jobs
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: jobs-server
+ name: jobs-server-accountusersvc2jobssyncpassword-env
+data:
+ ACCOUNTUSERSVC2JOBSSYNCPASSWORD_ENABLED: "false"
+ ACCOUNTUSERSVC2JOBSSYNCPASSWORD_TRIGGER_EVENTS: ""
+ # accountJobsSyncPassword2JciDrCOMEventJob
+
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: jobs-server
+ name: jobs-server
+spec:
+ selector:
+ matchLabels:
+ app: jobs-server
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: jobs-server
+ spec:
+ containers:
+ - name: jobs-server
+ # 若使用了学校搭设的私有仓库,请修改
+ image: harbor.supwisdom.com/jobs-server/jobs-server:1.2.1-RELEASE
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 6060
+ name: http-metrics
+ envFrom:
+ - configMapRef:
+ name: jvm-env
+ - secretRef:
+ name: rabbitmq-env-secret
+ - configMapRef:
+ name: jobs-server-env
+ - configMapRef:
+ name: jobs-server-organizationtriggertransjob-env
+ - configMapRef:
+ name: jobs-server-organizationtrans2usersvcjob-env
+ - configMapRef:
+ name: jobs-server-accounttriggertransjob-env
+ - configMapRef:
+ name: jobs-server-accounttrans2usersvcjob-env
+ - configMapRef:
+ name: jobs-server-accountusersvc2jobssyncpassword-env
+ - configMapRef:
+ name: jobs-server-accountusersvc2jobsrabbitreceiver-env
+ - configMapRef:
+ name: jobs-server-organizationusersvc2jobsrabbitreceiver-env
+ - configMapRef:
+ name: jobs-server-groupusersvc2jobsrabbitreceiver-env
+ resources:
+ requests:
+ memory: "2000Mi"
+ limits:
+ memory: "2000Mi"
+ imagePullSecrets:
+ - name: harbor-registry
+
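Review bot: Each of the four job ConfigMaps carries a `*_DATASOURCE_PASSWORD` in plaintext, and the `# 修改为实际的数据库密码` comment invites an operator to paste the real one there, so database credentials for the `user` schema end up committed as ordinary configuration; move them into a Secret referenced by `secretRef:`, as the Deployment already does for `rabbitmq-env-secret`. The `# 120 秒` comment above `*_SCHEDULED_FIXED_DELAY: "1200000"` does not match the value, which is 1,200,000 (presumably milliseconds, i.e. 20 minutes); either the comment or the value is wrong, and a comment naming the unit would remove the ambiguity. The image is pulled from `harbor.supwisdom.com` at `1.2.1-RELEASE` while every other service in this commit uses the school registry at `1.4.4-RELEASE`; the `# 若使用了学校搭设的私有仓库,请修改` comment suggests this step was simply not done.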
diff --git a/project/nwpu/k8s-rancher/2.account-management/1.account-management/01-account-management-base.yaml b/project/nwpu/k8s-rancher/2.account-management/1.account-management/01-account-management-base.yaml
new file mode 100644
index 0000000..da2e069
--- /dev/null
+++ b/project/nwpu/k8s-rancher/2.account-management/1.account-management/01-account-management-base.yaml
@@ -0,0 +1,21 @@
+# 01-account-management-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: account-management
+ name: account-management-svc
+ labels:
+ app: account-management-svc
+spec:
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app: account-management-ui
\ No newline at end of file
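Review bot: This Service selects `app: account-management-ui`, but the Deployment in 04-1-account-management.yaml labels its pods `app: account-management`, so the selector here matches no pods; 04-1 also declares a second Service with the identical name `account-management-svc` in the same namespace, so whichever manifest is applied last silently overwrites the other. Keep one definition and make its selector match the Deployment's pod label. The banner comment `# supwisdom harbor private docker registry` was copied from the `0.*-base.yaml` files and no longer describes this content, and the file lacks a trailing newline.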
diff --git a/project/nwpu/k8s-rancher/2.account-management/1.account-management/02-account-management-env.yaml b/project/nwpu/k8s-rancher/2.account-management/1.account-management/02-account-management-env.yaml
new file mode 100644
index 0000000..33d95d0
--- /dev/null
+++ b/project/nwpu/k8s-rancher/2.account-management/1.account-management/02-account-management-env.yaml
@@ -0,0 +1 @@
+# 02-account-management-env.yaml
diff --git a/project/nwpu/k8s-rancher/2.account-management/1.account-management/03-account-management-ingresses.yaml b/project/nwpu/k8s-rancher/2.account-management/1.account-management/03-account-management-ingresses.yaml
new file mode 100644
index 0000000..5ba7843
--- /dev/null
+++ b/project/nwpu/k8s-rancher/2.account-management/1.account-management/03-account-management-ingresses.yaml
@@ -0,0 +1,18 @@
+# 03-account-management-ingresses.yaml
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: account-management
+ name: account-management-ingress
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: account-management.paas.xxx.edu.cn
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: account-management-svc
+ servicePort: http
diff --git a/project/nwpu/k8s-rancher/2.account-management/1.account-management/04-1-account-management.yaml b/project/nwpu/k8s-rancher/2.account-management/1.account-management/04-1-account-management.yaml
new file mode 100644
index 0000000..a6a7831
--- /dev/null
+++ b/project/nwpu/k8s-rancher/2.account-management/1.account-management/04-1-account-management.yaml
@@ -0,0 +1,71 @@
+# 04-1-account-management.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: account-management
+ name: account-management-env
+data:
+ # **修改** 学校的根域名
+ BASE_API: http://personal-security-center.paas.xxx.edu.cn/
+
+ AUTH_TYPE: cas
+
+ # AUTH_TYPE 为 cas 时,配置 AUTH_CAS、JWT_ISS、JWT_SECRET
+ AUTH_CAS: http://cas.paas.xxx.edu.cn/cas
+ JWT_ISS: http://cas.paas.xxx.edu.cn/cas
+ JWT_SECRET: (@<rhnPaUYKC_k770*DuWwYQ_#Zc#8c(2rB?kae)rN)>K7qy)awCjxp$L653Mf$2
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: account-management
+ name: account-management-svc
+ labels:
+ app: account-management-svc
+spec:
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app: account-management
+
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: account-management
+ name: account-management
+spec:
+ selector:
+ matchLabels:
+ app: account-management
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: account-management
+ spec:
+ containers:
+ - name: account-management
+ image: harbor.supwisdom.com/account-management/account-management:0.0.1
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 80
+ name: http
+ envFrom:
+ - configMapRef:
+ name: account-management-env
+ resources:
+ requests:
+ memory: "128Mi"
+ limits:
+ memory: "256Mi"
+ imagePullSecrets:
+ - name: harbor-supwisdom
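Review bot: `BASE_API`, `AUTH_CAS` and `JWT_ISS` still carry the template placeholder `paas.xxx.edu.cn`, and the same placeholder is the ingress host in 03-account-management-ingresses.yaml, while the rest of the `project/nwpu` tree uses concrete `nwpu.edu.cn` hosts; as committed, CAS login for this app points at a non-existent issuer. These URLs are also plain `http://`, unlike the `https://` `AUTH_CAS`/`JWT_ISS` values in 4.9.security-center-ui.yaml, which would presumably carry the CAS ticket and JWT in clear once real hosts are filled in. `imagePullSecrets` references `harbor-supwisdom`, but no Secret of that name appears in the `account-management` manifests in this commit (01-account-management-base.yaml defines a Service instead), so the pull would fail unless it is created elsewhere.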
diff --git a/project/nwpu/k8s-rancher/2.account-management/10.0.init.sql b/project/nwpu/k8s-rancher/2.account-management/10.0.init.sql
new file mode 100644
index 0000000..4148c76
--- /dev/null
+++ b/project/nwpu/k8s-rancher/2.account-management/10.0.init.sql
@@ -0,0 +1,71 @@
+-- 10.0.init.sql
+
+
+/*
+将 paas.example.com 替换为 paas.学校域名.edu.cn
+*/
+
+
+use cas_server;
+
+-- account-management 认证对接信息
+
+INSERT INTO `TB_SERVICE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `NAME`, `DESCRIPTION`, `INFORMATION_URL`, `LOGOUT_URL`,
+ `RESPONSE_TYPE`, `LOGOUT_TYPE`,
+ `EVALUATION_ORDER`, `FRIENDLY_NAME`, `REGISTERED_SERVICE_ID`, `SERVICE_ID`,
+ `ENABLED`, `SSO_ENABLED`, `REQUIRE_ALL_ATTRIBUTES`,
+ `APPLICATION_ID`, `EXTERNAL_ID`)
+VALUES ('300', '1', 0, 'admin', '2020-07-01 00:00:00',
+ '帐号分级管理', '帐号分级管理', 'https://account-management.paas.example.com', 'https://account-management.paas.example.com/?clearCertification=clearCertification',
+ 'REDIRECT', 'FRONT_CHANNEL',
+ 300, '帐号分级管理', 300, 'https://account-management.paas.example.com/(.*)',
+ 1, 1, 1,
+ '300', '300');
+
+commit;
+
+-- 修改根域名
+update TB_SERVICE
+set
+ INFORMATION_URL='https://account-management.paas.example.com',
+ LOGOUT_URL='https://account-management.paas.example.com/?clearCertification=clearCertification',
+ SERVICE_ID='https://account-management.paas.example.com/(.*)',
+ ID_TOKEN_ENABLED=1,
+ JWT_AS_SERVICE_TICKET=1,
+ APPLICATION_DOMAIN='account-management.paas.example.com'
+where ID='300'; -- todo, modify
+
+commit;
+
+-- user_authz
+
+use user_authz;
+
+INSERT INTO `TB_R_SYSTEM` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `BUSINESS_DOMAIN_ID`,
+ `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`)
+VALUES ('300', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '1',
+ 'user-management-service', '用户管理服务', '用户管理服务', 1);
+
+
+INSERT INTO `TB_APPLICATION` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `BUSINESS_DOMAIN_ID`, `SYSTEM_ID`,
+ `NAME`, `APPLICATION_ID`, `SYNC_URL`, `ENABLED`)
+VALUES ('300', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '1', '300',
+ '用户管理服务', '300', '', 1);
+
+
+INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`)
+VALUES ('300_31', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '300', 'user-management-grant-admin', '用户业务管理员', '用户业务管理员', 1, '31');
+
+INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`)
+VALUES ('300_32', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '300', 'user-management-man-grant-admin', '用户分级管理员', '用户分级管理员', 1, '32');
+
+commit;
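Review bot: The `SERVICE_ID` pattern written by the INSERT and again by the UPDATE (`'https://account-management.paas.example.com/(.*)'`) has unescaped dots and no `^` anchor, so as a regex it also accepts hosts such as `account-management-paas-example-com` or any host where `.` is replaced by another character; whether that is exploitable depends on whether `cas_server` matches with `matches()` or `find()`, which is not visible here, but the pattern should be tightened either way. Escaping for a MySQL string literal gives `SERVICE_ID='^https://account-management\\.paas\\.example\\.com/.*'`, which should replace both occurrences. Separately, the UPDATE re-sets the same three URL columns the INSERT just wrote and is marked `-- todo, modify`, so the `paas.example.com` placeholder appears four times in this file; a single `SET @base_domain = 'paas.example.com';` at the top, used in both statements, would make the domain replacement described in the header comment a one-line change. The plain `INSERT` with fixed ID `'300'` will also fail on a second run; `INSERT ... ON DUPLICATE KEY UPDATE` would make the script idempotent.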
diff --git a/project/nwpu/k8s-rancher/2.account-management/readme.md b/project/nwpu/k8s-rancher/2.account-management/readme.md
new file mode 100644
index 0000000..4446e09
--- /dev/null
+++ b/project/nwpu/k8s-rancher/2.account-management/readme.md
@@ -0,0 +1,23 @@
+# readme.md
+
+## 帐号分级管理 实施说明
+
+帐号分级管理,主要基于岗位用户组,以 部门 的维度进行分级管理
+
+即,根据 用户业务管理员 所属某个岗位 下的 部门,来控制 其 可以对 哪些 部门(行政部门)下的帐号进行管理
+
+* 部署时,已经初始化了 用户业务管理员 的角色
+
+* 实施时,在授权管理下,将某个岗位用户组 与 用户业务管理员角色 进行授权
+
+* 此时,隶属于 该岗位用户组 下的 帐号,就拥有了 用户业务管理员 的权限,而该帐号 在 此岗位用户组 下的 部门,就是他可管理的 帐号数据 的范围
+
+注意:如果将 用户业务管理员角色 直接授权给 某个帐号时,此帐号 只会有该服务的访问权限,无法看到帐号数据(即没有数据权限)。除非,此帐号 还隶属于 某个授权了 用户业务管理员角色 的岗位用户组
+
+
+## 帐号分级管理 发布说明
+
+* 将此服务的访问地址 (一般为 `https://account-management.paas.xxx.edu.cn` )公布给使用人员。
+
+* 将此服务,由门户的服务管理进行发布,授予访问权限 给 用户业务管理员 角色 即可
+