systemserver: combine system providers into one provider pod (#2149)

* feat: combine system provider configurations into a single deployment file

* feat: add auth-provider-nginx-config to system provider deployment

* feat: add auth-provider-nginx-config to system provider deployment
eball 2025-12-04 00:19:28 +08:00 committed by GitHub
parent 36b4e792f6
commit fee742d756
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 371 additions and 156 deletions


@ -0,0 +1,82 @@
---
apiVersion: v1
kind: Service
metadata:
name: auth-provider-svc
namespace: {{ .Release.Namespace }}
spec:
type: ClusterIP
selector:
app: system-provider
ports:
- name: server
protocol: TCP
port: 28080
targetPort: 28080
---
# provider role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: backend:auth-provider
annotations:
provider-registry-ref: {{ .Release.Namespace }}/auth-provider-svc
provider-service-ref: auth-provider-svc.{{ .Release.Namespace }}:28080
rules:
- nonResourceURLs:
- "/api/reset/*"
verbs: ["*"]
---
kind: ConfigMap
apiVersion: v1
metadata:
name: auth-provider-nginx-config
namespace: {{ .Release.Namespace }}
annotations:
kubesphere.io/creator: bytetrade.io
data:
auth.conf: |-
server {
listen 8080;
server_name auth-provider-svc.{{ .Release.Namespace }};
# Gzip Settings
gzip on;
gzip_disable "msie6";
gzip_min_length 1k;
gzip_buffers 16 64k;
gzip_http_version 1.1;
gzip_comp_level 6;
gzip_types *;
index index.html;
location / {
proxy_pass http://authelia-backend.{{ .Release.Namespace }}:9091;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection '$connection_upgrade';
}
}
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: olares-cli-sa
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: backend:{{ .Release.Namespace }}:olares-cli-sa:provider
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: backend:auth-provider
subjects:
- kind: ServiceAccount
name: olares-cli-sa
namespace: {{ .Release.Namespace }}
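Review bot: The `auth.conf` vhost's `location /` proxies every path to `authelia-backend:9091`, while the `backend:auth-provider` ClusterRole that describes this provider only names `/api/reset/*` — so the nginx side exposes far more of Authelia than the role suggests, and anything the proxy does not gate by nonResourceURL is forwarded as-is. If the provider is meant to expose only the reset API, narrow the block to `location /api/reset/ { proxy_pass http://authelia-backend.{{ .Release.Namespace }}:9091; ... }` so the nginx config and the role agree. `verbs: ["*"]` on `/api/reset/*` bound to `olares-cli-sa` also grants every HTTP method; if the CLI only needs one verb for a reset, list it explicitly. Whether provider-proxy actually enforces the nonResourceURL check before forwarding is not visible in this commit.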


@ -1,57 +1,3 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: download-provider
applications.app.bytetrade.io/author: bytetrade.io
name: download-provider
namespace: {{ .Release.Namespace }}
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: download-provider
strategy:
type: Recreate
template:
metadata:
creationTimestamp: null
labels:
app: download-provider
io.bytetrade.app: "true"
provider: "true"
spec:
containers:
- name: provider-proxy
image: beclab/provider-proxy:0.1.0
imagePullPolicy: IfNotPresent
args:
- --logtostderr
- --insecure-listen-address=:28080
- --upstream=http://download-svc:8090/
ports:
- containerPort: 28080
resources:
requests:
cpu: 10m
memory: 200Mi
limits:
cpu: "500m"
memory: 350Mi
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
priorityClassName: system-cluster-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: provider-sa
serviceAccountName: provider-sa
terminationGracePeriodSeconds: 30
---
apiVersion: v1
@ -62,58 +8,13 @@ metadata:
spec:
type: ClusterIP
selector:
app: download-provider
app: system-provider
ports:
- name: server
protocol: TCP
port: 28080
targetPort: 28080
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: provider-sa
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: backend:{{ .Release.Namespace }}:provider
rules:
- apiGroups:
- "*"
resources:
- clusterrolebindings
- clusterroles
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- "*"
resources:
- tokenreviews
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: backend:{{ .Release.Namespace }}:provider
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: backend:{{ .Release.Namespace }}:provider
subjects:
- kind: ServiceAccount
name: provider-sa
namespace: {{ .Release.Namespace }}
---
# provider role
apiVersion: rbac.authorization.k8s.io/v1
@ -126,3 +27,34 @@ metadata:
rules:
- nonResourceURLs: ["/api/download/*"]
verbs: ["*"]
---
kind: ConfigMap
apiVersion: v1
metadata:
name: download-provider-nginx-config
namespace: {{ .Release.Namespace }}
annotations:
kubesphere.io/creator: bytetrade.io
data:
download.conf: |-
server {
listen 8080;
server_name download-provider-svc.{{ .Release.Namespace }};
# Gzip Settings
gzip on;
gzip_disable "msie6";
gzip_min_length 1k;
gzip_buffers 16 64k;
gzip_http_version 1.1;
gzip_comp_level 6;
gzip_types *;
index index.html;
location / {
proxy_pass http://download-svc.{{ .Release.Namespace }}:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection '$connection_upgrade';
}
}
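Review bot: `download.conf` proxies to `download-svc.{{ .Release.Namespace }}:8080`, but the provider-proxy upstream this replaces was `http://download-svc:8090/` (removed in the first hunk), so the target port silently changes from 8090 to 8080 with no mention in the description. If `download-svc` only serves on 8090 the download provider will fail after this change; confirm the Service port, and if 8090 is right use `proxy_pass http://download-svc.{{ .Release.Namespace }}:8090;`. The search3 file keeps its port (80) across the same move, which makes this one look accidental rather than intended.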


@ -1,58 +1,3 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: search3-provider
applications.app.bytetrade.io/author: bytetrade.io
name: search3-provider
namespace: {{ .Release.Namespace }}
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: search3-provider
strategy:
type: Recreate
template:
metadata:
creationTimestamp: null
labels:
app: search3-provider
io.bytetrade.app: "true"
provider: "true"
spec:
containers:
- name: provider-proxy
image: beclab/provider-proxy:0.1.0
imagePullPolicy: IfNotPresent
args:
- --logtostderr
- --insecure-listen-address=:28080
- --upstream=http://search3:80/
ports:
- containerPort: 28080
resources:
requests:
cpu: 10m
memory: 200Mi
limits:
cpu: "500m"
memory: 350Mi
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
priorityClassName: system-cluster-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: provider-sa
serviceAccountName: provider-sa
terminationGracePeriodSeconds: 30
---
apiVersion: v1
kind: Service
@ -62,7 +7,7 @@ metadata:
spec:
type: ClusterIP
selector:
app: search3-provider
app: system-provider
ports:
- name: server
protocol: TCP
@ -85,3 +30,34 @@ rules:
- "/document/delete/*"
- "/document/update/*"
verbs: ["*"]
---
kind: ConfigMap
apiVersion: v1
metadata:
name: search3-provider-nginx-config
namespace: {{ .Release.Namespace }}
annotations:
kubesphere.io/creator: bytetrade.io
data:
search3.conf: |-
server {
listen 8080;
server_name search3-provider-svc.{{ .Release.Namespace }};
# Gzip Settings
gzip on;
gzip_disable "msie6";
gzip_min_length 1k;
gzip_buffers 16 64k;
gzip_http_version 1.1;
gzip_comp_level 6;
gzip_types *;
index index.html;
location / {
proxy_pass http://search3.{{ .Release.Namespace }}:80;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection '$connection_upgrade';
}
}
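Review bot: `listen 8080;` in `search3.conf` (and likewise in the download and auth vhosts) binds on all pod interfaces, yet the only intended client is the provider-proxy container in the same pod, which forwards to `http://127.0.0.1:8080/`. A Service exposing only 28080 does not stop other pods from reaching the pod IP on 8080 directly, and with a matching `Host` header they would reach `search3` — including the `/document/delete/*` and `/document/update/*` paths the ClusterRole enumerates — without passing through the proxy. Use `listen 127.0.0.1:8080;` so the nginx sidecar is reachable only over loopback; the `containerPort: 8080` entry on the deployment then becomes unnecessary. Whether a NetworkPolicy already restricts this is not visible here.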


@ -0,0 +1,225 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: system-provider
applications.app.bytetrade.io/author: bytetrade.io
name: system-provider
namespace: {{ .Release.Namespace }}
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: system-provider
strategy:
type: Recreate
template:
metadata:
creationTimestamp: null
labels:
app: system-provider
io.bytetrade.app: "true"
provider: "true"
spec:
containers:
- name: provider-proxy
image: beclab/provider-proxy:0.1.0
imagePullPolicy: IfNotPresent
args:
- --logtostderr
- --insecure-listen-address=:28080
- --upstream=http://127.0.0.1:8080/
ports:
- containerPort: 28080
resources:
requests:
cpu: 10m
memory: 200Mi
limits:
cpu: "500m"
memory: 350Mi
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
- name: system-apps
image: beclab/docker-nginx-headers-more:ubuntu-v0.1.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080
command:
- /bin/sh
- -c
- |
rm /etc/nginx/conf.d/default.conf
nginx -g 'daemon off;'
volumeMounts:
- name: system-app-nginx-config
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
- name: download-provider-nginx-config
mountPath: /etc/nginx/conf.d/download.conf
subPath: download.conf
- name: search3-provider-nginx-config
mountPath: /etc/nginx/conf.d/search3.conf
subPath: search3.conf
- name: auth-provider-nginx-config
mountPath: /etc/nginx/conf.d/auth.conf
subPath: auth.conf
volumes:
- name: system-app-nginx-config
configMap:
name: system-app-nginx-config
items:
- key: nginx.conf
path: nginx.conf
- name: download-provider-nginx-config
configMap:
name: download-provider-nginx-config
items:
- key: download.conf
path: download.conf
- name: search3-provider-nginx-config
configMap:
name: search3-provider-nginx-config
items:
- key: search3.conf
path: search3.conf
- name: auth-provider-nginx-config
configMap:
name: auth-provider-nginx-config
items:
- key: auth.conf
path: auth.conf
dnsPolicy: ClusterFirst
priorityClassName: system-cluster-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: provider-sa
serviceAccountName: provider-sa
terminationGracePeriodSeconds: 30
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: provider-sa
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: backend:{{ .Release.Namespace }}:provider
rules:
- apiGroups:
- "*"
resources:
- clusterrolebindings
- clusterroles
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- "*"
resources:
- tokenreviews
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: backend:{{ .Release.Namespace }}:provider
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: backend:{{ .Release.Namespace }}:provider
subjects:
- kind: ServiceAccount
name: provider-sa
namespace: {{ .Release.Namespace }}
---
kind: ConfigMap
apiVersion: v1
metadata:
name: system-app-nginx-config
namespace: {{ .Release.Namespace }}
annotations:
kubesphere.io/creator: bytetrade.io
data:
nginx.conf: |-
user nginx;
worker_processes 2;
worker_rlimit_nofile 65535;
worker_shutdown_timeout 240s;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
multi_accept on;
worker_connections 16384;
use epoll;
}
http {
aio threads;
aio_write on;
tcp_nopush on;
tcp_nodelay on;
log_subrequest on;
reset_timedout_connection on;
keepalive_timeout 75s;
keepalive_requests 100;
client_body_temp_path /tmp/client-body;
fastcgi_temp_path /tmp/fastcgi-temp;
proxy_temp_path /tmp/proxy-temp;
client_max_body_size 1g;
client_header_buffer_size 1k;
client_header_timeout 60s;
large_client_header_buffers 4 8k;
client_body_buffer_size 8k;
client_body_timeout 60s;
types_hash_max_size 2048;
server_names_hash_max_size 4096;
server_names_hash_bucket_size 1024;
map_hash_bucket_size 64;
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 64;
variables_hash_bucket_size 256;
variables_hash_max_size 2048;
underscores_in_headers off;
ignore_invalid_headers on;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
proxy_ssl_session_reuse on;
sendfile on;
resolver_timeout 30s;
send_timeout 60s;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
include /etc/nginx/conf.d/*.conf;
}
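Review bot: The `provider-proxy` container declares `resources:` with requests and limits and then a second `resources: {}` key at what reads as the same indentation — a duplicate mapping key, which most YAML loaders resolve last-wins (silently discarding the limits) and strict loaders reject outright; delete the `resources: {}` line (the same duplicate existed in the removed per-provider deployments, so this is a chance to fix it once). Separately, all three vhosts share `listen 8080` and are selected by `server_name`; because `include /etc/nginx/conf.d/*.conf;` loads alphabetically, `auth.conf` becomes the implicit default server, so any request whose `Host` matches none of the three (for example if provider-proxy rewrites `Host` to its upstream address, which cannot be seen here) is forwarded to Authelia. Add a fail-closed catch-all in `nginx.conf`: `server { listen 8080 default_server; return 444; }`.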