Merge branch 'main' of git.db34.com:admin/stock2_argocd

2025-04-21 14:04:19 +08:00 · 2025-04-21 14:04:19 +08:00 · b3d1bd3ba8
commit b3d1bd3ba8
parent a0e3b04379 ce453ca909
11 changed files with 63 additions and 13 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+/.idea
--- a/base/basic-auth/http-basic-auth.yaml
+++ b/base/basic-auth/http-basic-auth.yaml
@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: basic-auth
+type: Opaque
+data:
+  auth: dXNlcjokYXByMSRPU0JHSXpFbCRFemNTTGk1QkJWVGFBQlhMODlNaXkvCg==
+# This is a base64 encoded string of the format "user:$apr1$OSBGIzEl$EzcSLi5BBVTaABXL89Miy/".
+# password: FVhxOBuqXK800gdmIq
--- a/base/basic-auth/kustomization.yaml
+++ b/base/basic-auth/kustomization.yaml
@ -0,0 +1,2 @@
+resources:
+  - http-basic-auth.yaml
--- a/base/tls/ca-secret.yaml
+++ b/base/tls/ca-secret.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ca-secret
+  namespace: ingress-nginx
+type: Opaque
+data:
+  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlEQVRDQ0FlbWdBd0lCQWdJSUdEYVl2WlhzaVFBd0RRWUpLb1pJaHZjTkFRRUxCUUF3TVRFUU1BNEdBMVVFDQpBeE1IVkdWdVkyNWxkREVMTUFrR0ExVUVCaE1DUTA0eEVEQU9CZ05WQkFvVEIxUmxibU51WlhRd0hoY05NalV3DQpOREUxTWpBME5EQTFXaGNOTWpZd05ERTFNakEwTkRBMVdqQXhNUkF3RGdZRFZRUURFd2RVWlc1amJtVjBNUXN3DQpDUVlEVlFRR0V3SkRUakVRTUE0R0ExVUVDaE1IVkdWdVkyNWxkRENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEDQpnZ0VQQURDQ0FRb0NnZ0VCQU5tUmlEV2F0WUFtWDJ2RnQzQXNPa3VWMVlhdmlaOXd3MEVkbjNjdlRXODRORm1vDQpic3FzUHRFUTJzaFpHT25nWUhuWWs1aUg2MU5Yc1U4eDl0ZExMSmJwS0J5clVqWmpEWVBoUWN2c1hNUmJSN1JwDQpybVlhMW40WmZjU3ViVVNhM0Uzdk9sZk1ZcWVuMXJhNTRHOEpGcFZRQ1ozbjQ2KzQxWEQ0V0lWTlBOdHR6ajRPDQpsUDdKanJhcmc1R01lblhWQjdLR3ZyUU9od2xod0lFb1RFZkc1Uk4vNGV5YWdLLzlpUzd2aEhVWjNPNVhsR1FIDQpnZG9mNVFTK3drcCtBREY4bnBhQlpYS1ZYMVhRVzFwVHpId1ZPbFRBaHpMN0pMMUJ5SjN4dy85TElqbDlFWnZCDQp6dzZHcG5rbXFSaGc3SWwrcnBrM0N6SmpGK3NSbE0zZExPcmtiZjBDQXdFQUFhTWRNQnN3REFZRFZSMFRCQVV3DQpBd0VCL3pBTEJnTlZIUThFQkFNQ0FvUXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBTGFMaXZOTm93R1pVSWtKDQpNbEh1Zk9ac1RyYW5OL3FxTmNUY252V0Mrd1IvSE1EaGc2ellYcmZDY3VWdUtRUU5STE1NaUVYa3M1c2dZMVNnDQpVc3VmS25ZSGNJRmdYaHU0cnRjTzFkVVZSMTNjRE5VVkxPRUp5OE5PK0Fac0VYRUxtQTRXbjZGL1NpbEVYOGl1DQpsNmhWeDRyS2FtSk5mMlI5dFhrT3Q2OHVqVDdIcVpWYkJmcVFjVEpxQnZpMG45bUM3SXlZVStDVmhkU2RPTGV4DQpodkMzRWplY0Q4RFNFQ1V0MlNoeitQbjhiM3o3NkhNMHM1UEdPZjlnM2NhTWJESTBudUJOMHpFV3VpOUpteE1DDQp0aXVHMlZXMGFrZ0JkUDE0N1FZMVFKZXN4Vm4yZ05qNWtiTmsxWlpwc1JvV1gzYzdRaVdRUmwwZVE2cnFxdkJlDQovRThmOUNrPQ0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ0K
--- a/base/tls/kustomization.yaml
+++ b/base/tls/kustomization.yaml
@ -1,2 +1,4 @@
 resources:
-  - kx33-net-cert.yaml
+  - kx33-cert.yaml
+  - ca-secret.yaml
+  - tls-secret.yaml
--- a/base/tls/kx33-cert.yaml
+++ b/base/tls/kx33-cert.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+stringData:
+  qcloud_cert_id: NVLniB9q
+  qcloud_ca_cert_id: NVLg94ze
+kind: Secret
+metadata:
+  name: kx33-cert
+type: Opaque
--- a/base/tls/kx33-net-cert.yaml
+++ b/base/tls/kx33-net-cert.yaml
@ -1,7 +0,0 @@
-apiVersion: v1
-stringData:
-  qcloud_cert_id: ESqefc6J
-kind: Secret
-metadata:
-  name: kx33-net-cert
-type: Opaque
--- a/base/tls/tls-secret.yaml
+++ b/base/tls/tls-secret.yaml
@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tls-secret
+  namespace: ingress-nginx
+type: kubernetes.io/tls
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlES1RDQ0FoR2dBd0lCQWdJSUdEYVkwYVM3RWdBd0RRWUpLb1pJaHZjTkFRRUxCUUF3TVRFUU1BNEdBMVVFDQpBeE1IVkdWdVkyNWxkREVMTUFrR0ExVUVCaE1DUTA0eEVEQU9CZ05WQkFvVEIxUmxibU51WlhRd0hoY05NalV3DQpOREUxTWpBME5UTXhXaGNOTWpZd05ERTFNakEwTlRNeFdqQXlNUkV3RHdZRFZRUURFd2dxTG5GeExtTnZiVEVMDQpNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQW9UQjFSbGJtTnVaWFF3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBDQpBNElCRHdBd2dnRUtBb0lCQVFEU3lYSzRlMHlHejdHS1dUcTlwMDYvOWVBeVpzUXF4bmhXYTZZcmZlUGNkSTB6DQpDTjZ1RVFBbGk4djlrQ1NINFU1M21BOFJMRm1GL0s0dlRrcE5tQTJJbXdMcHRmR2luTFlHYWhwRDBwUW15aUJjDQptcWJzRURhOGNsajh5NEUzcXA2NU1ydGFxaGhteTdsMmdDMzFCcjYydHZDSlF4b2hMOXZDK1doc2ZwOE1FVS9VDQpmK2hpRXMxU2ROUzZUTG1hc1cvSGFPeVhvYWhZaFFldDhVZXE4bUFSZFF2UmdHdjJWTjgyODgxck55MDRxZG1VDQpQTEdITXBrZzk0elQzZFAyT1RZUHkwcGM5c0JoNnpGT0NDUVpVcXorREk4QUVBOUVUMGQ3bGMrU2drTDA2TjFrDQoyakVmNEV3VWYvMHg5ZHhoQ0c1bzZKWVVIdTJ6Qzk3QzNxRCtQaHZaQWdNQkFBR2pSREJDTUFrR0ExVWRFd1FDDQpNQUF3Q3dZRFZSMFBCQVFEQWdXZ01CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUJNQk1HQTFVZEVRUU1NQXFDDQpDQ291Y1hFdVkyOXRNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFXQUxwT0I3bzJ2d01FUHVtdFhDQVJDUnY2DQpCN3hGeTJIeXR1eTZvK0VYSXRLZmZVQ1BaVjBnR3FySTJEUnYrU0pmMWNxUUFaK2ZlUDl6cXJES3dGQURmNm5BDQpnalo5Nkc0ZnBBcnZPZGZpQVQxeHU3WHBweWM1TFNEbXB3d0dEUFppTFc2NXBLaTk4TmZnaFlnOVIxVHpXVlMxDQpKWVVNQVBUeWZDYjJMSFg0Zi9EdmVGQ0Y5QjZQN3MyN2htelh4OHhCRlFiR0RpVHNzOFRtcUQybXBjWVY5S3lrDQpCNjBxdFgzcUltSXhxSk95K1JycEF1NHhmK1NTQXRYUHl0TkRvNWZSajFNc2RuN3FEcjFSYzI0eGlHQlQ4V1lSDQpGSmN2cXFkRUo5ZjhHdTNpamNpWHNGaUJzQkRuQ0EvTXo3REtRU0tLdFhHVFpsN0lWOGNqeHV0Mjc0SWMNCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0NCg==
+  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ0KTUlJRW93SUJBQUtDQVFFQTBzbHl1SHRNaHMreGlsazZ2YWRPdi9YZ01tYkVLc1o0Vm11bUszM2ozSFNOTXdqZQ0KcmhFQUpZdkwvWkFraCtGT2Q1Z1BFU3haaGZ5dUwwNUtUWmdOaUpzQzZiWHhvcHkyQm1vYVE5S1VKc29nWEpxbQ0KN0JBMnZISlkvTXVCTjZxZXVUSzdXcW9ZWnN1NWRvQXQ5UWErdHJid2lVTWFJUy9id3Zsb2JINmZEQkZQMUgvbw0KWWhMTlVuVFV1a3k1bXJGdngyanNsNkdvV0lVSHJmRkhxdkpnRVhVTDBZQnI5bFRmTnZQTmF6Y3RPS25abER5eA0KaHpLWklQZU0wOTNUOWprMkQ4dEtYUGJBWWVzeFRnZ2tHVktzL2d5UEFCQVBSRTlIZTVYUGtvSkM5T2pkWk5veA0KSCtCTUZILzlNZlhjWVFodWFPaVdGQjd0c3d2ZXd0NmcvajRiMlFJREFRQUJBb0lCQUF1cUplVHJUV1hsa2JJRA0KcVUrdUMwVVlpM211ams2aHIyZDA1N1R0TnJYUUxTTVJRUHJDcW1zRjcvWmNaeFN1STVtTk90Q3JGbG5ZeGE0Mw0KZnR0Q1RBWGdhd3BaVzBqT1FhSjRyc2hvMUZXdXYzeEZ3bkZYRDdGRWtLNXhoaVBxK3ZWTmdDRzVXemdCRTgyaA0KdEdKQTduZmpRQ0VzNUN5UDN0VDNneVRLeHBlbC9YTmtXUjFBQmg2UkV0WlVUTmh0U2RTaDNwZ0pLMUkwN2Nscg0KNzNtMW80b2RydldOSFNUWUM1bFA3Vk5hL0VpczE1dno2ZGJsNXYyWFEvSnpwTHZWZFVKRWRteHhONWVSNmpGSw0KTlBzbWNJUGZLOFUvN3dyRGNwNjE1bVUzVmIwNUFmNjJyWkhySkZKdHBIMG1iOXFSYzRKMy93RytYaWEvNXhPVA0KOXdnc3BlTUNnWUVBNmtsVFJraStEN3pTV1RUNzQyb3R5VUNjaUlsdXdWZWxJdGNxWHc0MjM3ZDYvMGplV3BhQQ0KOU5MaWJNKzd2UXFWVmRJekJ4V2hjd1ZmdEllMzczRWVFMno0MWhJOXNidnVXNFdUbGNESnc0Mk9SSWNJYmZnQQ0KZXRzR0xXY251R1B3dlVoYTdKZnlIdHl6Ym9UU3AwV3hGZncrSTY0c3JENHlNRmdrWmNxTDUxTUNnWUVBNWxLUw0KMzlRTlByZWgzNlRMdUhMTlJUbE5tSzlUcWphTjNUN25vUTdaSFYzSzFpYzl2ZTEzbUhZRnk1YjJWaGN6ZEhWOQ0KQWhNLzJTRUpxUHdjaWQwMmNpdjlHVlRVbDNVWUFoL3dnZSsrOWsyMFNiS3ZZaVRacmhCRWkzZW1aTzF3eW1NZg0KZ1FsMlk1R3N1SFI4SEpmVTNBdzNSUnlGWCtRTmVpUUJDY0R1cHFNQ2dZQVRtUEtZVEhscGc1ZnMwbHZIbUJnZw0KWDRFNGdwWjdJY08wZUY4WStHMXFwVVJxbWtQUFBBdXBid0oxcTZLK20yWUdlY0MrOVBZK1V0TEFuU0dycThDaQ0KUzFrOVB1VmVPcVFqajdiYXJmZXluZUtxcE1qMXVlc0FXOVhXY215R0pnWDdMMVE3dWpJTWx0V0RoeVMvelRxVQ0KNWpha2NXdFhOUlNwcXBYUTFmS0I5UUtCZ1FDcVZkOHhrYzNKMkZ6cTNTR2M0NnBUeTdGTGZqN04zMUxEa1VZVQ0Kb3JxSE1WcFZUdWdta255a1VJU3dzSkMxMHFySE1peWxZRDhVQVk3M1hweHNpU0UvQnJGRURxeTY1bW8vQ0FnQw0KMEovVjRGbTVOMkRsb0lNc2EvT0ZnWk9aaU5DbG5QRXJxU2ZaTTE4ZGUyaGViUnVMTWEyZWV4MVljWHhXSEZKNA0KT0N0SEtRS0JnRnpBbzBoazFMRVlDMVN6cmpmZjBXZHVESEZuQnoyczJROWRFRzMrZmpVRlhsQVh0NlBBQUxDSg0KY2hKMmdGWTNRY1dBR015alBXK3doQU1HY2RPMWF1MlM0SFpLQTZwbkVYZ0VXbjFRQ3FuR0pwT2ZPd2dDcXI3RQ0KQmdZZG1Telo3MEhvZ3RlVUkrSzAvMUdXRE95eVplbHBHeEFnU3hVTmRKU3p6VDh0bTlCTQ0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0NCg==
--- a/gp2504/ingress.yaml
+++ b/gp2504/ingress.yaml
@ -6,10 +6,25 @@ metadata:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
-    nginx.ingress.kubernetes.io/rewrite-target: /
+    nginx.ingress.kubernetes.io/auth-tls-secret: "gp2504/ca-secret"
+    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "2"
+    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+#    nginx.ingress.kubernetes.io/auth-type: "basic"
+#    nginx.ingress.kubernetes.io/auth-secret: "basic-auth"
+#    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
 spec:
+  tls:
+    - hosts:
+        - api-g2504.qq.com
+        - h5-g2504.qq.com
+        - admin-g2504.qq.com
+        - agent-g2504.qq.com
+      secretName: tls-secret
  rules:
-    - host: api.g2504.qq.com
+    - host: api-g2504.qq.com
      http:
        paths:
          - path: /
@ -26,7 +41,7 @@ spec:
                name: external-service
                port:
                  number: 80
-    - host: h5.g2504.qq.com
+    - host: h5-g2504.qq.com
      http:
        paths:
          - path: /
@ -50,7 +65,7 @@ spec:
                name: external-service
                port:
                  number: 80
-    - host: admin.g2504.qq.com
+    - host: admin-g2504.qq.com
      http:
        paths:
          - path: /
@ -81,7 +96,7 @@ spec:
                name: external-service
                port:
                  number: 80
-    - host: agent.g2504.qq.com
+    - host: agent-g2504.qq.com
      http:
        paths:
          - path: /
--- a/gp2504/kustomization.yaml
+++ b/gp2504/kustomization.yaml
@ -10,6 +10,8 @@ resources:
  - ../base/projects/stock2
  - ../base/redis
  - ../base/redis-nodeport
+  - ../base/tls
+  - ../base/basic-auth
  - ingress.yaml

 configMapGenerator:
--- a/test.bat
+++ b/test.bat
@ -0,0 +1 @@
+kubectl apply --dry-run=client -k gp2504