From 5c333f51d52a35daf48df9c33f88a2868dfdad79 Mon Sep 17 00:00:00 2001
From: TommyLike
Date: Thu, 23 Jan 2020 17:10:40 +0800
Subject: [PATCH] Add yaml and dockerfile for repo server
---
cd/repo/dockerfiles/rsyncd/Dockerfile | 19 ++
cd/repo/dockerfiles/rsyncd/entrypoint.sh | 16 ++
cd/repo/openeuler.org/deployment.yaml | 240 ++++++++++++++++++
.../deployment_with_rsync_server.yaml | 221 ++++++++++++++++
4 files changed, 496 insertions(+)
create mode 100644 cd/repo/dockerfiles/rsyncd/Dockerfile
create mode 100755 cd/repo/dockerfiles/rsyncd/entrypoint.sh
create mode 100644 cd/repo/openeuler.org/deployment.yaml
create mode 100644 cd/repo/openeuler.org/deployment_with_rsync_server.yaml
diff --git a/cd/repo/dockerfiles/rsyncd/Dockerfile b/cd/repo/dockerfiles/rsyncd/Dockerfile
new file mode 100644
index 0000000..47a0148
--- /dev/null
+++ b/cd/repo/dockerfiles/rsyncd/Dockerfile
@@ -0,0 +1,19 @@
+FROM ubuntu:14.04
+MAINTAINER tommylikehu@gmail.com
+
+EXPOSE 873
+
+RUN apt-get update && \
+ apt-get -y install rsync && \
+ apt-get -y install net-tools && \
+ apt-get -y install openssh-server
+
+EXPOSE 22
+RUN mkdir /var/run/sshd
+RUN sed -i 's/PermitRootLogin without-password/PermitRootLogin yes/' /etc/ssh/sshd_config
+RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
+ENV NOTVISIBLE "in users profile"
+RUN echo "export VISIBLE=now" >> /etc/profile
+
+COPY entrypoint.sh /usr/local/bin/
+CMD ["entrypoint.sh"]
\ No newline at end of file
diff --git a/cd/repo/dockerfiles/rsyncd/entrypoint.sh b/cd/repo/dockerfiles/rsyncd/entrypoint.sh
new file mode 100755
index 0000000..d126cc0
--- /dev/null
+++ b/cd/repo/dockerfiles/rsyncd/entrypoint.sh
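Review bot: The `sed` that rewrites `PermitRootLogin without-password` to `PermitRootLogin yes` widens root SSH access from key-only to password login, which nothing in this image needs — the entrypoint installed by `COPY entrypoint.sh` only sets permissions on an authorized_keys file (inferred from the next hunk). Drop that `RUN sed ... PermitRootLogin yes ...` line and instead disable password auth explicitly with `RUN echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config`, since 14.04's stock sshd_config only carries the setting as a comment. `FROM ubuntu:14.04` was already past the end of standard support (April 2019) at this commit's date, so rsync and openssh-server come from an unpatched archive; pin a supported base tag. The `RUN apt-get update && ... install` chain also leaves the apt lists in the layer — append `&& rm -rf /var/lib/apt/lists/*` — and `MAINTAINER` is deprecated in favour of `LABEL`.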
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -e
+
+if [[ ! -e "/etc/rsyncd.conf" ]]; then
+ echo "/etc/rsyncd.conf not exists"
+ exit 1
+fi
+
+#setting up sshd server
+if [[ -e "/root/.ssh/authorized_keys" ]]; then
+ chmod 0400 /root/.ssh/authorized_keys
+ chown root:root /root/.ssh/authorized_keys
+fi
+exec /usr/sbin/sshd &
+
+exec /usr/bin/rsync --no-detach --daemon --config /etc/rsyncd.conf "$@"
\ No newline at end of file
diff --git a/cd/repo/openeuler.org/deployment.yaml b/cd/repo/openeuler.org/deployment.yaml
new file mode 100644
index 0000000..7731444
--- /dev/null
+++ b/cd/repo/openeuler.org/deployment.yaml
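Review bot: `exec /usr/sbin/sshd &` does not do what it reads as: `exec` inside a backgrounded command only replaces the forked subshell, and sshd daemonizes itself anyway, so the line behaves like a plain `/usr/sbin/sshd` except that `set -e` can never observe a failure (bad config, port 22 already bound) and the container silently carries on without SSH. Replace it with `/usr/sbin/sshd -t && /usr/sbin/sshd`, which validates the config and lets `set -e` abort the script on error. sshd is also started regardless of whether `/root/.ssh/authorized_keys` was mounted; if key-only access is the intent, move the start inside that `if` so a container without a provisioned key never listens on 22. The `exec` on the final rsync line is correct and makes rsync PID 1 — keep that one.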
@@ -0,0 +1,240 @@ +--- +# Source: repo-chart/templates/namespace.yaml +# Namespace for repo server +apiVersion: v1 +kind: Namespace +metadata: + labels: + name: repo + name: repo + +--- +# Source: repo-chart/templates/config.yaml +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: openeuler-configmap + namespace: repo +data: +# update-repo-job.yaml: | +# apiVersion: batch/v1 +# kind: Job +# metadata: +# name: update-repo-job +# namespace: repo +# spec: +# template: +# spec: +# containers: +# - name: update-repo +# image: swr.cn-north-1.myhuaweicloud.com/hwstaff_h00223369/repo-tools:0.0.3 +# # NOTE: PROJECT_VARIABLE is used to be replaced with actual project list, don't update this only at this place. +# args: ["--repo-json", "PROJECT_VARIABLE", "update"] +# volumeMounts: +# - mountPath: /repo/openeuler +# name: repo-data-volume +# env: +# - name: WORKING_DIR +# value: /repo/openeuler/repository +# restartPolicy: Never +# volumes: +# - name: repo-data-volume +# persistentVolumeClaim: +# claimName: cce-efs-import-k410ji5h-hinm + default.conf: | + server { + listen 443 ssl; + + access_log /var/log/nginx/host.access.log main; + + server_name repo.openeuler.org; + ssl on; + ssl_certificate /etc/nginx/ssl/fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/privkey.pem; + + location / { + root /repo/openeuler; + autoindex on; + } + + error_page 500 502 503 504 /50x.html; + + location = /50x.html { + root /usr/share/nginx/html; + } + } + + nginx.conf: |- + user root; + worker_processes 1; + + error_log /var/log/nginx/error.log warn; + pid /var/run/nginx.pid; + + + events { + worker_connections 1024; + } + + + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + 
#gzip on; + + include /etc/nginx/conf.d/*.conf; + } + + + +--- +# Source: repo-chart/templates/deployment.yaml +# Persistent volume claim for deployment +#--- +#apiVersion: v1 +#kind: PersistentVolumeClaim +#metadata: +# name: openeuler-data-volume +# namespace: repo +#spec: +# accessModes: +# - ReadWriteMany +# resources: +# requests: +# storage: 100Gi +# storageClassName: sas + +# ServiceAccount for deployment +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: openeuler-listener + namespace: repo +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: openeuler-listener +rules: + - apiGroups: ["batch", "extensions"] + resources: ["jobs"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: openeuler-listener +subjects: + - kind: ServiceAccount + name: openeuler-listener + namespace: repo +roleRef: + kind: ClusterRole + name: openeuler-listener + apiGroup: rbac.authorization.k8s.io + + +# Deployment for repo service +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: openeuler + namespace: repo + labels: + app: repo-nginx-server +spec: + replicas: 2 + selector: + matchLabels: + app: repo-nginx-pod + template: + metadata: + labels: + app: repo-nginx-pod + spec: + serviceAccount: openeuler-listener + containers: + - name: repo-nginx + image: swr.cn-north-1.myhuaweicloud.com/hwstaff_h00223369/nginx:1.17.5 + imagePullPolicy: "IfNotPresent" + volumeMounts: + - name: website-secrets-volume + mountPath: /etc/nginx/ssl/fullchain.pem + subPath: fullchain.pem + - name: website-secrets-volume + mountPath: /etc/nginx/ssl/privkey.pem + subPath: privkey.pem + - mountPath: /etc/nginx/nginx.conf + name: repo-nginx-configmap-volume + subPath: nginx.conf + - mountPath: /etc/nginx/conf.d/default.conf + name: repo-nginx-configmap-volume + subPath: default.conf + - mountPath: /repo/openeuler + name: repo-data-volume + - 
name: repo-update-listener + image: swr.cn-north-1.myhuaweicloud.com/hwstaff_h00223369/repo-listener:0.0.2 + env: + # base auth for repo listener + - name: BASIC_AUTH_USERNAME + value: openeuler + - name: BASIC_AUTH_PASSWORD + value: openeuler + - name: K8S_NAMESPACE + value: repo + imagePullPolicy: "IfNotPresent" + volumeMounts: + - mountPath: /etc/repo-update/update-repo-job.yaml + name: repo-nginx-configmap-volume + subPath: update-repo-job.yaml + volumes: + - name: repo-nginx-configmap-volume + configMap: + name: openeuler-configmap + - name: repo-data-volume + persistentVolumeClaim: + claimName: cce-efs-import-for-repo-use + - name: website-secrets-volume + secret: + secretName: website-secrets + +--- +# Source: repo-chart/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: openeuler-service + namespace: repo + annotations: + kubernetes.io/elb.class: union + kubernetes.io/elb.id: 161185be-1794-452b-82ca-647db0e9c5b1 + kubernetes.io/elb.lb-algorithm: ROUND_ROBIN +spec: + externalTrafficPolicy: Cluster + ports: + - port: 443 + name: nginx-repo-https + targetPort: 443 + - port: 80 + name: nginx-repo-listener-http + targetPort: 80 + selector: + app: repo-nginx-pod + type: LoadBalancer + loadBalancerIP: 121.36.97.194 diff --git a/cd/repo/openeuler.org/deployment_with_rsync_server.yaml b/cd/repo/openeuler.org/deployment_with_rsync_server.yaml new file mode 100644 index 0000000..08e3ac9 --- /dev/null +++ b/cd/repo/openeuler.org/deployment_with_rsync_server.yaml 
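Review bot: `BASIC_AUTH_PASSWORD` is given as a literal `value: openeuler` on the repo-update-listener container, so the credential that authorizes job creation is committed to git and readable by anyone who can `get deployments` in the namespace; move it to a Secret and reference it with `valueFrom.secretKeyRef` (the same for `BASIC_AUTH_USERNAME` if it is treated as sensitive). The `openeuler-listener` ClusterRole/ClusterRoleBinding grants get/list/watch/create/update/patch/delete on jobs in every namespace, while the listener is pinned to `K8S_NAMESPACE: repo`; a namespaced `Role` plus `RoleBinding` in `repo` provides the same function with least privilege. The nginx container runs as root (`user root;` in nginx.conf) with `autoindex on` over the repo volume, and the Service forwards port 80 to the pod although no container in this manifest declares a port — confirm the listener image actually binds 80. `serviceAccount:` is a deprecated alias; use `serviceAccountName:`.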
@@ -0,0 +1,221 @@ +# Source: repo-chart/templates/config.yaml +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: openeuler-configmap + namespace: repo2 +data: + rsyncd.secrets: | + root:openeuler@!234 + rsyncd.conf: | + log file = /dev/stdout + use chroot = yes + uid = root + gid = root + max connections = 10 + timeout = 600 + read only = yes + + [openeuler] + path = /repo/openeuler + comment = openeuler repo folder + read only = true + auth users = root + secrets file = /etc/rsyncd.secrets + ignore nonreadable = yes + refuse options = checksum + dont compress = * + default.conf: | + server { + listen 443 ssl; + + access_log /var/log/nginx/host.access.log main; + + server_name repo.openeuler.org; + ssl on; + ssl_certificate /etc/nginx/ssl/fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/privkey.pem; + + location / { + root /repo/openeuler; + autoindex on; + } + + error_page 500 502 503 504 /50x.html; + + location = /50x.html { + root /usr/share/nginx/html; + } + } + + nginx.conf: |- + user root; + worker_processes 1; + + error_log /var/log/nginx/error.log warn; + pid /var/run/nginx.pid; + + + events { + worker_connections 1024; + } + + + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + include /etc/nginx/conf.d/*.conf; + } + + + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: openeuler-data-volume + namespace: repo2 +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 4000Gi + storageClassName: ssd +# Deployment for repo service +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: openeuler + namespace: repo2 + labels: + app: repo-nginx-server +spec: + replicas: 1 + selector: + 
matchLabels: + app: repo-nginx-pod + template: + metadata: + labels: + app: repo-nginx-pod + spec: + containers: + - name: repo-nginx + image: swr.cn-north-4.myhuaweicloud.com/openeuler/nginx:1.17.5 + imagePullPolicy: "IfNotPresent" + volumeMounts: + - name: website-secrets-volume + mountPath: /etc/nginx/ssl/fullchain.pem + subPath: fullchain.pem + - name: website-secrets-volume + mountPath: /etc/nginx/ssl/privkey.pem + subPath: privkey.pem + - mountPath: /etc/nginx/nginx.conf + name: repo-nginx-configmap-volume + subPath: nginx.conf + - mountPath: /etc/nginx/conf.d/default.conf + name: repo-nginx-configmap-volume + subPath: default.conf + - mountPath: /repo/openeuler + name: openeuler-data-volume + resources: + requests: + cpu: 8000m + memory: 8000Mi + - name: rsync-server + image: swr.cn-north-4.myhuaweicloud.com/openeuler/rsyncd:0.0.4 + imagePullPolicy: "IfNotPresent" + volumeMounts: + - mountPath: /etc/rsyncd.conf + name: repo-nginx-configmap-volume + subPath: rsyncd.conf + - mountPath: /etc/rsyncd.secrets.ro + name: repo-nginx-configmap-volume + subPath: rsyncd.secrets + - mountPath: /repo/openeuler + name: openeuler-data-volume + resources: + requests: + cpu: 4000m + memory: 8000Mi + command: + - /bin/sh + - -c + - | + cp /etc/rsyncd.secrets.ro /etc/rsyncd.secrets; + chmod 0400 /etc/rsyncd.secrets; + exec /usr/bin/rsync --no-detach --daemon --config /etc/rsyncd.conf; + - name: rsync-client + image: swr.cn-north-4.myhuaweicloud.com/openeuler/rsyncd:0.0.4 + imagePullPolicy: "IfNotPresent" + volumeMounts: + - mountPath: /etc/rsyncd.conf + name: repo-nginx-configmap-volume + subPath: rsyncd.conf + - mountPath: /etc/rsyncd.secrets + name: repo-nginx-configmap-volume + subPath: rsyncd.secrets + - mountPath: /repo/openeuler + name: openeuler-data-volume + command: + - /bin/sh + - -c + - | + /usr/sbin/sshd & + tail -f /dev/null; + volumes: + - name: repo-nginx-configmap-volume + configMap: + name: openeuler-configmap + - name: openeuler-data-volume + 
persistentVolumeClaim: + claimName: openeuler-data-volume + - name: website-secrets-volume + secret: + secretName: website-secrets + defaultMode: 400 + +--- +# Source: repo-chart/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: openeuler-service + namespace: repo2 + annotations: + kubernetes.io/elb.class: union + kubernetes.io/elb.id: + kubernetes.io/elb.lb-algorithm: ROUND_ROBIN +spec: + externalTrafficPolicy: Cluster + ports: + - port: 443 + name: nginx-repo-https + targetPort: 443 + - port: 873 + name: rsync-server-port + targetPort: 873 + - port: 22 + name: rsync-ssh-server-port + targetPort: 22 + selector: + app: repo-nginx-pod + type: LoadBalancer + loadBalancerIP: -- GitLab
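Review bot: `defaultMode: 400` on `website-secrets-volume` is a decimal integer, which Kubernetes interprets as mode 0620 — the TLS private key ends up owner-rw and group-writable instead of owner-read-only; write it as `defaultMode: 0400` (or `256`). `rsyncd.secrets: root:openeuler@!234` stores the rsync credential in a ConfigMap committed to this repo; it belongs in a Secret mounted with the same `subPath`, and the password should be rotated now that it is in history. The `rsync-client` container runs `/usr/sbin/sshd &` and the Service publishes port 22 through the LoadBalancer, yet no `authorized_keys` is mounted into it; with the rsyncd image's `PermitRootLogin yes` (inferred from the Dockerfile in this patch) that is an internet-facing root SSH endpoint whose only protection is, presumably, a locked root password — remove the port from the Service until a key is provisioned. All three containers mount `openeuler-data-volume` read-write although rsyncd itself is `read only = yes`; add `readOnly: true` on the mounts that only serve the data.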