🎨 大部分的 make 指令

pkg/resource/emqx.yaml

@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: db-emqx
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: emqx
+  namespace: db-emqx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: emqx
+  template:
+    metadata:
+      labels:
+        app: emqx
+    spec:
+      containers:
+        - name: emqx
+          image: hub.yizhisec.com/external/emqx:5.1
+          ports:
+            - containerPort: 1883
+              name: mqtt
+            - containerPort: 8883
+              name: mqtt-ssl
+            - containerPort: 18083
+              name: dashboard
+            - containerPort: 18084
+              name: websocket
+          env:
+            - name: EMQX_NODE_NAME
+              value: "emqx@single-node"
+            - name: EMQX_DASHBOARD__DEFAULT_PASSWORD
+              value: "YizhiSEC@123"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: emqx-service
+  namespace: db-emqx
+spec:
+  selector:
+    app: emqx
+  type: ClusterIP
+  ports:
+    - name: mqtt
+      port: 1883
+      targetPort: 1883
+    - name: mqtt-ssl
+      port: 8883
+      targetPort: 8883
+    - name: dashboard
+      port: 18083
+      targetPort: 18083
+    - name: websocket
+      port: 18084
+      targetPort: 18084
+

pkg/resource/es.yaml

@@ -0,0 +1,121 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: db-es
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: elasticsearch
+  namespace: db-es
+spec:
+  serviceName: elasticsearch
+  replicas: 1
+  selector:
+    matchLabels:
+      app: elasticsearch
+  template:
+    metadata:
+      labels:
+        app: elasticsearch
+    spec:
+      volumes:
+        - name: shared-data
+          emptyDir: {}
+      securityContext:
+        fsGroup: 1000
+      initContainers:
+        - name: fix-permissions
+          image: hub.yizhisec.com/hybridscope/v2/es-init-helper:alpine-3.22.2
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+          args: 
+            - | 
+              #/bin/sh
+              cp -rf /data/plugins/* /app/shared/
+              chown -R 1000:1000 /usr/share/elasticsearch/data           
+          volumeMounts:
+            - name: es-data
+              mountPath: /usr/share/elasticsearch/data
+            - name: shared-data
+              mountPath: /app/shared
+          securityContext:
+            runAsUser: 0
+      containers:
+        - name: elasticsearch
+          image: hub.yizhisec.com/external/elasticsearch:7.17.28
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: discovery.type
+              value: single-node
+            - name: ES_JAVA_OPTS
+              value: "-Xms%dg -Xmx%dg"
+            - name: node.name
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          ports:
+            - containerPort: 9200
+              name: http
+            - containerPort: 9300
+              name: transport
+          volumeMounts:
+            - name: es-data
+              mountPath: /usr/share/elasticsearch/data
+            - name: shared-data
+              mountPath: /usr/share/elasticsearch/plugins
+          resources:
+            requests:
+              memory: "%dGi"
+              cpu: "%d"
+            limits:
+              memory: "%dGi"
+              cpu: "%d"
+  volumeClaimTemplates:
+    - metadata:
+        name: es-data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: longhorn
+        resources:
+          requests:
+            storage: %dGi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: es-service
+  namespace: db-es
+spec:
+  type: ClusterIP
+  selector:
+    app: elasticsearch
+  ports:
+    - name: http
+      protocol: TCP
+      port: 9200
+      targetPort: http
+    - name: transport
+      protocol: TCP
+      port: 9300
+      targetPort: transport
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: es-init-job
+  namespace: db-es
+spec:
+  template:
+    spec:
+      containers:
+        - name: es-init
+          image: hub.yizhisec.com/hybridscope/v2/es-init-helper:alpine-3.22.2
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - /data/create_index.sh
+      restartPolicy: Never
+  backoffLimit: 2

pkg/resource/flannel.yaml

@@ -0,0 +1,214 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    k8s-app: flannel
+    pod-security.kubernetes.io/enforce: privileged
+  name: kube-flannel
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    k8s-app: flannel
+  name: flannel
+  namespace: kube-flannel
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: flannel
+  name: flannel
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes/status
+    verbs:
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    k8s-app: flannel
+  name: flannel
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: flannel
+subjects:
+  - kind: ServiceAccount
+    name: flannel
+    namespace: kube-flannel
+---
+apiVersion: v1
+data:
+  cni-conf.json: |
+    {
+      "name": "cbr0",
+      "cniVersion": "0.3.1",
+      "plugins": [
+        {
+          "type": "flannel",
+          "delegate": {
+            "hairpinMode": true,
+            "isDefaultGateway": true
+          }
+        },
+        {
+          "type": "portmap",
+          "capabilities": {
+            "portMappings": true
+          }
+        }
+      ]
+    }
+  net-conf.json: |
+    {
+      "Network": "10.244.0.0/16",
+      "EnableNFTables": false,
+      "Backend": {
+        "Type": "vxlan"
+      }
+    }
+kind: ConfigMap
+metadata:
+  labels:
+    app: flannel
+    k8s-app: flannel
+    tier: node
+  name: kube-flannel-cfg
+  namespace: kube-flannel
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: flannel
+    k8s-app: flannel
+    tier: node
+  name: kube-flannel-ds
+  namespace: kube-flannel
+spec:
+  selector:
+    matchLabels:
+      app: flannel
+      k8s-app: flannel
+  template:
+    metadata:
+      labels:
+        app: flannel
+        k8s-app: flannel
+        tier: node
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: kubernetes.io/os
+                    operator: In
+                    values:
+                      - linux
+      containers:
+        - args:
+            - --ip-masq
+            - --kube-subnet-mgr
+          command:
+            - /opt/bin/flanneld
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: EVENT_QUEUE_DEPTH
+              value: "5000"
+            - name: CONT_WHEN_CACHE_NOT_READY
+              value: "false"
+          image: ghcr.io/flannel-io/flannel:v0.27.4
+          name: kube-flannel
+          resources:
+            requests:
+              cpu: 100m
+              memory: 50Mi
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+                - NET_RAW
+            privileged: false
+          volumeMounts:
+            - mountPath: /run/flannel
+              name: run
+            - mountPath: /etc/kube-flannel/
+              name: flannel-cfg
+            - mountPath: /run/xtables.lock
+              name: xtables-lock
+      hostNetwork: true
+      initContainers:
+        - args:
+            - -f
+            - /flannel
+            - /opt/cni/bin/flannel
+          command:
+            - cp
+          image: ghcr.io/flannel-io/flannel-cni-plugin:v1.8.0-flannel1
+          name: install-cni-plugin
+          volumeMounts:
+            - mountPath: /opt/cni/bin
+              name: cni-plugin
+        - args:
+            - -f
+            - /etc/kube-flannel/cni-conf.json
+            - /etc/cni/net.d/10-flannel.conflist
+          command:
+            - cp
+          image: ghcr.io/flannel-io/flannel:v0.27.4
+          name: install-cni
+          volumeMounts:
+            - mountPath: /etc/cni/net.d
+              name: cni
+            - mountPath: /etc/kube-flannel/
+              name: flannel-cfg
+      priorityClassName: system-node-critical
+      serviceAccountName: flannel
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+      volumes:
+        - hostPath:
+            path: /run/flannel
+          name: run
+        - hostPath:
+            path: /opt/cni/bin
+          name: cni-plugin
+        - hostPath:
+            path: /etc/cni/net.d
+          name: cni
+        - configMap:
+            name: kube-flannel-cfg
+          name: flannel-cfg
+        - hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
+          name: xtables-lock

pkg/resource/kibana.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kibana
+  namespace: db-es
+spec:
+  replicas: 0
+  selector:
+    matchLabels:
+      app: kibana
+  template:
+    metadata:
+      labels:
+        app: kibana
+    spec:
+      containers:
+        - name: kibana
+          image: hub.yizhisec.com/external/kibana:7.17.28
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: ELASTICSEARCH_HOSTS
+              value: http://es-service:9200
+            - name: SERVER_HOST
+              value: 0.0.0.0
+          ports:
+            - containerPort: 5601
+              name: http
+          resources:
+            limits:
+              memory: 2Gi
+              cpu: 1
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kibana-service
+  namespace: db-es
+spec:
+  type: NodePort
+  selector:
+    app: kibana
+  ports:
+    - name: http
+      protocol: TCP
+      port: 5601
+      targetPort: 5601
+      nodePort: 31601

pkg/resource/less-dns.yaml

@@ -0,0 +1,83 @@
+# k8s-hs-less-dns.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: hs-net
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-less-dns
+  namespace: hs-net
+data:
+  config.yml: |
+    {
+      "log": {
+        "level": "info"
+      },
+      "vnet4": "100.64.0.1/10",
+      "vnet6": "fc00:eeaa:0000:0000::/48",
+      "redis": {
+        "custom": [
+          {
+            "username": null,
+            "password": "HybridScope0xRed1s.",
+            "host": "redis-master.db-redis",
+            "port": 6379,
+            "tls_insecure": null,
+            "db": 10
+          }
+        ]
+      },
+      "mqtt": {
+        "client_id": "dns_mqtt_client",
+        "protocol": "tls",
+        "host": "emqx-service.db-emqx",
+        "port": 1883,
+        "cert": "",
+        "key": "",
+        "keep_alive": 60
+      }
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: less-dns
+  namespace: hs-net
+  labels:
+    app: less-dns
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: less-dns
+  template:
+    metadata:
+      labels:
+        app: less-dns
+    spec:
+      topologySpreadConstraints:
+      - maxSkew: 1 
+        topologyKey: kubernetes.io/hostname 
+        whenUnsatisfiable: ScheduleAnyway 
+        labelSelector:
+          matchLabels:
+            app: less-dns
+      containers:
+      - name: less-dns
+        image: hub.yizhisec.com/hybridscope/less_dns_service:latest
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - name: config-volume
+          mountPath: /etc/less_dns_service
+        securityContext:
+          privileged: true
+      volumes:
+      - name: config-volume
+        configMap:
+          name: config-less-dns
+          items:
+          - key: config.yml
+            path: config.yml
+      restartPolicy: Always

pkg/resource/resource.go

@@ -0,0 +1,28 @@
+package resource
+
+import (
+	_ "embed"
+)
+
+var (
+	//go:embed flannel.yaml
+	YAMLFlannel []byte
+
+	//go:embed es.yaml
+	YAMLES string
+
+	//go:embed kibana.yaml
+	YAMLKibana []byte
+
+	//go:embed es.init.sh
+	BashESInit []byte
+
+	//go:embed emqx.yaml
+	YAMLEMQX []byte
+
+	//go:embed yosguard.create.sql
+	SQLYosguard []byte
+
+	//go:embed less-dns.yaml
+	YAMLLessDNS []byte
+)

pkg/resource/yosguard.create.sql

@@ -0,0 +1,36 @@
+CREATE TABLE IF NOT EXISTS `pkg`
+(
+    `id`                INTEGER PRIMARY KEY AUTOINCREMENT,
+    `path`              TEXT,
+    `installed`         INTEGER,
+    `create_timestamp`  INTEGER,
+    `install_timestamp` INTEGER
+);
+
+CREATE TABLE IF NOT EXISTS `patch`
+(
+    `id`                INTEGER PRIMARY KEY AUTOINCREMENT,
+    `path`              TEXT,
+    `verified`          INTEGER,
+    `installed`         INTEGER,
+    `create_timestamp`  INTEGER,
+    `verify_timestamp`  INTEGER,
+    `install_timestamp` INTEGER
+);
+
+-- 记录注册的机器的信息
+CREATE TABLE IF NOT EXISTS `machine`
+(
+    `id`               INTEGER PRIMARY KEY AUTOINCREMENT,
+    `uuid`             CHAR(32),
+    `create_timestamp` INTEGER
+);
+
+-- 记录下发的指令
+CREATE TABLE IF NOT EXISTS `action`
+(
+    `id`               INTEGER PRIMARY KEY AUTOINCREMENT,
+    `uuid`             CHAR(32),
+    `action`           INTEGER, -- 要下发的指令
+    `create_timestamp` INTEGER  -- 下发命令的时间戳，秒为单位
+);