Add rsync server

35573537 · TommyLike · a57864f0 · 35573537 · a57864f0 · a57864f0
13 changed file
--- a/cd/repo/README.md
+++ b/cd/repo/README.md
 # Notice
 This folder used to generate final yaml that can be used to setup the openeuler rpm repo service.
-Please update the `values.yaml` at least with key and cert file before applying yaml.
-```$xslt
-  keyFile: "please update this with correct key file url"
-  certFile: "please update this with correct cert file url"
-  loadBalancerIP: "EIP for load balancer"
-  elbID: "load balancer ID"
-```

 # Dockerfile
-There are 3 images used for repo service and they are:
-1. ``Dockerfile``: it's a repo tool image which used to setup up the nginx environment or update the repo
-data via a kubernetes job resource.
-2. ``Dockerfile.nginx_uwsgi_flask``: it's a simple RESTful application and will be deployed along with the main nginx
-deployment, it will expose the 80 port and our CI/CD system can utlize that endpoint to trigger a repo update action.
-3. ``Official nginx dockerfile``: it's used in the main deployment and will expose 443 port to our repo clients.
+There are 2 images used for repo service and they are:
+1. ``rsyncd/Dockerfile``: it contains the rsync server as well as sshd server, it's used to server as a rsync server.
+3. ``Official nginx dockerfile 1.17.5``: it's used in the main deployment and will expose 443 port to our repo clients.

-# Trigger a repo update
-In order to update the repo, an POST request is needed with following parameters:
-```$xslt
-Endpoint: http://<repo-service-ip>:80/republish
-Header:
-Authorization: Basic <base64<username:password>>
-Content-Type: application/json
-Request Body:
-{
-    "projects": [
-        {
-            "localpath": "openeuler/extras",
-            "http_url": "http://119.3.219.20:82/openEuler:/Extras/standard_aarch64/aarch64/"
-        }
-    ]
-}
+# Sync files from rsync server
+Command will be like, note password is required:
+```bash
+sspass -p <password> rsync -avz --info=progress2 rsync://root@<address of rsync server>:873/openeuler .
 ```
-then a k8s job will be created to fetch all rpm files into repo data volume.

 # Generate yaml Command
 ```$xslt
-helm template repo-chart  -f repo-chart/values.yaml --namespace repo --name openeuler  > deployment.yaml
+helm template repo-chart  -f repo-chart/values.yaml --namespace <namespace> --name openeuler  > deployment.yaml
+```
+
+# Secrets required before deploy
+the `website-secrets` is required before deploy the generated yaml, it will contain website certficate as well
+as the private key. the command will be like:
+```bash
+kubectl create secret generic website-secrets --from-file=./fullchain.pem --from-file=./privkey.pem -n <namespace>
 ```
--- a/cd/repo/dockerfiles/Dockerfile
+++ b/cd/repo/dockerfiles/Dockerfile
-FROM centos:centos7
-MAINTAINER tommylike <tommylikehu@gmail.com>
-
-USER root
-
-# Install createrepo
-RUN yum -y install createrepo && \
-    yum -y install epel-release && \
-    yum -y install curl && \
-    yum -y install wget && \
-    yum -y install python36 && \
-    pip3 install pytz
-
-COPY entrypoint.sh /usr/local/bin/
-COPY repo_tools.py /root/
-
-
-ENTRYPOINT ["entrypoint.sh"]
--- a/cd/repo/openeuler.org/deployment.yaml
+++ b/cd/repo/openeuler.org/deployment.yaml
---
-# Source: repo-chart/templates/namespace.yaml
-# Namespace for repo server
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    name: repo
-  name: repo
-
---
-# Source: repo-chart/templates/config.yaml
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: openeuler-configmap
-  namespace: repo
-data:
-#  update-repo-job.yaml: |
-#    apiVersion: batch/v1
-#    kind: Job
-#    metadata:
-#      name: update-repo-job
-#      namespace: repo
-#    spec:
-#      template:
-#        spec:
-#          containers:
-#            - name: update-repo
-#              image: swr.cn-north-1.myhuaweicloud.com/hwstaff_h00223369/repo-tools:0.0.3
-#              # NOTE: PROJECT_VARIABLE is used to be replaced with actual project list, don't update this only at this place.
-#              args: ["--repo-json", "PROJECT_VARIABLE", "update"]
-#              volumeMounts:
-#                - mountPath: /repo/openeuler
-#                  name: repo-data-volume
-#              env:
-#                - name: WORKING_DIR
-#                  value: /repo/openeuler/repository
-#          restartPolicy: Never
-#          volumes:
-#            - name: repo-data-volume
-#              persistentVolumeClaim:
-#                claimName: cce-efs-import-k410ji5h-hinm
-  default.conf: |
-    server {
-        listen 443 ssl;
-
-        access_log  /var/log/nginx/host.access.log  main;
-
-        server_name repo.openeuler.org;
-        ssl on;
-        ssl_certificate /etc/nginx/ssl/fullchain.pem;
-        ssl_certificate_key  /etc/nginx/ssl/privkey.pem;
-
-        location / {
-            root   /repo/openeuler;
-            autoindex   on;
-        }
-
-        error_page   500 502 503 504  /50x.html;
-
-        location = /50x.html {
-            root   /usr/share/nginx/html;
-        }
-    }
-
-  nginx.conf: |-
-    user  root;
-    worker_processes  1;
-
-    error_log  /var/log/nginx/error.log warn;
-    pid        /var/run/nginx.pid;
-
-
-    events {
-        worker_connections  1024;
-    }
-
-
-    http {
-        include       /etc/nginx/mime.types;
-        default_type  application/octet-stream;
-
-        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                          '$status $body_bytes_sent "$http_referer" '
-                          '"$http_user_agent" "$http_x_forwarded_for"';
-
-        access_log  /var/log/nginx/access.log  main;
-
-        sendfile        on;
-        #tcp_nopush     on;
-
-        keepalive_timeout  65;
-
-        #gzip  on;
-
-        include /etc/nginx/conf.d/*.conf;
-    }
-
-
-
---
-# Source: repo-chart/templates/deployment.yaml
-# Persistent volume claim for deployment
-#---
-#apiVersion: v1
-#kind: PersistentVolumeClaim
-#metadata:
-#  name: openeuler-data-volume
-#  namespace: repo
-#spec:
-#  accessModes:
-#    - ReadWriteMany
-#  resources:
-#    requests:
-#      storage: 100Gi
-#  storageClassName: sas
-
-# ServiceAccount for deployment
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: openeuler-listener
-  namespace: repo
---
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: openeuler-listener
-rules:
-  - apiGroups: ["batch", "extensions"]
-    resources: ["jobs"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-
---
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: openeuler-listener
-subjects:
-  - kind: ServiceAccount
-    name: openeuler-listener
-    namespace: repo
-roleRef:
-  kind: ClusterRole
-  name: openeuler-listener
-  apiGroup: rbac.authorization.k8s.io
-
-
-# Deployment for repo service
---
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  name: openeuler
-  namespace: repo
-  labels:
-    app: repo-nginx-server
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app: repo-nginx-pod
-  template:
-    metadata:
-      labels:
-        app: repo-nginx-pod
-    spec:
-      serviceAccount: openeuler-listener
-      containers:
-        - name: repo-nginx
-          image: swr.cn-north-1.myhuaweicloud.com/hwstaff_h00223369/nginx:1.17.5
-          imagePullPolicy: "IfNotPresent"
-          volumeMounts:
-            - name: website-secrets-volume
-              mountPath: /etc/nginx/ssl/fullchain.pem
-              subPath: fullchain.pem
-            - name: website-secrets-volume
-              mountPath: /etc/nginx/ssl/privkey.pem
-              subPath: privkey.pem
-            - mountPath: /etc/nginx/nginx.conf
-              name: repo-nginx-configmap-volume
-              subPath: nginx.conf
-            - mountPath: /etc/nginx/conf.d/default.conf
-              name: repo-nginx-configmap-volume
-              subPath: default.conf
-            - mountPath: /repo/openeuler
-              name: repo-data-volume
-        - name: repo-update-listener
-          image: swr.cn-north-1.myhuaweicloud.com/hwstaff_h00223369/repo-listener:0.0.2
-          env:
-            # base auth for repo listener
-            - name: BASIC_AUTH_USERNAME
-              value: openeuler
-            - name: BASIC_AUTH_PASSWORD
-              value: openeuler
-            - name: K8S_NAMESPACE
-              value: repo
-          imagePullPolicy: "IfNotPresent"
-          volumeMounts:
-            - mountPath: /etc/repo-update/update-repo-job.yaml
-              name: repo-nginx-configmap-volume
-              subPath: update-repo-job.yaml
-      volumes:
-        - name: repo-nginx-configmap-volume
-          configMap:
-            name: openeuler-configmap
-        - name: repo-data-volume
-          persistentVolumeClaim:
-            claimName: cce-efs-import-for-repo-use
-        - name: website-secrets-volume
-          secret:
-            secretName: website-secrets
-
---
-# Source: repo-chart/templates/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: openeuler-service
-  namespace: repo
-  annotations:
-    kubernetes.io/elb.class: union
-    kubernetes.io/elb.id: 161185be-1794-452b-82ca-647db0e9c5b1
-    kubernetes.io/elb.lb-algorithm: ROUND_ROBIN
-spec:
-  externalTrafficPolicy: Cluster
-  ports:
-    - port: 443
-      name: nginx-repo-https
-      targetPort: 443
-    - port: 80
-      name: nginx-repo-listener-http
-      targetPort: 80
-  selector:
-    app: repo-nginx-pod
-  type: LoadBalancer
-  loadBalancerIP: 121.36.97.194
--- a/cd/repo/openeuler.org/deployment_with_rsync_server.yaml
+++ b/cd/repo/openeuler.org/deployment_with_rsync_server.yaml
@@ -189,7 +189,7 @@ metadata:
  namespace: repo2
  annotations:
    kubernetes.io/elb.class: union
-    kubernetes.io/elb.id: b0fa0739-f69c-4abd-bcbf-840c8dd1b44e
+    kubernetes.io/elb.id: 161185be-1794-452b-82ca-647db0e9c5b1
    kubernetes.io/elb.lb-algorithm: ROUND_ROBIN
 spec:
  externalTrafficPolicy: Cluster
@@ -206,4 +206,4 @@ spec:
  selector:
    app: repo-nginx-pod
  type: LoadBalancer
-  loadBalancerIP: 114.116.245.239
+  loadBalancerIP: 121.36.97.194
--- a/cd/repo/repo-chart/config/default.conf
+++ b/cd/repo/repo-chart/config/default.conf
@@ -8,14 +8,8 @@ server {
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key  /etc/nginx/ssl/privkey.pem;

-    location /repository {
+    location / {
        root   /repo/openeuler;
        autoindex   on;
    }
-
-    error_page   500 502 503 504  /50x.html;
-
-    location = /50x.html {
-        root   /usr/share/nginx/html;
-    }
 }
--- a/cd/repo/repo-chart/config/rsyncd.conf
+++ b/cd/repo/repo-chart/config/rsyncd.conf
+log file = /dev/stdout
+    use chroot = yes
+    uid = root
+    gid = root
+    max connections = 10
+    timeout = 600
+    read only = yes
+
+[openeuler]
+    path = /repo/openeuler
+    comment = openeuler repo folder
+    read only = true
+    auth users = root
+    secrets file = /etc/rsyncd.secrets
+    ignore nonreadable = yes
+    refuse options = checksum
+    dont compress = *
\ No newline at end of file
--- a/cd/repo/repo-chart/config/rsyncd.secrets
+++ b/cd/repo/repo-chart/config/rsyncd.secrets
+root:openeuler@1234
\ No newline at end of file
--- a/cd/repo/repo-chart/config/ssh.pub
+++ b/cd/repo/repo-chart/config/ssh.pub
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQChSk+/FF79F8ut0hpNuYQ4uhAgUSY4hzRIPvQ2uVTukP0B0A99NYPfDNICp7gLa6e7yzaj+bvCpgWZoZCNAWTBWkq+zHTgDDHrLtUE4zPC1guzuR+Gz3yeIzSt0iAzi9uG2p+qh7jUfl8QAwNOs3wosNenoZj7NmgsCF9M1o85msimRc8Roxnn5caao1RtdNkDHDqhw5QiS9doSUjoxT+esD0CI7RHAyMgMCfSlXXl/phpdSU2hVJSFXsHVBTiymkuMQe8Ylmls+OEmCe8Cy7lIqE/Q+56l62Pxv4UJpOWs9T/SrOEr5vtEPGghZzgo5ViewzAs3dGMaODSO25XhrIiRZ7hjBK9tjLOX7ZXfAsb4DpJljq2aPCrlEaGJsHc2laixKIOKogDbqFffM3eXwgEAxPUevX/mYnuyhAVrsRUl8HXIQnTuVIEeYVdmn2MA8I/y6MPWdN5VbLR5gOiNLOuSVhCq3sQLpTZ9CONF+zq+1layCoaGMIZw5JwYgWCQgCGNclbx8eMVY3+J3slH6VjzE/05Eys18HtpuAMCivBLGgpBGeCVdpQqkHodTn5ZjNZEBAgzHypiOgR/txMHhkTi4+1ZvTmSRWs9hggv4/IcDQFaj1f2JVds6lxGvJyOnoy9k1VUC0q4N6sptpJ/n+ElCJ4UaHE48La3Mu79R6+Q== openeuler_hosts
\ No newline at end of file
--- a/cd/repo/repo-chart/templates/config.yaml
+++ b/cd/repo/repo-chart/templates/config.yaml
@@ -5,32 +5,9 @@ metadata:
  name: {{ .Release.Name }}-configmap
  namespace: {{ .Release.Namespace }}
 data:
-  update-repo-job.yaml: |
-    apiVersion: batch/v1
-    kind: Job
-    metadata:
-      name: update-repo-job
-      namespace: {{ .Release.Namespace }}
-    spec:
-      template:
-        spec:
-          containers:
-            - name: update-repo
-              image: {{ .Values.deployment.initImage }}
-              # NOTE: PROJECT_VARIABLE is used to be replaced with actual project list, don't update this only at this place.
-              args: ["--repo-json", "PROJECT_VARIABLE", "update"]
-              volumeMounts:
-                - mountPath: /repo/openeuler
-                  name: repo-data-volume
-              env:
-                - name: WORKING_DIR
-                  value: /repo/openeuler/repository
-          restartPolicy: Never
-          volumes:
-            - name: repo-data-volume
-              persistentVolumeClaim:
-                claimName: {{ .Release.Name }}-data-volume
-
+  {{- (.Files.Glob .Values.deployment.rsyncSecrets).AsConfig | nindent 2 }}
+  {{- (.Files.Glob .Values.deployment.sshPublicKey).AsConfig | nindent 2 }}
+  {{- (.Files.Glob .Values.deployment.rsyncdConfig).AsConfig | nindent 2 }}
  {{- (.Files.Glob .Values.deployment.defaultConfig).AsConfig | nindent 2 }}
  {{- (.Files.Glob .Values.deployment.nginxConfig).AsConfig | nindent 2 }}

--- a/cd/repo/repo-chart/templates/deployment.yaml
+++ b/cd/repo/repo-chart/templates/deployment.yaml
@@ -13,38 +13,6 @@ spec:
      storage: {{ .Values.storage.size }}
  storageClassName: {{ .Values.storage.className }}

-# ServiceAccount for deployment
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .Release.Name }}-listener
-  namespace: {{ .Release.Namespace }}
---
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ .Release.Name }}-listener
-rules:
-  - apiGroups: ["batch", "extensions"]
-    resources: ["jobs"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-
---
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ .Release.Name }}-listener
-subjects:
-  - kind: ServiceAccount
-    name: {{ .Release.Name }}-listener
-    namespace: {{ .Release.Namespace }}
-roleRef:
-  kind: ClusterRole
-  name: {{ .Release.Name }}-listener
-  apiGroup: rbac.authorization.k8s.io
-
-
 # Deployment for repo service
 ---
 kind: Deployment
@@ -64,27 +32,17 @@ spec:
      labels:
        app: repo-nginx-pod
    spec:
-      serviceAccount: {{ .Release.Name }}-listener
-      initContainers:
-        - name: repo-prepare-tool
-          image: {{ .Values.deployment.initImage }}
-          env:
-            # key and cert file used for nginx tls
-            - name: KEY_FILE
-              value: {{ .Values.deployment.keyFile }}
-            - name: CERT_FILE
-              value: {{ .Values.deployment.certFile }}
-          args: ["--key-file", "$(KEY_FILE)","--cert-file", "$(CERT_FILE)", "prepare"]
-          volumeMounts:
-            - mountPath: /etc/nginx/ssl
-              name: repo-nginx-tls-volume
      containers:
        - name: repo-nginx
          image: {{ .Values.deployment.image }}
          imagePullPolicy: "IfNotPresent"
          volumeMounts:
-            - mountPath: /etc/nginx/ssl
-              name: repo-nginx-tls-volume
+            - name: website-secrets-volume
+              mountPath: /etc/nginx/ssl/fullchain.pem
+              subPath: fullchain.pem
+            - name: website-secrets-volume
+              mountPath: /etc/nginx/ssl/privkey.pem
+              subPath: privkey.pem
            - mountPath: /etc/nginx/nginx.conf
              name: repo-nginx-configmap-volume
              subPath: nginx.conf
@@ -92,28 +50,48 @@ spec:
              name: repo-nginx-configmap-volume
              subPath: default.conf
            - mountPath: /repo/openeuler
-              name: repo-data-volume
-        - name: repo-update-listener
-          image: {{ .Values.deployment.listenerImage }}
-          env:
-              # base auth for repo listener
-            - name: BASIC_AUTH_USERNAME
-              value: {{ .Values.deployment.listenerUsername }}
-            - name: BASIC_AUTH_PASSWORD
-              value: {{ .Values.deployment.listenerPassword }}
-            - name: K8S_NAMESPACE
-              value: {{ .Release.Namespace }}
-          imagePullPolicy: "IfNotPresent"
+              name: openeuler-data-volume
+          resources:
+            requests:
+              cpu: 4000m
+              memory: 8000Mi
+        - name: rsync-server
+          image: {{ .Values.deployment.rsyncdImage }}
+          imagePullPolicy: "Always"
          volumeMounts:
-            - mountPath: /etc/repo-update/update-repo-job.yaml
+            - mountPath: /etc/rsyncd.conf
+              name: repo-nginx-configmap-volume
+              subPath: rsyncd.conf
+            - mountPath: /etc/rsyncd.secrets.ro
+              name: repo-nginx-configmap-volume
+              subPath: rsyncd.secrets
+            - mountPath: /repo/openeuler
+              name: openeuler-data-volume
+            - mountPath: /root/.ssh/authorized_keys.ro
              name: repo-nginx-configmap-volume
-              subPath: update-repo-job.yaml
+              subPath: ssh.pub
+          resources:
+            requests:
+              cpu: 4000m
+              memory: 6000Mi
+          command:
+            - /bin/sh
+            - -c
+            - |
+              cp /etc/rsyncd.secrets.ro /etc/rsyncd.secrets
+              chmod 0400 /etc/rsyncd.secrets
+              cp /root/.ssh/authorized_keys.ro /root/.ssh/authorized_keys
+              chmod 0400 /root/.ssh/authorized_keys
+              chown root:root /root/.ssh/authorized_keys
+              /usr/sbin/sshd &
+              exec /usr/bin/rsync --no-detach --daemon --config /etc/rsyncd.conf;
      volumes:
-        - name: repo-nginx-tls-volume
-          emptyDir: {}
        - name: repo-nginx-configmap-volume
          configMap:
            name: {{ .Release.Name }}-configmap
-        - name: repo-data-volume
+        - name: openeuler-data-volume
          persistentVolumeClaim:
            claimName: {{ .Release.Name }}-data-volume
+        - name: website-secrets-volume
+          secret:
+            secretName: website-secrets
--- a/cd/repo/repo-chart/templates/namespace.yaml
+++ b/cd/repo/repo-chart/templates/namespace.yaml
-# Namespace for repo server
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    name: {{ .Release.Namespace }}
-  name: {{ .Release.Namespace }}
--- a/cd/repo/repo-chart/templates/service.yaml
+++ b/cd/repo/repo-chart/templates/service.yaml
@@ -13,9 +13,12 @@ spec:
    - port: 443
      name: nginx-repo-https
      targetPort: 443
-    - port: 80
-      name: nginx-repo-listener-http
-      targetPort: 80
+    - port: 873
+      name: rsync-server-port
+      targetPort: 873
+    - port: 22
+      name: rsync-ssh-server-port
+      targetPort: 22
  selector:
    app: repo-nginx-pod
  type: LoadBalancer

--- a/cd/repo/repo-chart/values.yaml
+++ b/cd/repo/repo-chart/values.yaml
 service:
-  elbID: 7597fc1d-b0e4-4b81-80b1-e85825fc8aff
-  loadBalancerIP: 119.8.39.193
+  elbID: 161185be-1794-452b-82ca-647db0e9c5b1
+  loadBalancerIP: 121.36.97.194

 deployment:
-  replicaCount: 2
-  initImage: tommylike/repo-tools:0.1.5
-  keyFile: "please update this with correct key file url"
-  certFile:  "please update this with correct key file url"
-  image: nginx:1.17.5
+  replicaCount: 1 #only support 1 now
+  rsyncdImage: swr.cn-north-4.myhuaweicloud.com/openeuler/rsyncd:0.0.5
+  image: swr.cn-north-4.myhuaweicloud.com/openeuler/nginx:1.17.5
  listenerImage: tommylike/repo-listener:0.1.2
  listenerUsername: openeuler
  listenerPassword: openeuler
  nginxConfig: config/nginx.conf
  defaultConfig: config/default.conf
+  rsyncdConfig: config/rsyncd.conf
+  rsyncSecrets: config/rsyncd.secrets
+  sshPublicKey: config/ssh.pub

 storage:
-  size: 1000Gi
+  size: 4000Gi
  className: ssd
\ No newline at end of file