config(icp-aliyun): add WireGuard keys and xray client config

This commit is contained in:
Haitao Pan 2025-05-12 16:25:56 +08:00
parent 68b4a30c7e
commit df5547e26c
5 changed files with 118 additions and 30 deletions

View File

@ -1,6 +1,6 @@
enable_set_timezone: true # 默认启用 Set timezone
enable_set_hostname: true # 默认启用 Set hostname
enable_install_packages: false # 默认不安装额外的软件包
enable_install_packages: true # 默认不安装额外的软件包
enable_all_hosts_update: false # 默认不更新所有主机的条目
rsyslog_log_rotation: # 可选的日志管理配置
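Review bot: the inline comment on the changed `enable_install_packages` line still reads "默认不安装额外的软件包" (extra packages are not installed by default) while the value is flipped from `false` to `true`, so the comment now contradicts the setting. Update it to say that package installation is enabled by default, or keep `false` here and enable it per host if this was meant for icp-aliyun only.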
@ -16,28 +16,3 @@ journald_log_rotation: # 启用 journald 日志管理
max_file_sec: 1month # 默认日志文件保存的最大时长
system_max_use: 1G # 默认系统日志最大使用空间
runtime_max_use: 500M # 默认运行时日志最大使用空间
privoxy: # 系统代理配置
enable: false #
socks5_host: 127.0.0.1
socks5_port: 1080
#config_temp:
# k8s-node:
# dns_servers:
# - "8.8.8.8"
# - "114.114.114.114"
# swap_off: true
# ip_forward: true
# disk:
# - name: /dev/sdb1
# mount: /mnt
# - name: /var/lib/containerd
# mount: /mnt/lib/containerd
# type: bind
# - name: /var/log/deepflow
# mount: /mnt/log/deepflow
# type: bind
# selinux_enable: false
# ssh_auth:
# key: /root/.ssh/id_rsa.pub
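Review bot: this hunk drops the `privoxy` block (`enable`, `socks5_host`, `socks5_port`) together with the commented-out `config_temp` section, but the commit message only mentions WireGuard keys and the xray client config. Any task that still reads `privoxy.enable` or `privoxy.socks5_host` will now fail with an undefined variable. Either keep the block (`enable: false` is harmless) or confirm in the commit message that the role no longer references it.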

View File

@ -19,10 +19,10 @@
when: debug | default(false)
- set_fact:
xray_uuid: "{{ hubs_map[inventory_hostname].xray.uuid }}"
xray_remote_domain: "{{ hubs_map[inventory_hostname].xray.remote_domain }}"
xray_cert_path: "{{ hubs_map[inventory_hostname].xray.cert_path }}"
xray_key_path: "{{ hubs_map[inventory_hostname].xray.key_path }}"
xray_uuid: "{{ sites_map[inventory_hostname].xray.uuid }}"
xray_remote_domain: "{{ sites_map[inventory_hostname].xray.remote_domain }}"
xray_cert_path: "{{ sites_map[inventory_hostname].xray.cert_path }}"
xray_key_path: "{{ sites_map[inventory_hostname].xray.key_path }}"
- name: Install Xray using official script
shell: |
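Review bot: `sites_map[inventory_hostname].xray.uuid` assumes every entry in `sites` carries an `xray` key, but the sites added in this same commit include `tky-proxy`, which only defines a `vless` block, so running this set_fact against such a host fails with an undefined attribute before the install step. Guard the task with `when: sites_map[inventory_hostname].xray is defined`, or give each lookup a `| default(...)`, and apply the same guard to `cert_path` and `key_path`.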

View File

@ -64,3 +64,21 @@ keys:
39653262653638363930383861353262303030373332313538383362393633663562303566373737
3062336434313031613534393033616330333363613863613464
- name: icp-aliyun
private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
34383966663239613361363535616332303432393165643433663461633934363535626137326664
6532646433306636393734666164613864636636626630660a636636306435343661366234343661
30326362306537633561636265666232373437353034643462656538653835653831303263306662
3361323333353935350a316539303863646434336136333862626261363031336232666562326434
39303961383563623736383962363330363439313064613632383061313438373330356366323534
6533613662373736373131363463663734656261643839383862
public_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
65393861336537646335613534376635343838656233646333386438653766636539333436623665
6562396637666365613562373565383263353534343931350a323563346239666534303162353432
63646562363362396333333738333664376136303066316135633633323466326233613264623366
6166613531623135660a363465636137643337626137386661306237323731353839303734653436
32643065663739303161626261393062613764346662633365336162613134633131383062646133
6437313463376164386465663365386436633466363633383366
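Review bot: `public_key` for icp-aliyun is `!vault`-encrypted alongside `private_key`. A WireGuard public key is not secret; vaulting it only hides it from code review and from `grep` when debugging peer mismatches. Keep `private_key` under `!vault` and store `public_key` in plaintext, as a reviewer can then confirm it matches the key the hub side lists for this peer.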

View File

@ -96,6 +96,22 @@ hubs:
# 各个站点定义
sites:
- name: tky-proxy
interface: ens5
public_ip: 1.15.155.245
allowed_ips: "172.16.0.0/16"
wireguard_peer: hub-1
br_ip: 10.253.253.2
wg_ip: 172.16.0.10
local_ip: 172.16.0.10
remote_ip: 172.16.0.11
vless:
enabled: false
uuid: "11111111-1111-1111-1111-111111111111"
transport: ws
tls: true
path: /wg
- name: master-1
interface: ens5
public_ip: 1.15.155.245
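Review bot: the new `tky-proxy` site reuses `public_ip: 1.15.155.245` from `master-1` (visible directly below it) and ships `uuid: "11111111-1111-1111-1111-111111111111"`. With `enabled: false` the placeholder is inert today, but the UUID is the VLESS client credential, so the moment someone flips `enabled` to true it becomes a trivially guessable one. Generate a real value (`uuidgen`) or omit the `uuid` field until the site goes live, and confirm the duplicated public IP is intentional rather than a copy-paste.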
@ -154,3 +170,20 @@ sites:
transport: ws
tls: true
path: /xray
- name: icp-aliyun
interface: eth0
public_ip: 47.120.61.35
wg_ip: 172.30.0.11
br_ip: 10.253.253.11
local_ip: 172.30.0.11
remote_ip: 172.30.0.1
wireguard_peer: cn-hub
allowed_ips: "172.30.0.0/16"
xray:
uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"
cert_path: "/etc/ssl/onwalk.net.pem"
key_path: "/etc/ssl/onwalk.net.key"
relay_address: "cn-proxy.onwalk.net"
relay_port: '51820'
remote_domain: "cn-proxy.onwalk.net"
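Review bot: `uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"` is the VLESS client secret for icp-aliyun, yet it sits in plaintext in the sites file while the WireGuard private key for the same host is `!vault`-encrypted in the keys file; vault the uuid the same way (or reference it from the vaulted keys entry). Minor: `relay_port: '51820'` is a quoted string while the other ports and addresses are bare scalars, and 51820 is WireGuard's default port; if the intent is for the xray client to relay WireGuard traffic through this port, a short comment saying so would save the next reader from assuming a copy-paste.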

View File

@ -0,0 +1,62 @@
目标是实现:
Pod 从 deepflow-demo-k3s 发起访问,跨越 cn-hub-k3s 中转,到达 global-hub-k3s 的服务,支持跨集群的 L3 层流量调度(出站 + 路由 + VXLAN 封装)
[POD A: deepflow-demo-k3s]
▼ SNAT (to 10.253.255.100)
[Egress Node @ deepflow-demo-k3s]
│ VXLAN Tunnel
[Relay Hub: cn-hub-k3s]
│ VXLAN Mesh
[global-hub-k3s Service: 10.253.254.x]
## 1. Cluster Role Planning
| Cluster Name | Type | Connection Mode | Node Name | VXLAN Bridge IP (`br_ip`) | WireGuard IP (`wg_ip`) |
|----------------------|----------|-----------------------|----------------|------------------------ -|-----------------------|
| `cn-hub-k3s` | Hub | CN Hub | `cn-hub` | `10.253.253.1` | `172.30.0.1` |
| `global-hub-k3s` | Hub | Global Hub | `global-hub` | `10.253.254.1` | `172.31.0.1` |
| `deepflow-demo-k3s` | Site | Connects to CN Hub | `deepflow-demo` | `10.253.253.2` | `172.30.0.10` |
流量调度流程拆解
1. Pod in deepflow-demo-k3s → 发起请求到 10.253.254.20
2. Cilium Egress NAT → 将源地址 SNAT 为 10.253.255.100
3. VXLAN over WireGuard → VXLAN 封装从 deepflow-demo → cn-hub
4. VXLAN Mesh → cn-hub → 转发到 global-hub
5. 目标服务响应 → global-hub 的服务接收流量,返回数据走回原通道
核心组件协同(最小集成)
层级 技术 功能
L3 Cilium Egress Gateway 控制 Pod → SNAT 出站 IP
L2.5 VXLAN + WireGuard 跨集群隧道封装、可穿透中转
L7可选 Kong Gateway 可在 global-hub 接入层控制 L7 路由
# Cilium EgressGateway 安装与配置
# CiliumEgressGatewayPolicy 示例
apiVersion: cilium.io/v2alpha1
kind: CiliumEgressGatewayPolicy
metadata:
name: deepflow-to-globalhub
spec:
egress:
- podSelector:
matchLabels:
app: deepflow-agent
destinationCIDRs:
- 10.253.254.0/24
egressGateway:
nodeSelector:
matchLabels:
egress-gateway: cilium
ip: 10.253.255.100
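Review bot: the `CiliumEgressGatewayPolicy` manifest at the end uses `spec.egress[].podSelector` and `egressGateway.ip`, which is the field layout of the older `CiliumEgressNATPolicy`; the CiliumEgressGatewayPolicy CRD uses `spec.selectors[].podSelector` and `egressGateway.egressIP` (with the stable group `cilium.io/v2`), so this manifest will be rejected on apply. Check the field names against the Cilium version actually deployed before publishing the doc. Two smaller points: the table divider row `|------------------------ -|` contains a stray space that breaks the markdown table, and the SNAT address 10.253.255.100 falls in neither hub's `br_ip` range from the role table, so the doc should state how global-hub routes replies to 10.253.255.100 back to the deepflow-demo egress node.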