From df5547e26cc1121be1e91165338eac2ad279fcbe Mon Sep 17 00:00:00 2001 From: Haitao Pan Date: Mon, 12 May 2025 16:25:56 +0800 Subject: [PATCH] config(icp-aliyun): add WireGuard keys and xray client config --- .../roles/vhosts/common/defaults/main.yml | 27 +------- .../vpn-overlay/xray/site/tasks/main.yml | 8 +-- config/sit/vpn-keys.yaml | 18 ++++++ config/sit/vpn-overlay.yaml | 33 ++++++++++ docs/cilium-egress-vxlan-crosscluster.md | 62 +++++++++++++++++++ 5 files changed, 118 insertions(+), 30 deletions(-) create mode 100644 docs/cilium-egress-vxlan-crosscluster.md diff --git a/ansible/playbooks/roles/vhosts/common/defaults/main.yml b/ansible/playbooks/roles/vhosts/common/defaults/main.yml index 3a5203be..aadc9eb6 100644 --- a/ansible/playbooks/roles/vhosts/common/defaults/main.yml +++ b/ansible/playbooks/roles/vhosts/common/defaults/main.yml @@ -1,6 +1,6 @@ enable_set_timezone: true # 默认启用 Set timezone enable_set_hostname: true # 默认启用 Set hostname -enable_install_packages: false # 默认不安装额外的软件包 +enable_install_packages: true # 默认不安装额外的软件包 enable_all_hosts_update: false # 默认不更新所有主机的条目 rsyslog_log_rotation: # 可选的日志管理配置 @@ -16,28 +16,3 @@ journald_log_rotation: # 启用 journald 日志管理 max_file_sec: 1month # 默认日志文件保存的最大时长 system_max_use: 1G # 默认系统日志最大使用空间 runtime_max_use: 500M # 默认运行时日志最大使用空间 - -privoxy: # 系统代理配置 - enable: false # - socks5_host: 127.0.0.1 - socks5_port: 1080 - - #config_temp: - # k8s-node: - # dns_servers: - # - "8.8.8.8" - # - "114.114.114.114" - # swap_off: true - # ip_forward: true - # disk: - # - name: /dev/sdb1 - # mount: /mnt - # - name: /var/lib/containerd - # mount: /mnt/lib/containerd - # type: bind - # - name: /var/log/deepflow - # mount: /mnt/log/deepflow - # type: bind - # selinux_enable: false - # ssh_auth: - # key: /root/.ssh/id_rsa.pub diff --git a/ansible/playbooks/roles/vhosts/vpn-overlay/xray/site/tasks/main.yml b/ansible/playbooks/roles/vhosts/vpn-overlay/xray/site/tasks/main.yml index aa62c5b2..9759f6dc 100644 
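Review bot: The inline comment on the changed line of the first hunk now contradicts the value: `enable_install_packages` is flipped to `true` while the comment still reads `# 默认不安装额外的软件包` ("do not install extra packages by default"). Update it to match, e.g. `enable_install_packages: true  # 默认安装额外的软件包`. Since this is a role default rather than a host setting, every host that includes the common role will now run the package-install path unless its inventory overrides it; if only the new icp-aliyun host needs packages, a `host_vars`/`group_vars` override would keep the shipped default conservative.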
--- a/ansible/playbooks/roles/vhosts/vpn-overlay/xray/site/tasks/main.yml +++ b/ansible/playbooks/roles/vhosts/vpn-overlay/xray/site/tasks/main.yml @@ -19,10 +19,10 @@ when: debug | default(false) - set_fact: - xray_uuid: "{{ hubs_map[inventory_hostname].xray.uuid }}" - xray_remote_domain: "{{ hubs_map[inventory_hostname].xray.remote_domain }}" - xray_cert_path: "{{ hubs_map[inventory_hostname].xray.cert_path }}" - xray_key_path: "{{ hubs_map[inventory_hostname].xray.key_path }}" + xray_uuid: "{{ sites_map[inventory_hostname].xray.uuid }}" + xray_remote_domain: "{{ sites_map[inventory_hostname].xray.remote_domain }}" + xray_cert_path: "{{ sites_map[inventory_hostname].xray.cert_path }}" + xray_key_path: "{{ sites_map[inventory_hostname].xray.key_path }}" - name: Install Xray using official script shell: | diff --git a/config/sit/vpn-keys.yaml b/config/sit/vpn-keys.yaml index de7875bb..133b8832 100644 --- a/config/sit/vpn-keys.yaml +++ b/config/sit/vpn-keys.yaml 
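Review bot: The `set_fact` now indexes `sites_map[inventory_hostname].xray` with no guard, so a host that is present in `sites_map` but has no `xray` block (the same commit adds a `tky-proxy` site that carries `vless` rather than `xray`) fails with an undefined-attribute error instead of a clear message; add `when: sites_map[inventory_hostname].xray is defined` (or a preceding `assert`) to the task. `xray_uuid` is the VLESS client authentication credential, so also set `no_log: true` on this task so the fact is not echoed in verbose runs. The task has no `name:`, which makes such a failure harder to locate in playbook output. The enclosing task list continues outside the hunk.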
@@ -64,3 +64,21 @@ keys: 39653262653638363930383861353262303030373332313538383362393633663562303566373737 3062336434313031613534393033616330333363613863613464 + - name: icp-aliyun + private_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 34383966663239613361363535616332303432393165643433663461633934363535626137326664 + 6532646433306636393734666164613864636636626630660a636636306435343661366234343661 + 30326362306537633561636265666232373437353034643462656538653835653831303263306662 + 3361323333353935350a316539303863646434336136333862626261363031336232666562326434 + 39303961383563623736383962363330363439313064613632383061313438373330356366323534 + 6533613662373736373131363463663734656261643839383862 + public_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 65393861336537646335613534376635343838656233646333386438653766636539333436623665 + 6562396637666365613562373565383263353534343931350a323563346239666534303162353432 + 63646562363362396333333738333664376136303066316135633633323466326233613264623366 + 6166613531623135660a363465636137643337626137386661306237323731353839303734653436 + 32643065663739303161626261393062613764346662633365336162613134633131383062646133 + 6437313463376164386465663365386436633466363633383366 + diff --git a/config/sit/vpn-overlay.yaml b/config/sit/vpn-overlay.yaml index 5bea5532..ca6396ca 100644 --- a/config/sit/vpn-overlay.yaml +++ b/config/sit/vpn-overlay.yaml @@ -96,6 +96,22 @@ hubs: # 各个站点定义 sites: + - name: tky-proxy + interface: ens5 + public_ip: 1.15.155.245 + allowed_ips: "172.16.0.0/16" + wireguard_peer: hub-1 + br_ip: 10.253.253.2 + wg_ip: 172.16.0.10 + local_ip: 172.16.0.10 + remote_ip: 172.16.0.11 + vless: + enabled: false + uuid: "11111111-1111-1111-1111-111111111111" + transport: ws + tls: true + path: /wg + - name: master-1 interface: ens5 public_ip: 1.15.155.245 
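Review bot: The `public_key` for `icp-aliyun` is vault-encrypted alongside `private_key`, which hides the one value that peer configs and reviewers need in the clear; a WireGuard public key is not secret and is derivable from the private key with `wg pubkey`, so keeping it as a plain quoted string lets a reviewer confirm the pair matches before a handshake silently fails (whether the existing entries do the same is not visible in this hunk). The hunk also appears to append an empty `+` line after the last vault block, leaving a trailing blank line at EOF that yamllint will flag. If the private key existed unencrypted anywhere before being vaulted here, rotate it regardless.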
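Review bot: The new `tky-proxy` site ships a placeholder `uuid: "11111111-1111-1111-1111-111111111111"` under `vless`; with `enabled: false` it is inert today, but a VLESS UUID is the client authentication credential, and flipping `enabled` later without replacing it would accept a trivially guessable value. Prefer omitting `uuid` until a real one is issued, or have the role assert that the value is not the placeholder whenever `enabled` is true. The entry also reuses `public_ip: 1.15.155.245`, the same address as `master-1` in the context lines directly below it — confirm this is intended (co-located hosts) rather than a copy-paste leftover. The `sites` list continues beyond the hunk.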
@@ -154,3 +170,20 @@ sites: transport: ws tls: true path: /xray + + - name: icp-aliyun + interface: eth0 + public_ip: 47.120.61.35 + wg_ip: 172.30.0.11 + br_ip: 10.253.253.11 + local_ip: 172.30.0.11 + remote_ip: 172.30.0.1 + wireguard_peer: cn-hub + allowed_ips: "172.30.0.0/16" + xray: + uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2" + cert_path: "/etc/ssl/onwalk.net.pem" + key_path: "/etc/ssl/onwalk.net.key" + relay_address: "cn-proxy.onwalk.net" + relay_port: '51820' + remote_domain: "cn-proxy.onwalk.net" diff --git a/docs/cilium-egress-vxlan-crosscluster.md b/docs/cilium-egress-vxlan-crosscluster.md new file mode 100644 index 00000000..84036bd1 --- /dev/null +++ b/docs/cilium-egress-vxlan-crosscluster.md 
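Review bot: The `icp-aliyun` entry commits the Xray client `uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"` in plaintext, while the same commit vaults this host's WireGuard keys in `vpn-keys.yaml`; the UUID is the VLESS authentication secret for `cn-proxy.onwalk.net` and deserves the same treatment, e.g. `uuid: !vault |` with an encrypted body like the entries in `vpn-keys.yaml`. Because it is now in git history, it should be rotated once moved. Minor: `relay_port: '51820'` is a quoted string where the neighbouring numeric fields are bare — safe for YAML, but make sure the consuming template does not compare it numerically. `key_path: "/etc/ssl/onwalk.net.key"` names a TLS private key, and nothing in this hunk constrains its mode or owner; presumably the xray role handles that — confirm.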
@@ -0,0 +1,62 @@ +目标是实现: + +Pod 从 deepflow-demo-k3s 发起访问,跨越 cn-hub-k3s 中转,到达 global-hub-k3s 的服务,支持跨集群的 L3 层流量调度(出站 + 路由 + VXLAN 封装) + +[POD A: deepflow-demo-k3s] + │ + ▼ SNAT (to 10.253.255.100) +[Egress Node @ deepflow-demo-k3s] + │ VXLAN Tunnel + ▼ +[Relay Hub: cn-hub-k3s] + │ VXLAN Mesh + ▼ +[global-hub-k3s Service: 10.253.254.x] + + + +## 1. Cluster Role Planning + +| Cluster Name | Type | Connection Mode | Node Name | VXLAN Bridge IP (`br_ip`) | WireGuard IP (`wg_ip`) | +|----------------------|----------|-----------------------|----------------|------------------------ -|-----------------------| +| `cn-hub-k3s` | Hub | CN Hub | `cn-hub` | `10.253.253.1` | `172.30.0.1` | +| `global-hub-k3s` | Hub | Global Hub | `global-hub` | `10.253.254.1` | `172.31.0.1` | +| `deepflow-demo-k3s` | Site | Connects to CN Hub | `deepflow-demo` | `10.253.253.2` | `172.30.0.10` | + + +流量调度流程拆解 + +1. Pod in deepflow-demo-k3s → 发起请求到 10.253.254.20 +2. Cilium Egress NAT → 将源地址 SNAT 为 10.253.255.100 +3. VXLAN over WireGuard → VXLAN 封装从 deepflow-demo → cn-hub +4. VXLAN Mesh → cn-hub → 转发到 global-hub +5. 目标服务响应 → global-hub 的服务接收流量,返回数据走回原通道 + +核心组件协同(最小集成) +层级 技术 功能 +L3 Cilium Egress Gateway 控制 Pod → SNAT 出站 IP +L2.5 VXLAN + WireGuard 跨集群隧道封装、可穿透中转 +L7(可选) Kong Gateway 可在 global-hub 接入层控制 L7 路由 + + +# Cilium EgressGateway 安装与配置 + + +# CiliumEgressGatewayPolicy 示例 + +apiVersion: cilium.io/v2alpha1 +kind: CiliumEgressGatewayPolicy +metadata: + name: deepflow-to-globalhub +spec: + egress: + - podSelector: + matchLabels: + app: deepflow-agent + destinationCIDRs: + - 10.253.254.0/24 + egressGateway: + nodeSelector: + matchLabels: + egress-gateway: cilium + ip: 10.253.255.100