一、Yao 完整 Dockerfile(生产可直接构建)
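# syntax=docker/dockerfile:1
FROM debian:12-slim

# Release tag and expected SHA-256 of yao-linux-amd64. Both defaults are
# placeholders and must be supplied at build time, e.g.
#   docker build --build-arg YAO_VERSION=<release-tag> --build-arg YAO_SHA256=<sha256> .
# Downloading releases/latest (the previous behaviour) makes every build pick
# up whatever was published last and performs no integrity check on the binary.
ARG YAO_VERSION=<pinned-yao-release-tag>
ARG YAO_SHA256=<sha256-of-yao-linux-amd64>

# pipefail so a failing producer in a pipeline fails the RUN step.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Base runtime dependencies. apt-get is the scriptable front-end; the index is
# removed in the same layer so it does not persist in the image.
RUN apt-get update && apt-get install -y --no-install-recommends \
      ca-certificates \
      curl \
      openssl \
      tzdata \
    && rm -rf /var/lib/apt/lists/*

ENV TZ=Asia/Shanghai

# Unprivileged runtime account. uid/gid 1000 matches the Deployment's
# securityContext (runAsUser/fsGroup 1000) so mounted volumes stay writable.
RUN groupadd --system --gid 1000 yao \
    && useradd --system --uid 1000 --gid yao --home-dir /app --shell /usr/sbin/nologin yao

WORKDIR /app

# Fetch the pinned Yao binary and verify its digest before marking it executable.
# The binary stays root-owned (0755) so the runtime user cannot modify it.
RUN curl -fsSL "https://github.com/YaoApp/yao/releases/download/${YAO_VERSION}/yao-linux-amd64" -o /app/yao \
    && echo "${YAO_SHA256}  /app/yao" | sha256sum -c - \
    && chmod 0755 /app/yao

# Create the persisted directories before VOLUME so they belong to the runtime
# user; VOLUME content written later in the build would be discarded.
# NOTE(review): if Yao also writes elsewhere under /app at runtime, widen the
# chown accordingly — not verifiable from this file.
RUN mkdir -p /app/data /app/models /app/scripts /app/public \
    && chown -R yao:yao /app/data /app/models /app/scripts /app/public

# Data persistence directories
VOLUME ["/app/data", "/app/models", "/app/scripts", "/app/public"]

# Internal service ports (documentation only; publishing happens at run time)
EXPOSE 8080 8081

USER yao

# Start command in exec form: yao is PID 1 and receives SIGTERM directly.
CMD ["/app/yao", "start", "--host", "0.0.0.0", "--port", "8080"]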
二、K8s 全套部署 YAML(ns-cmdb 命名空间)
1. namespace.yaml
# namespace.yaml — isolates the CMDB workload; every manifest below targets ns-cmdb.
apiVersion: v1
kind: Namespace
metadata:
  name: ns-cmdb
  labels:
    biz: cmdb
    env: prod
2. ConfigMap:Yao 全局配置 configmap-yao.yaml
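# configmap-yao.yaml — non-secret runtime settings for Yao.
#
# The Deployment consumes this ConfigMap through `envFrom.configMapRef`, which
# turns each *key* into one environment variable. A single `.env` key holding
# dotenv text (the previous layout) would therefore become one variable named
# `.env` whose value is the whole blob — YAO_HOST, YAO_PORT, BASTION_URL, ...
# would never be set individually, and k8s-api.ts / bastion-sync.ts read them
# via Process.env. Each setting is now its own key. The `k8s-api.ts` key is
# kept for the file mount (volumes[].configMap.items); envFrom will also expose
# it as a variable of that name, which is harmless but can be avoided by
# moving it to a separate ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: yao-config
  namespace: ns-cmdb
data:
  # Application identity and bind address (ConfigMap values must be strings)
  YAO_APP_NAME: "IDC资产管控平台"
  YAO_HOST: "0.0.0.0"
  YAO_PORT: "8080"
  # Internal DNS
  DNS_SERVER: "10.0.30.10"
  # K8s API server address (reached through the bastion proxy)
  K8S_API: "https://10.0.40.9:6443"
  # Bastion cluster VIP
  BASTION_URL: "https://10.0.30.5:443"
  BASTION_SSH: "10.0.30.5:2222"
  # ELK log endpoint
  ELK_LOG: "http://log.internal.local:9200"
  # LDAP directory
  LDAP_ADDR: "ldap://10.0.30.10:389"
  # Script mounted into the container as a file (see the Deployment's
  # script-config volume); not intended as an environment variable.
  k8s-api.ts: |
    // NOTE(review): Process.env and Fetch are assumed to be Yao runtime
    // globals — confirm against the Yao version in use.
    export async function GetK8sToken() {
      return Process.env.K8S_BEARER_TOKEN
    }
    export async function ListAllNode() {
      const token = await GetK8sToken()
      const resp = await Fetch(Process.env.K8S_API + "/api/v1/nodes", {
        headers: {
          "Authorization": `Bearer ${token}`,
          "Content-Type": "application/json"
        },
        timeout: 10000
      })
      return resp.items
    }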
3. Secret:存储敏感密钥 secret-yao.yaml
# secret-yao.yaml — credentials consumed via envFrom.secretRef in the Deployment.
#
# `data:` is base64-encoded, not encrypted: anyone who can read the Secret
# object recovers the plaintext. The three values below decode to short literal
# strings and read as placeholders; supply real values at deploy time (for
# example `kubectl create secret generic yao-secret --from-literal=...` or a
# sealed/external-secrets workflow) instead of committing them in this file.
apiVersion: v1
kind: Secret
metadata:
  name: yao-secret
  namespace: ns-cmdb
type: Opaque
data:
  # K8s ServiceAccount token (base64); read by k8s-api.ts as the bearer token
  K8S_BEARER_TOKEN: c2FtLXJlbXBsYWNlLXRva2Vu
  # Bastion API key; read by scripts/bastion-sync.ts
  BASTION_API_KEY: YmFzdGlvbjE5OTkwNjIw
  # MFA encryption key
  MFA_SECRET: eWFvY21kYl9zZWN1cmU=
4. StorageClass 持久化 PVC pvc-yao.yaml
# pvc-yao.yaml — shared data volume mounted at /app/data by every replica.
# ReadWriteMany is required because the Deployment runs replicas: 2 and both
# pods mount the same claim; the cephfs-prod class must support RWX.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: yao-data-pvc
  namespace: ns-cmdb
spec:
  storageClassName: cephfs-prod
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 20Gi
5. Deployment 主应用 deployment-yao.yaml
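# deployment-yao.yaml — the Yao CMDB application, two replicas behind yao-svc.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: yao-cmdb
  namespace: ns-cmdb
  labels:
    app: yao
spec:
  replicas: 2
  selector:
    matchLabels:
      app: yao
  # Zero-downtime rollout: one extra pod at a time, never below the desired count.
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      labels:
        app: yao
    spec:
      securityContext:
        # uid/gid 1000 must match the account the image switches to with USER.
        # runAsNonRoot makes the kubelet refuse to start the pod if the
        # effective uid resolves to 0.
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        runAsNonRoot: true
      containers:
        - name: yao
          image: yao-cmdb:v0.10.2
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # Every key of the ConfigMap / Secret becomes one environment variable.
          envFrom:
            - configMapRef:
                name: yao-config
            - secretRef:
                name: yao-secret
          volumeMounts:
            - name: data-storage
              mountPath: /app/data
            # With subPath, mountPath names the file itself. Mounting at
            # /app/scripts (the previous value) would replace the scripts
            # directory with a single file; the script has to land at
            # /app/scripts/k8s-api.ts. A subPath-mounted ConfigMap file is not
            # refreshed live — roll the Deployment after editing the script.
            - name: script-config
              mountPath: /app/scripts/k8s-api.ts
              subPath: k8s-api.ts
          ports:
            - containerPort: 8080
              name: web
            - containerPort: 8081
              name: api
          resources:
            requests:
              cpu: 500m
              memory: 1Gi
            limits:
              cpu: 1500m
              memory: 2Gi
          livenessProbe:
            httpGet:
              path: /ping
              port: web
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /ready
              port: web
            initialDelaySeconds: 10
            periodSeconds: 5
      volumes:
        - name: data-storage
          persistentVolumeClaim:
            claimName: yao-data-pvc
        - name: script-config
          configMap:
            name: yao-config
            items:
              - key: k8s-api.ts
                path: k8s-api.ts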
6. Service service-yao.yaml
# service-yao.yaml — cluster-internal entry point; the Ingress targets the "http" port.
apiVersion: v1
kind: Service
metadata:
  name: yao-svc
  namespace: ns-cmdb
spec:
  selector:
    app: yao
  ports:
    # Container port "web" (8080), exposed on 80 for the Ingress backend.
    - port: 80
      targetPort: web
      name: http
    # Container port "api" (8081), passed through on the same number.
    - port: 8081
      targetPort: api
      name: api
  type: ClusterIP
7. 内网Ingress ingress-yao.yaml(仅内网解析)
# ingress-yao.yaml — HTTPS entry point; the host name resolves on internal DNS only.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: yao-ingress
  namespace: ns-cmdb
  annotations:
    # NOTE(review): the kubernetes.io/ingress.class annotation is deprecated in
    # favour of spec.ingressClassName; confirm which form the cluster's
    # ingress-nginx version honours before changing it.
    kubernetes.io/ingress.class: internal-nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Must be a comma-separated list of CIDRs. The second entry ("办公专线网段",
    # "office leased-line subnet") is descriptive text, not a CIDR; replace it
    # with the real range before applying, otherwise ingress-nginx cannot parse
    # the annotation and the source allow-list is not enforced as intended.
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.30.0/24,办公专线网段"
spec:
  tls:
    - hosts:
        - yao.cmdb.internal.local
      secretName: internal-tls-cert
  rules:
    - host: yao.cmdb.internal.local
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: yao-svc
                port:
                  name: http
三、堡垒机资产同步完整 TS 脚本 scripts/bastion-sync.ts
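/**
 * Sync bastion host assets, accounts and audit logs into the Yao CMDB.
 *
 * Reads BASTION_URL / BASTION_API_KEY from the environment (provided by the
 * yao-config ConfigMap and yao-secret Secret), pulls the asset list and the
 * most recent audit entries from the bastion API and saves them into the
 * `asset` and `audit_log` models.
 *
 * NOTE(review): Process.env, Fetch and DB are assumed to be Yao runtime
 * globals, and Fetch is assumed to resolve to the parsed JSON body — confirm
 * against the Yao version in use.
 *
 * @param logLimit  maximum number of audit-log rows to fetch; must be a
 *                  positive integer, otherwise 1000 (the previously hard-coded
 *                  value) is used
 * @returns counts of saved asset and log rows plus the sync timestamp
 * @throws Error when BASTION_URL or BASTION_API_KEY is unset, so a
 *         misconfigured pod fails loudly instead of requesting "undefined/api/...".
 */
export async function SyncBastionAsset(logLimit: number = 1000) {
  const apiHost = Process.env.BASTION_URL
  const apiKey = Process.env.BASTION_API_KEY
  if (!apiHost || !apiKey) {
    throw new Error("BASTION_URL and BASTION_API_KEY must be set")
  }
  // Only a positive integer may be interpolated into the query string.
  const limit = Number.isInteger(logLimit) && logLimit > 0 ? logLimit : 1000
  const headers = {
    "Authorization": `Bearer ${apiKey}`,
    "Content-Type": "application/json"
  }

  // 1. Host asset list. A response without `data` (empty or error body) is
  //    treated as zero rows instead of throwing inside for..of.
  const assetResp = await Fetch(`${apiHost}/api/v1/assets`, { headers })
  const assets = (assetResp && assetResp.data) || []
  // Batch-write into the CMDB Asset model (bastion field -> asset.mod.yao column)
  for (const item of assets) {
    await DB.Save("asset", {
      asset_type: item.category,
      ip_addr: item.ip,
      vlan_id: item.vlan,
      zone: item.idc_zone,
      admin_user: item.owner,
      hostname: item.hostname
    })
  }

  // 2. Audit / operation logs
  const logResp = await Fetch(`${apiHost}/api/v1/audit/logs?limit=${limit}`, { headers })
  const logs = (logResp && logResp.data) || []
  for (const log of logs) {
    await DB.Save("audit_log", {
      asset_id: log.asset_id,
      operator: log.username,
      cmd: log.command,
      login_ip: log.source_ip,
      operate_time: log.operate_at,
      risk_level: log.risk
    })
  }

  return {
    sync_asset_count: assets.length,
    sync_log_count: logs.length,
    update_at: new Date()
  }
}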
// Scheduled entry point; wire it to a Yao cron task that fires every 30 minutes.
// Returns whatever SyncBastionAsset() resolves to.
export async function CronSyncTask() {
  const summary = await SyncBastionAsset()
  return summary
}
四、部署执行顺序
# Apply order matters: the Namespace must exist before any namespaced object,
# and the ConfigMap, Secret and PVC before the Deployment that references them.
# Each file is applied in turn; a failure does not stop the remaining files.
for manifest in \
  namespace.yaml \
  configmap-yao.yaml \
  secret-yao.yaml \
  pvc-yao.yaml \
  deployment-yao.yaml \
  service-yao.yaml \
  ingress-yao.yaml; do
  kubectl apply -f "$manifest"
done
五、配套 Yao 资产模型 model/asset.mod.yao
{
"name": "Asset",
"label": "IDC资产台账",
"columns": [
{"name":"hostname","type":"string","label":"主机名"},
{"name":"asset_type","type":"enum","option":["server","k8s_node","firewall","bastion","storage","mysql","redis"],"label":"资产类型"},
{"name":"ip_addr","type":"string","label":"内网IP"},
{"name":"vlan_id","type":"integer","label":"VLAN"},
{"name":"zone","type":"string","label":"机房区域"},
{"name":"admin_user","type":"string","label":"负责人"},
{"name":"expire_time","type":"datetime","label":"租期到期时间"}
],
"relations": {
"audit_logs": {"type":"hasMany","model":"AuditLog","foreign":"asset_id"}
},
"option": {
"timestamps": true
}
}