lingyuzeng/rustfs-s3-toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

改用新版方式注册,云端使用通配符证书

Browse Source
This commit is contained in:
hotwa
2025-10-02 21:02:25 +08:00
parent 83ded96b63
commit dce7cb6fc9
3 changed files with 122 additions and 140 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
docker/.env
View File

@@ -1,21 +1,14 @@
# 本机(边缘节点)的 Tailscale IP
LOCAL_TS_IP=100.64.0.27
# 这台业务节点在 Tailscale 上的 IP # 云端 Consul Server 的 Tailscale IP 与 DC
SERVICE_IP=100.64.0.27
# 端口
PORT_RUSTFS=9000
PORT_MCP=9009
# Consul主集群信息
CONSUL_SERVER_IP=100.64.0.1 CONSUL_SERVER_IP=100.64.0.1
CONSUL_DC=dc1 CONSUL_DC=dc1
# 服务名(建议分开,避免混入 # 可选:云端 Traefik entrypoint 名称(默认 websecure/tcp
SVC_RUSTFS=rustfs TRAEFIK_HTTP_ENTRYPOINT=websecure
SVC_MCP=rustfs-toolkit TRAEFIK_TCP_ENTRYPOINT=tcp
# 域名Caddy 用 # RustFS 凭据(不要硬编码在 compose
DOMAIN_RUSTFS=rfs.jmsu.top RUSTFS_ACCESS_KEY=lingyuzeng
DOMAIN_MCP=mcp.jmsu.top RUSTFS_SECRET_KEY=rust@Hotwa2020
NODE_NAME=rustfs-100-64-0-27

134
docker/docker-compose.yml
View File

@@ -1,109 +1,87 @@
version: "3.9" version: "3.9"
services: services:
# -------- RustFS 主服务 --------
rustfs: rustfs:
image: rustfs/rustfs:1.0.0-alpha.60 image: rustfs/rustfs:1.0.0-alpha.60
container_name: rustfs_container container_name: rustfs
restart: always restart: unless-stopped
ports:
- "${SERVICE_IP}:${PORT_RUSTFS}:${PORT_RUSTFS}"
volumes: volumes:
- /vol2/1000/rustfs_vol2:/data - /vol2/1000/rustfs_vol2:/data
- ./data:/app/data:rw - ./data:/app/data:rw
environment: environment:
RUSTFS_VOLUMES: /data/rustfs0 RUSTFS_VOLUMES: /data/rustfs0
RUSTFS_ADDRESS: ":${PORT_RUSTFS}" RUSTFS_ADDRESS: ":9000"
RUSTFS_SERVER_DOMAINS: ${DOMAIN_RUSTFS} RUSTFS_SERVER_DOMAINS: rfs.jmsu.top
RUSTFS_ACCESS_KEY: lingyuzeng RUSTFS_ACCESS_KEY: ${RUSTFS_ACCESS_KEY}
RUSTFS_SECRET_KEY: rust@Hotwa2020 RUSTFS_SECRET_KEY: ${RUSTFS_SECRET_KEY}
RUSTFS_CONSOLE_ENABLE: "true" RUSTFS_CONSOLE_ENABLE: "true"
# **仅绑定到本机 Tailscale IP**,供云端 Traefik 反代
ports:
- "${LOCAL_TS_IP}:9000:9000"
# -------- RustFS MCP 接口(假设走 HTTP on :9009--------
rustfs-s3-toolkit: rustfs-s3-toolkit:
image: hotwa/rustfs-s3-toolkit:latest image: hotwa/rustfs-s3-toolkit:latest
build: container_name: rustfs-mcp
context: .. restart: unless-stopped
dockerfile: docker/Dockerfile environment:
container_name: rustfs-s3-toolkit MCP_PORT: "9009"
restart: always
volumes: volumes:
- ./data:/app/data:rw - ./data:/app/data:rw
ports: ports:
- "${SERVICE_IP}:${PORT_MCP}:${PORT_MCP}" - "${LOCAL_TS_IP}:9009:9009"
consul-agent: # -------- Registrar把 :9000 注册到 rfs.jmsu.top --------
registrar-rustfs:
image: hashicorp/consul:1.21 image: hashicorp/consul:1.21
stop_signal: SIGTERM container_name: registrar-rustfs
stop_grace_period: 60s
command:
- agent
- -server=false
- -node=${NODE_NAME}
- -client=0.0.0.0
- -bind=0.0.0.0
- -advertise=${SERVICE_IP}
- -retry-join=${CONSUL_SERVER_IP}
- -datacenter=${CONSUL_DC}
- -data-dir=/consul/data
environment:
CONSUL_LOCAL_CONFIG: '{"leave_on_terminate": true}'
ports:
- "${SERVICE_IP}:8500:8500/tcp"
- "${SERVICE_IP}:8600:8600/tcp"
- "${SERVICE_IP}:8600:8600/udp"
- "${SERVICE_IP}:8301:8301/tcp"
- "${SERVICE_IP}:8301:8301/udp"
healthcheck:
test: ["CMD", "consul", "info"]
interval: 5s
timeout: 3s
retries: 30
start_period: 10s
restart: unless-stopped restart: unless-stopped
# 注册 rustfs9000
registrar_rustfs:
image: hashicorp/consul:1.21
depends_on: depends_on:
consul-agent: - rustfs
condition: service_healthy volumes:
rustfs: - ./registrar.sh:/registrar.sh:ro
condition: service_started
environment: environment:
CONSUL_HTTP_ADDR: "http://consul-agent:8500" # 指向“云端” Consul Server通过 Tailscale
SERVICE_NAME: "${SVC_RUSTFS}" CONSUL_HTTP_ADDR: "http://${CONSUL_SERVER_IP}:8500"
SERVICE_ADDR: "${SERVICE_IP}" # 下面这 4 个由 registrar.sh 必填
SERVICE_PORT: "${PORT_RUSTFS}" SERVICE_NAME: "rustfs"
SERVICE_TAGS: "console" SERVICE_ADDR: "${LOCAL_TS_IP}"
CHECK_TYPE: "tcp" SERVICE_PORT: "9000"
ROUTE_HOST: "rfs.jmsu.top"
# 可选项HTTP/TCP、健康检查、入口等
SERVICE_PROTOCOL: "http"
CHECK_TYPE: "http"
CHECK_PATH: "/"
CHECK_INTERVAL: "10s" CHECK_INTERVAL: "10s"
CHECK_TIMEOUT: "2s" CHECK_TIMEOUT: "2s"
DEREG_AFTER: "1m" DEREG_AFTER: "1m"
TRAEFIK_HTTP_ENTRYPOINT: "websecure"
TRAEFIK_TCP_ENTRYPOINT: "tcp"
# TRAEFIK_CERT_RESOLVER 可在云端用 file/dynamic 统一配置,这里不强制
command: ["/bin/sh","/registrar.sh"]
# -------- Registrar把 :9009 注册到 mcprfs.jmsu.top --------
registrar-mcprfs:
image: hashicorp/consul:1.21
container_name: registrar-mcprfs
restart: unless-stopped
depends_on:
- rustfs-s3-toolkit
volumes: volumes:
- ./registrar.sh:/registrar.sh:ro - ./registrar.sh:/registrar.sh:ro
entrypoint: ["/bin/sh","-lc","/registrar.sh"]
restart: unless-stopped
# 注册 MCP9009
registrar_mcp:
image: hashicorp/consul:1.21
depends_on:
consul-agent:
condition: service_healthy
rustfs-s3-toolkit:
condition: service_started
environment: environment:
CONSUL_HTTP_ADDR: "http://consul-agent:8500" CONSUL_HTTP_ADDR: "http://${CONSUL_SERVER_IP}:8500"
SERVICE_NAME: "${SVC_MCP}" SERVICE_NAME: "mcprfs"
SERVICE_ADDR: "${SERVICE_IP}" SERVICE_ADDR: "${LOCAL_TS_IP}"
SERVICE_PORT: "${PORT_MCP}" SERVICE_PORT: "9009"
SERVICE_TAGS: "toolkit" ROUTE_HOST: "mcprfs.jmsu.top"
CHECK_TYPE: "tcp" SERVICE_PROTOCOL: "http" # 如果 MCP 走 TCP请改成 "tcp" 并把 CHECK_TYPE 改为 tcp
CHECK_TYPE: "http"
CHECK_PATH: "/"
CHECK_INTERVAL: "10s" CHECK_INTERVAL: "10s"
CHECK_TIMEOUT: "2s" CHECK_TIMEOUT: "2s"
DEREG_AFTER: "1m" DEREG_AFTER: "1m"
volumes: TRAEFIK_HTTP_ENTRYPOINT: "websecure"
- ./registrar.sh:/registrar.sh:ro TRAEFIK_TCP_ENTRYPOINT: "tcp"
entrypoint: ["/bin/sh","-lc","/registrar.sh"] command: ["/bin/sh","/registrar.sh"]
restart: unless-stopped
networks: {}

103
docker/registrar.sh
View File

@@ -1,71 +1,82 @@
#!/bin/sh #!/bin/sh
set -eu set -eu
: "${CONSUL_HTTP_ADDR:?need CONSUL_HTTP_ADDR}"
: "${SERVICE_NAME:?need SERVICE_NAME}" : "${SERVICE_NAME:?need SERVICE_NAME}"
: "${SERVICE_ADDR:?need SERVICE_ADDR}" : "${SERVICE_ADDR:?need SERVICE_ADDR}"
: "${SERVICE_PORT:?need SERVICE_PORT}" : "${SERVICE_PORT:?need SERVICE_PORT}"
: "${ROUTE_HOST:?need ROUTE_HOST}"
SERVICE_ID="${SERVICE_ID:-${SERVICE_NAME}-${SERVICE_ADDR}-${SERVICE_PORT}}" CONSUL="${CONSUL_HTTP_ADDR:?need CONSUL_HTTP_ADDR}"
SERVICE_TAGS="${SERVICE_TAGS:-}" SERVICE_PROTOCOL="${SERVICE_PROTOCOL:-http}" # http | tcp
CHECK_TYPE="${CHECK_TYPE:-tcp}" # tcp|http CHECK_TYPE="${CHECK_TYPE:-tcp}" # http | tcp
CHECK_PATH="${CHECK_PATH:-/healthz}" # http 模式才用 CHECK_PATH="${CHECK_PATH:-/}"
CHECK_INTERVAL="${CHECK_INTERVAL:-10s}" CHECK_INTERVAL="${CHECK_INTERVAL:-10s}"
CHECK_TIMEOUT="${CHECK_TIMEOUT:-2s}" CHECK_TIMEOUT="${CHECK_TIMEOUT:-2s}"
DEREG_AFTER="${DEREG_AFTER:-1m}" DEREG_AFTER="${DEREG_AFTER:-1m}"
TRAEFIK_HTTP_ENTRYPOINT="${TRAEFIK_HTTP_ENTRYPOINT:-websecure}"
TRAEFIK_TCP_ENTRYPOINT="${TRAEFIK_TCP_ENTRYPOINT:-tcp}"
# TRAEFIK_CERT_RESOLVER="${TRAEFIK_CERT_RESOLVER:-cf}"
# 组装 Tags 的 JSON 数组 echo "[registrar] consul: $CONSUL, service: $SERVICE_NAME@$SERVICE_ADDR:$SERVICE_PORT"
if [ -n "$SERVICE_TAGS" ]; then
# 逗号分隔转 JSON 数组 # 等云端 Consul Server 可用
TAGS_JSON=$(printf '%s' "$SERVICE_TAGS" | awk -F, ' for i in $(seq 1 90); do
BEGIN{printf "["} if wget -qO- "$CONSUL/v1/status/leader" >/dev/null 2>&1; then
{for(i=1;i<=NF;i++){gsub(/^ *| *$/, "", $i); printf "%s\"%s\"", (i>1?",":""), $i}} break
END{printf "]"} fi
') sleep 1
done
ID="${SERVICE_NAME}-${SERVICE_ADDR}-${SERVICE_PORT}"
# 组装 Traefik tagsConsulCatalog
TAGS="traefik.enable=true"
if [ "$SERVICE_PROTOCOL" = "http" ]; then
TAGS="$TAGS,traefik.http.routers.${SERVICE_NAME}.rule=Host(\`${ROUTE_HOST}\`)"
TAGS="$TAGS,traefik.http.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_HTTP_ENTRYPOINT}"
TAGS="$TAGS,traefik.http.routers.${SERVICE_NAME}.tls=true"
TAGS="$TAGS,traefik.http.services.${SERVICE_NAME}.loadbalancer.server.scheme=http"
TAGS="$TAGS,traefik.http.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}"
# 可选:应用云端 dynamic.yml 的中间件
TAGS="$TAGS,traefik.http.routers.${SERVICE_NAME}.middlewares=gzip-all@file,security-headers@file"
elif [ "$SERVICE_PROTOCOL" = "tcp" ]; then
TAGS="$TAGS,traefik.tcp.routers.${SERVICE_NAME}.rule=HostSNI(\`${ROUTE_HOST}\`)"
TAGS="$TAGS,traefik.tcp.routers.${SERVICE_NAME}.entrypoints=${TRAEFIK_TCP_ENTRYPOINT}"
TAGS="$TAGS,traefik.tcp.services.${SERVICE_NAME}.loadbalancer.server.port=${SERVICE_PORT}"
else else
TAGS_JSON="[]" echo "unsupported SERVICE_PROTOCOL=$SERVICE_PROTOCOL" >&2; exit 2
fi fi
# 组装 Check JSON # 转 JSON 数组(按逗号拆分)
to_json_array() { echo "$1" | awk -v RS=, 'NF{print "\""$0"\""}' | paste -sd, - | sed 's/^/[/' | sed 's/$/]/'; }
TAGS_JSON="$(to_json_array "$TAGS")"
# 健康检查 JSON
if [ "$CHECK_TYPE" = "http" ]; then if [ "$CHECK_TYPE" = "http" ]; then
CHECK_JSON=$(cat <<EOF CHECK_JSON=$(cat <<EOF
{ {"Name":"http","HTTP":"http://${SERVICE_ADDR}:${SERVICE_PORT}${CHECK_PATH}","Interval":"${CHECK_INTERVAL}","Timeout":"${CHECK_TIMEOUT}","DeregisterCriticalServiceAfter":"${DEREG_AFTER}"}
"Name": "http-${SERVICE_PORT}",
"HTTP": "http://${SERVICE_ADDR}:${SERVICE_PORT}${CHECK_PATH}",
"Method": "GET",
"Interval": "${CHECK_INTERVAL}",
"Timeout": "${CHECK_TIMEOUT}",
"DeregisterCriticalServiceAfter": "${DEREG_AFTER}"
}
EOF EOF
) )
else else
CHECK_JSON=$(cat <<EOF CHECK_JSON=$(cat <<EOF
{ {"Name":"tcp","TCP":"${SERVICE_ADDR}:${SERVICE_PORT}","Interval":"${CHECK_INTERVAL}","Timeout":"${CHECK_TIMEOUT}","DeregisterCriticalServiceAfter":"${DEREG_AFTER}"}
"Name": "tcp-${SERVICE_PORT}",
"TCP": "${SERVICE_ADDR}:${SERVICE_PORT}",
"Interval": "${CHECK_INTERVAL}",
"Timeout": "${CHECK_TIMEOUT}",
"DeregisterCriticalServiceAfter": "${DEREG_AFTER}"
}
EOF EOF
) )
fi fi
# 注册 payload # 写 service 定义并注册到"云端" Consul Server
cat > /tmp/service.json <<JSON cat > /tmp/svc.json <<EOF
{ {"service":{"id":"${ID}","name":"${SERVICE_NAME}","address":"${SERVICE_ADDR}","port":${SERVICE_PORT},"tags":${TAGS_JSON},"checks":[${CHECK_JSON}]}}
"Name": "${SERVICE_NAME}", EOF
"ID": "${SERVICE_ID}",
"Address": "${SERVICE_ADDR}",
"Port": ${SERVICE_PORT},
"Tags": ${TAGS_JSON},
"Checks": [ ${CHECK_JSON} ]
}
JSON
echo "[registrar] registering ${SERVICE_ID} -> ${SERVICE_ADDR}:${SERVICE_PORT} ..." echo "[registrar] register ${ID} -\u003e ${CONSUL}"
curl -fsS -X PUT -d @/tmp/service.json "${CONSUL_HTTP_ADDR}/v1/agent/service/register" consul services register -http-addr="$CONSUL" /tmp/svc.json
echo "[registrar] done."
# 阻塞防退出(可选) term() {
tail -f /dev/null echo "[registrar] deregister ${ID}"
consul services deregister -http-addr="$CONSUL" /tmp/svc.json || true
exit 0
}
trap term TERM INT
tail -f /dev/null