feat: CoreDNS IPv4 上游、03-03 Tomcat 修复、HAProxy 与验证脚本

- Ansible: 部署时自动配置 CoreDNS forward 为 IPv4，避免 ACME 解析失败
- 01-01/01-07: 文档增加 CoreDNS 设置说明
- 03-03: Tomcat webapps.dist 复制、HTTP/HTTPS 双 Ingress、显式 Dashboard IngressRoute
- traefik-dashboard-acme: tomcat-acme.yaml、404 排查说明
- HAProxy: 健康检查与 PROXY 配置拆分，18080/18443 部署与验证脚本

Made-with: Cursor

scripts/02-verify-nginx-matrix-individual.sh

@@ -0,0 +1,106 @@
+#!/usr/bin/env bash
+# 02 系列逐个验证：清理 → 逐个部署 02-01～02-04 → TLS 矩阵 → onecloud 验证
+# 用法：./scripts/02-verify-nginx-matrix-individual.sh
+# 前置：ssh ylc61、ssh onecloud 可用；OpenWrt HAProxy 18080/18443 已部署
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+REMOTE_HOST="${REMOTE_HOST:-ylc61}"
+REMOTE_USER="${REMOTE_USER:-root}"
+REMOTE_REPO="${REMOTE_REPO:-/root/实验室建设}"
+VERIFY_HOST="${VERIFY_HOST:-onecloud}"
+OPENWRT_IP="${OPENWRT_IP:-192.168.2.1}"
+HTTP_PORT="${HTTP_PORT:-18080}"
+HTTPS_PORT="${HTTPS_PORT:-18443}"
+KUBECONFIG="${KUBECONFIG:-/etc/rancher/k3s/k3s.yaml}"
+
+SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=10"
+SSH_KEY="${ROOT_DIR}/.ssh/id_ed25519_k3s_192.168.2.61"
+[[ -f "$SSH_KEY" ]] && SSH_OPTS="$SSH_OPTS -i $SSH_KEY"
+SSH_YLC="ssh $SSH_OPTS ${REMOTE_USER}@${REMOTE_HOST}"
+
+echo "=== 02 系列 nginx 矩阵逐个验证（${REMOTE_HOST} + ${VERIFY_HOST}）==="
+
+# 1. 同步 SSH 密钥与 nginx-matrix 到 ylc61
+echo "[0] 同步 SSH 密钥与 ansible 到 ${REMOTE_HOST}..."
+if [[ -d "${ROOT_DIR}/.ssh" ]]; then
+  $SSH_YLC "mkdir -p /root/.ssh && chmod 700 /root/.ssh"
+  for k in "${ROOT_DIR}"/.ssh/id_ed25519_k3s_192.168.2.61 "${ROOT_DIR}"/.ssh/id_ed25519_k3s_192.168.2.62 \
+           "${ROOT_DIR}"/.ssh/id_ed25519_k3s_192.168.2.63 "${ROOT_DIR}"/.ssh/id_ed25519_k3s_192.168.2.64; do
+    [[ -f "$k" ]] || continue
+    scp -q $SSH_OPTS "$k" "${k}.pub" "${REMOTE_USER}@${REMOTE_HOST}:/root/.ssh/" 2>/dev/null || true
+  done
+  $SSH_YLC "chmod 600 /root/.ssh/id_ed25519_k3s_* 2>/dev/null || true"
+fi
+
+$SSH_YLC "mkdir -p ${REMOTE_REPO}/ansible/files"
+rsync -az -e "ssh $SSH_OPTS" --delete "${ROOT_DIR}/ansible/files/nginx-matrix/" \
+  "${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_REPO}/ansible/files/nginx-matrix/" 2>/dev/null || {
+  scp -r $SSH_OPTS "${ROOT_DIR}/ansible/files/nginx-matrix/"* \
+    "${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_REPO}/ansible/files/nginx-matrix/"
+}
+
+# 2. 清理所有 nginx 相关资源
+echo "[1] 清理 nginx 矩阵（path-based + TLS）..."
+$SSH_YLC "KUBECONFIG=${KUBECONFIG} kubectl delete deployment,svc -n default nginx-m1 nginx-m2 nginx-m3 nginx-m4 --ignore-not-found=true"
+$SSH_YLC "KUBECONFIG=${KUBECONFIG} kubectl delete ingress -n default nginx-m1 nginx-m3 nginx-m1-http nginx-m3-http --ignore-not-found=true"
+$SSH_YLC "KUBECONFIG=${KUBECONFIG} kubectl delete ingressroute -n default nginx-m2 nginx-m4 nginx-m2-http nginx-m4-http --ignore-not-found=true"
+$SSH_YLC "KUBECONFIG=${KUBECONFIG} kubectl delete middleware -n default stripprefix-m1 stripprefix-m2 stripprefix-m3 stripprefix-m4 --ignore-not-found=true"
+$SSH_YLC "KUBECONFIG=${KUBECONFIG} kubectl delete configmap -n default nginx-m1-html nginx-m2-html nginx-m3-html nginx-m4-html --ignore-not-found=true"
+sleep 2
+
+# 3. 逐个部署 02-01～02-04 并验证
+MATRIX=(
+  "01-control-ingress.yaml:demo-m1:M1"
+  "02-control-ingressroute.yaml:demo-m2:M2"
+  "03-worker-ingress.yaml:demo-m3:M3"
+  "04-worker-ingressroute.yaml:demo-m4:M4"
+)
+
+for item in "${MATRIX[@]}"; do
+  file="${item%%:*}"
+  rest="${item#*:}"
+  path="${rest%%:*}"
+  expect="${rest##*:}"
+  echo "[2] 部署 ${file}（${path} → ${expect}）..."
+  $SSH_YLC "KUBECONFIG=${KUBECONFIG} kubectl apply -f ${REMOTE_REPO}/ansible/files/nginx-matrix/${file}"
+  $SSH_YLC "KUBECONFIG=${KUBECONFIG} kubectl wait --for=condition=ready pod -l app=nginx-m${expect#M} -n default --timeout=120s"
+  code=$(ssh $SSH_OPTS "$VERIFY_HOST" "curl -s -o /dev/null -w '%{http_code}' --max-time 10 'http://${OPENWRT_IP}:${HTTP_PORT}/${path}/' 2>/dev/null" || echo "000")
+  body=$(ssh $SSH_OPTS "$VERIFY_HOST" "curl -s --max-time 10 'http://${OPENWRT_IP}:${HTTP_PORT}/${path}/' 2>/dev/null" || echo "")
+  if [[ "$code" != "200" ]]; then
+    echo "  [FAIL] /${path}/ 返回 ${code}" >&2
+    exit 1
+  fi
+  if [[ "$body" != *"$expect"* ]]; then
+    echo "  [FAIL] /${path}/ body 不含 ${expect}" >&2
+    exit 1
+  fi
+  echo "  [OK] /${path}/ 200 含 ${expect}"
+done
+
+# 4. 部署 TLS 矩阵
+echo "[3] 部署 nginx TLS 矩阵..."
+"${ROOT_DIR}/scripts/01-08-deploy-nginx-tls-via-ylc61.sh"
+
+# 5. 验证 HTTPS（test01～04）
+echo "[4] 经 ${VERIFY_HOST} 验证 HTTPS（test01～04.jackadam.top:${HTTPS_PORT}）..."
+HTTPS_HOSTS="test01.jackadam.top,test02.jackadam.top,test03.jackadam.top,test04.jackadam.top"
+IFS=',' read -ra HOSTS <<< "$HTTPS_HOSTS"
+for i in "${!HOSTS[@]}"; do
+  host="${HOSTS[$i]}"
+  expect="M$((i+1))"
+  code=$(ssh $SSH_OPTS "$VERIFY_HOST" "curl -s -o /dev/null -w '%{http_code}' --max-time 10 'https://${host}:${HTTPS_PORT}/' --resolve '${host}:${HTTPS_PORT}:${OPENWRT_IP}' 2>/dev/null" || echo "000")
+  body=$(ssh $SSH_OPTS "$VERIFY_HOST" "curl -s --max-time 10 'https://${host}:${HTTPS_PORT}/' --resolve '${host}:${HTTPS_PORT}:${OPENWRT_IP}' 2>/dev/null" || echo "")
+  if [[ "$code" != "200" ]]; then
+    echo "  [FAIL] https://${host}:${HTTPS_PORT}/ 返回 ${code}" >&2
+    exit 1
+  fi
+  if [[ "$body" != *"$expect"* ]]; then
+    echo "  [FAIL] https://${host}:${HTTPS_PORT}/ body 不含 ${expect}" >&2
+    exit 1
+  fi
+  echo "  [OK] https://${host}:${HTTPS_PORT}/ 200 含 ${expect}"
+done
+
+echo ""
+echo "[PASS] 02 系列 nginx 矩阵逐个验证通过（02-01～02-04 HTTP path + TLS domain）"