日常更新

2026-03-29 09:08:01 +08:00
parent 31709425e2
commit befdefd222
224 changed files with 7240 additions and 3297 deletions
--- a/ansible/files/01-07/README.md
+++ b/ansible/files/01-07/README.md
@@ -0,0 +1,9 @@
+# 01-07 双控制节点 HA（手工演练为主）
+
+本目录用于满足 `doc_id=01-07` 的真源目录一致性约束。
+
+当前 `01-07` 主要是手工 runbook（切换/演练类），自动验证入口为：
+
+- `ansible/playbooks/verify/01-07.yml`（文档存在性与说明提示）
+
+如后续将 01-07 演练步骤自动化，可在本目录新增对应清单与配置文件。
--- a/ansible/files/01-07/haproxy-http.cfg
+++ b/ansible/files/01-07/haproxy-http.cfg
@@ -1,38 +0,0 @@
-# 01-07 HAProxy - 3.2 HTTP 健康检查（80 明文）
-# backend k3s_http 增加 option httpchk GET /
-# 文档：docs/01-07-openwrt-haproxy.md 第 3.2 节
-global
-    log /dev/log local0
-    maxconn 4096
-
-defaults
-    mode http
-    option httplog
-    timeout connect 5s
-    timeout client 30s
-    timeout server 30s
-
-frontend http_in
-    bind *:18080
-    default_backend k3s_http
-
-frontend https_in
-    bind *:18443
-    mode tcp
-    default_backend k3s_https
-
-backend k3s_http
-    option httpchk GET /
-    balance roundrobin
-    server ylc61 192.168.2.61:80 check
-    server ylc62 192.168.2.62:80 check
-    server ylc63 192.168.2.63:80 check
-    server ylc64 192.168.2.64:80 check
-
-backend k3s_https
-    mode tcp
-    balance roundrobin
-    server ylc61 192.168.2.61:443 check
-    server ylc62 192.168.2.62:443 check
-    server ylc63 192.168.2.63:443 check
-    server ylc64 192.168.2.64:443 check
--- a/ansible/files/01-07/haproxy-https.cfg
+++ b/ansible/files/01-07/haproxy-https.cfg
@@ -1,41 +0,0 @@
-# 01-07 HAProxy - 3.4 HTTPS 健康检查（443 应用层，HAProxy 终结 TLS，由 HAProxy 提供证书）
-# frontend 需 bind *:443 ssl，backend mode http 连 K3s:443 做 HTTP over TLS 检查
-# 将 your-ingress.example.com 改为实际 Host；将 /etc/ssl/haproxy.pem 改为实际证书路径
-# 自签/内网 CA 用 verify none，生产建议 ca-file
-# 文档：docs/01-07-openwrt-haproxy.md 第 3.4 节
-global
-    log /dev/log local0
-    maxconn 4096
-
-defaults
-    mode http
-    option httplog
-    timeout connect 5s
-    timeout client 30s
-    timeout server 30s
-
-frontend http_in
-    bind *:18080
-    default_backend k3s_http
-
-frontend https_in
-    bind *:18443 ssl crt /etc/ssl/haproxy.pem
-    mode http
-    default_backend k3s_https
-
-backend k3s_http
-    balance roundrobin
-    server ylc61 192.168.2.61:80 check
-    server ylc62 192.168.2.62:80 check
-    server ylc63 192.168.2.63:80 check
-    server ylc64 192.168.2.64:80 check
-
-backend k3s_https
-    mode http
-    option httpchk GET / HTTP/1.1\r\nHost:\ your-ingress.example.com
-    default-server ssl verify none
-    balance roundrobin
-    server ylc61 192.168.2.61:443 check
-    server ylc62 192.168.2.62:443 check
-    server ylc63 192.168.2.63:443 check
-    server ylc64 192.168.2.64:443 check
--- a/ansible/files/01-07/haproxy-no-check.cfg
+++ b/ansible/files/01-07/haproxy-no-check.cfg
@@ -1,38 +0,0 @@
-# 01-07 OpenWrt HAProxy 负载均衡 - 原生最简（无健康检查）
-# 文档：docs/01-07-openwrt-haproxy.md 第 2 节
-# 将 192.168.2.61～64 按实际 K3s 节点 IP 修改
-# 如需健康检查，见第 3 节对应 cfg
-global
-    log /dev/log local0
-    maxconn 4096
-
-defaults
-    mode http
-    option httplog
-    timeout connect 5s
-    timeout client 30s
-    timeout server 30s
-
-frontend http_in
-    bind *:18080
-    default_backend k3s_http
-
-frontend https_in
-    bind *:18443
-    mode tcp
-    default_backend k3s_https
-
-backend k3s_http
-    balance roundrobin
-    server ylc61 192.168.2.61:80
-    server ylc62 192.168.2.62:80
-    server ylc63 192.168.2.63:80
-    server ylc64 192.168.2.64:80
-
-backend k3s_https
-    mode tcp
-    balance roundrobin
-    server ylc61 192.168.2.61:443
-    server ylc62 192.168.2.62:443
-    server ylc63 192.168.2.63:443
-    server ylc64 192.168.2.64:443
--- a/ansible/files/01-07/haproxy-proxy-http-tls.cfg
+++ b/ansible/files/01-07/haproxy-proxy-http-tls.cfg
@@ -1,39 +0,0 @@
-# 01-07 HAProxy - 健康检查升级（HTTP+TLS）+ PROXY Protocol
-# 组合：k3s_http 用 option httpchk，k3s_https 用 ssl-hello-chk，均带 send-proxy-v2
-# 文档：docs/01-07-openwrt-haproxy.md 第 5 节「健康检查与 PROXY 组合」
-global
-    log /dev/log local0
-    maxconn 4096
-
-defaults
-    mode http
-    option httplog
-    timeout connect 5s
-    timeout client 30s
-    timeout server 30s
-
-frontend http_in
-    bind *:18080
-    default_backend k3s_http
-
-frontend https_in
-    bind *:18443
-    mode tcp
-    default_backend k3s_https
-
-backend k3s_http
-    option httpchk GET /
-    balance roundrobin
-    server ylc61 192.168.2.61:80 check send-proxy-v2
-    server ylc62 192.168.2.62:80 check send-proxy-v2
-    server ylc63 192.168.2.63:80 check send-proxy-v2
-    server ylc64 192.168.2.64:80 check send-proxy-v2
-
-backend k3s_https
-    mode tcp
-    option ssl-hello-chk
-    balance roundrobin
-    server ylc61 192.168.2.61:443 check send-proxy-v2
-    server ylc62 192.168.2.62:443 check send-proxy-v2
-    server ylc63 192.168.2.63:443 check send-proxy-v2
-    server ylc64 192.168.2.64:443 check send-proxy-v2
--- a/ansible/files/01-07/haproxy-tls.cfg
+++ b/ansible/files/01-07/haproxy-tls.cfg
@@ -1,38 +0,0 @@
-# 01-07 HAProxy - 3.3 TLS 健康检查（443 握手，mode tcp）
-# backend k3s_https 增加 option ssl-hello-chk
-# 文档：docs/01-07-openwrt-haproxy.md 第 3.3 节
-global
-    log /dev/log local0
-    maxconn 4096
-
-defaults
-    mode http
-    option httplog
-    timeout connect 5s
-    timeout client 30s
-    timeout server 30s
-
-frontend http_in
-    bind *:18080
-    default_backend k3s_http
-
-frontend https_in
-    bind *:18443
-    mode tcp
-    default_backend k3s_https
-
-backend k3s_http
-    balance roundrobin
-    server ylc61 192.168.2.61:80 check
-    server ylc62 192.168.2.62:80 check
-    server ylc63 192.168.2.63:80 check
-    server ylc64 192.168.2.64:80 check
-
-backend k3s_https
-    mode tcp
-    option ssl-hello-chk
-    balance roundrobin
-    server ylc61 192.168.2.61:443 check
-    server ylc62 192.168.2.62:443 check
-    server ylc63 192.168.2.63:443 check
-    server ylc64 192.168.2.64:443 check