commit baf810745ed8e4e6ab5646aec7ebd15d9843006c Author: rohow Date: Sun Apr 7 19:42:51 2024 +0800 feat(deploy): 首次提交
diff --git a/apps/README.md b/apps/README.md
new file mode 100644
index 0000000..e0e54cb
--- /dev/null
+++ b/apps/README.md
@@ -0,0 +1,20 @@
+# postgresql-ha
+helm instll postgresql-ha \
+ --set global.postgresql.username=rohow \
+ --set global.postgresql.password=XXX \
+ --set postgresql.postgresPassword=XXX \
+ --set namespaceOverride=infra-data \
+ oci://registry-1.docker.io/bitnamicharts/postgresql-ha --output-dir .
+
+# redis
+helm instll redis \
+ --set replica.replicaCount=0 \
+ --set global.redis.password=XXX \
+ --set namespaceOverride=infra-data \
+ oci://registry-1.docker.io/bitnamicharts/redis --output-dir .
+
+# gitea
+helm instll gitea \
+ --set redis-cluster.enabled=false \
+ --set postgresql-ha.enabled=false \
+ oci://registry-1.docker.io/giteacharts/gitea --output-dir .
\ No newline at end of file
diff --git a/apps/cert-manager/helmchart-dnspod.yaml b/apps/cert-manager/helmchart-dnspod.yaml
new file mode 100644
index 0000000..3641931
--- /dev/null
+++ b/apps/cert-manager/helmchart-dnspod.yaml
@@ -0,0 +1,35 @@
+# 需要提前安装crds
+# kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: cert-manager-webhook-dnspod
+ namespace: infra-cert
+spec:
+ chart: oci://registry-1.docker.io/imroc/cert-manager-webhook-dnspod
+ targetNamespace: infra-cert
+ valuesContent: |-
+ namespace: infra-cert
+ certManager:
+ namespace: infra-cert
+ groupName: cert.dev.cm
+ clusterIssuer:
+ # cnameStrategy: Follow
+ staging: false
+ email: admin@dev.cm
+ secretId: AKIDzmKdvDSfonogKip55pIVR6h7ScjaBWcg
+ secretKey: zudDdtytkPr8HI9oKeniSxIRPCmCe0CD
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/master
+ operator: In
+ values:
+ - "true"
+ tolerations:
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "NoSchedule"
+
\ No newline at end of file
diff --git a/apps/cert-manager/helmchart.yaml b/apps/cert-manager/helmchart.yaml
new file mode 100644
index 0000000..f4617fc
--- /dev/null
+++ b/apps/cert-manager/helmchart.yaml
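Review bot: The `secretId`/`secretKey` pair under `clusterIssuer` in `valuesContent` is a DNSPod API credential committed to the repository in clear text, and with `staging: false` it authorizes production DNS changes for the zone. A credential that has landed in git history has to be treated as disclosed: rotate it and keep the replacement out of the manifest (a Secret the chart consumes, or a values source that is not committed), leaving only a placeholder such as `secretKey: <dnspod-secret-key>` here. The chart also has no `version:` pinned, unlike `apps/cert-manager/helmchart.yaml` in the next hunk, so every reconcile can pull whatever the OCI registry currently serves; pin it.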
@@ -0,0 +1,54 @@
+# 需要提前安装crds
+# kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: cert-manager
+ namespace: infra-cert
+spec:
+ repo: https://charts.jetstack.io
+ chart: cert-manager
+ targetNamespace: infra-cert
+ version: v1.14.4
+ valuesContent: |-
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/master
+ operator: In
+ values:
+ - "true"
+ tolerations:
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "NoSchedule"
+ webhook:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/master
+ operator: In
+ values:
+ - "true"
+ tolerations:
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "NoSchedule"
+ cainjector:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/master
+ operator: In
+ values:
+ - "true"
+ tolerations:
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "NoSchedule"
\ No newline at end of file
diff --git a/apps/gitea/configmap-custom.yaml b/apps/gitea/configmap-custom.yaml
new file mode 100644
index 0000000..2752d62
--- /dev/null
+++ b/apps/gitea/configmap-custom.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: gitea-custom-templates
+ namespace: infra-devops
+data:
+ home.tmpl: |-
+ {{template "base/head" .}}
+
+
+
+
+ +
+
+

+ {{AppName}} +

+

dev.cm - Git 仓库

+
+
+
+
+ {{template "base/footer" .}}
+
+ extra_links.tmpl: |-
+ CI
\ No newline at end of file
diff --git a/apps/gitea/helmchart.yaml b/apps/gitea/helmchart.yaml
new file mode 100644
index 0000000..d4ceecd
--- /dev/null
+++ b/apps/gitea/helmchart.yaml
@@ -0,0 +1,61 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: gitea
+ namespace: infra-devops
+spec:
+ repo: https://dl.gitea.com/charts
+ chart: gitea
+ targetNamespace: infra-devops
+ valuesContent: |-
+ redis-cluster:
+ enabled: false
+ postgresql-ha:
+ enabled: false
+ gitea:
+ config:
+ APP_NAME: Git.dev.cm
+ RUN_MODE: prod
+ server:
+ DOMAIN: git.dev.cm
+ ROOT_URL: https://git.dev.cm/
+ database:
+ DB_TYPE: postgres
+ HOST: postgresql-ha-pgpool.infra-data:5432
+ NAME: gitea
+ USER: rohow
+ PASSWD: L#GRtTR2QuL@20pm6+c~
+ session:
+ PROVIDER: redis
+ PROVIDER_CONFIG: redis://:ribiPwYQNU6GWxCYR0Nj@redis-master.infra-data:6379/0
+ cache:
+ ADAPTER: redis
+ HOST: redis://:ribiPwYQNU6GWxCYR0Nj@redis-master.infra-data:6379/0?pool_size=100&idle_timeout=180s
+ queue:
+ TYPE: redis
+ CONN_STR: redis://:ribiPwYQNU6GWxCYR0Nj@redis-master.infra-data:6379/0
+ service:
+ DISABLE_REGISTRATION: true
+ NO_REPLY_ADDRESS: noreply.dev.cm
+ picture:
+ GRAVATAR_SOURCE: https://cravatar.cn/avatar/
+ i18n:
+ LANGS: zh-CN,en-US
+ NAMES: 简体中文,English
+ extraVolumes:
+ - name: gitea-custom-templates-volume
+ configMap:
+ name: gitea-custom-templates
+ items:
+ - key: home.tmpl
+ path: home.tmpl
+ - key: extra_links.tmpl
+ path: custom/extra_links.tmpl
+ extraContainerVolumeMounts:
+ - name: gitea-custom-templates-volume
+ readOnly: true
+ mountPath: /data/gitea/templates
+
+
+
+
\ No newline at end of file
diff --git a/apps/gitea/ingressroute-http.yaml b/apps/gitea/ingressroute-http.yaml
new file mode 100644
index 0000000..79e0b9a
--- /dev/null
+++ b/apps/gitea/ingressroute-http.yaml
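Review bot: `PASSWD`, `PROVIDER_CONFIG`, `HOST` (cache) and `CONN_STR` in the `gitea.config` block carry the PostgreSQL and Redis passwords in clear text, and the same strings are repeated in `apps/postgresql-ha/helmchart.yaml` and `apps/redis/helmchart.yaml`, so one disclosure of this repository exposes every datastore at once. The Gitea chart can take these sections from a Secret through `gitea.additionalConfigSources` (one key per app.ini section), which keeps `valuesContent` free of credentials; the values already committed should be rotated either way, and a placeholder like `PASSWD: <postgres-password>` left here. As in the cert-manager chart, no `version:` is pinned, so the deployment tracks whatever `https://dl.gitea.com/charts` serves as latest.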
@@ -0,0 +1,16 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: gitea-http
+ namespace: infra-devops
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - kind: Rule
+ match: Host(`git.dev.cm`)
+ services:
+ - kind: Service
+ name: gitea-http
+ namespace: infra-devops
+ port: 3000
\ No newline at end of file
diff --git a/apps/gitea/ingressroute-ssh.yaml b/apps/gitea/ingressroute-ssh.yaml
new file mode 100644
index 0000000..d6a58ae
--- /dev/null
+++ b/apps/gitea/ingressroute-ssh.yaml
@@ -0,0 +1,14 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+ name: gitea-ssh
+ namespace: infra-devops
+spec:
+ entryPoints:
+ - ssh
+ routes:
+ - match: HostSNI(`*`)
+ services:
+ - name: gitea-ssh
+ namespace: infra-devops
+ port: 22
\ No newline at end of file
diff --git a/apps/namespaces.yaml b/apps/namespaces.yaml
new file mode 100644
index 0000000..c29c53b
--- /dev/null
+++ b/apps/namespaces.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: apps
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: infra-data
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: infra-cert
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: infra-devops
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: infra-monitor
\ No newline at end of file
diff --git a/apps/nas/todo.yaml b/apps/nas/todo.yaml
new file mode 100644
index 0000000..4570014
--- /dev/null
+++ b/apps/nas/todo.yaml
@@ -0,0 +1,60 @@
+http:
+ routers:
+ router:
+ entryPoints:
+ - websecure
+ rule: "Host(`router.dev.cm`)"
+ service: "router@file"
+ middlewares:
+ - web-base
+ vm:
+ entryPoints:
+ - websecure
+ rule: "Host(`vm.dev.cm`)"
+ service: "vm@file"
+ middlewares:
+ - web-base
+ nas:
+ entryPoints:
+ - websecure
+ rule: "Host(`nas.dev.cm`)"
+ service: "nas@file"
+ middlewares:
+ - web-base
+ download:
+ entryPoints:
+ - websecure
+ rule: "Host(`download.dev.cm`)"
+ service: "download@file"
+ middlewares:
+ - traefik-forward-auth
+ - web-base
+ downloadRpc:
+ entryPoints:
+ - websecure
+ rule: "Host(`download.dev.cm`) && PathPrefix(`/jsonrpc`)"
+ service: "downloadRpc@file"
+ middlewares:
+ - web-base
+
+ services:
+ router:
+ loadBalancer:
+ servers:
+ - url: "https://192.168.21.1/"
+ vm:
+ loadBalancer:
+ servers:
+ - url: "https://192.168.21.2:8006/"
+ nas:
+ loadBalancer:
+ servers:
+ - url: "http://192.168.21.3/"
+ download:
+ loadBalancer:
+ servers:
+ - url: "http://192.168.21.3:6880/"
+ downloadRpc:
+ loadBalancer:
+ servers:
+ - url: "http://192.168.21.3:6800/"
\ No newline at end of file
diff --git a/apps/postgresql-ha/helmchart.yaml b/apps/postgresql-ha/helmchart.yaml
new file mode 100644
index 0000000..d9b9b4e
--- /dev/null
+++ b/apps/postgresql-ha/helmchart.yaml
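Review bot: The `downloadRpc` router (same host as `download`, narrowed to PathPrefix /jsonrpc) lists only `web-base` in `middlewares`, while the `download` router for that host carries `traefik-forward-auth`; since Traefik's default priority favours the longer rule, requests under `/jsonrpc` take the unauthenticated router and bypass the forward-auth gate that protects the UI. If this is deliberate because the backend enforces its own RPC token, record it with a comment such as `# /jsonrpc deliberately outside forward-auth: backend enforces its own RPC secret`; otherwise add `- traefik-forward-auth` to `downloadRpc.middlewares`. The `router` and `vm` services point at `https://192.168.21.x` origins with no `serversTransport`, so whether their certificates are verified rests on Traefik's default and is worth confirming in a comment. The `router`, `vm` and `nas` management UIs are likewise published with only `web-base`, which the file name `todo.yaml` suggests is known but should be stated.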
@@ -0,0 +1,37 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: postgresql-ha
+ namespace: infra-data
+spec:
+ chart: oci://registry-1.docker.io/bitnamicharts/postgresql-ha
+ targetNamespace: infra-data
+ valuesContent: |-
+ tolerations:
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "NoSchedule"
+ global:
+ postgresql:
+ username: rohow
+ password: L#GRtTR2QuL@20pm6+c~
+ postgresql:
+ image:
+ debug: true
+ postgresPassword: L#GRtTR2QuL@20pm6+c~
+ nodeAffinityPreset:
+ type: "hard"
+ key: "topology.kubernetes.io/region"
+ values:
+ - "cn-sh"
+ pgpool:
+ image:
+ debug: true
+ nodeAffinityPreset:
+ type: "hard"
+ key: "topology.kubernetes.io/region"
+ values:
+ - "cn-sh"
+
+
+
\ No newline at end of file
diff --git a/apps/postgresql-ha/loadbalancer.yaml b/apps/postgresql-ha/loadbalancer.yaml
new file mode 100644
index 0000000..7b399a7
--- /dev/null
+++ b/apps/postgresql-ha/loadbalancer.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgresql-ha
+ namespace: infra-data
+spec:
+ selector:
+ app.kubernetes.io/instance: postgresql-ha
+ app.kubernetes.io/name: postgresql-ha
+ app.kubernetes.io/component: pgpool
+ ports:
+ - protocol: TCP
+ port: 65432
+ targetPort: 5432
+ type: LoadBalancer
\ No newline at end of file
diff --git a/apps/redis/helmchart.yaml b/apps/redis/helmchart.yaml
new file mode 100644
index 0000000..eede5dc
--- /dev/null
+++ b/apps/redis/helmchart.yaml
@@ -0,0 +1,17 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: redis
+ namespace: infra-data
+spec:
+ chart: oci://registry-1.docker.io/bitnamicharts/redis
+ targetNamespace: infra-data
+ valuesContent: |-
+ global:
+ redis:
+ password: ribiPwYQNU6GWxCYR0Nj
+ replica:
+ replicaCount: 0
+
+
+
\ No newline at end of file
diff --git a/core/README.md b/core/README.md
new file mode 100644
index 0000000..7106032
--- /dev/null
+++ b/core/README.md
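Review bot: `apps/postgresql-ha/loadbalancer.yaml` publishes pgpool as a `type: LoadBalancer` Service on port 65432 with no `loadBalancerSourceRanges`, and on k3s the built-in ServiceLB opens that port on the host network of the nodes it lands on, so the database is reachable from outside the cluster while its password sits in clear text in `apps/postgresql-ha/helmchart.yaml` in this same hunk group (`global.postgresql.password` and `postgresql.postgresPassword` are identical, so the application role and the superuser share one secret). Restrict the exposure with `loadBalancerSourceRanges:` (or keep it ClusterIP and reach it over the VPN the install notes set up), give the superuser its own password, and move both passwords out of the manifest; the same applies to `global.redis.password` in `apps/redis/helmchart.yaml`. `image.debug: true` on both `postgresql` and `pgpool` enables verbose container logging that tends to echo connection details and should be removed once the rollout is stable. Neither chart pins `version:`.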
@@ -0,0 +1,8 @@
+### 调试
+kubectl run -i --tty --rm --restart=Never \
+ --overrides='{"apiVersion": "v1", "spec": {"nodeSelector": {"kubernetes.io/hostname": "tcc"}}}' \
+ --image=busybox:1.28 \
+ debug -- sh
+
+### path core中服务的节点亲和性 使他们只运行在master节点上
+kubectl patch -n kube-system deployment coredns --patch-file=patch-affinity.yaml
\ No newline at end of file
diff --git a/core/coredns/configmap.yaml b/core/coredns/configmap.yaml
new file mode 100644
index 0000000..c7cf6e3
--- /dev/null
+++ b/core/coredns/configmap.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns-custom
+ namespace: kube-system
+data:
+ local.override: |
+ # 腾讯云内网DNS会将HINFO解析请求返回本机 造成循环 此处直接屏蔽处理
+ template ANY HINFO . {
+ rcode NXDOMAIN
+ }
+ # 不解析IPV6
+ template ANY AAAA {
+ rcode NXDOMAIN
+ }
+
+ local.server: |
+ #
+
\ No newline at end of file
diff --git a/core/coredns/nodelocaldns.yaml b/core/coredns/nodelocaldns.yaml
new file mode 100644
index 0000000..8c899fd
--- /dev/null
+++ b/core/coredns/nodelocaldns.yaml
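Review bot: The `template ANY AAAA { rcode NXDOMAIN }` block in `local.override` answers every AAAA query cluster-wide with NXDOMAIN, which asserts that the name itself does not exist even when it has an A record; a resolver that negatively caches by name (RFC 2308 style) may then fail the A lookup for the same name. The conventional way to suppress IPv6 answers is an empty NOERROR reply, i.e. `rcode NOERROR` in that template, and a comment noting that the snippet carries no zone argument and so applies to every zone of the importing server block would help the next reader. `local.server` holds only a `#` line and is a no-op; either delete the key or replace the comment with what it is reserved for.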
@@ -0,0 +1,213 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: node-local-dns
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kube-dns-upstream
+ namespace: kube-system
+ labels:
+ k8s-app: kube-dns
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+ kubernetes.io/name: "KubeDNSUpstream"
+spec:
+ ports:
+ - name: dns
+ port: 53
+ protocol: UDP
+ targetPort: 53
+ - name: dns-tcp
+ port: 53
+ protocol: TCP
+ targetPort: 53
+ selector:
+ k8s-app: kube-dns
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: node-local-dns
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+data:
+ Corefile: |
+ # 腾讯云内网DNS会将HINFO解析请求返回本机 造成循环 此处直接屏蔽处理
+ (disableHINFO) {
+ template ANY HINFO . {
+ rcode NXDOMAIN
+ }
+ }
+ cluster.local:53 {
+ errors
+ cache {
+ success 9984 30
+ denial 9984 5
+ }
+ reload
+ loop
+ bind 169.254.20.10 10.43.0.10
+ forward . __PILLAR__CLUSTER__DNS__ {
+ force_tcp
+ }
+ prometheus :9253
+ health 169.254.20.10:8080
+ import disableHINFO
+ }
+ in-addr.arpa:53 {
+ errors
+ cache 30
+ reload
+ loop
+ bind 169.254.20.10 10.43.0.10
+ forward . __PILLAR__CLUSTER__DNS__ {
+ force_tcp
+ }
+ prometheus :9253
+ import disableHINFO
+ }
+ ip6.arpa:53 {
+ errors
+ cache 30
+ reload
+ loop
+ bind 169.254.20.10 10.43.0.10
+ forward . __PILLAR__CLUSTER__DNS__ {
+ force_tcp
+ }
+ prometheus :9253
+ import disableHINFO
+ }
+ .:53 {
+ errors
+ cache 30
+ reload
+ loop
+ bind 169.254.20.10 10.43.0.10
+ forward . __PILLAR__UPSTREAM__SERVERS__
+ prometheus :9253
+ import disableHINFO
+ }
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: node-local-dns
+ namespace: kube-system
+ labels:
+ k8s-app: node-local-dns
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+spec:
+ updateStrategy:
+ rollingUpdate:
+ maxUnavailable: 10%
+ selector:
+ matchLabels:
+ k8s-app: node-local-dns
+ template:
+ metadata:
+ labels:
+ k8s-app: node-local-dns
+ annotations:
+ prometheus.io/port: "9253"
+ prometheus.io/scrape: "true"
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: svccontroller.k3s.cattle.io/enablelb
+ operator: In
+ values:
+ - "true"
+ priorityClassName: system-node-critical
+ serviceAccountName: node-local-dns
+ hostNetwork: true
+ dnsPolicy: Default # Don't use cluster DNS.
+ tolerations:
+ - key: "CriticalAddonsOnly"
+ operator: "Exists"
+ - effect: "NoExecute"
+ operator: "Exists"
+ - effect: "NoSchedule"
+ operator: "Exists"
+ containers:
+ - name: node-cache
+ image: registry.k8s.io/dns/k8s-dns-node-cache:1.22.28
+ resources:
+ requests:
+ cpu: 25m
+ memory: 5Mi
+ args: [ "-localip", "169.254.20.10,10.43.0.10", "-conf", "/etc/Corefile", "-upstreamsvc", "kube-dns-upstream" ]
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ ports:
+ - containerPort: 53
+ name: dns
+ protocol: UDP
+ - containerPort: 53
+ name: dns-tcp
+ protocol: TCP
+ - containerPort: 9253
+ name: metrics
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ host: 169.254.20.10
+ path: /health
+ port: 8080
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ volumeMounts:
+ - mountPath: /run/xtables.lock
+ name: xtables-lock
+ readOnly: false
+ - name: config-volume
+ mountPath: /etc/coredns
+ - name: kube-dns-config
+ mountPath: /etc/kube-dns
+ volumes:
+ - name: xtables-lock
+ hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
+ - name: kube-dns-config
+ configMap:
+ name: kube-dns
+ optional: true
+ - name: config-volume
+ configMap:
+ name: node-local-dns
+ items:
+ - key: Corefile
+ path: Corefile.base
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ prometheus.io/port: "9253"
+ prometheus.io/scrape: "true"
+ labels:
+ k8s-app: node-local-dns
+ name: node-local-dns
+ namespace: kube-system
+spec:
+ clusterIP: None
+ ports:
+ - name: metrics
+ port: 9253
+ targetPort: 9253
+ selector:
+ k8s-app: node-local-dns
\ No newline at end of file
diff --git a/core/patch-affinity.yaml b/core/patch-affinity.yaml
new file mode 100644
index 0000000..c58e232
--- /dev/null
+++ b/core/patch-affinity.yaml
@@ -0,0 +1,13 @@
+spec:
+ template:
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/master
+ operator: In
+ values:
+ - "true"
+
\ No newline at end of file
diff --git a/core/traefik/certs/certificate-dev-cm.yaml b/core/traefik/certs/certificate-dev-cm.yaml
new file mode 100644
index 0000000..38d1ed5
--- /dev/null
+++ b/core/traefik/certs/certificate-dev-cm.yaml
@@ -0,0 +1,27 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: dev-cm-crt
+ namespace: kube-system
+spec:
+ secretName: dev-cm-crt
+ issuerRef:
+ name: dnspod
+ kind: ClusterIssuer
+ group: cert-manager.io
+ dnsNames:
+ - "dev.cm"
+ - "*.dev.cm"
+ - "*.node.dev.cm"
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSStore
+metadata:
+ name: default
+ namespace: kube-system
+spec:
+ certificates:
+ - secretName: dev-cm-crt
+ defaultCertificate:
+ secretName: dev-cm-crt
\ No newline at end of file
diff --git a/core/traefik/certs/certificate-fillcode-com.yaml b/core/traefik/certs/certificate-fillcode-com.yaml
new file mode 100644
index 0000000..17a6da0
--- /dev/null
+++ b/core/traefik/certs/certificate-fillcode-com.yaml
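Review bot: The Corefile `bind` lines, the container `args` (`-localip`) and the `livenessProbe` in `core/coredns/nodelocaldns.yaml` all hard-code `10.43.0.10` as the kube-dns ClusterIP next to `169.254.20.10`; the `__PILLAR__*` placeholders are substituted by node-cache at startup, as that image is documented to do, but the `10.43.0.10` literal is not, so a cluster whose service CIDR differs from the k3s default binds the wrong address without any error. A comment at the top of the ConfigMap such as `# 10.43.0.10 = kube-dns ClusterIP under the k3s default service CIDR; keep in sync with the cluster` would make that coupling visible. The DaemonSet's `nodeAffinity` limits the cache to nodes labelled `svccontroller.k3s.cattle.io/enablelb=true`, and `core/traefik/helmchartconfig.yaml` points Traefik's `dnsConfig` at `169.254.20.10` on the same node set, so the affinity block deserves a comment stating that the two DaemonSets are expected to co-locate.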
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: fillcode-com-crt
+ namespace: kube-system
+spec:
+ secretName: fillcode-com-crt
+ issuerRef:
+ name: dnspod
+ kind: ClusterIssuer
+ group: cert-manager.io
+ dnsNames:
+ - "fillcode.com"
+ - "*.fillcode.com"
\ No newline at end of file
diff --git a/core/traefik/helmchartconfig.yaml b/core/traefik/helmchartconfig.yaml
new file mode 100644
index 0000000..ee4ac51
--- /dev/null
+++ b/core/traefik/helmchartconfig.yaml
@@ -0,0 +1,53 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+ name: traefik
+ namespace: kube-system
+spec:
+ valuesContent: |-
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: svccontroller.k3s.cattle.io/enablelb
+ operator: In
+ values:
+ - "true"
+ tolerations:
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "NoSchedule"
+ deployment:
+ kind: DaemonSet
+ dnsPolicy: None
+ dnsConfig:
+ nameservers:
+ - 169.254.20.10
+ - 10.43.0.10
+ hostNetwork: true
+ service:
+ spec:
+ externalTrafficPolicy: Local
+ ports:
+ web:
+ forwardedHeaders:
+ insecure: true
+ proxyProtocol:
+ insecure: true
+ websecure:
+ forwardedHeaders:
+ insecure: true
+ proxyProtocol:
+ insecure: true
+ http3:
+ enabled: false
+ ssh:
+ port: 8022
+ expose: true
+ exposedPort: 22
+
+ updateStrategy:
+ rollingUpdate:
+ maxUnavailable: 1
+ maxSurge: 0
\ No newline at end of file
diff --git a/core/traefik/ingressroute-https-only.yaml b/core/traefik/ingressroute-https-only.yaml
new file mode 100644
index 0000000..30b8ac3
--- /dev/null
+++ b/core/traefik/ingressroute-https-only.yaml
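Review bot: `forwardedHeaders.insecure: true` and `proxyProtocol.insecure: true` on both `web` and `websecure` in `core/traefik/helmchartconfig.yaml` make Traefik accept `X-Forwarded-*` headers and PROXY-protocol preambles from any peer, and with `hostNetwork: true` plus `externalTrafficPolicy: Local` the peer is the public network itself, so the client address every downstream consumer sees (forward-auth decisions, any IP allow-list, Gitea's own logging and rate limiting) is spoofable. Replace each `insecure: true` with a `trustedIPs:` list naming the proxy or CDN ranges that really sit in front of these nodes, or delete the two blocks entirely if nothing does. A one-line comment above `ports:` saying which upstream hop is expected to send PROXY protocol would explain the setting to the next reader. The `traefik.containo.us/v1alpha1` group used by every IngressRoute and Middleware in this commit is the deprecated API group; `traefik.io/v1alpha1` is its replacement in current Traefik 2.x releases.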
@@ -0,0 +1,17 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: https-only
+ namespace: kube-system
+spec:
+ entryPoints:
+ - web
+ routes:
+ - kind: Rule
+ match: PathPrefix(`/`)
+ priority: 1
+ middlewares:
+ - name: https-only
+ services:
+ - kind: TraefikService
+ name: noop@internal
\ No newline at end of file
diff --git a/core/traefik/ingressroute-internal.yaml b/core/traefik/ingressroute-internal.yaml
new file mode 100644
index 0000000..033b28e
--- /dev/null
+++ b/core/traefik/ingressroute-internal.yaml
@@ -0,0 +1,29 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: gateway
+ namespace: kube-system
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - kind: Rule
+ match: Host(`gateway.dev.cm`)
+ services:
+ - kind: TraefikService
+ name: dashboard@internal
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: gateway-api
+ namespace: kube-system
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - kind: Rule
+ match: Host(`gateway.dev.cm`) && PathPrefix(`/api`)
+ services:
+ - kind: TraefikService
+ name: api@internal
\ No newline at end of file
diff --git a/core/traefik/middleware/middleware-compress.yaml b/core/traefik/middleware/middleware-compress.yaml
new file mode 100644
index 0000000..cc17c83
--- /dev/null
+++ b/core/traefik/middleware/middleware-compress.yaml
@@ -0,0 +1,7 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: compress
+ namespace: kube-system
+spec:
+ compress: {}
\ No newline at end of file
diff --git a/core/traefik/middleware/middleware-https-only.yaml b/core/traefik/middleware/middleware-https-only.yaml
new file mode 100644
index 0000000..c0456c2
--- /dev/null
+++ b/core/traefik/middleware/middleware-https-only.yaml
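Review bot: Both routes in `core/traefik/ingressroute-internal.yaml` publish `dashboard@internal` and `api@internal` on the public `websecure` entry point for `gateway.dev.cm` with no `middlewares:` at all, so the Traefik dashboard and its API (the complete router, service, middleware and TLS configuration, including every backend address) are readable by anyone who reaches the host. Add an authentication middleware to both routes, e.g. `middlewares:` / `- name: <auth-middleware>` referencing a `basicAuth` or `forwardAuth` Middleware (the repo already depends on a `traefik-forward-auth` middleware in `apps/nas/todo.yaml`), and consider a source-IP restriction on top. The catch-all `https-only` route in the first hunk (`priority: 1`, `noop@internal`) is the right shape for the HTTP-to-HTTPS redirect and needs no change.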
@@ -0,0 +1,9 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: https-only
+ namespace: kube-system
+spec:
+ redirectScheme:
+ scheme: https
+ permanent: true
\ No newline at end of file
diff --git a/install/README.md b/install/README.md
new file mode 100644
index 0000000..272d626
--- /dev/null
+++ b/install/README.md
@@ -0,0 +1,38 @@
+### 替换hostname
+hostnamectl set-hostname node && reboot
+
+### 安装tailscale
+curl -fsSL https://tailscale.com/install.sh | sh
+
+### 开启tailscale的自动更新
+tailscale set --auto-update
+
+### 开启ip转发
+echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
+echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
+sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
+
+### 新建目录 将不同节点类型的config写入
+mkdir -p /etc/rancher/k3s && nano /etc/rancher/k3s/config.yaml
+
+### 安装k3s 此处注意安装类型 是server 还是 agent
+curl -sfL https://get.k3s.io | \
+ INSTALL_K3S_MIRROR=cn \
+ sh -s - server
+
+### 国内安装加速 & 镜像加速地址
+https://rancher-mirror.rancher.cn/k3s/k3s-install.sh
+nano /etc/rancher/k3s/registries.yaml
+
+### 查看serverToken 记得在config中替换最新的token
+cat /var/lib/rancher/k3s/server/node-token
+
+### 查看api server config 需要替换到.kube/config中 注意将其中的server地址替换为高可用地址
+cat /etc/rancher/k3s/k3s.yaml
+
+### 给node添加地域标签
+kubectl label nodes tca topology.kubernetes.io/region=cn-sh
+kubectl label nodes tca svccontroller.k3s.cattle.io/enablelb="true"
+
+### 给master节点添加污点
+kubectl taint nodes tca node-role.kubernetes.io/master:NoSchedule
\ No newline at end of file
diff --git a/install/agent.config.yaml b/install/agent.config.yaml
new file mode 100644
index 0000000..4be797b
--- /dev/null
+++ b/install/agent.config.yaml
@@ -0,0 +1,10 @@
+# worker 工作节点
+server: "https://k3s.dev.cm:6443"
+token: "K10cdbe82226583b6e0c8f80c203f3a2d79580aaf9c2f61d0aebea4a28c1ff3897f::server:35e7d0dc0b8c2427fdb42bb90bb85d5a"
+
+# 网络相关
+vpn-auth: "name=tailscale,joinKey=tskey-auth-ksJXXH4CNTRL-4WRkX448yC6W6yhytK1FD68HMDK4zStw"
+
+# 节点相关
+# 保留节点资源 根据节点做不同配置 如不需要可以注释掉
+kubelet-arg: kube-reserved=cpu=5000
\ No newline at end of file
diff --git a/install/master-init.config.yaml b/install/master-init.config.yaml
new file mode 100644
index 0000000..60a2195
--- /dev/null
+++ b/install/master-init.config.yaml
@@ -0,0 +1,7 @@
+# server 主节点
+cluster-init: true
+tls-san:
+ - "k3s.dev.cm,k3s.fillcode.com"
+
+# 网络相关
+vpn-auth: "name=tailscale,joinKey=tskey-auth-ksJXXH4CNTRL-4WRkX448yC6W6yhytK1FD68HMDK4zStw"
\ No newline at end of file
diff --git a/install/master.config.yaml b/install/master.config.yaml
new file mode 100644
index 0000000..e43edc4
--- /dev/null
+++ b/install/master.config.yaml
@@ -0,0 +1,8 @@
+# server 从节点
+server: "https://tca:6443"
+token: "K10cdbe82226583b6e0c8f80c203f3a2d79580aaf9c2f61d0aebea4a28c1ff3897f::server:35e7d0dc0b8c2427fdb42bb90bb85d5a"
+tls-san:
+ - "k3s.dev.cm,k3s.fillcode.com"
+
+# 网络相关
+vpn-auth: "name=tailscale,joinKey=tskey-auth-ksJXXH4CNTRL-4WRkX448yC6W6yhytK1FD68HMDK4zStw"
\ No newline at end of file
diff --git a/install/registries.yaml b/install/registries.yaml
new file mode 100644
index 0000000..90b29e7
--- /dev/null
+++ b/install/registries.yaml
@@ -0,0 +1,7 @@
+mirrors:
+ "docker.io":
+ endpoint:
+ - "https://mirror.ccs.tencentyun.com"
+ "registry.k8s.io":
+ endpoint:
+ - "k8s.m.daocloud.io"
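Review bot: `install/agent.config.yaml`, `install/master-init.config.yaml` and `install/master.config.yaml` commit two long-lived join credentials in clear text: the k3s server `token:` (the shared secret that lets its holder enroll a server or agent into the cluster) and the Tailscale auth key in `vpn-auth:`. Both should be rotated now that they are in history, and the files checked in with placeholders (`token: "<k3s-server-token>"`, `vpn-auth: "name=tailscale,joinKey=<tailscale-auth-key>"`) while the real values are supplied out of band. Separately, `kubelet-arg: kube-reserved=cpu=5000` carries no unit, so the kubelet reads it as 5000 whole CPUs rather than millicores and the node is likely left with no allocatable CPU; a unit-bearing value such as `cpu=500m` (or `cpu=5000m` if five cores were intended) is what this flag expects. `tls-san:` lists `"k3s.dev.cm,k3s.fillcode.com"` as a single comma-joined item; k3s may split it, but one list entry per SAN is the unambiguous form.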