chore: add current provisioning state before migration

o-klab/wuji/clusters/oci-reg.k

@@ -0,0 +1,250 @@
+
+_http = OCIRegHTTP {
+    address = "0.0.0.0",
+    port = 5000
+    realm = "zot"
+    tls = OCIRegTLS {
+        cert = "/etc/zot/ssl/fullchain.pem",
+        key = "/etc/zot/ssl/privkey.pem"
+    }
+    auth = OCIRegAuth {
+        htpasswd = OCIRegHtpasswd { path = "/etc/zot/htpasswd" }
+        failDelay = 5
+    }
+}
+_log = OCIRegLog {
+    level = "debug",
+    output = "/var/log/zot/zot.log",
+    audit = "/var/log/zot/zot-audit.log"
+}
+
+if _kys != Undefined and _kys.oci_reg_s3.accesskey != Undefined and _kys.oci_reg_s3.accesskey == "": 
+#if _kys.storageDriver == Undefined:
+    _oci_config = OCIRegConfig {
+        storage = OCIRegStorage {
+            rootDirectory = "/data/zot/"
+            dedupe = True
+            storageDriver = OCIRegStorageDriver {
+                name = "s3",
+                rootdirectory = "/zot",
+                region = "europe-1",
+                bucket = "termas",
+                secure = True,
+                regionendpoint = "https://50bv2.upcloudobjects.com",
+                accesskey = "_kys.oci_reg_s3.accesskey",
+                secretkey = "_kys.oci_reg_s3.secretkey",
+                skipverify = False
+            }
+        }
+        http = _http
+        log = _log
+    } 
+else:
+    _oci_config = OCIRegConfig {
+        storage = OCIRegStorage {
+            rootDirectory = "/data/zot/"
+            gc = True
+            gcDelay = "1h"
+            gcInterval = "6h"
+        }
+        http = _http
+        log = _log
+        extensions = OCIRegExtensions {
+            ui = OCIRegExtUI { enable = True }
+            search = OCIRegExtSearch { enable = True }
+        }
+    } 
+
+service = OCIReg {
+    not_use = False
+    name = "oci-reg"
+    version = "1.0.1"
+    template = "k8s-deploy" 
+    def ="K8sDeploy" 
+    oci_memory_high = 15
+    oci_memory_max = 16
+    copy_paths = ["reg-ssl|ssl"]
+    config = _oci_config
+    #admin_host = "lab-cp-0"
+    # Cluster services admin hosts port to connect via SSH
+    #admin_port = 22
+    # Cluster services admin user connect via SSH
+    #admin_user = "root" 
+    #admin_user = "admin"
+    #local_def_path = "services/web"
+}  
+
+_k8s_dply = provisioning.K8sDefs {
+    name = "reg"
+    domain = "librecloud"
+    ns = "${name}-${domain}"
+    primary_dom = "online"
+    full_domain = "${name}.${domain}.${primary_dom}"
+    cluster_domain = "svc.cluster.local"
+}
+
+k8s_deploy = provisioning.K8sDeploy { 
+    name = "${_k8s_dply.name}"
+    #name_in_files = "${name}"
+    namespace = "${_k8s_dply.ns}"
+    create_ns = True
+    full_domain = "${_k8s_dply.full_domain}"
+    labels = [ 
+        provisioning.K8sKeyVal{key ="app",value= "${name}"},
+        provisioning.K8sKeyVal{key ="target",value = "${_k8s_dply.domain}"},
+        provisioning.K8sKeyVal{key ="registry",value = "oci"},
+    ]
+    spec = provisioning.K8sDeploySpec {
+        replicas = 1
+        #hostUser = False
+        containers = [
+            provisioning.K8sContainers {
+                name = "zot"
+                image = "ghcr.io/project-zot/zot-linux-amd64:v2.0.0"
+                #cmd = ""
+                imagePull = "IfNotPresent"
+                #env = [ 
+                #    provisioning.K8sKeyVal{key ="registry",value = "oci"},
+                #    }
+                #]
+                ports = [ 
+                    provisioning.K8sPort {
+                        name = "main"
+                        typ = ""
+                        container = 5000
+                        #target_port = 0
+                    } 
+                ]
+                volumeMounts = [
+                    provisioning.K8sVolumeMount {
+                        name = "${_k8s_dply.name}-vol-data"
+                        mountPath = "/data"
+                    },
+                    provisioning.K8sVolumeMount {
+                        name = "${_k8s_dply.name}-vol-log"
+                        mountPath = "/var/log/zot"
+                    },
+                    provisioning.K8sVolumeMount {
+                        name = "${_k8s_dply.name}-etc"
+                        readOnly = True
+                        mountPath = "/etc/zot/config.json"
+                        subPath = "config.json"
+                    },
+                    provisioning.K8sVolumeMount {
+                        name = "${_k8s_dply.name}-etc"
+                        readOnly = True
+                        mountPath = "/etc/zot/htpasswd"
+                        subPath = "htpasswd"
+                    },
+                    provisioning.K8sVolumeMount {
+                        name = "${_k8s_dply.name}-certs"
+                        readOnly = True
+                        mountPath = "/etc/zot/ssl"
+                    }
+                ]
+                resources_limits = provisioning.K8sResources { memory = "128Mi", cpu = "500Mi" }
+                resources_requests = provisioning.K8sResources { memory = "64Mi", cpu = "250m" }
+            },
+        ]
+        volumes = [
+            provisioning.K8sVolume {
+                name = "${_k8s_dply.name}-vol-data"
+                typ = "volumeClaim"
+                persitentVolumeClaim = provisioning.K8sVolumeClaim {
+                    name = "${_k8s_dply.name}-claim-data"
+                    storageClassName: "nfs-client"
+                    storage = "5Gi"
+                    reclaimPolicy = "Retain"
+                }
+            },
+            provisioning.K8sVolume {
+                name = "${_k8s_dply.name}-vol-log"
+                typ = "volumeClaim"
+                persitentVolumeClaim = provisioning.K8sVolumeClaim {
+                    name = "${_k8s_dply.name}-claim-log"
+                    storageClassName: "nfs-client"
+                    storage = "1Gi"
+                    reclaimPolicy = "Retain"
+                }
+            },
+            provisioning.K8sVolume {
+                name = "${_k8s_dply.name}-etc"
+                typ = "configMap"
+                items = [ 
+                    provisioning.K8sKeyPath{key = "htpasswd",path = "htpasswd"},
+                    provisioning.K8sKeyPath{key = "config.json",path = "config.json"}
+                ]
+            },
+            provisioning.K8sVolume {
+                name = "${_k8s_dply.name}-certs"
+                typ = "secret"
+                items = [ 
+                    provisioning.K8sKeyPath{key = "tls.crt",path = "fullchain.pem"},
+                    provisioning.K8sKeyPath{key = "tls.key",path = "privkey.pem"}
+                ]
+            },
+        ]
+        secrets = [
+            provisioning.K8sSecret{
+                name = ""
+                items = [ 
+                    provisioning.K8sKeyPath{key = "target",path = "librecloud"}
+                ]
+            }
+        ]
+    }
+    prxy = "istio"
+    prxy_ns = "istio-system"
+    prxyGatewayServers = [
+        provisioning.K8sPrxyGatewayServer{
+            port = provisioning.K8sPrxyPort { name = "http-reg", number = 80, proto = "HTTP" }
+            tls = provisioning.K8sPrxyTLS { httpsRedirect = True, mode = "" }
+            hosts = ["${_k8s_dply.full_domain}"]
+        },
+        provisioning.K8sPrxyGatewayServer{
+            port = provisioning.K8sPrxyPort { name = "https-reg", number = 5000, proto = "HTTPS" }
+            tls = provisioning.K8sPrxyTLS { mode = "PASSTHROUGH" }
+            #tls = provisioning.K8sPrxyTLS { mode = "SIMPLE", credentialName = "${_k8s_dply.name}-credentials" }
+            hosts = ["${_k8s_dply.full_domain}"]
+        },
+    ]
+    prxyVirtualService = provisioning.K8sPrxyVirtualService{
+            hosts = ["${_k8s_dply.full_domain}"]
+            gateways = ["${_k8s_dply.name}-${_k8s_dply.ns}-gwy"]
+            matches = [ 
+                provisioning.K8sPrxyVirtualServiceMatch {
+                    typ = "tcp",
+                    location = [
+                        provisioning.K8sPrxyVirtualServiceMatchURL { port: 443, } #sniHosts = ["${_k8s_dply.full_domain}"]
+                    ],
+                    route_destination = [
+                        provisioning.K8sPrxyVirtualServiceRoute {
+                            port_number = 5000,
+                            host = "${_k8s_dply.name}.${_k8s_dply.ns}.${_k8s_dply.cluster_domain}"
+                        }
+                    ],
+                }
+            ]
+    }
+    tls_path = "ssl"
+    bin_apply = True
+    service = provisioning.K8sService{
+        name = ""
+        typ = "NodePort"
+        ports = [ 
+            provisioning.K8sPort{
+                name = "main"
+                #proto = ""
+                container = 5000
+                #target_port = 0
+            }
+        ]
+    }
+    # backups = [
+    #     provisioning.K8sBackup{
+    #         name = ""
+    #         typ = ""
+    #         mount_path = ""
+    #     }
+    # ]
+}

o-klab/wuji/clusters/oci-reg/default/htpasswd

@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:z2pRx4gFig0pgkzjBMZ2IrcF1g==,iv:yEDr3tTPmYb4P8oEIDBvqyHFsOjIv62utQVx4c43JKo=,tag:25ueeUlj0e0TzDdBeGOPsw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1vjvgsyr2nef6rk60gj54yqqqdjtc7saj63fxr3ec567wycnrlqxscdyw34",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQSzFwSlE4dmtNa2ZIdTlN\nTDhKbGNYaCtvUnZMYXFjekZuY0hTaU1iUGpnCkY2SzhIQ2cza2JSbjlNNnlCeWE5\nbDZST01XR3RvWUwwVll0VHRjSHhjbEEKLS0tIDBqUUJ2aWM4d1h2cElyT0o2OW1E\nR21FVmRwcFgzRGptbnRaQlh6cWpZTkUKgFz4MKYLknxOEt+feDkMmoyo5pQl+bQ6\neSQD/l5ZonsKXC4NNKpW/K6k9M1S+CQSZB6TYIECjhchDs53n5htVw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-01-16T13:51:59Z",
+		"mac": "ENC[AES256_GCM,data:jVByRySNykRCMHMeoIs+lfmlBjNLsK+Kgd9zJ/O4OpCZbAXweLEtFiM352QNutJmr36rXx/LEocPFYiyGtYiM+qvNuKU/fgz341DODagr7A6Ey0lhPqU6bIn3cgmLgkjNTqnn5QQoMjqyWzEuBmkniwQtN1DhiMYcVzlFQQGkc8=,iv:edJIY03Q/QXHVJ0gq8TeGhr1xh7/H8wx3s/43umhwnc=,tag:7JWpQwWAnHL/F8YZxWatlQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}

o-klab/wuji/clusters/web.k

@@ -0,0 +1,14 @@
+import provisioning
+service = provisioning.Service {
+  not_use = False
+  name = "web"
+  version = "1.0"
+  profile = "default"
+  #admin_host = "lab-cp-0"
+  # Cluster services admin hosts port to connect via SSH
+  #admin_port = 22
+  # Cluster services admin user connect via SSH
+  #admin_user = "root" 
+  #admin_user = "admin"
+  #local_def_path = "services/web"
+}

o-klab/wuji/clusters/web/default/configMap-etc.yaml

@@ -0,0 +1,126 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: web-etc
+  namespace: cloudnative-zone
+data:
+  htpasswd: |
+    daka:saTqF5QXUuD26
+  nginx.conf: |
+      user nginx;
+
+      # Set to number of CPU cores, auto will try to autodetect.
+      worker_processes auto;
+
+      # Maximum open file descriptors per process. Should be greater than worker_connections.
+      worker_rlimit_nofile 8192;
+
+      events {
+      	# Set the maximum number of connection each worker process can open. Anything higher than this
+      	# will require Unix optimisations.
+      	worker_connections 8000;
+
+      	# Accept all new connections as they're opened.
+      	multi_accept on;
+      }
+
+      http {
+      	# HTTP
+      	#include global/http.conf;
+
+      	# MIME Types
+      	include mime.types;
+      	default_type application/octet-stream;
+
+      	# Limits & Timeouts
+      	#include global/limits.conf;
+
+        # Specifies the main log format.
+        #log_format main '$http_x_real_ip - $real_ip_header - $http_x_forwarder_for - $http_x_real_ip - $remote_addr - $remote_user [$time_local] "$request" '
+        log_format main '$http_x_real_ip - $http_x_forwarder_for - $http_x_real_ip - $remote_addr - $remote_user [$time_local] "$request" '
+                        '$status $body_bytes_sent "$http_referer" '
+                        '"$http_user_agent" ';
+        # Default Logs
+        error_log /var/log/nginx/error.log warn;
+        access_log /var/log/nginx/access.log main;
+
+      	# Gzip
+      	#include global/gzip.conf;
+
+      	# Modules
+      	include /etc/nginx/conf.d/*.conf;
+        #upstream web {
+        #  server auth:8080;
+        #}
+      	# Sites
+      	#include /etc/nginx/sites-enabled/*;
+      }
+  default: |
+    # Define path to cache and memory zone. The memory zone should be unique.
+    # keys_zone=fatstcgi-cache:100m creates the memory zone and sets the maximum size in MBs.
+    # inactive=60m will remove cached items that haven't been accessed for 60 minutes or more.
+    fastcgi_cache_path /cache levels=1:2 keys_zone=fatstcgi-cache:100m inactive=60m;
+    
+    server {
+    	# Ports to listen on, uncomment one.
+      listen 443 ssl http2;
+    	listen [::]:443 ssl http2;
+
+    	# Server name to listen for
+      server_name web.cloudnative.zone;
+
+    	# Path to document root
+    	root   /var/www/static;
+
+      # Paths to certificate files.
+      ssl_certificate /etc/ssl-dom/fullchain.pem;
+      ssl_certificate_key /etc/ssl-dom/privkey.pem;
+
+    	# File to be used as index
+    	index index.php;
+
+    	# Overrides logs defined in nginx.conf, allows per site logs.
+      error_log /dev/stdout warn;
+    	access_log /dev/stdout main;
+    	# Default server block rules
+    	include server/defaults.conf;
+    	# Fastcgi cache rules
+    	include server/fastcgi-cache.conf;
+
+      # SSL rules
+    	include server/ssl.conf;
+    	# disable_symlinks off;
+
+      #Used when a load balancer wants to determine if this server is up or not
+      location /health_check {
+        return 200;
+      }
+      location / {
+           root   /usr/share/nginx/html;
+           index  index.html index.htm;
+      }
+      #location / {
+      #  #auth_basic  "Login";
+      #  #auth_basic_user_file  /etc/nginx/htpasswd;
+      #  proxy_set_header Host $http_host;
+      #  proxy_set_header X-Real-IP $remote_addr;
+      #  proxy_set_header X-Forwarded-For
+      #  $proxy_add_x_forwarded_for;
+      #  proxy_redirect off;
+      #  proxy_pass web;
+      #}  
+    }
+
+    # Redirect http to https
+    server {
+      listen 80;
+    	listen [::]:80;
+    	server_name web.cloudnative.zone;
+      #server_name localhost;
+      #return 301 https://web.cloudnative.zone$request_uri;
+    	#return 301 https://fatstcgi-cache$request_uri;
+      location / {
+           root   /usr/share/nginx/html;
+           index  index.html index.htm;
+      }
+    }

o-klab/wuji/clusters/web/default/html-root/index.html

@@ -0,0 +1 @@
+<h1>Cloud Native Web Service </h1>

o-klab/wuji/clusters/web/default/install-web.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+kubectl apply -f ns
+kubectl apply -f volumes
+
+_install_html() {
+  local src=$1
+  local target=$2
+  local ns 
+  local pod_id
+  ns="cloudnative-zone"  
+  pod_id=$(kubectl get pods -n "$ns" | grep -m1 web  | cut -f1 -d" ")
+  if [ -n "$pod_id" ] ; then 
+     echo "wait for container state ..."
+     sleep 8
+     if kubectl cp $src/* -n $ns $pod_id:$target  ; then
+        echo "$src files copied to $pod_id:$target"
+     fi
+  fi
+}
+
+sudo chown -R devadm $(dirname "$0") 
+
+[ -r "bin/apply.sh" ] && ./bin/apply.sh  &&  [ -d "html-root" ] && _install_html html-root /usr/share/nginx/html
+
+exit 0
+

o-klab/wuji/clusters/web/default/ssl/cert.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEKjCCAxKgAwIBAgISA1MWgZgaRq4SWl/sDqQTbwXQMA0GCSqGSIb3DQEBCwUA
+MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
+EwJSMzAeFw0yMzA5MTIyMDQ2MjNaFw0yMzEyMTEyMDQ2MjJaMB8xHTAbBgNVBAMT
+FHdlYi5jbG91ZG5hdGl2ZS56b25lMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+GqlhmZQx5sUE3TLQXdn4AgnQk6777RdW+UCv/g3CCKfNDWZr1o4JFVpU5U/iochF
+EgHngWEBKILmnOPatQtpUaOCAhYwggISMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUE
+FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
+xIyo45lvkKyFc0FqBCn/nsvOpskwHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+v
+nYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMuby5s
+ZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8wHwYD
+VR0RBBgwFoIUd2ViLmNsb3VkbmF0aXZlLnpvbmUwEwYDVR0gBAwwCjAIBgZngQwB
+AgEwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgC3Pvsk35xNunXyOcW6WPRsXfxC
+z3qfNcSeHQmBJe20mQAAAYqLXBoPAAAEAwBHMEUCIG8Gg2ZNigOTHVU7I0fC42er
+OIgVid0mSapKbpDSyde2AiEAx70vRj9SMsPJU4656gg3V0m+wSFMCfBzqYVKRWO2
+XWoAdgB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1LrUgAAAYqLXBoZAAAE
+AwBHMEUCIEJxDGfRl5qIgwtS9XGIWxhKj5sytFj+TmMYUfi1sXVoAiEAi7TI8C+p
+c9kKaufc1YQd6X8BhEBQfMBOOYbe7IKlfJ4wDQYJKoZIhvcNAQELBQADggEBAKks
+WdbZGmX7a7MYl6/1zcBdiYEOCDj9373NU+lIaDeTX5JZuYZauymiBJ9Gf2/PE15o
+7AimoDjDyqaA3TGTMNgn6VXf1OwYVRnUF4AWPQYP273chU2OcYBsfaBXrcVmvI84
+pzZjFOfh83d/DcRpeSK2bdFlVzJjSgTuTA6lhQOtmIMKS7KKNHEhM+ZzMUi9JhLn
+sjD2NHLfxjG0KYQFfuEJK8JK5ppnpyu+fstOf7/Gar/Pn5cPW+SqqfpbUR8kV5gs
+uHi8JiW8tRfarWlrxJx/18quooDCS9epEQCPzjvDe1Y+giW46sPBKmo+LwzRDfB0
+IC96trUL+ZZ3g+7/Sd4=
+-----END CERTIFICATE-----

o-klab/wuji/clusters/web/default/ssl/chain.pem

@@ -0,0 +1,61 @@
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----

o-klab/wuji/clusters/web/default/ssl/fullchain.pem

@@ -0,0 +1,86 @@
+-----BEGIN CERTIFICATE-----
+MIIEKjCCAxKgAwIBAgISA1MWgZgaRq4SWl/sDqQTbwXQMA0GCSqGSIb3DQEBCwUA
+MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
+EwJSMzAeFw0yMzA5MTIyMDQ2MjNaFw0yMzEyMTEyMDQ2MjJaMB8xHTAbBgNVBAMT
+FHdlYi5jbG91ZG5hdGl2ZS56b25lMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+GqlhmZQx5sUE3TLQXdn4AgnQk6777RdW+UCv/g3CCKfNDWZr1o4JFVpU5U/iochF
+EgHngWEBKILmnOPatQtpUaOCAhYwggISMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUE
+FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
+xIyo45lvkKyFc0FqBCn/nsvOpskwHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+v
+nYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMuby5s
+ZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8wHwYD
+VR0RBBgwFoIUd2ViLmNsb3VkbmF0aXZlLnpvbmUwEwYDVR0gBAwwCjAIBgZngQwB
+AgEwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgC3Pvsk35xNunXyOcW6WPRsXfxC
+z3qfNcSeHQmBJe20mQAAAYqLXBoPAAAEAwBHMEUCIG8Gg2ZNigOTHVU7I0fC42er
+OIgVid0mSapKbpDSyde2AiEAx70vRj9SMsPJU4656gg3V0m+wSFMCfBzqYVKRWO2
+XWoAdgB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1LrUgAAAYqLXBoZAAAE
+AwBHMEUCIEJxDGfRl5qIgwtS9XGIWxhKj5sytFj+TmMYUfi1sXVoAiEAi7TI8C+p
+c9kKaufc1YQd6X8BhEBQfMBOOYbe7IKlfJ4wDQYJKoZIhvcNAQELBQADggEBAKks
+WdbZGmX7a7MYl6/1zcBdiYEOCDj9373NU+lIaDeTX5JZuYZauymiBJ9Gf2/PE15o
+7AimoDjDyqaA3TGTMNgn6VXf1OwYVRnUF4AWPQYP273chU2OcYBsfaBXrcVmvI84
+pzZjFOfh83d/DcRpeSK2bdFlVzJjSgTuTA6lhQOtmIMKS7KKNHEhM+ZzMUi9JhLn
+sjD2NHLfxjG0KYQFfuEJK8JK5ppnpyu+fstOf7/Gar/Pn5cPW+SqqfpbUR8kV5gs
+uHi8JiW8tRfarWlrxJx/18quooDCS9epEQCPzjvDe1Y+giW46sPBKmo+LwzRDfB0
+IC96trUL+ZZ3g+7/Sd4=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----

o-klab/wuji/clusters/web/default/ssl/privkey.pem

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgup4OYupHZNX1yEIm
+yJ1LwHlbaJWfgXRYTE8s2ko2qJihRANCAAQaqWGZlDHmxQTdMtBd2fgCCdCTrvvt
+F1b5QK/+DcIIp80NZmvWjgkVWlTlT+KhyEUSAeeBYQEoguac49q1C2lR
+-----END PRIVATE KEY-----