Enabling user authentication on an EFK stack deployed from the Rancher app catalog (Kubernetes environment)

Introduction:

Our project currently runs on Rancher-managed Kubernetes. Rancher's built-in app catalog can deploy an EFK cluster with one click, but production has security requirements, so this EFK cluster needs to be modified to add username/password authentication for login.

1. Basic EFK setup

We use the EFK chart from Rancher's built-in app catalog, with custom image addresses (images mirrored into Harbor).

All images come from Elastic's official registry; every image is version 7.7.1:

Image download address: https://www.docker.elastic.co/

Because the log data is not very important, we chose not to persist it, which also gives slightly better performance; the downside is that a redeploy wipes all Elasticsearch data. Rancher's own distributed storage, Longhorn, has now been officially released and is simple to configure, so if you have the resources, consider putting the data on distributed storage.

2. Configuration changes

2.1 Elasticsearch StatefulSet configuration changes:

Changed parameters:

env: ES_JAVA_OPTS is unrelated to authentication; the default configuration gives the JVM too little memory and OOMs easily. ELASTIC_USERNAME and ELASTIC_PASSWORD are there for the Elasticsearch cluster status check (the readiness probe).

        - name: ES_JAVA_OPTS
          value: -Xmx4g -Xms4g
        - name: xpack.security.enabled
          value: "true"
        - name: ELASTIC_USERNAME
          value: elastic
        - name: ELASTIC_PASSWORD
          value: elasticpassword

resources: unrelated to enabling authentication; the default resource settings are too small and OOM easily.

        resources:
          limits:
            cpu: "4"
            memory: 8Gi
          requests:
            cpu: 100m
            memory: 8Gi

The complete YAML from Rancher is attached:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  annotations:
    esMajorVersion: "7"
    field.cattle.io/publicEndpoints: '[{"addresses":["10.1.99.51"],"port":80,"protocol":"HTTP","serviceName":"efk:elasticsearch-master-headless","ingressName":"efk:elastic-ingress","hostname":"elastic-prod.hlet.com","allNodes":true}]'
  creationTimestamp: "2020-06-03T08:34:13Z"
  generation: 4
  labels:
    app: elasticsearch-master
    chart: elasticsearch-7.3.0
    heritage: Tiller
    io.cattle.field/appId: efk
    release: efk
  name: elasticsearch-master
  namespace: efk
  resourceVersion: "22963322"
  selfLink: /apis/apps/v1/namespaces/efk/statefulsets/elasticsearch-master
  uid: 03f40362-4e89-4bd1-b8d3-285a36cbce35
spec:
  podManagementPolicy: Parallel
  replicas: 5
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: elasticsearch-master
  serviceName: elasticsearch-master-headless
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: elasticsearch-master
        chart: elasticsearch-7.3.0
        heritage: Tiller
        release: efk
      name: elasticsearch-master
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - elasticsearch-master
            topologyKey: kubernetes.io/hostname
      containers:
      - env:
        - name: node.name
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: cluster.initial_master_nodes
          value: elasticsearch-master-0,elasticsearch-master-1,elasticsearch-master-2,elasticsearch-master-3,elasticsearch-master-4,
        - name: discovery.seed_hosts
          value: elasticsearch-master-headless
        - name: cluster.name
          value: elasticsearch
        - name: network.host
          value: 0.0.0.0
        - name: ES_JAVA_OPTS
          value: -Xmx4g -Xms4g
        - name: node.data
          value: "true"
        - name: node.ingest
          value: "true"
        - name: node.master
          value: "true"
        - name: xpack.security.enabled
          value: "true"
        - name: ELASTIC_USERNAME
          value: elastic
        - name: ELASTIC_PASSWORD
          value: elasticpassword
        image: 10.1.99.42/ranchercharts/elasticsearch-elasticsearch:7.7.1
        imagePullPolicy: IfNotPresent
        name: elasticsearch
        ports:
        - containerPort: 9200
          name: http
          protocol: TCP
        - containerPort: 9300
          name: transport
          protocol: TCP
        readinessProbe:
          exec:
            command:
            - sh
            - -c
            - |
              #!/usr/bin/env bash -e
              # If the node is starting up wait for the cluster to be ready (request params: 'wait_for_status=green&timeout=1s' )
              # Once it has started only check that the node itself is responding
              START_FILE=/tmp/.es_start_file

              http () {
                  local path="${1}"
                  if [ -n "${ELASTIC_USERNAME}" ] && [ -n "${ELASTIC_PASSWORD}" ]; then
                    BASIC_AUTH="-u ${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}"
                  else
                    BASIC_AUTH=''
                  fi
                  curl -XGET -s -k --fail ${BASIC_AUTH} http://127.0.0.1:9200${path}
              }

              if [ -f "${START_FILE}" ]; then
                  echo 'Elasticsearch is already running, lets check the node is healthy'
                  http "/"
              else
                  echo 'Waiting for elasticsearch cluster to become cluster to be ready (request params: "wait_for_status=green&timeout=1s" )'
                  if http "/_cluster/health?wait_for_status=green&timeout=1s" ; then
                      touch ${START_FILE}
                      exit 0
                  else
                      echo 'Cluster is not yet ready (request params: "wait_for_status=green&timeout=1s" )'
                      exit 1
                  fi
              fi
          failureThreshold: 3
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 3
          timeoutSeconds: 5
        resources:
          limits:
            cpu: "4"
            memory: 8Gi
          requests:
            cpu: 100m
            memory: 8Gi
        securityContext:
          capabilities:
            drop:
            - ALL
          runAsNonRoot: true
          runAsUser: 1000
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      initContainers:
      - command:
        - sysctl
        - -w
        - vm.max_map_count=262144
        image: 10.1.99.42/ranchercharts/elasticsearch-elasticsearch:7.7.1
        imagePullPolicy: IfNotPresent
        name: configure-sysctl
        resources: {}
        securityContext:
          privileged: true
          runAsUser: 0
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 1000
      terminationGracePeriodSeconds: 120
  updateStrategy:
    type: RollingUpdate
status:
  collisionCount: 0
  currentReplicas: 5
  currentRevision: elasticsearch-master-85f58497dd
  observedGeneration: 4
  readyReplicas: 5
  replicas: 5
  updateRevision: elasticsearch-master-85f58497dd
  updatedReplicas: 5

After configuring, click Save; the Elasticsearch cluster will redeploy automatically.

Note: if the cluster never finishes initializing, delete all Elasticsearch nodes at once so that they reinitialize completely.

Once the redeploy completes, we need to initialize the passwords of the built-in Elastic accounts:

Log in to any Elasticsearch node and run:

elasticsearch-setup-passwords interactive

At this point the Elasticsearch cluster initialization is complete.

2.2 Kibana configuration changes

Because Kibana was deployed automatically from the app catalog, two Services are generated: efk-kibana and kibana-http.

In practice, when the Service was attached to the Ingress, Kibana could not be reached: http://0.0.0.0:5601 was reachable locally on the Kibana pod, but http://efk-kibana:5601 did not work. I then added a headless Service, efk-kibana-headless, and pointed Kibana's Ingress at it, which fixed it. Later on, the original Service started working again by itself...

[root@hlet-prod-k8s-rancher ~]# kubectl get svc -n efk
NAME                            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
efk-kibana                      ClusterIP   10.43.127.11    <none>        5601/TCP            17d
efk-kibana-headless             ClusterIP   None            <none>        5601/TCP            130m
elasticsearch-apm               ClusterIP   10.43.238.31    <none>        8200/TCP            52d
elasticsearch-heartbeat         ClusterIP   10.43.172.214   <none>        9200/TCP            2d
elasticsearch-master            ClusterIP   10.43.21.168    <none>        9200/TCP,9300/TCP   17d
elasticsearch-master-headless   ClusterIP   None            <none>        9200/TCP,9300/TCP   17d
kibana-http                     ClusterIP   10.43.71.157    <none>        80/TCP              174m

Ingress configuration:

[screenshot: image-20200612173912785.png]

The Service configuration is the chart default, so it is not reproduced here.

Two parts of the Kibana YAML were mainly changed:

ENV: the two username/password pairs are, respectively, the credentials Kibana uses to connect to the Elasticsearch cluster and the credentials used by the readiness check script.

        - name: xpack.security.enabled
          value: "true"
        - name: ELASTICSEARCH_USERNAME
          value: kibana
        - name: ELASTIC_USERNAME
          value: kibana
        - name: ELASTICSEARCH_PASSWORD
          value: elasticpassword
        - name: ELASTIC_PASSWORD
          value: elasticpassword
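Both the Elasticsearch StatefulSet above and this Kibana env block carry the password as a plaintext literal in the manifest, where anyone with read access to the Deployment (or to the Rancher UI) can see it. The following is an added example, not code from the original post or from the Rancher chart: it takes the Kibana env list (re-typed here from the page's YAML as Python dicts), moves every credential-looking value into a Kubernetes Secret, and rewrites those entries as secretKeyRef references; the Secret name efk-credentials is an assumption.

```python
import base64
import copy
import json
import re

# Constructed sample: the Kibana container env list from the page, as dicts.
# The values are the page's own placeholder credentials.
KIBANA_ENV = [
    {"name": "xpack.security.enabled", "value": "true"},
    {"name": "ELASTICSEARCH_USERNAME", "value": "kibana"},
    {"name": "ELASTIC_USERNAME", "value": "kibana"},
    {"name": "ELASTICSEARCH_PASSWORD", "value": "elasticpassword"},
    {"name": "ELASTIC_PASSWORD", "value": "elasticpassword"},
]

# Env names that should never be literals in a manifest.
CREDENTIAL_NAME = re.compile(r"(PASSWORD|SECRET|TOKEN)$", re.IGNORECASE)


def plaintext_credentials(env):
    """Names of env entries that still carry a credential as a literal value.
    Run this over a manifest before applying it; an empty list is the goal."""
    return [e["name"] for e in env
            if "value" in e and CREDENTIAL_NAME.search(e["name"])]


def externalize_secrets(env, secret_name, namespace):
    """Return (new_env, secret): literal credentials are base64-encoded into
    an Opaque Secret (the same encoding kubectl uses for .data) and the env
    entries are replaced by secretKeyRef. Non-credential entries and entries
    that already use valueFrom are copied unchanged."""
    new_env, data = [], {}
    for entry in env:
        name = entry["name"]
        if "value" in entry and CREDENTIAL_NAME.search(name):
            data[name] = base64.b64encode(entry["value"].encode()).decode()
            new_env.append({"name": name, "valueFrom": {
                "secretKeyRef": {"name": secret_name, "key": name}}})
        else:
            new_env.append(copy.deepcopy(entry))
    secret = {"apiVersion": "v1", "kind": "Secret",
              "metadata": {"name": secret_name, "namespace": namespace},
              "type": "Opaque", "data": data}
    return new_env, secret


if __name__ == "__main__":
    # kubectl apply accepts JSON, so these can be written straight to files.
    env, secret = externalize_secrets(KIBANA_ENV, "efk-credentials", "efk")
    print(json.dumps(secret, indent=2))
    print(json.dumps(env, indent=2))
```

The same transformation applies to the ELASTIC_PASSWORD entry of the Elasticsearch StatefulSet in 2.1; the readiness probe scripts keep working unchanged because they only read the environment variables.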

Readiness check: only the last line changed; once authentication is enabled, the default path keeps returning 404 when no one is logged in.

        readinessProbe:
          exec:
            command:
            - sh
            - -c
            - |
              #!/usr/bin/env bash -e
              http () {
                  local path="${1}"
                  set -- -XGET -s --fail

                  if [ -n "${ELASTIC_USERNAME}" ] && [ -n "${ELASTIC_PASSWORD}" ]; then
                    set -- "$@" -u "${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}"
                  fi

                  curl -k "$@" "http://localhost:5601${path}"
              }

              http "/login"

The complete Deployment YAML is attached:

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "23"
    field.cattle.io/publicEndpoints: '[{"addresses":["10.1.99.51"],"port":80,"protocol":"HTTP","serviceName":"efk:kibana-http","ingressName":"efk:kibana-ingress","hostname":"kibana-prod.hlet.com","allNodes":true}]'
  creationTimestamp: "2020-05-26T00:53:53Z"
  generation: 49
  labels:
    app: kibana
    io.cattle.field/appId: efk
    release: efk
  name: efk-kibana
  namespace: efk
  resourceVersion: "23026049"
  selfLink: /apis/apps/v1/namespaces/efk/deployments/efk-kibana
  uid: 85017148-3738-46f9-8e29-65d072549a92
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: kibana
      release: efk
  strategy:
    type: Recreate
  template:
    metadata:
      annotations:
        cattle.io/timestamp: "2020-06-09T00:17:32Z"
        field.cattle.io/ports: '[[{"containerPort":80,"dnsName":"efk-kibana","kind":"ClusterIP","name":"http","protocol":"TCP"}],[{"containerPort":5601,"dnsName":"efk-kibana","kind":"ClusterIP","name":"5601tcp2","protocol":"TCP"}]]'
        field.cattle.io/publicEndpoints: '[{"addresses":["10.1.99.51"],"allNodes":true,"hostname":"kibana-prod.hlet.com","ingressId":"efk:kibana-ingress","port":80,"protocol":"HTTP","serviceId":"efk:kibana-http"}]'
      creationTimestamp: null
      labels:
        app: kibana
        release: efk
    spec:
      containers:
      - args:
        - nginx
        - -g
        - daemon off;
        - -c
        - /nginx/nginx.conf
        image: rancher/nginx:1.15.8-alpine
        imagePullPolicy: IfNotPresent
        name: kibana-proxy
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /nginx/
          name: kibana-nginx
      - env:
        - name: ELASTICSEARCH_HOSTS
          value: http://elasticsearch-master:9200
        - name: I18N_LOCALE
          value: zh-CN
        - name: LOGGING_QUIET
          value: "true"
        - name: SERVER_HOST
          value: 0.0.0.0
        - name: xpack.security.enabled
          value: "true"
        - name: ELASTICSEARCH_USERNAME
          value: kibana
        - name: ELASTIC_USERNAME
          value: kibana
        - name: ELASTICSEARCH_PASSWORD
          value: elasticpassword
        - name: ELASTIC_PASSWORD
          value: elasticpassword
        image: 10.1.99.42/ranchercharts/kibana-kibana:7.7.1
        imagePullPolicy: IfNotPresent
        name: kibana
        ports:
        - containerPort: 5601
          name: 5601tcp2
          protocol: TCP
        readinessProbe:
          exec:
            command:
            - sh
            - -c
            - |
              #!/usr/bin/env bash -e
              http () {
                  local path="${1}"
                  set -- -XGET -s --fail

                  if [ -n "${ELASTIC_USERNAME}" ] && [ -n "${ELASTIC_PASSWORD}" ]; then
                    set -- "$@" -u "${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}"
                  fi

                  curl -k "$@" "http://localhost:5601${path}"
              }

              http "/login"
          failureThreshold: 3
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 3
          timeoutSeconds: 5
        resources:
          limits:
            cpu: "1"
            memory: 1Gi
          requests:
            cpu: 100m
            memory: 500m
        securityContext:
          capabilities:
            drop:
            - ALL
          runAsNonRoot: true
          runAsUser: 1000
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 1000
      terminationGracePeriodSeconds: 30
      volumes:
      - configMap:
          defaultMode: 420
          items:
          - key: nginx.conf
            mode: 438
            path: nginx.conf
          name: efk-kibana-nginx
        name: kibana-nginx
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2020-06-12T07:46:09Z"
    lastUpdateTime: "2020-06-12T07:46:09Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2020-06-12T07:29:26Z"
    lastUpdateTime: "2020-06-12T07:46:09Z"
    message: ReplicaSet "efk-kibana-9884bd66b" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 49
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1

At this point you can try logging in to Kibana. The login page:

[screenshot: image-20200721112715807.png]

2.3 APM configuration changes

Since our Elastic deployment also uses APM, we go on to modify the APM settings.

Original deployment steps:

APM is not included in the app catalog; the deployment YAML is below.

Deployment order:

kubectl create configmap elasticsearch-apm --from-file=apm-server.docker.yml -n efk 
kubectl apply -f elasticsearch-apm-server.yaml 

apm-server.docker.yml:

apm-server:
  host: "0.0.0.0:8200"
  kibana.enabled: true
  kibana.host: "efk-kibana:5601"
  kibana.protocol: "http"
logging.level: warning
output.elasticsearch:
  hosts: ["elasticsearch-master-headless:9200"]

apm.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
  labels:
    app: elasticsearch-apm
  name: elasticsearch-apm
  namespace: efk
spec:
  replicas: 1
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app: elasticsearch-apm
  template:
    metadata:
      labels:
        app: elasticsearch-apm
    spec:
      containers:
      - image: 10.1.99.42/docker.elastic.co/apm/apm-server:7.7.1
        imagePullPolicy: IfNotPresent
        name: elasticsearch-apm
        ports:
        - containerPort: 8200
          protocol: TCP
        resources:
          limits:
            cpu: "1"
          requests:
            cpu: 25m
            memory: 512Mi
        volumeMounts:
        - mountPath: /usr/share/apm-server/apm-server.yml
          name: config
          subPath: apm-server.docker.yml
      volumes:
      - configMap:
          defaultMode: 420
          name: elasticsearch-apm
        name: config
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: elasticsearch-apm
  name: elasticsearch-apm
  namespace: efk
spec:
  ports:
  - name: elasticsearch-apm
    port: 8200
    protocol: TCP
  selector:
    app: elasticsearch-apm

Modify the configuration file to work with user authentication

Edit the elasticsearch-apm ConfigMap:

apm-server.docker.yml

apm-server:
  host: "0.0.0.0:8200"
  kibana.enabled: true
  kibana.host: "efk-kibana-headless:5601"
  kibana.username: "elastic"
  kibana.password: "elasticpassword"
  kibana.protocol: "http"
logging.level: warning
#logging.level: info
output.elasticsearch:
  hosts: ["elasticsearch-master-headless:9200"]
  username: "elastic"
  password: "elasticpassword"

After the change, simply redeploy.

2.4 Filebeat configuration changes

Filebeat comes with the app catalog; just edit the corresponding ConfigMap.

Edit the efk-filebeat-config ConfigMap:

filebeat.yml:

filebeat.inputs:
- type: docker
  containers.ids:
  - '*'
  processors:
  - add_kubernetes_metadata:
      in_cluster: true

output.elasticsearch:
  hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}'
  username: "elastic"
  password: "elasticpassword"