feat(apps): restructure apps deployment, add Penpot HelmRelease, and refactor CDN ingress

This commit is contained in:
rohow
2026-05-22 16:18:32 +08:00
Not verified
parent c994697d7a
commit 15522bbaa8
24 changed files with 292 additions and 75 deletions
+3
@@ -12,3 +12,6 @@ GITEA_ACTIONS_TOKEN=placeholder
# Flux Operator Web OIDC 凭据(Gitea 启动后创建 OAuth2 应用获取,Redirect URI: https://cd.dev.cm/oauth2/callback
FLUX_WEB_OIDC_CLIENT_ID=placeholder
FLUX_WEB_OIDC_CLIENT_SECRET=placeholder
# Penpot 凭据
PENPOT_API_SECRET_KEY=placeholder
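Review bot: the comment above `PENPOT_API_SECRET_KEY` says only `# Penpot 凭据`, while the Flux OIDC entry just above it tells the operator exactly where that credential comes from and what it must match. Give this one the same treatment, e.g. `# Penpot API secret key: generate once as a long random value; Penpot signs tokens with it, so rotating it later invalidates everything it has signed`. A placeholder that is never replaced will otherwise be accepted silently, because nothing in the chain validates the length or entropy of this value.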
+27 -15
@@ -5,16 +5,21 @@
```
flux/
├── clusters/
── dev-cm/ # 集群级别编排
├── kustomization.yaml # 资源列表
├── sources.yaml # HelmRepository 源
├── kube-system.yaml # CoreDNS / NodeLocalDNS
├── infra-devops.yaml # cert-manager / reflector / velero
├── infra-data.yaml # CNPG / Valkey
├── infra-monitor.yaml # Loki / Prometheus (+ post: Promtail)
├── infra-net.yaml # Nginx / CrowdSec / Tailscale
── infra-gitops.yaml # Gitea (+ post: Gitea Actions / Flux Web)
└── apps.yaml # Halo / RustDesk / Fillcode / SinceAI
── base/ # 基础集群编排,仅部署 infrastructure
├── kustomization.yaml # infrastructure 资源列表
├── sources.yaml # infrastructure HelmRepository 源
├── kube-system.yaml # CoreDNS / NodeLocalDNS
├── infra-devops.yaml # cert-manager / reflector / velero
├── infra-data.yaml # CNPG / Valkey
├── infra-monitor.yaml # Loki / Prometheus (+ post: Promtail)
├── infra-net.yaml # Nginx / CrowdSec / Tailscale
── infra-gitops.yaml # Gitea (+ post: Gitea Actions / Flux Web)
└── dev-cm/ # dev-cm 集群 overlay,额外部署 apps
│ ├── kustomization.yaml # 引入 base,并追加 apps / app 依赖层
│ ├── apps-sources.yaml # app HelmRepository 源
│ ├── apps-secrets.yaml # apps namespace 与 app 专属 Secret
│ ├── apps.yaml # Halo / RustDesk / Penpot / Fillcode / SinceAI
│ └── apps-post.yaml # CDN Ingress(依赖 apps
├── infrastructure/
│ ├── sources/ # 所有 HelmRepository 定义
│ ├── kube-system/ # CoreDNS 自定义 + NodeLocalDNS
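Review bot: the `apps.yaml` line under `dev-cm/` lists `Halo / RustDesk / Penpot / Fillcode / SinceAI`, but `flux/apps/kustomization.yaml` in this same commit still applies `helmrelease-whoami.yaml`; the old tree mentioned Whoami on the `apps/` line that this hunk removes. Either add Whoami to the listing or state that it is a test workload left out on purpose, so the README stays an accurate inventory of what reaches the cluster.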
@@ -24,12 +29,18 @@ flux/
│ │ ├── post-1/ # PG Cluster / ObjectStore / databases / LB
│ │ └── post-2/ # Reflector secret annotations
│ ├── infra-net/ # ingress-nginx, CrowdSec, Tailscale DERP, 证书
│ │ └── post/ # CDN Ingress(依赖 apps,打破循环)
│ ├── infra-monitor/ # Loki, Prometheus+Grafana
│ │ └── post/ # Promtail(依赖 infra-net,打破循环)
│ └── infra-gitops/ # Gitea
│ └── post/ # Gitea Actions + flux-operator WebOIDC/Ingress
└── apps/ # Halo, RustDesk, Whoami, 证书, Ingress
└── apps/
├── sources/ # app HelmRepository 定义
├── secrets/ # apps namespace 与 app 专属 Secret
├── post/ # CDN Ingress(依赖 apps,且引用部分 infra 服务)
├── helmrelease-halo.yaml # Halo
├── helmrelease-rustdesk.yaml # RustDesk
├── helmrelease-penpot.yaml # Penpot
└── ... # app 证书与 Ingress
```
## 前置准备
@@ -62,12 +73,12 @@ sources → secrets → kube-system → infra-devops → infra-data → infra-da
→ infra-monitor → infra-net → infra-devops-post
→ infra-monitor-post (Promtail)
→ infra-gitops
→ apps
infra-net-post (CDN Ingress)
apps-sources → apps-secrets → apps
apps-post (CDN Ingress)
→ infra-gitops-post (suspend=true,需手工凭据)
```
Kustomization 间通过 `dependsOn` + `wait: true` 串行等待,避免顺序错乱。
`clusters/base` 只包含到 `infra-gitops-post` 为止的 infrastructure 部署;`apps-sources``apps-secrets``apps``apps-post` 只在 `clusters/dev-cm` 中声明。Kustomization 间通过 `dependsOn` + `wait: true` 串行等待,避免顺序错乱。
## 部署后手工步骤(infra-gitops-post
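Review bot: the sentence `Kustomization 间通过 dependsOn + wait: true 串行等待,避免顺序错乱。` now appears twice, once on its own line and again at the end of the new paragraph; drop one copy. In that paragraph the four names `apps-sources``apps-secrets``apps``apps-post` run together with no separators; write them as `apps-sources` / `apps-secrets` / `apps` / `apps-post`, or with `→` to match the diagram. The diagram itself puts `apps-post (CDN Ingress)` under the chain without an arrow from `apps`, while `apps-post.yaml` in this commit declares `dependsOn: apps`; an explicit `→ apps-post` would keep the picture and the manifest in step.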
@@ -128,4 +139,5 @@ spec:
- **`infra-devops-post`**cert-manager 首次安装时不能依赖 `ServiceMonitor` CRD;post 层只在监控栈就绪后下发 `ClusterIssuer` 与可选 values ConfigMap,避免多个 Kustomization 共同管理同一个 HelmRelease。
- **`infra-monitor-post` (Promtail)**Promtail 依赖至少一个带 `devcm-log-collecting/enabled` 标签的 Podingress-nginx);而 `infra-net` 又依赖 `infra-monitor` 的 CRD。Promtail 放到 post 层并 `dependsOn: infra-net`,打破循环。
- **`apps-post` (CDN Ingress)**CDN Ingress 会引用 `apps`、`infra-gitops`、`infra-monitor` 中的服务,因此不属于 base;只在 `dev-cm` 中声明,并依赖对应服务层。
- **`infra-gitops-post` (Gitea Actions + Flux Web)**:凭据必须在 Gitea 启动后手工创建;放在 post 层并默认 suspend,避免阻塞 bootstrap。
+74
@@ -0,0 +1,74 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: penpot
namespace: apps
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: penpot
version: 0.43.0
sourceRef:
kind: HelmRepository
name: penpot
namespace: infra-gitops
interval: 12h
postRenderers:
- kustomize:
patches:
- target:
kind: Deployment
name: penpot-backend
patch: |
- op: add
path: /spec/template/spec/containers/0/env/8
value:
name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: valkey-cluster-sh
key: valkey-password
- target:
kind: Deployment
name: penpot-exporter
patch: |
- op: add
path: /spec/template/spec/containers/0/env/2
value:
name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: valkey-cluster-sh
key: valkey-password
values:
global:
postgresqlEnabled: false
valkeyEnabled: false
redisEnabled: false
config:
publicUri: https://penpot.dev.cm
existingSecret: penpot
secretKeys:
apiSecretKey: api-secret-key
postgresql:
host: cnpg17-cluster-sh-rw.infra-data
port: 5432
database: penpot
existingSecret: cnpg17-cluster-sh-app
secretKeys:
usernameKey: username
passwordKey: password
redis:
host: :$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data
port: 6379
database: 0
backend:
podAnnotations:
backup.velero.io/backup-volumes: app-data
ingress:
enabled: true
className: nginx
hosts:
- penpot.dev.cm
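Review bot: the two post-render patches insert `REDIS_PASSWORD` at fixed env indices (`/env/8`, `/env/2`), and the index is load-bearing rather than cosmetic: Kubernetes only expands `$(REDIS_PASSWORD)` inside the Redis URI when that variable is declared earlier in the same `env` list, so the patch must land before the chart's own Redis URI entry. Nothing records that requirement, and a chart bump that reorders or adds env entries fails in one of two ways: an out-of-range index makes the `add` op (and the whole post-render) error out, which is loud, while an in-range but wrong index places the variable after its consumer and the container starts with the literal string `$(REDIS_PASSWORD)` in its URI, which is quiet and surfaces only as a Valkey authentication failure. Suggest a comment next to each `path` stating why that index was chosen and, after any change to `version: 0.43.0`, checking the rendered order with `kubectl -n apps get deploy penpot-backend -o jsonpath='{.spec.template.spec.containers[0].env[*].name}'`. Also `ingress` lists `penpot.dev.cm` with no `tls` block while `publicUri` is `https://`; if TLS is terminated by the CDN layer or by a separate Ingress (the README tree mentions app certificates), a one-line comment here saves the next reader from assuming the certificate is missing.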
+4 -4
@@ -4,8 +4,8 @@ metadata:
name: halo-static
namespace: apps
annotations:
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/proxy-buffering: "on"
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_cache cache;
proxy_cache_valid 200 302 7d;
@@ -17,9 +17,6 @@ metadata:
add_header X-Cache-Status $upstream_cache_status;
spec:
ingressClassName: nginx
tls:
- hosts:
- dev.cm
rules:
- host: dev.cm
http:
@@ -31,3 +28,6 @@ spec:
name: halo
port:
number: 80
tls:
- hosts:
- dev.cm
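Review bot: the relocated `tls` entry lists `hosts` with no `secretName`, so ingress-nginx will serve whatever certificate it was started with via `--default-ssl-certificate` for `dev.cm`. That is a valid pattern when the default certificate is the cluster wildcard, but it reads like an omission; a short comment (`# secretName omitted on purpose: controller default cert covers dev.cm`) makes the intent auditable and stops someone "fixing" it by pointing at a Secret that the reflector does not mirror into `apps`.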
-1
@@ -4,7 +4,6 @@ metadata:
name: sinceai-shop
namespace: apps
annotations:
# 302 跳转到https://sinceai.taobao.com/
nginx.ingress.kubernetes.io/configuration-snippet: |
rewrite ^/(.*)$ https://sinceai.taobao.com/$1? permanent;
spec:
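Review bot: the removed comment was wrong (`rewrite ... permanent` emits a 301, not a 302), but deleting it leaves the rewrite undocumented; replace it with an accurate one, e.g. `# 301 permanent redirect to https://sinceai.taobao.com/`. The same comment is the right place to note that `configuration-snippet` only takes effect when the controller runs with `allow-snippet-annotations` enabled, a setting that lets any Ingress author in the cluster inject raw nginx directives; the snippets in this namespace (`halo-static` uses one for caching too) are the reason that setting stays on, so they deserve the same review attention as code.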
+1 -1
@@ -1,7 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- certificate-fillcode-com.yaml
- certificate-sinceai-com.yaml
- helmrelease-halo.yaml
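Review bot: removing `namespace.yaml` from a Kustomization that runs with `prune: true` means the `apps` Kustomization will garbage-collect the `apps` Namespace, and every workload in it, unless another Kustomization has already taken ownership; Flux's garbage collector skips only objects whose `kustomize.toolkit.fluxcd.io/name` and `namespace` identity labels no longer point at it. The ordering in this commit is right, because `apps` now depends on `apps-secrets`, which applies `secrets/namespaces.yaml` first and relabels the Namespace, but that dependency edge is the only thing standing between this change and a deleted namespace. Before merging, verify on a cluster that `kubectl get ns apps -o jsonpath='{.metadata.labels}'` shows `apps-secrets` as the owner, and consider adding `kustomize.toolkit.fluxcd.io/prune: disabled` to the Namespace manifest as a belt-and-braces guard, as the shared Secrets in this repo already do.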
@@ -11,3 +10,4 @@ resources:
- ingress-sinceai-shop.yaml
- helmrelease-whoami.yaml
- helmrelease-rustdesk.yaml
- helmrelease-penpot.yaml
+5
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespaces.yaml
- penpot.yaml
+10
@@ -0,0 +1,10 @@
# Penpot runtime secrets
apiVersion: v1
kind: Secret
metadata:
name: penpot
namespace: apps
type: Opaque
stringData:
api-secret-key: |-
${PENPOT_API_SECRET_KEY}
+32
@@ -0,0 +1,32 @@
# whoami
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: cowboysysop
namespace: infra-gitops
spec:
interval: 168h
timeout: 5m
url: https://cowboysysop.github.io/charts/
---
# halo
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: halo
namespace: infra-gitops
spec:
interval: 168h
timeout: 5m
url: https://halo-sigs.github.io/charts/
---
# penpot
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: penpot
namespace: infra-gitops
spec:
interval: 168h
timeout: 5m
url: https://helm.penpot.app
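Review bot: these HelmRepository objects live in `infra-gitops` but are consumed from the `apps` namespace (`helmrelease-penpot.yaml` sets `sourceRef.namespace: infra-gitops`). That works only while helm-controller runs without `--no-cross-namespace-refs=true`; that flag is the standard Flux multi-tenancy lockdown, and turning it on later will break every app release at once. If tenant isolation between `apps` and `infra-gitops` is not a goal for this cluster, record the decision in the README; otherwise put app sources in the `apps` namespace, which the new `apps-sources` layer makes a one-line change, and drop the cross-namespace `sourceRef`.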
+4
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-repositories.yaml
-19
@@ -18,22 +18,3 @@ spec:
- name: infra-devops
- name: infra-devops-post
- name: infra-monitor
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-net-post
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-net/post
prune: true
wait: true
dependsOn:
- name: apps
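Review bot: deleting the `infra-net-post` Kustomization from base means the cluster-level Kustomization prunes the object, and its finalizer then garbage-collects the CDN Ingress resources it owned; the new `apps-post` recreates them from `./flux/apps/post`, but only after its own dependency chain reports Ready, so on an existing cluster expect the CDN hostnames to return errors at the edge for that window. If that matters, apply the `dev-cm` side first so `apps-post` adopts the Ingresses and the old Kustomization's garbage collection skips them, then remove the base entry in a follow-up commit; otherwise note the expected blip in the commit message.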
-1
@@ -9,4 +9,3 @@ resources:
- infra-net.yaml
- infra-monitor.yaml
- infra-gitops.yaml
- apps.yaml
@@ -1,7 +1,7 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apps
name: apps-post
namespace: infra-gitops
spec:
interval: 30m
@@ -10,9 +10,11 @@ spec:
sourceRef:
kind: GitRepository
name: flux
path: ./flux/apps
path: ./flux/apps/post
prune: true
wait: true
dependsOn:
- name: infra-data-post-2
- name: infra-net
- name: infra-gitops
- name: infra-monitor
- name: apps
+21
@@ -0,0 +1,21 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apps-secrets
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/apps/secrets
prune: false
wait: true
dependsOn:
- name: apps-sources
postBuild:
substituteFrom:
- kind: Secret
name: flux-env
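Review bot: `prune: false` is the right choice for a layer that owns the Namespace and Secrets, but combined with `wait: true` and the fact that `apps` depends on this Kustomization, an unresolved `${PENPOT_API_SECRET_KEY}` blocks the entire app layer, not just Penpot. Make sure the `flux-env` Secret in `infra-gitops` has been updated with the new key before this merges; a check that does not print the value is `kubectl -n infra-gitops get secret flux-env -o jsonpath='{.data.PENPOT_API_SECRET_KEY}' | wc -c`, which should be well above the length of the base64-encoded word `placeholder`.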
+17
@@ -0,0 +1,17 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apps-sources
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/apps/sources
prune: true
wait: true
dependsOn:
- name: sources
+68
@@ -2,7 +2,21 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apps
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/apps
prune: true
dependsOn:
- name: apps-sources
- name: apps-secrets
- name: infra-data-post-2
- name: infra-net
patches:
- target:
kind: HelmRelease
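Review bot: the `apps` Kustomization spec written here has `prune: true` and a `dependsOn` list but no `wait: true`, while every other layer in this commit (`apps-sources`, `apps-secrets`, `apps-post`) sets it and the README states that layers are serialized with `dependsOn` + `wait: true`. Without `wait`, `apps` reports Ready as soon as its manifests are applied, not when the HelmReleases have installed, so `apps-post` can start creating CDN Ingresses that point at Services which do not exist yet; ingress-nginx tolerates that, but the ordering guarantee the README promises does not actually hold. Add `wait: true` (or `healthChecks` on the HelmReleases) unless the omission is deliberate, in which case a comment should say why.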
@@ -40,3 +54,57 @@ spec:
values:
nodeSelector:
kubernetes.io/hostname: tcd
- target:
kind: HelmRelease
name: penpot
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: penpot
spec:
values:
backend:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homea
frontend:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homea
exporter:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homea
mcp:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homea
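Review bot: the four affinity stanzas for `backend`, `frontend`, `exporter` and `mcp` are byte-identical, which is easy to let drift on the next edit. Because they sit inside a single `patch: |` YAML document, an anchor keeps them in sync: declare `affinity: &homea` under `backend` and use `affinity: *homea` for the other three, provided the kustomize version in use resolves anchors in patch bodies (verify with `flux build kustomization` before relying on it). Also note this is `preferredDuringScheduling...` with `weight: 1`, so nothing actually pins Penpot to `homea`; if the Velero-backed `app-data` volume on the backend is node-local storage, that pod is really bound by the PV's node affinity, and a comment saying which of the two is doing the pinning would help the next person debugging a Pending pod.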
@@ -11,6 +11,17 @@ spec:
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-sh-penpot
namespace: infra-data
spec:
name: penpot
owner: app
cluster:
name: cnpg17-cluster-sh
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-sh-grafana
namespace: infra-data
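Review bot: the new `penpot` database is owned by the shared `app` role, the same one `grafana` below uses and the one `helmrelease-penpot.yaml` authenticates with through `cnpg17-cluster-sh-app`. One credential that owns every application database means a compromise of any single app, or of the reflected Secret in any namespace it is mirrored into, reaches all of them. CNPG's `Database` resource accepts any role as `owner`, and a per-app role declared under the Cluster's `managed.roles` with its own password Secret would keep Penpot confined to its own database at little cost. If the shared owner is a deliberate trade-off for this environment, a comment here saying so would stop it being copied as the pattern for the next app.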
@@ -20,9 +20,9 @@ metadata:
kustomize.toolkit.fluxcd.io/prune: disabled
kustomize.toolkit.fluxcd.io/ssa: Merge
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-gitops,infra-monitor"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops,infra-monitor"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-gitops,infra-monitor"
---
apiVersion: v1
kind: Secret
@@ -33,6 +33,6 @@ metadata:
kustomize.toolkit.fluxcd.io/prune: disabled
kustomize.toolkit.fluxcd.io/ssa: Merge
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-gitops"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-gitops"
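Review bot: widening both Secrets' reflection to include `apps` gives every pod in that namespace with Secret read access the same data-layer credentials the infra namespaces hold; reflector copies the whole Secret, not just the keys Penpot consumes. Since `apps` is where the most third-party charts run, it is the namespace where a least-privilege split (per-app database role, per-app Valkey ACL user) would pay off most. At minimum, confirm no broad Secret-reading RBAC exists there (`kubectl -n apps get rolebindings,roles -o wide`) and that the charts being deployed do not request it.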
+4 -4
@@ -2,6 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
- apps-sources.yaml
- apps-secrets.yaml
- apps.yaml
- apps-post.yaml
patches:
- target:
kind: Kustomization
@@ -43,7 +47,3 @@ patches:
kind: Kustomization
name: infra-gitops-post
path: infra-gitops-post.yaml
- target:
kind: Kustomization
name: apps
path: apps.yaml
@@ -7,9 +7,9 @@ metadata:
kustomize.toolkit.fluxcd.io/prune: disabled
kustomize.toolkit.fluxcd.io/ssa: Merge
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net,infra-gitops,infra-monitor"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-net,infra-gitops,infra-monitor"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net,infra-gitops,infra-monitor"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-net,infra-gitops,infra-monitor"
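Review bot: dropping `apps` from this Secret's reflection lists stops future updates from reaching the `apps` namespace, but check whether reflector actually deletes the existing mirror or leaves a stale copy behind; a stale copy keeps old credential material readable in the namespace you just decided should not have it. Run `kubectl -n apps get secret` after reconciliation and delete the leftover by hand if it is still there, and confirm nothing in `apps` (the Ingresses in `flux/apps/post` in particular) still references it.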
---
apiVersion: v1
kind: Secret
@@ -131,24 +131,3 @@ spec:
timeout: 5m
url: https://dl.gitea.com/charts
---
# whoami
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: cowboysysop
namespace: infra-gitops
spec:
interval: 168h
timeout: 5m
url: https://cowboysysop.github.io/charts/
---
# halo
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: halo
namespace: infra-gitops
spec:
interval: 168h
timeout: 5m
url: https://halo-sigs.github.io/charts/
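Review bot: the `cowboysysop` and `halo` HelmRepositories move from the `sources` Kustomization to the new `apps-sources` one with identical names and namespace. On an existing cluster `sources` (which has `prune: true`) will most likely reconcile first, garbage-collect both objects, and `apps-sources` then recreates them once its `dependsOn: sources` is satisfied; installed releases keep running, but any HelmRelease reconciliation that falls into that gap fails with a missing-source error and Flux emits a `HelmRepository` deletion event. Harmless, but worth a sentence in the commit message or README so the transient errors are not mistaken for a broken migration.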