diff --git a/.env.sample b/.env.sample index 5d7d411..ef4c9a9 100644 --- a/.env.sample +++ b/.env.sample @@ -12,3 +12,6 @@ GITEA_ACTIONS_TOKEN=placeholder # Flux Operator Web OIDC 凭据(Gitea 启动后创建 OAuth2 应用获取,Redirect URI: https://cd.dev.cm/oauth2/callback) FLUX_WEB_OIDC_CLIENT_ID=placeholder FLUX_WEB_OIDC_CLIENT_SECRET=placeholder + +# Penpot 凭据 +PENPOT_API_SECRET_KEY=placeholder diff --git a/flux/README.md b/flux/README.md index 9580391..390c7f5 100644 --- a/flux/README.md +++ b/flux/README.md @@ -5,16 +5,21 @@ ``` flux/ ├── clusters/ -│ └── dev-cm/ # 集群级别编排 -│ ├── kustomization.yaml # 资源列表 -│ ├── sources.yaml # HelmRepository 源 -│ ├── kube-system.yaml # CoreDNS / NodeLocalDNS -│ ├── infra-devops.yaml # cert-manager / reflector / velero -│ ├── infra-data.yaml # CNPG / Valkey -│ ├── infra-monitor.yaml # Loki / Prometheus (+ post: Promtail) -│ ├── infra-net.yaml # Nginx / CrowdSec / Tailscale -│ ├── infra-gitops.yaml # Gitea (+ post: Gitea Actions / Flux Web) -│ └── apps.yaml # Halo / RustDesk / Fillcode / SinceAI +│ ├── base/ # 基础集群编排,仅部署 infrastructure +│ │ ├── kustomization.yaml # infrastructure 资源列表 +│ │ ├── sources.yaml # infrastructure HelmRepository 源 +│ │ ├── kube-system.yaml # CoreDNS / NodeLocalDNS +│ │ ├── infra-devops.yaml # cert-manager / reflector / velero +│ │ ├── infra-data.yaml # CNPG / Valkey +│ │ ├── infra-monitor.yaml # Loki / Prometheus (+ post: Promtail) +│ │ ├── infra-net.yaml # Nginx / CrowdSec / Tailscale +│ │ └── infra-gitops.yaml # Gitea (+ post: Gitea Actions / Flux Web) +│ └── dev-cm/ # dev-cm 集群 overlay,额外部署 apps +│ ├── kustomization.yaml # 引入 base,并追加 apps / app 依赖层 +│ ├── apps-sources.yaml # app HelmRepository 源 +│ ├── apps-secrets.yaml # apps namespace 与 app 专属 Secret +│ ├── apps.yaml # Halo / RustDesk / Penpot / Fillcode / SinceAI +│ └── apps-post.yaml # CDN Ingress(依赖 apps) ├── infrastructure/ │ ├── sources/ # 所有 HelmRepository 定义 │ ├── kube-system/ # CoreDNS 自定义 + NodeLocalDNS 
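Review bot: `PENPOT_API_SECRET_KEY=placeholder` carries no hint of the expected form, unlike the OIDC block above it, and the placeholder is itself a syntactically valid value that would be deployed unchanged if someone copies the sample into `.env`. Penpot presumably uses this key to sign or encrypt tokens, so a generation hint belongs next to it, e.g. `# Penpot API secret key: long random string (e.g. openssl rand -base64 48); rotating it invalidates tokens already issued`. The exact effect of rotation should be confirmed against the Penpot documentation for the chart version pinned in helmrelease-penpot.yaml before that comment is committed.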
@@ -24,12 +29,18 @@ flux/ │ │ ├── post-1/ # PG Cluster / ObjectStore / databases / LB │ │ └── post-2/ # Reflector secret annotations │ ├── infra-net/ # ingress-nginx, CrowdSec, Tailscale DERP, 证书 -│ │ └── post/ # CDN Ingress(依赖 apps,打破循环) │ ├── infra-monitor/ # Loki, Prometheus+Grafana │ │ └── post/ # Promtail(依赖 infra-net,打破循环) │ └── infra-gitops/ # Gitea │ └── post/ # Gitea Actions + flux-operator Web(OIDC/Ingress) -└── apps/ # Halo, RustDesk, Whoami, 证书, Ingress +└── apps/ + ├── sources/ # app HelmRepository 定义 + ├── secrets/ # apps namespace 与 app 专属 Secret + ├── post/ # CDN Ingress(依赖 apps,且引用部分 infra 服务) + ├── helmrelease-halo.yaml # Halo + ├── helmrelease-rustdesk.yaml # RustDesk + ├── helmrelease-penpot.yaml # Penpot + └── ... # app 证书与 Ingress ``` ## 前置准备 @@ -62,12 +73,12 @@ sources → secrets → kube-system → infra-devops → infra-data → infra-da → infra-monitor → infra-net → infra-devops-post → infra-monitor-post (Promtail) → infra-gitops - → apps - → infra-net-post (CDN Ingress) + → apps-sources → apps-secrets → apps + → apps-post (CDN Ingress) → infra-gitops-post (suspend=true,需手工凭据) ``` -Kustomization 间通过 `dependsOn` + `wait: true` 串行等待,避免顺序错乱。 +`clusters/base` 只包含到 `infra-gitops-post` 为止的 infrastructure 部署;`apps-sources`、`apps-secrets`、`apps`、`apps-post` 只在 `clusters/dev-cm` 中声明。Kustomization 间通过 `dependsOn` + `wait: true` 串行等待,避免顺序错乱。 ## 部署后手工步骤(infra-gitops-post) 
@@ -128,4 +139,5 @@ spec: - **`infra-devops-post`**:cert-manager 首次安装时不能依赖 `ServiceMonitor` CRD;post 层只在监控栈就绪后下发 `ClusterIssuer` 与可选 values ConfigMap,避免多个 Kustomization 共同管理同一个 HelmRelease。 - **`infra-monitor-post` (Promtail)**:Promtail 依赖至少一个带 `devcm-log-collecting/enabled` 标签的 Pod(ingress-nginx);而 `infra-net` 又依赖 `infra-monitor` 的 CRD。Promtail 放到 post 层并 `dependsOn: infra-net`,打破循环。 +- **`apps-post` (CDN Ingress)**:CDN Ingress 会引用 `apps`、`infra-gitops`、`infra-monitor` 中的服务,因此不属于 base;只在 `dev-cm` 中声明,并依赖对应服务层。 - **`infra-gitops-post` (Gitea Actions + Flux Web)**:凭据必须在 Gitea 启动后手工创建;放在 post 层并默认 suspend,避免阻塞 bootstrap。 diff --git a/flux/apps/helmrelease-penpot.yaml b/flux/apps/helmrelease-penpot.yaml new file mode 100644 index 0000000..b002f05 --- /dev/null +++ b/flux/apps/helmrelease-penpot.yaml 
@@ -0,0 +1,74 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: penpot + namespace: apps +spec: + interval: 30m + timeout: 15m + chart: + spec: + chart: penpot + version: 0.43.0 + sourceRef: + kind: HelmRepository + name: penpot + namespace: infra-gitops + interval: 12h + postRenderers: + - kustomize: + patches: + - target: + kind: Deployment + name: penpot-backend + patch: | + - op: add + path: /spec/template/spec/containers/0/env/8 + value: + name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: valkey-cluster-sh + key: valkey-password + - target: + kind: Deployment + name: penpot-exporter + patch: | + - op: add + path: /spec/template/spec/containers/0/env/2 + value: + name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: valkey-cluster-sh + key: valkey-password + values: + global: + postgresqlEnabled: false + valkeyEnabled: false + redisEnabled: false + config: + publicUri: https://penpot.dev.cm + existingSecret: penpot + secretKeys: + apiSecretKey: api-secret-key + postgresql: + host: cnpg17-cluster-sh-rw.infra-data + port: 5432 + database: penpot + existingSecret: cnpg17-cluster-sh-app + secretKeys: + usernameKey: username + passwordKey: password + redis: + host: :$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data + port: 6379 + database: 0 + backend: + podAnnotations: + backup.velero.io/backup-volumes: app-data + ingress: + enabled: true + className: nginx + hosts: + - penpot.dev.cm diff --git a/flux/apps/ingress-halo-static.yaml b/flux/apps/ingress-halo-static.yaml index 1766567..cce53ce 100644 --- a/flux/apps/ingress-halo-static.yaml +++ b/flux/apps/ingress-halo-static.yaml @@ -4,8 +4,8 @@ metadata: name: halo-static namespace: apps annotations: - nginx.ingress.kubernetes.io/use-regex: "true" nginx.ingress.kubernetes.io/proxy-buffering: "on" + nginx.ingress.kubernetes.io/use-regex: "true" nginx.ingress.kubernetes.io/configuration-snippet: | proxy_cache cache; proxy_cache_valid 200 302 7d; 
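Review bot: The two postRenderer patches insert `REDIS_PASSWORD` at fixed env indexes (`/env/8` for penpot-backend, `/env/2` for penpot-exporter) so that the `$(REDIS_PASSWORD)` in `config.redis.host` is expanded by Kubernetes, which only works when the referenced variable precedes the consumer in the container's env list; any reordering of the chart's env on a `version` bump will either fail the patch or leave the literal `$(REDIS_PASSWORD)` in the Redis URI, and a password containing `@`, `/`, `:` or `#` is not URL-encoded by that expansion. I would add a comment above `postRenderers` stating that the indexes are specific to chart 0.43.0 and must be re-verified on upgrade, and prefer a chart-native Redis password/existingSecret value if 0.43.0 exposes one. Separately, `publicUri` is `https://penpot.dev.cm` but the `ingress` values carry no `tls` block, so unless the CDN Ingress or the default nginx certificate terminates TLS for this host, the published URL will not be served with a valid certificate; the other Ingress objects in `flux/apps` declare `tls.hosts`, so `tls: [{hosts: [penpot.dev.cm]}]` would match them.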
@@ -17,9 +17,6 @@ metadata: add_header X-Cache-Status $upstream_cache_status; spec: ingressClassName: nginx - tls: - - hosts: - - dev.cm rules: - host: dev.cm http: @@ -31,3 +28,6 @@ spec: name: halo port: number: 80 + tls: + - hosts: + - dev.cm diff --git a/flux/apps/ingress-sinceai-shop.yaml b/flux/apps/ingress-sinceai-shop.yaml index 46f37bc..1816293 100644 --- a/flux/apps/ingress-sinceai-shop.yaml +++ b/flux/apps/ingress-sinceai-shop.yaml @@ -4,7 +4,6 @@ metadata: name: sinceai-shop namespace: apps annotations: - # 302 跳转到https://sinceai.taobao.com/ nginx.ingress.kubernetes.io/configuration-snippet: | rewrite ^/(.*)$ https://sinceai.taobao.com/$1? permanent; spec: diff --git a/flux/apps/kustomization.yaml b/flux/apps/kustomization.yaml index a7c442d..34e8bc7 100644 --- a/flux/apps/kustomization.yaml +++ b/flux/apps/kustomization.yaml @@ -1,7 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - namespace.yaml - certificate-fillcode-com.yaml - certificate-sinceai-com.yaml - helmrelease-halo.yaml @@ -11,3 +10,4 @@ resources: - ingress-sinceai-shop.yaml - helmrelease-whoami.yaml - helmrelease-rustdesk.yaml + - helmrelease-penpot.yaml diff --git a/flux/infrastructure/infra-net/post/ingress-cdn.yaml b/flux/apps/post/ingress-cdn.yaml similarity index 100% rename from flux/infrastructure/infra-net/post/ingress-cdn.yaml rename to flux/apps/post/ingress-cdn.yaml diff --git a/flux/infrastructure/infra-net/post/kustomization.yaml b/flux/apps/post/kustomization.yaml similarity index 100% rename from flux/infrastructure/infra-net/post/kustomization.yaml rename to flux/apps/post/kustomization.yaml diff --git a/flux/apps/secrets/kustomization.yaml b/flux/apps/secrets/kustomization.yaml new file mode 100644 index 0000000..51268d8 --- /dev/null +++ b/flux/apps/secrets/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespaces.yaml + - penpot.yaml 
diff --git a/flux/apps/namespace.yaml b/flux/apps/secrets/namespaces.yaml similarity index 100% rename from flux/apps/namespace.yaml rename to flux/apps/secrets/namespaces.yaml diff --git a/flux/apps/secrets/penpot.yaml b/flux/apps/secrets/penpot.yaml new file mode 100644 index 0000000..89769e9 --- /dev/null +++ b/flux/apps/secrets/penpot.yaml @@ -0,0 +1,10 @@ +# Penpot runtime secrets +apiVersion: v1 +kind: Secret +metadata: + name: penpot + namespace: apps +type: Opaque +stringData: + api-secret-key: |- + ${PENPOT_API_SECRET_KEY} diff --git a/flux/apps/sources/helm-repositories.yaml b/flux/apps/sources/helm-repositories.yaml new file mode 100644 index 0000000..90213c1 --- /dev/null +++ b/flux/apps/sources/helm-repositories.yaml @@ -0,0 +1,32 @@ +# whoami +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: cowboysysop + namespace: infra-gitops +spec: + interval: 168h + timeout: 5m + url: https://cowboysysop.github.io/charts/ +--- +# halo +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: halo + namespace: infra-gitops +spec: + interval: 168h + timeout: 5m + url: https://halo-sigs.github.io/charts/ +--- +# penpot +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: penpot + namespace: infra-gitops +spec: + interval: 168h + timeout: 5m + url: https://helm.penpot.app diff --git a/flux/apps/sources/kustomization.yaml b/flux/apps/sources/kustomization.yaml new file mode 100644 index 0000000..df39355 --- /dev/null +++ b/flux/apps/sources/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - helm-repositories.yaml diff --git a/flux/clusters/base/infra-net.yaml b/flux/clusters/base/infra-net.yaml index 4feeec9..b4980c7 100644 --- a/flux/clusters/base/infra-net.yaml +++ b/flux/clusters/base/infra-net.yaml 
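Review bot: `${PENPOT_API_SECRET_KEY}` is only as strong as what the `flux-env` Secret holds, and as far as I recall kustomize-controller does not fail reconciliation for an unset variable unless the `StrictPostBuildSubstitutions` feature gate is enabled, so a missing key would still produce a Secret — with an empty or placeholder value — that Penpot happily starts with. I would say so in the header comment, e.g. `# api-secret-key is substituted from the flux-env Secret (PENPOT_API_SECRET_KEY); confirm it is set to a long random value before apps is reconciled`, and consider enabling strict substitution on the controller so bootstrap fails closed instead of deploying a weak key.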
@@ -18,22 +18,3 @@ spec: - name: infra-devops - name: infra-devops-post - name: infra-monitor - ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: infra-net-post - namespace: infra-gitops -spec: - interval: 30m - timeout: 15m - retryInterval: 1m - sourceRef: - kind: GitRepository - name: flux - path: ./flux/infrastructure/infra-net/post - prune: true - wait: true - dependsOn: - - name: apps diff --git a/flux/clusters/base/kustomization.yaml b/flux/clusters/base/kustomization.yaml index 00a9802..625bc36 100644 --- a/flux/clusters/base/kustomization.yaml +++ b/flux/clusters/base/kustomization.yaml @@ -9,4 +9,3 @@ resources: - infra-net.yaml - infra-monitor.yaml - infra-gitops.yaml - - apps.yaml diff --git a/flux/clusters/base/apps.yaml b/flux/clusters/dev-cm/apps-post.yaml similarity index 74% rename from flux/clusters/base/apps.yaml rename to flux/clusters/dev-cm/apps-post.yaml index e52f4bb..204ec02 100644 --- a/flux/clusters/base/apps.yaml +++ b/flux/clusters/dev-cm/apps-post.yaml @@ -1,7 +1,7 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: apps + name: apps-post namespace: infra-gitops spec: interval: 30m @@ -10,9 +10,11 @@ spec: sourceRef: kind: GitRepository name: flux - path: ./flux/apps + path: ./flux/apps/post prune: true + wait: true dependsOn: - - name: infra-data-post-2 - name: infra-net - name: infra-gitops + - name: infra-monitor + - name: apps diff --git a/flux/clusters/dev-cm/apps-secrets.yaml b/flux/clusters/dev-cm/apps-secrets.yaml new file mode 100644 index 0000000..007ddc8 --- /dev/null +++ b/flux/clusters/dev-cm/apps-secrets.yaml 
@@ -0,0 +1,21 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: apps-secrets + namespace: infra-gitops +spec: + interval: 30m + timeout: 15m + retryInterval: 1m + sourceRef: + kind: GitRepository + name: flux + path: ./flux/apps/secrets + prune: false + wait: true + dependsOn: + - name: apps-sources + postBuild: + substituteFrom: + - kind: Secret + name: flux-env diff --git a/flux/clusters/dev-cm/apps-sources.yaml b/flux/clusters/dev-cm/apps-sources.yaml new file mode 100644 index 0000000..d88c5a5 --- /dev/null +++ b/flux/clusters/dev-cm/apps-sources.yaml @@ -0,0 +1,17 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: apps-sources + namespace: infra-gitops +spec: + interval: 30m + timeout: 15m + retryInterval: 1m + sourceRef: + kind: GitRepository + name: flux + path: ./flux/apps/sources + prune: true + wait: true + dependsOn: + - name: sources diff --git a/flux/clusters/dev-cm/apps.yaml b/flux/clusters/dev-cm/apps.yaml index 7961ecb..afbd6ad 100644 --- a/flux/clusters/dev-cm/apps.yaml +++ b/flux/clusters/dev-cm/apps.yaml @@ -2,7 +2,21 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: apps + namespace: infra-gitops spec: + interval: 30m + timeout: 15m + retryInterval: 1m + sourceRef: + kind: GitRepository + name: flux + path: ./flux/apps + prune: true + dependsOn: + - name: apps-sources + - name: apps-secrets + - name: infra-data-post-2 + - name: infra-net patches: - target: kind: HelmRelease 
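Review bot: The new `apps` Kustomization has `prune: true` and `dependsOn` but no `wait: true`, while `apps-post` (which `dependsOn` it) does, and the README in this same commit states that every Kustomization serialises with `dependsOn` + `wait: true`. Without `wait`, `apps` reports Ready as soon as its HelmReleases are applied rather than once they are healthy, so the CDN Ingress in `apps-post` can be reconciled against Services that do not yet exist. Adding `wait: true` after `prune: true` restores the guarantee the README promises; if the omission is deliberate to avoid blocking on a slow chart, that exception deserves a comment here.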
@@ -40,3 +54,57 @@ spec: values: nodeSelector: kubernetes.io/hostname: tcd + - target: + kind: HelmRelease + name: penpot + patch: | + apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + metadata: + name: penpot + spec: + values: + backend: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + preference: + matchExpressions: + - key: kubernetes.io/hostname + operator: In + values: + - homea + frontend: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + preference: + matchExpressions: + - key: kubernetes.io/hostname + operator: In + values: + - homea + exporter: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + preference: + matchExpressions: + - key: kubernetes.io/hostname + operator: In + values: + - homea + mcp: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + preference: + matchExpressions: + - key: kubernetes.io/hostname + operator: In + values: + - homea diff --git a/flux/clusters/dev-cm/infra-data/post-1/databases.yaml b/flux/clusters/dev-cm/infra-data/post-1/databases.yaml index 299885b..a9fe35c 100644 --- a/flux/clusters/dev-cm/infra-data/post-1/databases.yaml +++ b/flux/clusters/dev-cm/infra-data/post-1/databases.yaml @@ -11,6 +11,17 @@ spec: --- apiVersion: postgresql.cnpg.io/v1 kind: Database +metadata: + name: cnpg17-cluster-sh-penpot + namespace: infra-data +spec: + name: penpot + owner: app + cluster: + name: cnpg17-cluster-sh +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Database metadata: name: cnpg17-cluster-sh-grafana namespace: infra-data diff --git a/flux/clusters/dev-cm/infra-data/post-2/reflector-secret-annotations.yaml b/flux/clusters/dev-cm/infra-data/post-2/reflector-secret-annotations.yaml index 7e73b7c..7c4e6ad 100644 --- a/flux/clusters/dev-cm/infra-data/post-2/reflector-secret-annotations.yaml 
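Review bot: `owner: app` hands the Penpot database to the cluster-wide `app` role, whose credentials (`cnpg17-cluster-sh-app`, referenced by the Penpot HelmRelease) presumably also own the other databases created in this file, so a compromise of Penpot yields access to every database on `cnpg17-cluster-sh`. A dedicated role declared in the Cluster's `managed.roles` (with its own password Secret) and `owner: penpot` here would confine the blast radius to Penpot's schema. The other Database objects' owners are outside this hunk, so this assumes they follow the same shared-role pattern.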
+++ b/flux/clusters/dev-cm/infra-data/post-2/reflector-secret-annotations.yaml @@ -20,9 +20,9 @@ metadata: kustomize.toolkit.fluxcd.io/prune: disabled kustomize.toolkit.fluxcd.io/ssa: Merge reflector.v1.k8s.emberstack.com/reflection-allowed: "true" - reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor" + reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-gitops,infra-monitor" reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" - reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops,infra-monitor" + reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-gitops,infra-monitor" --- apiVersion: v1 kind: Secret @@ -33,6 +33,6 @@ metadata: kustomize.toolkit.fluxcd.io/prune: disabled kustomize.toolkit.fluxcd.io/ssa: Merge reflector.v1.k8s.emberstack.com/reflection-allowed: "true" - reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops" + reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-gitops" reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" - reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops" + reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-gitops" diff --git a/flux/clusters/dev-cm/kustomization.yaml b/flux/clusters/dev-cm/kustomization.yaml index 06550f2..9c1fff6 100644 --- a/flux/clusters/dev-cm/kustomization.yaml +++ b/flux/clusters/dev-cm/kustomization.yaml @@ -2,6 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../base + - apps-sources.yaml + - apps-secrets.yaml + - apps.yaml + - apps-post.yaml patches: - target: kind: Kustomization @@ -43,7 +47,3 @@ patches: kind: Kustomization name: infra-gitops-post path: infra-gitops-post.yaml - - target: - kind: Kustomization - name: apps - path: apps.yaml 
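Review bot: Adding `apps` to both `reflection-allowed-namespaces` and `reflection-auto-namespaces` auto-copies these Secrets (their names are outside the hunk; judging from the Penpot HelmRelease they are the CNPG `app` credentials and the Valkey password) into a namespace shared by Halo, RustDesk, Whoami and Penpot, so any ServiceAccount in `apps` granted secret get/list, or any workload escape within that namespace, obtains the shared database and cache credentials. If per-app credentials are not practical, at least record the widening in the annotation block, e.g. `# reflected into apps for Penpot (helmrelease-penpot.yaml); review before adding further consumers`, and review RBAC on Secrets in the apps namespace. The infrastructure copy of this file drops `apps` in the same commit, so this overlay is now the only place granting it — worth stating in that comment as well.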
diff --git a/flux/infrastructure/infra-data/post-2/reflector-secret-annotations.yaml b/flux/infrastructure/infra-data/post-2/reflector-secret-annotations.yaml index 0818108..71b7b08 100644 --- a/flux/infrastructure/infra-data/post-2/reflector-secret-annotations.yaml +++ b/flux/infrastructure/infra-data/post-2/reflector-secret-annotations.yaml @@ -7,9 +7,9 @@ metadata: kustomize.toolkit.fluxcd.io/prune: disabled kustomize.toolkit.fluxcd.io/ssa: Merge reflector.v1.k8s.emberstack.com/reflection-allowed: "true" - reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net,infra-gitops,infra-monitor" + reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-net,infra-gitops,infra-monitor" reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" - reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net,infra-gitops,infra-monitor" + reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-net,infra-gitops,infra-monitor" --- apiVersion: v1 kind: Secret diff --git a/flux/infrastructure/sources/helm-repositories.yaml b/flux/infrastructure/sources/helm-repositories.yaml index f64a184..85d664f 100644 --- a/flux/infrastructure/sources/helm-repositories.yaml +++ b/flux/infrastructure/sources/helm-repositories.yaml @@ -131,24 +131,3 @@ spec: timeout: 5m url: https://dl.gitea.com/charts --- -# whoami -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: cowboysysop - namespace: infra-gitops -spec: - interval: 168h - timeout: 5m - url: https://cowboysysop.github.io/charts/ ---- -# halo -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: halo - namespace: infra-gitops -spec: - interval: 168h - timeout: 5m - url: https://halo-sigs.github.io/charts/