feat(helm): clusters update
这个提交包含在:
rohow
@@ -13,6 +13,7 @@ ha_server_url: "{{ lookup('env', 'HA_SERVER_URL') | default('', true) }}"
|
||||
# K3s Server URL (优先使用 HA_SERVER_URL,否则动态使用 init 节点地址)
|
||||
k3s_server_url: "{{ ha_server_url if (ha_server_url | length > 0) else '' }}"
|
||||
k3s_version: "v1.34.2+k3s1"
|
||||
tailscale_version: "1.96.4"
|
||||
|
||||
# ETCD 配置
|
||||
etcd_snapshot_retention: 1
|
||||
@@ -44,4 +45,3 @@ registry_mirrors:
|
||||
- "k8s.m.daocloud.io"
|
||||
quay.io:
|
||||
- "quay.m.daocloud.io"
|
||||
|
||||
|
||||
@@ -167,3 +167,37 @@
|
||||
{{ nodes.stdout }}
|
||||
══════════════════════════════════════════════════════════════
|
||||
when: cluster_init | default(false)
|
||||
|
||||
# ============================================
|
||||
# K3s 卸载 (需显式指定: --tags uninstall)
|
||||
# ============================================
|
||||
- name: Uninstall K3s agents
|
||||
hosts: agents
|
||||
gather_facts: false
|
||||
tags: [uninstall, never]
|
||||
tasks:
|
||||
- name: Check agent uninstall script
|
||||
ansible.builtin.stat:
|
||||
path: /usr/local/bin/k3s-agent-uninstall.sh
|
||||
register: agent_uninstall_script
|
||||
|
||||
- name: Run k3s-agent-uninstall.sh
|
||||
ansible.builtin.command: /usr/local/bin/k3s-agent-uninstall.sh
|
||||
when: agent_uninstall_script.stat.exists
|
||||
changed_when: true
|
||||
|
||||
- name: Uninstall K3s masters
|
||||
hosts: masters
|
||||
gather_facts: false
|
||||
serial: 1
|
||||
tags: [uninstall, never]
|
||||
tasks:
|
||||
- name: Check server uninstall script
|
||||
ansible.builtin.stat:
|
||||
path: /usr/local/bin/k3s-uninstall.sh
|
||||
register: server_uninstall_script
|
||||
|
||||
- name: Run k3s-uninstall.sh
|
||||
ansible.builtin.command: /usr/local/bin/k3s-uninstall.sh
|
||||
when: server_uninstall_script.stat.exists
|
||||
changed_when: true
|
||||
|
||||
@@ -37,6 +37,20 @@
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
|
||||
- name: Check current Tailscale version
|
||||
ansible.builtin.shell: tailscale version | head -1
|
||||
register: common_tailscale_version
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
when: common_tailscale_check.rc == 0
|
||||
|
||||
- name: Set Tailscale install flag
|
||||
ansible.builtin.set_fact:
|
||||
tailscale_needs_install: "{{
|
||||
common_tailscale_check.rc != 0 or
|
||||
(common_tailscale_version.stdout | default('') is not search(tailscale_version))
|
||||
}}"
|
||||
|
||||
- name: Download Tailscale install script
|
||||
ansible.builtin.get_url:
|
||||
url: https://tailscale.com/install.sh
|
||||
@@ -44,11 +58,20 @@
|
||||
mode: "0755"
|
||||
when: common_tailscale_check.rc != 0
|
||||
|
||||
- name: Install Tailscale
|
||||
- name: Install Tailscale via install script
|
||||
ansible.builtin.command: /tmp/tailscale-install.sh
|
||||
when: common_tailscale_check.rc != 0
|
||||
changed_when: true
|
||||
|
||||
- name: Install specific Tailscale version
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- "tailscale={{ tailscale_version }}"
|
||||
- "tailscaled={{ tailscale_version }}"
|
||||
state: present
|
||||
allow_downgrade: true
|
||||
when: tailscale_needs_install
|
||||
|
||||
- name: Remove Tailscale install script
|
||||
ansible.builtin.file:
|
||||
path: /tmp/tailscale-install.sh
|
||||
|
||||
@@ -110,7 +110,7 @@
|
||||
- name: Wait for K3s server ready
|
||||
ansible.builtin.wait_for:
|
||||
path: /var/lib/rancher/k3s/server/node-token
|
||||
timeout: 120
|
||||
timeout: 300
|
||||
when: "'masters' in group_names"
|
||||
|
||||
# 保存 kubeconfig (仅 cluster-init)
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: apps
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: halo
|
||||
@@ -47,11 +48,11 @@ spec:
|
||||
enabled: false
|
||||
externalDatabase:
|
||||
platform: postgresql
|
||||
host: cnpg17-cluster-hk-rw.infra-data
|
||||
host: cnpg17-cluster-rw.infra-data
|
||||
port: 5432
|
||||
user: app
|
||||
password: from-secret
|
||||
database: halo
|
||||
existingSecret: cnpg17-cluster-hk-app
|
||||
existingSecret: cnpg17-cluster-app
|
||||
haloUsername: rohow
|
||||
haloExternalUrl: https://dev.cm
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: apps
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: rustdesk-server
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: apps
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: whoami
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
retryInterval: 1m
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
retryInterval: 1m
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
@@ -24,6 +25,7 @@ metadata:
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
retryInterval: 1m
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
retryInterval: 1m
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
@@ -24,6 +25,7 @@ metadata:
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
retryInterval: 1m
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
retryInterval: 1m
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
@@ -24,6 +25,7 @@ metadata:
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
retryInterval: 1m
|
||||
suspend: true
|
||||
sourceRef:
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
retryInterval: 1m
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
@@ -24,6 +25,7 @@ metadata:
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
retryInterval: 1m
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
retryInterval: 1m
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
@@ -26,6 +27,7 @@ metadata:
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
retryInterval: 1m
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
retryInterval: 1m
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
|
||||
@@ -7,6 +7,7 @@ metadata:
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
retryInterval: 1m
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
retryInterval: 1m
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
|
||||
@@ -0,0 +1,20 @@
|
||||
apiVersion: barmancloud.cnpg.io/v1
|
||||
kind: ObjectStore
|
||||
metadata:
|
||||
name: cnpg17-objectstore-hw
|
||||
namespace: infra-data
|
||||
spec:
|
||||
retentionPolicy: "7d"
|
||||
configuration:
|
||||
destinationPath: s3://devcm/cnpg/
|
||||
endpointURL: https://obs.cn-east-3.myhuaweicloud.com
|
||||
s3Credentials:
|
||||
accessKeyId:
|
||||
name: s3-devcm-hw
|
||||
key: ACCESS_KEY_ID
|
||||
secretAccessKey:
|
||||
name: s3-devcm-hw
|
||||
key: ACCESS_SECRET_KEY
|
||||
wal:
|
||||
compression: gzip
|
||||
maxParallel: 8
|
||||
@@ -0,0 +1,43 @@
|
||||
apiVersion: postgresql.cnpg.io/v1
|
||||
kind: Database
|
||||
metadata:
|
||||
name: cnpg17-cluster-sh-gitea
|
||||
namespace: infra-data
|
||||
spec:
|
||||
name: gitea
|
||||
owner: app
|
||||
cluster:
|
||||
name: cnpg17-cluster-sh
|
||||
---
|
||||
apiVersion: postgresql.cnpg.io/v1
|
||||
kind: Database
|
||||
metadata:
|
||||
name: cnpg17-cluster-sh-grafana
|
||||
namespace: infra-data
|
||||
spec:
|
||||
name: grafana
|
||||
owner: app
|
||||
cluster:
|
||||
name: cnpg17-cluster-sh
|
||||
---
|
||||
apiVersion: postgresql.cnpg.io/v1
|
||||
kind: Database
|
||||
metadata:
|
||||
name: cnpg17-cluster-hk-halo
|
||||
namespace: infra-data
|
||||
spec:
|
||||
name: halo
|
||||
owner: app
|
||||
cluster:
|
||||
name: cnpg17-cluster-hk
|
||||
---
|
||||
apiVersion: postgresql.cnpg.io/v1
|
||||
kind: Database
|
||||
metadata:
|
||||
name: cnpg17-cluster-hk-crowdsec
|
||||
namespace: infra-data
|
||||
spec:
|
||||
name: crowdsec
|
||||
owner: app
|
||||
cluster:
|
||||
name: cnpg17-cluster-hk
|
||||
@@ -0,0 +1,10 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- cnpg17-objectstore-hw.yaml
|
||||
- cnpg17-cluster-hk.yaml
|
||||
- cnpg17-cluster-sh.yaml
|
||||
- databases.yaml
|
||||
- loadbalancer-hk.yaml
|
||||
- loadbalancer-sh.yaml
|
||||
- reflector-secret-annotations.yaml
|
||||
@@ -0,0 +1,41 @@
|
||||
# 给CNPG和Valkey自动生成的secrets添加Reflector注解
|
||||
# 通过SSA force合并注解到已有secrets 使其自动复制到消费方命名空间
|
||||
#
|
||||
# cnpg17-cluster-hk-app → apps (halo), infra-net (crowdsec)
|
||||
# cnpg17-cluster-sh-app → infra-gitops (gitea), infra-monitor (grafana)
|
||||
# valkey-cluster-sh → infra-gitops (gitea)
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: cnpg17-cluster-hk-app
|
||||
namespace: infra-data
|
||||
annotations:
|
||||
kustomize.toolkit.fluxcd.io/prune: disabled
|
||||
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
|
||||
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net"
|
||||
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
|
||||
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: cnpg17-cluster-sh-app
|
||||
namespace: infra-data
|
||||
annotations:
|
||||
kustomize.toolkit.fluxcd.io/prune: disabled
|
||||
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
|
||||
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor"
|
||||
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
|
||||
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops,infra-monitor"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: valkey-cluster-sh
|
||||
namespace: infra-data
|
||||
annotations:
|
||||
kustomize.toolkit.fluxcd.io/prune: disabled
|
||||
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
|
||||
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops"
|
||||
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
|
||||
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops"
|
||||
@@ -14,6 +14,9 @@ spec:
|
||||
name: halo
|
||||
spec:
|
||||
values:
|
||||
externalDatabase:
|
||||
host: cnpg17-cluster-hk-rw.infra-data
|
||||
existingSecret: cnpg17-cluster-hk-app
|
||||
affinity:
|
||||
podAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
|
||||
@@ -3,6 +3,7 @@ kind: Kustomization
|
||||
metadata:
|
||||
name: infra-data-post
|
||||
spec:
|
||||
path: ./flux/clusters/dev-cm/infra-data-post
|
||||
patches:
|
||||
- target:
|
||||
kind: Cluster
|
||||
|
||||
@@ -14,6 +14,16 @@ spec:
|
||||
name: gitea
|
||||
spec:
|
||||
values:
|
||||
gitea:
|
||||
config:
|
||||
database:
|
||||
HOST: cnpg17-cluster-sh-rw.infra-data:5432
|
||||
additionalConfigFromEnvs:
|
||||
- name: GITEA__DATABASE__PASSWD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: cnpg17-cluster-sh-app
|
||||
key: password
|
||||
affinity:
|
||||
podAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
|
||||
@@ -55,6 +55,14 @@ spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/hostname: hwa
|
||||
grafana:
|
||||
envValueFrom:
|
||||
GF_DATABASE_PASSWORD:
|
||||
secretKeyRef:
|
||||
name: cnpg17-cluster-sh-app
|
||||
key: password
|
||||
grafana.ini:
|
||||
database:
|
||||
host: cnpg17-cluster-sh-rw.infra-data:5432
|
||||
affinity:
|
||||
podAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
|
||||
@@ -48,6 +48,43 @@ spec:
|
||||
name: crowdsec
|
||||
spec:
|
||||
values:
|
||||
lapi:
|
||||
env:
|
||||
- name: DB_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: cnpg17-cluster-hk-app
|
||||
key: password
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- weight: 1
|
||||
preference:
|
||||
matchExpressions:
|
||||
- key: topology.kubernetes.io/region
|
||||
operator: In
|
||||
values:
|
||||
- cn-hk
|
||||
config:
|
||||
config.yaml.local: |
|
||||
db_config:
|
||||
type: postgresql
|
||||
host: cnpg17-cluster-hk-rw.infra-data
|
||||
port: 5432
|
||||
db_name: crowdsec
|
||||
user: app
|
||||
password: ${DB_PASSWORD}
|
||||
sslmode: require
|
||||
api:
|
||||
server:
|
||||
auto_registration:
|
||||
enabled: true
|
||||
token: "${REGISTRATION_TOKEN}"
|
||||
allowed_ranges:
|
||||
- "127.0.0.1/32"
|
||||
- "192.168.0.0/16"
|
||||
- "172.16.0.0/12"
|
||||
- "10.0.0.0/8"
|
||||
agent:
|
||||
affinity:
|
||||
podAffinity:
|
||||
@@ -70,17 +107,6 @@ spec:
|
||||
operator: In
|
||||
values:
|
||||
- cn-hk
|
||||
lapi:
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- weight: 1
|
||||
preference:
|
||||
matchExpressions:
|
||||
- key: topology.kubernetes.io/region
|
||||
operator: In
|
||||
values:
|
||||
- cn-hk
|
||||
- target:
|
||||
kind: HelmRelease
|
||||
name: tailscale-derp-hk
|
||||
|
||||
@@ -1,17 +0,0 @@
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: infra-devops
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: flux
|
||||
path: ./flux/infrastructure/infra-devops
|
||||
prune: true
|
||||
wait: true
|
||||
dependsOn:
|
||||
- name: sources
|
||||
- name: secrets
|
||||
@@ -1,22 +0,0 @@
|
||||
# 密钥管理层 - 通过postBuild从flux-env Secret注入变量
|
||||
# 所有环境流程一致: kubectl create secret generic flux-env -n infra-gitops --from-env-file=.env
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: secrets
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: flux
|
||||
path: ./flux/infrastructure/secrets
|
||||
prune: false
|
||||
wait: true
|
||||
dependsOn:
|
||||
- name: sources
|
||||
postBuild:
|
||||
substituteFrom:
|
||||
- kind: Secret
|
||||
name: flux-env
|
||||
@@ -1,14 +0,0 @@
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: sources
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: flux
|
||||
path: ./flux/infrastructure/sources
|
||||
prune: true
|
||||
wait: true
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-data
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
dependsOn:
|
||||
- name: cloudnative-pg
|
||||
chart:
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-data
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: cloudnative-pg
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-data
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: valkey-cluster
|
||||
|
||||
@@ -0,0 +1,42 @@
|
||||
apiVersion: postgresql.cnpg.io/v1
|
||||
kind: Cluster
|
||||
metadata:
|
||||
name: cnpg17-cluster
|
||||
namespace: infra-data
|
||||
spec:
|
||||
imageName: ghcr.io/cloudnative-pg/postgresql:17.4
|
||||
enableSuperuserAccess: true
|
||||
enablePDB: false
|
||||
instances: 1
|
||||
storage:
|
||||
size: 10Gi
|
||||
postgresql:
|
||||
parameters:
|
||||
archive_timeout: 30min
|
||||
env:
|
||||
- name: AWS_REQUEST_CHECKSUM_CALCULATION
|
||||
value: when_required
|
||||
- name: AWS_RESPONSE_CHECKSUM_VALIDATION
|
||||
value: when_required
|
||||
plugins:
|
||||
- name: barman-cloud.cloudnative-pg.io
|
||||
isWALArchiver: true
|
||||
parameters:
|
||||
barmanObjectName: cnpg17-objectstore-hw
|
||||
serverName: cnpg17-cluster
|
||||
|
||||
---
|
||||
apiVersion: postgresql.cnpg.io/v1
|
||||
kind: ScheduledBackup
|
||||
metadata:
|
||||
name: cnpg17-cluster-backups
|
||||
namespace: infra-data
|
||||
spec:
|
||||
schedule: "0 0 0 * * *"
|
||||
immediate: true
|
||||
backupOwnerReference: self
|
||||
method: plugin
|
||||
pluginConfiguration:
|
||||
name: barman-cloud.cloudnative-pg.io
|
||||
cluster:
|
||||
name: cnpg17-cluster
|
||||
@@ -1,43 +1,43 @@
|
||||
apiVersion: postgresql.cnpg.io/v1
|
||||
kind: Database
|
||||
metadata:
|
||||
name: cnpg17-cluster-sh-gitea
|
||||
name: cnpg17-cluster-gitea
|
||||
namespace: infra-data
|
||||
spec:
|
||||
name: gitea
|
||||
owner: app
|
||||
cluster:
|
||||
name: cnpg17-cluster-sh
|
||||
name: cnpg17-cluster
|
||||
---
|
||||
apiVersion: postgresql.cnpg.io/v1
|
||||
kind: Database
|
||||
metadata:
|
||||
name: cnpg17-cluster-sh-grafana
|
||||
name: cnpg17-cluster-grafana
|
||||
namespace: infra-data
|
||||
spec:
|
||||
name: grafana
|
||||
owner: app
|
||||
cluster:
|
||||
name: cnpg17-cluster-sh
|
||||
name: cnpg17-cluster
|
||||
---
|
||||
apiVersion: postgresql.cnpg.io/v1
|
||||
kind: Database
|
||||
metadata:
|
||||
name: cnpg17-cluster-hk-halo
|
||||
name: cnpg17-cluster-halo
|
||||
namespace: infra-data
|
||||
spec:
|
||||
name: halo
|
||||
owner: app
|
||||
cluster:
|
||||
name: cnpg17-cluster-hk
|
||||
name: cnpg17-cluster
|
||||
---
|
||||
apiVersion: postgresql.cnpg.io/v1
|
||||
kind: Database
|
||||
metadata:
|
||||
name: cnpg17-cluster-hk-crowdsec
|
||||
name: cnpg17-cluster-crowdsec
|
||||
namespace: infra-data
|
||||
spec:
|
||||
name: crowdsec
|
||||
owner: app
|
||||
cluster:
|
||||
name: cnpg17-cluster-hk
|
||||
name: cnpg17-cluster
|
||||
|
||||
@@ -2,9 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- cnpg17-objectstore-hw.yaml
|
||||
- cnpg17-cluster-hk.yaml
|
||||
- cnpg17-cluster-sh.yaml
|
||||
- cnpg17-cluster.yaml
|
||||
- databases.yaml
|
||||
- loadbalancer-hk.yaml
|
||||
- loadbalancer-sh.yaml
|
||||
- loadbalancer.yaml
|
||||
- reflector-secret-annotations.yaml
|
||||
|
||||
@@ -0,0 +1,14 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: cnpg17-cluster-lb
|
||||
namespace: infra-data
|
||||
spec:
|
||||
selector:
|
||||
cnpg.io/cluster: cnpg17-cluster
|
||||
role: primary
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 5432
|
||||
targetPort: 5432
|
||||
type: LoadBalancer
|
||||
@@ -1,32 +1,19 @@
|
||||
# 给CNPG和Valkey自动生成的secrets添加Reflector注解
|
||||
# 通过SSA force合并注解到已有secrets 使其自动复制到消费方命名空间
|
||||
#
|
||||
# cnpg17-cluster-hk-app → apps (halo), infra-net (crowdsec)
|
||||
# cnpg17-cluster-sh-app → infra-gitops (gitea), infra-monitor (grafana)
|
||||
# cnpg17-cluster-app → apps (halo), infra-net (crowdsec), infra-gitops (gitea), infra-monitor (grafana)
|
||||
# valkey-cluster-sh → infra-gitops (gitea)
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: cnpg17-cluster-hk-app
|
||||
name: cnpg17-cluster-app
|
||||
namespace: infra-data
|
||||
annotations:
|
||||
kustomize.toolkit.fluxcd.io/prune: disabled
|
||||
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
|
||||
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net"
|
||||
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net,infra-gitops,infra-monitor"
|
||||
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
|
||||
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: cnpg17-cluster-sh-app
|
||||
namespace: infra-data
|
||||
annotations:
|
||||
kustomize.toolkit.fluxcd.io/prune: disabled
|
||||
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
|
||||
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor"
|
||||
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
|
||||
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops,infra-monitor"
|
||||
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net,infra-gitops,infra-monitor"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
|
||||
@@ -6,6 +6,7 @@ metadata:
|
||||
namespace: infra-devops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
dependsOn:
|
||||
- name: cert-manager
|
||||
chart:
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-devops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: cert-manager
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-devops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: reflector
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-devops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: velero
|
||||
|
||||
@@ -1,6 +1,3 @@
|
||||
# 在prometheus-stack部署后 通过SSA patch cert-manager开启ServiceMonitor
|
||||
# cert-manager初始安装时servicemonitor.enabled=false(CRD尚不存在)
|
||||
# infra-monitor层部署时CRD已就绪 此patch合并到已有HelmRelease
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: gitea
|
||||
@@ -48,7 +49,7 @@ spec:
|
||||
ROOT_URL: https://git.dev.cm/
|
||||
database:
|
||||
DB_TYPE: postgres
|
||||
HOST: cnpg17-cluster-sh-rw.infra-data:5432
|
||||
HOST: cnpg17-cluster-rw.infra-data:5432
|
||||
NAME: gitea
|
||||
USER: app
|
||||
SSL_MODE: disable
|
||||
@@ -83,7 +84,7 @@ spec:
|
||||
- name: GITEA__DATABASE__PASSWD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: cnpg17-cluster-sh-app
|
||||
name: cnpg17-cluster-app
|
||||
key: password
|
||||
- name: REDIS_PASSWORD
|
||||
valueFrom:
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-gitops
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
dependsOn:
|
||||
- name: gitea
|
||||
chart:
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-monitor
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: loki
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-monitor
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: kube-prometheus-stack
|
||||
@@ -52,7 +53,7 @@ spec:
|
||||
envValueFrom:
|
||||
GF_DATABASE_PASSWORD:
|
||||
secretKeyRef:
|
||||
name: cnpg17-cluster-sh-app
|
||||
name: cnpg17-cluster-app
|
||||
key: password
|
||||
grafana.ini:
|
||||
server:
|
||||
@@ -65,7 +66,7 @@ spec:
|
||||
news_feed_enabled: false
|
||||
database:
|
||||
type: postgres
|
||||
host: cnpg17-cluster-sh-rw.infra-data:5432
|
||||
host: cnpg17-cluster-rw.infra-data:5432
|
||||
name: grafana
|
||||
user: app
|
||||
password: $__env{GF_DATABASE_PASSWORD}
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-net
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
dependsOn:
|
||||
- name: ingress-nginx
|
||||
- name: loki
|
||||
@@ -77,14 +78,14 @@ spec:
|
||||
- name: DB_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: cnpg17-cluster-hk-app
|
||||
name: cnpg17-cluster-app
|
||||
key: password
|
||||
config:
|
||||
# api config.yaml配置
|
||||
config.yaml.local: |
|
||||
db_config:
|
||||
type: postgresql
|
||||
host: cnpg17-cluster-hk-rw.infra-data
|
||||
host: cnpg17-cluster-rw.infra-data
|
||||
port: 5432
|
||||
db_name: crowdsec
|
||||
user: app
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-net
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: ingress-nginx
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
namespace: infra-net
|
||||
spec:
|
||||
interval: 30m
|
||||
timeout: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: tailscale-derp
|
||||
|
||||
在新议题中引用
屏蔽一个用户