diff --git a/ansible/inventory/group_vars/all.yml b/ansible/inventory/group_vars/all.yml index 00fba33..793839f 100644 --- a/ansible/inventory/group_vars/all.yml +++ b/ansible/inventory/group_vars/all.yml @@ -13,6 +13,7 @@ ha_server_url: "{{ lookup('env', 'HA_SERVER_URL') | default('', true) }}" # K3s Server URL (优先使用 HA_SERVER_URL,否则动态使用 init 节点地址) k3s_server_url: "{{ ha_server_url if (ha_server_url | length > 0) else '' }}" k3s_version: "v1.34.2+k3s1" +tailscale_version: "1.96.4" # ETCD 配置 etcd_snapshot_retention: 1 @@ -44,4 +45,3 @@ registry_mirrors: - "k8s.m.daocloud.io" quay.io: - "quay.m.daocloud.io" - diff --git a/ansible/playbooks/site.yml b/ansible/playbooks/site.yml index f6dd177..70d3521 100644 --- a/ansible/playbooks/site.yml +++ b/ansible/playbooks/site.yml @@ -167,3 +167,37 @@ {{ nodes.stdout }} ══════════════════════════════════════════════════════════════ when: cluster_init | default(false) + +# ============================================ +# K3s 卸载 (需显式指定: --tags uninstall) +# ============================================ +- name: Uninstall K3s agents + hosts: agents + gather_facts: false + tags: [uninstall, never] + tasks: + - name: Check agent uninstall script + ansible.builtin.stat: + path: /usr/local/bin/k3s-agent-uninstall.sh + register: agent_uninstall_script + + - name: Run k3s-agent-uninstall.sh + ansible.builtin.command: /usr/local/bin/k3s-agent-uninstall.sh + when: agent_uninstall_script.stat.exists + changed_when: true + +- name: Uninstall K3s masters + hosts: masters + gather_facts: false + serial: 1 + tags: [uninstall, never] + tasks: + - name: Check server uninstall script + ansible.builtin.stat: + path: /usr/local/bin/k3s-uninstall.sh + register: server_uninstall_script + + - name: Run k3s-uninstall.sh + ansible.builtin.command: /usr/local/bin/k3s-uninstall.sh + when: server_uninstall_script.stat.exists + changed_when: true 
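Review bot: Both new uninstall plays run the destructive k3s uninstall scripts as soon as `--tags uninstall` is passed, with no second confirmation, and the masters play wipes etcd data host by host; a mis-typed tag list against the wrong inventory is unrecoverable. Consider gating the `Run k3s-agent-uninstall.sh` task on an explicit extra-var, e.g. `when: agent_uninstall_script.stat.exists and (confirm_uninstall | default(false) | bool)`, and the `Run k3s-uninstall.sh` task in the masters play on the same variable, so the tag alone is not sufficient. Registering the command output and printing it on failure would also make a partial uninstall easier to diagnose. The `{{ nodes.stdout }}` debug block at the top of the hunk belongs to a play that starts outside it.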
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml index 66379db..94706c8 100644 --- a/ansible/roles/common/tasks/main.yml +++ b/ansible/roles/common/tasks/main.yml @@ -37,6 +37,20 @@ failed_when: false changed_when: false +- name: Check current Tailscale version + ansible.builtin.shell: tailscale version | head -1 + register: common_tailscale_version + failed_when: false + changed_when: false + when: common_tailscale_check.rc == 0 + +- name: Set Tailscale install flag + ansible.builtin.set_fact: + tailscale_needs_install: "{{ + common_tailscale_check.rc != 0 or + (common_tailscale_version.stdout | default('') is not search(tailscale_version)) + }}" + - name: Download Tailscale install script ansible.builtin.get_url: url: https://tailscale.com/install.sh @@ -44,11 +58,20 @@ mode: "0755" when: common_tailscale_check.rc != 0 -- name: Install Tailscale +- name: Install Tailscale via install script ansible.builtin.command: /tmp/tailscale-install.sh when: common_tailscale_check.rc != 0 changed_when: true +- name: Install specific Tailscale version + ansible.builtin.apt: + name: + - "tailscale={{ tailscale_version }}" + - "tailscaled={{ tailscale_version }}" + state: present + allow_downgrade: true + when: tailscale_needs_install + - name: Remove Tailscale install script ansible.builtin.file: path: /tmp/tailscale-install.sh diff --git a/ansible/roles/k3s/tasks/main.yml b/ansible/roles/k3s/tasks/main.yml index 768471d..017b6f1 100644 --- a/ansible/roles/k3s/tasks/main.yml +++ b/ansible/roles/k3s/tasks/main.yml @@ -110,7 +110,7 @@ - name: Wait for K3s server ready ansible.builtin.wait_for: path: /var/lib/rancher/k3s/server/node-token - timeout: 120 + timeout: 300 when: "'masters' in group_names" # 保存 kubeconfig (仅 cluster-init) diff --git a/flux/apps/helmrelease-halo.yaml b/flux/apps/helmrelease-halo.yaml index bef05fb..9556764 100644 --- a/flux/apps/helmrelease-halo.yaml +++ b/flux/apps/helmrelease-halo.yaml 
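Review bot: The install flag in `Set Tailscale install flag` uses `is not search(tailscale_version)`, which is a regex test, so `1.96.4` also matches `1.96.41` and the unescaped dots match any character; a host on a later patch release can be reported as already converged. If `tailscale version | head -1` yields only the version string (verify on a target host), an exact comparison is stricter: `(common_tailscale_version.stdout | default('') | trim) != tailscale_version`; if more text can appear on that line, at least apply `regex_escape` to the variable. The `Check current Tailscale version` task is skipped when the binary is absent, so the `default('')` on `stdout` is load-bearing and deserves a one-line comment so the ordering is not changed later.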
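Review bot: `Install specific Tailscale version` pins both `tailscale` and `tailscaled` to `{{ tailscale_version }}`, but whether the configured apt repository publishes a separate `tailscaled` package should be confirmed on a target host (`apt-cache policy tailscaled`); if it does not, the task fails wherever `tailscale_needs_install` is true, including the fresh-install path. Pinning the version is a good supply-chain control, and with `allow_downgrade: true` it also rolls hosts back whenever `tailscale_version` lags what is installed, which looks intended but is worth stating: `# allow_downgrade: hosts are converged to the pinned version in both directions`. The surrounding script download and removal tasks start and end outside this hunk.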
@@ -5,6 +5,7 @@ metadata: namespace: apps spec: interval: 30m + timeout: 15m chart: spec: chart: halo @@ -47,11 +48,11 @@ spec: enabled: false externalDatabase: platform: postgresql - host: cnpg17-cluster-hk-rw.infra-data + host: cnpg17-cluster-rw.infra-data port: 5432 user: app password: from-secret database: halo - existingSecret: cnpg17-cluster-hk-app + existingSecret: cnpg17-cluster-app haloUsername: rohow haloExternalUrl: https://dev.cm diff --git a/flux/apps/helmrelease-rustdesk.yaml b/flux/apps/helmrelease-rustdesk.yaml index b05ebb6..e3aa4f9 100644 --- a/flux/apps/helmrelease-rustdesk.yaml +++ b/flux/apps/helmrelease-rustdesk.yaml @@ -5,6 +5,7 @@ metadata: namespace: apps spec: interval: 30m + timeout: 15m chart: spec: chart: rustdesk-server diff --git a/flux/apps/helmrelease-whoami.yaml b/flux/apps/helmrelease-whoami.yaml index b279fb0..9b4853d 100644 --- a/flux/apps/helmrelease-whoami.yaml +++ b/flux/apps/helmrelease-whoami.yaml @@ -5,6 +5,7 @@ metadata: namespace: apps spec: interval: 30m + timeout: 15m chart: spec: chart: whoami diff --git a/flux/clusters/base/apps.yaml b/flux/clusters/base/apps.yaml index 22eeebe..85b9d57 100644 --- a/flux/clusters/base/apps.yaml +++ b/flux/clusters/base/apps.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-gitops spec: interval: 30m + timeout: 15m retryInterval: 1m sourceRef: kind: GitRepository diff --git a/flux/clusters/base/infra-data.yaml b/flux/clusters/base/infra-data.yaml index faa93f5..18faf26 100644 --- a/flux/clusters/base/infra-data.yaml +++ b/flux/clusters/base/infra-data.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-gitops spec: interval: 30m + timeout: 15m retryInterval: 1m sourceRef: kind: GitRepository @@ -24,6 +25,7 @@ metadata: namespace: infra-gitops spec: interval: 30m + timeout: 15m retryInterval: 1m sourceRef: kind: GitRepository diff --git a/flux/clusters/base/infra-devops.yaml b/flux/clusters/base/infra-devops.yaml index 6089ef9..48625bd 100644 --- a/flux/clusters/base/infra-devops.yaml 
+++ b/flux/clusters/base/infra-devops.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-gitops spec: interval: 30m + timeout: 15m retryInterval: 1m sourceRef: kind: GitRepository @@ -24,6 +25,7 @@ metadata: namespace: infra-gitops spec: interval: 30m + timeout: 15m retryInterval: 1m sourceRef: kind: GitRepository diff --git a/flux/clusters/base/infra-gitops.yaml b/flux/clusters/base/infra-gitops.yaml index 91ec4c8..e9e6c66 100644 --- a/flux/clusters/base/infra-gitops.yaml +++ b/flux/clusters/base/infra-gitops.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-gitops spec: interval: 30m + timeout: 15m retryInterval: 1m sourceRef: kind: GitRepository @@ -24,6 +25,7 @@ metadata: namespace: infra-gitops spec: interval: 30m + timeout: 15m retryInterval: 1m suspend: true sourceRef: diff --git a/flux/clusters/base/infra-monitor.yaml b/flux/clusters/base/infra-monitor.yaml index 99384b2..78c262e 100644 --- a/flux/clusters/base/infra-monitor.yaml +++ b/flux/clusters/base/infra-monitor.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-gitops spec: interval: 30m + timeout: 15m retryInterval: 1m sourceRef: kind: GitRepository @@ -24,6 +25,7 @@ metadata: namespace: infra-gitops spec: interval: 30m + timeout: 15m retryInterval: 1m sourceRef: kind: GitRepository diff --git a/flux/clusters/base/infra-net.yaml b/flux/clusters/base/infra-net.yaml index 97d31f3..4feeec9 100644 --- a/flux/clusters/base/infra-net.yaml +++ b/flux/clusters/base/infra-net.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-gitops spec: interval: 30m + timeout: 15m retryInterval: 1m sourceRef: kind: GitRepository @@ -26,6 +27,7 @@ metadata: namespace: infra-gitops spec: interval: 30m + timeout: 15m retryInterval: 1m sourceRef: kind: GitRepository diff --git a/flux/clusters/base/kube-system.yaml b/flux/clusters/base/kube-system.yaml index 036e261..2a63a7c 100644 --- a/flux/clusters/base/kube-system.yaml +++ b/flux/clusters/base/kube-system.yaml 
@@ -5,6 +5,7 @@ metadata: namespace: infra-gitops spec: interval: 30m + timeout: 15m retryInterval: 1m sourceRef: kind: GitRepository diff --git a/flux/clusters/base/secrets.yaml b/flux/clusters/base/secrets.yaml index e30274c..6849209 100644 --- a/flux/clusters/base/secrets.yaml +++ b/flux/clusters/base/secrets.yaml @@ -7,6 +7,7 @@ metadata: namespace: infra-gitops spec: interval: 30m + timeout: 15m retryInterval: 1m sourceRef: kind: GitRepository diff --git a/flux/clusters/base/sources.yaml b/flux/clusters/base/sources.yaml index 01f8d4d..c976adb 100644 --- a/flux/clusters/base/sources.yaml +++ b/flux/clusters/base/sources.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-gitops spec: interval: 30m + timeout: 15m retryInterval: 1m sourceRef: kind: GitRepository diff --git a/flux/infrastructure/infra-data/post/cnpg17-cluster-hk.yaml b/flux/clusters/dev-cm/infra-data-post/cnpg17-cluster-hk.yaml similarity index 100% rename from flux/infrastructure/infra-data/post/cnpg17-cluster-hk.yaml rename to flux/clusters/dev-cm/infra-data-post/cnpg17-cluster-hk.yaml diff --git a/flux/infrastructure/infra-data/post/cnpg17-cluster-sh.yaml b/flux/clusters/dev-cm/infra-data-post/cnpg17-cluster-sh.yaml similarity index 100% rename from flux/infrastructure/infra-data/post/cnpg17-cluster-sh.yaml rename to flux/clusters/dev-cm/infra-data-post/cnpg17-cluster-sh.yaml diff --git a/flux/clusters/dev-cm/infra-data-post/cnpg17-objectstore-hw.yaml b/flux/clusters/dev-cm/infra-data-post/cnpg17-objectstore-hw.yaml new file mode 100644 index 0000000..06a3f90 --- /dev/null +++ b/flux/clusters/dev-cm/infra-data-post/cnpg17-objectstore-hw.yaml 
@@ -0,0 +1,20 @@
+apiVersion: barmancloud.cnpg.io/v1
+kind: ObjectStore
+metadata:
+ name: cnpg17-objectstore-hw
+ namespace: infra-data
+spec:
+ retentionPolicy: "7d"
+ configuration:
+ destinationPath: s3://devcm/cnpg/
+ endpointURL: https://obs.cn-east-3.myhuaweicloud.com
+ s3Credentials:
+ accessKeyId:
+ name: s3-devcm-hw
+ key: ACCESS_KEY_ID
+ secretAccessKey:
+ name: s3-devcm-hw
+ key: ACCESS_SECRET_KEY
+ wal:
+ compression: gzip
+ maxParallel: 8
diff --git a/flux/clusters/dev-cm/infra-data-post/databases.yaml b/flux/clusters/dev-cm/infra-data-post/databases.yaml
new file mode 100644
index 0000000..299885b
--- /dev/null
+++ b/flux/clusters/dev-cm/infra-data-post/databases.yaml
@@ -0,0 +1,43 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+ name: cnpg17-cluster-sh-gitea
+ namespace: infra-data
+spec:
+ name: gitea
+ owner: app
+ cluster:
+ name: cnpg17-cluster-sh
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+ name: cnpg17-cluster-sh-grafana
+ namespace: infra-data
+spec:
+ name: grafana
+ owner: app
+ cluster:
+ name: cnpg17-cluster-sh
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+ name: cnpg17-cluster-hk-halo
+ namespace: infra-data
+spec:
+ name: halo
+ owner: app
+ cluster:
+ name: cnpg17-cluster-hk
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+ name: cnpg17-cluster-hk-crowdsec
+ namespace: infra-data
+spec:
+ name: crowdsec
+ owner: app
+ cluster:
+ name: cnpg17-cluster-hk
diff --git a/flux/clusters/dev-cm/infra-data-post/kustomization.yaml b/flux/clusters/dev-cm/infra-data-post/kustomization.yaml
new file mode 100644
index 0000000..10ec5ec
--- /dev/null
+++ b/flux/clusters/dev-cm/infra-data-post/kustomization.yaml
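Review bot: The new ObjectStore sends WAL and base backups of every database on the cluster to `s3://devcm/cnpg/` with neither `wal.encryption` nor `data.encryption` set, so the objects rely entirely on whatever bucket-side default the OBS bucket has. The barman object-store configuration accepts `encryption: AES256` under both `wal:` and `data:`; whether Huawei OBS honours those SSE headers should be confirmed against the bucket before depending on it, and if not, bucket default encryption should be enabled and recorded in a comment here. `data:` is absent entirely, so base-backup compression stays at the plugin default while WAL uses gzip; a short comment stating that asymmetry is intentional would help the next reader.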
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - cnpg17-objectstore-hw.yaml
+ - cnpg17-cluster-hk.yaml
+ - cnpg17-cluster-sh.yaml
+ - databases.yaml
+ - loadbalancer-hk.yaml
+ - loadbalancer-sh.yaml
+ - reflector-secret-annotations.yaml
diff --git a/flux/infrastructure/infra-data/post/loadbalancer-hk.yaml b/flux/clusters/dev-cm/infra-data-post/loadbalancer-hk.yaml
similarity index 100%
rename from flux/infrastructure/infra-data/post/loadbalancer-hk.yaml
rename to flux/clusters/dev-cm/infra-data-post/loadbalancer-hk.yaml
diff --git a/flux/infrastructure/infra-data/post/loadbalancer-sh.yaml b/flux/clusters/dev-cm/infra-data-post/loadbalancer-sh.yaml
similarity index 100%
rename from flux/infrastructure/infra-data/post/loadbalancer-sh.yaml
rename to flux/clusters/dev-cm/infra-data-post/loadbalancer-sh.yaml
diff --git a/flux/clusters/dev-cm/infra-data-post/reflector-secret-annotations.yaml b/flux/clusters/dev-cm/infra-data-post/reflector-secret-annotations.yaml
new file mode 100644
index 0000000..b1f60b0
--- /dev/null
+++ b/flux/clusters/dev-cm/infra-data-post/reflector-secret-annotations.yaml
@@ -0,0 +1,41 @@
+# 给CNPG和Valkey自动生成的secrets添加Reflector注解
+# 通过SSA force合并注解到已有secrets 使其自动复制到消费方命名空间
+#
+# cnpg17-cluster-hk-app → apps (halo), infra-net (crowdsec)
+# cnpg17-cluster-sh-app → infra-gitops (gitea), infra-monitor (grafana)
+# valkey-cluster-sh → infra-gitops (gitea)
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cnpg17-cluster-hk-app
+ namespace: infra-data
+ annotations:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+ reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net"
+ reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+ reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cnpg17-cluster-sh-app
+ namespace: infra-data
+ annotations:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+ reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor"
+ reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+ reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops,infra-monitor"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: valkey-cluster-sh
+ namespace: infra-data
+ annotations:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+ reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops"
+ reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+ reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops"
diff --git a/flux/clusters/dev-cm/patches/apps.yaml b/flux/clusters/dev-cm/patches/apps.yaml
index 7504d05..7961ecb 100644
--- a/flux/clusters/dev-cm/patches/apps.yaml
+++ b/flux/clusters/dev-cm/patches/apps.yaml
@@ -14,6 +14,9 @@ spec: name: halo spec: values: + externalDatabase: + host: cnpg17-cluster-hk-rw.infra-data + existingSecret: cnpg17-cluster-hk-app affinity: podAffinity: preferredDuringSchedulingIgnoredDuringExecution: diff --git a/flux/clusters/dev-cm/patches/infra-data-post.yaml b/flux/clusters/dev-cm/patches/infra-data-post.yaml index 34bf557..9bdd2bd 100644 --- a/flux/clusters/dev-cm/patches/infra-data-post.yaml +++ b/flux/clusters/dev-cm/patches/infra-data-post.yaml @@ -3,6 +3,7 @@ kind: Kustomization metadata: name: infra-data-post spec: + path: ./flux/clusters/dev-cm/infra-data-post patches: - target: kind: Cluster diff --git a/flux/clusters/dev-cm/patches/infra-gitops.yaml b/flux/clusters/dev-cm/patches/infra-gitops.yaml index ef536f1..24b7431 100644 --- a/flux/clusters/dev-cm/patches/infra-gitops.yaml +++ b/flux/clusters/dev-cm/patches/infra-gitops.yaml @@ -14,6 +14,16 @@ spec: name: gitea spec: values: + gitea: + config: + database: + HOST: cnpg17-cluster-sh-rw.infra-data:5432 + additionalConfigFromEnvs: + - name: GITEA__DATABASE__PASSWD + valueFrom: + secretKeyRef: + name: cnpg17-cluster-sh-app + key: password affinity: podAffinity: preferredDuringSchedulingIgnoredDuringExecution: diff --git a/flux/clusters/dev-cm/patches/infra-monitor.yaml b/flux/clusters/dev-cm/patches/infra-monitor.yaml index 940eaf5..4dd0eb1 100644 --- a/flux/clusters/dev-cm/patches/infra-monitor.yaml +++ b/flux/clusters/dev-cm/patches/infra-monitor.yaml @@ -55,6 +55,14 @@ spec: nodeSelector: kubernetes.io/hostname: hwa grafana: + envValueFrom: + GF_DATABASE_PASSWORD: + secretKeyRef: + name: cnpg17-cluster-sh-app + key: password + grafana.ini: + database: + host: cnpg17-cluster-sh-rw.infra-data:5432 affinity: podAffinity: preferredDuringSchedulingIgnoredDuringExecution: diff --git a/flux/clusters/dev-cm/patches/infra-net.yaml b/flux/clusters/dev-cm/patches/infra-net.yaml index ad749f3..53e11db 100644 --- a/flux/clusters/dev-cm/patches/infra-net.yaml 
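Review bot: The dev-cm override in infra-gitops.yaml sets `additionalConfigFromEnvs` to a one-element list, and because `spec.values` on a HelmRelease is an unstructured field, kustomize patches replace lists rather than merging them unless a schema for the CRD is supplied; the base gitea HelmRelease's list also carries `REDIS_PASSWORD` (visible in the helmrelease-gitea.yaml hunk), so on dev-cm gitea would lose its Valkey credential. Either repeat every entry of the base list in the patch, or move the whole `additionalConfigFromEnvs` list out of base into per-cluster patches so there is one source of truth. The infra-net.yaml patch has the same shape for `lapi.env` (a single `DB_PASSWORD` item); the base crowdsec list is only partly visible here, so confirm it carries nothing else before merging.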
+++ b/flux/clusters/dev-cm/patches/infra-net.yaml @@ -48,6 +48,43 @@ spec: name: crowdsec spec: values: + lapi: + env: + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: cnpg17-cluster-hk-app + key: password + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + preference: + matchExpressions: + - key: topology.kubernetes.io/region + operator: In + values: + - cn-hk + config: + config.yaml.local: | + db_config: + type: postgresql + host: cnpg17-cluster-hk-rw.infra-data + port: 5432 + db_name: crowdsec + user: app + password: ${DB_PASSWORD} + sslmode: require + api: + server: + auto_registration: + enabled: true + token: "${REGISTRATION_TOKEN}" + allowed_ranges: + - "127.0.0.1/32" + - "192.168.0.0/16" + - "172.16.0.0/12" + - "10.0.0.0/8" agent: affinity: podAffinity: @@ -70,17 +107,6 @@ spec: operator: In values: - cn-hk - lapi: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - preference: - matchExpressions: - - key: topology.kubernetes.io/region - operator: In - values: - - cn-hk - target: kind: HelmRelease name: tailscale-derp-hk diff --git a/flux/clusters/restore/infra-devops.yaml b/flux/clusters/restore/infra-devops.yaml deleted file mode 100644 index 3e60eeb..0000000 --- a/flux/clusters/restore/infra-devops.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: infra-devops - namespace: infra-gitops -spec: - interval: 30m - retryInterval: 1m - sourceRef: - kind: GitRepository - name: flux - path: ./flux/infrastructure/infra-devops - prune: true - wait: true - dependsOn: - - name: sources - - name: secrets diff --git a/flux/clusters/restore/secrets.yaml b/flux/clusters/restore/secrets.yaml deleted file mode 100644 index e30274c..0000000 --- a/flux/clusters/restore/secrets.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -# 密钥管理层 - 通过postBuild从flux-env Secret注入变量 -# 所有环境流程一致: kubectl create secret generic flux-env -n infra-gitops --from-env-file=.env -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: secrets - namespace: infra-gitops -spec: - interval: 30m - retryInterval: 1m - sourceRef: - kind: GitRepository - name: flux - path: ./flux/infrastructure/secrets - prune: false - wait: true - dependsOn: - - name: sources - postBuild: - substituteFrom: - - kind: Secret - name: flux-env diff --git a/flux/clusters/restore/sources.yaml b/flux/clusters/restore/sources.yaml deleted file mode 100644 index 01f8d4d..0000000 --- a/flux/clusters/restore/sources.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: sources - namespace: infra-gitops -spec: - interval: 30m - retryInterval: 1m - sourceRef: - kind: GitRepository - name: flux - path: ./flux/infrastructure/sources - prune: true - wait: true diff --git a/flux/infrastructure/infra-data/helmrelease-barman-plugin.yaml b/flux/infrastructure/infra-data/helmrelease-barman-plugin.yaml index 836e31d..58f94a0 100644 --- a/flux/infrastructure/infra-data/helmrelease-barman-plugin.yaml +++ b/flux/infrastructure/infra-data/helmrelease-barman-plugin.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-data spec: interval: 30m + timeout: 15m dependsOn: - name: cloudnative-pg chart: diff --git a/flux/infrastructure/infra-data/helmrelease-cloudnative-pg.yaml b/flux/infrastructure/infra-data/helmrelease-cloudnative-pg.yaml index 0d1018a..3790ae2 100644 --- a/flux/infrastructure/infra-data/helmrelease-cloudnative-pg.yaml +++ b/flux/infrastructure/infra-data/helmrelease-cloudnative-pg.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-data spec: interval: 30m + timeout: 15m chart: spec: chart: cloudnative-pg 
diff --git a/flux/infrastructure/infra-data/helmrelease-valkey-cluster.yaml b/flux/infrastructure/infra-data/helmrelease-valkey-cluster.yaml index b089f24..d0654d5 100644 --- a/flux/infrastructure/infra-data/helmrelease-valkey-cluster.yaml +++ b/flux/infrastructure/infra-data/helmrelease-valkey-cluster.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-data spec: interval: 30m + timeout: 15m chart: spec: chart: valkey-cluster diff --git a/flux/infrastructure/infra-data/post/cnpg17-cluster.yaml b/flux/infrastructure/infra-data/post/cnpg17-cluster.yaml new file mode 100644 index 0000000..d72445d --- /dev/null +++ b/flux/infrastructure/infra-data/post/cnpg17-cluster.yaml @@ -0,0 +1,42 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: cnpg17-cluster + namespace: infra-data +spec: + imageName: ghcr.io/cloudnative-pg/postgresql:17.4 + enableSuperuserAccess: true + enablePDB: false + instances: 1 + storage: + size: 10Gi + postgresql: + parameters: + archive_timeout: 30min + env: + - name: AWS_REQUEST_CHECKSUM_CALCULATION + value: when_required + - name: AWS_RESPONSE_CHECKSUM_VALIDATION + value: when_required + plugins: + - name: barman-cloud.cloudnative-pg.io + isWALArchiver: true + parameters: + barmanObjectName: cnpg17-objectstore-hw + serverName: cnpg17-cluster + +--- +apiVersion: postgresql.cnpg.io/v1 +kind: ScheduledBackup +metadata: + name: cnpg17-cluster-backups + namespace: infra-data +spec: + schedule: "0 0 0 * * *" + immediate: true + backupOwnerReference: self + method: plugin + pluginConfiguration: + name: barman-cloud.cloudnative-pg.io + cluster: + name: cnpg17-cluster diff --git a/flux/infrastructure/infra-data/post/databases.yaml b/flux/infrastructure/infra-data/post/databases.yaml index 299885b..ae2afeb 100644 --- a/flux/infrastructure/infra-data/post/databases.yaml +++ b/flux/infrastructure/infra-data/post/databases.yaml 
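Review bot: The consolidated `cnpg17-cluster` sets `enableSuperuserAccess: true`, which makes CNPG keep a `postgres` superuser password in a Secret even though every Database object in this commit is owned by the `app` role; unless an operator path needs it, `enableSuperuserAccess: false` removes that standing credential. All four databases (gitea, grafana, halo, crowdsec) now share the single `app` owner and the single `cnpg17-cluster-app` secret that reflector-secret-annotations.yaml copies into four namespaces, so a compromise of any one consumer yields every other app's data; CNPG's `spec.managed.roles` can declare one role per application with its own `passwordSecret`, and each Database can then name that role as `owner`, so each namespace receives only its own credential. With `instances: 1` and `enablePDB: false` this is also a single point of failure for all four apps, which is fine for a dev cluster but deserves a one-line comment so the manifest is not copied unchanged elsewhere.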
@@ -1,43 +1,43 @@ apiVersion: postgresql.cnpg.io/v1 kind: Database metadata: - name: cnpg17-cluster-sh-gitea + name: cnpg17-cluster-gitea namespace: infra-data spec: name: gitea owner: app cluster: - name: cnpg17-cluster-sh + name: cnpg17-cluster --- apiVersion: postgresql.cnpg.io/v1 kind: Database metadata: - name: cnpg17-cluster-sh-grafana + name: cnpg17-cluster-grafana namespace: infra-data spec: name: grafana owner: app cluster: - name: cnpg17-cluster-sh + name: cnpg17-cluster --- apiVersion: postgresql.cnpg.io/v1 kind: Database metadata: - name: cnpg17-cluster-hk-halo + name: cnpg17-cluster-halo namespace: infra-data spec: name: halo owner: app cluster: - name: cnpg17-cluster-hk + name: cnpg17-cluster --- apiVersion: postgresql.cnpg.io/v1 kind: Database metadata: - name: cnpg17-cluster-hk-crowdsec + name: cnpg17-cluster-crowdsec namespace: infra-data spec: name: crowdsec owner: app cluster: - name: cnpg17-cluster-hk + name: cnpg17-cluster diff --git a/flux/infrastructure/infra-data/post/kustomization.yaml b/flux/infrastructure/infra-data/post/kustomization.yaml index 10ec5ec..01e468e 100644 --- a/flux/infrastructure/infra-data/post/kustomization.yaml +++ b/flux/infrastructure/infra-data/post/kustomization.yaml @@ -2,9 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - cnpg17-objectstore-hw.yaml - - cnpg17-cluster-hk.yaml - - cnpg17-cluster-sh.yaml + - cnpg17-cluster.yaml - databases.yaml - - loadbalancer-hk.yaml - - loadbalancer-sh.yaml + - loadbalancer.yaml - reflector-secret-annotations.yaml diff --git a/flux/infrastructure/infra-data/post/loadbalancer.yaml b/flux/infrastructure/infra-data/post/loadbalancer.yaml new file mode 100644 index 0000000..8bd661c --- /dev/null +++ b/flux/infrastructure/infra-data/post/loadbalancer.yaml 
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: cnpg17-cluster-lb
+ namespace: infra-data
+spec:
+ selector:
+ cnpg.io/cluster: cnpg17-cluster
+ role: primary
+ ports:
+ - protocol: TCP
+ port: 5432
+ targetPort: 5432
+ type: LoadBalancer
diff --git a/flux/infrastructure/infra-data/post/reflector-secret-annotations.yaml b/flux/infrastructure/infra-data/post/reflector-secret-annotations.yaml
index b1f60b0..3c501eb 100644
--- a/flux/infrastructure/infra-data/post/reflector-secret-annotations.yaml
+++ b/flux/infrastructure/infra-data/post/reflector-secret-annotations.yaml
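Review bot: `cnpg17-cluster-lb` publishes the primary of the consolidated cluster on port 5432 through a `LoadBalancer` Service with no `loadBalancerSourceRanges`, so the database that now holds gitea, grafana, halo and crowdsec data, all reachable with the shared `app` credential, is exposed to whatever the cloud load balancer accepts by default. If external access is genuinely required, restrict it with `loadBalancerSourceRanges:` followed by `- <ADMIN_CIDR_PLACEHOLDER>`, and make sure the cluster's `pg_hba` requires TLS for sources outside the Kubernetes network; if only in-VPC clients need it, the provider's internal-load-balancer annotation is the safer option. Nothing else in the commit references this Service, so a comment naming its consumer would help the next reviewer judge whether it is still needed.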
@@ -1,32 +1,19 @@ # 给CNPG和Valkey自动生成的secrets添加Reflector注解 # 通过SSA force合并注解到已有secrets 使其自动复制到消费方命名空间 # -# cnpg17-cluster-hk-app → apps (halo), infra-net (crowdsec) -# cnpg17-cluster-sh-app → infra-gitops (gitea), infra-monitor (grafana) +# cnpg17-cluster-app → apps (halo), infra-net (crowdsec), infra-gitops (gitea), infra-monitor (grafana) # valkey-cluster-sh → infra-gitops (gitea) apiVersion: v1 kind: Secret metadata: - name: cnpg17-cluster-hk-app + name: cnpg17-cluster-app namespace: infra-data annotations: kustomize.toolkit.fluxcd.io/prune: disabled reflector.v1.k8s.emberstack.com/reflection-allowed: "true" - reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net" + reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net,infra-gitops,infra-monitor" reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" - reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net" ---- -apiVersion: v1 -kind: Secret -metadata: - name: cnpg17-cluster-sh-app - namespace: infra-data - annotations: - kustomize.toolkit.fluxcd.io/prune: disabled - reflector.v1.k8s.emberstack.com/reflection-allowed: "true" - reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor" - reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" - reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops,infra-monitor" + reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net,infra-gitops,infra-monitor" --- apiVersion: v1 kind: Secret diff --git a/flux/infrastructure/infra-devops/helmrelease-cert-manager-webhook-dnspod.yaml b/flux/infrastructure/infra-devops/helmrelease-cert-manager-webhook-dnspod.yaml index f0ce723..788f22c 100644 --- a/flux/infrastructure/infra-devops/helmrelease-cert-manager-webhook-dnspod.yaml +++ b/flux/infrastructure/infra-devops/helmrelease-cert-manager-webhook-dnspod.yaml 
@@ -6,6 +6,7 @@ metadata: namespace: infra-devops spec: interval: 30m + timeout: 15m dependsOn: - name: cert-manager chart: diff --git a/flux/infrastructure/infra-devops/helmrelease-cert-manager.yaml b/flux/infrastructure/infra-devops/helmrelease-cert-manager.yaml index b543127..ebd33ca 100644 --- a/flux/infrastructure/infra-devops/helmrelease-cert-manager.yaml +++ b/flux/infrastructure/infra-devops/helmrelease-cert-manager.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-devops spec: interval: 30m + timeout: 15m chart: spec: chart: cert-manager diff --git a/flux/infrastructure/infra-devops/helmrelease-reflector.yaml b/flux/infrastructure/infra-devops/helmrelease-reflector.yaml index ebf8fc6..07008a8 100644 --- a/flux/infrastructure/infra-devops/helmrelease-reflector.yaml +++ b/flux/infrastructure/infra-devops/helmrelease-reflector.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-devops spec: interval: 30m + timeout: 15m chart: spec: chart: reflector diff --git a/flux/infrastructure/infra-devops/helmrelease-velero.yaml b/flux/infrastructure/infra-devops/helmrelease-velero.yaml index 85f0fc5..c54cc56 100644 --- a/flux/infrastructure/infra-devops/helmrelease-velero.yaml +++ b/flux/infrastructure/infra-devops/helmrelease-velero.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-devops spec: interval: 30m + timeout: 15m chart: spec: chart: velero diff --git a/flux/infrastructure/infra-devops/post/helmrelease-cert-manager-patch.yaml b/flux/infrastructure/infra-devops/post/helmrelease-cert-manager-patch.yaml index d3e8848..4d5dc4a 100644 --- a/flux/infrastructure/infra-devops/post/helmrelease-cert-manager-patch.yaml +++ b/flux/infrastructure/infra-devops/post/helmrelease-cert-manager-patch.yaml @@ -1,6 +1,3 @@ -# 在prometheus-stack部署后 通过SSA patch cert-manager开启ServiceMonitor -# cert-manager初始安装时servicemonitor.enabled=false(CRD尚不存在) -# infra-monitor层部署时CRD已就绪 此patch合并到已有HelmRelease apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: 
diff --git a/flux/infrastructure/infra-gitops/helmrelease-gitea.yaml b/flux/infrastructure/infra-gitops/helmrelease-gitea.yaml index 659c03b..2863831 100644 --- a/flux/infrastructure/infra-gitops/helmrelease-gitea.yaml +++ b/flux/infrastructure/infra-gitops/helmrelease-gitea.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-gitops spec: interval: 30m + timeout: 15m chart: spec: chart: gitea @@ -48,7 +49,7 @@ spec: ROOT_URL: https://git.dev.cm/ database: DB_TYPE: postgres - HOST: cnpg17-cluster-sh-rw.infra-data:5432 + HOST: cnpg17-cluster-rw.infra-data:5432 NAME: gitea USER: app SSL_MODE: disable @@ -83,7 +84,7 @@ spec: - name: GITEA__DATABASE__PASSWD valueFrom: secretKeyRef: - name: cnpg17-cluster-sh-app + name: cnpg17-cluster-app key: password - name: REDIS_PASSWORD valueFrom: diff --git a/flux/infrastructure/infra-gitops/post/helmrelease-gitea-actions.yaml b/flux/infrastructure/infra-gitops/post/helmrelease-gitea-actions.yaml index 94e8e89..47a0c6a 100644 --- a/flux/infrastructure/infra-gitops/post/helmrelease-gitea-actions.yaml +++ b/flux/infrastructure/infra-gitops/post/helmrelease-gitea-actions.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-gitops spec: interval: 30m + timeout: 15m dependsOn: - name: gitea chart: diff --git a/flux/infrastructure/infra-monitor/helmrelease-loki.yaml b/flux/infrastructure/infra-monitor/helmrelease-loki.yaml index 980bf91..1142c22 100644 --- a/flux/infrastructure/infra-monitor/helmrelease-loki.yaml +++ b/flux/infrastructure/infra-monitor/helmrelease-loki.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-monitor spec: interval: 30m + timeout: 15m chart: spec: chart: loki diff --git a/flux/infrastructure/infra-monitor/helmrelease-prometheus.yaml b/flux/infrastructure/infra-monitor/helmrelease-prometheus.yaml index 649ecc2..2e637bb 100644 --- a/flux/infrastructure/infra-monitor/helmrelease-prometheus.yaml +++ b/flux/infrastructure/infra-monitor/helmrelease-prometheus.yaml 
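Review bot: The new `HOST: cnpg17-cluster-rw.infra-data:5432` is still paired with `SSL_MODE: disable` two lines below it, so gitea's credential and data cross the cluster network in cleartext to a database this commit also exposes through a LoadBalancer Service, while the crowdsec config in the same commit uses `sslmode: require`. CNPG serves TLS on the rw service by default, so `SSL_MODE: require` (or `verify-full` with the cluster CA secret mounted) should work without further change and is worth a quick test. The grafana `grafana.ini` database block in helmrelease-prometheus.yaml sets no `ssl_mode` either and likely has the same gap.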
@@ -5,6 +5,7 @@ metadata: namespace: infra-monitor spec: interval: 30m + timeout: 15m chart: spec: chart: kube-prometheus-stack @@ -52,7 +53,7 @@ spec: envValueFrom: GF_DATABASE_PASSWORD: secretKeyRef: - name: cnpg17-cluster-sh-app + name: cnpg17-cluster-app key: password grafana.ini: server: @@ -65,7 +66,7 @@ spec: news_feed_enabled: false database: type: postgres - host: cnpg17-cluster-sh-rw.infra-data:5432 + host: cnpg17-cluster-rw.infra-data:5432 name: grafana user: app password: $__env{GF_DATABASE_PASSWORD} diff --git a/flux/infrastructure/infra-net/helmrelease-crowdsec.yaml b/flux/infrastructure/infra-net/helmrelease-crowdsec.yaml index 31e68fa..e8badb1 100644 --- a/flux/infrastructure/infra-net/helmrelease-crowdsec.yaml +++ b/flux/infrastructure/infra-net/helmrelease-crowdsec.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-net spec: interval: 30m + timeout: 15m dependsOn: - name: ingress-nginx - name: loki @@ -77,14 +78,14 @@ spec: - name: DB_PASSWORD valueFrom: secretKeyRef: - name: cnpg17-cluster-hk-app + name: cnpg17-cluster-app key: password config: # api config.yaml配置 config.yaml.local: | db_config: type: postgresql - host: cnpg17-cluster-hk-rw.infra-data + host: cnpg17-cluster-rw.infra-data port: 5432 db_name: crowdsec user: app diff --git a/flux/infrastructure/infra-net/helmrelease-ingress-nginx.yaml b/flux/infrastructure/infra-net/helmrelease-ingress-nginx.yaml index f9c8d0b..11e4d4c 100644 --- a/flux/infrastructure/infra-net/helmrelease-ingress-nginx.yaml +++ b/flux/infrastructure/infra-net/helmrelease-ingress-nginx.yaml @@ -5,6 +5,7 @@ metadata: namespace: infra-net spec: interval: 30m + timeout: 15m chart: spec: chart: ingress-nginx diff --git a/flux/infrastructure/infra-net/helmrelease-tailscale-derp.yaml b/flux/infrastructure/infra-net/helmrelease-tailscale-derp.yaml index d4a1575..03e196a 100644 --- a/flux/infrastructure/infra-net/helmrelease-tailscale-derp.yaml +++ b/flux/infrastructure/infra-net/helmrelease-tailscale-derp.yaml 
@@ -5,6 +5,7 @@ metadata: namespace: infra-net spec: interval: 30m + timeout: 15m chart: spec: chart: tailscale-derp