feat(helm): clusters update

2026-04-20 12:30:10 +08:00
@@ -5,6 +5,7 @@ metadata:
  namespace: apps
 spec:
  interval: 30m
+  timeout: 15m
  chart:
    spec:
      chart: halo
@@ -47,11 +48,11 @@ spec:
      enabled: false
    externalDatabase:
      platform: postgresql
-      host: cnpg17-cluster-hk-rw.infra-data
+      host: cnpg17-cluster-rw.infra-data
      port: 5432
      user: app
      password: from-secret
      database: halo
-      existingSecret: cnpg17-cluster-hk-app
+      existingSecret: cnpg17-cluster-app
    haloUsername: rohow
    haloExternalUrl: https://dev.cm
@@ -5,6 +5,7 @@ metadata:
  namespace: apps
 spec:
  interval: 30m
+  timeout: 15m
  chart:
    spec:
      chart: rustdesk-server
@@ -5,6 +5,7 @@ metadata:
  namespace: apps
 spec:
  interval: 30m
+  timeout: 15m
  chart:
    spec:
      chart: whoami
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 30m
+  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 30m
+  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
@@ -24,6 +25,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 30m
+  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 30m
+  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
@@ -24,6 +25,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 30m
+  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 30m
+  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
@@ -24,6 +25,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 30m
+  timeout: 15m
  retryInterval: 1m
  suspend: true
  sourceRef:
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 30m
+  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
@@ -24,6 +25,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 30m
+  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 30m
+  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
@@ -26,6 +27,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 30m
+  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 30m
+  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
@@ -7,6 +7,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 30m
+  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 30m
+  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
@@ -0,0 +1,20 @@
+apiVersion: barmancloud.cnpg.io/v1
+kind: ObjectStore
+metadata:
+  name: cnpg17-objectstore-hw
+  namespace: infra-data
+spec:
+  retentionPolicy: "7d"
+  configuration:
+    destinationPath: s3://devcm/cnpg/
+    endpointURL: https://obs.cn-east-3.myhuaweicloud.com
+    s3Credentials:
+      accessKeyId:
+        name: s3-devcm-hw
+        key: ACCESS_KEY_ID
+      secretAccessKey:
+        name: s3-devcm-hw
+        key: ACCESS_SECRET_KEY
+    wal:
+      compression: gzip
+      maxParallel: 8
@@ -0,0 +1,43 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: cnpg17-cluster-sh-gitea
+  namespace: infra-data
+spec:
+  name: gitea
+  owner: app
+  cluster:
+    name: cnpg17-cluster-sh
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: cnpg17-cluster-sh-grafana
+  namespace: infra-data
+spec:
+  name: grafana
+  owner: app
+  cluster:
+    name: cnpg17-cluster-sh
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: cnpg17-cluster-hk-halo
+  namespace: infra-data
+spec:
+  name: halo
+  owner: app
+  cluster:
+    name: cnpg17-cluster-hk
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: cnpg17-cluster-hk-crowdsec
+  namespace: infra-data
+spec:
+  name: crowdsec
+  owner: app
+  cluster:
+    name: cnpg17-cluster-hk
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cnpg17-objectstore-hw.yaml
+  - cnpg17-cluster-hk.yaml
+  - cnpg17-cluster-sh.yaml
+  - databases.yaml
+  - loadbalancer-hk.yaml
+  - loadbalancer-sh.yaml
+  - reflector-secret-annotations.yaml
@@ -0,0 +1,41 @@
+# 给CNPG和Valkey自动生成的secrets添加Reflector注解
+# 通过SSA force合并注解到已有secrets 使其自动复制到消费方命名空间
+#
+# cnpg17-cluster-hk-app → apps (halo), infra-net (crowdsec)
+# cnpg17-cluster-sh-app → infra-gitops (gitea), infra-monitor (grafana)
+# valkey-cluster-sh → infra-gitops (gitea)
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cnpg17-cluster-hk-app
+  namespace: infra-data
+  annotations:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net"
+    reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cnpg17-cluster-sh-app
+  namespace: infra-data
+  annotations:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor"
+    reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops,infra-monitor"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: valkey-cluster-sh
+  namespace: infra-data
+  annotations:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops"
+    reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops"
@@ -14,6 +14,9 @@ spec:
          name: halo
        spec:
          values:
+            externalDatabase:
+              host: cnpg17-cluster-hk-rw.infra-data
+              existingSecret: cnpg17-cluster-hk-app
            affinity:
              podAffinity:
                preferredDuringSchedulingIgnoredDuringExecution:
@@ -3,6 +3,7 @@ kind: Kustomization
 metadata:
  name: infra-data-post
 spec:
+  path: ./flux/clusters/dev-cm/infra-data-post
  patches:
    - target:
        kind: Cluster
@@ -14,6 +14,16 @@ spec:
          name: gitea
        spec:
          values:
+            gitea:
+              config:
+                database:
+                  HOST: cnpg17-cluster-sh-rw.infra-data:5432
+              additionalConfigFromEnvs:
+                - name: GITEA__DATABASE__PASSWD
+                  valueFrom:
+                    secretKeyRef:
+                      name: cnpg17-cluster-sh-app
+                      key: password
            affinity:
              podAffinity:
                preferredDuringSchedulingIgnoredDuringExecution:
@@ -55,6 +55,14 @@ spec:
              nodeSelector:
                kubernetes.io/hostname: hwa
            grafana:
+              envValueFrom:
+                GF_DATABASE_PASSWORD:
+                  secretKeyRef:
+                    name: cnpg17-cluster-sh-app
+                    key: password
+              grafana.ini:
+                database:
+                  host: cnpg17-cluster-sh-rw.infra-data:5432
              affinity:
                podAffinity:
                  preferredDuringSchedulingIgnoredDuringExecution:
@@ -48,6 +48,43 @@ spec:
          name: crowdsec
        spec:
          values:
+            lapi:
+              env:
+                - name: DB_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: cnpg17-cluster-hk-app
+                      key: password
+              affinity:
+                nodeAffinity:
+                  preferredDuringSchedulingIgnoredDuringExecution:
+                    - weight: 1
+                      preference:
+                        matchExpressions:
+                          - key: topology.kubernetes.io/region
+                            operator: In
+                            values:
+                              - cn-hk
+            config:
+              config.yaml.local: |
+                db_config:
+                  type: postgresql
+                  host: cnpg17-cluster-hk-rw.infra-data
+                  port: 5432
+                  db_name: crowdsec
+                  user: app
+                  password: ${DB_PASSWORD}
+                  sslmode: require
+                api:
+                  server:
+                    auto_registration:
+                      enabled: true
+                      token: "${REGISTRATION_TOKEN}"
+                      allowed_ranges:
+                        - "127.0.0.1/32"
+                        - "192.168.0.0/16"
+                        - "172.16.0.0/12"
+                        - "10.0.0.0/8"
            agent:
              affinity:
                podAffinity:
@@ -70,17 +107,6 @@ spec:
                            operator: In
                            values:
                              - cn-hk
-            lapi:
-              affinity:
-                nodeAffinity:
-                  preferredDuringSchedulingIgnoredDuringExecution:
-                    - weight: 1
-                      preference:
-                        matchExpressions:
-                          - key: topology.kubernetes.io/region
-                            operator: In
-                            values:
-                              - cn-hk
    - target:
        kind: HelmRelease
        name: tailscale-derp-hk
@@ -1,17 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: infra-devops
-  namespace: infra-gitops
-spec:
-  interval: 30m
-  retryInterval: 1m
-  sourceRef:
-    kind: GitRepository
-    name: flux
-  path: ./flux/infrastructure/infra-devops
-  prune: true
-  wait: true
-  dependsOn:
-    - name: sources
-    - name: secrets
@@ -1,22 +0,0 @@
-# 密钥管理层 - 通过postBuild从flux-env Secret注入变量
-# 所有环境流程一致: kubectl create secret generic flux-env -n infra-gitops --from-env-file=.env
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: secrets
-  namespace: infra-gitops
-spec:
-  interval: 30m
-  retryInterval: 1m
-  sourceRef:
-    kind: GitRepository
-    name: flux
-  path: ./flux/infrastructure/secrets
-  prune: false
-  wait: true
-  dependsOn:
-    - name: sources
-  postBuild:
-    substituteFrom:
-      - kind: Secret
-        name: flux-env
@@ -1,14 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: sources
-  namespace: infra-gitops
-spec:
-  interval: 30m
-  retryInterval: 1m
-  sourceRef:
-    kind: GitRepository
-    name: flux
-  path: ./flux/infrastructure/sources
-  prune: true
-  wait: true
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-data
 spec:
  interval: 30m
+  timeout: 15m
  dependsOn:
    - name: cloudnative-pg
  chart:
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-data
 spec:
  interval: 30m
+  timeout: 15m
  chart:
    spec:
      chart: cloudnative-pg
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-data
 spec:
  interval: 30m
+  timeout: 15m
  chart:
    spec:
      chart: valkey-cluster
@@ -0,0 +1,42 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: cnpg17-cluster
+  namespace: infra-data
+spec:
+  imageName: ghcr.io/cloudnative-pg/postgresql:17.4
+  enableSuperuserAccess: true
+  enablePDB: false
+  instances: 1
+  storage:
+    size: 10Gi
+  postgresql:
+    parameters:
+      archive_timeout: 30min
+  env:
+    - name: AWS_REQUEST_CHECKSUM_CALCULATION
+      value: when_required
+    - name: AWS_RESPONSE_CHECKSUM_VALIDATION
+      value: when_required
+  plugins:
+    - name: barman-cloud.cloudnative-pg.io
+      isWALArchiver: true
+      parameters:
+        barmanObjectName: cnpg17-objectstore-hw
+        serverName: cnpg17-cluster
+
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: cnpg17-cluster-backups
+  namespace: infra-data
+spec:
+  schedule: "0 0 0 * * *"
+  immediate: true
+  backupOwnerReference: self
+  method: plugin
+  pluginConfiguration:
+    name: barman-cloud.cloudnative-pg.io
+  cluster:
+    name: cnpg17-cluster
@@ -1,43 +1,43 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Database
 metadata:
-  name: cnpg17-cluster-sh-gitea
+  name: cnpg17-cluster-gitea
  namespace: infra-data
 spec:
  name: gitea
  owner: app
  cluster:
-    name: cnpg17-cluster-sh
+    name: cnpg17-cluster
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: Database
 metadata:
-  name: cnpg17-cluster-sh-grafana
+  name: cnpg17-cluster-grafana
  namespace: infra-data
 spec:
  name: grafana
  owner: app
  cluster:
-    name: cnpg17-cluster-sh
+    name: cnpg17-cluster
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: Database
 metadata:
-  name: cnpg17-cluster-hk-halo
+  name: cnpg17-cluster-halo
  namespace: infra-data
 spec:
  name: halo
  owner: app
  cluster:
-    name: cnpg17-cluster-hk
+    name: cnpg17-cluster
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: Database
 metadata:
-  name: cnpg17-cluster-hk-crowdsec
+  name: cnpg17-cluster-crowdsec
  namespace: infra-data
 spec:
  name: crowdsec
  owner: app
  cluster:
-    name: cnpg17-cluster-hk
+    name: cnpg17-cluster
@@ -2,9 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - cnpg17-objectstore-hw.yaml
-  - cnpg17-cluster-hk.yaml
-  - cnpg17-cluster-sh.yaml
+  - cnpg17-cluster.yaml
  - databases.yaml
-  - loadbalancer-hk.yaml
-  - loadbalancer-sh.yaml
+  - loadbalancer.yaml
  - reflector-secret-annotations.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: cnpg17-cluster-lb
+  namespace: infra-data
+spec:
+  selector:
+    cnpg.io/cluster: cnpg17-cluster
+    role: primary
+  ports:
+    - protocol: TCP
+      port: 5432
+      targetPort: 5432
+  type: LoadBalancer
@@ -1,32 +1,19 @@
 # 给CNPG和Valkey自动生成的secrets添加Reflector注解
 # 通过SSA force合并注解到已有secrets 使其自动复制到消费方命名空间
 #
-# cnpg17-cluster-hk-app → apps (halo), infra-net (crowdsec)
-# cnpg17-cluster-sh-app → infra-gitops (gitea), infra-monitor (grafana)
+# cnpg17-cluster-app → apps (halo), infra-net (crowdsec), infra-gitops (gitea), infra-monitor (grafana)
 # valkey-cluster-sh → infra-gitops (gitea)
 apiVersion: v1
 kind: Secret
 metadata:
-  name: cnpg17-cluster-hk-app
+  name: cnpg17-cluster-app
  namespace: infra-data
  annotations:
    kustomize.toolkit.fluxcd.io/prune: disabled
    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net"
+    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net,infra-gitops,infra-monitor"
    reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
-    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net"
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: cnpg17-cluster-sh-app
-  namespace: infra-data
-  annotations:
-    kustomize.toolkit.fluxcd.io/prune: disabled
-    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor"
-    reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
-    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops,infra-monitor"
+    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net,infra-gitops,infra-monitor"
 ---
 apiVersion: v1
 kind: Secret
@@ -6,6 +6,7 @@ metadata:
  namespace: infra-devops
 spec:
  interval: 30m
+  timeout: 15m
  dependsOn:
    - name: cert-manager
  chart:
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-devops
 spec:
  interval: 30m
+  timeout: 15m
  chart:
    spec:
      chart: cert-manager
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-devops
 spec:
  interval: 30m
+  timeout: 15m
  chart:
    spec:
      chart: reflector
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-devops
 spec:
  interval: 30m
+  timeout: 15m
  chart:
    spec:
      chart: velero
@@ -1,6 +1,3 @@
-# 在prometheus-stack部署后 通过SSA patch cert-manager开启ServiceMonitor
-# cert-manager初始安装时servicemonitor.enabled=false(CRD尚不存在)
-# infra-monitor层部署时CRD已就绪 此patch合并到已有HelmRelease
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 30m
+  timeout: 15m
  chart:
    spec:
      chart: gitea
@@ -48,7 +49,7 @@ spec:
          ROOT_URL: https://git.dev.cm/
        database:
          DB_TYPE: postgres
-          HOST: cnpg17-cluster-sh-rw.infra-data:5432
+          HOST: cnpg17-cluster-rw.infra-data:5432
          NAME: gitea
          USER: app
          SSL_MODE: disable
@@ -83,7 +84,7 @@ spec:
        - name: GITEA__DATABASE__PASSWD
          valueFrom:
            secretKeyRef:
-              name: cnpg17-cluster-sh-app
+              name: cnpg17-cluster-app
              key: password
        - name: REDIS_PASSWORD
          valueFrom:
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 30m
+  timeout: 15m
  dependsOn:
    - name: gitea
  chart:
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-monitor
 spec:
  interval: 30m
+  timeout: 15m
  chart:
    spec:
      chart: loki
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-monitor
 spec:
  interval: 30m
+  timeout: 15m
  chart:
    spec:
      chart: kube-prometheus-stack
@@ -52,7 +53,7 @@ spec:
      envValueFrom:
        GF_DATABASE_PASSWORD:
          secretKeyRef:
-            name: cnpg17-cluster-sh-app
+            name: cnpg17-cluster-app
            key: password
      grafana.ini:
        server:
@@ -65,7 +66,7 @@ spec:
          news_feed_enabled: false
        database:
          type: postgres
-          host: cnpg17-cluster-sh-rw.infra-data:5432
+          host: cnpg17-cluster-rw.infra-data:5432
          name: grafana
          user: app
          password: $__env{GF_DATABASE_PASSWORD}
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-net
 spec:
  interval: 30m
+  timeout: 15m
  dependsOn:
    - name: ingress-nginx
    - name: loki
@@ -77,14 +78,14 @@ spec:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
-              name: cnpg17-cluster-hk-app
+              name: cnpg17-cluster-app
              key: password
    config:
      # api config.yaml配置
      config.yaml.local: |
        db_config:
          type: postgresql
-          host: cnpg17-cluster-hk-rw.infra-data
+          host: cnpg17-cluster-rw.infra-data
          port: 5432
          db_name: crowdsec
          user: app
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-net
 spec:
  interval: 30m
+  timeout: 15m
  chart:
    spec:
      chart: ingress-nginx
@@ -5,6 +5,7 @@ metadata:
  namespace: infra-net
 spec:
  interval: 30m
+  timeout: 15m
  chart:
    spec:
      chart: tailscale-derp