dev.cm/k3s
1
0
派生 0
代码 议题 拉取请求 活动

feat(helm): clusters update

浏览代码
这个提交包含在:
rohow
2026-04-20 12:30:10 +08:00
未验证
父节点 f4a771fc93
当前提交 2d44327aa4
修改 52 个文件,包含 342 行新增107 行删除
下载 Patch 文件 下载 Diff 文件 展开所有文件 折叠所有文件
ansible/inventory/group_vars/all.yml
+1 -1
查看文件
@@ -13,6 +13,7 @@ ha_server_url: "{{ lookup('env', 'HA_SERVER_URL') | default('', true) }}"
# K3s Server URL (优先使用 HA_SERVER_URL,否则动态使用 init 节点地址) # K3s Server URL (优先使用 HA_SERVER_URL,否则动态使用 init 节点地址)
k3s_server_url: "{{ ha_server_url if (ha_server_url | length > 0) else '' }}" k3s_server_url: "{{ ha_server_url if (ha_server_url | length > 0) else '' }}"
k3s_version: "v1.34.2+k3s1" k3s_version: "v1.34.2+k3s1"
tailscale_version: "1.96.4"
# ETCD 配置 # ETCD 配置
etcd_snapshot_retention: 1 etcd_snapshot_retention: 1
@@ -44,4 +45,3 @@ registry_mirrors:
- "k8s.m.daocloud.io" - "k8s.m.daocloud.io"
quay.io: quay.io:
- "quay.m.daocloud.io" - "quay.m.daocloud.io"
ansible/playbooks/site.yml
+34
查看文件
@@ -167,3 +167,37 @@
{{ nodes.stdout }} {{ nodes.stdout }}
══════════════════════════════════════════════════════════════ ══════════════════════════════════════════════════════════════
when: cluster_init | default(false) when: cluster_init | default(false)
# ============================================
# K3s 卸载 (需显式指定: --tags uninstall)
# ============================================
- name: Uninstall K3s agents
hosts: agents
gather_facts: false
tags: [uninstall, never]
tasks:
- name: Check agent uninstall script
ansible.builtin.stat:
path: /usr/local/bin/k3s-agent-uninstall.sh
register: agent_uninstall_script
- name: Run k3s-agent-uninstall.sh
ansible.builtin.command: /usr/local/bin/k3s-agent-uninstall.sh
when: agent_uninstall_script.stat.exists
changed_when: true
- name: Uninstall K3s masters
hosts: masters
gather_facts: false
serial: 1
tags: [uninstall, never]
tasks:
- name: Check server uninstall script
ansible.builtin.stat:
path: /usr/local/bin/k3s-uninstall.sh
register: server_uninstall_script
- name: Run k3s-uninstall.sh
ansible.builtin.command: /usr/local/bin/k3s-uninstall.sh
when: server_uninstall_script.stat.exists
changed_when: true
ansible/roles/common/tasks/main.yml
+24 -1
查看文件
@@ -37,6 +37,20 @@
failed_when: false failed_when: false
changed_when: false changed_when: false
- name: Check current Tailscale version
ansible.builtin.shell: tailscale version | head -1
register: common_tailscale_version
failed_when: false
changed_when: false
when: common_tailscale_check.rc == 0
- name: Set Tailscale install flag
ansible.builtin.set_fact:
tailscale_needs_install: "{{
common_tailscale_check.rc != 0 or
(common_tailscale_version.stdout | default('') is not search(tailscale_version))
}}"
- name: Download Tailscale install script - name: Download Tailscale install script
ansible.builtin.get_url: ansible.builtin.get_url:
url: https://tailscale.com/install.sh url: https://tailscale.com/install.sh
@@ -44,11 +58,20 @@
mode: "0755" mode: "0755"
when: common_tailscale_check.rc != 0 when: common_tailscale_check.rc != 0
- name: Install Tailscale - name: Install Tailscale via install script
ansible.builtin.command: /tmp/tailscale-install.sh ansible.builtin.command: /tmp/tailscale-install.sh
when: common_tailscale_check.rc != 0 when: common_tailscale_check.rc != 0
changed_when: true changed_when: true
- name: Install specific Tailscale version
ansible.builtin.apt:
name:
- "tailscale={{ tailscale_version }}"
- "tailscaled={{ tailscale_version }}"
state: present
allow_downgrade: true
when: tailscale_needs_install
- name: Remove Tailscale install script - name: Remove Tailscale install script
ansible.builtin.file: ansible.builtin.file:
path: /tmp/tailscale-install.sh path: /tmp/tailscale-install.sh
ansible/roles/k3s/tasks/main.yml
+1 -1
查看文件
@@ -110,7 +110,7 @@
- name: Wait for K3s server ready - name: Wait for K3s server ready
ansible.builtin.wait_for: ansible.builtin.wait_for:
path: /var/lib/rancher/k3s/server/node-token path: /var/lib/rancher/k3s/server/node-token
timeout: 120 timeout: 300
when: "'masters' in group_names" when: "'masters' in group_names"
# 保存 kubeconfig (仅 cluster-init) # 保存 kubeconfig (仅 cluster-init)
flux/apps/helmrelease-halo.yaml
+3 -2
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: apps namespace: apps
spec: spec:
interval: 30m interval: 30m
timeout: 15m
chart: chart:
spec: spec:
chart: halo chart: halo
@@ -47,11 +48,11 @@ spec:
enabled: false enabled: false
externalDatabase: externalDatabase:
platform: postgresql platform: postgresql
host: cnpg17-cluster-hk-rw.infra-data host: cnpg17-cluster-rw.infra-data
port: 5432 port: 5432
user: app user: app
password: from-secret password: from-secret
database: halo database: halo
existingSecret: cnpg17-cluster-hk-app existingSecret: cnpg17-cluster-app
haloUsername: rohow haloUsername: rohow
haloExternalUrl: https://dev.cm haloExternalUrl: https://dev.cm
flux/apps/helmrelease-rustdesk.yaml
+1
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: apps namespace: apps
spec: spec:
interval: 30m interval: 30m
timeout: 15m
chart: chart:
spec: spec:
chart: rustdesk-server chart: rustdesk-server
flux/apps/helmrelease-whoami.yaml
+1
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: apps namespace: apps
spec: spec:
interval: 30m interval: 30m
timeout: 15m
chart: chart:
spec: spec:
chart: whoami chart: whoami
flux/clusters/base/apps.yaml
+1
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops namespace: infra-gitops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
retryInterval: 1m retryInterval: 1m
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
flux/clusters/base/infra-data.yaml
+2
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops namespace: infra-gitops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
retryInterval: 1m retryInterval: 1m
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
@@ -24,6 +25,7 @@ metadata:
namespace: infra-gitops namespace: infra-gitops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
retryInterval: 1m retryInterval: 1m
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
flux/clusters/base/infra-devops.yaml
+2
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops namespace: infra-gitops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
retryInterval: 1m retryInterval: 1m
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
@@ -24,6 +25,7 @@ metadata:
namespace: infra-gitops namespace: infra-gitops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
retryInterval: 1m retryInterval: 1m
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
flux/clusters/base/infra-gitops.yaml
+2
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops namespace: infra-gitops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
retryInterval: 1m retryInterval: 1m
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
@@ -24,6 +25,7 @@ metadata:
namespace: infra-gitops namespace: infra-gitops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
retryInterval: 1m retryInterval: 1m
suspend: true suspend: true
sourceRef: sourceRef:
flux/clusters/base/infra-monitor.yaml
+2
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops namespace: infra-gitops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
retryInterval: 1m retryInterval: 1m
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
@@ -24,6 +25,7 @@ metadata:
namespace: infra-gitops namespace: infra-gitops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
retryInterval: 1m retryInterval: 1m
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
flux/clusters/base/infra-net.yaml
+2
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops namespace: infra-gitops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
retryInterval: 1m retryInterval: 1m
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
@@ -26,6 +27,7 @@ metadata:
namespace: infra-gitops namespace: infra-gitops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
retryInterval: 1m retryInterval: 1m
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
flux/clusters/base/kube-system.yaml
+1
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops namespace: infra-gitops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
retryInterval: 1m retryInterval: 1m
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
flux/clusters/base/secrets.yaml
+1
查看文件
@@ -7,6 +7,7 @@ metadata:
namespace: infra-gitops namespace: infra-gitops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
retryInterval: 1m retryInterval: 1m
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
flux/clusters/base/sources.yaml
+1
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops namespace: infra-gitops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
retryInterval: 1m retryInterval: 1m
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
flux/infrastructure/infra-data/post/cnpg17-cluster-hk.yaml → flux/clusters/dev-cm/infra-data-post/cnpg17-cluster-hk.yaml
查看文件
flux/infrastructure/infra-data/post/cnpg17-cluster-sh.yaml → flux/clusters/dev-cm/infra-data-post/cnpg17-cluster-sh.yaml
查看文件
flux/clusters/dev-cm/infra-data-post/cnpg17-objectstore-hw.yaml
+20
查看文件
@@ -0,0 +1,20 @@
apiVersion: barmancloud.cnpg.io/v1
kind: ObjectStore
metadata:
name: cnpg17-objectstore-hw
namespace: infra-data
spec:
retentionPolicy: "7d"
configuration:
destinationPath: s3://devcm/cnpg/
endpointURL: https://obs.cn-east-3.myhuaweicloud.com
s3Credentials:
accessKeyId:
name: s3-devcm-hw
key: ACCESS_KEY_ID
secretAccessKey:
name: s3-devcm-hw
key: ACCESS_SECRET_KEY
wal:
compression: gzip
maxParallel: 8
flux/clusters/dev-cm/infra-data-post/databases.yaml
+43
查看文件
@@ -0,0 +1,43 @@
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-sh-gitea
namespace: infra-data
spec:
name: gitea
owner: app
cluster:
name: cnpg17-cluster-sh
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-sh-grafana
namespace: infra-data
spec:
name: grafana
owner: app
cluster:
name: cnpg17-cluster-sh
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-hk-halo
namespace: infra-data
spec:
name: halo
owner: app
cluster:
name: cnpg17-cluster-hk
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-hk-crowdsec
namespace: infra-data
spec:
name: crowdsec
owner: app
cluster:
name: cnpg17-cluster-hk
flux/clusters/dev-cm/infra-data-post/kustomization.yaml
+10
查看文件
@@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cnpg17-objectstore-hw.yaml
- cnpg17-cluster-hk.yaml
- cnpg17-cluster-sh.yaml
- databases.yaml
- loadbalancer-hk.yaml
- loadbalancer-sh.yaml
- reflector-secret-annotations.yaml
flux/infrastructure/infra-data/post/loadbalancer-hk.yaml → flux/clusters/dev-cm/infra-data-post/loadbalancer-hk.yaml
查看文件
flux/infrastructure/infra-data/post/loadbalancer-sh.yaml → flux/clusters/dev-cm/infra-data-post/loadbalancer-sh.yaml
查看文件
flux/clusters/dev-cm/infra-data-post/reflector-secret-annotations.yaml
+41
查看文件
@@ -0,0 +1,41 @@
# 给CNPG和Valkey自动生成的secrets添加Reflector注解
# 通过SSA force合并注解到已有secrets 使其自动复制到消费方命名空间
#
# cnpg17-cluster-hk-app → apps (halo), infra-net (crowdsec)
# cnpg17-cluster-sh-app → infra-gitops (gitea), infra-monitor (grafana)
# valkey-cluster-sh → infra-gitops (gitea)
apiVersion: v1
kind: Secret
metadata:
name: cnpg17-cluster-hk-app
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net"
---
apiVersion: v1
kind: Secret
metadata:
name: cnpg17-cluster-sh-app
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops,infra-monitor"
---
apiVersion: v1
kind: Secret
metadata:
name: valkey-cluster-sh
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops"
flux/clusters/dev-cm/patches/apps.yaml
+3
查看文件
@@ -14,6 +14,9 @@ spec:
name: halo name: halo
spec: spec:
values: values:
externalDatabase:
host: cnpg17-cluster-hk-rw.infra-data
existingSecret: cnpg17-cluster-hk-app
affinity: affinity:
podAffinity: podAffinity:
preferredDuringSchedulingIgnoredDuringExecution: preferredDuringSchedulingIgnoredDuringExecution:
flux/clusters/dev-cm/patches/infra-data-post.yaml
+1
查看文件
@@ -3,6 +3,7 @@ kind: Kustomization
metadata: metadata:
name: infra-data-post name: infra-data-post
spec: spec:
path: ./flux/clusters/dev-cm/infra-data-post
patches: patches:
- target: - target:
kind: Cluster kind: Cluster
flux/clusters/dev-cm/patches/infra-gitops.yaml
+10
查看文件
@@ -14,6 +14,16 @@ spec:
name: gitea name: gitea
spec: spec:
values: values:
gitea:
config:
database:
HOST: cnpg17-cluster-sh-rw.infra-data:5432
additionalConfigFromEnvs:
- name: GITEA__DATABASE__PASSWD
valueFrom:
secretKeyRef:
name: cnpg17-cluster-sh-app
key: password
affinity: affinity:
podAffinity: podAffinity:
preferredDuringSchedulingIgnoredDuringExecution: preferredDuringSchedulingIgnoredDuringExecution:
flux/clusters/dev-cm/patches/infra-monitor.yaml
+8
查看文件
@@ -55,6 +55,14 @@ spec:
nodeSelector: nodeSelector:
kubernetes.io/hostname: hwa kubernetes.io/hostname: hwa
grafana: grafana:
envValueFrom:
GF_DATABASE_PASSWORD:
secretKeyRef:
name: cnpg17-cluster-sh-app
key: password
grafana.ini:
database:
host: cnpg17-cluster-sh-rw.infra-data:5432
affinity: affinity:
podAffinity: podAffinity:
preferredDuringSchedulingIgnoredDuringExecution: preferredDuringSchedulingIgnoredDuringExecution:
flux/clusters/dev-cm/patches/infra-net.yaml
+37 -11
查看文件
@@ -48,6 +48,43 @@ spec:
name: crowdsec name: crowdsec
spec: spec:
values: values:
lapi:
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: cnpg17-cluster-hk-app
key: password
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- cn-hk
config:
config.yaml.local: |
db_config:
type: postgresql
host: cnpg17-cluster-hk-rw.infra-data
port: 5432
db_name: crowdsec
user: app
password: ${DB_PASSWORD}
sslmode: require
api:
server:
auto_registration:
enabled: true
token: "${REGISTRATION_TOKEN}"
allowed_ranges:
- "127.0.0.1/32"
- "192.168.0.0/16"
- "172.16.0.0/12"
- "10.0.0.0/8"
agent: agent:
affinity: affinity:
podAffinity: podAffinity:
@@ -70,17 +107,6 @@ spec:
operator: In operator: In
values: values:
- cn-hk - cn-hk
lapi:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- cn-hk
- target: - target:
kind: HelmRelease kind: HelmRelease
name: tailscale-derp-hk name: tailscale-derp-hk
flux/clusters/restore/infra-devops.yaml
-17
查看文件
@@ -1,17 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-devops
namespace: infra-gitops
spec:
interval: 30m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-devops
prune: true
wait: true
dependsOn:
- name: sources
- name: secrets
flux/clusters/restore/secrets.yaml
-22
查看文件
@@ -1,22 +0,0 @@
# 密钥管理层 - 通过postBuild从flux-env Secret注入变量
# 所有环境流程一致: kubectl create secret generic flux-env -n infra-gitops --from-env-file=.env
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: secrets
namespace: infra-gitops
spec:
interval: 30m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/secrets
prune: false
wait: true
dependsOn:
- name: sources
postBuild:
substituteFrom:
- kind: Secret
name: flux-env
flux/clusters/restore/sources.yaml
-14
查看文件
@@ -1,14 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: sources
namespace: infra-gitops
spec:
interval: 30m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/sources
prune: true
wait: true
flux/infrastructure/infra-data/helmrelease-barman-plugin.yaml
+1
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-data namespace: infra-data
spec: spec:
interval: 30m interval: 30m
timeout: 15m
dependsOn: dependsOn:
- name: cloudnative-pg - name: cloudnative-pg
chart: chart:
flux/infrastructure/infra-data/helmrelease-cloudnative-pg.yaml
+1
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-data namespace: infra-data
spec: spec:
interval: 30m interval: 30m
timeout: 15m
chart: chart:
spec: spec:
chart: cloudnative-pg chart: cloudnative-pg
flux/infrastructure/infra-data/helmrelease-valkey-cluster.yaml
+1
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-data namespace: infra-data
spec: spec:
interval: 30m interval: 30m
timeout: 15m
chart: chart:
spec: spec:
chart: valkey-cluster chart: valkey-cluster
flux/infrastructure/infra-data/post/cnpg17-cluster.yaml
+42
查看文件
@@ -0,0 +1,42 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: cnpg17-cluster
namespace: infra-data
spec:
imageName: ghcr.io/cloudnative-pg/postgresql:17.4
enableSuperuserAccess: true
enablePDB: false
instances: 1
storage:
size: 10Gi
postgresql:
parameters:
archive_timeout: 30min
env:
- name: AWS_REQUEST_CHECKSUM_CALCULATION
value: when_required
- name: AWS_RESPONSE_CHECKSUM_VALIDATION
value: when_required
plugins:
- name: barman-cloud.cloudnative-pg.io
isWALArchiver: true
parameters:
barmanObjectName: cnpg17-objectstore-hw
serverName: cnpg17-cluster
---
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
name: cnpg17-cluster-backups
namespace: infra-data
spec:
schedule: "0 0 0 * * *"
immediate: true
backupOwnerReference: self
method: plugin
pluginConfiguration:
name: barman-cloud.cloudnative-pg.io
cluster:
name: cnpg17-cluster
flux/infrastructure/infra-data/post/databases.yaml
+8 -8
查看文件
@@ -1,43 +1,43 @@
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
kind: Database kind: Database
metadata: metadata:
name: cnpg17-cluster-sh-gitea name: cnpg17-cluster-gitea
namespace: infra-data namespace: infra-data
spec: spec:
name: gitea name: gitea
owner: app owner: app
cluster: cluster:
name: cnpg17-cluster-sh name: cnpg17-cluster
--- ---
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
kind: Database kind: Database
metadata: metadata:
name: cnpg17-cluster-sh-grafana name: cnpg17-cluster-grafana
namespace: infra-data namespace: infra-data
spec: spec:
name: grafana name: grafana
owner: app owner: app
cluster: cluster:
name: cnpg17-cluster-sh name: cnpg17-cluster
--- ---
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
kind: Database kind: Database
metadata: metadata:
name: cnpg17-cluster-hk-halo name: cnpg17-cluster-halo
namespace: infra-data namespace: infra-data
spec: spec:
name: halo name: halo
owner: app owner: app
cluster: cluster:
name: cnpg17-cluster-hk name: cnpg17-cluster
--- ---
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
kind: Database kind: Database
metadata: metadata:
name: cnpg17-cluster-hk-crowdsec name: cnpg17-cluster-crowdsec
namespace: infra-data namespace: infra-data
spec: spec:
name: crowdsec name: crowdsec
owner: app owner: app
cluster: cluster:
name: cnpg17-cluster-hk name: cnpg17-cluster
flux/infrastructure/infra-data/post/kustomization.yaml
+2 -4
查看文件
@@ -2,9 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- cnpg17-objectstore-hw.yaml - cnpg17-objectstore-hw.yaml
- cnpg17-cluster-hk.yaml - cnpg17-cluster.yaml
- cnpg17-cluster-sh.yaml
- databases.yaml - databases.yaml
- loadbalancer-hk.yaml - loadbalancer.yaml
- loadbalancer-sh.yaml
- reflector-secret-annotations.yaml - reflector-secret-annotations.yaml
flux/infrastructure/infra-data/post/loadbalancer.yaml
+14
查看文件
@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: cnpg17-cluster-lb
namespace: infra-data
spec:
selector:
cnpg.io/cluster: cnpg17-cluster
role: primary
ports:
- protocol: TCP
port: 5432
targetPort: 5432
type: LoadBalancer
flux/infrastructure/infra-data/post/reflector-secret-annotations.yaml
+4 -17
查看文件
@@ -1,32 +1,19 @@
# 给CNPG和Valkey自动生成的secrets添加Reflector注解 # 给CNPG和Valkey自动生成的secrets添加Reflector注解
# 通过SSA force合并注解到已有secrets 使其自动复制到消费方命名空间 # 通过SSA force合并注解到已有secrets 使其自动复制到消费方命名空间
# #
# cnpg17-cluster-hk-app → apps (halo), infra-net (crowdsec) # cnpg17-cluster-app → apps (halo), infra-net (crowdsec), infra-gitops (gitea), infra-monitor (grafana)
# cnpg17-cluster-sh-app → infra-gitops (gitea), infra-monitor (grafana)
# valkey-cluster-sh → infra-gitops (gitea) # valkey-cluster-sh → infra-gitops (gitea)
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: cnpg17-cluster-hk-app name: cnpg17-cluster-app
namespace: infra-data namespace: infra-data
annotations: annotations:
kustomize.toolkit.fluxcd.io/prune: disabled kustomize.toolkit.fluxcd.io/prune: disabled
reflector.v1.k8s.emberstack.com/reflection-allowed: "true" reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net" reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net,infra-gitops,infra-monitor"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net" reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net,infra-gitops,infra-monitor"
---
apiVersion: v1
kind: Secret
metadata:
name: cnpg17-cluster-sh-app
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops,infra-monitor"
--- ---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
flux/infrastructure/infra-devops/helmrelease-cert-manager-webhook-dnspod.yaml
+1
查看文件
@@ -6,6 +6,7 @@ metadata:
namespace: infra-devops namespace: infra-devops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
dependsOn: dependsOn:
- name: cert-manager - name: cert-manager
chart: chart:
flux/infrastructure/infra-devops/helmrelease-cert-manager.yaml
+1
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-devops namespace: infra-devops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
chart: chart:
spec: spec:
chart: cert-manager chart: cert-manager
flux/infrastructure/infra-devops/helmrelease-reflector.yaml
+1
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-devops namespace: infra-devops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
chart: chart:
spec: spec:
chart: reflector chart: reflector
flux/infrastructure/infra-devops/helmrelease-velero.yaml
+1
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-devops namespace: infra-devops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
chart: chart:
spec: spec:
chart: velero chart: velero
flux/infrastructure/infra-devops/post/helmrelease-cert-manager-patch.yaml
-3
查看文件
@@ -1,6 +1,3 @@
# 在prometheus-stack部署后 通过SSA patch cert-manager开启ServiceMonitor
# cert-manager初始安装时servicemonitor.enabled=false(CRD尚不存在)
# infra-monitor层部署时CRD已就绪 此patch合并到已有HelmRelease
apiVersion: helm.toolkit.fluxcd.io/v2 apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease kind: HelmRelease
metadata: metadata:
flux/infrastructure/infra-gitops/helmrelease-gitea.yaml
+3 -2
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops namespace: infra-gitops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
chart: chart:
spec: spec:
chart: gitea chart: gitea
@@ -48,7 +49,7 @@ spec:
ROOT_URL: https://git.dev.cm/ ROOT_URL: https://git.dev.cm/
database: database:
DB_TYPE: postgres DB_TYPE: postgres
HOST: cnpg17-cluster-sh-rw.infra-data:5432 HOST: cnpg17-cluster-rw.infra-data:5432
NAME: gitea NAME: gitea
USER: app USER: app
SSL_MODE: disable SSL_MODE: disable
@@ -83,7 +84,7 @@ spec:
- name: GITEA__DATABASE__PASSWD - name: GITEA__DATABASE__PASSWD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: cnpg17-cluster-sh-app name: cnpg17-cluster-app
key: password key: password
- name: REDIS_PASSWORD - name: REDIS_PASSWORD
valueFrom: valueFrom:
flux/infrastructure/infra-gitops/post/helmrelease-gitea-actions.yaml
+1
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops namespace: infra-gitops
spec: spec:
interval: 30m interval: 30m
timeout: 15m
dependsOn: dependsOn:
- name: gitea - name: gitea
chart: chart:
flux/infrastructure/infra-monitor/helmrelease-loki.yaml
+1
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-monitor namespace: infra-monitor
spec: spec:
interval: 30m interval: 30m
timeout: 15m
chart: chart:
spec: spec:
chart: loki chart: loki
flux/infrastructure/infra-monitor/helmrelease-prometheus.yaml
+3 -2
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-monitor namespace: infra-monitor
spec: spec:
interval: 30m interval: 30m
timeout: 15m
chart: chart:
spec: spec:
chart: kube-prometheus-stack chart: kube-prometheus-stack
@@ -52,7 +53,7 @@ spec:
envValueFrom: envValueFrom:
GF_DATABASE_PASSWORD: GF_DATABASE_PASSWORD:
secretKeyRef: secretKeyRef:
name: cnpg17-cluster-sh-app name: cnpg17-cluster-app
key: password key: password
grafana.ini: grafana.ini:
server: server:
@@ -65,7 +66,7 @@ spec:
news_feed_enabled: false news_feed_enabled: false
database: database:
type: postgres type: postgres
host: cnpg17-cluster-sh-rw.infra-data:5432 host: cnpg17-cluster-rw.infra-data:5432
name: grafana name: grafana
user: app user: app
password: $__env{GF_DATABASE_PASSWORD} password: $__env{GF_DATABASE_PASSWORD}
flux/infrastructure/infra-net/helmrelease-crowdsec.yaml
+3 -2
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-net namespace: infra-net
spec: spec:
interval: 30m interval: 30m
timeout: 15m
dependsOn: dependsOn:
- name: ingress-nginx - name: ingress-nginx
- name: loki - name: loki
@@ -77,14 +78,14 @@ spec:
- name: DB_PASSWORD - name: DB_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: cnpg17-cluster-hk-app name: cnpg17-cluster-app
key: password key: password
config: config:
# api config.yaml配置 # api config.yaml配置
config.yaml.local: | config.yaml.local: |
db_config: db_config:
type: postgresql type: postgresql
host: cnpg17-cluster-hk-rw.infra-data host: cnpg17-cluster-rw.infra-data
port: 5432 port: 5432
db_name: crowdsec db_name: crowdsec
user: app user: app
flux/infrastructure/infra-net/helmrelease-ingress-nginx.yaml
+1
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-net namespace: infra-net
spec: spec:
interval: 30m interval: 30m
timeout: 15m
chart: chart:
spec: spec:
chart: ingress-nginx chart: ingress-nginx
flux/infrastructure/infra-net/helmrelease-tailscale-derp.yaml
+1
查看文件
@@ -5,6 +5,7 @@ metadata:
namespace: infra-net namespace: infra-net
spec: spec:
interval: 30m interval: 30m
timeout: 15m
chart: chart:
spec: spec:
chart: tailscale-derp chart: tailscale-derp