diff --git a/.env.sample b/.env.sample
new file mode 100644
index 0000000..4c68895
--- /dev/null
+++ b/.env.sample
@@ -0,0 +1,10 @@
+# 华为云OBS S3凭据 (velero备份 + CNPG WAL归档)
+S3_ACCESS_KEY_ID=placeholder
+S3_ACCESS_SECRET_KEY=placeholder
+
+# DNSPod API凭据 (cert-manager ACME DNS验证)
+DNSPOD_SECRET_ID=placeholder
+DNSPOD_SECRET_KEY=placeholder
+
+# Gitea Actions Runner Token
+GITEA_ACTIONS_TOKEN=placeholder
diff --git a/.gitignore b/.gitignore
index 4fbbe61..0cebe52 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,9 @@ logs *.log +# Secrets +.env + # Editor directories and files .vscode/* !.vscode/extensions.json
diff --git a/ansible/.env.example b/ansible/.env.sample
similarity index 100%
rename from ansible/.env.example
rename to ansible/.env.sample
diff --git a/flux/clusters/base/apps.yaml b/flux/clusters/base/apps.yaml
index bbb9c19..22eeebe 100644
--- a/flux/clusters/base/apps.yaml
+++ b/flux/clusters/base/apps.yaml
@@ -12,6 +12,6 @@ spec:
 path: ./flux/apps
 prune: true
 dependsOn:
- - name: infra-data
+ - name: infra-data-post
 - name: infra-net
 - name: infra-gitops
diff --git a/flux/clusters/base/infra-data.yaml b/flux/clusters/base/infra-data.yaml
index 31c8f10..faa93f5 100644
--- a/flux/clusters/base/infra-data.yaml
+++ b/flux/clusters/base/infra-data.yaml
@@ -15,3 +15,22 @@ spec:
 wait: true
 dependsOn:
 - name: infra-devops
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-data-post
+ namespace: infra-gitops
+spec:
+ interval: 30m
+ retryInterval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: flux
+ path: ./flux/infrastructure/infra-data/post
+ prune: true
+ force: true
+ wait: true
+ dependsOn:
+ - name: infra-data
diff --git a/flux/clusters/base/infra-devops.yaml b/flux/clusters/base/infra-devops.yaml
index 5c348b3..6089ef9 100644
--- a/flux/clusters/base/infra-devops.yaml
+++ b/flux/clusters/base/infra-devops.yaml
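Review bot: The sample never says how its values reach the cluster, so a reader has to find `flux/clusters/base/secrets.yaml` to learn that this file becomes the `flux-env` Secret; add a header such as `# Copy to .env (git-ignored) and load with: kubectl create secret generic flux-env -n infra-gitops --from-env-file=.env`. Every value is the literal `placeholder` and nothing downstream validates the substituted text, so a `.env` copied without editing yields Secrets that contain the word `placeholder` and fail only when cert-manager, velero or the runner first use them. Keep the key names here in step with the `${…}` references under `flux/infrastructure/secrets/`, since a key missing from `flux-env` is, as far as I can tell, not reported at this layer.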
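Review bot: `force: true` on the new `infra-data-post` Kustomization is a data-loss risk, because the path it reconciles now holds the CNPG `Cluster` manifests this commit moves out of `infra-data`. With `force`, the kustomize-controller answers a server-side-apply failure on an immutable field by deleting and recreating the object, and recreating a CNPG `Cluster` presumably tears down its Postgres instances (whether the PVCs survive depends on operator and storage settings the diff does not show). The parent `infra-data` Kustomization shows only `wait: true` in the visible context, so the flag looks new to this layer; either drop it, since `prune: true` and `wait: true` are enough for an ordinary rollout, or keep it with a comment such as `# force: recreating the CNPG clusters on immutable-field changes is accepted here` so the consequence is on record.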
@@ -14,6 +14,7 @@ spec: wait: true dependsOn: - name: sources + - name: secrets --- apiVersion: kustomize.toolkit.fluxcd.io/v1
diff --git a/flux/clusters/base/infra-gitops.yaml b/flux/clusters/base/infra-gitops.yaml
index 7559fe2..52565b1 100644
--- a/flux/clusters/base/infra-gitops.yaml
+++ b/flux/clusters/base/infra-gitops.yaml
@@ -13,5 +13,5 @@ spec:
 prune: true
 wait: true
 dependsOn:
- - name: infra-data
+ - name: infra-data-post
 - name: infra-monitor
diff --git a/flux/clusters/base/infra-monitor.yaml b/flux/clusters/base/infra-monitor.yaml
index 738ff43..da3fe66 100644
--- a/flux/clusters/base/infra-monitor.yaml
+++ b/flux/clusters/base/infra-monitor.yaml
@@ -14,4 +14,4 @@ spec:
 force: true
 wait: true
 dependsOn:
- - name: infra-data
+ - name: infra-data-post
diff --git a/flux/clusters/base/kustomization.yaml b/flux/clusters/base/kustomization.yaml
index f4ef994..00a9802 100644
--- a/flux/clusters/base/kustomization.yaml
+++ b/flux/clusters/base/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - sources.yaml
+ - secrets.yaml
 - kube-system.yaml
 - infra-devops.yaml
 - infra-data.yaml
diff --git a/flux/clusters/base/secrets.yaml b/flux/clusters/base/secrets.yaml
new file mode 100644
index 0000000..e30274c
--- /dev/null
+++ b/flux/clusters/base/secrets.yaml
@@ -0,0 +1,22 @@
+# 密钥管理层 - 通过postBuild从flux-env Secret注入变量
+# 所有环境流程一致: kubectl create secret generic flux-env -n infra-gitops --from-env-file=.env
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: secrets
+ namespace: infra-gitops
+spec:
+ interval: 30m
+ retryInterval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: flux
+ path: ./flux/infrastructure/secrets
+ prune: false
+ wait: true
+ dependsOn:
+ - name: sources
+ postBuild:
+ substituteFrom:
+ - kind: Secret
+ name: flux-env
diff --git a/flux/clusters/dev-cm/kustomization.yaml b/flux/clusters/dev-cm/kustomization.yaml
index 228955a..f493dff 100644
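Review bot: `postBuild.substituteFrom` fails the reconciliation when `flux-env` is absent (the reference is not marked optional), which is the right failure mode, but nothing checks the Secret's contents: a key missing from `flux-env` is, depending on the controller's substitution mode, left as the literal `${…}` text or silently emptied, and the sample values are the word `placeholder`, so a mistyped or unedited `.env` yields Secrets that satisfy `wait: true` and break only in cert-manager, velero, CNPG or the runner. The header should say that the key set of `.env` must match the `${…}` references under `./flux/infrastructure/secrets`, and that rotating a credential means re-creating `flux-env` and then triggering a reconcile, because with `interval: 30m` the rendered Secrets otherwise lag the new value by up to half an hour. `prune: false` also deserves a one-line reason, since a Secret removed from Git stays in the cluster until deleted by hand. With `infra-devops` now depending on this Kustomization and the local cluster's `wait: false` patch deleted in the same commit, a cluster without `flux-env` stalls here instead of partially deploying; that is fail-closed and fine, but worth a comment so nobody "fixes" it.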
--- a/flux/clusters/dev-cm/kustomization.yaml
+++ b/flux/clusters/dev-cm/kustomization.yaml
@@ -11,6 +11,10 @@ patches:
 kind: Kustomization
 name: infra-data
 path: patches/infra-data.yaml
+ - target:
+ kind: Kustomization
+ name: infra-data-post
+ path: patches/infra-data-post.yaml
 - target:
 kind: Kustomization
 name: infra-net
diff --git a/flux/clusters/dev-cm/patches/infra-data-post.yaml b/flux/clusters/dev-cm/patches/infra-data-post.yaml
new file mode 100644
index 0000000..34bf557
--- /dev/null
+++ b/flux/clusters/dev-cm/patches/infra-data-post.yaml
@@ -0,0 +1,58 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-data-post
+spec:
+ patches:
+ - target:
+ kind: Cluster
+ name: cnpg17-cluster-hk
+ patch: |
+ apiVersion: postgresql.cnpg.io/v1
+ kind: Cluster
+ metadata:
+ name: cnpg17-cluster-hk
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: topology.kubernetes.io/region
+ operator: In
+ values:
+ - "cn-hk"
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - clawhk
+ - target:
+ kind: Cluster
+ name: cnpg17-cluster-sh
+ patch: |
+ apiVersion: postgresql.cnpg.io/v1
+ kind: Cluster
+ metadata:
+ name: cnpg17-cluster-sh
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: topology.kubernetes.io/region
+ operator: In
+ values:
+ - "cn-sh"
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - homea
diff --git a/flux/clusters/dev-cm/patches/infra-data.yaml b/flux/clusters/dev-cm/patches/infra-data.yaml
index 24047b9..b44719e 100644
--- a/flux/clusters/dev-cm/patches/infra-data.yaml
+++ b/flux/clusters/dev-cm/patches/infra-data.yaml
@@ -50,58 +50,6 @@ spec:
 - key: "node-role.kubernetes.io/control-plane"
 operator: "Exists"
 effect: "NoSchedule"
- - target:
- kind: Cluster
- name: cnpg17-cluster-hk
- patch: |
- apiVersion: postgresql.cnpg.io/v1
- kind: Cluster
- metadata:
- name: cnpg17-cluster-hk
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: topology.kubernetes.io/region
- operator: In
- values:
- - "cn-hk"
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 1
- preference:
- matchExpressions:
- - key: kubernetes.io/hostname
- operator: In
- values:
- - clawhk
- - target:
- kind: Cluster
- name: cnpg17-cluster-sh
- patch: |
- apiVersion: postgresql.cnpg.io/v1
- kind: Cluster
- metadata:
- name: cnpg17-cluster-sh
- spec:
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: topology.kubernetes.io/region
- operator: In
- values:
- - "cn-sh"
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 1
- preference:
- matchExpressions:
- - key: kubernetes.io/hostname
- operator: In
- values:
- - homea
 - target:
 kind: HelmRelease
 name: valkey-cluster-sh
diff --git a/flux/clusters/local/kustomization.yaml b/flux/clusters/local/kustomization.yaml
index 771eb27..27bb5cb 100644
--- a/flux/clusters/local/kustomization.yaml
+++ b/flux/clusters/local/kustomization.yaml
@@ -2,8 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../base
-patches:
- - target:
- kind: Kustomization
- name: infra-devops
- path: patches/infra-devops.yaml
diff --git a/flux/clusters/local/patches/infra-devops.yaml b/flux/clusters/local/patches/infra-devops.yaml
deleted file mode 100644
index 842d9fc..0000000
--- a/flux/clusters/local/patches/infra-devops.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: infra-devops
-spec:
- wait: false
diff --git a/flux/infrastructure/infra-data/kustomization.yaml b/flux/infrastructure/infra-data/kustomization.yaml
index 406c8aa..1f6c259 100644
--- a/flux/infrastructure/infra-data/kustomization.yaml
+++ b/flux/infrastructure/infra-data/kustomization.yaml
@@ -4,10 +4,4 @@ resources:
 - namespace.yaml
 - helmrelease-cloudnative-pg.yaml
 - helmrelease-barman-plugin.yaml
- - cnpg17-objectstore-hw.yaml
- - cnpg17-cluster-hk.yaml
- - cnpg17-cluster-sh.yaml
- - loadbalancer-hk.yaml
- - loadbalancer-sh.yaml
 - helmrelease-valkey-cluster.yaml
- - reflector-secret-annotations.yaml
diff --git a/flux/infrastructure/infra-data/cnpg17-cluster-hk.yaml b/flux/infrastructure/infra-data/post/cnpg17-cluster-hk.yaml
similarity index 100%
rename from flux/infrastructure/infra-data/cnpg17-cluster-hk.yaml
rename to flux/infrastructure/infra-data/post/cnpg17-cluster-hk.yaml
diff --git a/flux/infrastructure/infra-data/cnpg17-cluster-sh.yaml b/flux/infrastructure/infra-data/post/cnpg17-cluster-sh.yaml
similarity index 100%
rename from flux/infrastructure/infra-data/cnpg17-cluster-sh.yaml
rename to flux/infrastructure/infra-data/post/cnpg17-cluster-sh.yaml
diff --git a/flux/infrastructure/infra-data/cnpg17-objectstore-hw.yaml b/flux/infrastructure/infra-data/post/cnpg17-objectstore-hw.yaml
similarity index 100%
rename from flux/infrastructure/infra-data/cnpg17-objectstore-hw.yaml
rename to flux/infrastructure/infra-data/post/cnpg17-objectstore-hw.yaml
diff --git a/flux/infrastructure/infra-data/post/kustomization.yaml b/flux/infrastructure/infra-data/post/kustomization.yaml
new file mode 100644
index 0000000..34d2a97
--- /dev/null
+++ b/flux/infrastructure/infra-data/post/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - cnpg17-objectstore-hw.yaml
+ - cnpg17-cluster-hk.yaml
+ - cnpg17-cluster-sh.yaml
+ - loadbalancer-hk.yaml
+ - loadbalancer-sh.yaml
+ - reflector-secret-annotations.yaml
diff --git a/flux/infrastructure/infra-data/loadbalancer-hk.yaml b/flux/infrastructure/infra-data/post/loadbalancer-hk.yaml
similarity index 100%
rename from flux/infrastructure/infra-data/loadbalancer-hk.yaml
rename to flux/infrastructure/infra-data/post/loadbalancer-hk.yaml
diff --git a/flux/infrastructure/infra-data/loadbalancer-sh.yaml b/flux/infrastructure/infra-data/post/loadbalancer-sh.yaml
similarity index 100%
rename from flux/infrastructure/infra-data/loadbalancer-sh.yaml
rename to flux/infrastructure/infra-data/post/loadbalancer-sh.yaml
diff --git a/flux/infrastructure/infra-data/reflector-secret-annotations.yaml b/flux/infrastructure/infra-data/post/reflector-secret-annotations.yaml
similarity index 100%
rename from flux/infrastructure/infra-data/reflector-secret-annotations.yaml
rename to flux/infrastructure/infra-data/post/reflector-secret-annotations.yaml
diff --git a/flux/infrastructure/secrets/dnspod-secret.yaml b/flux/infrastructure/secrets/dnspod-secret.yaml
new file mode 100644
index 0000000..3c8f50e
--- /dev/null
+++ b/flux/infrastructure/secrets/dnspod-secret.yaml
@@ -0,0 +1,11 @@
+# cert-manager DNSPod webhook凭据
+# 变量来源: flux-env Secret (通过postBuild.substituteFrom注入)
+apiVersion: v1
+kind: Secret
+metadata:
+ name: dnspod-secret
+ namespace: infra-devops
+type: Opaque
+stringData:
+ secretId: "${DNSPOD_SECRET_ID}"
+ secretKey: "${DNSPOD_SECRET_KEY}"
diff --git a/flux/infrastructure/secrets/gitea-actions.yaml b/flux/infrastructure/secrets/gitea-actions.yaml
new file mode 100644
index 0000000..ada23fc
--- /dev/null
+++ b/flux/infrastructure/secrets/gitea-actions.yaml
@@ -0,0 +1,10 @@
+# Gitea Actions Runner Token
+# 变量来源: flux-env Secret (通过postBuild.substituteFrom注入)
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitea-actions
+ namespace: infra-gitops
+type: Opaque
+stringData:
+ token: "${GITEA_ACTIONS_TOKEN}"
diff --git a/flux/infrastructure/secrets/kustomization.yaml b/flux/infrastructure/secrets/kustomization.yaml
new file mode 100644
index 0000000..61a591e
--- /dev/null
+++ b/flux/infrastructure/secrets/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespaces.yaml
+ - s3-devcm-hw.yaml
+ - dnspod-secret.yaml
+ - gitea-actions.yaml
diff --git a/flux/infrastructure/secrets/namespaces.yaml b/flux/infrastructure/secrets/namespaces.yaml
new file mode 100644
index 0000000..cabd94d
--- /dev/null
+++ b/flux/infrastructure/secrets/namespaces.yaml
@@ -0,0 +1,16 @@
+# 确保密钥目标命名空间已存在
+# 与各infra层的namespace.yaml幂等
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: infra-devops
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: infra-data
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: infra-gitops
diff --git a/flux/infrastructure/secrets/s3-devcm-hw.yaml b/flux/infrastructure/secrets/s3-devcm-hw.yaml
new file mode 100644
index 0000000..f80a356
--- /dev/null
+++ b/flux/infrastructure/secrets/s3-devcm-hw.yaml
@@ -0,0 +1,23 @@
+# S3凭据 (华为云OBS)
+# 用途: velero备份 + CNPG barman WAL归档
+# 变量来源: flux-env Secret (通过postBuild.substituteFrom注入)
+apiVersion: v1
+kind: Secret
+metadata:
+ name: s3-devcm-hw
+ namespace: infra-devops
+type: Opaque
+stringData:
+ ACCESS_KEY_ID: "${S3_ACCESS_KEY_ID}"
+ ACCESS_SECRET_KEY: "${S3_ACCESS_SECRET_KEY}"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: s3-devcm-hw
+ namespace: infra-data
+type: Opaque
+stringData:
+ ACCESS_KEY_ID: "${S3_ACCESS_KEY_ID}"
+ ACCESS_SECRET_KEY: "${S3_ACCESS_SECRET_KEY}"
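Review bot: These three Namespaces are also declared by the infra layers (the header comment says as much), so two Flux Kustomizations apply the same object. Flux records ownership in the `kustomize.toolkit.fluxcd.io/name` and `kustomize.toolkit.fluxcd.io/namespace` labels and each apply overwrites them, so which Kustomization regards a Namespace as its own flips between `secrets` and the layer on every reconcile; I believe the garbage collector only prunes objects whose labels still match, so what happens when one side drops the manifest depends on which reconciled last. `prune: false` on `secrets` keeps this side harmless, but give each Namespace a single owner: since `secrets` runs before the layers and must see the Namespaces exist, the simplest is to keep them here and remove them from the layer-level `namespace.yaml` files. Whichever way you go, replace `与各infra层的namespace.yaml幂等` with a comment naming the one owner.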
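Review bot: One OBS key pair is rendered into both `infra-devops` and `infra-data`, so read access to either namespace's Secrets (or to `flux-env`) exposes the credential behind both backup paths, and the header records no scope for the key. velero and the CNPG barman plugin typically write to different prefixes, so a separate access key per consumer, each bound to a bucket policy limited to its prefix, would keep one compromised workload from reaching the other's backups; that means a second variable pair in `.env.sample` named by the consumer rather than a second copy of `S3_ACCESS_KEY_ID`. If the two copies stay, add `# both copies must be rotated together` under the `用途` line, and check whether `reflector-secret-annotations.yaml` in `infra-data/post` already mirrors this Secret across namespaces, in which case one of the two documents here is redundant.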