test: flux local cluster setup with infra-devops post

rohow
2026-03-25 12:08:55 +08:00
父节点 cddcd02d1b
当前提交 eb32e5755d
修改 94 个文件,包含 1567 行新增1023 行删除
@@ -0,0 +1,195 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: ingress-nginx
namespace: infra-net
spec:
interval: 30m
chart:
spec:
chart: ingress-nginx
version: 4.13.2
sourceRef:
kind: HelmRepository
name: ingress-nginx
namespace: infra-gitops
interval: 12h
values:
fullnameOverride: ingress-nginx
controller:
image:
registry: docker.io
image: crowdsecurity/controller
tag: v1.13.2
digest: sha256:4575be24781cad35f8e58437db6a3f492df2a3167fed2b6759a6ff0dc3488d56
labels:
devcm-log-collecting/enabled: "true"
kind: DaemonSet
hostNetwork: true
hostPort:
enabled: true
service:
enabled: false
publishService:
enabled: false
# 禁用默认的注解验证以防止冲突
enableAnnotationValidations: false
config:
use-forwarded-headers: "true"
enable-real-ip: "true"
forwarded-for-header: "X-Dev-Cm-Real-IP"
proxy-real-ip-cidr: "0.0.0.0/0"
allow-snippet-annotations: "true"
annotations-risk-level: Critical
# 启用http2
use-http2: "true"
# http to https重定向
ssl-redirect: "true"
# 自定义错误页面
custom-http-errors: "403,404,502,503"
# 全局限速配置
limit-req-status-code: "429"
limit-conn-status-code: "429"
http-snippet: |
# lua插件配置
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
# 缓存配置
proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=cache:2m max_size=100m inactive=7d use_temp_path=off;
proxy_cache_key $uri$is_args$args;
proxy_cache_lock on;
proxy_cache_use_stale updating;
# 全局限速配置
limit_req_zone $binary_remote_addr zone=global_limit:20m rate=20r/s;
limit_req zone=global_limit burst=50 nodelay;
server-snippet: |
# dns配置 配置在http块下会出现重复配置 所以配置在server块下
resolver 169.254.20.10 10.43.0.10 ipv6=off;
# 代理全局静态资源 可提供serviceWorker的支持
location ^~ /__static/ {
proxy_pass http://ingress-nginx-defaultbackend.infra-net.svc.cluster.local/static/;
proxy_set_header Host $host;
add_header Service-Worker-Allowed "/";
}
# 启用geoip2模块
use-geoip: "false"
use-geoip2: "true"
# 日志配置
log-format-escape-json: "true"
log-format-upstream: '{
"msec": "$msec",
"connection": "$connection",
"connection_requests": "$connection_requests",
"pid": "$pid",
"request_id": "$request_id",
"request_length": "$request_length",
"remote_addr": "$remote_addr",
"remote_user": "$remote_user",
"remote_port": "$remote_port",
"time_local": "$time_local",
"time_iso8601": "$time_iso8601",
"request": "$request",
"request_uri": "$request_uri",
"args": "$args",
"status": "$status",
"body_bytes_sent": "$body_bytes_sent",
"bytes_sent": "$bytes_sent",
"http_referer": "$http_referer",
"http_user_agent": "$http_user_agent",
"http_x_forwarded_for": "$http_x_forwarded_for",
"http_host": "$http_host",
"http_upgrade": "$http_upgrade",
"server_name": "$server_name",
"request_time": "$request_time",
"upstream": "$upstream_addr",
"upstream_connect_time": "$upstream_connect_time",
"upstream_header_time": "$upstream_header_time",
"upstream_response_time": "$upstream_response_time",
"upstream_response_length": "$upstream_response_length",
"upstream_cache_status": "$upstream_cache_status",
"ssl_protocol": "$ssl_protocol",
"ssl_cipher": "$ssl_cipher",
"scheme": "$scheme",
"request_method": "$request_method",
"server_protocol": "$server_protocol",
"pipe": "$pipe",
"gzip_ratio": "$gzip_ratio",
"http_cf_ray": "$http_cf_ray",
"geoip_country_code": "$geoip2_city_country_code",
"geoip_city": "$geoip2_city",
"geoip_org": "$geoip2_org",
"geoip_longitude": "$geoip2_longitude",
"geoip_latitude": "$geoip2_latitude",
"level": "info"
}'
# crowdsec插件配置
plugins: "crowdsec"
lua-shared-dicts: "crowdsec_cache: 50m"
# 启用geoip2模块
maxmindLicenseKey: ""
extraArgs:
default-ssl-certificate: "infra-net/dev-cm-crt"
# crowdsec插件配置
extraInitContainers:
- name: init-clone-crowdsec-bouncer
image: crowdsecurity/lua-bouncer-plugin:v1.1.2
imagePullPolicy: IfNotPresent
env:
- name: SHELL
value: "/bin/sh"
- name: API_URL
value: "http://crowdsec-service.infra-net.svc.cluster.local:8080"
- name: API_KEY
value: "ImxBThnyiNm224V5DHYPY63KPAcyJ+WF0rm18Gr4M80"
- name: BOUNCER_CONFIG
value: "/crowdsec/crowdsec-bouncer.conf"
- name: MODE
value: "live"
- name: CACHE_EXPIRATION
value: "3"
- name: UPDATE_FREQUENCY
value: "10"
- name: REQUEST_TIMEOUT
value: "1000"
- name: CAPTCHA_PROVIDER
value: "turnstile"
- name: SITE_KEY
value: "0x4AAAAAAAxJ2RPNWzn2LCc-"
- name: SECRET_KEY
value: "0x4AAAAAAAxJ2dwFOaNg5ae3c6wYTmWH0bU"
- name: CAPTCHA_TEMPLATE_PATH
value: /etc/nginx/static/captcha.html
command: ['/bin/sh', '-c']
args: ['sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/']
volumeMounts:
- name: crowdsec-bouncer-plugin
mountPath: /lua_plugins
extraVolumes:
- name: crowdsec-bouncer-plugin
emptyDir: {}
- name: static
configMap:
name: static
extraVolumeMounts:
- name: crowdsec-bouncer-plugin
mountPath: /etc/nginx/lua/plugins/crowdsec
subPath: crowdsec
- name: static
mountPath: /etc/nginx/static
defaultBackend:
enabled: true
image:
registry: docker.io
image: devcm/default-backend
tag: v0.2.0
autoscaling:
enabled: true
minReplicas: 1
maxReplicas: 3
targetCPUUtilizationPercentage: 80
extraVolumes:
- name: static
configMap:
name: static
extraVolumeMounts:
- name: static
mountPath: /app/static
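Review bot: The CrowdSec bouncer `API_KEY` and the Turnstile `SECRET_KEY` in the `init-clone-crowdsec-bouncer` env list are committed as plaintext `value:` entries, so they now live in git history for anyone with repository read access; they should be treated as exposed and rotated, and the manifest should pull them from a Kubernetes Secret via `valueFrom.secretKeyRef` (or Flux `valuesFrom` / SOPS-encrypted values) rather than inline literals. `SITE_KEY` is public by design, but keeping the pair in the same Secret avoids drift. Separately, `proxy-real-ip-cidr: "0.0.0.0/0"` combined with `use-forwarded-headers: "true"` and `enable-real-ip: "true"` makes nginx accept `X-Dev-Cm-Real-IP` from any peer as the client address, so the `limit_req_zone $binary_remote_addr` rate limit and, most likely, the CrowdSec per-IP decisions can be sidestepped by a client that sets that header itself; restrict the CIDR to the proxy ranges that actually front this controller (the `$http_cf_ray` log field suggests Cloudflare) or drop the override. `allow-snippet-annotations: "true"` with `annotations-risk-level: Critical` lets any Ingress author in any namespace inject arbitrary nginx configuration into this controller, and since the snippets needed here are already in `http-snippet`/`server-snippet`, consider lowering the risk level unless a specific Ingress requires it.
```yaml
# … unchanged: init container name, image, and the other env entries …
- name: API_KEY
  valueFrom:
    secretKeyRef:
      name: crowdsec-bouncer-credentials  # placeholder: Secret holding the rotated keys
      key: api-key
- name: SECRET_KEY
  valueFrom:
    secretKeyRef:
      name: crowdsec-bouncer-credentials  # placeholder: same Secret as above
      key: turnstile-secret-key
# … unchanged: CAPTCHA_TEMPLATE_PATH, command, args, volumeMounts …
```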