dev.cm/k3s
1
0
派生 0
代码 议题 拉取请求 活动

比较提交

基准分支: dev.cm/k3s:cddcd02d1b30bf40298a1cc00dde1bae55db405d
分支列表 Git 标签列表
dev.cm/k3s:main dev.cm/k3s:feature-flux
...
比较: dev.cm/k3s:6d909cff34c38f31017d1ae81fd11c6e4444204b
分支列表 Git 标签列表
dev.cm/k3s:main dev.cm/k3s:feature-flux

5 次代码提交
cddcd02d1b ... 6d909cff34

修改 105 个文件,包含 1704 行新增1023 行删除
展开所有文件 折叠所有文件
.env.sample
+10
查看文件
@@ -0,0 +1,10 @@
# 华为云OBS S3凭据 (velero备份 + CNPG WAL归档)
S3_ACCESS_KEY_ID=placeholder
S3_ACCESS_SECRET_KEY=placeholder
# DNSPod API凭据 (cert-manager ACME DNS验证)
DNSPOD_SECRET_ID=placeholder
DNSPOD_SECRET_KEY=placeholder
# Gitea Actions Runner Token
GITEA_ACTIONS_TOKEN=placeholder
.gitignore
+3
查看文件
@@ -2,6 +2,9 @@
logs
*.log
# Secrets
.env
# Editor directories and files
.vscode/*
!.vscode/extensions.json
ansible/.env.example → ansible/.env.sample
查看文件
apps/README.md
-29
查看文件
@@ -1,29 +0,0 @@
### apps
集群服务helm部署的应用,包含一些基础服务和一些业务服务
### 调试集群内服务方法 运行此命令
```shell
kubectl run -i --tty --rm --restart=Never \
--overrides='{"apiVersion": "v1", "spec": {"nodeSelector": {"kubernetes.io/hostname": "homea"}}}' \
--image=nicolaka/netshoot:latest \
debug -- sh
```
### 密钥相关
可以将helm部署中使用到的密钥放到k8s的secret中
然后使用reflector将secret中的密钥同步到其他namespace中
```shell
kubectl -n infra-data create secret generic s3-devcm-hw \
--from-literal=ACCESS_KEY_ID=xxxxx \
--from-literal=ACCESS_SECRET_KEY=xxxxx
kubectl -n infra-data annotate secret s3-devcm-hw \
reflector.v1.k8s.emberstack.com/reflection-allowed=true \
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces=infra-devops,apps \
reflector.v1.k8s.emberstack.com/reflection-auto-enabled=true --overwrite
```
apps/infra/data/cloudnative-pg/helmchart-plugin-barman.yaml
-25
查看文件
@@ -1,25 +0,0 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: cloudnative-pg-plugin-barman
namespace: infra-data
spec:
repo: https://cloudnative-pg.github.io/charts
chart: plugin-barman-cloud
targetNamespace: infra-data
version: 0.5.0
valuesContent: |-
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
apps/infra/data/cloudnative-pg/helmchart.yaml
-25
查看文件
@@ -1,25 +0,0 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: cloudnative-pg
namespace: infra-data
spec:
repo: https://cloudnative-pg.github.io/charts
chart: cloudnative-pg
targetNamespace: infra-data
version: 0.27.1
valuesContent: |-
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
apps/infra/data/valkey-cluster/helmchart.yaml
-21
查看文件
@@ -1,21 +0,0 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: valkey-cluster-sh
namespace: infra-data
spec:
chart: oci://registry-1.docker.io/bitnamicharts/valkey-cluster
targetNamespace: infra-data
version: 3.0.23
valuesContent: |-
image:
repository: bitnamilegacy/valkey-cluster
cluster:
nodes: 1
replicas: 0
valkey:
nodeAffinityPreset:
type: hard
key: topology.kubernetes.io/region
values:
- cn-sh
apps/infra/devops/cert-manager/helmchart-dnspod.yaml
-29
查看文件
@@ -1,29 +0,0 @@
# 安装后需要将clusterIssuer的cnameStrategy策略设置为Follow
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: cert-manager-webhook-dnspod
namespace: infra-devops
spec:
chart: oci://registry-1.docker.io/imroc/cert-manager-webhook-dnspod
targetNamespace: infra-devops
version: 1.4.5
valuesContent: |-
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
image:
tag: "1.5.2"
namespace: infra-devops
certManager:
namespace: infra-devops
groupName: cert.dev.cm
# 此处关闭 选择手动创建 以支持cnameStrategy
clusterIssuer:
enabled: false
apps/infra/devops/cert-manager/helmchart.yaml
-51
查看文件
@@ -1,51 +0,0 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: cert-manager
namespace: infra-devops
spec:
repo: https://charts.jetstack.io
chart: cert-manager
targetNamespace: infra-devops
version: v1.19.3
valuesContent: |-
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
webhook:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
cainjector:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
crds:
enabled: true
keep: true
# 在删除证书时同时删除secret
enableCertificateOwnerRef: true
prometheus:
enabled: true
servicemonitor:
enabled: true
interval: 300s
prometheusInstance: kube-prometheus
apps/infra/devops/reflector/helmchart.yaml
-20
查看文件
@@ -1,20 +0,0 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: reflector
namespace: infra-devops
spec:
repo: https://emberstack.github.io/helm-charts
chart: reflector
targetNamespace: infra-devops
version: 9.1.45
valuesContent: |-
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
apps/infra/monitor/namespaces.yaml
-4
查看文件
@@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: infra-monitor
apps/infra/net/nginx/configmap-static-update.sh
-21
查看文件
@@ -1,21 +0,0 @@
#!/bin/bash
# 更新 ConfigMap 中的静态文件
cat > configmap-static.yaml << 'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
name: static
namespace: infra-net
data:
EOF
# 直接遍历 static 目录并追加到文件
for file in static/*; do
filename=$(basename "$file")
echo " $filename: |" >> configmap-static.yaml
sed 's/^/ /' "$file" >> configmap-static.yaml
echo "" >> configmap-static.yaml
done
echo "ConfigMap updated successfully!"
apps/infra/net/nginx/static/captcha.html
-302
查看文件
@@ -1,302 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta content="width=device-width,initial-scale=1,user-scalable=no,viewport-fit=cover" name="viewport">
<title>出于安全原因 请完成验证</title>
<script src="{{captcha_frontend_js}}" async defer></script>
<style>
* {
-webkit-box-sizing: border-box;
box-sizing: border-box
}
body {
padding: 0;
margin: 0
}
#error {
position: relative;
height: 100vh
}
#error .error {
position: absolute;
left: 50%;
top: 50%;
-webkit-transform: translate(-50%, -50%);
-ms-transform: translate(-50%, -50%);
transform: translate(-50%, -50%)
}
#error .error-bg {
position: absolute;
left: 0;
right: 0;
top: 0;
bottom: 0;
overflow: hidden
}
#error .error-bg > div {
position: absolute;
top: 0;
bottom: 0;
width: 1px;
background-color: #eee
}
#error .error-bg > div:nth-child(1) {
left: 20%
}
#error .error-bg > div:nth-child(2) {
left: 40%
}
#error .error-bg > div:nth-child(3) {
left: 60%
}
#error .error-bg > div:nth-child(4) {
left: 80%
}
#error .error-bg > div:after {
content: '';
position: absolute;
top: 0;
left: -.5px;
-webkit-transform: translateY(-160px);
-ms-transform: translateY(-160px);
transform: translateY(-160px);
height: 160px;
width: 2px;
background-color: #1cfafe
}
@-webkit-keyframes drop {
90% {
height: 20px
}
100% {
height: 160px;
-webkit-transform: translateY(calc(100vh + 160px));
transform: translateY(calc(100vh + 160px))
}
}
@keyframes drop {
90% {
height: 20px
}
100% {
height: 160px;
-webkit-transform: translateY(calc(100vh + 160px));
transform: translateY(calc(100vh + 160px))
}
}
#error .error-bg > div:nth-child(1):after {
-webkit-animation: drop 3s infinite linear;
animation: drop 3s infinite linear;
-webkit-animation-delay: .2s;
animation-delay: .2s
}
#error .error-bg > div:nth-child(2):after {
-webkit-animation: drop 2s infinite linear;
animation: drop 2s infinite linear;
-webkit-animation-delay: .7s;
animation-delay: .7s
}
#error .error-bg > div:nth-child(3):after {
-webkit-animation: drop 3s infinite linear;
animation: drop 3s infinite linear;
-webkit-animation-delay: .9s;
animation-delay: .9s
}
#error .error-bg > div:nth-child(4):after {
-webkit-animation: drop 2s infinite linear;
animation: drop 2s infinite linear;
-webkit-animation-delay: 1.2s;
animation-delay: 1.2s
}
.error {
max-width: 520px;
width: 100%;
padding: 20px;
text-align: center
}
.error .error-code {
height: 210px;
line-height: 210px
}
.error .error-code h1 {
font-family: oswald, sans-serif;
font-size: 80px;
font-weight: 700;
margin: 0;
text-shadow: 4px 4px 0 #1cfafe
}
.error h2 {
font-family: oswald, sans-serif;
font-size: 42px;
font-weight: 700;
margin: 0;
text-transform: uppercase;
letter-spacing: 1.6px
}
.error p {
font-family: lato, sans-serif;
color: #000;
font-weight: 400;
margin-top: 20px;
margin-bottom: 25px
}
.error a {
font-family: lato, sans-serif;
padding: 10px 30px;
display: inline-block;
color: #000;
font-weight: 400;
text-transform: uppercase;
-webkit-box-shadow: 0 0 0 2px #000, 2px 2px 0 2px #1cfafe;
box-shadow: 0 0 0 2px #000, 2px 2px 0 2px #1cfafe;
text-decoration: none;
-webkit-transition: .2s all;
transition: .2s all
}
.error a:not(:first-of-type) {
margin-left: 20px
}
.error a:hover {
background-color: #1cfafe;
-webkit-box-shadow: 0 0 0 0 #000, 0 0 0 2px #1cfafe;
box-shadow: 0 0 0 0 #000, 0 0 0 2px #1cfafe
}
.error-social > a {
width: 40px;
height: 40px;
line-height: 40px;
padding: 0;
margin: 0 5px
}
.error-social > a:hover {
background-color: #1cfafe;
-webkit-box-shadow: 0 0 0 0 #000, 0 0 0 2px #1cfafe;
box-shadow: 0 0 0 0 #000, 0 0 0 2px #1cfafe
}
#captcha-form {
position: relative;
width: 300px;
height: 65px;
overflow: hidden;
margin: 0 auto 30px;
background-color: #fff;
-webkit-box-shadow: 0 0 0 2px #000, 2px 2px 0 2px #1cfafe;
box-shadow: 0 0 0 2px #000, 2px 2px 0 2px #1cfafe;
}
.loading {
position: absolute;
top: 0;
left: 0;
z-index: 1;
display: flex;
justify-content: center;
align-items: center;
width: 100%;
height: 65px;
gap: 10px;
}
.loading:has(+ *) {
display: none;
}
.loading::before {
content: "";
width: 20px;
height: 20px;
border: 2px solid #000;
border-right-color: #1cfafe;
border-radius: 50%;
animation: spin 1s linear infinite;
}
#captcha {
position: relative;
z-index: 2;
}
@keyframes spin {
from {
transform: rotate(0deg);
}
to {
transform: rotate(360deg);
}
}
@media only screen and (max-width: 480px) {
.error .error-code {
height: 122px;
line-height: 122px
}
.error .error-code h1 {
font-size: 60px
}
.error h2 {
font-size: 26px
}
}
</style>
</head>
<body>
<div id="error">
<div class="error-bg">
<div></div>
<div></div>
<div></div>
<div></div>
</div>
<div class="error">
<div class="error-code">
<h1>FillCode</h1>
</div>
<h2>请完成验证</h2>
<p>请完成下面验证, 页面将会自动跳转到访问页面。</p>
<form id="captcha-form" method="POST">
<div id="captcha" class="{{captcha_frontend_key}}" data-sitekey="{{captcha_site_key}}"
data-callback="captchaCallback" data-size="flexible"></div>
<div class="loading">验证码加载中, 请稍等...</div>
</form>
<a href="mailto:admin@dev.cm">联系我们</a>
</div>
</div>
<script>
function captchaCallback() {
setTimeout(() => document.querySelector('#captcha-form').submit(), 500)
}
</script>
</body>
</html>
apps/infra/net/nginx/static/pwa-cdn.js
-59
查看文件
@@ -1,59 +0,0 @@
'use strict'
// 配置
const pwaCdnConfig = {
cdnUrl: 'https://cdn.fillcode.com/',
serviceWorkerUrl: '/__static/sw-cdn.js',
staticRegex: /\.(js|css|png|jpg|jpeg|gif|svg|webp|woff|woff2|ttf|ico)$/,
debug: false,
}
/**
* PWA 初始化函数
*/
async function initializePWA() {
// 检查支持
if (!('serviceWorker' in navigator)) return console.log('PWA-CDN: Service Worker not supported')
let registration;
try {
// 注册Service Worker - 使用相对路径
registration = await navigator.serviceWorker.register(pwaCdnConfig.serviceWorkerUrl, {scope: '/'})
console.log('PWA-CDN: Service Worker registered')
} catch (error) {
console.error('PWA-CDN: Failed to register Service Worker:', error)
}
// 发送初始配置
const sendConfig = () => {
registration.active.postMessage({type: 'CONFIG', config: pwaCdnConfig})
}
// 如果注册失败,直接返回错误
if(!registration) return console.error('PWA-CDN: Service Worker registration failed, cannot send config')
// 更新配置函数
window.updatePWACDNConfig = (newConfig) => {
Object.assign(pwaCdnConfig, newConfig)
sendConfig()
}
// 等待Service Worker激活后发送配置
if (registration.active) sendConfig()
// 监听Service Worker更新事件
registration.addEventListener('updatefound', () => {
const newWorker = registration.installing
newWorker.addEventListener('statechange', () => {
if (newWorker.state === 'activated') sendConfig()
})
})
}
/**
* 启动 PWA-CDN
* */
initializePWA().catch(console.error)
apps/infra/net/nginx/static/sw-cdn.js
-88
查看文件
@@ -1,88 +0,0 @@
'use strict'
// Service Worker 配置 - 默认值
let config = {
cdnUrl: 'https://cdn.fillcode.com/',
serviceWorkerUrl: '/__static/sw-cdn.js',
staticRegex: /(.*\.(css|js|png|jpg|jpeg|gif|svg|webp|ico|woff|woff2|ttf|eot)|avatars[^/]+)$/,
debug: false,
}
// 监听配置更新消息
self.addEventListener('message', e => {
if (e.data.type !== 'CONFIG') return
config = e.data.config
if (config.debug) console.log('PWA-CDN: Config updated', config)
})
// 拦截网络请求
self.addEventListener('fetch', e => {
const url = new URL(e.request.url)
// 如果请求不是GET方法,直接返回
if (e.request.method !== 'GET') return
// 如果请求的域名不是当前页面的域名
if (url.origin !== self.location.origin) return
// 过滤__static路径下的请求
if (url.pathname.startsWith('/__static/')) return
// 如果请求的路径不匹配静态资源正则表达式,直接返回
if (!config.staticRegex.test(url.pathname)) return
// 判断是否是强制需要同源请求
const requiresSameOrigin = ['worker', 'sharedworker', 'serviceworker'].includes(e.request.destination)
// 如果是强制需要同源请求的资源类型,直接返回
if (requiresSameOrigin) return
// 开始处理静态资源请求
e.respondWith(handleStaticResource(e.request, url))
})
// 处理静态资源请求
async function handleStaticResource(request, url) {
// 生成CDN子路径
const hostname = self.location.hostname
const cdnPath = hostname.replace(/\./g, '-')
const targetUrl = config.cdnUrl + cdnPath + url.pathname + url.search
if (config.debug) console.log('PWA-CDN:', url.href, '->', targetUrl)
try {
// 创建新请求
const newRequest = new Request(targetUrl, {
...request,
mode: 'cors',
redirect: 'error',
})
// 请求目标域名,浏览器会自动处理缓存
const response = await fetch(newRequest)
// 检查响应状态
if (!response.ok) throw new Error('PWA-CDN: Non-2xx response detected')
return response
} catch (error) {
if (config.debug) console.warn('PWA-CDN: Fallback to original request for', url.href, error)
// 失败时回退到原始请求
return fetch(request)
}
}
// Service Worker 生命周期
self.addEventListener('install', () => {
if (config.debug) console.log('PWA-CDN: Service Worker installing')
self.skipWaiting().catch(console.error)
})
self.addEventListener('activate', () => {
if (config.debug) console.log('PWA-CDN: Service Worker activated')
self.clients.claim().catch(console.error)
})
apps/kube/README.md
-4
查看文件
@@ -1,4 +0,0 @@
### path core中服务的节点亲和性 使他们只运行在master节点上
```shell
kubectl patch -n kube-system deployment coredns --patch-file=apps/kube/patch-affinity.yaml
```
apps/kube/patch-affinity.yaml
-12
查看文件
@@ -1,12 +0,0 @@
spec:
template:
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: In
values:
- "true"
flux/README.md
+230
查看文件
@@ -0,0 +1,230 @@
# Flux GitOps 迁移指南
补充一份面向本地演练和远端平滑切换的执行清单,见 [TEST_MIGRATION_PLAN.md](TEST_MIGRATION_PLAN.md)。
## 目录结构
```
flux/
├── clusters/
│ └── dev-cm/ # 集群级别编排
│ ├── kustomization.yaml # 资源列表
│ ├── sources.yaml # HelmRepository 源
│ ├── kube-system.yaml # CoreDNS / NodeLocalDNS
│ ├── infra-devops.yaml # cert-manager / reflector / velero
│ ├── infra-data.yaml # CNPG / Valkey
│ ├── infra-monitor.yaml # Loki / Prometheus
│ ├── infra-net.yaml # Nginx / CrowdSec / Tailscale
│ ├── infra-gitops.yaml # Gitea
│ └── apps.yaml # Halo / RustDesk / Fillcode / SinceAI
├── infrastructure/
│ ├── sources/ # 所有 HelmRepository 定义
│ ├── kube-system/ # CoreDNS 自定义 + NodeLocalDNS
│ ├── infra-devops/ # cert-manager, webhook-dnspod, reflector, velero
│ ├── infra-data/ # CNPG operator, Barman, PG集群, Valkey
│ ├── infra-net/ # ingress-nginx, CrowdSec, Tailscale DERP, 证书
│ ├── infra-monitor/ # Loki, Promtail, Prometheus+Grafana
│ └── infra-gitops/ # Gitea, Gitea Actions
└── apps/ # Halo, RustDesk, Whoami, 证书, Ingress
```
## 依赖顺序
```
sources (HelmRepository)
├── kube-system (无依赖)
└── infra-devops (cert-manager → webhook-dnspod → ClusterIssuer, reflector, velero)
├── infra-data (CNPG operator → Barman plugin → PG集群 + ObjectStore, Valkey)
│ │
│ ├── infra-monitor (Loki → Promtail, Prometheus+Grafana→PG)
│ │ │
│ │ ├── infra-net (Nginx, 证书, CrowdSec→Loki+PG, Tailscale)
│ │ │
│ │ └── infra-gitops (Gitea→PG+Valkey, Gitea Actions→Gitea)
│ │
│ └───────┴── apps (Halo→PG, RustDesk, Whoami, 证书, Ingress)
```
## K3s 保留项
以下资源**继续由 K3s HelmChart 管理**,不迁移到 Flux
- `k3s/apps/infra/gitops/namespaces.yaml` — infra-gitops 命名空间
- `k3s/apps/infra/gitops/flux/helmchart.yaml` — flux-operator HelmChart
- `k3s/apps/infra/gitops/flux/flux-instance.yaml` — FluxInstance (含 sync 配置)
- `k3s/apps/infra/gitops/flux/networkpolicy.yaml` — flux-operator NetworkPolicy
- `k3s/apps/infra/gitops/flux/clusterrolebinding.yaml` — flux-web RBAC
## 迁移步骤
### 1. 创建 Git 认证 Secret
Flux 需要 HTTPS 凭据来访问 Gitea 仓库。在集群中创建 Secret:
```bash
kubectl -n infra-gitops create secret generic flux-git-auth \
--from-literal=username=<GITEA_USERNAME> \
--from-literal=password=<GITEA_ACCESS_TOKEN>
```
### 2. 确认仓库 URL
检查 `k3s/apps/infra/gitops/flux/flux-instance.yaml` 中的 `sync.url` 字段,确保指向正确的 deploy 仓库地址。当前设置为:
```yaml
sync:
url: https://git.dev.cm/devcm/deploy.git
```
如果组织名或仓库名不同,请修改。
### 3. 提交并推送 Flux 清单
```bash
git add flux/
git add k3s/apps/infra/gitops/flux/flux-instance.yaml
git commit -m "feat: 迁移到 Flux GitOps 管理"
git push origin main
```
### 4. 应用更新后的 FluxInstance
FluxInstance 的 sync 配置更新后,K3s 会自动检测变更并重新应用。也可以手动触发:
```bash
kubectl apply -f k3s/apps/infra/gitops/flux/flux-instance.yaml
```
这会让 flux-operator 创建:
- `GitRepository/flux` — 监听 deploy 仓库
- `Kustomization/flux` — 应用 `flux/clusters/dev-cm/` 路径下的所有资源
### 5. 等待 Flux 完成同步
```bash
# 查看 GitRepository 状态
kubectl -n infra-gitops get gitrepository flux
# 查看所有 Kustomization 状态
kubectl -n infra-gitops get kustomization
# 查看所有 HelmRelease 状态
kubectl get helmrelease -A
# 实时查看 Flux 事件
kubectl -n infra-gitops get events --sort-by='.lastTimestamp' --watch
```
等待所有 Kustomization 和 HelmRelease 状态变为 `Ready`
### 6. 验证资源被 Flux 接管
对于每个已有的 Helm Release,Flux 会检测到已存在的资源并进行接管(adopt)。验证:
```bash
# 检查所有 HelmRelease 是否就绪
kubectl get helmrelease -A -o wide
# 检查某个具体的 release
kubectl -n infra-devops describe helmrelease cert-manager
```
### 7. 清理旧的 K3s HelmChart 资源
确认 Flux 已成功接管所有资源后,删除旧的 K3s HelmChart CR(不会影响已部署的应用):
```bash
# 列出所有 K3s HelmChart
kubectl get helmchart -A
# 逐个删除(保留 flux-operator
kubectl delete helmchart -n infra-devops cert-manager
kubectl delete helmchart -n infra-devops cert-manager-webhook-dnspod
kubectl delete helmchart -n infra-devops reflector
kubectl delete helmchart -n infra-devops velero
kubectl delete helmchart -n infra-data cloudnative-pg
kubectl delete helmchart -n infra-data cloudnative-pg-plugin-barman
kubectl delete helmchart -n infra-data valkey-cluster-sh
kubectl delete helmchart -n infra-net ingress-nginx
kubectl delete helmchart -n infra-net crowdsec
kubectl delete helmchart -n infra-net tailscale-derp-hk
kubectl delete helmchart -n infra-monitor loki
kubectl delete helmchart -n infra-monitor loki-promtail
kubectl delete helmchart -n infra-monitor prometheus
kubectl delete helmchart -n infra-gitops gitea
kubectl delete helmchart -n infra-gitops gitea-actions
kubectl delete helmchart -n apps fillcode-whoami
kubectl delete helmchart -n apps halo
kubectl delete helmchart -n apps rustdesk
```
> **注意**: K3s HelmChart 使用 `helm.cattle.io/v1` API。删除 HelmChart CR 默认**不会**卸载已部署的 Helm release。Flux 的 HelmRelease 会接管这些 release 的后续管理。
### 8. 清理旧的 K3s 清单文件
确认一切正常后,可以移除 `k3s/apps/` 中已迁移到 Flux 的文件(保留 flux 相关的):
```bash
# 保留以下文件(K3s 继续管理):
# k3s/apps/infra/gitops/namespaces.yaml
# k3s/apps/infra/gitops/flux/
# 其余文件可以删除或归档
```
## 资源映射表
| 原 K3s HelmChart | Flux HelmRelease | 命名空间 |
| ---------------------------- | ---------------------------- | ------------- |
| cert-manager | cert-manager | infra-devops |
| cert-manager-webhook-dnspod | cert-manager-webhook-dnspod | infra-devops |
| reflector | reflector | infra-devops |
| velero | velero | infra-devops |
| cloudnative-pg | cloudnative-pg | infra-data |
| cloudnative-pg-plugin-barman | cloudnative-pg-plugin-barman | infra-data |
| valkey-cluster-sh | valkey-cluster-sh | infra-data |
| ingress-nginx | ingress-nginx | infra-net |
| crowdsec | crowdsec | infra-net |
| tailscale-derp-hk | tailscale-derp-hk | infra-net |
| loki | loki | infra-monitor |
| loki-promtail | loki-promtail | infra-monitor |
| prometheus | prometheus | infra-monitor |
| gitea | gitea | infra-gitops |
| gitea-actions | gitea-actions | infra-gitops |
| fillcode-whoami | fillcode-whoami | apps |
| halo | halo | apps |
| rustdesk | rustdesk | apps |
## HelmRelease 内依赖关系
| HelmRelease | dependsOn |
| ---------------------------- | ------------------------------ |
| cert-manager-webhook-dnspod | cert-manager |
| cloudnative-pg-plugin-barman | cloudnative-pg |
| loki-promtail | loki |
| crowdsec | ingress-nginx, loki (cross-ns) |
| gitea-actions | gitea |
## 注意事项
1. **Helm Release 接管**: Flux 默认会检测与 HelmRelease 同名的已存在 Helm release。如果名称不匹配,需要在 `spec.releaseName` 中指定原始名称。
2. **CRD 管理**: cert-manager 和 kube-prometheus-stack 的 HelmRelease 配置了 `install.crds: CreateReplace``upgrade.crds: CreateReplace` 以确保 CRD 被正确管理。
3. **跨命名空间引用**: 所有 HelmRepository 位于 `infra-gitops` 命名空间。HelmRelease 通过 `sourceRef.namespace: infra-gitops` 跨命名空间引用。FluxInstance 配置为单租户模式 (`multitenant: false`),允许此行为。
4. **kube-system 资源**: `prune: false` 用于 kube-system Kustomization,防止 Flux 意外删除系统资源。
5. **Velero CRD**: Velero HelmRelease 保持 `upgradeCRDs: false`,与原始配置一致。
6. **敏感信息**: 以下 Secret 需要手动维护(不在 Git 中管理):
- `flux-git-auth` (Gitea 访问令牌)
- `dnspod-secret` (DNSPod API 凭据)
- `s3-devcm-hw` (华为云 OBS 凭据)
- `cnpg17-cluster-*-app` (PostgreSQL 密码, 由 CNPG 自动管理)
- `valkey-cluster-sh` (Valkey 密码)
- `gitea-actions` (Gitea Actions runner token)
apps/apps/fillcode/certificate-fillcode-com.yaml → flux/apps/certificate-fillcode-com.yaml
查看文件
apps/apps/sinceai/certificate-sinceai-com.yaml → flux/apps/certificate-sinceai-com.yaml
查看文件
apps/apps/halo/helmchart.yaml → flux/apps/helmrelease-halo.yaml
+13 -21
查看文件
@@ -1,25 +1,20 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: halo
namespace: apps
spec:
repo: https://halo-sigs.github.io/charts/
chart: halo
targetNamespace: apps
version: 1.3.2
valuesContent: |-
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
cnpg.io/cluster: cnpg17-cluster-hk
role: primary
topologyKey: kubernetes.io/hostname
namespaceSelector: {}
interval: 30m
chart:
spec:
chart: halo
version: 1.3.2
sourceRef:
kind: HelmRepository
name: halo
namespace: infra-gitops
interval: 12h
values:
image:
repository: halohub/halo-pro
tag: 2.23.1
@@ -60,6 +55,3 @@ spec:
existingSecret: cnpg17-cluster-hk-app
haloUsername: rohow
haloExternalUrl: https://dev.cm
apps/apps/rustdesk/helmchart.yaml → flux/apps/helmrelease-rustdesk.yaml
+13 -10
查看文件
@@ -1,17 +1,20 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: rustdesk
namespace: apps
spec:
repo: https://devcm-repo.github.io/helm-charts
chart: rustdesk-server
targetNamespace: apps
version: 0.0.7
valuesContent: |-
nodeSelector:
kubernetes.io/hostname: tcd
interval: 30m
chart:
spec:
chart: rustdesk-server
version: 0.0.7
sourceRef:
kind: HelmRepository
name: devcm-repo
namespace: infra-gitops
interval: 12h
values:
rustdeskServer:
encryptedOnly: true
mustLogin: true
apps/apps/fillcode/helmchart-whoami.yaml → flux/apps/helmrelease-whoami.yaml
+13 -9
查看文件
@@ -1,14 +1,20 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: fillcode-whoami
namespace: apps
spec:
repo: https://cowboysysop.github.io/charts/
chart: whoami
targetNamespace: apps
version: 5.1.2
valuesContent: |-
interval: 30m
chart:
spec:
chart: whoami
version: 5.1.2
sourceRef:
kind: HelmRepository
name: cowboysysop
namespace: infra-gitops
interval: 12h
values:
ingress:
enabled: true
ingressClassName: nginx
@@ -20,5 +26,3 @@ spec:
- host: whoami.fillcode.com
paths:
- /
apps/apps/fillcode/ingress.yaml → flux/apps/ingress-fillcode.yaml
-2
查看文件
@@ -3,7 +3,6 @@ kind: Ingress
metadata:
name: fillcode
namespace: apps
annotations:
spec:
ingressClassName: nginx
rules:
@@ -21,4 +20,3 @@ spec:
- hosts:
- fillcode.com
secretName: fillcode-com-crt
apps/apps/halo/ingress-static.yaml → flux/apps/ingress-halo-static.yaml
查看文件
apps/apps/halo/ingress-www.yaml → flux/apps/ingress-halo-www.yaml
-1
查看文件
@@ -20,4 +20,3 @@ spec:
name: halo
port:
number: 80
apps/apps/sinceai/ingress-shop.yaml → flux/apps/ingress-sinceai-shop.yaml
-1
查看文件
@@ -24,4 +24,3 @@ spec:
- hosts:
- shop.sinceai.com
secretName: sinceai-com-crt
flux/apps/kustomization.yaml
+13
查看文件
@@ -0,0 +1,13 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- certificate-fillcode-com.yaml
- certificate-sinceai-com.yaml
- helmrelease-halo.yaml
- ingress-fillcode.yaml
- ingress-halo-www.yaml
- ingress-halo-static.yaml
- ingress-sinceai-shop.yaml
- helmrelease-whoami.yaml
- helmrelease-rustdesk.yaml
apps/apps/namespaces.yaml → flux/apps/namespace.yaml
查看文件
flux/clusters/base/apps.yaml
+17
查看文件
@@ -0,0 +1,17 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apps
namespace: infra-gitops
spec:
interval: 30m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/apps
prune: true
dependsOn:
- name: infra-data-post
- name: infra-net
- name: infra-gitops
flux/clusters/base/infra-data.yaml
+36
查看文件
@@ -0,0 +1,36 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-data
namespace: infra-gitops
spec:
interval: 30m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-data
prune: true
force: true
wait: true
dependsOn:
- name: infra-devops
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-data-post
namespace: infra-gitops
spec:
interval: 30m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-data/post
prune: true
force: true
wait: true
dependsOn:
- name: infra-data
flux/clusters/base/infra-devops.yaml
+36
查看文件
@@ -0,0 +1,36 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-devops
namespace: infra-gitops
spec:
interval: 30m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-devops
prune: true
wait: true
dependsOn:
- name: sources
- name: secrets
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-devops-post
namespace: infra-gitops
spec:
interval: 30m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-devops/post
prune: true
force: true
wait: true
dependsOn:
- name: infra-monitor
flux/clusters/base/infra-gitops.yaml
+17
查看文件
@@ -0,0 +1,17 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-gitops
namespace: infra-gitops
spec:
interval: 30m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-gitops
prune: true
wait: true
dependsOn:
- name: infra-data-post
- name: infra-monitor
flux/clusters/base/infra-monitor.yaml
+17
查看文件
@@ -0,0 +1,17 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-monitor
namespace: infra-gitops
spec:
interval: 30m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-monitor
prune: true
force: true
wait: true
dependsOn:
- name: infra-data-post
flux/clusters/base/infra-net.yaml
+19
查看文件
@@ -0,0 +1,19 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-net
namespace: infra-gitops
spec:
interval: 30m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-net
prune: true
wait: true
dependsOn:
- name: kube-system
- name: infra-devops
- name: infra-devops-post
- name: infra-monitor
flux/clusters/base/kube-system.yaml
+14
查看文件
@@ -0,0 +1,14 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: kube-system
namespace: infra-gitops
spec:
interval: 30m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/kube-system
prune: false
wait: true
flux/clusters/base/kustomization.yaml
+12
查看文件
@@ -0,0 +1,12 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- sources.yaml
- secrets.yaml
- kube-system.yaml
- infra-devops.yaml
- infra-data.yaml
- infra-net.yaml
- infra-monitor.yaml
- infra-gitops.yaml
- apps.yaml
flux/clusters/base/secrets.yaml
+22
查看文件
@@ -0,0 +1,22 @@
# 密钥管理层 - 通过postBuild从flux-env Secret注入变量
# 所有环境流程一致: kubectl create secret generic flux-env -n infra-gitops --from-env-file=.env
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: secrets
namespace: infra-gitops
spec:
interval: 30m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/secrets
prune: false
wait: true
dependsOn:
- name: sources
postBuild:
substituteFrom:
- kind: Secret
name: flux-env
flux/clusters/base/sources.yaml
+14
查看文件
@@ -0,0 +1,14 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: sources
namespace: infra-gitops
spec:
interval: 30m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/sources
prune: true
wait: true
flux/clusters/dev-cm/kustomization.yaml
+33
查看文件
@@ -0,0 +1,33 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
patches:
- target:
kind: Kustomization
name: infra-devops
path: patches/infra-devops.yaml
- target:
kind: Kustomization
name: infra-data
path: patches/infra-data.yaml
- target:
kind: Kustomization
name: infra-data-post
path: patches/infra-data-post.yaml
- target:
kind: Kustomization
name: infra-net
path: patches/infra-net.yaml
- target:
kind: Kustomization
name: infra-monitor
path: patches/infra-monitor.yaml
- target:
kind: Kustomization
name: infra-gitops
path: patches/infra-gitops.yaml
- target:
kind: Kustomization
name: apps
path: patches/apps.yaml
flux/clusters/dev-cm/patches/apps.yaml
+39
查看文件
@@ -0,0 +1,39 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apps
spec:
patches:
- target:
kind: HelmRelease
name: halo
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: halo
spec:
values:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
cnpg.io/cluster: cnpg17-cluster-hk
role: primary
topologyKey: kubernetes.io/hostname
namespaceSelector: {}
- target:
kind: HelmRelease
name: rustdesk
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: rustdesk
spec:
values:
nodeSelector:
kubernetes.io/hostname: tcd
flux/clusters/dev-cm/patches/infra-data-post.yaml
+58
查看文件
@@ -0,0 +1,58 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-data-post
spec:
patches:
- target:
kind: Cluster
name: cnpg17-cluster-hk
patch: |
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: cnpg17-cluster-hk
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-hk"
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- clawhk
- target:
kind: Cluster
name: cnpg17-cluster-sh
patch: |
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: cnpg17-cluster-sh
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homea
flux/clusters/dev-cm/patches/infra-data.yaml
+68
查看文件
@@ -0,0 +1,68 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-data
spec:
patches:
- target:
kind: HelmRelease
name: cloudnative-pg
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cloudnative-pg
spec:
values:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
- target:
kind: HelmRelease
name: cloudnative-pg-plugin-barman
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cloudnative-pg-plugin-barman
spec:
values:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
- target:
kind: HelmRelease
name: valkey-cluster-sh
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: valkey-cluster-sh
spec:
values:
valkey:
nodeAffinityPreset:
type: hard
key: topology.kubernetes.io/region
values:
- cn-sh
flux/clusters/dev-cm/patches/infra-devops.yaml
+124
查看文件
@@ -0,0 +1,124 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-devops
spec:
patches:
- target:
kind: HelmRelease
name: cert-manager
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
spec:
values:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
webhook:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
cainjector:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
- target:
kind: HelmRelease
name: cert-manager-webhook-dnspod
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager-webhook-dnspod
spec:
values:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
- target:
kind: HelmRelease
name: reflector
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: reflector
spec:
values:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
- target:
kind: HelmRelease
name: velero
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: velero
spec:
values:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homeb
nodeAgent:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: NotIn
values:
- "true"
- key: svccontroller.k3s.cattle.io/enablelb
operator: NotIn
values:
- "true"
flux/clusters/dev-cm/patches/infra-gitops.yaml
+51
查看文件
@@ -0,0 +1,51 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-gitops
spec:
patches:
- target:
kind: HelmRelease
name: gitea
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gitea
spec:
values:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
cnpg.io/cluster: cnpg17-cluster-sh
role: primary
app.kubernetes.io/name: redis
app.kubernetes.io/component: master
topologyKey: kubernetes.io/hostname
namespaceSelector: {}
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homea
- target:
kind: HelmRelease
name: gitea-actions
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gitea-actions
spec:
values:
statefulset:
nodeSelector:
dev-cm-runner/enabled: "true"
flux/clusters/dev-cm/patches/infra-monitor.yaml
+86
查看文件
@@ -0,0 +1,86 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-monitor
spec:
patches:
- target:
kind: HelmRelease
name: loki
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: loki
spec:
values:
lokiCanary:
nodeSelector:
svccontroller.k3s.cattle.io/enablelb: "true"
resultsCache:
nodeSelector:
kubernetes.io/hostname: tce
chunksCache:
nodeSelector:
kubernetes.io/hostname: tce
singleBinary:
nodeSelector:
kubernetes.io/hostname: tce
- target:
kind: HelmRelease
name: loki-promtail
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: loki-promtail
spec:
values:
nodeSelector:
svccontroller.k3s.cattle.io/enablelb: "true"
- target:
kind: HelmRelease
name: prometheus
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: prometheus
spec:
values:
prometheusOperator:
nodeSelector:
kubernetes.io/hostname: hwa
kube-state-metrics:
nodeSelector:
kubernetes.io/hostname: hwa
grafana:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
cnpg.io/cluster: cnpg17-cluster-sh
role: primary
topologyKey: kubernetes.io/hostname
namespaceSelector: {}
persistence:
storageClassName: local-path
prometheus:
prometheusSpec:
nodeSelector:
kubernetes.io/hostname: hwa
storageSpec:
volumeClaimTemplate:
spec:
storageClassName: local-path
alertmanager:
alertmanagerSpec:
nodeSelector:
kubernetes.io/hostname: hwa
storage:
volumeClaimTemplate:
spec:
storageClassName: local-path
flux/clusters/dev-cm/patches/infra-net.yaml
+95
查看文件
@@ -0,0 +1,95 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-net
spec:
patches:
- target:
kind: HelmRelease
name: ingress-nginx
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: ingress-nginx
spec:
values:
controller:
nodeSelector:
svccontroller.k3s.cattle.io/enablelb: "true"
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
dnsPolicy: "None"
dnsConfig:
nameservers:
- "169.254.20.10"
- "10.43.0.10"
maxmindLicenseKey: "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"
defaultBackend:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
- "cn-hk"
- target:
kind: HelmRelease
name: crowdsec
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: crowdsec
spec:
values:
agent:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: loki
topologyKey: kubernetes.io/hostname
namespaceSelector: {}
appsec:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- cn-hk
lapi:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- cn-hk
- target:
kind: HelmRelease
name: tailscale-derp-hk
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: tailscale-derp-hk
spec:
values:
nodeSelector:
kubernetes.io/hostname: tchk
flux/clusters/local/kustomization.yaml
+4
查看文件
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
apps/infra/gitops/flux/flux-instance.yaml → flux/flux-instance.yaml
+7
查看文件
@@ -22,6 +22,13 @@ spec:
storage:
class: "local-path"
size: "10Gi"
# Git 仓库同步配置 - 请将 url 替换为实际的 deploy 仓库地址
sync:
kind: GitRepository
url: https://git.dev.cm/devcm/deploy.git
ref: refs/heads/main
path: flux/clusters/dev-cm
pullSecret: flux-git-auth
kustomize:
patches:
- target:
flux/infrastructure/infra-data/helmrelease-barman-plugin.yaml
+18
查看文件
@@ -0,0 +1,18 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cloudnative-pg-plugin-barman
namespace: infra-data
spec:
interval: 30m
dependsOn:
- name: cloudnative-pg
chart:
spec:
chart: plugin-barman-cloud
version: 0.5.0
sourceRef:
kind: HelmRepository
name: cloudnative-pg
namespace: infra-gitops
interval: 12h
flux/infrastructure/infra-data/helmrelease-cloudnative-pg.yaml
+20
查看文件
@@ -0,0 +1,20 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cloudnative-pg
namespace: infra-data
spec:
interval: 30m
chart:
spec:
chart: cloudnative-pg
version: 0.27.1
sourceRef:
kind: HelmRepository
name: cloudnative-pg
namespace: infra-gitops
interval: 12h
install:
crds: CreateReplace
upgrade:
crds: CreateReplace
flux/infrastructure/infra-data/helmrelease-valkey-cluster.yaml
+22
查看文件
@@ -0,0 +1,22 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: valkey-cluster-sh
namespace: infra-data
spec:
interval: 30m
chart:
spec:
chart: valkey-cluster
version: 3.0.23
sourceRef:
kind: HelmRepository
name: bitnami
namespace: infra-gitops
interval: 12h
values:
image:
repository: bitnamilegacy/valkey-cluster
cluster:
nodes: 1
replicas: 0
flux/infrastructure/infra-data/kustomization.yaml
+7
查看文件
@@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- helmrelease-cloudnative-pg.yaml
- helmrelease-barman-plugin.yaml
- helmrelease-valkey-cluster.yaml
apps/infra/net/namespaces.yaml → flux/infrastructure/infra-data/namespace.yaml
+1 -1
查看文件
@@ -1,4 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: infra-net
name: infra-data
apps/infra/data/cloudnative-pg/cnpg17-cluster-hk.yaml → flux/infrastructure/infra-data/post/cnpg17-cluster-hk.yaml
-17
查看文件
@@ -4,23 +4,6 @@ metadata:
name: cnpg17-cluster-hk
namespace: infra-data
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-hk"
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- clawhk
imageName: ghcr.io/cloudnative-pg/postgresql:17.4
enableSuperuserAccess: true
enablePDB: false
apps/infra/data/cloudnative-pg/cnpg17-cluster-sh.yaml → flux/infrastructure/infra-data/post/cnpg17-cluster-sh.yaml
-17
查看文件
@@ -4,23 +4,6 @@ metadata:
name: cnpg17-cluster-sh
namespace: infra-data
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homea
imageName: ghcr.io/cloudnative-pg/postgresql:17.4
enableSuperuserAccess: true
enablePDB: false
apps/infra/data/cloudnative-pg/cnpg17-objectstore-hw.yaml → flux/infrastructure/infra-data/post/cnpg17-objectstore-hw.yaml
查看文件
flux/infrastructure/infra-data/post/kustomization.yaml
+9
查看文件
@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cnpg17-objectstore-hw.yaml
- cnpg17-cluster-hk.yaml
- cnpg17-cluster-sh.yaml
- loadbalancer-hk.yaml
- loadbalancer-sh.yaml
- reflector-secret-annotations.yaml
apps/infra/data/cloudnative-pg/loadbalancer-hk.yaml → flux/infrastructure/infra-data/post/loadbalancer-hk.yaml
查看文件
apps/infra/data/cloudnative-pg/loadbalancer-sh.yaml → flux/infrastructure/infra-data/post/loadbalancer-sh.yaml
查看文件
flux/infrastructure/infra-data/post/reflector-secret-annotations.yaml
+41
查看文件
@@ -0,0 +1,41 @@
# 给CNPG和Valkey自动生成的secrets添加Reflector注解
# 通过SSA force合并注解到已有secrets 使其自动复制到消费方命名空间
#
# cnpg17-cluster-hk-app → apps (halo), infra-net (crowdsec)
# cnpg17-cluster-sh-app → infra-gitops (gitea), infra-monitor (grafana)
# valkey-cluster-sh → infra-gitops (gitea)
apiVersion: v1
kind: Secret
metadata:
name: cnpg17-cluster-hk-app
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net"
---
apiVersion: v1
kind: Secret
metadata:
name: cnpg17-cluster-sh-app
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops,infra-monitor"
---
apiVersion: v1
kind: Secret
metadata:
name: valkey-cluster-sh
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops"
flux/infrastructure/infra-devops/helmrelease-cert-manager-webhook-dnspod.yaml
+29
查看文件
@@ -0,0 +1,29 @@
# 安装后需要将clusterIssuer的cnameStrategy策略设置为Follow
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager-webhook-dnspod
namespace: infra-devops
spec:
interval: 30m
dependsOn:
- name: cert-manager
chart:
spec:
chart: cert-manager-webhook-dnspod
version: 1.4.5
sourceRef:
kind: HelmRepository
name: imroc
namespace: infra-gitops
interval: 12h
values:
image:
tag: "1.5.2"
namespace: infra-devops
certManager:
namespace: infra-devops
groupName: cert.dev.cm
# 此处关闭 选择手动创建 以支持cnameStrategy
clusterIssuer:
enabled: false
flux/infrastructure/infra-devops/helmrelease-cert-manager.yaml
+31
查看文件
@@ -0,0 +1,31 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
namespace: infra-devops
spec:
interval: 30m
chart:
spec:
chart: cert-manager
version: v1.19.3
sourceRef:
kind: HelmRepository
name: jetstack
namespace: infra-gitops
interval: 12h
install:
crds: CreateReplace
upgrade:
crds: CreateReplace
# 首次install时servicemonitor=false(CRD尚不存在)
# infra-monitor层部署后通过SSA patch开启
values:
crds:
enabled: true
keep: true
enableCertificateOwnerRef: true
prometheus:
enabled: true
servicemonitor:
enabled: false
flux/infrastructure/infra-devops/helmrelease-reflector.yaml
+17
查看文件
@@ -0,0 +1,17 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: reflector
namespace: infra-devops
spec:
interval: 30m
chart:
spec:
chart: reflector
version: 9.1.45
sourceRef:
kind: HelmRepository
name: emberstack
namespace: infra-gitops
interval: 12h
values: {}
apps/infra/devops/velero/helmchart.yaml → flux/infrastructure/infra-devops/helmrelease-velero.yaml
+13 -38
查看文件
@@ -1,31 +1,20 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: velero
namespace: infra-devops
spec:
repo: https://vmware-tanzu.github.io/helm-charts
chart: velero
targetNamespace: infra-devops
version: 11.3.2
valuesContent: |-
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homeb
interval: 30m
chart:
spec:
chart: velero
version: 11.3.2
sourceRef:
kind: HelmRepository
name: vmware-tanzu
namespace: infra-gitops
interval: 12h
values:
# 此处暂时切换关闭upgradeCRDs操作 待官方修复后再开启
upgradeCRDs: false
deployNodeAgent: true
@@ -69,17 +58,3 @@ spec:
name: plugins
nodeAgent:
# 控制面板不启用 lb节点不启用
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: NotIn
values:
- "true"
- key: svccontroller.k3s.cattle.io/enablelb
operator: NotIn
values:
- "true"
flux/infrastructure/infra-devops/kustomization.yaml
+8
查看文件
@@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- helmrelease-cert-manager.yaml
- helmrelease-cert-manager-webhook-dnspod.yaml
- helmrelease-reflector.yaml
- helmrelease-velero.yaml
apps/infra/devops/namespaces.yaml → flux/infrastructure/infra-devops/namespace.yaml
查看文件
apps/infra/devops/cert-manager/clusterissuer-dnspod.yaml → flux/infrastructure/infra-devops/post/clusterissuer-dnspod.yaml
查看文件
flux/infrastructure/infra-devops/post/helmrelease-cert-manager-patch.yaml
+17
查看文件
@@ -0,0 +1,17 @@
# 在prometheus-stack部署后 通过SSA patch cert-manager开启ServiceMonitor
# cert-manager初始安装时servicemonitor.enabled=false(CRD尚不存在)
# infra-monitor层部署时CRD已就绪 此patch合并到已有HelmRelease
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
namespace: infra-devops
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
spec:
values:
prometheus:
servicemonitor:
enabled: true
interval: 300s
prometheusInstance: kube-prometheus
flux/infrastructure/infra-devops/post/kustomization.yaml
+5
查看文件
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- clusterissuer-dnspod.yaml
- helmrelease-cert-manager-patch.yaml
apps/infra/gitops/gitea/configmap-actions-dind.yaml → flux/infrastructure/infra-gitops/configmap-actions-dind.yaml
查看文件
apps/infra/gitops/gitea/configmap-templates.yaml → flux/infrastructure/infra-gitops/configmap-templates.yaml
查看文件
apps/infra/gitops/gitea/helmchart-actions.yaml → flux/infrastructure/infra-gitops/helmrelease-gitea-actions.yaml
+15 -14
查看文件
@@ -1,18 +1,24 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gitea-actions
namespace: infra-gitops
spec:
repo: https://dl.gitea.com/charts
chart: actions
targetNamespace: infra-gitops
version: 0.0.2
valuesContent: |-
interval: 30m
dependsOn:
- name: gitea
chart:
spec:
chart: actions
version: 0.0.2
sourceRef:
kind: HelmRepository
name: gitea
namespace: infra-gitops
interval: 12h
values:
enabled: true
statefulset:
nodeSelector:
dev-cm-runner/enabled: "true"
actRunner:
config: |
log:
@@ -39,8 +45,3 @@ spec:
giteaRootURL: http://gitea-http.infra-gitops.svc.cluster.local:3000
existingSecret: gitea-actions
existingSecretKey: token
apps/infra/gitops/gitea/helmchart.yaml → flux/infrastructure/infra-gitops/helmrelease-gitea.yaml
+13 -32
查看文件
@@ -1,36 +1,20 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gitea
namespace: infra-gitops
spec:
repo: https://dl.gitea.com/charts
chart: gitea
targetNamespace: infra-gitops
version: 12.5.0
valuesContent: |-
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
cnpg.io/cluster: cnpg17-cluster-sh
role: primary
app.kubernetes.io/name: redis
app.kubernetes.io/component: master
topologyKey: kubernetes.io/hostname
namespaceSelector: {}
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homea
interval: 30m
chart:
spec:
chart: gitea
version: 12.5.0
sourceRef:
kind: HelmRepository
name: gitea
namespace: infra-gitops
interval: 12h
values:
redis-cluster:
enabled: false
postgresql-ha:
@@ -125,6 +109,3 @@ spec:
- name: gitea-custom-templates-volume
subPath: extra_links.tmpl
mountPath: /data/gitea/templates/custom/extra_links.tmpl
apps/infra/gitops/gitea/ingress-static.yaml → flux/infrastructure/infra-gitops/ingress-static-gitea.yaml
查看文件
flux/infrastructure/infra-gitops/kustomization.yaml
+10
查看文件
@@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helmrelease-gitea.yaml
- helmrelease-gitea-actions.yaml
- configmap-templates.yaml
- configmap-actions-dind.yaml
- ingress-static-gitea.yaml
- loadbalancer-ssh.yaml
- networkpolicy-gitea.yaml
apps/infra/gitops/gitea/loadbalancer-ssh.yaml → flux/infrastructure/infra-gitops/loadbalancer-ssh.yaml
查看文件
apps/infra/gitops/gitea/networkpolicy.yaml → flux/infrastructure/infra-gitops/networkpolicy-gitea.yaml
查看文件
apps/infra/monitor/loki/helmchart-loki.yaml → flux/infrastructure/infra-monitor/helmrelease-loki.yaml
+21 -24
查看文件
@@ -1,32 +1,32 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: loki
namespace: infra-monitor
spec:
repo: https://grafana.github.io/helm-charts
chart: loki
targetNamespace: infra-monitor
version: 6.53.0
valuesContent: |-
interval: 30m
chart:
spec:
chart: loki
version: 6.53.0
sourceRef:
kind: HelmRepository
name: grafana
namespace: infra-gitops
interval: 12h
values:
deploymentMode: SingleBinary
gateway:
enabled: false
lokiCanary:
nodeSelector:
svccontroller.k3s.cattle.io/enablelb: "true"
extraArgs:
# 降低测试日志生成条数
- -interval=30s
- -labelname=service_name
- -labelvalue=loki-canary
resultsCache:
nodeSelector:
kubernetes.io/hostname: tce
allocatedMemory: 1024
chunksCache:
nodeSelector:
kubernetes.io/hostname: tce
allocatedMemory: 1024
loki:
auth_enabled: false
@@ -37,24 +37,21 @@ spec:
max_query_series: 10000
volume_enabled: true
storage:
type: 'filesystem'
type: "filesystem"
schemaConfig:
configs:
- from: "2024-01-01"
store: tsdb
index:
prefix: loki_index_
period: 24h
object_store: filesystem
schema: v13
- from: "2024-01-01"
store: tsdb
index:
prefix: loki_index_
period: 24h
object_store: filesystem
schema: v13
singleBinary:
replicas: 1
nodeSelector:
kubernetes.io/hostname: tce
read:
replicas: 0
backend:
replicas: 0
write:
replicas: 0
apps/infra/monitor/prometheus/helmchart.yaml → flux/infrastructure/infra-monitor/helmrelease-prometheus.yaml
+19 -31
查看文件
@@ -1,14 +1,24 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: prometheus
namespace: infra-monitor
spec:
repo: https://prometheus-community.github.io/helm-charts
chart: kube-prometheus-stack
targetNamespace: infra-monitor
version: 81.6.5
valuesContent: |-
interval: 30m
chart:
spec:
chart: kube-prometheus-stack
version: 81.6.5
sourceRef:
kind: HelmRepository
name: prometheus-community
namespace: infra-gitops
interval: 12h
install:
crds: CreateReplace
upgrade:
crds: CreateReplace
values:
kubeControllerManager:
enabled: false
kubeScheduler:
@@ -18,26 +28,11 @@ spec:
kubeEtcd:
enabled: false
prometheusOperator:
nodeSelector:
kubernetes.io/hostname: hwa
prometheusOperator: {}
kube-state-metrics:
nodeSelector:
kubernetes.io/hostname: hwa
kube-state-metrics: {}
grafana:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
cnpg.io/cluster: cnpg17-cluster-sh
role: primary
topologyKey: kubernetes.io/hostname
namespaceSelector: {}
ingress:
enabled: true
ingressClassName: nginx
@@ -77,19 +72,15 @@ spec:
persistence:
type: pvc
enabled: true
storageClassName: local-path
accessModes:
- ReadWriteOnce
size: 10Gi
prometheus:
prometheusSpec:
nodeSelector:
kubernetes.io/hostname: hwa
storageSpec:
volumeClaimTemplate:
spec:
storageClassName: local-path
accessModes:
- ReadWriteOnce
resources:
@@ -110,12 +101,9 @@ spec:
alertmanager:
alertmanagerSpec:
nodeSelector:
kubernetes.io/hostname: hwa
storage:
volumeClaimTemplate:
spec:
storageClassName: local-path
accessModes:
- ReadWriteOnce
resources:
apps/infra/monitor/loki/helmchart-promtail.yaml → flux/infrastructure/infra-monitor/helmrelease-promtail.yaml
+18 -10
查看文件
@@ -1,15 +1,21 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: loki-promtail
namespace: infra-monitor
spec:
repo: https://grafana.github.io/helm-charts
chart: promtail
targetNamespace: infra-monitor
valuesContent: |-
nodeSelector:
svccontroller.k3s.cattle.io/enablelb: "true"
interval: 30m
dependsOn:
- name: loki
chart:
spec:
chart: promtail
sourceRef:
kind: HelmRepository
name: grafana
namespace: infra-gitops
interval: 12h
values:
configmap:
enabled: true
config:
@@ -19,10 +25,12 @@ spec:
snippets:
extraRelabelConfigs:
# 匹配 devcm-log-collecting/enabled 标签 只有为true时才收集日志
- source_labels: [__meta_kubernetes_pod_label_devcm_log_collecting_enabled]
- source_labels:
[__meta_kubernetes_pod_label_devcm_log_collecting_enabled]
action: keep
regex: true
# 匹配 devcm-log-collecting/only-errors标签并只保留stderr流
- source_labels: [__meta_kubernetes_pod_label_devcm_log_collecting_only_errors]
- source_labels:
[__meta_kubernetes_pod_label_devcm_log_collecting_only_errors]
action: drop
regex: stdout
apps/infra/monitor/prometheus/ingress-static.yaml → flux/infrastructure/infra-monitor/ingress-static-grafana.yaml
查看文件
flux/infrastructure/infra-monitor/kustomization.yaml
+8
查看文件
@@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- helmrelease-loki.yaml
- helmrelease-promtail.yaml
- helmrelease-prometheus.yaml
- ingress-static-grafana.yaml
apps/infra/gitops/namespaces.yaml → flux/infrastructure/infra-monitor/namespace.yaml
+1 -1
查看文件
@@ -1,4 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: infra-gitops
name: infra-monitor
apps/infra/net/nginx/certificate-dev-cm.yaml → flux/infrastructure/infra-net/certificate-dev-cm.yaml
查看文件
apps/infra/net/nginx/configmap-static.yaml → flux/infrastructure/infra-net/configmap-static.yaml
查看文件
apps/infra/net/crowdsec/helmchart.yaml → flux/infrastructure/infra-net/helmrelease-crowdsec.yaml
+17 -39
查看文件
@@ -1,28 +1,28 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: crowdsec
namespace: infra-net
spec:
repo: https://crowdsecurity.github.io/helm-charts
chart: crowdsec
targetNamespace: infra-net
version: 0.22.0
valuesContent: |-
interval: 30m
dependsOn:
- name: ingress-nginx
- name: loki
namespace: infra-monitor
chart:
spec:
chart: crowdsec
version: 0.22.0
sourceRef:
kind: HelmRepository
name: crowdsec
namespace: infra-gitops
interval: 12h
values:
container_runtime: containerd
image:
tag: v1.7.6
agent:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: loki
topologyKey: kubernetes.io/hostname
namespaceSelector: {}
isDeployment: true
additionalAcquisition:
- source: loki
@@ -42,16 +42,6 @@ spec:
config:
enabled: false
appsec:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- cn-hk
enabled: false
acquisitions:
- source: appsec
@@ -74,16 +64,6 @@ spec:
- name: COLLECTIONS
value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs"
lapi:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- cn-hk
resources:
requests:
cpu: 150m
@@ -235,5 +215,3 @@ spec:
statics:
- meta: sub_type
value: "req_limit_exceeded"
apps/infra/net/nginx/helmchart.yaml → flux/infrastructure/infra-net/helmrelease-ingress-nginx.yaml
+14 -30
查看文件
@@ -1,14 +1,20 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: ingress-nginx
namespace: infra-net
spec:
repo: https://kubernetes.github.io/ingress-nginx
chart: ingress-nginx
version: 4.13.2
targetNamespace: infra-net
valuesContent: |-
interval: 30m
chart:
spec:
chart: ingress-nginx
version: 4.13.2
sourceRef:
kind: HelmRepository
name: ingress-nginx
namespace: infra-gitops
interval: 12h
values:
fullnameOverride: ingress-nginx
controller:
image:
@@ -16,24 +22,12 @@ spec:
image: crowdsecurity/controller
tag: v1.13.2
digest: sha256:4575be24781cad35f8e58437db6a3f492df2a3167fed2b6759a6ff0dc3488d56
nodeSelector:
svccontroller.k3s.cattle.io/enablelb: "true"
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
labels:
devcm-log-collecting/enabled: "true"
kind: DaemonSet
hostNetwork: true
hostPort:
enabled: true
# 添加 DNS 配置
dnsPolicy: "None"
dnsConfig:
nameservers:
- "169.254.20.10"
- "10.43.0.10"
service:
enabled: false
publishService:
@@ -131,7 +125,7 @@ spec:
plugins: "crowdsec"
lua-shared-dicts: "crowdsec_cache: 50m"
# 启用geoip2模块
maxmindLicenseKey: "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"
maxmindLicenseKey: ""
extraArgs:
default-ssl-certificate: "infra-net/dev-cm-crt"
# crowdsec插件配置
@@ -199,13 +193,3 @@ spec:
extraVolumeMounts:
- name: static
mountPath: /app/static
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
- "cn-hk"
apps/infra/net/tailscale/helmchart.yaml → flux/infrastructure/infra-net/helmrelease-tailscale-derp.yaml
+14 -10
查看文件
@@ -1,16 +1,20 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: tailscale-derp-hk
namespace: infra-net
spec:
repo: https://devcm-repo.github.io/helm-charts
chart: tailscale-derp
version: 0.0.9
targetNamespace: infra-net
valuesContent: |-
nodeSelector:
kubernetes.io/hostname: tchk
interval: 30m
chart:
spec:
chart: tailscale-derp
version: 0.0.9
sourceRef:
kind: HelmRepository
name: devcm-repo
namespace: infra-gitops
interval: 12h
values:
image:
tag: v1.94.1
hostNetwork: true
@@ -27,7 +31,7 @@ spec:
- name: cert-volume
mountPath: /certs
derp:
hostname: 'tchk.node.dev.cm'
hostname: "tchk.node.dev.cm"
verify_clients: true
http_port: -1
https_port: 30443
apps/infra/net/nginx/ingress-cdn.yaml → flux/infrastructure/infra-net/ingress-cdn.yaml
查看文件
flux/infrastructure/infra-net/kustomization.yaml
+10
查看文件
@@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- helmrelease-ingress-nginx.yaml
- configmap-static.yaml
- certificate-dev-cm.yaml
- ingress-cdn.yaml
- helmrelease-crowdsec.yaml
- helmrelease-tailscale-derp.yaml
apps/infra/data/namespaces.yaml → flux/infrastructure/infra-net/namespace.yaml
+1 -1
查看文件
@@ -1,4 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: infra-data
name: infra-net
apps/kube/coredns/configmap.yaml → flux/infrastructure/kube-system/configmap-coredns.yaml
查看文件
flux/infrastructure/kube-system/kustomization.yaml
+5
查看文件
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- configmap-coredns.yaml
- nodelocaldns.yaml
apps/kube/coredns/nodelocaldns.yaml → flux/infrastructure/kube-system/nodelocaldns.yaml
查看文件
flux/infrastructure/secrets/dnspod-secret.yaml
+11
查看文件
@@ -0,0 +1,11 @@
# cert-manager DNSPod webhook凭据
# 变量来源: flux-env Secret (通过postBuild.substituteFrom注入)
apiVersion: v1
kind: Secret
metadata:
name: dnspod-secret
namespace: infra-devops
type: Opaque
stringData:
secretId: "${DNSPOD_SECRET_ID}"
secretKey: "${DNSPOD_SECRET_KEY}"
flux/infrastructure/secrets/gitea-actions.yaml
+10
查看文件
@@ -0,0 +1,10 @@
# Gitea Actions Runner Token
# 变量来源: flux-env Secret (通过postBuild.substituteFrom注入)
apiVersion: v1
kind: Secret
metadata:
name: gitea-actions
namespace: infra-gitops
type: Opaque
stringData:
token: "${GITEA_ACTIONS_TOKEN}"
flux/infrastructure/secrets/kustomization.yaml
+7
查看文件
@@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespaces.yaml
- s3-devcm-hw.yaml
- dnspod-secret.yaml
- gitea-actions.yaml
flux/infrastructure/secrets/namespaces.yaml
+16
查看文件
@@ -0,0 +1,16 @@
# 确保密钥目标命名空间已存在
# 与各infra层的namespace.yaml幂等
apiVersion: v1
kind: Namespace
metadata:
name: infra-devops
---
apiVersion: v1
kind: Namespace
metadata:
name: infra-data
---
apiVersion: v1
kind: Namespace
metadata:
name: infra-gitops
flux/infrastructure/secrets/s3-devcm-hw.yaml
+23
查看文件
@@ -0,0 +1,23 @@
# S3凭据 (华为云OBS)
# 用途: velero备份 + CNPG barman WAL归档
# 变量来源: flux-env Secret (通过postBuild.substituteFrom注入)
apiVersion: v1
kind: Secret
metadata:
name: s3-devcm-hw
namespace: infra-devops
type: Opaque
stringData:
ACCESS_KEY_ID: "${S3_ACCESS_KEY_ID}"
ACCESS_SECRET_KEY: "${S3_ACCESS_SECRET_KEY}"
---
apiVersion: v1
kind: Secret
metadata:
name: s3-devcm-hw
namespace: infra-data
type: Opaque
stringData:
ACCESS_KEY_ID: "${S3_ACCESS_KEY_ID}"
ACCESS_SECRET_KEY: "${S3_ACCESS_SECRET_KEY}"

某些文件未显示,因为此 diff 中更改的文件太多 显示更多