dev.cm/k3s
1
0
派生 0
代码 议题 拉取请求 活动

比较提交

基准分支: dev.cm/k3s:cddcd02d1b30bf40298a1cc00dde1bae55db405d
分支列表 Git 标签列表
dev.cm/k3s:main dev.cm/k3s:feature-flux
...
比较: dev.cm/k3s:7d33557c88a0e6a1c3d27ada26989d4118d01b5e
分支列表 Git 标签列表
dev.cm/k3s:main dev.cm/k3s:feature-flux

26 次代码提交
cddcd02d1b ... 7d33557c88

修改 127 个文件,包含 2199 行新增1128 行删除
展开所有文件 折叠所有文件
.env.sample
+14
查看文件
@@ -0,0 +1,14 @@
# 华为云OBS S3凭据 (velero备份 + CNPG WAL归档)
S3_ACCESS_KEY_ID=placeholder
S3_ACCESS_SECRET_KEY=placeholder
# DNSPod API凭据 (cert-manager ACME DNS验证)
DNSPOD_SECRET_ID=placeholder
DNSPOD_SECRET_KEY=placeholder
# Gitea Actions Runner TokenGitea 启动后在 admin → Runners 生成)
GITEA_ACTIONS_TOKEN=placeholder
# Flux Operator Web OIDC 凭据(Gitea 启动后创建 OAuth2 应用获取,Redirect URI: https://cd.dev.cm/oauth2/callback
FLUX_WEB_OIDC_CLIENT_ID=placeholder
FLUX_WEB_OIDC_CLIENT_SECRET=placeholder
.gitignore
+6
查看文件
@@ -2,6 +2,12 @@
logs logs
*.log *.log
# Secrets
.env
flux-git-auth
flux-git-auth.pub
known_hosts
# Editor directories and files # Editor directories and files
.vscode/* .vscode/*
!.vscode/extensions.json !.vscode/extensions.json
README.md
+13 -2
查看文件
@@ -4,6 +4,17 @@
参见 [ansible/README.md](ansible/README.md) 参见 [ansible/README.md](ansible/README.md)
#### apps 相关应用 #### 应用相关
参见 [apps/README.md](apps/README.md) 参见 [flux/README.md](flux/README.md)
`
ssh-keygen -t ed25519 -C "flux" -f ./flux-git-auth -N ""
ssh-keyscan github.com > ./known_hosts
kubectl -n infra-gitops create secret generic flux-git-auth \
--from-file=identity=./flux-git-auth \
--from-file=identity.pub=./flux-git-auth.pub \
--from-file=known_hosts=./known_hosts
`
ansible/.env.example → ansible/.env.sample
查看文件
ansible/inventory/group_vars/all.yml
+1 -1
查看文件
@@ -13,6 +13,7 @@ ha_server_url: "{{ lookup('env', 'HA_SERVER_URL') | default('', true) }}"
# K3s Server URL (优先使用 HA_SERVER_URL,否则动态使用 init 节点地址) # K3s Server URL (优先使用 HA_SERVER_URL,否则动态使用 init 节点地址)
k3s_server_url: "{{ ha_server_url if (ha_server_url | length > 0) else '' }}" k3s_server_url: "{{ ha_server_url if (ha_server_url | length > 0) else '' }}"
k3s_version: "v1.34.2+k3s1" k3s_version: "v1.34.2+k3s1"
tailscale_version: "1.96.4"
# ETCD 配置 # ETCD 配置
etcd_snapshot_retention: 1 etcd_snapshot_retention: 1
@@ -44,4 +45,3 @@ registry_mirrors:
- "k8s.m.daocloud.io" - "k8s.m.daocloud.io"
quay.io: quay.io:
- "quay.m.daocloud.io" - "quay.m.daocloud.io"
ansible/playbooks/site.yml
+34
查看文件
@@ -167,3 +167,37 @@
{{ nodes.stdout }} {{ nodes.stdout }}
══════════════════════════════════════════════════════════════ ══════════════════════════════════════════════════════════════
when: cluster_init | default(false) when: cluster_init | default(false)
# ============================================
# K3s 卸载 (需显式指定: --tags uninstall)
# ============================================
- name: Uninstall K3s agents
hosts: agents
gather_facts: false
tags: [uninstall, never]
tasks:
- name: Check agent uninstall script
ansible.builtin.stat:
path: /usr/local/bin/k3s-agent-uninstall.sh
register: agent_uninstall_script
- name: Run k3s-agent-uninstall.sh
ansible.builtin.command: /usr/local/bin/k3s-agent-uninstall.sh
when: agent_uninstall_script.stat.exists
changed_when: true
- name: Uninstall K3s masters
hosts: masters
gather_facts: false
serial: 1
tags: [uninstall, never]
tasks:
- name: Check server uninstall script
ansible.builtin.stat:
path: /usr/local/bin/k3s-uninstall.sh
register: server_uninstall_script
- name: Run k3s-uninstall.sh
ansible.builtin.command: /usr/local/bin/k3s-uninstall.sh
when: server_uninstall_script.stat.exists
changed_when: true
ansible/roles/common/tasks/main.yml
+24 -1
查看文件
@@ -37,6 +37,20 @@
failed_when: false failed_when: false
changed_when: false changed_when: false
- name: Check current Tailscale version
ansible.builtin.shell: tailscale version | head -1
register: common_tailscale_version
failed_when: false
changed_when: false
when: common_tailscale_check.rc == 0
- name: Set Tailscale install flag
ansible.builtin.set_fact:
tailscale_needs_install: "{{
common_tailscale_check.rc != 0 or
(common_tailscale_version.stdout | default('') is not search(tailscale_version))
}}"
- name: Download Tailscale install script - name: Download Tailscale install script
ansible.builtin.get_url: ansible.builtin.get_url:
url: https://tailscale.com/install.sh url: https://tailscale.com/install.sh
@@ -44,11 +58,20 @@
mode: "0755" mode: "0755"
when: common_tailscale_check.rc != 0 when: common_tailscale_check.rc != 0
- name: Install Tailscale - name: Install Tailscale via install script
ansible.builtin.command: /tmp/tailscale-install.sh ansible.builtin.command: /tmp/tailscale-install.sh
when: common_tailscale_check.rc != 0 when: common_tailscale_check.rc != 0
changed_when: true changed_when: true
- name: Install specific Tailscale version
ansible.builtin.apt:
name:
- "tailscale={{ tailscale_version }}"
- "tailscaled={{ tailscale_version }}"
state: present
allow_downgrade: true
when: tailscale_needs_install
- name: Remove Tailscale install script - name: Remove Tailscale install script
ansible.builtin.file: ansible.builtin.file:
path: /tmp/tailscale-install.sh path: /tmp/tailscale-install.sh
ansible/roles/k3s/tasks/main.yml
+1 -1
查看文件
@@ -110,7 +110,7 @@
- name: Wait for K3s server ready - name: Wait for K3s server ready
ansible.builtin.wait_for: ansible.builtin.wait_for:
path: /var/lib/rancher/k3s/server/node-token path: /var/lib/rancher/k3s/server/node-token
timeout: 120 timeout: 300
when: "'masters' in group_names" when: "'masters' in group_names"
# 保存 kubeconfig (仅 cluster-init) # 保存 kubeconfig (仅 cluster-init)
apps/README.md
-29
查看文件
@@ -1,29 +0,0 @@
### apps
集群服务helm部署的应用,包含一些基础服务和一些业务服务
### 调试集群内服务方法 运行此命令
```shell
kubectl run -i --tty --rm --restart=Never \
--overrides='{"apiVersion": "v1", "spec": {"nodeSelector": {"kubernetes.io/hostname": "homea"}}}' \
--image=nicolaka/netshoot:latest \
debug -- sh
```
### 密钥相关
可以将helm部署中使用到的密钥放到k8s的secret中
然后使用reflector将secret中的密钥同步到其他namespace中
```shell
kubectl -n infra-data create secret generic s3-devcm-hw \
--from-literal=ACCESS_KEY_ID=xxxxx \
--from-literal=ACCESS_SECRET_KEY=xxxxx
kubectl -n infra-data annotate secret s3-devcm-hw \
reflector.v1.k8s.emberstack.com/reflection-allowed=true \
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces=infra-devops,apps \
reflector.v1.k8s.emberstack.com/reflection-auto-enabled=true --overwrite
```
apps/infra/data/cloudnative-pg/helmchart-plugin-barman.yaml
-25
查看文件
@@ -1,25 +0,0 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: cloudnative-pg-plugin-barman
namespace: infra-data
spec:
repo: https://cloudnative-pg.github.io/charts
chart: plugin-barman-cloud
targetNamespace: infra-data
version: 0.5.0
valuesContent: |-
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
apps/infra/data/cloudnative-pg/helmchart.yaml
-25
查看文件
@@ -1,25 +0,0 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: cloudnative-pg
namespace: infra-data
spec:
repo: https://cloudnative-pg.github.io/charts
chart: cloudnative-pg
targetNamespace: infra-data
version: 0.27.1
valuesContent: |-
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
apps/infra/data/valkey-cluster/helmchart.yaml
-21
查看文件
@@ -1,21 +0,0 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: valkey-cluster-sh
namespace: infra-data
spec:
chart: oci://registry-1.docker.io/bitnamicharts/valkey-cluster
targetNamespace: infra-data
version: 3.0.23
valuesContent: |-
image:
repository: bitnamilegacy/valkey-cluster
cluster:
nodes: 1
replicas: 0
valkey:
nodeAffinityPreset:
type: hard
key: topology.kubernetes.io/region
values:
- cn-sh
apps/infra/devops/cert-manager/helmchart-dnspod.yaml
-29
查看文件
@@ -1,29 +0,0 @@
# 安装后需要将clusterIssuer的cnameStrategy策略设置为Follow
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: cert-manager-webhook-dnspod
namespace: infra-devops
spec:
chart: oci://registry-1.docker.io/imroc/cert-manager-webhook-dnspod
targetNamespace: infra-devops
version: 1.4.5
valuesContent: |-
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
image:
tag: "1.5.2"
namespace: infra-devops
certManager:
namespace: infra-devops
groupName: cert.dev.cm
# 此处关闭 选择手动创建 以支持cnameStrategy
clusterIssuer:
enabled: false
apps/infra/devops/cert-manager/helmchart.yaml
-51
查看文件
@@ -1,51 +0,0 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: cert-manager
namespace: infra-devops
spec:
repo: https://charts.jetstack.io
chart: cert-manager
targetNamespace: infra-devops
version: v1.19.3
valuesContent: |-
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
webhook:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
cainjector:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
crds:
enabled: true
keep: true
# 在删除证书时同时删除secret
enableCertificateOwnerRef: true
prometheus:
enabled: true
servicemonitor:
enabled: true
interval: 300s
prometheusInstance: kube-prometheus
apps/infra/devops/reflector/helmchart.yaml
-20
查看文件
@@ -1,20 +0,0 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: reflector
namespace: infra-devops
spec:
repo: https://emberstack.github.io/helm-charts
chart: reflector
targetNamespace: infra-devops
version: 9.1.45
valuesContent: |-
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
apps/infra/devops/velero/helmchart.yaml
-85
查看文件
@@ -1,85 +0,0 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: velero
namespace: infra-devops
spec:
repo: https://vmware-tanzu.github.io/helm-charts
chart: velero
targetNamespace: infra-devops
version: 11.3.2
valuesContent: |-
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homeb
# 此处暂时切换关闭upgradeCRDs操作 待官方修复后再开启
upgradeCRDs: false
deployNodeAgent: true
snapshotsEnabled: false
configuration:
backupSyncPeriod: 1h0m0s
defaultRepoMaintainFrequency: 3h0m0s
repositoryMaintenanceJob:
repositoryConfigData:
global:
keepLatestMaintenanceJobs: 1
backupStorageLocation:
- name: devcm-hw
default: true
provider: aws
bucket: devcm
prefix: velero
config:
region: cn-east-3
s3ForcePathStyle: false
s3Url: https://obs.cn-east-3.myhuaweicloud.com
checksumAlgorithm: ""
extraEnvVars:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: s3-devcm-hw
key: ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: s3-devcm-hw
key: ACCESS_SECRET_KEY
credentials:
useSecret: false
initContainers:
- name: velero-plugin-for-aws
image: velero/velero-plugin-for-aws:v1.13.0
volumeMounts:
- mountPath: /target
name: plugins
nodeAgent:
# 控制面板不启用 lb节点不启用
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: NotIn
values:
- "true"
- key: svccontroller.k3s.cattle.io/enablelb
operator: NotIn
values:
- "true"
apps/infra/gitops/flux/helmchart.yaml
-44
查看文件
@@ -1,44 +0,0 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: flux-operator
namespace: infra-gitops
spec:
chart: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator
targetNamespace: infra-gitops
version: 0.40.0
valuesContent: |-
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homea
installCRDs: true
web:
config:
baseURL: https://cd.dev.cm
authentication:
type: OAuth2
oauth2:
provider: OIDC
issuerURL: https://git.dev.cm
clientID: "94b1ec99-55c4-4621-89c3-f49d8b7d5603"
clientSecret: "gto_5fmpkf6h7zohbpesnxfuvjvppinunayv7mfcyo2wmuzqtuj3ig2a"
networkPolicy:
create: false
ingress:
enabled: true
className: nginx
hosts:
- host: cd.dev.cm
paths:
- path: /
pathType: Prefix
apps/infra/net/nginx/configmap-static-update.sh
-21
查看文件
@@ -1,21 +0,0 @@
#!/bin/bash
# 更新 ConfigMap 中的静态文件
cat > configmap-static.yaml << 'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
name: static
namespace: infra-net
data:
EOF
# 直接遍历 static 目录并追加到文件
for file in static/*; do
filename=$(basename "$file")
echo " $filename: |" >> configmap-static.yaml
sed 's/^/ /' "$file" >> configmap-static.yaml
echo "" >> configmap-static.yaml
done
echo "ConfigMap updated successfully!"
apps/infra/net/nginx/static/captcha.html
-302
查看文件
@@ -1,302 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta content="width=device-width,initial-scale=1,user-scalable=no,viewport-fit=cover" name="viewport">
<title>出于安全原因 请完成验证</title>
<script src="{{captcha_frontend_js}}" async defer></script>
<style>
* {
-webkit-box-sizing: border-box;
box-sizing: border-box
}
body {
padding: 0;
margin: 0
}
#error {
position: relative;
height: 100vh
}
#error .error {
position: absolute;
left: 50%;
top: 50%;
-webkit-transform: translate(-50%, -50%);
-ms-transform: translate(-50%, -50%);
transform: translate(-50%, -50%)
}
#error .error-bg {
position: absolute;
left: 0;
right: 0;
top: 0;
bottom: 0;
overflow: hidden
}
#error .error-bg > div {
position: absolute;
top: 0;
bottom: 0;
width: 1px;
background-color: #eee
}
#error .error-bg > div:nth-child(1) {
left: 20%
}
#error .error-bg > div:nth-child(2) {
left: 40%
}
#error .error-bg > div:nth-child(3) {
left: 60%
}
#error .error-bg > div:nth-child(4) {
left: 80%
}
#error .error-bg > div:after {
content: '';
position: absolute;
top: 0;
left: -.5px;
-webkit-transform: translateY(-160px);
-ms-transform: translateY(-160px);
transform: translateY(-160px);
height: 160px;
width: 2px;
background-color: #1cfafe
}
@-webkit-keyframes drop {
90% {
height: 20px
}
100% {
height: 160px;
-webkit-transform: translateY(calc(100vh + 160px));
transform: translateY(calc(100vh + 160px))
}
}
@keyframes drop {
90% {
height: 20px
}
100% {
height: 160px;
-webkit-transform: translateY(calc(100vh + 160px));
transform: translateY(calc(100vh + 160px))
}
}
#error .error-bg > div:nth-child(1):after {
-webkit-animation: drop 3s infinite linear;
animation: drop 3s infinite linear;
-webkit-animation-delay: .2s;
animation-delay: .2s
}
#error .error-bg > div:nth-child(2):after {
-webkit-animation: drop 2s infinite linear;
animation: drop 2s infinite linear;
-webkit-animation-delay: .7s;
animation-delay: .7s
}
#error .error-bg > div:nth-child(3):after {
-webkit-animation: drop 3s infinite linear;
animation: drop 3s infinite linear;
-webkit-animation-delay: .9s;
animation-delay: .9s
}
#error .error-bg > div:nth-child(4):after {
-webkit-animation: drop 2s infinite linear;
animation: drop 2s infinite linear;
-webkit-animation-delay: 1.2s;
animation-delay: 1.2s
}
.error {
max-width: 520px;
width: 100%;
padding: 20px;
text-align: center
}
.error .error-code {
height: 210px;
line-height: 210px
}
.error .error-code h1 {
font-family: oswald, sans-serif;
font-size: 80px;
font-weight: 700;
margin: 0;
text-shadow: 4px 4px 0 #1cfafe
}
.error h2 {
font-family: oswald, sans-serif;
font-size: 42px;
font-weight: 700;
margin: 0;
text-transform: uppercase;
letter-spacing: 1.6px
}
.error p {
font-family: lato, sans-serif;
color: #000;
font-weight: 400;
margin-top: 20px;
margin-bottom: 25px
}
.error a {
font-family: lato, sans-serif;
padding: 10px 30px;
display: inline-block;
color: #000;
font-weight: 400;
text-transform: uppercase;
-webkit-box-shadow: 0 0 0 2px #000, 2px 2px 0 2px #1cfafe;
box-shadow: 0 0 0 2px #000, 2px 2px 0 2px #1cfafe;
text-decoration: none;
-webkit-transition: .2s all;
transition: .2s all
}
.error a:not(:first-of-type) {
margin-left: 20px
}
.error a:hover {
background-color: #1cfafe;
-webkit-box-shadow: 0 0 0 0 #000, 0 0 0 2px #1cfafe;
box-shadow: 0 0 0 0 #000, 0 0 0 2px #1cfafe
}
.error-social > a {
width: 40px;
height: 40px;
line-height: 40px;
padding: 0;
margin: 0 5px
}
.error-social > a:hover {
background-color: #1cfafe;
-webkit-box-shadow: 0 0 0 0 #000, 0 0 0 2px #1cfafe;
box-shadow: 0 0 0 0 #000, 0 0 0 2px #1cfafe
}
#captcha-form {
position: relative;
width: 300px;
height: 65px;
overflow: hidden;
margin: 0 auto 30px;
background-color: #fff;
-webkit-box-shadow: 0 0 0 2px #000, 2px 2px 0 2px #1cfafe;
box-shadow: 0 0 0 2px #000, 2px 2px 0 2px #1cfafe;
}
.loading {
position: absolute;
top: 0;
left: 0;
z-index: 1;
display: flex;
justify-content: center;
align-items: center;
width: 100%;
height: 65px;
gap: 10px;
}
.loading:has(+ *) {
display: none;
}
.loading::before {
content: "";
width: 20px;
height: 20px;
border: 2px solid #000;
border-right-color: #1cfafe;
border-radius: 50%;
animation: spin 1s linear infinite;
}
#captcha {
position: relative;
z-index: 2;
}
@keyframes spin {
from {
transform: rotate(0deg);
}
to {
transform: rotate(360deg);
}
}
@media only screen and (max-width: 480px) {
.error .error-code {
height: 122px;
line-height: 122px
}
.error .error-code h1 {
font-size: 60px
}
.error h2 {
font-size: 26px
}
}
</style>
</head>
<body>
<div id="error">
<div class="error-bg">
<div></div>
<div></div>
<div></div>
<div></div>
</div>
<div class="error">
<div class="error-code">
<h1>FillCode</h1>
</div>
<h2>请完成验证</h2>
<p>请完成下面验证, 页面将会自动跳转到访问页面。</p>
<form id="captcha-form" method="POST">
<div id="captcha" class="{{captcha_frontend_key}}" data-sitekey="{{captcha_site_key}}"
data-callback="captchaCallback" data-size="flexible"></div>
<div class="loading">验证码加载中, 请稍等...</div>
</form>
<a href="mailto:admin@dev.cm">联系我们</a>
</div>
</div>
<script>
function captchaCallback() {
setTimeout(() => document.querySelector('#captcha-form').submit(), 500)
}
</script>
</body>
</html>
apps/infra/net/nginx/static/pwa-cdn.js
-59
查看文件
@@ -1,59 +0,0 @@
'use strict'
// 配置
const pwaCdnConfig = {
cdnUrl: 'https://cdn.fillcode.com/',
serviceWorkerUrl: '/__static/sw-cdn.js',
staticRegex: /\.(js|css|png|jpg|jpeg|gif|svg|webp|woff|woff2|ttf|ico)$/,
debug: false,
}
/**
* PWA 初始化函数
*/
async function initializePWA() {
// 检查支持
if (!('serviceWorker' in navigator)) return console.log('PWA-CDN: Service Worker not supported')
let registration;
try {
// 注册Service Worker - 使用相对路径
registration = await navigator.serviceWorker.register(pwaCdnConfig.serviceWorkerUrl, {scope: '/'})
console.log('PWA-CDN: Service Worker registered')
} catch (error) {
console.error('PWA-CDN: Failed to register Service Worker:', error)
}
// 发送初始配置
const sendConfig = () => {
registration.active.postMessage({type: 'CONFIG', config: pwaCdnConfig})
}
// 如果注册失败,直接返回错误
if(!registration) return console.error('PWA-CDN: Service Worker registration failed, cannot send config')
// 更新配置函数
window.updatePWACDNConfig = (newConfig) => {
Object.assign(pwaCdnConfig, newConfig)
sendConfig()
}
// 等待Service Worker激活后发送配置
if (registration.active) sendConfig()
// 监听Service Worker更新事件
registration.addEventListener('updatefound', () => {
const newWorker = registration.installing
newWorker.addEventListener('statechange', () => {
if (newWorker.state === 'activated') sendConfig()
})
})
}
/**
* 启动 PWA-CDN
* */
initializePWA().catch(console.error)
apps/infra/net/nginx/static/sw-cdn.js
-88
查看文件
@@ -1,88 +0,0 @@
'use strict'
// Service Worker 配置 - 默认值
let config = {
cdnUrl: 'https://cdn.fillcode.com/',
serviceWorkerUrl: '/__static/sw-cdn.js',
staticRegex: /(.*\.(css|js|png|jpg|jpeg|gif|svg|webp|ico|woff|woff2|ttf|eot)|avatars[^/]+)$/,
debug: false,
}
// 监听配置更新消息
self.addEventListener('message', e => {
if (e.data.type !== 'CONFIG') return
config = e.data.config
if (config.debug) console.log('PWA-CDN: Config updated', config)
})
// 拦截网络请求
self.addEventListener('fetch', e => {
const url = new URL(e.request.url)
// 如果请求不是GET方法,直接返回
if (e.request.method !== 'GET') return
// 如果请求的域名不是当前页面的域名
if (url.origin !== self.location.origin) return
// 过滤__static路径下的请求
if (url.pathname.startsWith('/__static/')) return
// 如果请求的路径不匹配静态资源正则表达式,直接返回
if (!config.staticRegex.test(url.pathname)) return
// 判断是否是强制需要同源请求
const requiresSameOrigin = ['worker', 'sharedworker', 'serviceworker'].includes(e.request.destination)
// 如果是强制需要同源请求的资源类型,直接返回
if (requiresSameOrigin) return
// 开始处理静态资源请求
e.respondWith(handleStaticResource(e.request, url))
})
// 处理静态资源请求
async function handleStaticResource(request, url) {
// 生成CDN子路径
const hostname = self.location.hostname
const cdnPath = hostname.replace(/\./g, '-')
const targetUrl = config.cdnUrl + cdnPath + url.pathname + url.search
if (config.debug) console.log('PWA-CDN:', url.href, '->', targetUrl)
try {
// 创建新请求
const newRequest = new Request(targetUrl, {
...request,
mode: 'cors',
redirect: 'error',
})
// 请求目标域名,浏览器会自动处理缓存
const response = await fetch(newRequest)
// 检查响应状态
if (!response.ok) throw new Error('PWA-CDN: Non-2xx response detected')
return response
} catch (error) {
if (config.debug) console.warn('PWA-CDN: Fallback to original request for', url.href, error)
// 失败时回退到原始请求
return fetch(request)
}
}
// Service Worker 生命周期
self.addEventListener('install', () => {
if (config.debug) console.log('PWA-CDN: Service Worker installing')
self.skipWaiting().catch(console.error)
})
self.addEventListener('activate', () => {
if (config.debug) console.log('PWA-CDN: Service Worker activated')
self.clients.claim().catch(console.error)
})
apps/kube/README.md
-4
查看文件
@@ -1,4 +0,0 @@
### path core中服务的节点亲和性 使他们只运行在master节点上
```shell
kubectl patch -n kube-system deployment coredns --patch-file=apps/kube/patch-affinity.yaml
```
apps/kube/patch-affinity.yaml
-12
查看文件
@@ -1,12 +0,0 @@
spec:
template:
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: In
values:
- "true"
flux/README.md
+93
查看文件
@@ -0,0 +1,93 @@
# Flux GitOps
## 目录结构
```
flux/
├── clusters/
│ └── dev-cm/ # 集群级别编排
│ ├── kustomization.yaml # 资源列表
│ ├── sources.yaml # HelmRepository 源
│ ├── kube-system.yaml # CoreDNS / NodeLocalDNS
│ ├── infra-devops.yaml # cert-manager / reflector / velero
│ ├── infra-data.yaml # CNPG / Valkey
│ ├── infra-monitor.yaml # Loki / Prometheus (+ post: Promtail)
│ ├── infra-net.yaml # Nginx / CrowdSec / Tailscale
│ ├── infra-gitops.yaml # Gitea (+ post: Gitea Actions / Flux Web)
│ └── apps.yaml # Halo / RustDesk / Fillcode / SinceAI
├── infrastructure/
│ ├── sources/ # 所有 HelmRepository 定义
│ ├── kube-system/ # CoreDNS 自定义 + NodeLocalDNS
│ ├── infra-devops/ # cert-manager, webhook-dnspod, reflector, velero
│ ├── infra-data/ # CNPG operator, Barman, PG集群, Valkey
│ ├── infra-net/ # ingress-nginx, CrowdSec, Tailscale DERP, 证书
│ │ └── post/ # CDN Ingress(依赖 apps,打破循环)
│ ├── infra-monitor/ # Loki, Prometheus+Grafana
│ │ └── post/ # Promtail(依赖 infra-net,打破循环)
│ └── infra-gitops/ # Gitea
│ └── post/ # Gitea Actions + flux-operator WebOIDC/Ingress
└── apps/ # Halo, RustDesk, Whoami, 证书, Ingress
```
## 部署顺序
```
sources → secrets → kube-system → infra-devops → infra-data → infra-data-post
→ infra-monitor → infra-net → infra-devops-post
→ infra-monitor-post (Promtail)
→ infra-gitops
→ apps
→ infra-net-post (CDN Ingress)
→ infra-gitops-post (suspend=true,需手工凭据)
```
Kustomization 间通过 `dependsOn` + `wait: true` 串行等待,避免顺序错乱。
## 部署后手工步骤(infra-gitops-post
`infra-gitops-post` 默认 `suspend: true`,因为它依赖两类只能在 Gitea 启动后获取的凭据:
1. **Flux Operator Web 的 OIDC 客户端**
2. **Gitea Actions Runner Token**
步骤:
1. 浏览器访问 `https://git.dev.cm`,首个注册账号自动成为 admin。
2. **创建 OAuth2 应用**
- Site Administration → Integrations → Applications → Create OAuth2 Application
- Redirect URI: `https://cd.dev.cm/oauth2/callback`
- 记录 Client ID 与 Client Secret。
3. **生成 Runner Token**
- Site Administration → Actions → Runners → Create new Runner → 复制 registration token。
4. 更新 `k3s/.env`
```
FLUX_WEB_OIDC_CLIENT_ID=<step 2 client id>
FLUX_WEB_OIDC_CLIENT_SECRET=<step 2 client secret>
GITEA_ACTIONS_TOKEN=<step 3 token>
```
5. 重新注入 `flux-env` Secret 并协调:
```bash
kubectl -n infra-gitops create secret generic flux-env \
--from-env-file=k3s/.env \
--dry-run=client -o yaml | kubectl apply -f -
flux reconcile kustomization secrets -n infra-gitops
flux resume kustomization infra-gitops-post -n infra-gitops
flux reconcile kustomization infra-gitops-post -n infra-gitops --with-source
```
6. 验证:
```bash
kubectl -n infra-gitops get helmrelease gitea-actions
kubectl -n infra-gitops get deploy flux-operator -o yaml | grep -A2 args # 看到 --web-*
curl -I https://cd.dev.cm # 走 Gitea OIDC
```
## 为何拆出 \*-post 层?
- **`infra-monitor-post` (Promtail)**Promtail 依赖至少一个带 `devcm-log-collecting/enabled` 标签的 Podingress-nginx);而 `infra-net` 又依赖 `infra-monitor` 的 CRD。Promtail 放到 post 层并 `dependsOn: infra-net`,打破循环。
- **`infra-gitops-post` (Gitea Actions + Flux Web)**:凭据必须在 Gitea 启动后手工创建;放在 post 层并默认 suspend,避免阻塞 bootstrap。
apps/apps/fillcode/certificate-fillcode-com.yaml → flux/apps/certificate-fillcode-com.yaml
查看文件
apps/apps/sinceai/certificate-sinceai-com.yaml → flux/apps/certificate-sinceai-com.yaml
查看文件
apps/apps/halo/helmchart.yaml → flux/apps/helmrelease-halo.yaml
+17 -24
查看文件
@@ -1,28 +1,24 @@
apiVersion: helm.cattle.io/v1 apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmChart kind: HelmRelease
metadata: metadata:
name: halo name: halo
namespace: apps namespace: apps
spec: spec:
repo: https://halo-sigs.github.io/charts/ interval: 30m
chart: halo timeout: 15m
targetNamespace: apps chart:
version: 1.3.2 spec:
valuesContent: |- chart: halo
affinity: version: 1.3.2
podAffinity: sourceRef:
preferredDuringSchedulingIgnoredDuringExecution: kind: HelmRepository
- weight: 100 name: halo
podAffinityTerm: namespace: infra-gitops
labelSelector: interval: 12h
matchLabels: values:
cnpg.io/cluster: cnpg17-cluster-hk
role: primary
topologyKey: kubernetes.io/hostname
namespaceSelector: {}
image: image:
repository: halohub/halo-pro repository: halohub/halo-pro
tag: 2.23.1 tag: 2.24.0
service: service:
type: ClusterIP type: ClusterIP
ingress: ingress:
@@ -52,14 +48,11 @@ spec:
enabled: false enabled: false
externalDatabase: externalDatabase:
platform: postgresql platform: postgresql
host: cnpg17-cluster-hk-rw.infra-data host: cnpg17-cluster-rw.infra-data
port: 5432 port: 5432
user: app user: app
password: from-secret password: from-secret
database: halo database: halo
existingSecret: cnpg17-cluster-hk-app existingSecret: cnpg17-cluster-app
haloUsername: rohow haloUsername: rohow
haloExternalUrl: https://dev.cm haloExternalUrl: https://dev.cm
apps/apps/rustdesk/helmchart.yaml → flux/apps/helmrelease-rustdesk.yaml
+14 -10
查看文件
@@ -1,17 +1,21 @@
apiVersion: helm.cattle.io/v1 apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmChart kind: HelmRelease
metadata: metadata:
name: rustdesk name: rustdesk
namespace: apps namespace: apps
spec: spec:
repo: https://devcm-repo.github.io/helm-charts interval: 30m
chart: rustdesk-server timeout: 15m
targetNamespace: apps chart:
version: 0.0.7 spec:
valuesContent: |- chart: rustdesk-server
nodeSelector: version: 0.0.7
kubernetes.io/hostname: tcd sourceRef:
kind: HelmRepository
name: devcm-repo
namespace: infra-gitops
interval: 12h
values:
rustdeskServer: rustdeskServer:
encryptedOnly: true encryptedOnly: true
mustLogin: true mustLogin: true
apps/apps/fillcode/helmchart-whoami.yaml → flux/apps/helmrelease-whoami.yaml
+14 -9
查看文件
@@ -1,14 +1,21 @@
apiVersion: helm.cattle.io/v1 apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmChart kind: HelmRelease
metadata: metadata:
name: fillcode-whoami name: fillcode-whoami
namespace: apps namespace: apps
spec: spec:
repo: https://cowboysysop.github.io/charts/ interval: 30m
chart: whoami timeout: 15m
targetNamespace: apps chart:
version: 5.1.2 spec:
valuesContent: |- chart: whoami
version: 5.1.2
sourceRef:
kind: HelmRepository
name: cowboysysop
namespace: infra-gitops
interval: 12h
values:
ingress: ingress:
enabled: true enabled: true
ingressClassName: nginx ingressClassName: nginx
@@ -20,5 +27,3 @@ spec:
- host: whoami.fillcode.com - host: whoami.fillcode.com
paths: paths:
- / - /
apps/apps/fillcode/ingress.yaml → flux/apps/ingress-fillcode.yaml
-2
查看文件
@@ -3,7 +3,6 @@ kind: Ingress
metadata: metadata:
name: fillcode name: fillcode
namespace: apps namespace: apps
annotations:
spec: spec:
ingressClassName: nginx ingressClassName: nginx
rules: rules:
@@ -21,4 +20,3 @@ spec:
- hosts: - hosts:
- fillcode.com - fillcode.com
secretName: fillcode-com-crt secretName: fillcode-com-crt
apps/apps/halo/ingress-static.yaml → flux/apps/ingress-halo-static.yaml
查看文件
apps/apps/halo/ingress-www.yaml → flux/apps/ingress-halo-www.yaml
-1
查看文件
@@ -20,4 +20,3 @@ spec:
name: halo name: halo
port: port:
number: 80 number: 80
apps/apps/sinceai/ingress-shop.yaml → flux/apps/ingress-sinceai-shop.yaml
-1
查看文件
@@ -24,4 +24,3 @@ spec:
- hosts: - hosts:
- shop.sinceai.com - shop.sinceai.com
secretName: sinceai-com-crt secretName: sinceai-com-crt
flux/apps/kustomization.yaml
+13
查看文件
@@ -0,0 +1,13 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- certificate-fillcode-com.yaml
- certificate-sinceai-com.yaml
- helmrelease-halo.yaml
- ingress-fillcode.yaml
- ingress-halo-www.yaml
- ingress-halo-static.yaml
- ingress-sinceai-shop.yaml
- helmrelease-whoami.yaml
- helmrelease-rustdesk.yaml
apps/apps/namespaces.yaml → flux/apps/namespace.yaml
查看文件
flux/clusters/base/apps.yaml
+18
查看文件
@@ -0,0 +1,18 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apps
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/apps
prune: true
dependsOn:
- name: infra-data-reflector
- name: infra-net
- name: infra-gitops
flux/clusters/base/infra-data.yaml
+58
查看文件
@@ -0,0 +1,58 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-data
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-data
prune: true
force: true
wait: true
dependsOn:
- name: infra-devops
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-data-post
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-data/post
prune: true
force: true
wait: true
dependsOn:
- name: infra-data
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-data-reflector
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-data/reflector
prune: true
force: true
wait: true
dependsOn:
- name: infra-data-post
flux/clusters/base/infra-devops.yaml
+38
查看文件
@@ -0,0 +1,38 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-devops
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-devops
prune: true
wait: true
dependsOn:
- name: sources
- name: secrets
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-devops-post
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-devops/post
prune: true
force: true
wait: true
dependsOn:
- name: infra-monitor
flux/clusters/base/infra-gitops.yaml
+43
查看文件
@@ -0,0 +1,43 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-gitops
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-gitops
prune: true
wait: true
dependsOn:
- name: infra-data-reflector
- name: infra-monitor
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-gitops-post
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
suspend: true
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-gitops/post
prune: true
wait: true
dependsOn:
- name: infra-gitops
- name: infra-net
postBuild:
substituteFrom:
- kind: Secret
name: flux-env
flux/clusters/base/infra-monitor.yaml
+39
查看文件
@@ -0,0 +1,39 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-monitor
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-monitor
prune: true
force: true
wait: true
dependsOn:
- name: infra-data-reflector
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-monitor-post
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-monitor/post
prune: true
force: true
wait: true
dependsOn:
- name: infra-monitor
- name: infra-net
flux/clusters/base/infra-net.yaml
+39
查看文件
@@ -0,0 +1,39 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-net
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-net
prune: true
wait: true
dependsOn:
- name: kube-system
- name: infra-devops
- name: infra-devops-post
- name: infra-monitor
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-net-post
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-net/post
prune: true
wait: true
dependsOn:
- name: apps
flux/clusters/base/kube-system.yaml
+15
查看文件
@@ -0,0 +1,15 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: kube-system
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/kube-system
prune: false
wait: true
flux/clusters/base/kustomization.yaml
+12
查看文件
@@ -0,0 +1,12 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- sources.yaml
- secrets.yaml
- kube-system.yaml
- infra-devops.yaml
- infra-data.yaml
- infra-net.yaml
- infra-monitor.yaml
- infra-gitops.yaml
- apps.yaml
flux/clusters/base/secrets.yaml
+23
查看文件
@@ -0,0 +1,23 @@
# 密钥管理层 - 通过postBuild从flux-env Secret注入变量
# 所有环境流程一致: kubectl create secret generic flux-env -n infra-gitops --from-env-file=.env
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: secrets
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/secrets
prune: false
wait: true
dependsOn:
- name: sources
postBuild:
substituteFrom:
- kind: Secret
name: flux-env
flux/clusters/base/sources.yaml
+15
查看文件
@@ -0,0 +1,15 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: sources
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/sources
prune: true
wait: true
apps/infra/data/cloudnative-pg/cnpg17-cluster-hk.yaml → flux/clusters/dev-cm/infra-data-post/cnpg17-cluster-hk.yaml
+1 -18
查看文件
@@ -4,23 +4,6 @@ metadata:
name: cnpg17-cluster-hk name: cnpg17-cluster-hk
namespace: infra-data namespace: infra-data
spec: spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-hk"
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- clawhk
imageName: ghcr.io/cloudnative-pg/postgresql:17.4 imageName: ghcr.io/cloudnative-pg/postgresql:17.4
enableSuperuserAccess: true enableSuperuserAccess: true
enablePDB: false enablePDB: false
@@ -40,7 +23,7 @@ spec:
isWALArchiver: true isWALArchiver: true
parameters: parameters:
barmanObjectName: cnpg17-objectstore-hw barmanObjectName: cnpg17-objectstore-hw
serverName: cnpg17-cluster-hk serverName: cnpg17-cluster-hk-a
--- ---
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
apps/infra/data/cloudnative-pg/cnpg17-cluster-sh.yaml → flux/clusters/dev-cm/infra-data-post/cnpg17-cluster-sh.yaml
+1 -18
查看文件
@@ -4,23 +4,6 @@ metadata:
name: cnpg17-cluster-sh name: cnpg17-cluster-sh
namespace: infra-data namespace: infra-data
spec: spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homea
imageName: ghcr.io/cloudnative-pg/postgresql:17.4 imageName: ghcr.io/cloudnative-pg/postgresql:17.4
enableSuperuserAccess: true enableSuperuserAccess: true
enablePDB: false enablePDB: false
@@ -40,7 +23,7 @@ spec:
isWALArchiver: true isWALArchiver: true
parameters: parameters:
barmanObjectName: cnpg17-objectstore-hw barmanObjectName: cnpg17-objectstore-hw
serverName: cnpg17-cluster-sh serverName: cnpg17-cluster-sh-a
--- ---
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
flux/clusters/dev-cm/infra-data-post/databases.yaml
+43
查看文件
@@ -0,0 +1,43 @@
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-sh-gitea
namespace: infra-data
spec:
name: gitea
owner: app
cluster:
name: cnpg17-cluster-sh
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-sh-grafana
namespace: infra-data
spec:
name: grafana
owner: app
cluster:
name: cnpg17-cluster-sh
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-hk-halo
namespace: infra-data
spec:
name: halo
owner: app
cluster:
name: cnpg17-cluster-hk
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-hk-crowdsec
namespace: infra-data
spec:
name: crowdsec
owner: app
cluster:
name: cnpg17-cluster-hk
flux/clusters/dev-cm/infra-data-post/kustomization.yaml
+9
查看文件
@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../infrastructure/infra-data/post/cnpg17-objectstore-hw.yaml
- cnpg17-cluster-hk.yaml
- cnpg17-cluster-sh.yaml
- databases.yaml
- loadbalancer-hk.yaml
- loadbalancer-sh.yaml
apps/infra/data/cloudnative-pg/loadbalancer-hk.yaml → flux/clusters/dev-cm/infra-data-post/loadbalancer-hk.yaml
查看文件
apps/infra/data/cloudnative-pg/loadbalancer-sh.yaml → flux/clusters/dev-cm/infra-data-post/loadbalancer-sh.yaml
查看文件
flux/clusters/dev-cm/infra-data-reflector/kustomization.yaml
+4
查看文件
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- reflector-secret-annotations.yaml
flux/clusters/dev-cm/infra-data-reflector/reflector-secret-annotations.yaml
+38
查看文件
@@ -0,0 +1,38 @@
apiVersion: v1
kind: Secret
metadata:
name: cnpg17-cluster-hk-app
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
kustomize.toolkit.fluxcd.io/ssa: Merge
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net"
---
apiVersion: v1
kind: Secret
metadata:
name: cnpg17-cluster-sh-app
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
kustomize.toolkit.fluxcd.io/ssa: Merge
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops,infra-monitor"
---
apiVersion: v1
kind: Secret
metadata:
name: valkey-cluster-sh
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
kustomize.toolkit.fluxcd.io/ssa: Merge
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops"
flux/clusters/dev-cm/kustomization.yaml
+49
查看文件
@@ -0,0 +1,49 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
patches:
- target:
kind: Kustomization
name: kube-system
path: patches/kube-system.yaml
- target:
kind: Kustomization
name: infra-devops
path: patches/infra-devops.yaml
- target:
kind: Kustomization
name: infra-data
path: patches/infra-data.yaml
- target:
kind: Kustomization
name: infra-data-post
path: patches/infra-data-post.yaml
- target:
kind: Kustomization
name: infra-data-reflector
path: patches/infra-data-reflector.yaml
- target:
kind: Kustomization
name: infra-net
path: patches/infra-net.yaml
- target:
kind: Kustomization
name: infra-monitor
path: patches/infra-monitor.yaml
- target:
kind: Kustomization
name: infra-monitor-post
path: patches/infra-monitor-post.yaml
- target:
kind: Kustomization
name: infra-gitops
path: patches/infra-gitops.yaml
- target:
kind: Kustomization
name: infra-gitops-post
path: patches/infra-gitops-post.yaml
- target:
kind: Kustomization
name: apps
path: patches/apps.yaml
flux/clusters/dev-cm/patches/apps.yaml
+42
查看文件
@@ -0,0 +1,42 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apps
spec:
patches:
- target:
kind: HelmRelease
name: halo
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: halo
spec:
values:
externalDatabase:
host: cnpg17-cluster-hk-rw.infra-data
existingSecret: cnpg17-cluster-hk-app
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
cnpg.io/cluster: cnpg17-cluster-hk
role: primary
topologyKey: kubernetes.io/hostname
namespaceSelector: {}
- target:
kind: HelmRelease
name: rustdesk
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: rustdesk
spec:
values:
nodeSelector:
kubernetes.io/hostname: tcd
flux/clusters/dev-cm/patches/infra-data-post.yaml
+59
查看文件
@@ -0,0 +1,59 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-data-post
spec:
path: ./flux/clusters/dev-cm/infra-data-post
patches:
- target:
kind: Cluster
name: cnpg17-cluster-hk
patch: |
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: cnpg17-cluster-hk
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-hk"
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- clawhk
- target:
kind: Cluster
name: cnpg17-cluster-sh
patch: |
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: cnpg17-cluster-sh
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homea
flux/clusters/dev-cm/patches/infra-data-reflector.yaml
+6
查看文件
@@ -0,0 +1,6 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-data-reflector
spec:
path: ./flux/clusters/dev-cm/infra-data-reflector
flux/clusters/dev-cm/patches/infra-data.yaml
+69
查看文件
@@ -0,0 +1,69 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-data
spec:
patches:
- target:
kind: HelmRelease
name: cloudnative-pg
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cloudnative-pg
spec:
values:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
- target:
kind: HelmRelease
name: cloudnative-pg-plugin-barman
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cloudnative-pg-plugin-barman
spec:
values:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
- target:
kind: HelmRelease
name: valkey-cluster
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: valkey-cluster
spec:
values:
fullnameOverride: valkey-cluster-sh
valkey:
nodeAffinityPreset:
type: hard
key: topology.kubernetes.io/region
values:
- cn-sh
flux/clusters/dev-cm/patches/infra-devops.yaml
+124
查看文件
@@ -0,0 +1,124 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-devops
spec:
patches:
- target:
kind: HelmRelease
name: cert-manager
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
spec:
values:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
webhook:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
cainjector:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
- target:
kind: HelmRelease
name: cert-manager-webhook-dnspod
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager-webhook-dnspod
spec:
values:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
- target:
kind: HelmRelease
name: reflector
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: reflector
spec:
values:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
- target:
kind: HelmRelease
name: velero
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: velero
spec:
values:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homeb
nodeAgent:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: NotIn
values:
- "true"
- key: svccontroller.k3s.cattle.io/enablelb
operator: NotIn
values:
- "true"
flux/clusters/dev-cm/patches/infra-gitops-post.yaml
+19
查看文件
@@ -0,0 +1,19 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-gitops-post
spec:
patches:
- target:
kind: HelmRelease
name: gitea-actions
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gitea-actions
spec:
values:
statefulset:
nodeSelector:
dev-cm-runner/enabled: "true"
flux/clusters/dev-cm/patches/infra-gitops.yaml
+59
查看文件
@@ -0,0 +1,59 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-gitops
spec:
patches:
- target:
kind: HelmRelease
name: gitea
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gitea
spec:
values:
gitea:
config:
database:
HOST: cnpg17-cluster-sh-rw.infra-data:5432
additionalConfigFromEnvs:
- name: GITEA__DATABASE__PASSWD
valueFrom:
secretKeyRef:
name: cnpg17-cluster-sh-app
key: password
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: valkey-cluster-sh
key: valkey-password
- name: GITEA__SESSION__PROVIDER_CONFIG
value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
- name: GITEA__CACHE__HOST
value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
- name: GITEA__QUEUE__CONN_STR
value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
cnpg.io/cluster: cnpg17-cluster-sh
role: primary
app.kubernetes.io/name: redis
app.kubernetes.io/component: master
topologyKey: kubernetes.io/hostname
namespaceSelector: {}
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homea
flux/clusters/dev-cm/patches/infra-monitor-post.yaml
+18
查看文件
@@ -0,0 +1,18 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-monitor-post
spec:
patches:
- target:
kind: HelmRelease
name: loki-promtail
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: loki-promtail
spec:
values:
nodeSelector:
svccontroller.k3s.cattle.io/enablelb: "true"
flux/clusters/dev-cm/patches/infra-monitor.yaml
+94
查看文件
@@ -0,0 +1,94 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-monitor
spec:
patches:
- target:
kind: HelmRelease
name: loki
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: loki
spec:
values:
lokiCanary:
nodeSelector:
svccontroller.k3s.cattle.io/enablelb: "true"
resultsCache:
nodeSelector:
kubernetes.io/hostname: tce
chunksCache:
nodeSelector:
kubernetes.io/hostname: tce
singleBinary:
nodeSelector:
kubernetes.io/hostname: tce
- target:
kind: HelmRelease
name: loki-promtail
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: loki-promtail
spec:
values:
nodeSelector:
svccontroller.k3s.cattle.io/enablelb: "true"
- target:
kind: HelmRelease
name: prometheus
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: prometheus
spec:
values:
prometheusOperator:
nodeSelector:
kubernetes.io/hostname: hwa
kube-state-metrics:
nodeSelector:
kubernetes.io/hostname: hwa
grafana:
envValueFrom:
GF_DATABASE_PASSWORD:
secretKeyRef:
name: cnpg17-cluster-sh-app
key: password
grafana.ini:
database:
host: cnpg17-cluster-sh-rw.infra-data:5432
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
cnpg.io/cluster: cnpg17-cluster-sh
role: primary
topologyKey: kubernetes.io/hostname
namespaceSelector: {}
persistence:
storageClassName: local-path
prometheus:
prometheusSpec:
nodeSelector:
kubernetes.io/hostname: hwa
storageSpec:
volumeClaimTemplate:
spec:
storageClassName: local-path
alertmanager:
alertmanagerSpec:
nodeSelector:
kubernetes.io/hostname: hwa
storage:
volumeClaimTemplate:
spec:
storageClassName: local-path
flux/clusters/dev-cm/patches/infra-net.yaml
+121
查看文件
@@ -0,0 +1,121 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-net
spec:
patches:
- target:
kind: HelmRelease
name: ingress-nginx
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: ingress-nginx
spec:
values:
controller:
nodeSelector:
svccontroller.k3s.cattle.io/enablelb: "true"
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
dnsPolicy: "None"
dnsConfig:
nameservers:
- "169.254.20.10"
- "10.43.0.10"
maxmindLicenseKey: "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"
defaultBackend:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- "cn-sh"
- "cn-hk"
- target:
kind: HelmRelease
name: crowdsec
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: crowdsec
spec:
values:
lapi:
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: cnpg17-cluster-hk-app
key: password
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- cn-hk
config:
config.yaml.local: |
db_config:
type: postgresql
host: cnpg17-cluster-hk-rw.infra-data
port: 5432
db_name: crowdsec
user: app
password: ${DB_PASSWORD}
sslmode: require
api:
server:
auto_registration:
enabled: true
token: "${REGISTRATION_TOKEN}"
allowed_ranges:
- "127.0.0.1/32"
- "192.168.0.0/16"
- "172.16.0.0/12"
- "10.0.0.0/8"
agent:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: loki
topologyKey: kubernetes.io/hostname
namespaceSelector: {}
appsec:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- cn-hk
- target:
kind: HelmRelease
name: tailscale-derp-hk
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: tailscale-derp-hk
spec:
values:
nodeSelector:
kubernetes.io/hostname: tchk
flux/clusters/dev-cm/patches/kube-system.yaml
+30
查看文件
@@ -0,0 +1,30 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: kube-system
spec:
patches:
- target:
kind: Deployment
name: "(coredns|local-path-provisioner|metrics-server)"
patch: |
apiVersion: apps/v1
kind: Deployment
metadata:
name: placeholder
spec:
template:
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: In
values:
- "true"
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
apps/infra/gitops/flux/flux-instance.yaml → flux/flux-instance.yaml
+7
查看文件
@@ -22,6 +22,13 @@ spec:
storage: storage:
class: "local-path" class: "local-path"
size: "10Gi" size: "10Gi"
sync:
kind: GitRepository
url: ssh://git@github.com/devcm-repo/k3s.git
ref: refs/heads/main
path: flux/clusters/dev-cm
pullSecret: flux-git-auth
name: flux
kustomize: kustomize:
patches: patches:
- target: - target:
flux/infrastructure/infra-data/helmrelease-barman-plugin.yaml
+19
查看文件
@@ -0,0 +1,19 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cloudnative-pg-plugin-barman
namespace: infra-data
spec:
interval: 30m
timeout: 15m
dependsOn:
- name: cloudnative-pg
chart:
spec:
chart: plugin-barman-cloud
version: 0.5.0
sourceRef:
kind: HelmRepository
name: cloudnative-pg
namespace: infra-gitops
interval: 12h
flux/infrastructure/infra-data/helmrelease-cloudnative-pg.yaml
+21
查看文件
@@ -0,0 +1,21 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cloudnative-pg
namespace: infra-data
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: cloudnative-pg
version: 0.27.1
sourceRef:
kind: HelmRepository
name: cloudnative-pg
namespace: infra-gitops
interval: 12h
install:
crds: CreateReplace
upgrade:
crds: CreateReplace
flux/infrastructure/infra-data/helmrelease-valkey-cluster.yaml
+23
查看文件
@@ -0,0 +1,23 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: valkey-cluster
namespace: infra-data
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: valkey-cluster
version: 3.0.23
sourceRef:
kind: HelmRepository
name: bitnami
namespace: infra-gitops
interval: 12h
values:
image:
repository: bitnamilegacy/valkey-cluster
cluster:
nodes: 1
replicas: 0
flux/infrastructure/infra-data/kustomization.yaml
+7
查看文件
@@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- helmrelease-cloudnative-pg.yaml
- helmrelease-barman-plugin.yaml
- helmrelease-valkey-cluster.yaml
apps/infra/net/namespaces.yaml → flux/infrastructure/infra-data/namespace.yaml
+1 -1
查看文件
@@ -1,4 +1,4 @@
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: infra-net name: infra-data
flux/infrastructure/infra-data/post/cnpg17-cluster.yaml
+42
查看文件
@@ -0,0 +1,42 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: cnpg17-cluster
namespace: infra-data
spec:
imageName: ghcr.io/cloudnative-pg/postgresql:17.4
enableSuperuserAccess: true
enablePDB: false
instances: 1
storage:
size: 10Gi
postgresql:
parameters:
archive_timeout: 30min
env:
- name: AWS_REQUEST_CHECKSUM_CALCULATION
value: when_required
- name: AWS_RESPONSE_CHECKSUM_VALIDATION
value: when_required
plugins:
- name: barman-cloud.cloudnative-pg.io
isWALArchiver: true
parameters:
barmanObjectName: cnpg17-objectstore-hw
serverName: cnpg17-cluster
---
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
name: cnpg17-cluster-backups
namespace: infra-data
spec:
schedule: "0 0 0 * * *"
immediate: true
backupOwnerReference: self
method: plugin
pluginConfiguration:
name: barman-cloud.cloudnative-pg.io
cluster:
name: cnpg17-cluster
apps/infra/data/cloudnative-pg/cnpg17-objectstore-hw.yaml → flux/infrastructure/infra-data/post/cnpg17-objectstore-hw.yaml
查看文件
flux/infrastructure/infra-data/post/databases.yaml
+43
查看文件
@@ -0,0 +1,43 @@
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-gitea
namespace: infra-data
spec:
name: gitea
owner: app
cluster:
name: cnpg17-cluster
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-grafana
namespace: infra-data
spec:
name: grafana
owner: app
cluster:
name: cnpg17-cluster
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-halo
namespace: infra-data
spec:
name: halo
owner: app
cluster:
name: cnpg17-cluster
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-crowdsec
namespace: infra-data
spec:
name: crowdsec
owner: app
cluster:
name: cnpg17-cluster
flux/infrastructure/infra-data/post/kustomization.yaml
+7
查看文件
@@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cnpg17-objectstore-hw.yaml
- cnpg17-cluster.yaml
- databases.yaml
- loadbalancer.yaml
flux/infrastructure/infra-data/post/loadbalancer.yaml
+14
查看文件
@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: cnpg17-cluster-lb
namespace: infra-data
spec:
selector:
cnpg.io/cluster: cnpg17-cluster
role: primary
ports:
- protocol: TCP
port: 5432
targetPort: 5432
type: LoadBalancer
flux/infrastructure/infra-data/reflector/kustomization.yaml
+4
查看文件
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- reflector-secret-annotations.yaml
flux/infrastructure/infra-data/reflector/reflector-secret-annotations.yaml
+25
查看文件
@@ -0,0 +1,25 @@
apiVersion: v1
kind: Secret
metadata:
name: cnpg17-cluster-app
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
kustomize.toolkit.fluxcd.io/ssa: Merge
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net,infra-gitops,infra-monitor"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net,infra-gitops,infra-monitor"
---
apiVersion: v1
kind: Secret
metadata:
name: valkey-cluster
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
kustomize.toolkit.fluxcd.io/ssa: Merge
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops"
flux/infrastructure/infra-devops/helmrelease-cert-manager-webhook-dnspod.yaml
+30
查看文件
@@ -0,0 +1,30 @@
# 安装后需要将clusterIssuer的cnameStrategy策略设置为Follow
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager-webhook-dnspod
namespace: infra-devops
spec:
interval: 30m
timeout: 15m
dependsOn:
- name: cert-manager
chart:
spec:
chart: cert-manager-webhook-dnspod
version: 1.5.2
sourceRef:
kind: HelmRepository
name: imroc
namespace: infra-gitops
interval: 12h
values:
image:
tag: "1.5.2"
namespace: infra-devops
certManager:
namespace: infra-devops
groupName: cert.dev.cm
# 此处关闭 选择手动创建 以支持cnameStrategy
clusterIssuer:
enabled: false
flux/infrastructure/infra-devops/helmrelease-cert-manager.yaml
+32
查看文件
@@ -0,0 +1,32 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
namespace: infra-devops
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: cert-manager
version: v1.19.3
sourceRef:
kind: HelmRepository
name: jetstack
namespace: infra-gitops
interval: 12h
install:
crds: CreateReplace
upgrade:
crds: CreateReplace
# 首次install时servicemonitor=false(CRD尚不存在)
# infra-monitor层部署后通过SSA patch开启
values:
crds:
enabled: true
keep: true
enableCertificateOwnerRef: true
prometheus:
enabled: true
servicemonitor:
enabled: false
flux/infrastructure/infra-devops/helmrelease-reflector.yaml
+18
查看文件
@@ -0,0 +1,18 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: reflector
namespace: infra-devops
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: reflector
version: 9.1.45
sourceRef:
kind: HelmRepository
name: emberstack
namespace: infra-gitops
interval: 12h
values: {}
flux/infrastructure/infra-devops/helmrelease-velero.yaml
+61
查看文件
@@ -0,0 +1,61 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: velero
namespace: infra-devops
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: velero
version: 11.3.2
sourceRef:
kind: HelmRepository
name: vmware-tanzu
namespace: infra-gitops
interval: 12h
values:
# 此处暂时切换关闭upgradeCRDs操作 待官方修复后再开启
upgradeCRDs: false
deployNodeAgent: true
snapshotsEnabled: false
configuration:
backupSyncPeriod: 1h0m0s
defaultRepoMaintainFrequency: 3h0m0s
repositoryMaintenanceJob:
repositoryConfigData:
global:
keepLatestMaintenanceJobs: 1
backupStorageLocation:
- name: devcm-hw
default: true
provider: aws
bucket: devcm
prefix: velero
config:
region: cn-east-3
s3ForcePathStyle: false
s3Url: https://obs.cn-east-3.myhuaweicloud.com
checksumAlgorithm: ""
extraEnvVars:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: s3-devcm-hw
key: ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: s3-devcm-hw
key: ACCESS_SECRET_KEY
credentials:
useSecret: false
initContainers:
- name: velero-plugin-for-aws
image: velero/velero-plugin-for-aws:v1.13.0
volumeMounts:
- mountPath: /target
name: plugins
nodeAgent:
enabled: true
flux/infrastructure/infra-devops/kustomization.yaml
+8
查看文件
@@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- helmrelease-cert-manager.yaml
- helmrelease-cert-manager-webhook-dnspod.yaml
- helmrelease-reflector.yaml
- helmrelease-velero.yaml
apps/infra/devops/namespaces.yaml → flux/infrastructure/infra-devops/namespace.yaml
查看文件
apps/infra/devops/cert-manager/clusterissuer-dnspod.yaml → flux/infrastructure/infra-devops/post/clusterissuer-dnspod.yaml
查看文件
flux/infrastructure/infra-devops/post/helmrelease-cert-manager-patch.yaml
+24
查看文件
@@ -0,0 +1,24 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
namespace: infra-devops
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
spec:
interval: 30m
chart:
spec:
chart: cert-manager
version: v1.19.3
sourceRef:
kind: HelmRepository
name: jetstack
namespace: infra-gitops
interval: 12h
values:
prometheus:
servicemonitor:
enabled: true
interval: 300s
prometheusInstance: kube-prometheus
flux/infrastructure/infra-devops/post/kustomization.yaml
+5
查看文件
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- clusterissuer-dnspod.yaml
- helmrelease-cert-manager-patch.yaml
apps/infra/gitops/gitea/configmap-actions-dind.yaml → flux/infrastructure/infra-gitops/configmap-actions-dind.yaml
查看文件
apps/infra/gitops/gitea/configmap-templates.yaml → flux/infrastructure/infra-gitops/configmap-templates.yaml
查看文件
apps/infra/gitops/gitea/helmchart.yaml → flux/infrastructure/infra-gitops/helmrelease-gitea.yaml
+20 -38
查看文件
@@ -1,36 +1,21 @@
apiVersion: helm.cattle.io/v1 apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmChart kind: HelmRelease
metadata: metadata:
name: gitea name: gitea
namespace: infra-gitops namespace: infra-gitops
spec: spec:
repo: https://dl.gitea.com/charts interval: 30m
chart: gitea timeout: 15m
targetNamespace: infra-gitops chart:
version: 12.5.0 spec:
valuesContent: |- chart: gitea
affinity: version: 12.5.0
podAffinity: sourceRef:
preferredDuringSchedulingIgnoredDuringExecution: kind: HelmRepository
- weight: 100 name: gitea
podAffinityTerm: namespace: infra-gitops
labelSelector: interval: 12h
matchLabels: values:
cnpg.io/cluster: cnpg17-cluster-sh
role: primary
app.kubernetes.io/name: redis
app.kubernetes.io/component: master
topologyKey: kubernetes.io/hostname
namespaceSelector: {}
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homea
redis-cluster: redis-cluster:
enabled: false enabled: false
postgresql-ha: postgresql-ha:
@@ -64,7 +49,7 @@ spec:
ROOT_URL: https://git.dev.cm/ ROOT_URL: https://git.dev.cm/
database: database:
DB_TYPE: postgres DB_TYPE: postgres
HOST: cnpg17-cluster-sh-rw.infra-data:5432 HOST: cnpg17-cluster-rw.infra-data:5432
NAME: gitea NAME: gitea
USER: app USER: app
SSL_MODE: disable SSL_MODE: disable
@@ -99,19 +84,19 @@ spec:
- name: GITEA__DATABASE__PASSWD - name: GITEA__DATABASE__PASSWD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: cnpg17-cluster-sh-app name: cnpg17-cluster-app
key: password key: password
- name: REDIS_PASSWORD - name: REDIS_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: valkey-cluster-sh name: valkey-cluster
key: valkey-password key: valkey-password
- name: GITEA__SESSION__PROVIDER_CONFIG - name: GITEA__SESSION__PROVIDER_CONFIG
value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s" value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
- name: GITEA__CACHE__HOST - name: GITEA__CACHE__HOST
value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s" value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
- name: GITEA__QUEUE__CONN_STR - name: GITEA__QUEUE__CONN_STR
value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s" value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
valkey-cluster: valkey-cluster:
enabled: false enabled: false
extraVolumes: extraVolumes:
@@ -125,6 +110,3 @@ spec:
- name: gitea-custom-templates-volume - name: gitea-custom-templates-volume
subPath: extra_links.tmpl subPath: extra_links.tmpl
mountPath: /data/gitea/templates/custom/extra_links.tmpl mountPath: /data/gitea/templates/custom/extra_links.tmpl
apps/infra/gitops/gitea/ingress-static.yaml → flux/infrastructure/infra-gitops/ingress-static-gitea.yaml
查看文件
flux/infrastructure/infra-gitops/kustomization.yaml
+9
查看文件
@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helmrelease-gitea.yaml
- configmap-templates.yaml
- configmap-actions-dind.yaml
- ingress-static-gitea.yaml
- loadbalancer-ssh.yaml
- networkpolicy-gitea.yaml
apps/infra/gitops/gitea/loadbalancer-ssh.yaml → flux/infrastructure/infra-gitops/loadbalancer-ssh.yaml
查看文件
apps/infra/gitops/gitea/networkpolicy.yaml → flux/infrastructure/infra-gitops/networkpolicy-gitea.yaml
查看文件
flux/infrastructure/infra-gitops/post/helmchartconfig-flux-web.yaml
+27
查看文件
@@ -0,0 +1,27 @@
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: flux-operator
namespace: infra-gitops
spec:
valuesContent: |-
web:
config:
baseURL: https://cd.dev.cm
authentication:
type: OAuth2
oauth2:
provider: OIDC
issuerURL: https://git.dev.cm
clientID: "${FLUX_WEB_OIDC_CLIENT_ID}"
clientSecret: "${FLUX_WEB_OIDC_CLIENT_SECRET}"
networkPolicy:
create: false
ingress:
enabled: true
className: nginx
hosts:
- host: cd.dev.cm
paths:
- path: /
pathType: Prefix
apps/infra/gitops/gitea/helmchart-actions.yaml → flux/infrastructure/infra-gitops/post/helmrelease-gitea-actions.yaml
+16 -14
查看文件
@@ -1,18 +1,25 @@
apiVersion: helm.cattle.io/v1 apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmChart kind: HelmRelease
metadata: metadata:
name: gitea-actions name: gitea-actions
namespace: infra-gitops namespace: infra-gitops
spec: spec:
repo: https://dl.gitea.com/charts interval: 30m
chart: actions timeout: 15m
targetNamespace: infra-gitops dependsOn:
version: 0.0.2 - name: gitea
valuesContent: |- chart:
spec:
chart: actions
version: 0.0.2
sourceRef:
kind: HelmRepository
name: gitea
namespace: infra-gitops
interval: 12h
values:
enabled: true enabled: true
statefulset: statefulset:
nodeSelector:
dev-cm-runner/enabled: "true"
actRunner: actRunner:
config: | config: |
log: log:
@@ -39,8 +46,3 @@ spec:
giteaRootURL: http://gitea-http.infra-gitops.svc.cluster.local:3000 giteaRootURL: http://gitea-http.infra-gitops.svc.cluster.local:3000
existingSecret: gitea-actions existingSecret: gitea-actions
existingSecretKey: token existingSecretKey: token
flux/infrastructure/infra-gitops/post/kustomization.yaml
+5
查看文件
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helmrelease-gitea-actions.yaml
- helmchartconfig-flux-web.yaml
apps/infra/monitor/loki/helmchart-loki.yaml → flux/infrastructure/infra-monitor/helmrelease-loki.yaml
+22 -24
查看文件
@@ -1,32 +1,33 @@
apiVersion: helm.cattle.io/v1 apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmChart kind: HelmRelease
metadata: metadata:
name: loki name: loki
namespace: infra-monitor namespace: infra-monitor
spec: spec:
repo: https://grafana.github.io/helm-charts interval: 30m
chart: loki timeout: 15m
targetNamespace: infra-monitor chart:
version: 6.53.0 spec:
valuesContent: |- chart: loki
version: 6.53.0
sourceRef:
kind: HelmRepository
name: grafana
namespace: infra-gitops
interval: 12h
values:
deploymentMode: SingleBinary deploymentMode: SingleBinary
gateway: gateway:
enabled: false enabled: false
lokiCanary: lokiCanary:
nodeSelector:
svccontroller.k3s.cattle.io/enablelb: "true"
extraArgs: extraArgs:
# 降低测试日志生成条数 # 降低测试日志生成条数
- -interval=30s - -interval=30s
- -labelname=service_name - -labelname=service_name
- -labelvalue=loki-canary - -labelvalue=loki-canary
resultsCache: resultsCache:
nodeSelector:
kubernetes.io/hostname: tce
allocatedMemory: 1024 allocatedMemory: 1024
chunksCache: chunksCache:
nodeSelector:
kubernetes.io/hostname: tce
allocatedMemory: 1024 allocatedMemory: 1024
loki: loki:
auth_enabled: false auth_enabled: false
@@ -37,24 +38,21 @@ spec:
max_query_series: 10000 max_query_series: 10000
volume_enabled: true volume_enabled: true
storage: storage:
type: 'filesystem' type: "filesystem"
schemaConfig: schemaConfig:
configs: configs:
- from: "2024-01-01" - from: "2024-01-01"
store: tsdb store: tsdb
index: index:
prefix: loki_index_ prefix: loki_index_
period: 24h period: 24h
object_store: filesystem object_store: filesystem
schema: v13 schema: v13
singleBinary: singleBinary:
replicas: 1 replicas: 1
nodeSelector:
kubernetes.io/hostname: tce
read: read:
replicas: 0 replicas: 0
backend: backend:
replicas: 0 replicas: 0
write: write:
replicas: 0 replicas: 0
apps/infra/monitor/prometheus/helmchart.yaml → flux/infrastructure/infra-monitor/helmrelease-prometheus.yaml
+22 -33
查看文件
@@ -1,14 +1,25 @@
apiVersion: helm.cattle.io/v1 apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmChart kind: HelmRelease
metadata: metadata:
name: prometheus name: prometheus
namespace: infra-monitor namespace: infra-monitor
spec: spec:
repo: https://prometheus-community.github.io/helm-charts interval: 30m
chart: kube-prometheus-stack timeout: 15m
targetNamespace: infra-monitor chart:
version: 81.6.5 spec:
valuesContent: |- chart: kube-prometheus-stack
version: 81.6.5
sourceRef:
kind: HelmRepository
name: prometheus-community
namespace: infra-gitops
interval: 12h
install:
crds: CreateReplace
upgrade:
crds: CreateReplace
values:
kubeControllerManager: kubeControllerManager:
enabled: false enabled: false
kubeScheduler: kubeScheduler:
@@ -18,26 +29,11 @@ spec:
kubeEtcd: kubeEtcd:
enabled: false enabled: false
prometheusOperator: prometheusOperator: {}
nodeSelector:
kubernetes.io/hostname: hwa
kube-state-metrics: kube-state-metrics: {}
nodeSelector:
kubernetes.io/hostname: hwa
grafana: grafana:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
cnpg.io/cluster: cnpg17-cluster-sh
role: primary
topologyKey: kubernetes.io/hostname
namespaceSelector: {}
ingress: ingress:
enabled: true enabled: true
ingressClassName: nginx ingressClassName: nginx
@@ -57,7 +53,7 @@ spec:
envValueFrom: envValueFrom:
GF_DATABASE_PASSWORD: GF_DATABASE_PASSWORD:
secretKeyRef: secretKeyRef:
name: cnpg17-cluster-sh-app name: cnpg17-cluster-app
key: password key: password
grafana.ini: grafana.ini:
server: server:
@@ -70,26 +66,22 @@ spec:
news_feed_enabled: false news_feed_enabled: false
database: database:
type: postgres type: postgres
host: cnpg17-cluster-sh-rw.infra-data:5432 host: cnpg17-cluster-rw.infra-data:5432
name: grafana name: grafana
user: app user: app
password: $__env{GF_DATABASE_PASSWORD} password: $__env{GF_DATABASE_PASSWORD}
persistence: persistence:
type: pvc type: pvc
enabled: true enabled: true
storageClassName: local-path
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
size: 10Gi size: 10Gi
prometheus: prometheus:
prometheusSpec: prometheusSpec:
nodeSelector:
kubernetes.io/hostname: hwa
storageSpec: storageSpec:
volumeClaimTemplate: volumeClaimTemplate:
spec: spec:
storageClassName: local-path
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
resources: resources:
@@ -110,12 +102,9 @@ spec:
alertmanager: alertmanager:
alertmanagerSpec: alertmanagerSpec:
nodeSelector:
kubernetes.io/hostname: hwa
storage: storage:
volumeClaimTemplate: volumeClaimTemplate:
spec: spec:
storageClassName: local-path
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
resources: resources:
apps/infra/monitor/prometheus/ingress-static.yaml → flux/infrastructure/infra-monitor/ingress-static-grafana.yaml
查看文件

某些文件未显示,因为此 diff 中更改的文件太多 显示更多