Compare commits

...

21 commits

73 files changed, 694 insertions and 304 deletions
+5 -1
@@ -6,5 +6,9 @@ S3_ACCESS_SECRET_KEY=placeholder
DNSPOD_SECRET_ID=placeholder
DNSPOD_SECRET_KEY=placeholder
# Gitea Actions Runner Token
# Gitea Actions Runner TokenGitea 启动后在 admin → Runners 生成)
GITEA_ACTIONS_TOKEN=placeholder
# Flux Operator Web OIDC 凭据(Gitea 启动后创建 OAuth2 应用获取,Redirect URI: https://cd.dev.cm/oauth2/callback
FLUX_WEB_OIDC_CLIENT_ID=placeholder
FLUX_WEB_OIDC_CLIENT_SECRET=placeholder
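Review bot: the comment on the `GITEA_ACTIONS_TOKEN` line has a closing `)` but no opening parenthesis, and the `FLUX_WEB_OIDC` comment below it opens one without closing it; fix both so each hint reads as one parenthetical. Since this template becomes the `flux-env` Secret via `--from-env-file` (per the flux README hunk), the header comment should also say that every variable in the file, not just these new ones, ends up in that Secret.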
+3
@@ -4,6 +4,9 @@ logs
# Secrets
.env
flux-git-auth
flux-git-auth.pub
known_hosts
# Editor directories and files
.vscode/*
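Review bot: ignoring `flux-git-auth` (the private key) is right, but `flux-git-auth.pub` and `known_hosts` are not secrets; committing them would let a reviewer compare the deploy key and the pinned github.com host key against what is actually in the cluster, instead of each operator regenerating `known_hosts` with an unverified `ssh-keyscan`.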
+13 -2
@@ -4,6 +4,17 @@
参见 [ansible/README.md](ansible/README.md)
#### apps 相关应用
#### 应用相关
参见 [apps/README.md](apps/README.md)
参见 [flux/README.md](flux/README.md)
`
ssh-keygen -t ed25519 -C "flux" -f ./flux-git-auth -N ""
ssh-keyscan github.com > ./known_hosts
kubectl -n infra-gitops create secret generic flux-git-auth \
--from-file=identity=./flux-git-auth \
--from-file=identity.pub=./flux-git-auth.pub \
--from-file=known_hosts=./known_hosts
`
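Review bot: `ssh-keyscan github.com > ./known_hosts` pins whatever host key the network returns at bootstrap time, so a spoofed response is trusted by Flux from then on; compare the scanned keys against GitHub's published SSH key fingerprints before running the `kubectl create secret` step, or commit a vetted `known_hosts`. Also, `-N ""` produces a passphrase-less key that sits unencrypted in the `flux-git-auth` Secret; register it on the GitHub repository as a read-only deploy key so that compromise of the Secret cannot push to the branch Flux syncs from.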
+1 -1
@@ -13,6 +13,7 @@ ha_server_url: "{{ lookup('env', 'HA_SERVER_URL') | default('', true) }}"
# K3s Server URL (优先使用 HA_SERVER_URL,否则动态使用 init 节点地址)
k3s_server_url: "{{ ha_server_url if (ha_server_url | length > 0) else '' }}"
k3s_version: "v1.34.2+k3s1"
tailscale_version: "1.96.4"
# ETCD 配置
etcd_snapshot_retention: 1
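Review bot: `tailscale_version: "1.96.4"` is consumed both as an apt version pin (`tailscale={{ tailscale_version }}` in the role) and as a regex via `is not search(...)` in the version check; apt needs the exact package version string, which may carry a distro revision, so confirm with `apt-cache madison tailscale` that the bare upstream version resolves, otherwise the install task fails on every run.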
@@ -44,4 +45,3 @@ registry_mirrors:
- "k8s.m.daocloud.io"
quay.io:
- "quay.m.daocloud.io"
+34
@@ -167,3 +167,37 @@
{{ nodes.stdout }}
══════════════════════════════════════════════════════════════
when: cluster_init | default(false)
# ============================================
# K3s 卸载 (需显式指定: --tags uninstall)
# ============================================
- name: Uninstall K3s agents
hosts: agents
gather_facts: false
tags: [uninstall, never]
tasks:
- name: Check agent uninstall script
ansible.builtin.stat:
path: /usr/local/bin/k3s-agent-uninstall.sh
register: agent_uninstall_script
- name: Run k3s-agent-uninstall.sh
ansible.builtin.command: /usr/local/bin/k3s-agent-uninstall.sh
when: agent_uninstall_script.stat.exists
changed_when: true
- name: Uninstall K3s masters
hosts: masters
gather_facts: false
serial: 1
tags: [uninstall, never]
tasks:
- name: Check server uninstall script
ansible.builtin.stat:
path: /usr/local/bin/k3s-uninstall.sh
register: server_uninstall_script
- name: Run k3s-uninstall.sh
ansible.builtin.command: /usr/local/bin/k3s-uninstall.sh
when: server_uninstall_script.stat.exists
changed_when: true
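Review bot: the uninstall plays are gated only by `tags: [uninstall, never]`, so a stray `--tags uninstall` tears down every node; require an explicit extra var as well (a `when: confirm_uninstall | default(false)` on both plays, or a `vars_prompt`). `serial: 1` on masters only orders the removal: with embedded etcd (this inventory sets `etcd_snapshot_retention`) each `k3s-uninstall.sh` deletes that server's data directory and no snapshot is taken first, so the play header should state that this is a full teardown without backup.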
+24 -1
@@ -37,6 +37,20 @@
failed_when: false
changed_when: false
- name: Check current Tailscale version
ansible.builtin.shell: tailscale version | head -1
register: common_tailscale_version
failed_when: false
changed_when: false
when: common_tailscale_check.rc == 0
- name: Set Tailscale install flag
ansible.builtin.set_fact:
tailscale_needs_install: "{{
common_tailscale_check.rc != 0 or
(common_tailscale_version.stdout | default('') is not search(tailscale_version))
}}"
- name: Download Tailscale install script
ansible.builtin.get_url:
url: https://tailscale.com/install.sh
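Review bot: `is not search(tailscale_version)` treats the version as a regular expression, so the dots match any character and "1.96.4" also matches "1.96.41" or "1.96.4x"; compare exact strings instead (for example `regex_escape` the version and anchor it, or compare the parsed version with `==`). A short comment that `common_tailscale_version` is skipped when the binary is absent, which is why `| default('')` is required, would save the next reader the puzzle.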
@@ -44,11 +58,20 @@
mode: "0755"
when: common_tailscale_check.rc != 0
- name: Install Tailscale
- name: Install Tailscale via install script
ansible.builtin.command: /tmp/tailscale-install.sh
when: common_tailscale_check.rc != 0
changed_when: true
- name: Install specific Tailscale version
ansible.builtin.apt:
name:
- "tailscale={{ tailscale_version }}"
- "tailscaled={{ tailscale_version }}"
state: present
allow_downgrade: true
when: tailscale_needs_install
- name: Remove Tailscale install script
ansible.builtin.file:
path: /tmp/tailscale-install.sh
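Review bot: `get_url` fetches https://tailscale.com/install.sh with no `checksum:` and the next task runs it as root, which is curl-pipe-bash with extra steps; either pin a `checksum: sha256:...` for the script or replace it with the documented apt repository setup (signing key plus sources list) so the only thing executed is the pinned package. Also, `allow_downgrade: true` means the play will actively roll a node back if someone upgraded tailscale by hand; if that is intended, say so in the task name, otherwise drop it.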
+1 -1
@@ -110,7 +110,7 @@
- name: Wait for K3s server ready
ansible.builtin.wait_for:
path: /var/lib/rancher/k3s/server/node-token
timeout: 120
timeout: 300
when: "'masters' in group_names"
# 保存 kubeconfig (仅 cluster-init)
+53 -190
@@ -1,6 +1,4 @@
# Flux GitOps 迁移指南
补充一份面向本地演练和远端平滑切换的执行清单,见 [TEST_MIGRATION_PLAN.md](TEST_MIGRATION_PLAN.md)。
# Flux GitOps
## 目录结构
@@ -13,9 +11,9 @@ flux/
│ ├── kube-system.yaml # CoreDNS / NodeLocalDNS
│ ├── infra-devops.yaml # cert-manager / reflector / velero
│ ├── infra-data.yaml # CNPG / Valkey
│ ├── infra-monitor.yaml # Loki / Prometheus
│ ├── infra-monitor.yaml # Loki / Prometheus (+ post: Promtail)
│ ├── infra-net.yaml # Nginx / CrowdSec / Tailscale
│ ├── infra-gitops.yaml # Gitea
│ ├── infra-gitops.yaml # Gitea (+ post: Gitea Actions / Flux Web)
│ └── apps.yaml # Halo / RustDesk / Fillcode / SinceAI
├── infrastructure/
│ ├── sources/ # 所有 HelmRepository 定义
@@ -23,208 +21,73 @@ flux/
│ ├── infra-devops/ # cert-manager, webhook-dnspod, reflector, velero
│ ├── infra-data/ # CNPG operator, Barman, PG集群, Valkey
│ ├── infra-net/ # ingress-nginx, CrowdSec, Tailscale DERP, 证书
├── infra-monitor/ # Loki, Promtail, Prometheus+Grafana
── infra-gitops/ # Gitea, Gitea Actions
│ └── post/ # CDN Ingress(依赖 apps,打破循环)
── infra-monitor/ # Loki, Prometheus+Grafana
│ │ └── post/ # Promtail(依赖 infra-net,打破循环)
│ └── infra-gitops/ # Gitea
│ └── post/ # Gitea Actions + flux-operator WebOIDC/Ingress
└── apps/ # Halo, RustDesk, Whoami, 证书, Ingress
```
## 依赖顺序
## 部署顺序
```
sources (HelmRepository)
├── kube-system (无依赖)
└── infra-devops (cert-manager → webhook-dnspod → ClusterIssuer, reflector, velero)
├── infra-data (CNPG operator → Barman plugin → PG集群 + ObjectStore, Valkey)
│ │
│ ├── infra-monitor (Loki → Promtail, Prometheus+Grafana→PG)
│ │ │
│ │ ├── infra-net (Nginx, 证书, CrowdSec→Loki+PG, Tailscale)
│ │ │
│ │ └── infra-gitops (Gitea→PG+Valkey, Gitea Actions→Gitea)
│ │
│ └───────┴── apps (Halo→PG, RustDesk, Whoami, 证书, Ingress)
sources → secrets → kube-system → infra-devops → infra-data → infra-data-post
→ infra-monitor → infra-net → infra-devops-post
→ infra-monitor-post (Promtail)
→ infra-gitops
→ apps
→ infra-net-post (CDN Ingress)
→ infra-gitops-post (suspend=true,需手工凭据)
```
## K3s 保留项
Kustomization 间通过 `dependsOn` + `wait: true` 串行等待,避免顺序错乱。
以下资源**继续由 K3s HelmChart 管理**,不迁移到 Flux
## 部署后手工步骤(infra-gitops-post
- `k3s/apps/infra/gitops/namespaces.yaml` — infra-gitops 命名空间
- `k3s/apps/infra/gitops/flux/helmchart.yaml` — flux-operator HelmChart
- `k3s/apps/infra/gitops/flux/flux-instance.yaml` — FluxInstance (含 sync 配置)
- `k3s/apps/infra/gitops/flux/networkpolicy.yaml` — flux-operator NetworkPolicy
- `k3s/apps/infra/gitops/flux/clusterrolebinding.yaml` — flux-web RBAC
`infra-gitops-post` 默认 `suspend: true`,因为它依赖两类只能在 Gitea 启动后获取的凭据:
## 迁移步骤
1. **Flux Operator Web 的 OIDC 客户端**
2. **Gitea Actions Runner Token**
### 1. 创建 Git 认证 Secret
步骤:
Flux 需要 HTTPS 凭据来访问 Gitea 仓库。在集群中创建 Secret:
1. 浏览器访问 `https://git.dev.cm`,首个注册账号自动成为 admin。
2. **创建 OAuth2 应用**
- Site Administration → Integrations → Applications → Create OAuth2 Application
- Redirect URI: `https://cd.dev.cm/oauth2/callback`
- 记录 Client ID 与 Client Secret。
3. **生成 Runner Token**
- Site Administration → Actions → Runners → Create new Runner → 复制 registration token。
4. 更新 `k3s/.env`
```bash
kubectl -n infra-gitops create secret generic flux-git-auth \
--from-literal=username=<GITEA_USERNAME> \
--from-literal=password=<GITEA_ACCESS_TOKEN>
```
```
FLUX_WEB_OIDC_CLIENT_ID=<step 2 client id>
FLUX_WEB_OIDC_CLIENT_SECRET=<step 2 client secret>
GITEA_ACTIONS_TOKEN=<step 3 token>
```
### 2. 确认仓库 URL
5. 重新注入 `flux-env` Secret 并协调:
检查 `k3s/apps/infra/gitops/flux/flux-instance.yaml` 中的 `sync.url` 字段,确保指向正确的 deploy 仓库地址。当前设置为:
```bash
kubectl -n infra-gitops create secret generic flux-env \
--from-env-file=k3s/.env \
--dry-run=client -o yaml | kubectl apply -f -
```yaml
sync:
url: https://git.dev.cm/devcm/deploy.git
```
flux reconcile kustomization secrets -n infra-gitops
flux resume kustomization infra-gitops-post -n infra-gitops
flux reconcile kustomization infra-gitops-post -n infra-gitops --with-source
```
如果组织名或仓库名不同,请修改。
6. 验证:
### 3. 提交并推送 Flux 清单
```bash
kubectl -n infra-gitops get helmrelease gitea-actions
kubectl -n infra-gitops get deploy flux-operator -o yaml | grep -A2 args # 看到 --web-*
curl -I https://cd.dev.cm # 走 Gitea OIDC
```
```bash
git add flux/
git add k3s/apps/infra/gitops/flux/flux-instance.yaml
git commit -m "feat: 迁移到 Flux GitOps 管理"
git push origin main
```
## 为何拆出 \*-post 层?
### 4. 应用更新后的 FluxInstance
FluxInstance 的 sync 配置更新后,K3s 会自动检测变更并重新应用。也可以手动触发:
```bash
kubectl apply -f k3s/apps/infra/gitops/flux/flux-instance.yaml
```
这会让 flux-operator 创建:
- `GitRepository/flux` — 监听 deploy 仓库
- `Kustomization/flux` — 应用 `flux/clusters/dev-cm/` 路径下的所有资源
### 5. 等待 Flux 完成同步
```bash
# 查看 GitRepository 状态
kubectl -n infra-gitops get gitrepository flux
# 查看所有 Kustomization 状态
kubectl -n infra-gitops get kustomization
# 查看所有 HelmRelease 状态
kubectl get helmrelease -A
# 实时查看 Flux 事件
kubectl -n infra-gitops get events --sort-by='.lastTimestamp' --watch
```
等待所有 Kustomization 和 HelmRelease 状态变为 `Ready`
### 6. 验证资源被 Flux 接管
对于每个已有的 Helm Release,Flux 会检测到已存在的资源并进行接管(adopt)。验证:
```bash
# 检查所有 HelmRelease 是否就绪
kubectl get helmrelease -A -o wide
# 检查某个具体的 release
kubectl -n infra-devops describe helmrelease cert-manager
```
### 7. 清理旧的 K3s HelmChart 资源
确认 Flux 已成功接管所有资源后,删除旧的 K3s HelmChart CR(不会影响已部署的应用):
```bash
# 列出所有 K3s HelmChart
kubectl get helmchart -A
# 逐个删除(保留 flux-operator
kubectl delete helmchart -n infra-devops cert-manager
kubectl delete helmchart -n infra-devops cert-manager-webhook-dnspod
kubectl delete helmchart -n infra-devops reflector
kubectl delete helmchart -n infra-devops velero
kubectl delete helmchart -n infra-data cloudnative-pg
kubectl delete helmchart -n infra-data cloudnative-pg-plugin-barman
kubectl delete helmchart -n infra-data valkey-cluster-sh
kubectl delete helmchart -n infra-net ingress-nginx
kubectl delete helmchart -n infra-net crowdsec
kubectl delete helmchart -n infra-net tailscale-derp-hk
kubectl delete helmchart -n infra-monitor loki
kubectl delete helmchart -n infra-monitor loki-promtail
kubectl delete helmchart -n infra-monitor prometheus
kubectl delete helmchart -n infra-gitops gitea
kubectl delete helmchart -n infra-gitops gitea-actions
kubectl delete helmchart -n apps fillcode-whoami
kubectl delete helmchart -n apps halo
kubectl delete helmchart -n apps rustdesk
```
> **注意**: K3s HelmChart 使用 `helm.cattle.io/v1` API。删除 HelmChart CR 默认**不会**卸载已部署的 Helm release。Flux 的 HelmRelease 会接管这些 release 的后续管理。
### 8. 清理旧的 K3s 清单文件
确认一切正常后,可以移除 `k3s/apps/` 中已迁移到 Flux 的文件(保留 flux 相关的):
```bash
# 保留以下文件(K3s 继续管理):
# k3s/apps/infra/gitops/namespaces.yaml
# k3s/apps/infra/gitops/flux/
# 其余文件可以删除或归档
```
## 资源映射表
| 原 K3s HelmChart | Flux HelmRelease | 命名空间 |
| ---------------------------- | ---------------------------- | ------------- |
| cert-manager | cert-manager | infra-devops |
| cert-manager-webhook-dnspod | cert-manager-webhook-dnspod | infra-devops |
| reflector | reflector | infra-devops |
| velero | velero | infra-devops |
| cloudnative-pg | cloudnative-pg | infra-data |
| cloudnative-pg-plugin-barman | cloudnative-pg-plugin-barman | infra-data |
| valkey-cluster-sh | valkey-cluster-sh | infra-data |
| ingress-nginx | ingress-nginx | infra-net |
| crowdsec | crowdsec | infra-net |
| tailscale-derp-hk | tailscale-derp-hk | infra-net |
| loki | loki | infra-monitor |
| loki-promtail | loki-promtail | infra-monitor |
| prometheus | prometheus | infra-monitor |
| gitea | gitea | infra-gitops |
| gitea-actions | gitea-actions | infra-gitops |
| fillcode-whoami | fillcode-whoami | apps |
| halo | halo | apps |
| rustdesk | rustdesk | apps |
## HelmRelease 内依赖关系
| HelmRelease | dependsOn |
| ---------------------------- | ------------------------------ |
| cert-manager-webhook-dnspod | cert-manager |
| cloudnative-pg-plugin-barman | cloudnative-pg |
| loki-promtail | loki |
| crowdsec | ingress-nginx, loki (cross-ns) |
| gitea-actions | gitea |
## 注意事项
1. **Helm Release 接管**: Flux 默认会检测与 HelmRelease 同名的已存在 Helm release。如果名称不匹配,需要在 `spec.releaseName` 中指定原始名称。
2. **CRD 管理**: cert-manager 和 kube-prometheus-stack 的 HelmRelease 配置了 `install.crds: CreateReplace``upgrade.crds: CreateReplace` 以确保 CRD 被正确管理。
3. **跨命名空间引用**: 所有 HelmRepository 位于 `infra-gitops` 命名空间。HelmRelease 通过 `sourceRef.namespace: infra-gitops` 跨命名空间引用。FluxInstance 配置为单租户模式 (`multitenant: false`),允许此行为。
4. **kube-system 资源**: `prune: false` 用于 kube-system Kustomization,防止 Flux 意外删除系统资源。
5. **Velero CRD**: Velero HelmRelease 保持 `upgradeCRDs: false`,与原始配置一致。
6. **敏感信息**: 以下 Secret 需要手动维护(不在 Git 中管理):
- `flux-git-auth` (Gitea 访问令牌)
- `dnspod-secret` (DNSPod API 凭据)
- `s3-devcm-hw` (华为云 OBS 凭据)
- `cnpg17-cluster-*-app` (PostgreSQL 密码, 由 CNPG 自动管理)
- `valkey-cluster-sh` (Valkey 密码)
- `gitea-actions` (Gitea Actions runner token)
- **`infra-monitor-post` (Promtail)**Promtail 依赖至少一个带 `devcm-log-collecting/enabled` 标签的 Podingress-nginx);而 `infra-net` 又依赖 `infra-monitor` 的 CRD。Promtail 放到 post 层并 `dependsOn: infra-net`,打破循环。
- **`infra-gitops-post` (Gitea Actions + Flux Web)**:凭据必须在 Gitea 启动后手工创建;放在 post 层并默认 suspend,避免阻塞 bootstrap。
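Review bot: three problems in the new post-bootstrap procedure. (1) Step 5's `flux resume kustomization infra-gitops-post` does not stick while `suspend: true` is committed in the Kustomization manifest; the parent `flux` Kustomization re-applies the file and re-suspends it, so the step must say to remove `suspend: true` from Git (or patch it off in the cluster overlay) once the credentials exist. (2) `kubectl create secret generic flux-env --from-env-file=k3s/.env` loads every variable in `.env`, including the S3 and DNSPod keys from the `.env.example` hunk, into a Secret whose only consumer is `substituteFrom` on infra-gitops-post; build it with `--from-literal` from just the two OIDC values and the runner token. (3) "首个注册账号自动成为 admin" implies self-registration is open on git.dev.cm; add a step to disable registration after the admin account exists, since this instance also issues the OIDC identities that log into cd.dev.cm. Finally, if the `flux-git-auth (Gitea 访问令牌)` entry under "敏感信息" survives in the new text, it now contradicts this same change, which turns `flux-git-auth` into an SSH deploy key for github.com.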
+4 -3
@@ -5,6 +5,7 @@ metadata:
namespace: apps
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: halo
@@ -17,7 +18,7 @@ spec:
values:
image:
repository: halohub/halo-pro
tag: 2.23.1
tag: 2.24.0
service:
type: ClusterIP
ingress:
@@ -47,11 +48,11 @@ spec:
enabled: false
externalDatabase:
platform: postgresql
host: cnpg17-cluster-hk-rw.infra-data
host: cnpg17-cluster-rw.infra-data
port: 5432
user: app
password: from-secret
database: halo
existingSecret: cnpg17-cluster-hk-app
existingSecret: cnpg17-cluster-app
haloUsername: rohow
haloExternalUrl: https://dev.cm
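Review bot: `password: from-secret` is left as a literal next to `existingSecret`; if the chart ignores `password` whenever `existingSecret` is set it is dead config and should go, and if it does not, the string "from-secret" becomes the actual password. A one-line comment settling which it is would help. Note also that the dev-cm overlay patch in this same change sets `host` and `existingSecret` back to the `-hk` names, so the generic values here are only defaults; say so in a comment so nobody "fixes" the overlay to match.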
+1
@@ -5,6 +5,7 @@ metadata:
namespace: apps
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: rustdesk-server
+1
@@ -5,6 +5,7 @@ metadata:
namespace: apps
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: whoami
+2 -1
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
@@ -12,6 +13,6 @@ spec:
path: ./flux/apps
prune: true
dependsOn:
- name: infra-data-post
- name: infra-data-reflector
- name: infra-net
- name: infra-gitops
+22
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
@@ -24,6 +25,7 @@ metadata:
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
@@ -34,3 +36,23 @@ spec:
wait: true
dependsOn:
- name: infra-data
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-data-reflector
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-data/reflector
prune: true
force: true
wait: true
dependsOn:
- name: infra-data-post
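Review bot: `force: true` is dangerous on `infra-data-reflector`. The only content under `./flux/infrastructure/infra-data/reflector` is the annotation-only Secret manifests that overlay Reflector annotations onto Secrets generated by CNPG and the Valkey chart; `force` tells Flux to delete and recreate an object whenever an apply hits an immutable-field conflict (Secret `type`, for instance), which would throw away the generated passwords. The `kustomize.toolkit.fluxcd.io/ssa: Merge` and `prune: disabled` annotations on those Secrets already give the merge you want, so drop `force: true` here (the new `infra-monitor-post` Kustomization sets it too and should not need it).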
+2
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
@@ -24,6 +25,7 @@ metadata:
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
+27 -1
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
@@ -13,5 +14,30 @@ spec:
prune: true
wait: true
dependsOn:
- name: infra-data-post
- name: infra-data-reflector
- name: infra-monitor
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-gitops-post
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
suspend: true
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-gitops/post
prune: true
wait: true
dependsOn:
- name: infra-gitops
- name: infra-net
postBuild:
substituteFrom:
- kind: Secret
name: flux-env
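Review bot: committing `suspend: true` means the resume documented in the README is reverted every time the parent `flux` Kustomization re-applies this manifest. Either leave the Kustomization unsuspended and let it fail and retry until `flux-env` exists (`retryInterval: 1m` with `wait: true` already handles that, and `dependsOn` keeps it from blocking anything), or document that `suspend` must be removed from Git after bootstrap. Also, `substituteFrom` exposes every key of `flux-env` to every manifest under `./flux/infrastructure/infra-gitops/post`, so keep that Secret limited to the variables this path actually uses rather than the whole `.env`.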
+23 -1
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
@@ -14,4 +15,25 @@ spec:
force: true
wait: true
dependsOn:
- name: infra-data-post
- name: infra-data-reflector
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-monitor-post
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-monitor/post
prune: true
force: true
wait: true
dependsOn:
- name: infra-monitor
- name: infra-net
+20
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
@@ -17,3 +18,22 @@ spec:
- name: infra-devops
- name: infra-devops-post
- name: infra-monitor
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-net-post
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-net/post
prune: true
wait: true
dependsOn:
- name: apps
+1
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
+1
@@ -7,6 +7,7 @@ metadata:
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
+1
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
retryInterval: 1m
sourceRef:
kind: GitRepository
@@ -23,7 +23,7 @@ spec:
isWALArchiver: true
parameters:
barmanObjectName: cnpg17-objectstore-hw
serverName: cnpg17-cluster-hk
serverName: cnpg17-cluster-hk-a
---
apiVersion: postgresql.cnpg.io/v1
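Review bot: changing `serverName` from `cnpg17-cluster-hk` to `cnpg17-cluster-hk-a` moves WAL archiving and base backups to a new prefix in `cnpg17-objectstore-hw`; the existing archive under the old name is no longer continued, a fresh base backup must be taken right after the change, and any restore across it needs the old `serverName` in the recovery source. The same applies to the `-sh` to `-sh-a` hunk below. A comment stating why the suffix was needed (presumably the operator refusing to archive into a destination that already holds another cluster's WAL) would keep the next person from "cleaning it up".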
@@ -23,7 +23,7 @@ spec:
isWALArchiver: true
parameters:
barmanObjectName: cnpg17-objectstore-hw
serverName: cnpg17-cluster-sh
serverName: cnpg17-cluster-sh-a
---
apiVersion: postgresql.cnpg.io/v1
@@ -0,0 +1,43 @@
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-sh-gitea
namespace: infra-data
spec:
name: gitea
owner: app
cluster:
name: cnpg17-cluster-sh
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-sh-grafana
namespace: infra-data
spec:
name: grafana
owner: app
cluster:
name: cnpg17-cluster-sh
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-hk-halo
namespace: infra-data
spec:
name: halo
owner: app
cluster:
name: cnpg17-cluster-hk
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-hk-crowdsec
namespace: infra-data
spec:
name: crowdsec
owner: app
cluster:
name: cnpg17-cluster-hk
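Review bot: all four Database objects use `owner: app`, the single CNPG-managed application role, and the matching `*-app` Secret is what gets reflected into the consumer namespaces, so Halo, CrowdSec, Gitea and Grafana share one credential with full rights on each other's databases. CNPG can create per-application roles through `spec.managed.roles` on the Cluster (each with its own `passwordSecret`), after which each Database sets `owner` to its own role and the Reflector annotations target those per-role Secrets instead. The same comment applies to the base `databases.yaml` added in this change.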
@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../infrastructure/infra-data/post/cnpg17-objectstore-hw.yaml
- cnpg17-cluster-hk.yaml
- cnpg17-cluster-sh.yaml
- databases.yaml
- loadbalancer-hk.yaml
- loadbalancer-sh.yaml
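Review bot: the `../../../infrastructure/infra-data/post/cnpg17-objectstore-hw.yaml` entry references a file outside the kustomization root. Flux's kustomize-controller builds with load restrictions disabled, so it works in-cluster, but a plain `kustomize build` (in CI, or anyone validating locally) rejects it unless run with `--load-restrictor LoadRestrictionsNone`. Referencing a directory outside the root is allowed, so the cleaner fix is to give the shared ObjectStore its own directory with a `kustomization.yaml` and list that directory here.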
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- reflector-secret-annotations.yaml
@@ -1,9 +1,3 @@
# 给CNPG和Valkey自动生成的secrets添加Reflector注解
# 通过SSA force合并注解到已有secrets 使其自动复制到消费方命名空间
#
# cnpg17-cluster-hk-app → apps (halo), infra-net (crowdsec)
# cnpg17-cluster-sh-app → infra-gitops (gitea), infra-monitor (grafana)
# valkey-cluster-sh → infra-gitops (gitea)
apiVersion: v1
kind: Secret
metadata:
@@ -11,6 +5,7 @@ metadata:
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
kustomize.toolkit.fluxcd.io/ssa: Merge
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
@@ -23,6 +18,7 @@ metadata:
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
kustomize.toolkit.fluxcd.io/ssa: Merge
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
@@ -35,6 +31,7 @@ metadata:
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
kustomize.toolkit.fluxcd.io/ssa: Merge
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
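Review bot: the deleted header comment was the only place documenting which Secret is reflected where (hk-app to apps and infra-net, sh-app to infra-gitops and infra-monitor, valkey to infra-gitops) and why a merge onto controller-owned Secrets is needed; the `kustomize.toolkit.fluxcd.io/ssa: Merge` annotation added in the same hunk is exactly what that comment explained. Keep the comment, updated to mention the annotation, rather than dropping it.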
+16
@@ -3,6 +3,10 @@ kind: Kustomization
resources:
- ../base
patches:
- target:
kind: Kustomization
name: kube-system
path: patches/kube-system.yaml
- target:
kind: Kustomization
name: infra-devops
@@ -15,6 +19,10 @@ patches:
kind: Kustomization
name: infra-data-post
path: patches/infra-data-post.yaml
- target:
kind: Kustomization
name: infra-data-reflector
path: patches/infra-data-reflector.yaml
- target:
kind: Kustomization
name: infra-net
@@ -23,10 +31,18 @@ patches:
kind: Kustomization
name: infra-monitor
path: patches/infra-monitor.yaml
- target:
kind: Kustomization
name: infra-monitor-post
path: patches/infra-monitor-post.yaml
- target:
kind: Kustomization
name: infra-gitops
path: patches/infra-gitops.yaml
- target:
kind: Kustomization
name: infra-gitops-post
path: patches/infra-gitops-post.yaml
- target:
kind: Kustomization
name: apps
+3
@@ -14,6 +14,9 @@ spec:
name: halo
spec:
values:
externalDatabase:
host: cnpg17-cluster-hk-rw.infra-data
existingSecret: cnpg17-cluster-hk-app
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
@@ -3,6 +3,7 @@ kind: Kustomization
metadata:
name: infra-data-post
spec:
path: ./flux/clusters/dev-cm/infra-data-post
patches:
- target:
kind: Cluster
@@ -0,0 +1,6 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-data-reflector
spec:
path: ./flux/clusters/dev-cm/infra-data-reflector
+3 -2
@@ -52,14 +52,15 @@ spec:
effect: "NoSchedule"
- target:
kind: HelmRelease
name: valkey-cluster-sh
name: valkey-cluster
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: valkey-cluster-sh
name: valkey-cluster
spec:
values:
fullnameOverride: valkey-cluster-sh
valkey:
nodeAffinityPreset:
type: hard
@@ -0,0 +1,19 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-gitops-post
spec:
patches:
- target:
kind: HelmRelease
name: gitea-actions
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gitea-actions
spec:
values:
statefulset:
nodeSelector:
dev-cm-runner/enabled: "true"
+21 -13
@@ -14,6 +14,27 @@ spec:
name: gitea
spec:
values:
gitea:
config:
database:
HOST: cnpg17-cluster-sh-rw.infra-data:5432
additionalConfigFromEnvs:
- name: GITEA__DATABASE__PASSWD
valueFrom:
secretKeyRef:
name: cnpg17-cluster-sh-app
key: password
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: valkey-cluster-sh
key: valkey-password
- name: GITEA__SESSION__PROVIDER_CONFIG
value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
- name: GITEA__CACHE__HOST
value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
- name: GITEA__QUEUE__CONN_STR
value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
@@ -36,16 +57,3 @@ spec:
operator: In
values:
- homea
- target:
kind: HelmRelease
name: gitea-actions
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gitea-actions
spec:
values:
statefulset:
nodeSelector:
dev-cm-runner/enabled: "true"
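Review bot: `additionalConfigFromEnvs` is a list inside `values`, and `values` on a HelmRelease is untyped JSON, so this patch replaces the whole list rather than merging entries by `name`; any entry in the base HelmRelease's `additionalConfigFromEnvs` that is not repeated here is silently dropped in dev-cm. Check that the base list (which already carries these four entries with the generic `cnpg17-cluster-app` and `valkey-cluster` names) contains nothing else, or restructure so the overlay only overrides scalar values such as `database.HOST`.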
@@ -0,0 +1,18 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-monitor-post
spec:
patches:
- target:
kind: HelmRelease
name: loki-promtail
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: loki-promtail
spec:
values:
nodeSelector:
svccontroller.k3s.cattle.io/enablelb: "true"
@@ -55,6 +55,14 @@ spec:
nodeSelector:
kubernetes.io/hostname: hwa
grafana:
envValueFrom:
GF_DATABASE_PASSWORD:
secretKeyRef:
name: cnpg17-cluster-sh-app
key: password
grafana.ini:
database:
host: cnpg17-cluster-sh-rw.infra-data:5432
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
+37 -11
@@ -48,6 +48,43 @@ spec:
name: crowdsec
spec:
values:
lapi:
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: cnpg17-cluster-hk-app
key: password
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- cn-hk
config:
config.yaml.local: |
db_config:
type: postgresql
host: cnpg17-cluster-hk-rw.infra-data
port: 5432
db_name: crowdsec
user: app
password: ${DB_PASSWORD}
sslmode: require
api:
server:
auto_registration:
enabled: true
token: "${REGISTRATION_TOKEN}"
allowed_ranges:
- "127.0.0.1/32"
- "192.168.0.0/16"
- "172.16.0.0/12"
- "10.0.0.0/8"
agent:
affinity:
podAffinity:
@@ -70,17 +107,6 @@ spec:
operator: In
values:
- cn-hk
lapi:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- cn-hk
- target:
kind: HelmRelease
name: tailscale-derp-hk
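Review bot: `${DB_PASSWORD}` and `${REGISTRATION_TOKEN}` are meant for CrowdSec's own env expansion at startup, but Flux post-build substitution uses the same `${VAR}` syntax; the infra-net Kustomization does not appear to set `postBuild` today, so they pass through, but the first time someone adds `substituteFrom` to infra-net these will be handled by Flux instead of CrowdSec. Annotate this HelmRelease with `kustomize.toolkit.fluxcd.io/substitute: disabled` now. `lapi.env` only defines `DB_PASSWORD`; if the chart supplies `REGISTRATION_TOKEN` itself, say so in a comment, otherwise it needs an entry here. Finally, `allowed_ranges` covers all of RFC 1918, so any pod in the cluster that learns the token can auto-register as an agent; the pod CIDR alone would be tighter. Using `sslmode: require` against `cnpg17-cluster-hk-rw.infra-data` is right.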
@@ -0,0 +1,30 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: kube-system
spec:
patches:
- target:
kind: Deployment
name: "(coredns|local-path-provisioner|metrics-server)"
patch: |
apiVersion: apps/v1
kind: Deployment
metadata:
name: placeholder
spec:
template:
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: In
values:
- "true"
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
+2 -2
@@ -22,13 +22,13 @@ spec:
storage:
class: "local-path"
size: "10Gi"
# Git 仓库同步配置 - 请将 url 替换为实际的 deploy 仓库地址
sync:
kind: GitRepository
url: https://git.dev.cm/devcm/deploy.git
url: ssh://git@github.com/devcm-repo/k3s.git
ref: refs/heads/main
path: flux/clusters/dev-cm
pullSecret: flux-git-auth
name: flux
kustomize:
patches:
- target:
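Review bot: the sync now tracks `refs/heads/main` on github.com over SSH with no commit verification; anyone who can push to that branch (or whoever holds the `flux-git-auth` key, if it is registered read-write) controls every namespace this instance reconciles, and `prune: true` on the child Kustomizations means deletions propagate too. Enable branch protection with required review on GitHub, register the key as a read-only deploy key, and require signed commits on the branch so that `verify` can be turned on for the GitRepository later. The `pullSecret` must contain `identity`, `identity.pub` and `known_hosts`, which matches the README hunk in this change.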
@@ -5,6 +5,7 @@ metadata:
namespace: infra-data
spec:
interval: 30m
timeout: 15m
dependsOn:
- name: cloudnative-pg
chart:
@@ -5,6 +5,7 @@ metadata:
namespace: infra-data
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: cloudnative-pg
@@ -1,10 +1,11 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: valkey-cluster-sh
name: valkey-cluster
namespace: infra-data
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: valkey-cluster
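Review bot: renaming the HelmRelease from `valkey-cluster-sh` to `valkey-cluster` changes the Helm release name as well, unless `spec.releaseName` is set; Flux will uninstall the old release and install a new one, recreating the StatefulSet and the chart-generated password Secret, so the Valkey password that Gitea reads through the reflected Secret changes under it. The dev-cm overlay's `fullnameOverride: valkey-cluster-sh` preserves the object names but not the release identity; add `releaseName: valkey-cluster-sh` in the overlay patch, or accept the recreate and say so in the commit message.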
@@ -0,0 +1,42 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: cnpg17-cluster
namespace: infra-data
spec:
imageName: ghcr.io/cloudnative-pg/postgresql:17.4
enableSuperuserAccess: true
enablePDB: false
instances: 1
storage:
size: 10Gi
postgresql:
parameters:
archive_timeout: 30min
env:
- name: AWS_REQUEST_CHECKSUM_CALCULATION
value: when_required
- name: AWS_RESPONSE_CHECKSUM_VALIDATION
value: when_required
plugins:
- name: barman-cloud.cloudnative-pg.io
isWALArchiver: true
parameters:
barmanObjectName: cnpg17-objectstore-hw
serverName: cnpg17-cluster
---
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
name: cnpg17-cluster-backups
namespace: infra-data
spec:
schedule: "0 0 0 * * *"
immediate: true
backupOwnerReference: self
method: plugin
pluginConfiguration:
name: barman-cloud.cloudnative-pg.io
cluster:
name: cnpg17-cluster
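Review bot: `enableSuperuserAccess: true` makes CNPG generate and keep a `postgres` superuser password Secret; nothing in this change consumes it (every consumer uses the `app` role), so leave it at the default `false` and enable it temporarily when a migration needs it. `instances: 1` with `enablePDB: false` is consistent, but it means any node drain takes the primary down; a comment saying this is a deliberate single-instance dev cluster would help. The `AWS_*_CHECKSUM_CALCULATION` / `VALIDATION` env vars are a workaround for non-AWS S3 endpoints; name the endpoint that needed it so the workaround can be removed later.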
@@ -0,0 +1,43 @@
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-gitea
namespace: infra-data
spec:
name: gitea
owner: app
cluster:
name: cnpg17-cluster
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-grafana
namespace: infra-data
spec:
name: grafana
owner: app
cluster:
name: cnpg17-cluster
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-halo
namespace: infra-data
spec:
name: halo
owner: app
cluster:
name: cnpg17-cluster
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-crowdsec
namespace: infra-data
spec:
name: crowdsec
owner: app
cluster:
name: cnpg17-cluster
@@ -2,8 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cnpg17-objectstore-hw.yaml
- cnpg17-cluster-hk.yaml
- cnpg17-cluster-sh.yaml
- loadbalancer-hk.yaml
- loadbalancer-sh.yaml
- reflector-secret-annotations.yaml
- cnpg17-cluster.yaml
- databases.yaml
- loadbalancer.yaml
@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: cnpg17-cluster-lb
namespace: infra-data
spec:
selector:
cnpg.io/cluster: cnpg17-cluster
role: primary
ports:
- protocol: TCP
port: 5432
targetPort: 5432
type: LoadBalancer
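Review bot: `type: LoadBalancer` publishes the Postgres primary on port 5432 on every node where k3s ServiceLB runs, with no `loadBalancerSourceRanges`, so the host firewall is all that stands between the internet and the database. If this Service exists for Tailscale or cross-cluster access, restrict the source ranges or bind it to the Tailscale interface. Also, CNPG's `role: primary` label is deprecated in favour of `cnpg.io/instanceRole: primary`; selecting on the new label avoids the Service silently matching no pods after an operator upgrade.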
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- reflector-secret-annotations.yaml
@@ -0,0 +1,25 @@
apiVersion: v1
kind: Secret
metadata:
name: cnpg17-cluster-app
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
kustomize.toolkit.fluxcd.io/ssa: Merge
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net,infra-gitops,infra-monitor"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net,infra-gitops,infra-monitor"
---
apiVersion: v1
kind: Secret
metadata:
name: valkey-cluster
namespace: infra-data
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
kustomize.toolkit.fluxcd.io/ssa: Merge
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops"
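Review bot: reflecting `cnpg17-cluster-app` into apps, infra-net, infra-gitops and infra-monitor means four namespaces each hold the one password that opens all four databases (see the shared `owner: app` in `databases.yaml`); with per-application roles each namespace would receive only its own role's Secret. The `prune: disabled` plus `ssa: Merge` pair is the right way to add annotations to a controller-owned Secret without Flux taking over its `data`; a short comment explaining that, like the one removed from the dev-cm copy, belongs here too.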
@@ -6,12 +6,13 @@ metadata:
namespace: infra-devops
spec:
interval: 30m
timeout: 15m
dependsOn:
- name: cert-manager
chart:
spec:
chart: cert-manager-webhook-dnspod
version: 1.4.5
version: 1.5.2
sourceRef:
kind: HelmRepository
name: imroc
@@ -5,6 +5,7 @@ metadata:
namespace: infra-devops
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: cert-manager
@@ -5,6 +5,7 @@ metadata:
namespace: infra-devops
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: reflector
@@ -5,6 +5,7 @@ metadata:
namespace: infra-devops
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: velero
@@ -57,4 +58,4 @@ spec:
- mountPath: /target
name: plugins
nodeAgent:
# 控制面板不启用 lb节点不启用
enabled: true
@@ -1,6 +1,3 @@
# 在prometheus-stack部署后 通过SSA patch cert-manager开启ServiceMonitor
# cert-manager初始安装时servicemonitor.enabled=false(CRD尚不存在)
# infra-monitor层部署时CRD已就绪 此patch合并到已有HelmRelease
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
@@ -9,6 +6,16 @@ metadata:
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
spec:
interval: 30m
chart:
spec:
chart: cert-manager
version: v1.19.3
sourceRef:
kind: HelmRepository
name: jetstack
namespace: infra-gitops
interval: 12h
values:
prometheus:
servicemonitor:
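Review bot: the removed comment explained the whole trick (cert-manager installs with `servicemonitor.enabled=false` because the Prometheus CRDs do not exist yet; this manifest re-applies the HelmRelease from infra-monitor to flip it on). Replacing the partial manifest with a complete `chart` spec means `chart: cert-manager`, `version: v1.19.3` and `sourceRef` now live in two Kustomizations that both apply the same object; the next version bump in infra-devops is overwritten by this copy on the next reconcile, and vice versa, so the two flap. If the expansion was needed because the HelmRelease CRD rejects a spec without `chart`, the two copies still have to be kept identical; a single base that both Kustomizations reference would remove the duplication. Restore the comment in any case.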
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: gitea
@@ -48,7 +49,7 @@ spec:
ROOT_URL: https://git.dev.cm/
database:
DB_TYPE: postgres
HOST: cnpg17-cluster-sh-rw.infra-data:5432
HOST: cnpg17-cluster-rw.infra-data:5432
NAME: gitea
USER: app
SSL_MODE: disable
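Review bot: `SSL_MODE: disable` (context line) means Gitea's connection to `cnpg17-cluster-rw.infra-data` crosses namespaces in plaintext, while the CrowdSec patch in this same change uses `sslmode: require` against the same cluster. CNPG serves TLS on the `-rw` Service by default, so set `SSL_MODE: require` here as well, or `verify-full` with the cluster CA if the chart lets you mount it.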
@@ -83,19 +84,19 @@ spec:
- name: GITEA__DATABASE__PASSWD
valueFrom:
secretKeyRef:
name: cnpg17-cluster-sh-app
name: cnpg17-cluster-app
key: password
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: valkey-cluster-sh
name: valkey-cluster
key: valkey-password
- name: GITEA__SESSION__PROVIDER_CONFIG
value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
- name: GITEA__CACHE__HOST
value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
- name: GITEA__QUEUE__CONN_STR
value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
valkey-cluster:
enabled: false
extraVolumes:
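Review bot: the identical string `redis://:$(REDIS_PASSWORD)@valkey-cluster-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s` is now repeated for `GITEA__SESSION__PROVIDER_CONFIG`, `GITEA__CACHE__HOST` and `GITEA__QUEUE__CONN_STR`, and this rename had to touch all three. Define it once (one extra env entry expanded with `$(...)` in the three settings, or a YAML anchor in the values) so the next host change is a single edit. Note the `$(REDIS_PASSWORD)` expansion only works because `REDIS_PASSWORD` is declared earlier in the same `env` list; keep that ordering if the entries are reorganised.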
@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helmrelease-gitea.yaml
- helmrelease-gitea-actions.yaml
- configmap-templates.yaml
- configmap-actions-dind.yaml
- ingress-static-gitea.yaml
@@ -0,0 +1,27 @@
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: flux-operator
namespace: infra-gitops
spec:
valuesContent: |-
web:
config:
baseURL: https://cd.dev.cm
authentication:
type: OAuth2
oauth2:
provider: OIDC
issuerURL: https://git.dev.cm
clientID: "${FLUX_WEB_OIDC_CLIENT_ID}"
clientSecret: "${FLUX_WEB_OIDC_CLIENT_SECRET}"
networkPolicy:
create: false
ingress:
enabled: true
className: nginx
hosts:
- host: cd.dev.cm
paths:
- path: /
pathType: Prefix
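Review bot: `clientSecret: "${FLUX_WEB_OIDC_CLIENT_SECRET}"` is substituted into `valuesContent`, so after Flux renders it the OAuth2 client secret is stored in plaintext in a HelmChartConfig object, readable by anyone with `get` on `helmchartconfigs` in `infra-gitops`, and again in the Helm release secret. If the flux-operator chart supports referencing an existing Secret for the OIDC credentials, prefer that; otherwise tighten RBAC on this resource type. Two further points: a k3s HelmChartConfig only takes effect when its `name` and `namespace` match the HelmChart object exactly, and the HelmChart's metadata is not in this diff, so verify the target really is `flux-operator` in `infra-gitops`; and `networkPolicy.create: false` turns off the chart's own isolation for a component holding cluster-wide reconcile rights, which deserves a comment saying where (if anywhere) a replacement policy lives.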
@@ -5,6 +5,7 @@ metadata:
namespace: infra-gitops
spec:
interval: 30m
timeout: 15m
dependsOn:
- name: gitea
chart:
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helmrelease-gitea-actions.yaml
- helmchartconfig-flux-web.yaml
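Review bot: `helmchartconfig-flux-web.yaml` relies on `${FLUX_WEB_OIDC_CLIENT_ID}` / `${FLUX_WEB_OIDC_CLIENT_SECRET}` being filled in, so the Flux Kustomization that points at this `post` directory needs `postBuild.substituteFrom` referencing a Secret that carries both keys. That Kustomization is not part of this change; without it the variables are rendered empty (or, with strict substitution enabled, the reconcile fails) and the web UI ends up with a broken OIDC client. Worth stating the dependency in a comment here, next to the resource list.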
@@ -5,6 +5,7 @@ metadata:
namespace: infra-monitor
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: loki
@@ -5,6 +5,7 @@ metadata:
namespace: infra-monitor
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: kube-prometheus-stack
@@ -52,7 +53,7 @@ spec:
envValueFrom:
GF_DATABASE_PASSWORD:
secretKeyRef:
name: cnpg17-cluster-sh-app
name: cnpg17-cluster-app
key: password
grafana.ini:
server:
@@ -65,7 +66,7 @@ spec:
news_feed_enabled: false
database:
type: postgres
host: cnpg17-cluster-sh-rw.infra-data:5432
host: cnpg17-cluster-rw.infra-data:5432
name: grafana
user: app
password: $__env{GF_DATABASE_PASSWORD}
@@ -3,6 +3,5 @@ kind: Kustomization
resources:
- namespace.yaml
- helmrelease-loki.yaml
- helmrelease-promtail.yaml
- helmrelease-prometheus.yaml
- ingress-static-grafana.yaml
@@ -5,6 +5,7 @@ metadata:
namespace: infra-monitor
spec:
interval: 30m
timeout: 15m
dependsOn:
- name: loki
chart:
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helmrelease-promtail.yaml
@@ -5,6 +5,7 @@ metadata:
namespace: infra-net
spec:
interval: 30m
timeout: 15m
dependsOn:
- name: ingress-nginx
- name: loki
@@ -77,14 +78,14 @@ spec:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: cnpg17-cluster-hk-app
name: cnpg17-cluster-app
key: password
config:
# api config.yaml配置
config.yaml.local: |
db_config:
type: postgresql
host: cnpg17-cluster-hk-rw.infra-data
host: cnpg17-cluster-rw.infra-data
port: 5432
db_name: crowdsec
user: app
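Review bot: after the rename, Gitea (`cnpg17-cluster-app`, database `gitea`), Grafana (`cnpg17-cluster-app`, database `grafana`) and CrowdSec here (database `crowdsec`) all authenticate as the same `app` role against the same `cnpg17-cluster-rw.infra-data` instance. Any one of these workloads reading its own secret can therefore connect to the other two databases, so a compromise of the CrowdSec LAPI or Grafana exposes Gitea's data. Give each application its own role and password Secret (CloudNativePG `spec.managed.roles` creates them declaratively) and make each role owner of only its database.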
@@ -5,6 +5,7 @@ metadata:
namespace: infra-net
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: ingress-nginx
@@ -5,6 +5,7 @@ metadata:
namespace: infra-net
spec:
interval: 30m
timeout: 15m
chart:
spec:
chart: tailscale-derp
@@ -5,6 +5,5 @@ resources:
- helmrelease-ingress-nginx.yaml
- configmap-static.yaml
- certificate-dev-cm.yaml
- ingress-cdn.yaml
- helmrelease-crowdsec.yaml
- helmrelease-tailscale-derp.yaml
@@ -1,4 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
- ingress-cdn.yaml
@@ -5,7 +5,7 @@ metadata:
name: jetstack
namespace: infra-gitops
spec:
interval: 24h
interval: 168h
url: https://charts.jetstack.io
---
# cert-manager-webhook-dnspod (OCI)
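Review bot: raising every HelmRepository `interval` from 24h to 168h means a newly published chart version is only noticed up to a week later. That is harmless while each HelmRelease pins an exact version (as `version: v1.19.3` for cert-manager does), but any HelmRelease using a semver range will pick up security releases a week late, and `flux reconcile source helm <name>` becomes the only timely path. Record that assumption in a comment at the top of this file so a future range-based HelmRelease does not silently inherit a week of lag.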
@@ -15,9 +15,8 @@ metadata:
name: imroc
namespace: infra-gitops
spec:
interval: 24h
type: oci
url: oci://registry-1.docker.io/imroc
interval: 168h
url: https://imroc.github.io/cert-manager-webhook-dnspod
---
# reflector
apiVersion: source.toolkit.fluxcd.io/v1
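Review bot: the comment `# cert-manager-webhook-dnspod (OCI)` directly above this hunk is now wrong: `type: oci` and `oci://registry-1.docker.io/imroc` are gone and the source is the HTTPS index at `https://imroc.github.io/cert-manager-webhook-dnspod`. Update the comment, and confirm that the chart version referenced by the consuming HelmRelease exists under the same name in the new index, since tag and index version naming do not always match between an OCI push and a GitHub Pages repo.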
@@ -26,7 +25,7 @@ metadata:
name: emberstack
namespace: infra-gitops
spec:
interval: 24h
interval: 168h
url: https://emberstack.github.io/helm-charts
---
# velero
@@ -36,7 +35,7 @@ metadata:
name: vmware-tanzu
namespace: infra-gitops
spec:
interval: 24h
interval: 168h
url: https://vmware-tanzu.github.io/helm-charts
---
# cloudnative-pg, plugin-barman-cloud
@@ -46,7 +45,7 @@ metadata:
name: cloudnative-pg
namespace: infra-gitops
spec:
interval: 24h
interval: 168h
url: https://cloudnative-pg.github.io/charts
---
# valkey-cluster (OCI)
@@ -56,9 +55,9 @@ metadata:
name: bitnami
namespace: infra-gitops
spec:
interval: 24h
interval: 168h
type: oci
url: oci://registry-1.docker.io/bitnamicharts
url: oci://docker.m.daocloud.io/bitnamicharts
---
# ingress-nginx
apiVersion: source.toolkit.fluxcd.io/v1
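Review bot: switching the bitnami source to `oci://docker.m.daocloud.io/bitnamicharts` puts a third-party mirror in the supply chain for the valkey-cluster chart, and nothing in this hunk constrains what the mirror may serve. Pin the consuming HelmRelease to an exact chart version and enable `chart.spec.verify` with `provider: cosign` so a tampered or stale mirror copy is rejected rather than installed; Bitnami publishes cosign signatures for its OCI charts, provided the mirror also carries the signature artifacts. If verification is not possible through the mirror, note that trade-off in the comment above.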
@@ -67,7 +66,7 @@ metadata:
name: ingress-nginx
namespace: infra-gitops
spec:
interval: 24h
interval: 168h
url: https://kubernetes.github.io/ingress-nginx
---
# crowdsec
@@ -77,7 +76,7 @@ metadata:
name: crowdsec
namespace: infra-gitops
spec:
interval: 24h
interval: 168h
url: https://crowdsecurity.github.io/helm-charts
---
# tailscale-derp, rustdesk-server
@@ -87,7 +86,7 @@ metadata:
name: devcm-repo
namespace: infra-gitops
spec:
interval: 24h
interval: 168h
url: https://devcm-repo.github.io/helm-charts
---
# loki, promtail
@@ -97,7 +96,7 @@ metadata:
name: grafana
namespace: infra-gitops
spec:
interval: 24h
interval: 168h
url: https://grafana.github.io/helm-charts
---
# kube-prometheus-stack
@@ -107,7 +106,7 @@ metadata:
name: prometheus-community
namespace: infra-gitops
spec:
interval: 24h
interval: 168h
url: https://prometheus-community.github.io/helm-charts
---
# gitea, gitea-actions
@@ -117,7 +116,7 @@ metadata:
name: gitea
namespace: infra-gitops
spec:
interval: 24h
interval: 168h
url: https://dl.gitea.com/charts
---
# whoami
@@ -127,7 +126,7 @@ metadata:
name: cowboysysop
namespace: infra-gitops
spec:
interval: 24h
interval: 168h
url: https://cowboysysop.github.io/charts/
---
# halo
@@ -137,5 +136,5 @@ metadata:
name: halo
namespace: infra-gitops
spec:
interval: 24h
interval: 168h
url: https://halo-sigs.github.io/charts/
+4 -24
View file
@@ -6,7 +6,7 @@ metadata:
spec:
chart: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator
targetNamespace: infra-gitops
version: 0.40.0
version: 0.46.0
valuesContent: |-
affinity:
nodeAffinity:
@@ -19,26 +19,6 @@ spec:
values:
- homea
installCRDs: true
web:
config:
baseURL: https://cd.dev.cm
authentication:
type: OAuth2
oauth2:
provider: OIDC
issuerURL: https://git.dev.cm
clientID: "94b1ec99-55c4-4621-89c3-f49d8b7d5603"
clientSecret: "gto_5fmpkf6h7zohbpesnxfuvjvppinunayv7mfcyo2wmuzqtuj3ig2a"
networkPolicy:
create: false
ingress:
enabled: true
className: nginx
hosts:
- host: cd.dev.cm
paths:
- path: /
pathType: Prefix
# 注意:flux-operator 的 web 配置(OIDC + Ingress)依赖 Gitea 与 ingress-nginx,
# 由 Flux Kustomization `infra-gitops-post` 通过 k3s HelmChartConfig 在 Gitea 起来后叠加注入。
# 详见 flux/infrastructure/infra-gitops/post/helmchartconfig-flux-web.yaml
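Review bot: the removed `clientID: "94b1ec99-…"` and `clientSecret: "gto_5fmp…"` remain in this repository's git history; replacing them with `${FLUX_WEB_OIDC_CLIENT_SECRET}` does not revoke them. Delete that OAuth2 application in Gitea, create a new one, and only then populate the placeholder from `.env`. Separately, the flux-operator bump from `0.40.0` to `0.46.0` rides in the same change as the secret removal and the web-config move; keeping a version bump in its own commit makes rolling back the OIDC relocation possible without also downgrading the operator.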
+4
View file
@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: infra-gitops
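Review bot: the new `infra-gitops` Namespace carries no `pod-security.kubernetes.io/enforce` label. Since it hosts flux-operator and the Flux web UI with cluster-wide reconcile rights, set at least `baseline` (or `restricted` if the operator's pods comply) here so Pod Security Admission enforces a floor for everything Flux applies into this namespace.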