chore(charts): remove k3s platform chart

Haitao Pan 2026-04-04 08:09:29 +08:00
parent eb7f01e0ac
commit 54edf1d219
14 changed files with 0 additions and 607 deletions


@ -6,7 +6,6 @@ on:
- main - main
paths: paths:
- "oci/charts/apps/app-service/**" - "oci/charts/apps/app-service/**"
- "oci/charts/infra/platform/k3s/**"
- "oci/charts/postgresql/**" - "oci/charts/postgresql/**"
- "oci/charts/observability/**" - "oci/charts/observability/**"
- ".github/workflows/release-oci-charts.yml" - ".github/workflows/release-oci-charts.yml"
@ -40,7 +39,6 @@ jobs:
set -euo pipefail set -euo pipefail
charts=( charts=(
"oci/charts/apps/app-service" "oci/charts/apps/app-service"
"oci/charts/infra/platform/k3s"
"oci/charts/postgresql" "oci/charts/postgresql"
"oci/charts/observability" "oci/charts/observability"
) )
@ -54,7 +52,6 @@ jobs:
mkdir -p dist mkdir -p dist
charts=( charts=(
"oci/charts/apps/app-service" "oci/charts/apps/app-service"
"oci/charts/infra/platform/k3s"
"oci/charts/postgresql" "oci/charts/postgresql"
"oci/charts/observability" "oci/charts/observability"
) )


@ -5,7 +5,6 @@ This repository stores reusable Helm charts published to `ghcr.io/x-evor`.
## Layout ## Layout
- `apps/app-service`: reusable runtime chart for application services - `apps/app-service`: reusable runtime chart for application services
- `infra/platform/k3s`: platform composition chart for `caddy`, `apisix`, `external-dns`, `external-secrets`, and `vault`
- `postgresql`: PostgreSQL service chart with optional `stunnel` server/client - `postgresql`: PostgreSQL service chart with optional `stunnel` server/client
- `observability`: observability composition chart for server and agent components - `observability`: observability composition chart for server and agent components


@ -1,6 +0,0 @@
apiVersion: v2
name: k3s-platform-chart
description: Composes Flux-managed platform components for the k3s platform
type: application
version: 0.1.9
appVersion: "1.0.0"


@ -1,44 +0,0 @@
{{- if .Values.components.apisix.enabled }}
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: {{ .Values.components.apisix.releaseName }}
namespace: {{ .Values.namespaces.platform }}
spec:
interval: 10m0s
releaseName: {{ .Values.components.apisix.releaseName }}
chart:
spec:
chart: {{ .Values.components.apisix.chart.name }}
version: {{ .Values.components.apisix.chart.version | quote }}
sourceRef:
kind: {{ .Values.components.apisix.sourceRef.kind }}
name: {{ .Values.components.apisix.sourceRef.name }}
namespace: {{ .Values.components.apisix.sourceRef.namespace }}
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
postRenderers:
- kustomize:
patches:
- target:
group: apps
version: v1
kind: Deployment
name: {{ .Values.components.apisix.releaseName }}
patch: |
- op: replace
path: /spec/template/spec/containers/0/command
value:
- sh
- -c
- |
export APISIX_STAND_ALONE=true
ln -sf /apisix-config/apisix.yaml /usr/local/apisix/conf/apisix.yaml
exec /docker-entrypoint.sh docker-start
values:
{{- toYaml .Values.components.apisix.values | nindent 4 }}
{{- end }}


@ -1,30 +0,0 @@
{{- if .Values.apisixIngress.enabled }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .Values.apisixIngress.name }}
namespace: {{ .Values.apisixIngress.namespace }}
{{- with .Values.apisixIngress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.apisixIngress.className }}
tls:
- hosts:
{{- toYaml .Values.apisixIngress.tls.hosts | nindent 8 }}
secretName: {{ .Values.apisixIngress.tls.secretName }}
rules:
{{- range .Values.apisixIngress.hosts }}
- host: {{ .host }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: {{ .serviceName }}
port:
number: {{ .servicePort }}
{{- end }}
{{- end }}


@ -1,27 +0,0 @@
{{- if .Values.components.caddy.enabled }}
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: {{ .Values.components.caddy.releaseName }}
namespace: {{ .Values.namespaces.platform }}
spec:
interval: 10m0s
releaseName: {{ .Values.components.caddy.releaseName }}
chart:
spec:
chart: {{ .Values.components.caddy.chart.name }}
version: {{ .Values.components.caddy.chart.version | quote }}
sourceRef:
kind: {{ .Values.components.caddy.sourceRef.kind }}
name: {{ .Values.components.caddy.sourceRef.name }}
namespace: {{ .Values.components.caddy.sourceRef.namespace }}
install:
createNamespace: false
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
{{- toYaml .Values.components.caddy.values | nindent 4 }}
{{- end }}


@ -1,19 +0,0 @@
{{- if .Values.components.externalSecretsStore.enabled }}
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
name: {{ .Values.components.externalSecretsStore.name }}
spec:
provider:
vault:
server: {{ .Values.components.externalSecretsStore.vault.server }}
path: {{ .Values.components.externalSecretsStore.vault.path }}
version: {{ .Values.components.externalSecretsStore.vault.version }}
auth:
kubernetes:
mountPath: {{ .Values.components.externalSecretsStore.vault.auth.kubernetes.mountPath }}
role: {{ .Values.components.externalSecretsStore.vault.auth.kubernetes.role }}
serviceAccountRef:
name: {{ .Values.components.externalSecretsStore.vault.auth.kubernetes.serviceAccountRef.name }}
namespace: {{ .Values.components.externalSecretsStore.vault.auth.kubernetes.serviceAccountRef.namespace }}
{{- end }}


@ -1,46 +0,0 @@
{{- if .Values.components.externalDns.enabled }}
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: {{ .Values.components.externalDns.secret.name }}
namespace: {{ .Values.namespaces.platform }}
spec:
refreshInterval: {{ .Values.components.externalDns.secret.refreshInterval }}
secretStoreRef:
kind: {{ .Values.components.externalDns.secret.secretStoreRef.kind }}
name: {{ .Values.components.externalDns.secret.secretStoreRef.name }}
target:
name: {{ .Values.components.externalDns.secret.target.name }}
creationPolicy: {{ .Values.components.externalDns.secret.target.creationPolicy }}
data:
- secretKey: {{ .Values.components.externalDns.secret.data.secretKey }}
remoteRef:
key: {{ .Values.components.externalDns.secret.data.remoteRef.key }}
property: {{ .Values.components.externalDns.secret.data.remoteRef.property }}
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: {{ .Values.components.externalDns.releaseName }}
namespace: {{ .Values.namespaces.platform }}
spec:
interval: 10m0s
releaseName: {{ .Values.components.externalDns.releaseName }}
chart:
spec:
chart: {{ .Values.components.externalDns.chart.name }}
version: {{ .Values.components.externalDns.chart.version | quote }}
sourceRef:
kind: {{ .Values.components.externalDns.sourceRef.kind }}
name: {{ .Values.components.externalDns.sourceRef.name }}
namespace: {{ .Values.components.externalDns.sourceRef.namespace }}
install:
createNamespace: false
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
{{- toYaml .Values.components.externalDns.values | nindent 4 }}
{{- end }}


@ -1,4 +0,0 @@
{{- range .Values.extraObjects }}
---
{{ toYaml . }}
{{- end }}


@ -1,39 +0,0 @@
{{- with .Values.components.postgresqlTlsIngress }}
apiVersion: v1
kind: Service
metadata:
name: {{ .serviceName }}
namespace: {{ .namespace }}
spec:
type: ClusterIP
ports:
- port: {{ .servicePort }}
targetPort: {{ .servicePort }}
protocol: TCP
name: http
selector:
app.kubernetes.io/name: {{ .serviceName }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .name }}
namespace: {{ .namespace }}
spec:
ingressClassName: {{ .className }}
tls:
- hosts:
- {{ .host }}
secretName: {{ .secretName }}
rules:
- host: {{ .host }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: {{ .serviceName }}
port:
number: {{ .servicePort }}
{{- end }}


@ -1,83 +0,0 @@
{{- with .Values.components.sharedTlsSecretSync }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .name }}
namespace: {{ $.Values.namespaces.platform }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ .name }}-source
namespace: {{ .sourceNamespace }}
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["{{ .sourceSecretName }}"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ .name }}-target
namespace: {{ .targetNamespace }}
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["{{ .targetSecretName }}"]
verbs: ["get", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .name }}-source
namespace: {{ .sourceNamespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .name }}-source
subjects:
- kind: ServiceAccount
name: {{ .name }}
namespace: {{ $.Values.namespaces.platform }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .name }}-target
namespace: {{ .targetNamespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .name }}-target
subjects:
- kind: ServiceAccount
name: {{ .name }}
namespace: {{ $.Values.namespaces.platform }}
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ .name }}
namespace: {{ $.Values.namespaces.platform }}
spec:
schedule: {{ .refreshSchedule | quote }}
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
spec:
serviceAccountName: {{ .name }}
restartPolicy: OnFailure
containers:
- name: sync
image: bitnami/kubectl:latest
command:
- /bin/sh
- -ec
- |
tmp=$(mktemp)
kubectl -n {{ .sourceNamespace }} get secret {{ .sourceSecretName }} -o yaml \
| sed '/^ resourceVersion:/d;/^ uid:/d;/^ creationTimestamp:/d;/^ managedFields:/d;/^ annotations:/d;/^ ownerReferences:/d;/^ namespace:/d;/^ selfLink:/d' \
| kubectl -n {{ .targetNamespace }} apply -f -
{{- end }}


@ -1,75 +0,0 @@
{{- if .Values.vaultBootstrap.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: vault-bootstrap
namespace: {{ .Values.namespaces.vault }}
spec:
template:
spec:
serviceAccountName: {{ .Values.vaultBootstrap.serviceAccountName }}
restartPolicy: OnFailure
containers:
- name: bootstrap
image: {{ .Values.vaultBootstrap.image }}
env:
- name: VAULT_ADDR
value: http://vault.{{ .Values.namespaces.vault }}.svc.cluster.local:8200
- name: VAULT_TOKEN
valueFrom:
secretKeyRef:
name: {{ .Values.vaultBootstrap.rootTokenSecretName }}
key: {{ .Values.vaultBootstrap.rootTokenSecretKey }}
- name: CLOUDFLARE_API_TOKEN
valueFrom:
secretKeyRef:
name: {{ .Values.vaultBootstrap.cloudflareSecretName }}
key: {{ .Values.vaultBootstrap.cloudflareSecretKey }}
command:
- /bin/sh
- -ec
- |
until vault status >/dev/null 2>&1; do
sleep 5
done
vault secrets enable -path=secret kv-v2 || true
cat <<'EOF' >/tmp/eso-policy.hcl
path "secret/data/*" {
capabilities = ["read"]
}
path "secret/metadata/*" {
capabilities = ["read", "list"]
}
EOF
vault policy write eso-read /tmp/eso-policy.hcl
vault auth enable kubernetes || true
vault write auth/kubernetes/config \
kubernetes_host="https://kubernetes.default.svc:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
vault write auth/kubernetes/role/external-secrets \
bound_service_account_names="external-secrets" \
bound_service_account_namespaces="{{ .Values.vaultBootstrap.externalSecretsRoleNamespace }}" \
policies="eso-read" \
ttl="1h"
vault kv put secret/platform/cloudflare api-token="${CLOUDFLARE_API_TOKEN}"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.vaultBootstrap.serviceAccountName }}
namespace: {{ .Values.namespaces.vault }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: vault-bootstrap-auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: {{ .Values.vaultBootstrap.serviceAccountName }}
namespace: {{ .Values.namespaces.vault }}
{{- end }}


@ -1,26 +0,0 @@
{{- if .Values.components.vault.enabled }}
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: {{ .Values.components.vault.releaseName }}
namespace: {{ .Values.namespaces.vault }}
spec:
interval: 10m0s
releaseName: {{ .Values.components.vault.releaseName }}
chart:
spec:
chart: {{ .Values.components.vault.chart.name }}
version: {{ .Values.components.vault.chart.version | quote }}
sourceRef:
kind: {{ .Values.components.vault.sourceRef.kind }}
name: {{ .Values.components.vault.sourceRef.name }}
namespace: {{ .Values.components.vault.sourceRef.namespace }}
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
{{- toYaml .Values.components.vault.values | nindent 4 }}
{{- end }}


@ -1,204 +0,0 @@
namespaces:
platform: platform
vault: extsvc
components:
caddy:
enabled: true
releaseName: caddy
sourceRef:
kind: HelmRepository
name: caddy-ingress
namespace: flux-system
chart:
name: caddy-ingress-controller
version: ">=1.0.0 <2.0.0"
values:
ingressController:
enabled: true
ingressClass:
create: true
name: caddy
default: false
service:
type: LoadBalancer
apisix:
enabled: true
releaseName: apisix
sourceRef:
kind: HelmRepository
name: apisix
namespace: flux-system
chart:
name: apisix
version: ">=2.7.0 <3.0.0"
values:
etcd:
enabled: false
externalEtcd:
user: ""
ingress-controller:
enabled: false
dashboard:
enabled: false
gateway:
enabled: true
type: ClusterIP
control:
enabled: false
apisix:
admin:
enabled: false
deployment:
mode: standalone
role: data_plane
standalone:
config: |
routes:
- id: 1
uri: "/*"
hosts:
- api.svc.plus
name: api-gateway-prod
upstream:
type: roundrobin
nodes:
"accounts.core-prod.svc.cluster.local:80": 1
- id: 2
uri: "/*"
hosts:
- api-pre.svc.plus
name: api-gateway-pre
upstream:
type: roundrobin
nodes:
"accounts.core-pre.svc.cluster.local:80": 1
externalDns:
enabled: true
releaseName: external-dns
sourceRef:
kind: HelmRepository
name: external-dns
namespace: flux-system
chart:
name: external-dns
version: ">=1.14.0 <2.0.0"
secret:
name: cloudflare-api-token
refreshInterval: 1m
secretStoreRef:
kind: ClusterSecretStore
name: ""
target:
name: cloudflare-api-token
creationPolicy: Owner
data:
secretKey: api-token
remoteRef:
key: platform/cloudflare
property: api-token
values:
provider: cloudflare
policy: sync
registry: txt
txtOwnerId: svc-plus-k3s
sources:
- ingress
domainFilters:
- svc.plus
env:
- name: CF_API_TOKEN
valueFrom:
secretKeyRef:
name: cloudflare-api-token
key: api-token
externalSecretsStore:
enabled: false
name: ""
vault:
server: http://vault.extsvc.svc.cluster.local:8200
path: secret
version: v2
auth:
kubernetes:
mountPath: kubernetes
role: external-secrets
serviceAccountRef:
name: external-secrets
namespace: platform
sharedTlsSecretSync:
enabled: true
name: postgresql-tls-sync
sourceNamespace: platform
sourceSecretName: postgresql-tls
targetNamespace: database
targetSecretName: postgresql-tls
refreshSchedule: "*/5 * * * *"
postgresqlTlsIngress:
enabled: true
name: postgresql-tls
namespace: platform
className: caddy
serviceName: postgresql-tls-placeholder
servicePort: 80
host: "postgresql-<node-or-cluster>.svc.plus"
secretName: postgresql-tls
vault:
enabled: false
releaseName: vault
sourceRef:
kind: HelmRepository
name: hashicorp
namespace: flux-system
chart:
name: vault
version: ">=0.28.0 <1.0.0"
values:
injector:
enabled: false
server:
standalone:
enabled: false
dataStorage:
enabled: true
size: 8Gi
ha:
enabled: true
replicas: 1
raft:
enabled: true
setNodeId: true
service:
enabled: true
apisixIngress:
enabled: true
name: apisix-gateway
namespace: platform
className: caddy
annotations:
external-dns.alpha.kubernetes.io/hostname: api.svc.plus,api-pre.svc.plus
tls:
secretName: apisix-gateway-tls
hosts:
- api.svc.plus
- api-pre.svc.plus
hosts:
- host: api.svc.plus
serviceName: apisix-gateway
servicePort: 80
- host: api-pre.svc.plus
serviceName: apisix-gateway
servicePort: 80
vaultBootstrap:
enabled: false
image: hashicorp/vault:1.16.3
serviceAccountName: vault-bootstrap
cloudflareSecretName: vault-bootstrap
cloudflareSecretKey: cloudflareApiToken
rootTokenSecretName: vault-bootstrap
rootTokenSecretKey: rootToken
externalSecretsRoleNamespace: platform
extraObjects: []