From 8de872669310491d415395b9a0d598188affbc9c Mon Sep 17 00:00:00 2001
From: Haitao Pan
Date: Sat, 4 Apr 2026 07:20:40 +0800
Subject: [PATCH] fix(platform): render postgresql tls sync resources
---
 .../k3s/templates/postgresql-tls-ingress.yaml | 39 +++++++++
 .../k3s/templates/shared-tls-secret-sync.yaml | 83 +++++++++++++++++++
 oci/charts/infra/platform/k3s/values.yaml | 27 ++++--
 3 files changed, 144 insertions(+), 5 deletions(-)
 create mode 100644 oci/charts/infra/platform/k3s/templates/postgresql-tls-ingress.yaml
 create mode 100644 oci/charts/infra/platform/k3s/templates/shared-tls-secret-sync.yaml
diff --git a/oci/charts/infra/platform/k3s/templates/postgresql-tls-ingress.yaml b/oci/charts/infra/platform/k3s/templates/postgresql-tls-ingress.yaml
new file mode 100644
index 0000000..90594ff
--- /dev/null
+++ b/oci/charts/infra/platform/k3s/templates/postgresql-tls-ingress.yaml
@@ -0,0 +1,39 @@
+{{- with .Values.components.postgresqlTlsIngress }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .serviceName }}
+ namespace: {{ .namespace }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: {{ .servicePort }}
+ targetPort: {{ .servicePort }}
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/name: {{ .serviceName }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ .name }}
+ namespace: {{ .namespace }}
+spec:
+ ingressClassName: {{ .className }}
+ tls:
+ - hosts:
+ - {{ .host }}
+ secretName: {{ .secretName }}
+ rules:
+ - host: {{ .host }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ .serviceName }}
+ port:
+ number: {{ .servicePort }}
+{{- end }}
diff --git a/oci/charts/infra/platform/k3s/templates/shared-tls-secret-sync.yaml b/oci/charts/infra/platform/k3s/templates/shared-tls-secret-sync.yaml
new file mode 100644
index 0000000..191e48e
--- /dev/null
+++ b/oci/charts/infra/platform/k3s/templates/shared-tls-secret-sync.yaml
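Review bot: The template is gated only by `{{- with .Values.components.postgresqlTlsIngress }}`, so it renders whenever that map is non-empty and the `enabled: true` key this commit adds to values.yaml is never consulted — setting `enabled: false` would not remove the public Ingress; add `{{- if .enabled }}` … `{{- end }}` inside the `with`. The Ingress publishes `/` on `{{ .host }}` to a Service whose selector matches no pods anywhere in this chart, presumably so the `caddy` class issues a certificate into `{{ .secretName }}`; a header comment such as `# Placeholder Service + Ingress: exists only so the ingress controller provisions the TLS secret; requests to / have no backend` would keep the "unused" Service from being deleted by a future cleanup. Because the selector is the only thing tying the Service to workloads, it is worth also noting in that comment that no pod may ever carry `app.kubernetes.io/name: {{ .serviceName }}`, or that workload becomes reachable on the public hostname without anyone intending it.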
@@ -0,0 +1,83 @@
+{{- with .Values.components.sharedTlsSecretSync }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .name }}
+ namespace: {{ $.Values.namespaces.platform }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .name }}-source
+ namespace: {{ .sourceNamespace }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["{{ .sourceSecretName }}"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .name }}-target
+ namespace: {{ .targetNamespace }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["{{ .targetSecretName }}"]
+ verbs: ["get", "create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .name }}-source
+ namespace: {{ .sourceNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .name }}-source
+subjects:
+ - kind: ServiceAccount
+ name: {{ .name }}
+ namespace: {{ $.Values.namespaces.platform }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .name }}-target
+ namespace: {{ .targetNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .name }}-target
+subjects:
+ - kind: ServiceAccount
+ name: {{ .name }}
+ namespace: {{ $.Values.namespaces.platform }}
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: {{ .name }}
+ namespace: {{ $.Values.namespaces.platform }}
+spec:
+ schedule: {{ .refreshSchedule | quote }}
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ serviceAccountName: {{ .name }}
+ restartPolicy: OnFailure
+ containers:
+ - name: sync
+ image: bitnami/kubectl:latest
+ command:
+ - /bin/sh
+ - -ec
+ - |
+ tmp=$(mktemp)
+ kubectl -n {{ .sourceNamespace }} get secret {{ .sourceSecretName }} -o yaml \
+ | sed '/^ resourceVersion:/d;/^ uid:/d;/^ creationTimestamp:/d;/^ managedFields:/d;/^ annotations:/d;/^ 
ownerReferences:/d;/^ namespace:/d;/^ selfLink:/d' \
+ | kubectl -n {{ .targetNamespace }} apply -f -
+{{- end }}
diff --git a/oci/charts/infra/platform/k3s/values.yaml b/oci/charts/infra/platform/k3s/values.yaml
index f167b3e..c7f39be 100644
--- a/oci/charts/infra/platform/k3s/values.yaml
+++ b/oci/charts/infra/platform/k3s/values.yaml
@@ -88,7 +88,7 @@ components:
 refreshInterval: 1m
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault-platform
+ name: ""
 target:
 name: cloudflare-api-token
 creationPolicy: Owner
@@ -113,8 +113,8 @@ components:
 name: cloudflare-api-token
 key: api-token
 externalSecretsStore:
- enabled: true
- name: vault-platform
+ enabled: false
+ name: ""
 vault:
 server: http://vault.extsvc.svc.cluster.local:8200
 path: secret
@@ -126,8 +126,25 @@ components:
 serviceAccountRef:
 name: external-secrets
 namespace: platform
- vault:
+ sharedTlsSecretSync:
 enabled: true
+ name: postgresql-vultr-tls-sync
+ sourceNamespace: platform
+ sourceSecretName: postgresql-vultr-tls
+ targetNamespace: database
+ targetSecretName: postgresql-vultr-tls
+ refreshSchedule: "*/5 * * * *"
+ postgresqlTlsIngress:
+ enabled: true
+ name: postgresql-vultr-tls
+ namespace: platform
+ className: caddy
+ serviceName: postgresql-vultr-tls-placeholder
+ servicePort: 80
+ host: postgresql-vultr.svc.plus
+ secretName: postgresql-vultr-tls
+ vault:
+ enabled: false
 releaseName: vault
 sourceRef:
 kind: HelmRepository
@@ -175,7 +192,7 @@ apisixIngress:
 servicePort: 80
 vaultBootstrap:
- enabled: true
+ enabled: false
 image: hashicorp/vault:1.16.3
 serviceAccountName: vault-bootstrap
 cloudflareSecretName: vault-bootstrap
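Review bot: The target Role grants `create` inside a rule scoped by `resourceNames`, but Kubernetes cannot match a create request against a resource name (the object name is not known at authorization time), so the first run in a `database` namespace where `postgresql-vultr-tls` does not yet exist fails with Forbidden on the `apply`; put `create` in its own rule without `resourceNames` (it stays confined to that namespace). The sync script strips source metadata with a per-line `sed` that deletes only the `annotations:` and `managedFields:` header lines and leaves their indented children behind, so a source secret carrying any annotation (common for controller-issued certificates) yields a broken or mis-keyed manifest; `tmp=$(mktemp)` is also assigned and never used. Reading just `tls.crt`/`tls.key` and emitting a fresh `kubernetes.io/tls` Secret, as below, avoids replaying any source metadata at all. `image: bitnami/kubectl:latest` should be pinned to a fixed tag or digest given that this pod can read a private key, and the `list`/`watch` verbs in the source Role are unused by the script and can be dropped.
```yaml
# … unchanged: ServiceAccount, source Role, RoleBindings …
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["{{ .targetSecretName }}"]
    verbs: ["get", "update", "patch"]
  # create cannot be restricted by resourceNames; scope is still this namespace only
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
# … unchanged: CronJob metadata, schedule, pod spec up to the container command …
              command:
                - /bin/sh
                - -eu
                - |
                  # Copy only the TLS material; never replay the source object's metadata.
                  crt=$(kubectl -n {{ .sourceNamespace }} get secret {{ .sourceSecretName }} -o jsonpath='{.data.tls\.crt}')
                  key=$(kubectl -n {{ .sourceNamespace }} get secret {{ .sourceSecretName }} -o jsonpath='{.data.tls\.key}')
                  [ -n "$crt" ] && [ -n "$key" ] || { echo "source secret has no tls.crt/tls.key" >&2; exit 1; }
                  kubectl -n {{ .targetNamespace }} apply -f - <<EOF
                  apiVersion: v1
                  kind: Secret
                  type: kubernetes.io/tls
                  metadata:
                    name: {{ .targetSecretName }}
                  data:
                    tls.crt: $crt
                    tls.key: $key
                  EOF
```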
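Review bot: `secretStoreRef.name` is changed to `""` rather than the ExternalSecret being disabled, so if the `cloudflare-api-token` ExternalSecret this block belongs to is still rendered it will reference a non-existent ClusterSecretStore and sit in a failed reconcile; its own `enabled` key is outside the hunk, so I cannot tell whether it is still on. Gating that ExternalSecret on the same `externalSecretsStore.enabled: false` flag this commit sets would turn the resource off instead of leaving a dangling reference.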
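Review bot: The new `sharedTlsSecretSync` and `postgresqlTlsIngress` blocks are coupled — `postgresqlTlsIngress.secretName` in `namespace: platform` is the same `postgresql-vultr-tls` that `sharedTlsSecretSync.sourceSecretName` copies into `database` — but nothing records that, and both `enabled: true` keys are currently inert because the two new templates render on a bare `with` without checking `.enabled`. A comment above each block, e.g. `# Cert issued here is copied into the database namespace by sharedTlsSecretSync; the enabled flag is not yet honoured by the template`, would make the dependency and the caveat visible to whoever edits these values next.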