From 20e3be0a99fa7d9620d9eb5bbfa560d61a544382 Mon Sep 17 00:00:00 2001 
From: Haitao Pan Date: Fri, 3 Apr 2026 15:43:06 +0800 Subject: [PATCH] refactor(gitops): move cluster roots to apps and split db chain --- .../pre/accounts-pre-kustomization.yaml | 2 +- .../pre/console-pre-kustomization.yaml | 0 .../clusters/pre/kustomization.yaml | 2 +- .../pre/stunnel-client-pre-kustomization.yaml | 16 +++++ .../prod/accounts-prod-kustomization.yaml | 2 +- .../prod/console-prod-kustomization.yaml | 0 .../clusters/prod/kustomization.yaml | 6 +- {infra => apps}/clusters/prod/namespaces.yaml | 1 - .../prod/observability-kustomization.yaml | 0 .../prod/postgresql-prod-kustomization.yaml | 4 +- .../clusters/prod/pre-kustomization.yaml | 2 +- .../stunnel-client-prod-kustomization.yaml | 16 +++++ .../prod/stunnel-server-kustomization.yaml | 6 +- apps/core/accounts/pre/values.yaml | 1 + apps/core/accounts/prod/values.yaml | 3 +- apps/core/console/pre/values.yaml | 1 + apps/core/console/prod/values.yaml | 3 +- .../stunnel-client/base/kustomization.yaml | 6 ++ .../base/stunnel-client-configmap.yaml | 17 +++++ .../base/stunnel-client-deployment.yaml | 31 ++++++++ .../base/stunnel-client-service.yaml | 11 +++ .../stunnel-client/pre}/kustomization.yaml | 4 +- .../stunnel-client/prod}/kustomization.yaml | 4 +- apps/demo/c-app/namespace.yaml | 6 -- apps/demo/c-app/release.yaml | 30 -------- apps/demo/go-app/kustomization.yaml | 5 -- apps/demo/go-app/namespace.yaml | 6 -- apps/demo/go-app/release.yaml | 30 -------- apps/demo/js-app/namespace.yaml | 6 -- apps/demo/js-app/release.yaml | 30 -------- apps/demo/python-app/kustomization.yaml | 5 -- apps/demo/python-app/namespace.yaml | 6 -- apps/demo/python-app/release.yaml | 30 -------- apps/demo/rust-app/kustomization.yaml | 5 -- apps/demo/rust-app/namespace.yaml | 6 -- apps/demo/rust-app/release.yaml | 30 -------- apps/itsm-dev/kustomization.yaml | 5 -- apps/itsm-dev/release.yaml | 40 ----------- apps/platform/k3s-platform/helmrelease.yaml | 3 + databases/postgresql-core/helmrelease.yaml | 22 ++++++ 
databases/postgresql-core/kustomization.yaml | 12 ++++ databases/postgresql-core/oci-repository.yaml | 12 ++++ databases/postgresql-core/values.yaml | 55 ++++++++++++++ databases/postgresql/README.md | 26 +++++++ .../postgresql/stunnel-externalsecret.yaml | 22 ------ .../postgresql/stunnel-server-deployment.yaml | 8 +-- databases/stunnel-server/kustomization.yaml | 7 ++ .../stunnel-server-configmap.yaml | 22 ++++++ .../stunnel-server-deployment.yaml | 49 +++++++++++++ .../stunnel-server-service.yaml | 11 +++ scripts/seed-vault-postgresql.sh | 71 +++++++++++++++++++ 51 files changed, 414 insertions(+), 284 deletions(-) rename {infra => apps}/clusters/pre/accounts-pre-kustomization.yaml (89%) rename {infra => apps}/clusters/pre/console-pre-kustomization.yaml (100%) rename {infra => apps}/clusters/pre/kustomization.yaml (78%) create mode 100644 apps/clusters/pre/stunnel-client-pre-kustomization.yaml rename {infra => apps}/clusters/prod/accounts-prod-kustomization.yaml (89%) rename {infra => apps}/clusters/prod/console-prod-kustomization.yaml (100%) rename {infra => apps}/clusters/prod/kustomization.yaml (71%) rename {infra => apps}/clusters/prod/namespaces.yaml (99%) rename {infra => apps}/clusters/prod/observability-kustomization.yaml (100%) rename infra/clusters/prod/database-kustomization.yaml => apps/clusters/prod/postgresql-prod-kustomization.yaml (79%) rename {infra => apps}/clusters/prod/pre-kustomization.yaml (88%) create mode 100644 apps/clusters/prod/stunnel-client-prod-kustomization.yaml rename infra/clusters/prod/infrastructure-kustomization.yaml => apps/clusters/prod/stunnel-server-kustomization.yaml (73%) create mode 100644 apps/core/stunnel-client/base/kustomization.yaml create mode 100644 apps/core/stunnel-client/base/stunnel-client-configmap.yaml create mode 100644 apps/core/stunnel-client/base/stunnel-client-deployment.yaml create mode 100644 apps/core/stunnel-client/base/stunnel-client-service.yaml rename apps/{demo/c-app => 
core/stunnel-client/pre}/kustomization.yaml (66%) rename apps/{demo/js-app => core/stunnel-client/prod}/kustomization.yaml (66%) delete mode 100644 apps/demo/c-app/namespace.yaml delete mode 100644 apps/demo/c-app/release.yaml delete mode 100644 apps/demo/go-app/kustomization.yaml delete mode 100644 apps/demo/go-app/namespace.yaml delete mode 100644 apps/demo/go-app/release.yaml delete mode 100644 apps/demo/js-app/namespace.yaml delete mode 100644 apps/demo/js-app/release.yaml delete mode 100644 apps/demo/python-app/kustomization.yaml delete mode 100644 apps/demo/python-app/namespace.yaml delete mode 100644 apps/demo/python-app/release.yaml delete mode 100644 apps/demo/rust-app/kustomization.yaml delete mode 100644 apps/demo/rust-app/namespace.yaml delete mode 100644 apps/demo/rust-app/release.yaml delete mode 100644 apps/itsm-dev/kustomization.yaml delete mode 100644 apps/itsm-dev/release.yaml create mode 100644 databases/postgresql-core/helmrelease.yaml create mode 100644 databases/postgresql-core/kustomization.yaml create mode 100644 databases/postgresql-core/oci-repository.yaml create mode 100644 databases/postgresql-core/values.yaml create mode 100644 databases/postgresql/README.md delete mode 100644 databases/postgresql/stunnel-externalsecret.yaml create mode 100644 databases/stunnel-server/kustomization.yaml create mode 100644 databases/stunnel-server/stunnel-server-configmap.yaml create mode 100644 databases/stunnel-server/stunnel-server-deployment.yaml create mode 100644 databases/stunnel-server/stunnel-server-service.yaml create mode 100755 scripts/seed-vault-postgresql.sh diff --git a/infra/clusters/pre/accounts-pre-kustomization.yaml b/apps/clusters/pre/accounts-pre-kustomization.yaml similarity index 89% rename from infra/clusters/pre/accounts-pre-kustomization.yaml rename to apps/clusters/pre/accounts-pre-kustomization.yaml index 5dd3598..ee3af3b 100644 --- a/infra/clusters/pre/accounts-pre-kustomization.yaml 
+++ b/apps/clusters/pre/accounts-pre-kustomization.yaml @@ -12,4 +12,4 @@ spec: name: platform-config path: ./apps/core/accounts/pre dependsOn: - - name: database-stack + - name: stunnel-client-pre diff --git a/infra/clusters/pre/console-pre-kustomization.yaml b/apps/clusters/pre/console-pre-kustomization.yaml similarity index 100% rename from infra/clusters/pre/console-pre-kustomization.yaml rename to apps/clusters/pre/console-pre-kustomization.yaml diff --git a/infra/clusters/pre/kustomization.yaml b/apps/clusters/pre/kustomization.yaml similarity index 78% rename from infra/clusters/pre/kustomization.yaml rename to apps/clusters/pre/kustomization.yaml index 2563a8d..1b025eb 100644 --- a/infra/clusters/pre/kustomization.yaml +++ b/apps/clusters/pre/kustomization.yaml @@ -1,6 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - stunnel-client-pre-kustomization.yaml - console-pre-kustomization.yaml - accounts-pre-kustomization.yaml - diff --git a/apps/clusters/pre/stunnel-client-pre-kustomization.yaml b/apps/clusters/pre/stunnel-client-pre-kustomization.yaml new file mode 100644 index 0000000..b941009 --- /dev/null +++ b/apps/clusters/pre/stunnel-client-pre-kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: stunnel-client-pre + namespace: flux-system +spec: + interval: 5m0s + prune: true + wait: true + timeout: 10m0s + sourceRef: + kind: GitRepository + name: platform-config + path: ./apps/core/stunnel-client/pre + dependsOn: + - name: stunnel-server diff --git a/infra/clusters/prod/accounts-prod-kustomization.yaml b/apps/clusters/prod/accounts-prod-kustomization.yaml similarity index 89% rename from infra/clusters/prod/accounts-prod-kustomization.yaml rename to apps/clusters/prod/accounts-prod-kustomization.yaml index edc1cc8..dba31da 100644 --- a/infra/clusters/prod/accounts-prod-kustomization.yaml +++ b/apps/clusters/prod/accounts-prod-kustomization.yaml 
@@ -12,4 +12,4 @@ spec: name: platform-config path: ./apps/core/accounts/prod dependsOn: - - name: database-stack + - name: stunnel-client-prod diff --git a/infra/clusters/prod/console-prod-kustomization.yaml b/apps/clusters/prod/console-prod-kustomization.yaml similarity index 100% rename from infra/clusters/prod/console-prod-kustomization.yaml rename to apps/clusters/prod/console-prod-kustomization.yaml diff --git a/infra/clusters/prod/kustomization.yaml b/apps/clusters/prod/kustomization.yaml similarity index 71% rename from infra/clusters/prod/kustomization.yaml rename to apps/clusters/prod/kustomization.yaml index c0f41ff..a591df9 100644 --- a/infra/clusters/prod/kustomization.yaml +++ b/apps/clusters/prod/kustomization.yaml @@ -2,10 +2,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - namespaces.yaml - - database-kustomization.yaml - - observability-kustomization.yaml + - postgresql-prod-kustomization.yaml + - stunnel-server-kustomization.yaml + - stunnel-client-prod-kustomization.yaml - console-prod-kustomization.yaml - accounts-prod-kustomization.yaml + - observability-kustomization.yaml - pre-kustomization.yaml # Sync marker for Flux reconciliation on jp-k3s-vultr.svc.plus. diff --git a/infra/clusters/prod/namespaces.yaml b/apps/clusters/prod/namespaces.yaml similarity index 99% rename from infra/clusters/prod/namespaces.yaml rename to apps/clusters/prod/namespaces.yaml index 0314602..dbf5af2 100644 --- a/infra/clusters/prod/namespaces.yaml +++ b/apps/clusters/prod/namespaces.yaml @@ -27,4 +27,3 @@ apiVersion: v1 kind: Namespace metadata: name: core-pre - diff --git a/infra/clusters/prod/observability-kustomization.yaml b/apps/clusters/prod/observability-kustomization.yaml similarity index 100% rename from infra/clusters/prod/observability-kustomization.yaml rename to apps/clusters/prod/observability-kustomization.yaml 
diff --git a/infra/clusters/prod/database-kustomization.yaml b/apps/clusters/prod/postgresql-prod-kustomization.yaml similarity index 79% rename from infra/clusters/prod/database-kustomization.yaml rename to apps/clusters/prod/postgresql-prod-kustomization.yaml index b66e1a5..3ff78b7 100644 --- a/infra/clusters/prod/database-kustomization.yaml +++ b/apps/clusters/prod/postgresql-prod-kustomization.yaml @@ -1,7 +1,7 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: database-stack + name: postgresql-prod namespace: flux-system spec: interval: 5m0s @@ -11,4 +11,4 @@ spec: sourceRef: kind: GitRepository name: platform-config - path: ./databases/postgresql + path: ./databases/postgresql-core diff --git a/infra/clusters/prod/pre-kustomization.yaml b/apps/clusters/prod/pre-kustomization.yaml similarity index 88% rename from infra/clusters/prod/pre-kustomization.yaml rename to apps/clusters/prod/pre-kustomization.yaml index f2b7537..fd8de56 100644 --- a/infra/clusters/prod/pre-kustomization.yaml +++ b/apps/clusters/prod/pre-kustomization.yaml @@ -10,4 +10,4 @@ spec: sourceRef: kind: GitRepository name: platform-config - path: ./infra/clusters/pre + path: ./apps/clusters/pre diff --git a/apps/clusters/prod/stunnel-client-prod-kustomization.yaml b/apps/clusters/prod/stunnel-client-prod-kustomization.yaml new file mode 100644 index 0000000..9d9c56b --- /dev/null +++ b/apps/clusters/prod/stunnel-client-prod-kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: stunnel-client-prod + namespace: flux-system +spec: + interval: 5m0s + prune: true + wait: true + timeout: 10m0s + sourceRef: + kind: GitRepository + name: platform-config + path: ./apps/core/stunnel-client/prod + dependsOn: + - name: stunnel-server 
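Review bot: Renaming the Flux Kustomization `database-stack` to `postgresql-prod` while repointing its `path` from `./databases/postgresql` to `./databases/postgresql-core` means the old object is removed from the cluster root and, if it runs with `prune: true` like the new Kustomizations in this commit, its finalizer garbage-collects everything it applied from `./databases/postgresql`. The new path holds only an OCIRepository, a HelmRelease and a generated values ConfigMap, and the one ExternalSecret this diff touches is deleted, so I cannot see what now reconciles the `postgresql-auth` and `postgresql-ghcr-pull` Secrets that `values.yaml` and `oci-repository.yaml` reference. If they are defined in the remaining `databases/postgresql/*.yaml` files, as the README implies, either keep a Kustomization that applies that directory or move those manifests into `databases/postgresql-core/`. Worth checking on a non-prod cluster before merge, since a pruned pull secret leaves the OCIRepository unable to fetch the chart.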
diff --git a/infra/clusters/prod/infrastructure-kustomization.yaml b/apps/clusters/prod/stunnel-server-kustomization.yaml similarity index 73% rename from infra/clusters/prod/infrastructure-kustomization.yaml rename to apps/clusters/prod/stunnel-server-kustomization.yaml index cc71861..5205a19 100644 --- a/infra/clusters/prod/infrastructure-kustomization.yaml +++ b/apps/clusters/prod/stunnel-server-kustomization.yaml @@ -1,7 +1,7 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: infrastructure-stack + name: stunnel-server namespace: flux-system spec: interval: 5m0s @@ -11,6 +11,6 @@ spec: sourceRef: kind: GitRepository name: platform-config - path: ./databases/postgresql + path: ./databases/stunnel-server dependsOn: - - name: platform-k3s + - name: postgresql-prod diff --git a/apps/core/accounts/pre/values.yaml b/apps/core/accounts/pre/values.yaml index 40e176f..26161b5 100644 --- a/apps/core/accounts/pre/values.yaml +++ b/apps/core/accounts/pre/values.yaml @@ -1,6 +1,7 @@ service: replicaCount: 1 global: + imagePullPolicy: Always tag: latest env: APP_ENV: pre diff --git a/apps/core/accounts/prod/values.yaml b/apps/core/accounts/prod/values.yaml index 085baef..95b52e6 100644 --- a/apps/core/accounts/prod/values.yaml +++ b/apps/core/accounts/prod/values.yaml @@ -1,7 +1,8 @@ service: replicaCount: 2 global: - # Production consumes an explicitly published stable tag such as `release`. + imagePullPolicy: IfNotPresent + # Production consumes an explicitly published release tag or version. tag: release env: APP_ENV: production diff --git a/apps/core/console/pre/values.yaml b/apps/core/console/pre/values.yaml index b94cc7f..866eef4 100644 --- a/apps/core/console/pre/values.yaml +++ b/apps/core/console/pre/values.yaml @@ -1,6 +1,7 @@ service: replicaCount: 1 global: + imagePullPolicy: Always tag: latest env: APP_ENV: pre diff --git a/apps/core/console/prod/values.yaml b/apps/core/console/prod/values.yaml index 715c94a..d56b87c 100644 
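Review bot: `imagePullPolicy: IfNotPresent` is paired with the mutable `tag: release` in `apps/core/accounts/prod/values.yaml`, so a node that already caches an image labelled `release` keeps running it after the tag is re-pushed, and the two replicas can silently run different builds; the reworded comment ("release tag or version") does not address that. Either keep `Always` while the tag is mutable, or pin an immutable version or digest (if the chart exposes a digest field) and then `IfNotPresent` is safe and reproducible. The same combination appears in `apps/core/console/prod/values.yaml` and in both new stunnel Deployments, which pair `:latest` with `IfNotPresent`.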
--- a/apps/core/console/prod/values.yaml +++ b/apps/core/console/prod/values.yaml @@ -1,7 +1,8 @@ service: replicaCount: 2 global: - # Production consumes an explicitly published stable tag such as `release`. + imagePullPolicy: IfNotPresent + # Production consumes an explicitly published release tag or version. tag: release env: APP_ENV: production diff --git a/apps/core/stunnel-client/base/kustomization.yaml b/apps/core/stunnel-client/base/kustomization.yaml new file mode 100644 index 0000000..5df243f --- /dev/null +++ b/apps/core/stunnel-client/base/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - stunnel-client-configmap.yaml + - stunnel-client-deployment.yaml + - stunnel-client-service.yaml diff --git a/apps/core/stunnel-client/base/stunnel-client-configmap.yaml b/apps/core/stunnel-client/base/stunnel-client-configmap.yaml new file mode 100644 index 0000000..0ae93cd --- /dev/null +++ b/apps/core/stunnel-client/base/stunnel-client-configmap.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: postgresql-stunnel-client +data: + stunnel.conf: | + foreground = yes + debug = 5 + [postgres-client] + client = yes + accept = 0.0.0.0:15432 + connect = postgresql-stunnel-server.database.svc.cluster.local:5433 + verifyChain = no + sslVersionMin = TLSv1.2 + options = NO_SSLv2 + options = NO_SSLv3 + TIMEOUTclose = 0 diff --git a/apps/core/stunnel-client/base/stunnel-client-deployment.yaml b/apps/core/stunnel-client/base/stunnel-client-deployment.yaml new file mode 100644 index 0000000..640014f --- /dev/null +++ b/apps/core/stunnel-client/base/stunnel-client-deployment.yaml 
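Review bot: `verifyChain = no` in the `[postgres-client]` section of `stunnel-client-configmap.yaml` makes the client accept any certificate presented at `postgresql-stunnel-server.database.svc.cluster.local:5433`, so the tunnel encrypts traffic but does not authenticate the server, and anything able to redirect in-cluster DNS or traffic can terminate the TLS itself. Since the server side mounts the `postgresql-vultr-tls` certificate, the client can pin it: `verifyChain = yes`, `CAfile = /etc/stunnel/certs/ca.pem` (constructed path; mount the issuing CA or the server certificate from a ConfigMap/Secret there), and `checkHost = postgresql-vultr.svc.plus` if that is the certificate's SAN, which the README suggests but this diff does not show. `debug = 5` is reasonable during rollout but worth lowering once the tunnel is stable.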
@@ -0,0 +1,31 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: postgresql-stunnel-client +spec: + replicas: 1 + selector: + matchLabels: + app: postgresql-stunnel-client + template: + metadata: + labels: + app: postgresql-stunnel-client + spec: + imagePullSecrets: + - name: postgresql-ghcr-pull + containers: + - name: stunnel-client + image: ghcr.io/x-evor/postgresql.svc.plus/stunnel-client:latest + imagePullPolicy: IfNotPresent + command: ["stunnel", "/etc/stunnel/stunnel.conf"] + ports: + - containerPort: 15432 + volumeMounts: + - name: stunnel-config + mountPath: /etc/stunnel/stunnel.conf + subPath: stunnel.conf + volumes: + - name: stunnel-config + configMap: + name: postgresql-stunnel-client diff --git a/apps/core/stunnel-client/base/stunnel-client-service.yaml b/apps/core/stunnel-client/base/stunnel-client-service.yaml new file mode 100644 index 0000000..a90c21c --- /dev/null +++ b/apps/core/stunnel-client/base/stunnel-client-service.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: postgresql-stunnel-client +spec: + selector: + app: postgresql-stunnel-client + ports: + - name: postgres + port: 15432 + targetPort: 15432 diff --git a/apps/demo/c-app/kustomization.yaml b/apps/core/stunnel-client/pre/kustomization.yaml similarity index 66% rename from apps/demo/c-app/kustomization.yaml rename to apps/core/stunnel-client/pre/kustomization.yaml index 750e521..ebef587 100644 --- a/apps/demo/c-app/kustomization.yaml +++ b/apps/core/stunnel-client/pre/kustomization.yaml @@ -1,5 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: core-pre resources: - - namespace.yaml - - release.yaml + - ../base diff --git a/apps/demo/js-app/kustomization.yaml b/apps/core/stunnel-client/prod/kustomization.yaml similarity index 66% rename from apps/demo/js-app/kustomization.yaml rename to apps/core/stunnel-client/prod/kustomization.yaml index 750e521..ca26074 100644 --- a/apps/demo/js-app/kustomization.yaml 
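Review bot: The new `postgresql-stunnel-client` Deployment has no readiness probe, no resource requests/limits and no `securityContext`, so a pod whose stunnel fails to bind `15432` still becomes a ready endpoint of the Service, and the container runs with whatever privileges the image defaults to. A TCP readiness probe on the accept port plus a restrictive container security context is the usual baseline; I have not added `runAsNonRoot` or `readOnlyRootFilesystem` because whether the image runs stunnel unprivileged or writes a pid file is not visible here, so confirm before adding them. The same applies to `databases/stunnel-server/stunnel-server-deployment.yaml` later in this commit.
```yaml
      containers:
        - name: stunnel-client
          # … unchanged: image, imagePullPolicy, command, ports, volumeMounts …
          readinessProbe:
            tcpSocket:
              port: 15432
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            # constructed starting values; tune from observed usage
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              memory: 128Mi
```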
+++ b/apps/core/stunnel-client/prod/kustomization.yaml @@ -1,5 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: core-prod resources: - - namespace.yaml - - release.yaml + - ../base diff --git a/apps/demo/c-app/namespace.yaml b/apps/demo/c-app/namespace.yaml deleted file mode 100644 index 29c71eb..0000000 --- a/apps/demo/c-app/namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: demo-c - labels: - app.kubernetes.io/component: demo-c diff --git a/apps/demo/c-app/release.yaml b/apps/demo/c-app/release.yaml deleted file mode 100644 index e566304..0000000 --- a/apps/demo/c-app/release.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: stable - namespace: demo-c -spec: - interval: 1m - url: https://charts.onwalk.net/ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: cp-app - namespace: demo-c -spec: - chart: - spec: - chart: app - version: "0.1.1" - sourceRef: - kind: HelmRepository - name: stable - namespace: demo-c - interval: 1m - values: - image: - repository: artifact.onwalk.net/base/scaffolding-design/c - tag: "dee1c17b11822997e16e71244b1a1e98fe919688" - ingress: - className: "nginx" diff --git a/apps/demo/go-app/kustomization.yaml b/apps/demo/go-app/kustomization.yaml deleted file mode 100644 index 750e521..0000000 --- a/apps/demo/go-app/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - namespace.yaml - - release.yaml diff --git a/apps/demo/go-app/namespace.yaml b/apps/demo/go-app/namespace.yaml deleted file mode 100644 index 6e862f3..0000000 --- a/apps/demo/go-app/namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: demo-go - labels: - app.kubernetes.io/component: demo-go 
diff --git a/apps/demo/go-app/release.yaml b/apps/demo/go-app/release.yaml deleted file mode 100644 index 63ea90d..0000000 --- a/apps/demo/go-app/release.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apps/go-demo/release.yaml apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: stable - namespace: demo-go -spec: - interval: 1m - url: https://charts.onwalk.net/ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: stable - namespace: demo-go -spec: - chart: - spec: - chart: app - version: "0.1.1" - sourceRef: - kind: HelmRepository - name: stable - namespace: demo-go - interval: 1m - values: - image: - repository: artifact.onwalk.net/base/scaffolding-design/go - tag: "fe2a0fba3014709b26d8acd75bacb661bf2522a4" - ingress: - className: "nginx" diff --git a/apps/demo/js-app/namespace.yaml b/apps/demo/js-app/namespace.yaml deleted file mode 100644 index 15a16cb..0000000 --- a/apps/demo/js-app/namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: demo-js - labels: - app.kubernetes.io/component: demo diff --git a/apps/demo/js-app/release.yaml b/apps/demo/js-app/release.yaml deleted file mode 100644 index ac8b476..0000000 --- a/apps/demo/js-app/release.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: stable - namespace: demo-js -spec: - interval: 1m - url: https://charts.onwalk.net/ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: stable - namespace: demo-js -spec: - chart: - spec: - chart: app - version: "0.1.1" - sourceRef: - kind: HelmRepository - name: stable - namespace: demo-python - interval: 1m - values: - image: - repository: artifact.onwalk.net/base/scaffolding-design/javascript-frontend - tag: "fc998a6d433c45986dc7d51ab62bf7aa48613d62" - ingress: - className: "nginx" 
diff --git a/apps/demo/python-app/kustomization.yaml b/apps/demo/python-app/kustomization.yaml deleted file mode 100644 index 750e521..0000000 --- a/apps/demo/python-app/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - namespace.yaml - - release.yaml diff --git a/apps/demo/python-app/namespace.yaml b/apps/demo/python-app/namespace.yaml deleted file mode 100644 index 4d1a4a6..0000000 --- a/apps/demo/python-app/namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: demo-python - labels: - app.kubernetes.io/component: demo-python diff --git a/apps/demo/python-app/release.yaml b/apps/demo/python-app/release.yaml deleted file mode 100644 index bdaca19..0000000 --- a/apps/demo/python-app/release.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: stable - namespace: demo-python -spec: - interval: 1m - url: https://charts.onwalk.net/ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: stable - namespace: demo-python -spec: - chart: - spec: - chart: app - version: "0.1.1" - sourceRef: - kind: HelmRepository - name: stable - namespace: demo-python - interval: 1m - values: - image: - repository: artifact.onwalk.net/base/scaffolding-design/python - tag: "d72ba38f7a3a76b71eb50f00fe46a94497e6ecaa" - ingress: - className: "nginx" diff --git a/apps/demo/rust-app/kustomization.yaml b/apps/demo/rust-app/kustomization.yaml deleted file mode 100644 index 750e521..0000000 --- a/apps/demo/rust-app/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - namespace.yaml - - release.yaml diff --git a/apps/demo/rust-app/namespace.yaml b/apps/demo/rust-app/namespace.yaml deleted file mode 100644 index 1e8856b..0000000 --- a/apps/demo/rust-app/namespace.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: demo-rust - labels: - app.kubernetes.io/component: demo-rust diff --git a/apps/demo/rust-app/release.yaml b/apps/demo/rust-app/release.yaml deleted file mode 100644 index 9dddcfa..0000000 --- a/apps/demo/rust-app/release.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: stable - namespace: demo-rust -spec: - interval: 1m - url: https://charts.onwalk.net/ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: stable - namespace: demo-rust -spec: - chart: - spec: - chart: app - version: "0.1.1" - sourceRef: - kind: HelmRepository - name: stable - namespace: demo-rust - interval: 1m - values: - image: - repository: artifact.onwalk.net/base/scaffolding-design/rust - tag: "84a66d19f29c20c57127f5c896d00b0b84dcd986" - ingress: - className: "nginx" diff --git a/apps/itsm-dev/kustomization.yaml b/apps/itsm-dev/kustomization.yaml deleted file mode 100644 index 97d68e5..0000000 --- a/apps/itsm-dev/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: itsm-dev -resources: - - release.yaml diff --git a/apps/itsm-dev/release.yaml b/apps/itsm-dev/release.yaml deleted file mode 100644 index 3fd7f75..0000000 --- a/apps/itsm-dev/release.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: itsm-dev - namespace: itsm-dev -spec: - interval: 1m - chart: - spec: - version: "0.1.16" - chart: itsm - sourceRef: - kind: HelmRepository - name: stable - namespace: itsm-dev - interval: 1m - values: - novu: - web: - ingress: - enabled: true - hostname: novu-web.onwalk.net - ingressClassName: 'nginx' - apisix: - dashboard: - ingress: - enabled: true - className: "nginx" - hosts: - - host: apisix-dashboard.onwalk.net - paths: - - /* - etcd-adapter: - enabled: true - mysql: - host: mysql - port: 3306 - username: apisix - password: apisix - database: apisix diff --git a/apps/platform/k3s-platform/helmrelease.yaml b/apps/platform/k3s-platform/helmrelease.yaml index a7fc541..c5eb704 100644 --- a/apps/platform/k3s-platform/helmrelease.yaml +++ b/apps/platform/k3s-platform/helmrelease.yaml @@ -6,6 +6,9 @@ metadata: spec: interval: 10m0s releaseName: k3s-platform + dependsOn: + - name: external-secrets + namespace: platform chartRef: kind: OCIRepository name: k3s-platform-chart diff --git a/databases/postgresql-core/helmrelease.yaml b/databases/postgresql-core/helmrelease.yaml new file mode 100644 index 0000000..6f1eed1 --- /dev/null +++ b/databases/postgresql-core/helmrelease.yaml @@ -0,0 +1,22 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: postgresql + namespace: database +spec: + interval: 10m0s + releaseName: postgresql + chartRef: + kind: OCIRepository + name: postgresql-chart + namespace: database + install: + remediation: + retries: 3 + upgrade: + remediation: + retries: 3 + valuesFrom: + - kind: ConfigMap + name: postgresql-values + valuesKey: values.yaml diff --git a/databases/postgresql-core/kustomization.yaml b/databases/postgresql-core/kustomization.yaml new file mode 100644 index 0000000..5c04712 --- /dev/null +++ b/databases/postgresql-core/kustomization.yaml 
@@ -0,0 +1,12 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: database +resources: + - oci-repository.yaml + - helmrelease.yaml +configMapGenerator: + - name: postgresql-values + files: + - values.yaml=values.yaml +generatorOptions: + disableNameSuffixHash: true diff --git a/databases/postgresql-core/oci-repository.yaml b/databases/postgresql-core/oci-repository.yaml new file mode 100644 index 0000000..daecd5f --- /dev/null +++ b/databases/postgresql-core/oci-repository.yaml @@ -0,0 +1,12 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: OCIRepository +metadata: + name: postgresql-chart + namespace: database +spec: + interval: 5m0s + url: oci://ghcr.io/x-evor/postgresql-chart + ref: + semver: "1.1.0" + secretRef: + name: postgresql-ghcr-pull diff --git a/databases/postgresql-core/values.yaml b/databases/postgresql-core/values.yaml new file mode 100644 index 0000000..72f6242 --- /dev/null +++ b/databases/postgresql-core/values.yaml 
@@ -0,0 +1,55 @@ +server: + enabled: true + +image: + repository: ghcr.io/x-evor/postgresql.svc.plus/postgresql-svc-plus + tag: "17" + pullPolicy: IfNotPresent + +imagePullSecrets: + - name: postgresql-ghcr-pull + +auth: + username: postgres + database: postgres + existingSecret: postgresql-auth + secretKey: password + +initScripts: + enabled: true + scripts: + 01-core-schemas.sql: | + DO $$ + BEGIN + IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'core_prod_user') THEN + CREATE ROLE core_prod_user LOGIN; + END IF; + IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'core_pre_user') THEN + CREATE ROLE core_pre_user LOGIN; + END IF; + END + $$; + + CREATE SCHEMA IF NOT EXISTS core_prod AUTHORIZATION postgres; + CREATE SCHEMA IF NOT EXISTS core_pre AUTHORIZATION postgres; + + GRANT USAGE ON SCHEMA core_prod TO core_prod_user; + GRANT USAGE ON SCHEMA core_pre TO core_pre_user; + + ALTER DEFAULT PRIVILEGES IN SCHEMA core_prod + GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO core_prod_user; + ALTER DEFAULT PRIVILEGES IN SCHEMA core_pre + GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO core_pre_user; + +persistence: + enabled: true + size: 20Gi + +metrics: + enabled: false + +stunnel: + enabled: false + +stunnelClient: + enabled: false diff --git a/databases/postgresql/README.md b/databases/postgresql/README.md new file mode 100644 index 0000000..3620f64 --- /dev/null +++ b/databases/postgresql/README.md 
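Review bot: The `ALTER DEFAULT PRIVILEGES IN SCHEMA …` statements in `01-core-schemas.sql` grant only table privileges and, lacking a `FOR ROLE` clause, apply only to objects created by the role that runs the init script, so tables created by any other role receive no grant, and the app roles get no `USAGE` on sequences, which makes `INSERT` into serial/identity columns fail for `core_prod_user` and `core_pre_user`. Add `GRANT USAGE, SELECT ON SEQUENCES TO core_prod_user;` (and the `core_pre` counterpart) under the same default-privilege clauses, and if the applications run their own migrations they also need `GRANT CREATE ON SCHEMA core_prod TO core_prod_user;`, since `USAGE` alone does not permit creating tables. The roles are created with `LOGIN` but no password, so credentials are presumably set out-of-band; whether `initScripts` re-run against an existing data directory depends on the chart and image and is not visible in this diff, so the grants should not be relied on for an already-initialised volume.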
@@ -0,0 +1,26 @@ +# PostgreSQL GitOps Bootstrap + +This stack uses ExternalSecrets to materialize runtime credentials from Vault. +The GitOps manifests intentionally do not store secret values. + +## Vault paths expected by this stack + +- `postgresql.svc.plus` + - `POSTGRES_USER` + - `POSTGRES_PASSWORD` + - `GHCR_USERNAME` + - `GHCR_TOKEN` +## Bootstrap rule + +Before or during initial reconciliation, the Vault key `postgresql.svc.plus` +must be seeded with the runtime credentials expected by the manifests in this +directory. Otherwise the ExternalSecrets controller will report +`Secret does not exist`. + +## Helper + +Use `scripts/seed-vault-postgresql.sh` from a trusted admin shell to write the +expected Vault keys from local environment variables or existing K8s Secrets. +The shared TLS Secret for `postgresql-vultr.svc.plus` is synchronized by the +`k3s-platform` Helm chart into `database/postgresql-vultr-tls`, which +`stunnel-server` consumes directly. Do not commit the secret values to Git. diff --git a/databases/postgresql/stunnel-externalsecret.yaml b/databases/postgresql/stunnel-externalsecret.yaml deleted file mode 100644 index d360b6f..0000000 --- a/databases/postgresql/stunnel-externalsecret.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: postgresql-stunnel-server - namespace: database -spec: - refreshInterval: 1m - secretStoreRef: - kind: ClusterSecretStore - name: vault-platform - target: - name: postgresql-stunnel-server - creationPolicy: Owner - data: - - secretKey: server-cert.pem - remoteRef: - key: database/postgresql-stunnel - property: server-cert.pem - - secretKey: server-key.pem - remoteRef: - key: database/postgresql-stunnel - property: server-key.pem diff --git a/databases/postgresql/stunnel-server-deployment.yaml b/databases/postgresql/stunnel-server-deployment.yaml index eaa179e..bb46da0 100644 --- a/databases/postgresql/stunnel-server-deployment.yaml 
+++ b/databases/postgresql/stunnel-server-deployment.yaml @@ -38,13 +38,13 @@ spec: name: postgresql-stunnel-server - name: stunnel-cert secret: - secretName: postgresql-stunnel-server + secretName: postgresql-vultr-tls items: - - key: server-cert.pem + - key: tls.crt path: server-cert.pem - name: stunnel-key secret: - secretName: postgresql-stunnel-server + secretName: postgresql-vultr-tls items: - - key: server-key.pem + - key: tls.key path: server-key.pem diff --git a/databases/stunnel-server/kustomization.yaml b/databases/stunnel-server/kustomization.yaml new file mode 100644 index 0000000..ddb3e9b --- /dev/null +++ b/databases/stunnel-server/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: database +resources: + - stunnel-server-configmap.yaml + - stunnel-server-deployment.yaml + - stunnel-server-service.yaml diff --git a/databases/stunnel-server/stunnel-server-configmap.yaml b/databases/stunnel-server/stunnel-server-configmap.yaml new file mode 100644 index 0000000..91fd39b --- /dev/null +++ b/databases/stunnel-server/stunnel-server-configmap.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: postgresql-stunnel-server +data: + stunnel.conf: | + foreground = yes + debug = 5 + [postgres-tls-server] + client = no + accept = 0.0.0.0:5433 + connect = postgresql.database.svc.cluster.local:5432 + cert = /etc/stunnel/certs/server-cert.pem + key = /etc/stunnel/certs/server-key.pem + sslVersionMin = TLSv1.2 + options = NO_SSLv2 + options = NO_SSLv3 + socket = l:TCP_NODELAY=1 + socket = r:TCP_NODELAY=1 + socket = l:SO_KEEPALIVE=1 + TIMEOUTclose = 0 + TIMEOUTidle = 43200 diff --git a/databases/stunnel-server/stunnel-server-deployment.yaml b/databases/stunnel-server/stunnel-server-deployment.yaml new file mode 100644 index 0000000..1f53ebb --- /dev/null +++ b/databases/stunnel-server/stunnel-server-deployment.yaml 
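Review bot: This edit patches `databases/postgresql/stunnel-server-deployment.yaml` while the same commit creates a near-identical `databases/stunnel-server/stunnel-server-deployment.yaml` and repoints both Flux Kustomizations (`postgresql-prod`, `stunnel-server`) away from `./databases/postgresql`, so as far as this diff shows the file being edited is no longer reconciled by anything and will drift from the copy that is. Unless another Kustomization still applies this directory, I would delete the old stunnel manifests here rather than patch them, keeping `databases/postgresql/` for the README and any ExternalSecrets it still holds. The enclosing Deployment spec starts outside the hunk.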
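Review bot: The `[postgres-tls-server]` section in `stunnel-server-configmap.yaml` presents a certificate but never verifies the peer, so absent a NetworkPolicy any pod that can reach the ClusterIP Service on `5433` can open the tunnel to Postgres, and access control rests on Postgres password authentication alone. If the only intended clients are the stunnel-client Deployments added in this commit, requiring a client certificate (`verifyPeer = yes` plus a `CAfile`, with a matching `cert`/`key` on the client side) confines the tunnel to holders of that certificate; a NetworkPolicy limiting ingress on `5433` to the `core-prod` and `core-pre` namespaces is the lighter-weight alternative. `debug = 5` is fine for rollout but noisy at steady state.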
@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: postgresql-stunnel-server
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: postgresql-stunnel-server
+ template:
+ metadata:
+ labels:
+ app: postgresql-stunnel-server
+ spec:
+ imagePullSecrets:
+ - name: postgresql-ghcr-pull
+ containers:
+ - name: stunnel-server
+ image: ghcr.io/x-evor/postgresql.svc.plus/stunnel-server:latest
+ imagePullPolicy: IfNotPresent
+ command: ["stunnel", "/etc/stunnel/stunnel.conf"]
+ ports:
+ - containerPort: 5433
+ volumeMounts:
+ - name: stunnel-conf
+ mountPath: /etc/stunnel/stunnel.conf
+ subPath: stunnel.conf
+ - name: stunnel-cert
+ mountPath: /etc/stunnel/certs/server-cert.pem
+ subPath: server-cert.pem
+ - name: stunnel-key
+ mountPath: /etc/stunnel/certs/server-key.pem
+ subPath: server-key.pem
+ volumes:
+ - name: stunnel-conf
+ configMap:
+ name: postgresql-stunnel-server
+ - name: stunnel-cert
+ secret:
+ secretName: postgresql-vultr-tls
+ items:
+ - key: tls.crt
+ path: server-cert.pem
+ - name: stunnel-key
+ secret:
+ secretName: postgresql-vultr-tls
+ items:
+ - key: tls.key
+ path: server-key.pem
diff --git a/databases/stunnel-server/stunnel-server-service.yaml b/databases/stunnel-server/stunnel-server-service.yaml
new file mode 100644
index 0000000..04ba444
--- /dev/null
+++ b/databases/stunnel-server/stunnel-server-service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgresql-stunnel-server
+spec:
+ selector:
+ app: postgresql-stunnel-server
+ ports:
+ - name: tls
+ port: 5433
+ targetPort: 5433
diff --git a/scripts/seed-vault-postgresql.sh b/scripts/seed-vault-postgresql.sh
new file mode 100755
index 0000000..eac4582
--- /dev/null
+++ b/scripts/seed-vault-postgresql.sh
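Review bot: `image: ghcr.io/x-evor/postgresql.svc.plus/stunnel-server:latest` together with `imagePullPolicy: IfNotPresent` means each node keeps whatever `:latest` it pulled first, so the TLS terminator in front of the database can differ between nodes and never picks up a rebuilt image; pin it by digest (`image: ghcr.io/x-evor/postgresql.svc.plus/stunnel-server@sha256:…`) or at least set `imagePullPolicy: Always`. The cert and key are mounted with `subPath`, and subPath mounts are not refreshed when the Secret changes, so a rotated `postgresql-vultr-tls` will not reach stunnel until the pod is recreated — mount one `postgresql-vultr-tls` volume as a directory at `/etc/stunnel/certs` instead, as sketched below, so the paths in `stunnel.conf` stay the same. The pod also declares no `securityContext` and no `resources`, which is worth adding for a component on the database path. Finally, this Deployment reuses the name `postgresql-stunnel-server` that `databases/postgresql/stunnel-server-deployment.yaml` (edited earlier in this patch) still declares; if both trees are reconciled into `database` they will fight over the same object, so presumably the old copy is meant to go.
```yaml
          volumeMounts:
            # … unchanged: stunnel-conf mount …
            - name: stunnel-certs
              mountPath: /etc/stunnel/certs
              readOnly: true
      volumes:
        # … unchanged: stunnel-conf configMap volume …
        - name: stunnel-certs
          secret:
            secretName: postgresql-vultr-tls
            items:
              - key: tls.crt
                path: server-cert.pem
              - key: tls.key
                path: server-key.pem
```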
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+usage() {
+ cat <<'EOF'
+Usage:
+ seed-vault-postgresql.sh --vault-addr --vault-token \
+ --postgres-user --postgres-password \
+ --ghcr-username --ghcr-token \
+ --tls-crt --tls-key
+
+Options may also be provided via environment variables:
+ VAULT_ADDR, VAULT_TOKEN, POSTGRES_USER, POSTGRES_PASSWORD,
+ GHCR_USERNAME, GHCR_TOKEN, TLS_CRT, TLS_KEY
+
+This writes the runtime values expected by databases/postgresql/*.yaml to the
+Vault KV path postgresql.svc.plus and the shared TLS material for
+postgresql-vultr.svc.plus.
+EOF
+}
+
+VAULT_ADDR="${VAULT_ADDR:-}"
+VAULT_TOKEN="${VAULT_TOKEN:-}"
+POSTGRES_USER="${POSTGRES_USER:-}"
+POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-}"
+GHCR_USERNAME="${GHCR_USERNAME:-}"
+GHCR_TOKEN="${GHCR_TOKEN:-}"
+TLS_CRT="${TLS_CRT:-}"
+TLS_KEY="${TLS_KEY:-}"
+
+while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --vault-addr) VAULT_ADDR="${2:-}"; shift 2 ;;
+ --vault-token) VAULT_TOKEN="${2:-}"; shift 2 ;;
+ --postgres-user) POSTGRES_USER="${2:-}"; shift 2 ;;
+ --postgres-password) POSTGRES_PASSWORD="${2:-}"; shift 2 ;;
+ --ghcr-username) GHCR_USERNAME="${2:-}"; shift 2 ;;
+ --ghcr-token) GHCR_TOKEN="${2:-}"; shift 2 ;;
+ --tls-crt) TLS_CRT="${2:-}"; shift 2 ;;
+ --tls-key) TLS_KEY="${2:-}"; shift 2 ;;
+ -h|--help) usage; exit 0 ;;
+ *) echo "unknown argument: $1" >&2; usage >&2; exit 1 ;;
+ esac
+done
+
+missing=0
+for name in VAULT_ADDR VAULT_TOKEN POSTGRES_USER POSTGRES_PASSWORD GHCR_USERNAME GHCR_TOKEN TLS_CRT TLS_KEY; do
+ if [[ -z "${!name}" ]]; then
+ echo "missing required value: $name" >&2
+ missing=1
+ fi
+done
+[[ "$missing" -eq 0 ]] || exit 1
+
+if !
command -v vault >/dev/null 2>&1; then
+ echo "missing required command: vault" >&2
+ exit 1
+fi
+
+export VAULT_ADDR VAULT_TOKEN
+
+vault kv put postgresql.svc.plus \
+ POSTGRES_USER="$POSTGRES_USER" \
+ POSTGRES_PASSWORD="$POSTGRES_PASSWORD" \
+ GHCR_USERNAME="$GHCR_USERNAME" \
+ GHCR_TOKEN="$GHCR_TOKEN"
+
+vault kv put postgresql-vultr.svc.plus \
+ tls.crt="$(cat "$TLS_CRT")" \
+ tls.key="$(cat "$TLS_KEY")"
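Review bot: `tls.crt="$(cat "$TLS_CRT")"` and `tls.key="$(cat "$TLS_KEY")"` silently write empty values when a path is wrong — the failed command substitution does not stop the script under `set -e` because it is only an argument to `vault`, so a typo in `--tls-key` leaves Vault holding an empty key and the stunnel-server pods failing much later. Check the files up front, `for f in "$TLS_CRT" "$TLS_KEY"; do [[ -r "$f" ]] || { echo "cannot read: $f" >&2; exit 1; }; done`, and let the CLI read them itself with `tls.crt=@"$TLS_CRT" tls.key=@"$TLS_KEY"`, which also keeps the private key off the `vault` process's argv. The Postgres password, GHCR token and Vault token are similarly exposed to `ps` and shell history both by the `--…` options and by the `POSTGRES_PASSWORD="$POSTGRES_PASSWORD"` style arguments; the environment-variable route the usage text already offers is the safer one and should be documented as the default. Also, `vault kv put postgresql.svc.plus` addresses `postgresql.svc.plus` as the KV mount itself with no secret path beneath it, which only works if a mount is literally named that — given the deleted ExternalSecret referenced keys as `database/postgresql-stunnel`, a mount prefix is presumably missing and worth confirming against the `vault-platform` ClusterSecretStore.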