Merge pull request #1 from svc-design/playbooks
add playbooks & scripts
commit 2993aba194
91
README.md
@ -1 +1,90 @@
|
||||
# gitops
|
||||
# ansible-playbook
|
||||
|
||||
This repository contains a collection of Ansible playbooks and roles for various infrastructure setups and service management tasks.
|
||||
|
||||
## Playbook 角色说明
|
||||
|
||||
1. playbooks/roles/docker:适用于简单的、单机环境的部署,主要使用 Docker 和 Docker Compose 进行容器化管理。
|
||||
2. playbooks/roles/charts:面向大规模的 Kubernetes 集群,使用 Helm 和标准化 Chart 部署模式进行高可用和可扩展的管理。
|
||||
3. playbooks/roles/vhosts:传统的非容器化部署方式,通常涉及手动配置服务器和虚拟主机,适用于不使用容器的应用场景。
|
||||
|
||||
|
||||
## Role Summary
|
||||
|
||||
| Role Name | Description | Docker | Charts | VHosts | CICD | Validate | Last Update |
|
||||
|-------------------------|-------------------------------------------------------|--------|--------|--------|---------|----------|--------------|
|
||||
| `common` | 通用角色,包含一些常用的功能,如日志记录、监控等。 | | | ✔ | | yes | 2025-02-14 |
|
||||
| `keycloak` | 用于管理身份认证和授权服务。 | ✔ | | | github | yes | 2024-11-10 |
|
||||
| `harbor` | 容器镜像仓库角色,用于存储和管理容器镜像。 | ✔ | | | github | yes | 2024-11-14 |
|
||||
| `app` | 参考模板。 | | | | | | |
|
||||
| `nginx` | 用于设置 Nginx | | ✔ | ✔ | | | |
|
||||
| `grafana` | 用于设置 Grafana | | ✔ | ✔ | | | |
|
||||
| `grafana-loki` | 用于设置 Grafana-loki | | ✔ | ✔ | | | |
|
||||
| `Grafana-tempo` | 用于设置 Grafana-tempo | | ✔ | ✔ | | | |
|
||||
| `prometheus` | 用于设置 Prometheus | | ✔ | ✔ | | | |
|
||||
| `prometheus-transfer` | 用于 Prometheus 数据传输设置。 | | | ✔ | | | |
|
||||
| `vector` | 用于配置日志收集代理。 | | | ✔ | | | |
|
||||
| `node-exporter` | 用于导出系统和硬件的监控数据。 | | ✔ | | | | |
|
||||
| `observability-agent` | 用于管理 Observability 代理。 | | ✔ | ✔ | | | |
|
||||
| `observability-server` | 用于设置 Observability 服务端。 | | ✔ | ✔ | | | |
|
||||
| `wireguard-client` | 用于设置 WireGuard 客户端。 | | | ✔ | | | |
|
||||
| `wireguard-gateway` | 用于设置 WireGuard 网关。 | | | ✔ | | | |
|
||||
| `vault` | 用于管理敏感数据和密钥。 | | | ✔ | | | |
|
||||
| `postgresql` | PostgreSQL 数据库角色,用于提供 PostgreSQL 数据库服务。 | | ✔ | | | | |
|
||||
| `redis` | Redis 数据库角色,用于提供 Redis 数据库服务。 | | ✔ | | | | |
|
||||
| `chartmuseum` | 图表仓库角色,用于存储和管理 Kubernetes 图表。 | | ✔ | | | | |
|
||||
| `gitlab` | 代码仓库角色,用于存储和管理代码。 | | ✔ | | | | |
|
||||
| `mysql` | MySQL 数据库角色,用于提供 MySQL 数据库服务。 | | ✔ | | | | |
|
||||
| `argo-server` | 用于设置和管理 Argo Server。 | | ✔ | | | | |
|
||||
| `deepflow` | 用于流量监控与网络性能分析的 DeepFlow 服务。 | | ✔ | | | | |
|
||||
| `jenkins` | Jenkins 自动化构建工具角色,用于 CI/CD 管道。 | | ✔ | | | | |
|
||||
| `chaos-mesh` | 用于 Chaos Engineering 测试的 Chaos Mesh 角色。 | | ✔ | | | | |
|
||||
| `flagger-loadtester` | 用于负载测试的 Flagger Loadtester 角色。 | | ✔ | | | | |
|
||||
| `splunk-otel-collector` | 用于配置 Splunk OpenTelemetry Collector。 | | ✔ | | | | |
|
||||
| `openldap` | 用于设置和管理 OpenLDAP 身份认证服务。 | | ✔ | | | | |
|
||||
| `alerting` | 用于设置和管理警报系统。 | | | ✔ | | | |
|
||||
| `k3s` | 用于创建 Kubernetes 集群。 | | | ✔ | | | |
|
||||
| `k3s-reset` | 用于重置 Kubernetes 集群。 | | | ✔ | | | |
|
||||
| `k3s-addon` | 用于安装 Kubernetes 集群插件。 | | | ✔ | | | |
|
||||
| `secret-manger` | 密钥管理角色,用于管理密钥。 | | | ✔ | | | |
|
||||
| `cert-manager` | 证书管理角色,用于管理证书。 | | | ✔ | | | |
|
||||
|
||||
表格说明
|
||||
- Docker:是否属于 Docker 角色。
|
||||
- Charts:是否属于 Helm Chart 角色。
|
||||
- VHosts:是否属于虚拟主机管理相关角色。
|
||||
- CICD:是否启用 CICD 管道,标明是否集成了自动化流程。
|
||||
- Validate:是否经过验证测试。
|
||||
- Last Update:最后更新时间。
|
||||
|
||||
## Usage Examples
|
||||
|
||||
- Linux OS Setup
|
||||
|
||||
ansible-playbook -i inventory/hosts/all playbooks/common -D -C
|
||||
ansible-playbook -i inventory/hosts/all playbooks/common -D
|
||||
|
||||
- Gather Network Information
|
||||
|
||||
ansible-playbook -i inventory gather_network_info.yml -e target_group=master
|
||||
|
||||
- Display network information on all nodes
|
||||
|
||||
ansible -i inventory all -m script -a 'roles/network_info/tasks/files/display_network_info.sh'
|
||||
|
||||
- Deploy Keycloak Server
|
||||
|
||||
ansible-playbook -i inventory/hosts/core playbooks/keycloak_server -D
|
||||
|
||||
- Set up WireGuard Gateway
|
||||
|
||||
ansible-playbook -i inventory/hosts/vpn playbooks/wireguard_gateway.yaml -D
|
||||
|
||||
- Set up Grafana Alloy
|
||||
|
||||
ansible-playbook -i inventory/k3s-cluster playbooks/init_grafana_alloy -D -C -l cn-k3s-server.svc.plus -e @playbooks/roles/alloy/files/loki_journal_sources_k3s_server.yml -e "ansible_become_pass='xxxx'"
|
||||
|
||||
|
||||
- Setup VPN gateway
|
||||
|
||||
ansible-playbook -i inventory/hosts/all playbooks/common -l gateway -D
|
||||
|
||||
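Review bot: the usage examples do not match the files this PR adds. "Set up WireGuard Gateway" runs `playbooks/wireguard_gateway.yaml`, but the playbook added here is `playbooks/init_vpn_gateway.yml` (hosts `vpn-gateway`, matching `inventory/hosts/vpn`), the `inventory/hosts/core` used by the Keycloak example is not in the diff, and the `alloy` role the Grafana Alloy example relies on is missing from the role table. That same example puts `-e "ansible_become_pass='xxxx'"` on the command line, which ends up in shell history and `ps` output; prefer `--ask-become-pass` or a vaulted variable (the added `ansible.cfg` already sets `vault_password_file`). Minor: `secret-manger` in the table should read `secret-manager`, and `Grafana-tempo` is capitalised unlike the other role names.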
15
ansible.cfg
Normal file
@ -0,0 +1,15 @@
|
||||
[inventory]
|
||||
cache: yes
|
||||
cache_plugin: ansible.builtin.jsonfile
|
||||
|
||||
[defaults]
|
||||
vault_password_file = ~/.vault_password
|
||||
timeout = 10
|
||||
forks = 10
|
||||
poll_interval = 10
|
||||
transport = smart
|
||||
gathering = smart
|
||||
stdout_callback = skippy
|
||||
host_key_checking = False
|
||||
deprecation_warnings = False
|
||||
ansible_python_interpreter=/usr/bin/python3
|
||||
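Review bot: `ansible_python_interpreter=/usr/bin/python3` under `[defaults]` is an inventory/host variable, not an `ansible.cfg` key, so it is silently ignored; the config setting is `interpreter_python = /usr/bin/python3`. `host_key_checking = False` turns off SSH host key verification for every run, which removes the only protection against a man-in-the-middle on the first connection to the internet-facing hosts in `inventory/hosts/all`; prefer pre-populating `~/.ssh/known_hosts` (for cloud instances, from the provider's console output) and leaving the default on. `stdout_callback = skippy` is deprecated; the default callback with `display_skipped_hosts = False` gives the same output. Also `[inventory]` uses `key: value` while `[defaults]` uses `key = value`; both parse, but pick one.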
5
inventory/group_vars/all.yml
Normal file
@ -0,0 +1,5 @@
|
||||
ansible_port: 22
|
||||
ansible_ssh_user: ubuntu
|
||||
ansible_ssh_private_key_file: ~/.ssh/id_rsa
|
||||
ansible_host_key_checking: False
|
||||
|
||||
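Review bot: `ansible_host_key_checking: False` is set here, again in `[all:vars]` of `inventory/hosts/all` and `inventory/k3s-cluster`, and once more as `host_key_checking` in `ansible.cfg`; one place would be enough, and the better choice is to leave host key checking on everywhere (see the `ansible.cfg` comment). `ansible_ssh_user` is the legacy alias; `ansible_user` is the current name. Defaulting `ansible_ssh_private_key_file` to `~/.ssh/id_rsa` for every group also means the CI inventory written by `pre_setup.sh` and the operator's personal key share one path; consider per-environment keys.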
19
inventory/hosts/all
Normal file
@ -0,0 +1,19 @@
|
||||
[all]
|
||||
hw-node.svc.plus ansible_host=139.9.139.22 ansible_ssh_user=root
|
||||
cn-gateway.svc.plus ansible_host=8.130.10.142 ansible_ssh_user=root
|
||||
us-gateway.svc.plus ansible_host=52.196.108.28 ansible_ssh_user=ubuntu
|
||||
global-gateway.svc.plus ansible_host=54.183.199.99 ansible_ssh_user=ubuntu
|
||||
canada-gateway.svc.plus ansible_host=3.96.167.208 ansible_ssh_user=ubuntu
|
||||
vault.onwalk.net ansible_host=3.101.151.231 ansible_ssh_user=ubuntu
|
||||
ldap.svc.plus ansible_host=35.182.63.247 ansible_ssh_user=ubuntu
|
||||
keycloak.svc.plus ansible_host=3.99.126.158 ansible_ssh_user=ubuntu
|
||||
observability.onwalk.net ansible_host=54.153.80.120 ansible_ssh_user=ubuntu
|
||||
argocd.svc.plus ansible_host=13.57.247.27 ansible_ssh_user=ubuntu
|
||||
|
||||
[gateway]
|
||||
vpn-gateway.svc.plus ansible_host=167.179.72.223 ansible_ssh_user=root
|
||||
|
||||
[all:vars]
|
||||
ansible_port=22
|
||||
ansible_ssh_private_key_file=~/.ssh/id_rsa
|
||||
ansible_host_key_checking=False
|
||||
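Review bot: this inventory commits the public IPs and SSH users of the identity and secrets infrastructure (`vault.onwalk.net`, `keycloak.svc.plus`, `ldap.svc.plus`, the gateways), three of them with `ansible_ssh_user=root`. Decide whether it belongs in this repository at all; if it must stay, put the hosts in a named group instead of listing them under `[all]` so that `hosts: all` playbooks need an explicit `-l`, replace the direct `root` logins with the `ubuntu` user plus `become`, and keep `ansible_host_key_checking` on since these hosts are reached over the internet.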
2
inventory/hosts/vpn
Normal file
@ -0,0 +1,2 @@
|
||||
[vpn-gateway]
|
||||
xproxy.onwalk.net ansible_host=43.206.158.21
|
||||
12
inventory/k3s-cluster
Normal file
@ -0,0 +1,12 @@
|
||||
[all]
|
||||
cn-gateway.svc.plus ansible_host=10.254.0.1
|
||||
cn-k3s-server.svc.plus ansible_host=10.254.0.3
|
||||
cn-hw-node.svc.plus ansible_host=10.254.0.4
|
||||
global-gateway.svc.plus ansible_host=10.255.0.1
|
||||
global-k3s-server.svc.plus ansible_host=10.255.0.3
|
||||
|
||||
[all:vars]
|
||||
ansible_port=22
|
||||
ansible_ssh_user=ubuntu
|
||||
ansible_ssh_private_key_file=~/.ssh/id_rsa
|
||||
ansible_host_key_checking=False
|
||||
8
playbooks/common
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: Init Linux OS Common setting
|
||||
hosts: all
|
||||
user: ubuntu
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
roles:
|
||||
- vhosts/common
|
||||
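Review bot: `user: ubuntu` is the old spelling of the play keyword; `remote_user: ubuntu` is the documented name (this applies to every playbook in the PR). Note also that the inventory value `ansible_ssh_user=root` on `hw-node.svc.plus` and the gateways takes precedence over the play keyword, so on those hosts this play logs in as `root` directly rather than as `ubuntu` with `become`; if root login is meant to go away, fix the inventory rather than the play.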
5
playbooks/deploy-docker-harbor.yml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
- hosts: all
|
||||
become: yes
|
||||
roles:
|
||||
- docker/harbor
|
||||
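Review bot: `hosts: all` with `become: yes` installs Harbor on every host of whatever inventory is passed, which against `inventory/hosts/all` includes the Vault, Keycloak and LDAP machines; target a dedicated group (as `init_vpn_gateway.yml` does with `vpn-gateway`) or document that `-l` is mandatory. The play also lacks a `name:`, unlike the other playbooks.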
5
playbooks/deploy-docker-keycloak.yml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
- hosts: all
|
||||
become: yes
|
||||
roles:
|
||||
- docker/keycloak
|
||||
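Review bot: this is the second Keycloak entry point next to `playbooks/keycloak_server` (role `keycloak`), and the `docker/keycloak` role it references is committed under `playbooks/playbooks/roles/...`, a path the README never mentions; keep one playbook per deployment style and document it. The same `hosts: all` concern as for `deploy-docker-harbor.yml` applies.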
17
playbooks/init-harbor-server
Normal file
@ -0,0 +1,17 @@
|
||||
- name: setup harbor
|
||||
hosts: all
|
||||
user: root
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
tasks:
|
||||
- include_role:
|
||||
name: harbor
|
||||
vars:
|
||||
group: master
|
||||
namespace: harbor
|
||||
db_namespace: database
|
||||
update_secret: true
|
||||
tls:
|
||||
- secret_name: harbor-tls
|
||||
keyfile: /etc/ssl/onwalk.net.key
|
||||
certfile: /etc/ssl/onwalk.net.pem
|
||||
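Review bot: the file name uses hyphens while `playbooks/init_harbor_server`, added further down for the same purpose, uses underscores; two harbor playbooks with near-identical names will be mixed up, so keep one. `tls.keyfile: /etc/ssl/onwalk.net.key` means the role reads the wildcard private key from the target host and, given `update_secret: true`, presumably rewrites it into the `harbor-tls` Secret on every run; check that the role does not log that value (`no_log: true` on the task that creates the Secret).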
17
playbooks/init_chaos_mesh
Normal file
@ -0,0 +1,17 @@
|
||||
- name: setup chaos-mesh server
|
||||
hosts: all
|
||||
user: root
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
tasks:
|
||||
- include_role:
|
||||
name: chaos-mesh
|
||||
vars:
|
||||
group: master
|
||||
domain: onwalk.net
|
||||
namespace: chaos-mesh
|
||||
update_secret: true
|
||||
tls:
|
||||
- secret_name: chaos-mesh-tls
|
||||
keyfile: /etc/ssl/onwalk.net.key
|
||||
certfile: /etc/ssl/onwalk.net.pem
|
||||
8
playbooks/init_chartmuseum
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: deploy chartmuseum
|
||||
hosts: all
|
||||
user: ubuntu
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
roles:
|
||||
- chartmuseum
|
||||
16
playbooks/init_deepflow
Normal file
@ -0,0 +1,16 @@
|
||||
- name: setup deepflow server
|
||||
hosts: all
|
||||
user: root
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
tasks:
|
||||
- include_role:
|
||||
name: deepflow
|
||||
vars:
|
||||
group: master
|
||||
update_secret: true
|
||||
namespace: monitoring
|
||||
tls:
|
||||
- secret_name: obs-tls
|
||||
keyfile: /etc/ssl/onwalk.net.key
|
||||
certfile: /etc/ssl/onwalk.net.pem
|
||||
16
playbooks/init_flagger-loadtester
Normal file
@ -0,0 +1,16 @@
|
||||
- name: setup flagger-loadtester server
|
||||
hosts: all
|
||||
user: root
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
tasks:
|
||||
- include_role:
|
||||
name: flagger-loadtester
|
||||
vars:
|
||||
group: master
|
||||
update_secret: true
|
||||
namespace: loadtester
|
||||
tls:
|
||||
- secret_name: obs-tls
|
||||
keyfile: /etc/ssl/${DOMAIN}.key
|
||||
certfile: /etc/ssl/${DOMAIN}.pem
|
||||
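Review bot: `keyfile: /etc/ssl/${DOMAIN}.key` and `certfile: /etc/ssl/${DOMAIN}.pem` use shell syntax, which Ansible does not expand, so the role receives the literal path `/etc/ssl/${DOMAIN}.key`. Use a play variable with Jinja instead, e.g. `domain: onwalk.net` and `keyfile: /etc/ssl/{{ domain }}.key`. The same role is also included from `init_observability-server` with `svc.ink` paths, so one of the two copies is stale.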
23
playbooks/init_gitlab
Normal file
@ -0,0 +1,23 @@
|
||||
- name: setup gitlab
|
||||
hosts: all
|
||||
user: root
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
tasks:
|
||||
- include_role:
|
||||
name: gitlab
|
||||
vars:
|
||||
group: master
|
||||
gitlab_version: '7.0.4'
|
||||
namespace: gitlab
|
||||
db_namespace: database
|
||||
domain: onwalk.net
|
||||
auto_issuance: false
|
||||
update_secret: true
|
||||
tls:
|
||||
- secret_name: gitlab-tls
|
||||
keyfile: /etc/ssl/onwalk.net.key
|
||||
certfile: /etc/ssl/onwalk.net.pem
|
||||
gitlab_oidc_client_id: gitlab-oidc
|
||||
gitlab_oidc_isser: 'https://keycloak.onwalk.net/realms/cloud-sso'
|
||||
gitlab_oidc_redirect_uri: 'https://gitlab.onwalk.net/users/auth/openid_connect/callback'
|
||||
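Review bot: `gitlab_oidc_isser` looks like a typo for `gitlab_oidc_issuer`; if the role's template references the correctly spelled name, the issuer is undefined and the OIDC provider block either errors out or is rendered empty, so OIDC login fails. Check the variable name against the role and fix whichever side is wrong.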
8
playbooks/init_grafana_alloy
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: deploy grafana alloy agent
|
||||
hosts: all
|
||||
user: ubuntu
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
roles:
|
||||
- alloy
|
||||
8
playbooks/init_harbor_server
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: deploy harbor server
|
||||
hosts: all
|
||||
user: ubuntu
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
roles:
|
||||
- harbor
|
||||
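Review bot: duplicate of `playbooks/init-harbor-server` above, differing only in naming convention (underscore vs hyphen) and in using `roles:` instead of `include_role` with explicit vars; the README table lists a single `harbor` role. Keep one harbor playbook, or state when each is used.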
18
playbooks/init_jenkins
Normal file
@ -0,0 +1,18 @@
|
||||
- name: setup jenkins server
|
||||
hosts: all
|
||||
user: root
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
tasks:
|
||||
- include_role:
|
||||
name: jenkins
|
||||
vars:
|
||||
group: master
|
||||
domain: onwalk.net
|
||||
namespace: jenkins
|
||||
update_secret: true
|
||||
db_namespace: database
|
||||
tls:
|
||||
- secret_name: jenkins-tls
|
||||
keyfile: /etc/ssl/onwalk.net.key
|
||||
certfile: /etc/ssl/onwalk.net.pem
|
||||
8
playbooks/init_k3s_cluster_agent
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: Initialize K3s Cluster Agent
|
||||
hosts: all
|
||||
user: ubuntu
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
roles:
|
||||
- k3s-cluster-agent
|
||||
8
playbooks/init_k3s_cluster_server
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: Initialize K3s Cluster Server
|
||||
hosts: all
|
||||
user: ubuntu
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
roles:
|
||||
- k3s-cluster-server
|
||||
27
playbooks/init_k3s_cluster_std
Normal file
@ -0,0 +1,27 @@
|
||||
- name: set artifact cluster with vhosts
|
||||
hosts: all
|
||||
user: root
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
tasks:
|
||||
- include_role:
|
||||
name: k3s-reset
|
||||
vars:
|
||||
group: master
|
||||
cluster_reset: 'enable'
|
||||
- include_role:
|
||||
name: k3s
|
||||
vars:
|
||||
group: master
|
||||
cni: default
|
||||
version: 'v1.27.2+k3s1'
|
||||
pod_cidr: '10.10.0.0/16'
|
||||
svc_cidr: '172.16.0.0/16'
|
||||
enable_api_access: true
|
||||
- include_role:
|
||||
name: k3s-addon
|
||||
vars:
|
||||
group: master
|
||||
ingress: nginx
|
||||
external_dns: enable
|
||||
cert_issuance: vault
|
||||
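Review bot: the `k3s-reset` role with `cluster_reset: 'enable'` runs unconditionally before `k3s`, so every execution of this playbook tears the cluster down first, including a re-run to fix a failed addon; gate the reset behind an extra var (`when: cluster_reset | default('disable') == 'enable'`) or a tag. `version: 'v1.27.2+k3s1'` pins a Kubernetes minor that is out of upstream support; if the pin is deliberate, add a comment. `enable_api_access: true` exposes the API server beyond the node; confirm the role limits it to the expected source ranges.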
38
playbooks/init_k3s_cluster_with_argo_server
Normal file
@ -0,0 +1,38 @@
|
||||
- name: set artifact cluster with vhosts
|
||||
hosts: all
|
||||
user: root
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
tasks:
|
||||
- include_role:
|
||||
name: k3s-reset
|
||||
vars:
|
||||
group: master
|
||||
cluster_reset: 'enable'
|
||||
- include_role:
|
||||
name: k3s
|
||||
vars:
|
||||
group: master
|
||||
cni: default
|
||||
version: 'v1.27.2+k3s1'
|
||||
pod_cidr: '10.10.0.0/16'
|
||||
svc_cidr: '172.16.0.0/16'
|
||||
enable_api_access: true
|
||||
- include_role:
|
||||
name: k3s-addon
|
||||
vars:
|
||||
group: master
|
||||
ingress: disable
|
||||
external_dns: disable
|
||||
cert_issuance: vault
|
||||
- include_role:
|
||||
name: argo-server
|
||||
vars:
|
||||
group: master
|
||||
namespace: argocd
|
||||
domain: onwalk.net
|
||||
update_secret: true
|
||||
tls:
|
||||
- secret_name: argocd-server-tls
|
||||
keyfile: /etc/ssl/onwalk.net.key
|
||||
certfile: /etc/ssl/onwalk.net.pem
|
||||
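Review bot: the first three `include_role` blocks are a verbatim copy of `init_k3s_cluster_std` (including the play name `set artifact cluster with vhosts`, which describes neither playbook) with only `ingress` and `external_dns` flipped to `disable`; use `import_playbook` for the shared part or turn the addon switches into variables so the two do not drift. The unconditional `k3s-reset` concern from the other playbook applies here too, and it matters more because a re-run also wipes the Argo CD state in the `argocd` namespace.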
13
playbooks/init_observability-agent
Normal file
@ -0,0 +1,13 @@
|
||||
- name: setup observability agent
|
||||
hosts: all
|
||||
user: root
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
tasks:
|
||||
- include_role:
|
||||
name: observability-agent
|
||||
vars:
|
||||
group: master
|
||||
namespace: monitoring
|
||||
deepflowserverip: 10.146.0.8
|
||||
deepflowk8sclusterid: d-kqjofXyZbg
|
||||
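Review bot: `deepflowserverip: 10.146.0.8` and `deepflowk8sclusterid: d-kqjofXyZbg` are environment-specific values hardcoded in the playbook; they belong in inventory `group_vars` or `-e`, otherwise the playbook cannot be reused for a second cluster and the cluster id has to be edited in git each time the agent is re-registered.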
29
playbooks/init_observability-server
Normal file
@ -0,0 +1,29 @@
|
||||
- name: setup observability server
|
||||
hosts: all
|
||||
user: root
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
tasks:
|
||||
- include_role:
|
||||
name: observability-server
|
||||
vars:
|
||||
group: master
|
||||
update_secret: true
|
||||
auto_issuance: false
|
||||
namespace: monitoring
|
||||
db_namespace: database
|
||||
tls:
|
||||
- secret_name: obs-tls
|
||||
keyfile: /etc/ssl/svc.ink.key
|
||||
certfile: /etc/ssl/svc.ink.pem
|
||||
- include_role:
|
||||
name: flagger-loadtester
|
||||
vars:
|
||||
group: master
|
||||
update_secret: true
|
||||
auto_issuance: false
|
||||
namespace: loadtester
|
||||
tls:
|
||||
- secret_name: obs-tls
|
||||
keyfile: /etc/ssl/svc.ink.key
|
||||
certfile: /etc/ssl/svc.ink.pem
|
||||
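Review bot: the TLS paths here are `/etc/ssl/svc.ink.key` and `.pem` while every other playbook in the PR (and `hosts/all`) uses `onwalk.net`; confirm the domain is intended rather than left over. `flagger-loadtester` is included both here and in its own `init_flagger-loadtester` playbook with a different TLS path, and both reuse `secret_name: obs-tls` in different namespaces (`monitoring`, `loadtester`), so a key rotation has to touch several files; factor the TLS block into one shared variable.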
18
playbooks/init_openldap
Normal file
@ -0,0 +1,18 @@
|
||||
- name: setup openldap
|
||||
hosts: all
|
||||
user: root
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
tasks:
|
||||
- include_role:
|
||||
name: openldap
|
||||
vars:
|
||||
group: master
|
||||
namespace: itsm
|
||||
domain: onwalk.net
|
||||
update_secret: true
|
||||
auto_issuance: false
|
||||
tls:
|
||||
- secret_name: openldap-tls
|
||||
keyfile: /etc/ssl/onwalk.net.key
|
||||
certfile: /etc/ssl/onwalk.net.pem
|
||||
13
playbooks/init_splunk-otel-collector
Normal file
@ -0,0 +1,13 @@
|
||||
- name: setup splunk otel collector
|
||||
hosts: all
|
||||
user: root
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
tasks:
|
||||
- include_role:
|
||||
name: splunk-otel-collector
|
||||
vars:
|
||||
group: master
|
||||
namespace: default
|
||||
splunk_hec_url: https://xxxx.splunkcloud.com:8088/services/collector/event
|
||||
splunk_hec_token: "token-xxxxxx"
|
||||
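Review bot: `splunk_hec_token: "token-xxxxxx"` is a credential placeholder in a committed playbook; once someone fills it in, the HEC token (which grants write access to the Splunk index) is in git history. Keep the key but take the value from Ansible Vault (`ansible.cfg` already points at `~/.vault_password`) or from `lookup('env', 'SPLUNK_HEC_TOKEN')`, and move the `xxxx` host part of `splunk_hec_url` to the same place.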
10
playbooks/init_telegraf
Normal file
@ -0,0 +1,10 @@
|
||||
- name: Setup telegraf
|
||||
hosts: all
|
||||
user: root
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
tasks:
|
||||
- include_role:
|
||||
name: telegraf
|
||||
vars:
|
||||
update_secret: true
|
||||
8
playbooks/init_vault
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: deploy vault server
|
||||
hosts: all
|
||||
user: ubuntu
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
roles:
|
||||
- vault
|
||||
7
playbooks/init_vpn_gateway.yml
Executable file
@ -0,0 +1,7 @@
|
||||
---
|
||||
- hosts: vpn-gateway
|
||||
user: ubuntu
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
roles:
|
||||
- wireguard-gateway
|
||||
7
playbooks/keycloak_server
Normal file
@ -0,0 +1,7 @@
|
||||
---
|
||||
- hosts: all
|
||||
user: ubuntu
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
roles:
|
||||
- keycloak
|
||||
14
playbooks/playbooks/roles/docker/keycloak/defaults/main.yml
Normal file
@ -0,0 +1,14 @@
|
||||
---
|
||||
postgres_db: keycloak
|
||||
postgres_user: keycloak_user
|
||||
postgres_password: keycloak_password
|
||||
|
||||
keycloak_admin: admin
|
||||
keycloak_admin_password: admin_password
|
||||
|
||||
keycloak_key_store_password: a4h3ljbn
|
||||
keycloak_trust_store_password: a4h3ljbn
|
||||
|
||||
ssl_certificate_path: /etc/ssl/onwalk.net.pem
|
||||
ssl_certificate_key_path: /etc/ssl/onwalk.net.key
|
||||
dhparam_path: /etc/ssl/dhparam.pem
|
||||
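Review bot: the path `playbooks/playbooks/roles/docker/keycloak/` has a doubled `playbooks/` segment; the role's own tasks refer to `{{ playbook_dir }}/roles/docker/keycloak/...`, which resolves to `playbooks/roles/docker/keycloak/`, so the role will not be found where it is committed. The defaults also ship usable credentials (`postgres_password: keycloak_password`, `keycloak_admin_password: admin_password`, keystore and truststore password `a4h3ljbn`); role defaults are the lowest-precedence variables and are easy to forget to override, so set them to something that fails loudly (e.g. `{{ undef(hint='set in vault') }}`) and keep the real values in a vaulted file.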
37
playbooks/playbooks/roles/docker/keycloak/files/nginx.conf
Normal file
@ -0,0 +1,37 @@
|
||||
server {
|
||||
listen 80;
|
||||
server_name keycloak.onwalk.net;
|
||||
|
||||
# 强制 HTTP 请求重定向到 HTTPS
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
server_name keycloak.onwalk.net;
|
||||
|
||||
# SSL 配置
|
||||
ssl_certificate /etc/ssl/certs/onwalk.net.pem;
|
||||
ssl_certificate_key /etc/ssl/certs/onwalk.net.key;
|
||||
|
||||
# 日志设置
|
||||
access_log /dev/stdout;
|
||||
error_log /dev/stderr;
|
||||
|
||||
# 配置反向代理
|
||||
location / {
|
||||
proxy_pass https://127.0.0.1:8443;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Port $server_port;
|
||||
proxy_set_header Cookie $http_cookie;
|
||||
proxy_redirect off;
|
||||
}
|
||||
|
||||
# SSL 强化
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256';
|
||||
ssl_prefer_server_ciphers off;
|
||||
}
|
||||
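Review bot: this file is mounted over `/etc/nginx/nginx.conf` in the compose template (`- ./nginx.conf:/etc/nginx/nginx.conf`), but it contains only `server { }` blocks with no `events { }` and `http { }` context, so nginx refuses to start (`"server" directive is not allowed here`); mount it as `/etc/nginx/conf.d/default.conf` instead, which the stock image includes from its own `nginx.conf`. Second, `proxy_pass https://127.0.0.1:8443` points at the nginx container's own loopback, not at Keycloak; on the compose network the upstream is the service name, `https://keycloak:8443`. `dhparam.pem` is mounted by compose but never referenced by an `ssl_dhparam` directive, and with ECDHE suites plus a single DHE one it is worth deciding whether DHE is needed at all.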
29
playbooks/playbooks/roles/docker/keycloak/tasks/main.yml
Normal file
@ -0,0 +1,29 @@
|
||||
- name: 执行 pre-setup 操作
|
||||
include_tasks: "{{ playbook_dir }}/roles/docker/keycloak/tasks/pre-setup.yml"
|
||||
|
||||
- name: 渲染 .env 配置文件
|
||||
template:
|
||||
src: "{{ playbook_dir }}/roles/docker/keycloak/templates/.env.j2"
|
||||
dest: "{{ playbook_dir }}/roles/docker/keycloak/files/.env"
|
||||
|
||||
- name: 执行 create_keystore.sh 脚本
|
||||
script: "{{ playbook_dir }}/roles/docker/keycloak/files/create_keystore.sh"
|
||||
args:
|
||||
chdir: "/home/ubuntu"
|
||||
|
||||
- name: 渲染 Docker Compose 配置文件
|
||||
template:
|
||||
src: "{{ playbook_dir }}/roles/docker/keycloak/templates/docker-compose.yml.j2"
|
||||
dest: "{{ playbook_dir }}/roles/docker/keycloak/files/docker-compose.yml"
|
||||
|
||||
- name: 启动 Docker Compose 服务
|
||||
become: true
|
||||
docker_compose:
|
||||
project_src: "{{ playbook_dir }}/roles/docker/keycloak"
|
||||
files:
|
||||
- "{{ playbook_dir }}/roles/docker/keycloak/files/docker-compose.yml"
|
||||
restarted: true
|
||||
state: present
|
||||
|
||||
- name: 执行 post-setup 操作
|
||||
include_tasks: "{{ playbook_dir }}/roles/docker/keycloak/tasks/post-setup.yml"
|
||||
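Review bot: the `template` tasks use `{{ playbook_dir }}` (a controller-side path) as `dest`, and `docker_compose.project_src` does the same, but these tasks run on the managed host, where `playbooks/roles/docker/keycloak/files/` does not exist; either run the play with `connection: local` or `delegate_to: localhost`, or render into a remote directory such as `/opt/keycloak/` and point `project_src` there. The rendered `.env` and `docker-compose.yml` contain the database and admin passwords, so give them `mode: '0600'`. `docker_compose` is the deprecated v1 module (removed in community.docker 4, and it needed the Python `docker-compose` package); use `community.docker.docker_compose_v2`. `become: true` is set only on the compose task, although `create_keystore.sh` presumably writes `/etc/ssl/keystore.jks`, judging by the compose mounts.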
@ -0,0 +1,64 @@
|
||||
version: '3.7'
|
||||
|
||||
services:
|
||||
postgres:
|
||||
image: postgres:16.0-bookworm
|
||||
environment:
|
||||
POSTGRES_DB: {{ postgres_db }}
|
||||
POSTGRES_USER: {{ postgres_user }}
|
||||
POSTGRES_PASSWORD: {{ postgres_password }}
|
||||
volumes:
|
||||
- postgres_data:/var/lib/postgresql/data
|
||||
networks:
|
||||
- keycloak_network
|
||||
|
||||
keycloak:
|
||||
image: bitnami/keycloak:latest
|
||||
environment:
|
||||
KEYCLOAK_ADMIN: {{ keycloak_admin }}
|
||||
KEYCLOAK_ADMIN_PASSWORD: {{ keycloak_admin_password }}
|
||||
KEYCLOAK_DATABASE_VENDOR: postgresql
|
||||
KEYCLOAK_DATABASE_HOST: postgres
|
||||
KEYCLOAK_DATABASE_PORT: 5432
|
||||
KEYCLOAK_DATABASE_USER: {{ postgres_user }}
|
||||
KEYCLOAK_DATABASE_NAME: {{ postgres_db }}
|
||||
KEYCLOAK_DATABASE_PASSWORD: {{ postgres_password }}
|
||||
KEYCLOAK_ENABLE_HTTPS: true
|
||||
KEYCLOAK_HTTPS_KEY_STORE_FILE: /etc/ssl/keystore.jks
|
||||
KEYCLOAK_HTTPS_KEY_STORE_PASSWORD: {{ keycloak_key_store_password }}
|
||||
KEYCLOAK_HTTPS_TRUST_STORE_FILE: /etc/ssl/truststore.jks
|
||||
KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD: {{ keycloak_trust_store_password }}
|
||||
ports:
|
||||
- 8080:8080
|
||||
volumes:
|
||||
- /etc/ssl/keystore.jks:/etc/ssl/keystore.jks
|
||||
- /etc/ssl/truststore.jks:/etc/ssl/truststore.jks
|
||||
restart: always
|
||||
depends_on:
|
||||
- postgres
|
||||
networks:
|
||||
- keycloak_network
|
||||
|
||||
nginx:
|
||||
image: nginx:latest
|
||||
depends_on:
|
||||
- keycloak
|
||||
ports:
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
volumes:
|
||||
- /etc/ssl/onwalk.net.pem:/etc/ssl/certs/onwalk.net.pem
|
||||
- /etc/ssl/onwalk.net.key:/etc/ssl/certs/onwalk.net.key
|
||||
- /etc/ssl/dhparam.pem:/etc/nginx/ssl/dhparam.pem
|
||||
- ./nginx.conf:/etc/nginx/nginx.conf
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
- keycloak_network
|
||||
|
||||
volumes:
|
||||
postgres_data:
|
||||
driver: local
|
||||
|
||||
networks:
|
||||
keycloak_network:
|
||||
driver: bridge
|
||||
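Review bot: several values in what appears to be the `docker-compose.yml.j2` template (the file header was lost in rendering) will break at `docker compose up`. `KEYCLOAK_ENABLE_HTTPS: true` is a YAML boolean, and Compose rejects boolean environment values; quote it. The Jinja substitutions such as `POSTGRES_PASSWORD: {{ postgres_password }}` are also unquoted, so a password containing `:`, `#` or a leading special character yields invalid YAML; write `'{{ postgres_password }}'`. `keycloak` publishes `8080:8080` on the host even though nginx is the intended entry point and proxies to 8443; drop that `ports:` block so only nginx exposes 80/443. `bitnami/keycloak:latest` and `nginx:latest` are unpinned, so the same playbook yields different images over time; pin a tag or digest. The `- ./nginx.conf:/etc/nginx/nginx.conf` mount has the context problem noted on `nginx.conf`.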
48
playbooks/pre_setup.sh
Normal file
@ -0,0 +1,48 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Function to check if a variable is empty
|
||||
check_empty() {
|
||||
if [ -z "${!1}" ]; then
|
||||
echo "$1 is empty. Aborting."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# List of variables to check
|
||||
variables=("DNS_AK" "DNS_SK" "OSS_AK" "OSS_SK" "ROOT_PASSWORD" "SMTP_PASSWORD" "GITLAB_OIDC_CLIENT_TOKEN" "HARBOR_OIDC_CLIENT_TOKEN" "SSH_USER" "SSH_HOST_IP" "SSH_HOST_DOMAIN" "SSH_PRIVATE_KEY")
|
||||
|
||||
# Loop through variables and check if each one is empty
|
||||
for var in "${variables[@]}"; do
|
||||
check_empty "$var"
|
||||
done
|
||||
|
||||
sudo apt install jq ansible -y
|
||||
|
||||
mkdir -pv ~/.ssh/
|
||||
cat > ~/.ssh/id_rsa << EOF
|
||||
$SSH_PRIVATE_KEY
|
||||
EOF
|
||||
sudo chmod 0400 ~/.ssh/id_rsa
|
||||
md5sum ~/.ssh/id_rsa
|
||||
|
||||
mkdir -pv hosts/
|
||||
|
||||
cat > hosts/inventory << EOF
|
||||
[master]
|
||||
$SSH_HOST_DOMAIN ansible_host=$SSH_HOST_IP
|
||||
|
||||
[all:vars]
|
||||
ansible_port=22
|
||||
ansible_ssh_user=$SSH_USER
|
||||
ansible_ssh_private_key_file=~/.ssh/id_rsa
|
||||
ansible_host_key_checking=False
|
||||
ingress_ip=$SSH_HOST_IP
|
||||
dns_ak=$DNS_AK
|
||||
dns_sk=$DNS_SK
|
||||
oss_ak=$OSS_AK
|
||||
oss_sk=$OSS_SK
|
||||
admin_password=$ROOT_PASSWORD
|
||||
smtp_password=$SMTP_PASSWORD
|
||||
gitlab_oidc_client_token=$GITLAB_OIDC_CLIENT_TOKEN
|
||||
harbor_oidc_client_token=$HARBOR_OIDC_CLIENT_TOKEN
|
||||
EOF
|
||||
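Review bot: the generated `hosts/inventory` carries every secret the script validates (`dns_sk`, `oss_sk`, `admin_password`, `smtp_password`, both OIDC client tokens) as plaintext `[all:vars]`, written into the working tree where an artifact upload or a `cat` in a later CI step exposes it; pass them at run time with `-e` from the environment, or have the roles read them via `lookup('env', ...)`, and keep the inventory free of secrets. `md5sum ~/.ssh/id_rsa` prints a digest of the private key into the job log, which is unnecessary and lets anyone with log access confirm key reuse across jobs; delete it. The key is written before `chmod 0400`, so it is briefly readable under the default umask; put `umask 077` before the heredoc. Minor: `sudo apt install` without a preceding `apt-get update` fails on a fresh image.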
8
playbooks/renew_nodes_ssl_certs
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
- name: renew nodes ssl certs
|
||||
hosts: all
|
||||
user: ubuntu
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
roles:
|
||||
- cert-manager
|
||||
2
playbooks/roles/charts/app/meta/main.yml
Normal file
@ -0,0 +1,2 @@
|
||||
dependencies:
|
||||
- role: common
|
||||
16
playbooks/roles/charts/app/tasks/main.yml
Executable file
@ -0,0 +1,16 @@
|
||||
- name: Prep DIR
|
||||
shell: "mkdir -pv /tmp/app/"
|
||||
|
||||
- name: Prep NameSpace
|
||||
shell: "kubectl create namespace default || echo true"
|
||||
|
||||
- name: Sync Deploy yaml
|
||||
template: src=templates/{{ item }} dest=/tmp/app/{{ item }} owner=root group=root mode=0644 force=yes unsafe_writes=yes
|
||||
with_items:
|
||||
- deploy-app.yaml
|
||||
|
||||
- name: Setup App
|
||||
shell: "kubectl apply -f /tmp/app/{{ item }}"
|
||||
when: inventory_hostname in groups[group]
|
||||
with_items:
|
||||
- deploy-app.yaml
|
||||
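Review bot: `Sync Deploy yaml` runs on every host while only `Setup App` is guarded by `when: inventory_hostname in groups[group]`, so nodes outside the target group still receive the rendered manifest in `/tmp/app/` with `mode=0644` for no reason; apply the `when` to all three tasks. `unsafe_writes=yes` is not needed here and gives up the atomic write, and `shell: "kubectl create namespace default || echo true"` swallows every failure; prefer `kubernetes.core.k8s` with `state: present`, or at least the `file` module for the mkdir and `loop:` instead of `with_items`.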
2
playbooks/roles/charts/app/templates/.gitignore
vendored
Normal file
@ -0,0 +1,2 @@
|
||||
/clickhouse-keeper-k8s.iml
|
||||
/.idea/
|
||||
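Review bot: `/clickhouse-keeper-k8s.iml` and `/.idea/` are IDE files from an unrelated project; a role's `templates/` directory does not need its own `.gitignore`, and if IDE files should be ignored, do it once at the repository root.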
18
playbooks/roles/charts/app/templates/deploy-app.yaml
Normal file
@ -0,0 +1,18 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: app
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: demo
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: demo
|
||||
spec:
|
||||
containers:
|
||||
- name: demo
|
||||
image: {{ app_image }}:{{ app_tag }}
|
||||
imagePullPolicy: Always
|
||||
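Review bot: since this is the reference template other roles will copy, the Deployment should carry the baseline every workload needs: `resources` requests and limits, a `securityContext` with `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`, and `automountServiceAccountToken: false` unless the app talks to the API server. `imagePullPolicy: Always` combined with a mutable `{{ app_tag }}` also means what runs can change on every pod restart; prefer an immutable tag or a digest.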
100
playbooks/roles/charts/argo-server/files/setup-argocd.sh
Normal file
@ -0,0 +1,100 @@
|
||||
#!/bin/bash
|
||||
|
||||
# 检查参数是否为空
|
||||
check_not_empty() {
|
||||
if [[ -z $1 ]]; then
|
||||
echo "Error: $2 is empty. Please provide a value."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
helm repo add argo https://argoproj.github.io/argo-helm
|
||||
helm repo update
|
||||
|
||||
# 使用 Helm 部署 Argo CD
|
||||
#helm upgrade --install argocd argo/argo-cd -n argocd --create-namespace
|
||||
|
||||
cat <<EOF > values.yaml
|
||||
global:
|
||||
domain: argocd.onwalk.net
|
||||
server:
|
||||
service:
|
||||
type: ClusterIP
|
||||
servicePortHttp: 80
|
||||
servicePortHttps: 443
|
||||
servicePortHttpName: http
|
||||
servicePortHttpsName: https
|
||||
ingress:
|
||||
enabled: false
|
||||
ingressClassName: "nginx"
|
||||
hostname: argocd.onwalk.net
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
|
||||
tls: true
|
||||
repoServer:
|
||||
extraContainers:
|
||||
- name: helmfile
|
||||
image: ghcr.io/helmfile/helmfile:v0.157.0
|
||||
# Entrypoint should be Argo CD lightweight CMP server i.e. argocd-cmp-server
|
||||
command: ["/var/run/argocd/argocd-cmp-server"]
|
||||
env:
|
||||
- name: HELM_CACHE_HOME
|
||||
value: /tmp/helm/cache
|
||||
- name: HELM_CONFIG_HOME
|
||||
value: /tmp/helm/config
|
||||
- name: HELMFILE_CACHE_HOME
|
||||
value: /tmp/helmfile/cache
|
||||
- name: HELMFILE_TEMPDIR
|
||||
value: /tmp/helmfile/tmp
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 999
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/argocd
|
||||
name: var-files
|
||||
- mountPath: /home/argocd/cmp-server/plugins
|
||||
name: plugins
|
||||
# Register helmfile plugin into sidecar
|
||||
- mountPath: /home/argocd/cmp-server/config/plugin.yaml
|
||||
subPath: helmfile.yaml
|
||||
name: argocd-cmp-cm
|
||||
# Starting with v2.4, do NOT mount the same tmp volume as the repo-server container. The filesystem separation helps mitigate path traversal attacks.
|
||||
- mountPath: /tmp
|
||||
name: helmfile-tmp
|
||||
volumes:
|
||||
- name: argocd-cmp-cm
|
||||
configMap:
|
||||
name: argocd-cmp-cm
|
||||
- name: helmfile-tmp
|
||||
emptyDir: {}
|
||||
configs:
|
||||
cmp:
|
||||
create: true
|
||||
plugins:
|
||||
helmfile:
|
||||
allowConcurrency: true
|
||||
discover:
|
||||
fileName: helmfile.yaml
|
||||
generate:
|
||||
command:
|
||||
- bash
|
||||
- "-c"
|
||||
- |
|
||||
if [[ -v ENV_NAME ]]; then
|
||||
helmfile -n "$ARGOCD_APP_NAMESPACE" -e $ENV_NAME template --include-crds -q
|
||||
elif [[ -v ARGOCD_ENV_ENV_NAME ]]; then
|
||||
helmfile -n "$ARGOCD_APP_NAMESPACE" -e "$ARGOCD_ENV_ENV_NAME" template --include-crds -q
|
||||
else
|
||||
helmfile -n "$ARGOCD_APP_NAMESPACE" template --include-crds -q
|
||||
fi
|
||||
lockRepo: false
|
||||
EOF
|
||||
|
||||
helm upgrade --install argocd argo/argo-cd -n argocd -f values.yaml
|
||||
|
||||
# 等待 Argo CD 完全启动
|
||||
echo "Waiting for Argo CD to be ready..."
|
||||
kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=argocd-server -n argocd --timeout=180s
|
||||
|
||||
echo "Argo CD deployment and configuration complete."
|
||||
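Review bot: the heredoc `cat <<EOF > values.yaml` is unquoted, so `$ARGOCD_APP_NAMESPACE`, `$ENV_NAME` and `$ARGOCD_ENV_ENV_NAME` inside the helmfile `generate.command` are expanded by this script at install time (to empty strings) instead of being written literally for the CMP sidecar to evaluate; the plugin then runs `helmfile -n "" -e template ...`. Use `cat <<'EOF' > values.yaml`. The final `helm upgrade --install argocd argo/argo-cd -n argocd -f values.yaml` also lost the `--create-namespace` that the commented-out line had, so a first install on a fresh cluster fails because the `argocd` namespace does not exist. `check_not_empty` is defined but never called; use it or drop it. In the CMP command `-e $ENV_NAME` is unquoted while the other branch quotes `"$ARGOCD_ENV_ENV_NAME"`; quote both. `server.ingress.enabled: false` next to a filled-in `hostname`, `annotations` and `tls: true` suggests the toggle should come from the `ingress` addon variable in the k3s playbooks rather than a literal. Finally, add `set -euo pipefail` so a failed `helm repo add` stops the run.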
2
playbooks/roles/charts/argo-server/meta/main.yml
Normal file
@ -0,0 +1,2 @@
|
||||
dependencies:
|
||||
- role: cert-manager
|
||||
2
playbooks/roles/charts/argo-server/tasks/main.yml
Executable file
@ -0,0 +1,2 @@
|
||||
- name: Set ArgoCD Contoller
|
||||
script: files/setup-argocd.sh
|
||||
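Review bot: typo `Contoller` in the task name. `script: files/setup-argocd.sh` copies the script to the managed node and runs it there, where it writes `values.yaml` into the remote user's current directory and needs `helm`, `kubectl` and a kubeconfig; state that dependency (the `meta/main.yml` only pulls in `cert-manager`) and pass `args: chdir:` so the file lands in a known place.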
24
playbooks/roles/charts/chaos-mesh/files/setup.sh
Normal file
@ -0,0 +1,24 @@
|
||||
#!/bin/bash
|
||||
set -x
|
||||
export domain=$1
|
||||
export secret=$2
|
||||
export namespace=$3
|
||||
|
||||
cat > values.yaml << EOF
|
||||
chaosDaemon:
|
||||
runtime: containerd
|
||||
socketPath: /run/k3s/containerd/containerd.sock
|
||||
dashboard:
|
||||
create: true
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
hosts:
|
||||
- name: chaos-mesh.$domain
|
||||
tls: true
|
||||
tlsSecret: $secret
|
||||
EOF
|
||||
|
||||
helm repo add chaos-mesh https://charts.chaos-mesh.org
|
||||
helm repo update
|
||||
helm upgrade --install chaos-mesh chaos-mesh/chaos-mesh -n $namespace --create-namespace --version 2.6.3 -f values.yaml
|
||||
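Review bot: the three positional arguments are used unvalidated and unquoted (`-n $namespace`, `chaos-mesh.$domain`), so a call with a missing argument installs into the current kube context's default namespace with a broken ingress host; add an empty-argument check like the one `setup-argocd.sh` defines (and actually call it), quote the expansions, and add `set -eu`. `set -x` is acceptable here since only a Secret name, not its contents, is passed. `socketPath: /run/k3s/containerd/containerd.sock` ties the role to k3s; document that or make it a variable.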
124
playbooks/roles/charts/chaos-mesh/howto.md
Normal file
@ -0,0 +1,124 @@
|
||||
# Jenkins Mater 部署
|
||||
|
||||
# Jenkins Node IaC Runner 设置
|
||||
1. 安装git terraform
|
||||
|
||||
## GitLab to trigger Jenkins
|
||||
|
||||
1. Gitlab https://gitlab.xxx.com/-/profile/personal_access_tokens
|
||||
|
||||
2. GitLab和Jenkins的集成可以让你在GitLab中的代码更新后自动触发Jenkins的构建任务。以下是配置GitLab插件和Jenkins以实现GitLab触发Jenkins的步骤:
|
||||
3. 在Jenkins中安装GitLab插件
|
||||
首先,你需要在Jenkins中安装GitLab插件。登录到Jenkins的管理界面,然后转到“Manage Jenkins” > “Manage Plugins” > “Available”,在搜索框中输入“GitLab”,找到并安装“GitLab Plugin”。
|
||||
4. 在Jenkins中配置GitLab连接
|
||||
安装完插件后,你需要配置GitLab的连接。转到“Manage Jenkins” > “Configure System”,滚动到“GitLab”部分,点击“Add GitLab Server” > “Server”,输入你的GitLab服务器URL,并生成并输入一个与你的GitLab账户相关联的API Token。
|
||||
5. 在Jenkins中创建一个新的任务
|
||||
创建一个新的任务,并在源代码管理部分选择“Git”,输入你的GitLab项目的URL。在构建触发器部分,选择“Build when a change is pushed to GitLab”。
|
||||
记录:GitLab webhook URL: https://jenkins.xxx.xxx/project/alicloud-oss-pipeline
|
||||
6. 在GitLab中配置Webhook
|
||||
在你的GitLab项目中,转到“Settings” > “Integrations” -> 启用"Jenkins"
|
||||
- 在URL中输入步骤5记录的 Webhook URL https://jenkins.xxx.xxx/project/alicloud-oss-pipeline
|
||||
- 选择你想要触发Jenkins任务的事件(例如,当代码被推送时)
|
||||
- Project name: 输入项目名称
|
||||
- Username: Jenkins 用户名
|
||||
- Password: Jenkins 认证密码
|
||||
- 保存更改, 测试设置,返回状态200为配置正确
|
||||
|
||||
以上就是配置GitLab插件和Jenkins以实现GitLab触发Jenkins的步骤。在完成这些步骤后,每当你的GitLab项目有更新时,都会自动触发对应的Jenkins构建任务。
|
||||
|
||||
## 要将GitHub代码仓库与Jenkins关联起来,您需要完成以下步骤:
|
||||
|
||||
1 要在 GitHub 中启用 webhook 功能以触发 Jenkins 构建,请按照以下步骤操作:
|
||||
2 进入 GitHub 仓库设置:在要设置 webhook 的 GitHub 仓库页面上,点击右上角的“Settings”。
|
||||
3 选择 Webhooks 选项:在仓库设置页面的左侧菜单中,选择“Webhooks”。
|
||||
4 添加 Webhook:在 Webhooks 页面的右上角,点击“Add webhook”。
|
||||
|
||||
配置 Webhook:
|
||||
|
||||
1. Payload URL:输入 Jenkins 服务器的 webhook URL。格式应为 http://your-jenkins-server/github-webhook/。确保替换 your-jenkins-server 为您 Jenkins 服务器的实际地址。
|
||||
2. Content type:选择 application/json。
|
||||
3. Secret(可选):如果需要额外的安全性,可以输入一个秘密令牌。
|
||||
4. SSL verification:选择是否验证 SSL 证书。
|
||||
5. Which events would you like to trigger this webhook?:选择触发 webhook 的事件。通常选择 Just the push event(只有推送事件)或 Let me select individual events(让我选择单独的事件)并选择适当的事件(例如,push、pull request 等)。
|
||||
添加 Webhook:点击页面底部的“Add webhook”按钮以保存配置。
|
||||
|
||||
完成以上步骤后,您的 GitHub 仓库就配置好了一个 webhook,可以触发 Jenkins 构建。记得在 Jenkins 中设置相应的任务来响应这些 webhook。
|
||||
|
||||
|
||||
安装Jenkins插件:
|
||||
|
||||
确保您的Jenkins实例已经安装了“GitHub”和“GitHub Integration”插件。您可以在Jenkins管理界面的“插件管理”部分进行安装。
|
||||
配置GitHub Webhook:
|
||||
|
||||
在GitHub仓库的设置中,找到“Webhooks”部分并添加一个新的Webhook。
|
||||
将“Payload URL”设置为您的Jenkins服务器的URL,通常是这样的格式:http://<JENKINS_URL>/github-webhook/。
|
||||
选择触发Webhook的事件,通常是“Just the push event”或者“Send me everything”。
|
||||
确保“Content type”设置为“application/json”。
|
||||
点击“Add webhook”保存设置。
|
||||
配置Jenkins Job:
|
||||
|
||||
在Jenkins中创建一个新的构建任务或者配置现有的任务。
|
||||
在“源码管理”部分,选择“Git”并填写您的GitHub仓库的URL。
|
||||
在“构建触发器”部分,选择“GitHub hook trigger for GITScm polling”选项。这样,每当GitHub仓库有新的推送事件时,Jenkins就会自动触发构建。
|
||||
测试配置:
|
||||
|
||||
推送一些改动到您的GitHub仓库,检查是否触发了Jenkins构建。
|
||||
在Jenkins的构建历史中查看构建是否成功执行。
|
||||
通过完成以上步骤,您的GitHub代码仓库就与Jenkins关联起来了,可以实现自动触发构建的功能。
|
||||
|
||||
要在 Jenkins 中设置 GitHub 服务,您需要进行以下步骤:
|
||||
|
||||
安装 GitHub 插件:首先确保您的 Jenkins 实例已安装 GitHub 插件。如果尚未安装,请转到 Jenkins 的“插件管理”页面,在“可选插件”选项卡中搜索并安装 GitHub 插件。
|
||||
|
||||
配置 GitHub 服务器:在 Jenkins 管理界面中,转到“系统管理” > “系统设置”。
|
||||
|
||||
在系统设置页面中,找到并点击“GitHub”部分。
|
||||
点击“Add GitHub Server”添加一个新的 GitHub 服务器配置。
|
||||
在配置页面中,输入一个描述性的名称,例如“GitHub”。
|
||||
在 GitHub API URL 中输入 GitHub 的 API 地址。通常为 https://api.github.com。
|
||||
如果您的 GitHub 仓库需要身份验证,请在“凭据”部分选择一个已配置的凭据。如果尚未配置凭据,请点击“Add”添加一个新的凭据,选择类型为“Secret text”或“Username with password”,然后输入您的 GitHub 用户名和密码或访问令牌。
|
||||
完成配置后,点击“保存”保存 GitHub 服务器配置。
|
||||
验证配置:您可以在配置页面的底部点击“Test connection”来验证您的 GitHub 服务器配置是否正常工作。
|
||||
|
||||
保存设置:确保在完成配置后点击“保存”保存更改。
|
||||
|
||||
现在,您已成功配置了 Jenkins 的 GitHub 服务。您可以在 Jenkins 任务中使用这个配置来与 GitHub 仓库进行集成,例如触发构建、拉取代码等操作。
|
||||
|
||||
|
||||
对于 Jenkins 中的 GitHub API URL (https://api.github.com) 的凭据设置,您可以使用 GitHub Personal Access Token。这个 Token 可以通过以下步骤生成:
|
||||
|
||||
在 GitHub 上登录您的账号。
|
||||
点击页面右上角的头像,选择“Settings”。
|
||||
在左侧边栏中,点击“Developer settings”。
|
||||
在左侧边栏中,点击“Personal access tokens”。
|
||||
点击“Generate new token”。
|
||||
输入一个描述性的名称,选择需要的权限(至少需要 repo 权限来访问仓库),然后点击“Generate token”。
|
||||
复制生成的 Token,并保存到一个安全的地方。请注意,这个 Token 只会显示一次,如果您丢失了,请重新生成一个新的 Token。
|
||||
在 Jenkins 中使用这个 Token 作为 GitHub API URL (https://api.github.com) 的凭据时,您可以将 Token 添加为 Jenkins 的凭据:
|
||||
|
||||
进入 Jenkins 管理界面,转到“凭据” > “系统”。
|
||||
在“系统”页面中,点击“Global credentials (unrestricted)”。
|
||||
在凭据页面中,点击“Add credentials”。
|
||||
在“Kind”下拉菜单中选择“Secret text”。
|
||||
在“Secret”框中粘贴您在 GitHub 上生成的 Personal Access Token。
|
||||
输入一个描述性的名称,并点击“OK”保存凭据。
|
||||
现在,您可以在 Jenkins 的配置中使用这个凭据来访问 GitHub API (https://api.github.com)。
|
||||
|
||||
确保 Docker 已安装:在 Jenkins 代理节点上确认 Docker 已正确安装并配置。您可以通过在终端中执行 docker --version 命令来检查 Docker 是否可用。
|
||||
|
||||
检查 Docker 环境:如果 Docker 已安装,请确保 Docker 服务正在运行。您可以使用 sudo systemctl status docker 命令检查 Docker 服务的状态。
|
||||
|
||||
确认 Jenkins 全局工具配置:在 Jenkins 管理界面中,转到“系统管理”->“全局工具配置”,确保 Docker 工具已正确配置。如果未配置,您可以添加一个 Docker 工具,并指定正确的安装路径。
|
||||
|
||||
重启 Jenkins 服务:在进行了上述更改后,尝试重启 Jenkins 服务,以确保新的配置生效。
|
||||
|
||||
尝试在终端中执行 Docker 命令:在 Jenkins 代理节点上打开终端,尝试手动执行一些 Docker 命令(如 docker pull),看看是否能够正常执行
|
||||
|
||||
要设置 Jenkins Docker 流水线,你可以按照以下步骤进行操作:
|
||||
|
||||
前提条件
|
||||
确保你的 Jenkins 实例已经安装了以下插件:
|
||||
|
||||
Docker Pipeline
|
||||
Docker Commons
|
||||
|
||||
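Review bot: this file lives in the chaos-mesh role but contains only Jenkins/GitLab/GitHub notes, opening with an empty heading `# Jenkins Mater 部署` (Master); move it to the Jenkins role or rename it, and merge the GitHub webhook steps, which appear twice (`配置 Webhook:` and `配置GitHub Webhook:`). Two security points in the content: the `Secret(可选)` step should not be optional, because without a webhook secret Jenkins cannot verify that a POST to `/github-webhook/` came from GitHub, so anyone who can reach that URL can trigger builds; and the `Username with password` credential with a GitHub account password will not authenticate against api.github.com, which only accepts a personal access token, so keep the later PAT section (with `repo` as the minimum scope) and drop the password variant.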
2
playbooks/roles/charts/chaos-mesh/meta/main.yml
Normal file
@ -0,0 +1,2 @@
dependencies:
- role: secret-manger
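Review bot: the dependency `secret-manger` reads like a misspelling of `secret-manager`; the same spelling is repeated in every meta/main.yml in this PR (chartmuseum, clickhouse, deepflow, flagger-loadtester), so either the role directory really carries the typo or all of these roles fail at play start with a missing-role error. Confirm the directory name and, if it is the typo, fix all five in one pass.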
4
playbooks/roles/charts/chaos-mesh/tasks/main.yml
Executable file
@ -0,0 +1,4 @@
- name: Setup chaos-mesh Server
script: files/setup.sh {{ domain }} {{ item.secret_name }} {{ namespace }}
when: inventory_hostname in groups[group] and ( tls is defined)
loop: "{{ tls }}"
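Review bot: `loop: "{{ tls }}"` is expanded before `when:` is evaluated, so the `tls is defined` guard cannot prevent an undefined-variable error when `tls` is absent; write `loop: "{{ tls | default([]) }}"` and the guard becomes unnecessary. `group`, `domain` and `namespace` are not defined anywhere in this role either (compare chartmuseum/vars/main.yml), so add a defaults/main.yml or document them as required inventory variables.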
37
playbooks/roles/charts/chartmuseum/files/setup.sh
Normal file
@ -0,0 +1,37 @@
#!/bin/bash

domain=$1
namespace=$2
admin_password=$3
secret_name=$4
storage_type=$5

cat > values.yaml << EOF
env:
open:
STORAGE: local
DISABLE_API: false
AUTH_ANONYMOUS_GET: true
secret:
BASIC_AUTH_USER: admin
BASIC_AUTH_PASS: '$admin_password'
ingress:
enabled: true
hosts:
- name: charts.$domain
path: /
tls: true
tlsSecret: $secret_name
ingressClassName: nginx
persistence:
enabled: true
accessMode: ReadWriteOnce
size: 8Gi
path: /storage
storageClass: "local-path"
EOF

export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
helm repo add chartmuseum https://chartmuseum.github.io/charts
helm repo update
helm upgrade --install chartmuseum chartmuseum/chartmuseum -f values.yaml -n $namespace
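Review bot: `storage_type=$5` is read but never used and `STORAGE: local` is hard-coded, while chartmuseum/vars/main.yml sets `storage_type: oss` and the task passes only four arguments, so the variable is silently ignored; either wire `$storage_type` into `STORAGE` or drop the parameter. `BASIC_AUTH_PASS: '$admin_password'` writes the admin password into `values.yaml` in the current directory with default permissions and never removes it; write it under `mktemp -d` with mode 600 and delete it after `helm upgrade`, or pass it with `--set-string`. Also make `AUTH_ANONYMOUS_GET: true` together with `DISABLE_API: false` an explicit decision: anyone who can reach `charts.$domain` can list and download every chart without credentials, which is fine for a public repository and wrong for an internal one.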
2
playbooks/roles/charts/chartmuseum/meta/main.yml
Normal file
@ -0,0 +1,2 @@
dependencies:
- role: secret-manger
4
playbooks/roles/charts/chartmuseum/tasks/main.yml
Executable file
@ -0,0 +1,4 @@
- name: Setup Chartmuseum Server
script: files/setup.sh {{ domain }} {{ namespace }} {{ admin_password }} {{ item.secret_name }}
loop: "{{ tls }}"
when: inventory_hostname in groups[group]
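Review bot: the script is invoked with four arguments (`domain`, `namespace`, `admin_password`, `secret_name`) while files/setup.sh reads five, so `storage_type` is always empty; keep the two in sync. Passing `{{ admin_password }}` as a command-line argument also exposes it in the process list on the target host for as long as the script runs; hand it over through the task's `environment:` keyword and read it from the environment inside the script instead.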
8
playbooks/roles/charts/chartmuseum/vars/main.yml
Normal file
@ -0,0 +1,8 @@
group: master
namespace: harbor
storage_type: oss
update_secret: true
tls:
- secret_name: chartmuseum-tls
keyfile: /etc/ssl/onwalk.net.key
certfile: /etc/ssl/onwalk.net.pem
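Review bot: these values sit in `vars/main.yml`, which takes precedence over inventory and `host_vars`, so `namespace: harbor`, the `onwalk.net` certificate paths and `storage_type: oss` cannot be overridden per environment without editing the role; move them to `defaults/main.yml`. `storage_type: oss` is never consumed by files/setup.sh (it hard-codes `STORAGE: local`), and `namespace: harbor` for a ChartMuseum release looks like a copy-paste from the harbor role.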
2
playbooks/roles/charts/clickhouse/meta/main.yml
Normal file
@ -0,0 +1,2 @@
dependencies:
- role: secret-manger
48
playbooks/roles/charts/clickhouse/tasks/main.yml
Executable file
@ -0,0 +1,48 @@
- name: Prep DIR
shell: "mkdir -pv /tmp/clickhouse-cluster/ && mkdir -pv /tmp/qryn"

- name: Prep NameSpace
shell: "kubectl create namespace monitoring || echo true"

- name: sync clickhouse deploy yaml
template: src=templates/{{ item }} dest=/tmp/{{ item }} owner=root group=root mode=0644 force=yes unsafe_writes=yes
with_items:
- clickhouse-cluster/clickhouse-config.yaml
- clickhouse-cluster/clickhouse-service.yaml
- clickhouse-cluster/clickhouse-user-config.yaml
- clickhouse-cluster/clickhouse-statefulset.yml
- postsetup.sh

- name: Setup ClickHouse Server
shell: "cd /tmp/clickhouse-cluster && kubectl apply -f ."
when: inventory_hostname in groups[group]

#- name: Post Setup ClickHouse Server
# shell: "cd /tmp/ && sh postsetup.sh"
# when: inventory_hostname in groups[group]

- name: get clickhouse node ip
shell: " kubectl get pods -n monitoring -o wide | grep -E '^clickhouse-' | awk '{print $6}' "
register: ck_node_ip_raw
when: inventory_hostname in groups[group][0]

- name: Check if ck_node_ip_raw is not empty
fail:
msg: "ck_node_ip_raw is empty, terminating the playbook."
when: ck_node_ip_raw.stdout_lines | length == 0

- name: set fact join command for ck_node_ip
set_fact:
ck_node_ip : "{{ ck_node_ip_raw.stdout_lines[0] }}"
when: inventory_hostname in groups[group][0]

- name: sync clickhouse deploy yaml
template: src=templates/{{ item }} dest=/tmp/{{ item }} owner=root group=root mode=0644 force=yes unsafe_writes=yes
with_items:
- qryn/qryn-deployment.yaml
- qryn/qryn-service.yaml
- qryn/qryn-ingress.yaml

- name: Setup Qryn Server
shell: "cd /tmp/qryn && kubectl apply -f ."
when: inventory_hostname in groups[group]
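Review bot: `when: inventory_hostname in groups[group][0]` tests whether the hostname is a substring of the first group member's name, not equality (`node1` matches `node10`); use `inventory_hostname == groups[group][0]`. The `Check if ck_node_ip_raw is not empty` task has no host guard, so on every host other than the first `ck_node_ip_raw` is a skipped result with no `stdout_lines` and the `length` filter raises an undefined-variable error; add `when: ck_node_ip_raw is not skipped and ...`. More fundamentally, the value scraped from `kubectl get pods -o wide` is a pod IP that changes on every reschedule and it is baked into the qryn Deployment; point qryn at the headless Service (`clickhouse-service.monitoring.svc`) and drop the three IP-discovery tasks. The clickhouse Ingress manifest later in this PR is in neither `with_items` list, so it is never rendered or applied, and `unsafe_writes=yes` is unnecessary for files under /tmp.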
2
playbooks/roles/charts/clickhouse/templates/.gitignore
vendored
Normal file
@ -0,0 +1,2 @@
/clickhouse-keeper-k8s.iml
/.idea/
@ -0,0 +1,94 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: clickhouse-config
namespace: monitoring
data:
keeper.xml: |
<?xml version="1.0"?>
<yandex>
<listen_host>0.0.0.0</listen_host>
<logger>
<level>trace</level>
<console>1</console>
</logger>
<openSSL>
<server>
<certificateFile remove="1"/>
<privateKeyFile remove="1"/>
</server>
</openSSL>
<keeper_server>
<tcp_port>2181</tcp_port>
<server_id from_env="CK_INDEX"/>
<log_storage_path>/var/lib/clickhouse/coordination/log</log_storage_path>
<snapshot_storage_path>/var/lib/clickhouse/coordination/snapshots</snapshot_storage_path>
<coordination_settings>
<operation_timeout_ms>10000</operation_timeout_ms>
<session_timeout_ms>30000</session_timeout_ms>
<raft_logs_level>trace</raft_logs_level>
<rotate_log_storage_interval>10000</rotate_log_storage_interval>
</coordination_settings>
<raft_configuration>
<server>
<id>0</id>
<hostname>clickhouse-0.clickhouse-service.monitoring</hostname>
<port>9444</port>
</server>
<server>
<id>1</id>
<hostname>clickhouse-1.clickhouse-service.monitoring</hostname>
<port>9444</port>
</server>
<server>
<id>2</id>
<hostname>clickhouse-2.clickhouse-service.monitoring</hostname>
<port>9444</port>
</server>
</raft_configuration>
</keeper_server>
<zookeeper>
<node>
<host>clickhouse-0.clickhouse-service.monitoring</host>
<port>2181</port>
</node>
<node>
<host>clickhouse-1.clickhouse-service.monitoring</host>
<port>2181</port>
</node>
<node>
<host>clickhouse-2.clickhouse-service.monitoring</host>
<port>2181</port>
</node>
</zookeeper>
</yandex>

cluster.xml: |
<?xml version="1.0"?>
<yandex>
<remote_servers>
<testcluster>
<shard>
<replica>
<host>clickhouse-0.clickhouse-service.monitoring</host>
<port>9000</port>
</replica>
</shard>
<shard>
<replica>
<host>clickhouse-1.clickhouse-service.monitoring</host>
<port>9000</port>
</replica>
</shard>
</testcluster>
</remote_servers>
</yandex>
macros.xml: |
<?xml version="1.0" ?>
<yandex>
<macros>
<cluster>testcluster</cluster>
<replica from_env="HOSTNAME"/>
<shard>1</shard>
</macros>
</yandex>
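Review bot: the topology in `cluster.xml`, `macros.xml` and the StatefulSet disagrees: `cluster.xml` defines `testcluster` as two shards with one replica each (`clickhouse-0` and `clickhouse-1`), the StatefulSet runs three pods (`clickhouse-2` is absent from `remote_servers`), and `macros.xml` sets `<shard>1</shard>` on every pod, so any `Replicated*MergeTree` table keyed on `{shard}`/`{replica}` will treat all pods as replicas of one shard while distributed queries assume two. Pick one layout (one shard with three replicas is the simplest match for the StatefulSet) and make the three files agree. `<level>trace</level>` and `<raft_logs_level>trace</raft_logs_level>` are debugging settings that log full query text; lower them to `information` before this ingests real flow logs.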
@ -0,0 +1,18 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: clickhouse
namespace: monitoring
spec:
ingressClassName: nginx
rules:
- host: clickhouse.{{ domain }}
http:
paths:
- backend:
service:
name: clickhouse-service
port:
number: 8123
path: /
pathType: Prefix
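Review bot: this Ingress publishes ClickHouse's HTTP interface (8123) on `clickhouse.{{ domain }}` with no `tls:` section and none of the `ssl-redirect` annotation the qryn Ingress uses, so queries and any credentials travel in clear text, and since the `users.d/user.xml` in this PR sets no password for the `default` user the endpoint accepts unauthenticated queries from outside the cluster. Either drop the Ingress (qryn is the intended gateway) or add TLS and a password-protected user first.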
@ -0,0 +1,23 @@
kind: Service
apiVersion: v1
metadata:
labels:
app: clickhouse
name: clickhouse-service
namespace: monitoring
spec:
ports:
- name: rest
port: 8123
- name: keeper
port: 2181
- name: replica-a
port: 9000
- name: replica-b
port: 9009
- name: raft
port: 9444

clusterIP: None
selector:
app: clickhouse
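Review bot: the port names `replica-a` (9000, native TCP) and `replica-b` (9009, interserver HTTP) do not describe the ports and are mirrored in the StatefulSet; rename them to `native` and `interserver` in both places so the headless Service stays readable.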
@ -0,0 +1,103 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: clickhouse
namespace: monitoring
spec:
selector:
matchLabels:
app: clickhouse
serviceName: clickhouse-service
replicas: 3
podManagementPolicy: "Parallel"
# podManagementPolicy: OrderedReady
template:
metadata:
labels:
app: clickhouse
spec:
containers:
- name: clickhouse
image: clickhouse/clickhouse-server:22.4.5
imagePullPolicy: IfNotPresent
workingDir: /
command:
- /bin/bash
- -c
- |-
export CK_INDEX=${HOSTNAME##*-}
echo CK_INDEX=${CK_INDEX}
./entrypoint.sh
env:
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
ports:
- name: rest
containerPort: 8123
- name: keeper
containerPort: 2181
- name: replica-a
containerPort: 9000
- name: replica-b
containerPort: 9009
- name: raft
containerPort: 9444
volumeMounts:
- name: clickhouse-config
mountPath: /etc/clickhouse-server/config.d/
- name: clickhouse-user-config
mountPath: /etc/clickhouse-server/users.d/
- name: clickhouse-meta
mountPath: /var/lib/clickhouse/coordination/
- name: clickhouse-data
mountPath: /var/lib/clickhouse/
volumes:
- name: clickhouse-config
configMap:
name: clickhouse-config
items:
- key: keeper.xml
path: keeper.xml
- key: cluster.xml
path: cluster.xml
- key: macros.xml
path: macros.xml
- name: clickhouse-user-config
configMap:
name: clickhouse-user-config
items:
- key: user.xml
path: user.xml
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: clickhouse
app.kubernetes.io/instance: clickhouse
app.kubernetes.io/name: clickhouse
name: clickhouse-meta
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
volumeMode: Filesystem
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: clickhouse
app.kubernetes.io/instance: clickhouse
app.kubernetes.io/name: clickhouse
name: clickhouse-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
volumeMode: Filesystem
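Review bot: no readiness or liveness probe and no `resources` are set, so a rolling update with `podManagementPolicy: "Parallel"` can restart all three Keeper/ClickHouse pods at once with nothing waiting for quorum, and the 10 GB `max_memory_usage` in the profile has no container memory limit behind it. Add a readiness probe on `/ping` (port 8123), requests/limits and a `securityContext` (`runAsNonRoot`, dropped capabilities). The `clickhouse-meta` PVC is mounted at `/var/lib/clickhouse/coordination/` inside the `clickhouse-data` mount at `/var/lib/clickhouse/`; nested mounts work but should be documented as intentional. `clickhouse/clickhouse-server:22.4.5` is pinned, which is good, but it is an old non-LTS release; pin a current LTS tag.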
@ -0,0 +1,19 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: clickhouse-user-config
namespace: monitoring
data:
user.xml: |
<?xml version="1.0"?>
<yandex>
<profiles>
<default>
<max_memory_usage>10000000000</max_memory_usage>
<max_distributed_depth>4000</max_distributed_depth>
<distributed_connections_pool_size>4096</distributed_connections_pool_size>
<max_distributed_connections>4096</max_distributed_connections>
<load_balancing>random</load_balancing>
</default>
</profiles>
</yandex>
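Review bot: this file only tunes the `default` profile; it defines no `<users>` block and no password, so the image's `default` user keeps an empty password, and with `<listen_host>0.0.0.0</listen_host>` in keeper.xml plus the clickhouse Ingress that user is reachable from outside the cluster. Add a `<users><default>` entry with `password_sha256_hex` (or a `<networks>` restriction to the pod CIDR) and create the application user here rather than in postsetup.sh. `max_memory_usage` of 10000000000 bytes should also be matched by a container limit in the StatefulSet.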
@ -0,0 +1,142 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: otel-collector-config
namespace: default
data:
config.yaml: |
receivers:
loki:
use_incoming_timestamp: true
protocols:
http:
endpoint: 0.0.0.0:3100
grpc:
endpoint: 0.0.0.0:3200
syslog:
protocol: rfc5424
tcp:
listen_address: "0.0.0.0:5514"
fluentforward:
endpoint: 0.0.0.0:24224
splunk_hec:
endpoint: 0.0.0.0:8088
otlp:
protocols:
grpc:
endpoint: 0.0.0.0:4317
http:
endpoint: 0.0.0.0:4318
jaeger:
protocols:
grpc:
endpoint: 0.0.0.0:14250
thrift_http:
endpoint: 0.0.0.0:14268
zipkin:
endpoint: 0.0.0.0:9411
skywalking:
protocols:
grpc:
endpoint: 0.0.0.0:11800
http:
endpoint: 0.0.0.0:12800
prometheus:
config:
scrape_configs:
- job_name: 'otel-collector'
scrape_interval: 5s
static_configs:
- targets: ['exporter:8080']
influxdb:
endpoint: 0.0.0.0:8086

connectors:
servicegraph:
latency_histogram_buckets: [ 100us, 1ms, 2ms, 6ms, 10ms, 100ms, 250ms ]
dimensions: [ cluster, namespace ]
store:
ttl: 2s
max_items: 1000
cache_loop: 2m
store_expiration_loop: 2s
virtual_node_peer_attributes:
- db.name
- rpc.service
spanmetrics:
namespace: span.metrics
exemplars:
enabled: false
dimensions_cache_size: 1000
aggregation_temporality: 'AGGREGATION_TEMPORALITY_CUMULATIVE'
metrics_flush_interval: 30s
metrics_expiration: 5m
events:
enabled: false

processors:
batch:
send_batch_size: 10000
timeout: 5s
memory_limiter:
check_interval: 2s
limit_mib: 1800
spike_limit_mib: 500
resourcedetection/system:
detectors: ['system']
system:
hostname_sources: ['os']
resource:
attributes:
- key: service.name
value: "serviceName"
action: upsert
metricstransform:
transforms:
- include: calls_total
action: update
new_name: traces_spanmetrics_calls_total
- include: latency
action: update
new_name: traces_spanmetrics_latency

exporters:
qryn:
dsn: tcp://clickhouse-server:9000/qryn?username=default&password=*************
timeout: 10s
sending_queue:
queue_size: 100
retry_on_failure:
enabled: true
initial_interval: 5s
max_interval: 30s
max_elapsed_time: 300s
logs:
format: raw
otlp/spanmetrics:
endpoint: localhost:4317
tls:
insecure: true

extensions:
health_check:
pprof:
zpages:

service:
extensions: [pprof, zpages, health_check]
pipelines:
logs:
receivers: [fluentforward, otlp, loki, syslog, splunk_hec]
processors: [memory_limiter, resourcedetection/system, resource, batch]
exporters: [qryn]
traces:
receivers: [otlp, jaeger, zipkin, skywalking]
processors: [memory_limiter, resourcedetection/system, resource, batch]
exporters: [qryn, spanmetrics, servicegraph]
metrics:
receivers: [prometheus, influxdb, spanmetrics, servicegraph]
processors: [memory_limiter, resourcedetection/system, resource, batch]
exporters: [qryn]


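Review bot: the `resource` processor performs `action: upsert` on `service.name` with the literal `"serviceName"` and runs in all three pipelines, so every span, log and metric reaching qryn is rewritten to one service name and the `spanmetrics`/`servicegraph` connectors become meaningless; use `action: insert` (set only when missing) or delete the entry. The qryn exporter `dsn` embeds the ClickHouse password in a ConfigMap (readable by anyone with `get configmaps` in `default`) and targets `clickhouse-server:9000`, a Service that does not exist in this PR (the headless Service is `clickhouse-service` in `monitoring`); move the password to a Secret, reference it as `${env:CLICKHOUSE_PASSWORD}` from an `env.valueFrom.secretKeyRef`, and use `clickhouse-service.monitoring.svc.cluster.local`. `otlp/spanmetrics` (with `tls.insecure: true`) and `metricstransform` are defined but used by no pipeline, and every receiver binds `0.0.0.0` without authentication, which is acceptable only while the Service stays ClusterIP.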
@ -0,0 +1,42 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: otel-collector
namespace: default
labels:
app: otel-collector
spec:
replicas: 1
selector:
matchLabels:
app: otel-collector
template:
metadata:
labels:
app: otel-collector
spec:
containers:
- name: otel-collector
image: ghcr.io/metrico/qryn-otel-collector:latest
volumeMounts:
- name: config
mountPath: /etc/otel
subPath: config.yaml
ports:
- containerPort: 3100
- containerPort: 3200
- containerPort: 8088
- containerPort: 5514
- containerPort: 24224
- containerPort: 4317
- containerPort: 4318
- containerPort: 14250
- containerPort: 14268
- containerPort: 9411
- containerPort: 11800
- containerPort: 12800
- containerPort: 8086
volumes:
- name: config
configMap:
name: otel-collector-config
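Review bot: `mountPath: /etc/otel` combined with `subPath: config.yaml` mounts the ConfigMap key as a file named `/etc/otel`, not as `/etc/otel/config.yaml`; either drop `subPath` (the directory then contains `config.yaml`) or set `mountPath: /etc/otel/config.yaml`. The image is `:latest` with no digest, so the collector silently changes on every pod restart; pin a version. The config enables the `health_check` extension but no `readinessProbe` uses it, and there are no `resources` even though `memory_limiter` assumes roughly 1.8 GiB is available.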
@ -0,0 +1,19 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: otel-collector-ingress
namespace: default
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: your-domain.example.com
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: otel-collector
port:
number: 3100
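Review bot: `host: your-domain.example.com` is a placeholder while every other Ingress in this PR uses `{{ domain }}`; the rule only matches paths under `/api`, which the Loki receiver on 3100 does not use (`/loki/api/v1/push`), and `rewrite-target: /` then rewrites whatever does match to `/`, so the rule cannot work as written. There is also no `tls:` block and the Loki receiver has no authentication, so anyone who can reach this host can inject logs; add TLS and an authenticating layer (nginx auth annotations or a collector auth extension) before exposing it, or drop the Ingress and keep the collector cluster-internal.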
@ -0,0 +1,48 @@
apiVersion: v1
kind: Service
metadata:
name: otel-collector
namespace: default
spec:
ports:
- port: 3100
targetPort: 3100
protocol: TCP
- port: 3200
targetPort: 3200
protocol: TCP
- port: 8088
targetPort: 8088
protocol: TCP
- port: 5514
targetPort: 5514
protocol: TCP
- port: 24224
targetPort: 24224
protocol: TCP
- port: 4317
targetPort: 4317
protocol: TCP
- port: 4318
targetPort: 4318
protocol: TCP
- port: 14250
targetPort: 14250
protocol: TCP
- port: 14268
targetPort: 14268
protocol: TCP
- port: 9411
targetPort: 9411
protocol: TCP
- port: 11800
targetPort: 11800
protocol: TCP
- port: 12800
targetPort: 12800
protocol: TCP
- port: 8086
targetPort: 8086
protocol: TCP
selector:
app: otel-collector
27
playbooks/roles/charts/clickhouse/templates/postsetup.sh
Executable file
@ -0,0 +1,27 @@
#!/bin/bash

#检查 ClickHouse 版本
#clickhouse-client --version | grep -q "21.8"
#if [ $? -ne 0 ]; then
#echo "ClickHouse 的版本必须至少为 21.8"
#exit 1
#fi

创建数据库
for db in deepflow_system event ext_metrics flow_log flow_metrics flow_tag profile; do
clickhouse-client -u admin -p admin -q "CREATE DATABASE $db"
done

创建用户
clickhouse-client -u admin -p admin -q "CREATE USER admin IDENTIFIED WITH PLAINTEXT_PASSWORD BY 'admin'"
clickhouse-client -u admin -p admin -q "CREATE USER deepflow IDENTIFIED WITH PLAINTEXT_PASSWORD BY 'deepflow'"

授权账户
clickhouse-client -u admin -p admin -q "GRANT ALL ON . TO admin"
clickhouse-client -u admin -p admin -q "GRANT SELECT ON deepflow_system.* TO deepflow"
clickhouse-client -u admin -p admin -q "GRANT SELECT ON event.* TO deepflow"
clickhouse-client -u admin -p admin -q "GRANT SELECT ON ext_metrics.* TO deepflow"
clickhouse-client -u admin -p admin -q "GRANT SELECT ON flow_log.* TO deepflow"
clickhouse-client -u admin -p admin -q "GRANT SELECT ON flow_metrics.* TO deepflow"
clickhouse-client -u admin -p admin -q "GRANT SELECT ON flow_tag.* TO deepflow"
clickhouse-client -u admin -p admin -q "GRANT SELECT ON profile.* TO deepflow"
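Review bot: `创建数据库`, `创建用户` and `授权账户` are bare lines, not comments, so bash tries to run them as commands (`command not found`) on every execution; prefix them with `#`. `GRANT ALL ON . TO admin` is not valid ClickHouse grammar (`*.*` is required), and the script authenticates as `admin`/`admin` on the very line that creates the `admin` user, so a first run cannot succeed. The credentials `admin`/`admin` and `deepflow`/`deepflow` are hard-coded and stored with `PLAINTEXT_PASSWORD`; read them from environment variables, use `IDENTIFIED WITH sha256_password`, and keep `deepflow` on per-database `SELECT` as the later lines already do. Note also that `clickhouse-client` without `--host` connects to localhost on the Ansible target, which is not where the StatefulSet runs.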
@ -0,0 +1,36 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: qryn
namespace: monitoring
labels:
io.metrico.service: qryn
spec:
replicas: 2
selector:
matchLabels:
io.metrico.service: qryn
strategy: {}
template:
metadata:
annotations:
qryn.cmd: qryn.dev
creationTimestamp: null
labels:
io.metrico.service: qryn
spec:
containers:
- env:
- name: CLICKHOUSE_AUTH
value: "default"
- name: CLICKHOUSE_PORT
value: "8123"
- name: CLICKHOUSE_SERVER
value: "{{ hostvars[groups[group][0]].ck_node_ip }}"
image: qxip/qryn
name: qryn
ports:
- containerPort: 3100
resources: {}
restartPolicy: Always
status: {}
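Review bot: `CLICKHOUSE_SERVER` is filled from `hostvars[...].ck_node_ip`, a pod IP scraped at deploy time; it changes whenever `clickhouse-0` is rescheduled, after which both qryn replicas fail to connect until the playbook is rerun. Use `clickhouse-service.monitoring.svc.cluster.local` and let DNS follow the pod. `CLICKHOUSE_AUTH: "default"` carries no password, consistent with the user config in this PR, so fix both together. `image: qxip/qryn` has no tag; pin one. `creationTimestamp: null`, `strategy: {}`, `resources: {}` and `status: {}` are `kubectl -o yaml` residue and can be removed.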
@ -0,0 +1,24 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: data-gateway
namespace: monitoring
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
ingressClassName: nginx
rules:
- host: data-gateway.{{ domain }}
http:
paths:
- backend:
service:
name: qryn
port:
number: 3100
path: /
pathType: Prefix
tls:
- hosts:
- data-gateway.{{ domain }}
secretName: obs-tls
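Review bot: `secretName: obs-tls` is hard-coded here while the other roles pass the TLS secret through `item.secret_name`; template it the same way. qryn on 3100 accepts Loki/Prometheus/Tempo writes as well as queries, and nothing in this PR puts authentication in front of `data-gateway.{{ domain }}`, so this Ingress publishes an unauthenticated write endpoint; add nginx auth annotations or qryn's own authentication before exposing it.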
@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
io.metrico.service: qryn
name: qryn
namespace: monitoring
spec:
ports:
- name: "3100"
port: 3100
targetPort: 3100
selector:
io.metrico.service: qryn
12
playbooks/roles/charts/deepflow/Readme.md
Normal file
@ -0,0 +1,12 @@

# 统计存储数据

select formatReadableSize(sum(rows)) as "每天写入行数", formatReadableSize(sum(bytes_on_disk)) as "每天落盘的字节", formatReadableSize(sum(data_uncompressed_bytes)) as "压缩前字节", sum(data_uncompressed_bytes)/sum(bytes_on_disk) as "压缩比", sum(rows)/86400 as "平均每秒写入的行数" from cluster(df_cluster, system.parts) where partition like '%2024-12-03%' limit 10;


可以grafana再 查下确认下,流日志的统计:
select min(partition),max(partition),formatReadableSize(sum(rows)) as "每天写入行数", formatReadableSize(sum(bytes_on_disk)) as "每天落盘的字节", formatReadableSize(sum(data_uncompressed_bytes)) as "压缩前字节", sum(data_uncompressed_bytes)/sum(bytes_on_disk) as "压缩比", sum(rows)/86400 as "平均每秒写入的行数" from cluster(df_cluster, system.parts) where partition like '%2024-12-03%' and table='l4_flow_log_local' limit 10;

调用日志的统计:
select min(partition),max(partition),formatReadableSize(sum(rows)) as "每天写入行数", formatReadableSize(sum(bytes_on_disk)) as "每天落盘的字节", formatReadableSize(sum(data_u.compressed_bytes)) as "压缩前字节", sum(data_uncompressed_bytes)/sum(bytes_on_disk) as "压缩比", sum(rows)/86400 as "平均每秒写入的行数" from cluster(df_cluster, system.parts) where partition like '%2024-12-03%' and table='l7_flow_log_local' limit 10;

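Review bot: `formatReadableSize(sum(rows))` formats a row count as a byte size, so the `每天写入行数` column prints something like `1.20 GiB` for rows; use `formatReadableQuantity(sum(rows))`. `limit 10` on an aggregate without `GROUP BY` is a no-op, and the `like '%2024-12-03%'` partition filter is a fixed date; parameterise it (or derive it from `yesterday()`) so the note stays reusable.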
7
playbooks/roles/charts/deepflow/files/post-setup.sh
Normal file
@ -0,0 +1,7 @@
sudo apt-get install -y apt-transport-https ca-certificates curl gnupg
curl -fsSL 'https://packages.clickhouse.com/rpm/lts/repodata/repomd.xml.key' | sudo gpg --dearmor -o /usr/share/keyrings/clickhouse-keyring.gpg

echo "deb [signed-by=/usr/share/keyrings/clickhouse-keyring.gpg] https://packages.clickhouse.com/deb stable main" | sudo tee \
/etc/apt/sources.list.d/clickhouse.list
sudo apt-get update
sudo apt-get install -y clickhouse-client
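Review bot: the file has no shebang and no `set -euo pipefail`, so a failed `gpg --dearmor` or `apt-get update` still lets the final `apt-get install` run against a broken or unsigned source list; add both. The script installs `clickhouse-client` as a prerequisite, which contradicts the name `post-setup.sh`, and nothing in deepflow/tasks/main.yml invokes it.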
6
playbooks/roles/charts/deepflow/files/pre-setup.sh
Normal file
@ -0,0 +1,6 @@
#!/bin/bash
export namespace=$1

export MYSQL_ROOT_PASSWORD=$(kubectl get secret --namespace $namespace mysql -o jsonpath="{.data.mysql-root-password}" | base64 -d)

kubectl run mysql-client --rm --tty -i --restart='Never' --image docker.io/bitnami/mysql:8.0.32-debian-11-r14 --namespace $namespace --env MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD --command -- bash -c "mysql -h mysql.database.svc.cluster.local -uroot -p$MYSQL_ROOT_PASSWORD -e 'create database IF NOT EXISTS jenkins;'"
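Review bot: this script creates a `jenkins` database and is a copy of a Jenkins role's pre-setup; it has nothing to do with DeepFlow and is referenced only from a commented-out task, so remove it from this role. If it is kept anywhere, the MySQL root password is exposed twice: on the `mysql -p$MYSQL_ROOT_PASSWORD` command line (visible in `ps` inside the pod and in the pod spec via `--command`) and as `--env` on `kubectl run` (visible to anyone who can `get pod -o yaml`); pass it only through the environment and let `mysql` read `MYSQL_PWD`, or use `--defaults-extra-file`.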
29
playbooks/roles/charts/deepflow/files/setup.sh
Normal file
@ -0,0 +1,29 @@
#!/bin/bash
set -x
export domain=$1
export secret=$2
export namespace=$3

cat << EOF > values-custom.yaml
clickhouse:
enabled: true
server:
enabled: true
deepflow-agent:
enabled: true
grafana:
enabled: true
service:
ingress:
enabled: true
ingressClassName: nginx
hosts:
- grafana.onwalk.net
tls:
- secretName: obs-tls
hosts:
- grafana.onwalk.net
EOF
helm repo add deepflow https://deepflowio.github.io/deepflow
helm repo update deepflow # use `helm repo update` when helm < 3.7.0
helm upgrade --install deepflow -n monitoring deepflow/deepflow --create-namespace --version 6.4.9 -f values-custom.yaml
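Review bot: `$domain` and `$secret` are exported but never used, `$namespace` is ignored in favour of the hard-coded `-n monitoring`, and the Grafana ingress is pinned to `grafana.onwalk.net` / `obs-tls`, which makes the three positional parameters misleading and ties the role to one environment. Use `grafana.$domain` and `secretName: $secret` in the heredoc and `-n $namespace` on the helm call, mirroring chaos-mesh/files/setup.sh. `set -x` passes no secret here, but it echoes the whole `values-custom.yaml` into the Ansible log.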
2
playbooks/roles/charts/deepflow/meta/main.yml
Normal file
@ -0,0 +1,2 @@
dependencies:
- role: secret-manger
19
playbooks/roles/charts/deepflow/tasks/main.yml
Executable file
@ -0,0 +1,19 @@
#- name: get mysql db password
# shell: 'kubectl get secret --namespace database mysql -o jsonpath="{.data.mysql-root-password}" | base64 -d'
# register: mysql_db_password_raw
# when: inventory_hostname in groups[group][0]
#
#- name: set fact join command
# set_fact:
# mysql_db_password : "{{ mysql_db_password_raw.stdout }}"
# when: inventory_hostname in groups[group][0]
#
#- name: DB Pre Setup for Jenkins Server
# script: files/pre-setup.sh {{ db_namespace }}
# when: inventory_hostname in groups[group]
# script: files/setup.sh {{ domain }} {{ item.secret_name }} {{ namespace }} {{ mysql_db_password }}

- name: Setup Deepflow Cluster
script: files/setup.sh {{ domain }} {{ item.secret_name }} {{ namespace }}
when: inventory_hostname in groups[group] and ( tls is defined)
loop: "{{ tls }}"
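Review bot: the first fourteen lines are commented-out MySQL/Jenkins tasks, including a stray `# script: files/setup.sh ... {{ mysql_db_password }}` that belongs to no task; delete them rather than shipping dead code (git keeps the history). As in the chaos-mesh role, `loop: "{{ tls }}"` is expanded before `when:` is evaluated, so `tls is defined` does not protect against an undefined `tls`; use `loop: "{{ tls | default([]) }}"`.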
47
playbooks/roles/charts/flagger-loadtester/files/setup.sh
Normal file
47
playbooks/roles/charts/flagger-loadtester/files/setup.sh
Normal file
@ -0,0 +1,47 @@
|
||||
#!/bin/bash
|
||||
set -x
|
||||
|
||||
# 检查参数是否为空
|
||||
check_not_empty() {
|
||||
if [[ -z $1 ]]; then
|
||||
echo "Error: $2 is empty. Please provide a value."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
# 检查参数是否为空
|
||||
check_not_empty "$1" "DOMAIN" && DOMAIN=$1
|
||||
|
||||
helm repo add flagger https://flagger.app
|
||||
kubectl create ns monitoring || true
|
||||
helm upgrade -i flaggerloadtester flagger/loadtester --namespace=monitoring
|
||||
|
||||
cat > flagger-loadtester-ingress.yaml << EOF
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
name: flagger
|
||||
namespace: monitoring
|
||||
spec:
|
||||
ingressClassName: apisix
|
||||
rules:
|
||||
- host: flaggerloadtester.${DOMAIN}
|
||||
http:
|
||||
paths:
|
||||
- backend:
|
||||
service:
|
||||
name: flagger-loadtester
|
||||
port:
|
||||
number: 80
|
||||
path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- flaggerloadtester.${DOMAIN}
|
||||
secretName: obs-tls
|
||||
EOF
|
||||
|
||||
kubectl apply -f flagger-loadtester-ingress.yaml
|
||||
|
||||
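Review bot: the Ingress hard-codes `secretName: obs-tls` in `monitoring` and `ingressClassName: apisix`, while the `nginx.ingress.kubernetes.io/ssl-redirect` annotation only means something to the NGINX controller and every other role in this PR uses class `nginx`; pass the TLS secret name in as an argument (as the harbor and deepflow tasks do with `item.secret_name`) and pick one controller so the class and annotation agree. Publishing the loadtester on `flaggerloadtester.${DOMAIN}` deserves a second look: the Flagger loadtester runs the command it is handed in webhook payloads, so a public hostname with no authentication in front of it exposes that endpoint to anyone; keep it cluster-internal (Flagger reaches it by service name) or put it behind an ingress that enforces auth. Minor: `set -x` echoes every command into the Ansible script output, and without `set -e` a failed `helm upgrade` does not stop the `kubectl apply` that follows.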
2
playbooks/roles/charts/flagger-loadtester/meta/main.yml
Normal file
@ -0,0 +1,2 @@
|
||||
dependencies:
|
||||
- role: secret-manger
|
||||
4
playbooks/roles/charts/flagger-loadtester/tasks/main.yml
Executable file
@ -0,0 +1,4 @@
|
||||
- name: Setup Loadtester Server
|
||||
script: files/setup.sh {{ domain }}
|
||||
when: inventory_hostname in groups[group]
|
||||
|
||||
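Review bot: `when: inventory_hostname in groups[group]` runs `files/setup.sh`, and therefore `helm upgrade -i`, on every host in the group, so with more than one master the same release is installed concurrently from several hosts; the password lookups in the other roles already restrict themselves to `groups[group][0]`, and the install should do the same (`when: inventory_hostname == groups[group][0]` or `run_once: true`). The script is also handed only `{{ domain }}` although the Ingress inside it needs a TLS secret name, so the role cannot be reused with a different certificate without editing the script.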
30
playbooks/roles/charts/gitlab/files/post-setup.sh
Executable file
@ -0,0 +1,30 @@
|
||||
#!/bin/bash
|
||||
|
||||
kubectl delete hpa --all -A
|
||||
|
||||
# 获取所有部署
|
||||
DEPLOYMENTS=$(kubectl get deploy -n gitlab -o jsonpath='{.items[*].metadata.name}')
|
||||
|
||||
# 遍历部署并设置副本数为1
|
||||
for DEPLOY in $DEPLOYMENTS
|
||||
do
|
||||
echo "Setting replicas=1 for deployment $DEPLOY"
|
||||
kubectl scale deploy/$DEPLOY -n gitlab --replicas=1
|
||||
done
|
||||
|
||||
# 遍历部署并获取 CPU 和内存配置
|
||||
for DEPLOY in $DEPLOYMENTS
|
||||
do
|
||||
echo "Deployment: $DEPLOY"
|
||||
echo "===================="
|
||||
kubectl get deploy $DEPLOY -n gitlab -o=jsonpath='{range .spec.template.spec.containers[*]}{.name}:{"\n"}{"\t"}cpu: {.resources.requests.cpu}{"\n"}{"\t"}mem: {.resources.requests.memory}{"\n"}{end}'
|
||||
echo "===================="
|
||||
done
|
||||
|
||||
# 遍历部署并设置 CPU 和内存请求
|
||||
#for DEPLOY in $DEPLOYMENTS
|
||||
#do
|
||||
# echo "Setting cpu=0.1 and mem=100m for deployment $DEPLOY"
|
||||
# kubectl patch deployment $DEPLOY -n gitlab -p '{"spec": {"template": {"spec": {"containers": [{"name": "'$DEPLOY'", "resources": {"requests": {"cpu": "0.1", "memory": "100m"}}}]}}}}'
|
||||
# echo "===================="
|
||||
#done
|
||||
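Review bot: `kubectl delete hpa --all -A` removes every HorizontalPodAutoscaler in every namespace of the cluster, not just GitLab's; a role named `gitlab` should scope this to `-n gitlab`, or better, disable the autoscalers through chart values so they are never created. In the commented-out patch loop, `"memory": "100m"` is 0.1 bytes in Kubernetes quantity notation, not 100 MiB; if that block is ever re-enabled it must read `100Mi`. Forcing every deployment to `--replicas=1` also silently undoes any HA sizing from the values file, which is worth a comment in the script so the next reader knows it is intentional.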
9
playbooks/roles/charts/gitlab/files/pre-setup.sh
Executable file
@ -0,0 +1,9 @@
|
||||
#!/bin/bash
|
||||
set +x
|
||||
|
||||
export namespace=$1
|
||||
export POSTGRES_PASSWORD=$(kubectl get secret --namespace $namespace postgresql -o jsonpath="{.data.postgres-password}" | base64 -d)
|
||||
|
||||
kubectl run postgresql-client --rm --tty -i --restart='Never' --namespace $namespace --image docker.io/bitnami/postgresql:15.2.0-debian-11-r11 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql -U postgres -d postgres -p 5432 -w -c "CREATE DATABASE gitlabhq_production OWNER postgres;" || echo true
|
||||
|
||||
kubectl run postgresql-client --rm --tty -i --restart='Never' --namespace $namespace --image docker.io/bitnami/postgresql:15.2.0-debian-11-r11 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql -U postgres -d gitlabhq_production -p 5432 -w -c "CREATE EXTENSION IF NOT EXISTS plpgsql; CREATE EXTENSION IF NOT EXISTS pg_trgm; CREATE EXTENSION IF NOT EXISTS btree_gist;" || echo true
|
||||
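Review bot: both `kubectl run` commands end in `|| echo true`, which turns a failed `CREATE DATABASE` or `CREATE EXTENSION` into success and lets the playbook continue into a Helm install that then fails less clearly; drop the suffix and handle the "already exists" case explicitly (check `pg_database` first, or accept only that specific error). `--env="PGPASSWORD=$POSTGRES_PASSWORD"` also writes the postgres superuser password into the pod spec, where anyone with `get pods` in `$namespace` can read it; `--rm` shortens the window, but mounting the existing `postgresql` Secret into the client pod keeps it out of the spec. `set +x` on the second line is a no-op, since tracing is off by default.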
106
playbooks/roles/charts/gitlab/files/setup-with-oidc.sh
Normal file
@ -0,0 +1,106 @@
|
||||
#!/bin/bash
|
||||
|
||||
domain=$1
|
||||
namespace=$2
|
||||
object_bucket=$3
|
||||
gitlab_secret=$4
|
||||
gitlab_stmp_secret=$5
|
||||
smtp_port=$7
|
||||
smtp_domain=$8
|
||||
smtp_address=$9
|
||||
smtp_username=$10
|
||||
smtp_emailfrom=$11
|
||||
smtp_display_name=$12
|
||||
oidc_issuer_url=$13
|
||||
oidc_client_id=$14
|
||||
oidc_client_token=$15
|
||||
|
||||
cat > gitlab-values.yaml <<EOF
|
||||
global:
|
||||
edition: ce
|
||||
hosts:
|
||||
https: true
|
||||
domain: $domain
|
||||
gitlab:
|
||||
name: gitlab.$domain
|
||||
ingress:
|
||||
class: nginx
|
||||
enabled: true
|
||||
configureCertmanager: false
|
||||
tls:
|
||||
enabled: true
|
||||
secretName: ${gitlab_secret}
|
||||
minio:
|
||||
enabled: true
|
||||
appConfig:
|
||||
email:
|
||||
from: $smtp_emailfrom
|
||||
display_name: $smtp_display_name
|
||||
smtp:
|
||||
tls: true
|
||||
enabled: true
|
||||
port: $smtp_port
|
||||
domain: $smtp_domain
|
||||
address: $smtp_address
|
||||
user_name: $smtp_username
|
||||
password:
|
||||
secret: $gitlab_smtp_secret
|
||||
key: password
|
||||
authentication: "login"
|
||||
starttls_auto: true
|
||||
openssl_verify_mode: "peer"
|
||||
pool: true
|
||||
omniauth:
|
||||
enabled: true
|
||||
syncProfileAttributes: [email]
|
||||
allowSingleSignOn: ['openid_connect']
|
||||
autoLinkLdapUser: false
|
||||
autoLinkSamlUser: false
|
||||
providers:
|
||||
- name: 'openid_connect'
|
||||
label: 'keycloak_oidc'
|
||||
args:
|
||||
discovery: true
|
||||
response_type: 'code'
|
||||
name: 'openid_connect'
|
||||
uid_field: 'gltlab_openid'
|
||||
client_auth_method: 'query'
|
||||
issuer: $oidc_issuer_url
|
||||
scope: ['openid','profile','email']
|
||||
send_scope_to_token_endpoint: false
|
||||
client_options:
|
||||
identifier: $oidc_client_id
|
||||
secret: $oidc_client_token
|
||||
redirect_uri: 'https://gitlab.${domain}/users/auth/openid_connect/callback'
|
||||
registry:
|
||||
enabled: true
|
||||
ingress:
|
||||
enabled: false
|
||||
gitlab-exporter:
|
||||
enabled: false
|
||||
kas:
|
||||
enabled: false
|
||||
nginx-ingress:
|
||||
enabled: false
|
||||
prometheus:
|
||||
install: false
|
||||
redis:
|
||||
metrics:
|
||||
enabled: false
|
||||
postgresql:
|
||||
metrics:
|
||||
enabled: false
|
||||
certmanager:
|
||||
install: false
|
||||
installCRDs: false
|
||||
startupapicheck:
|
||||
enabled: false
|
||||
upgradeCheck:
|
||||
enabled: false
|
||||
EOF
|
||||
|
||||
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
|
||||
helm repo add gitlab https://charts.gitlab.io/
|
||||
helm repo up
|
||||
kubectl create namespace gitlab || true
|
||||
helm upgrade --install gitlab gitlab/gitlab --version=6.6.1 --namespace gitlab -f gitlab-values.yaml
|
||||
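Review bot: the positional parameters `$10` through `$15` are broken: bash reads `$10` as `$1` followed by a literal `0`, so `smtp_username`, `smtp_emailfrom`, `smtp_display_name`, `oidc_issuer_url`, `oidc_client_id` and `oidc_client_token` all become `$domain` with a digit appended; they must be written `${10}` through `${15}`. Two more variable bugs sit in the same header: `$6` is never assigned (the list jumps from `gitlab_stmp_secret=$5` to `smtp_port=$7`), and the variable is spelled `gitlab_stmp_secret` while the heredoc references `$gitlab_smtp_secret`, so `global.smtp.password.secret` is rendered empty. Under `omniauth.providers[].args`, `client_auth_method: 'query'` sends the client secret as a query parameter on the token request; `basic` keeps it in the Authorization header, which is what Keycloak expects by default. Finally, `gitlab-values.yaml` is written to the working directory with `$oidc_client_token` in clear text and is never removed after the install.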
154
playbooks/roles/charts/gitlab/files/setup-with_aws-s3.sh
Normal file
@ -0,0 +1,154 @@
|
||||
#!/bin/bash
|
||||
|
||||
domain=$1
|
||||
namespace=$2
|
||||
object_bucket=$3
|
||||
gitlab_secret=$4
|
||||
gitlab_stmp_secret=$5
|
||||
gitlab_storage_secret=$6
|
||||
smtp_port=$7
|
||||
smtp_domain=$8
|
||||
smtp_address=$9
|
||||
smtp_username=$10
|
||||
smtp_emailfrom=$11
|
||||
smtp_display_name=$12
|
||||
oidc_issuer_url=$13
|
||||
oidc_client_id=$14
|
||||
oidc_client_token=$15
|
||||
|
||||
cat > gitlab-values.yaml <<EOF
|
||||
global:
|
||||
edition: ce
|
||||
hosts:
|
||||
https: true
|
||||
domain: $domain
|
||||
gitlab:
|
||||
name: gitlab.$domain
|
||||
ingress:
|
||||
class: nginx
|
||||
enabled: true
|
||||
configureCertmanager: false
|
||||
tls:
|
||||
enabled: true
|
||||
secretName: ${gitlab_secret}
|
||||
minio:
|
||||
enabled: true
|
||||
appConfig:
|
||||
appConfig:
|
||||
object_store:
|
||||
enabled: true
|
||||
proxy_download: true
|
||||
connection:
|
||||
secret: $gitlab_storage_secret
|
||||
key: connection
|
||||
artifacts:
|
||||
enabled: true
|
||||
proxy_download: true
|
||||
bucket: $object_bucket
|
||||
external_diffs:
|
||||
enabled: true
|
||||
proxy_download: true
|
||||
bucket: $object_bucket
|
||||
lfs:
|
||||
enabled: true
|
||||
proxy_download: true
|
||||
bucket: $object_bucket
|
||||
uploads:
|
||||
enabled: true
|
||||
proxy_download: true
|
||||
bucket: $object_bucket
|
||||
packages:
|
||||
enabled: true
|
||||
proxy_download: true
|
||||
bucket: $object_bucket
|
||||
uploads:
|
||||
enabled: true
|
||||
proxy_download: true
|
||||
bucket: $object_bucket
|
||||
dependency_proxy:
|
||||
enabled: true
|
||||
proxy_download: true
|
||||
bucket: $object_bucket
|
||||
terraform_state:
|
||||
enabled: true
|
||||
proxy_download: true
|
||||
bucket: $object_bucket
|
||||
pages:
|
||||
enabled: true
|
||||
proxy_download: true
|
||||
bucket: $object_bucket
|
||||
backups:
|
||||
enabled: true
|
||||
proxy_download: true
|
||||
bucket: $object_bucket
|
||||
email:
|
||||
from: $smtp_emailfrom
|
||||
display_name: $smtp_display_name
|
||||
smtp:
|
||||
tls: true
|
||||
enabled: true
|
||||
port: $smtp_port
|
||||
domain: $smtp_domain
|
||||
address: $smtp_address
|
||||
user_name: $smtp_username
|
||||
password:
|
||||
secret: $gitlab_smtp_secret
|
||||
key: password
|
||||
authentication: "login"
|
||||
starttls_auto: true
|
||||
openssl_verify_mode: "peer"
|
||||
pool: true
|
||||
omniauth:
|
||||
enabled: true
|
||||
syncProfileAttributes: [email]
|
||||
allowSingleSignOn: ['openid_connect']
|
||||
autoLinkLdapUser: false
|
||||
autoLinkSamlUser: false
|
||||
providers:
|
||||
- name: 'openid_connect'
|
||||
label: 'keycloak_oidc'
|
||||
args:
|
||||
discovery: true
|
||||
response_type: 'code'
|
||||
name: 'openid_connect'
|
||||
uid_field: 'gltlab_openid'
|
||||
client_auth_method: 'query'
|
||||
issuer: $oidc_issuer_url
|
||||
scope: ['openid','profile','email']
|
||||
send_scope_to_token_endpoint: false
|
||||
client_options:
|
||||
identifier: $oidc_client_id
|
||||
secret: $oidc_client_token
|
||||
redirect_uri: 'https://gitlab.${domain}/users/auth/openid_connect/callback'
|
||||
registry:
|
||||
enabled: true
|
||||
ingress:
|
||||
enabled: false
|
||||
gitlab-exporter:
|
||||
enabled: false
|
||||
kas:
|
||||
enabled: false
|
||||
nginx-ingress:
|
||||
enabled: false
|
||||
prometheus:
|
||||
install: false
|
||||
redis:
|
||||
metrics:
|
||||
enabled: false
|
||||
postgresql:
|
||||
metrics:
|
||||
enabled: false
|
||||
certmanager:
|
||||
install: false
|
||||
installCRDs: false
|
||||
startupapicheck:
|
||||
enabled: false
|
||||
upgradeCheck:
|
||||
enabled: false
|
||||
EOF
|
||||
|
||||
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
|
||||
helm repo add gitlab https://charts.gitlab.io/
|
||||
helm repo up
|
||||
kubectl create namespace gitlab || true
|
||||
helm upgrade --install gitlab gitlab/gitlab --version=6.6.1 --namespace gitlab -f gitlab-values.yaml
|
||||
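Review bot: same parameter bugs as in `setup-with-oidc.sh`: `$10` through `$15` must be `${10}` through `${15}`, and `gitlab_stmp_secret` is assigned while the heredoc uses `$gitlab_smtp_secret`. The generated YAML is malformed on top of that: `appConfig:` appears twice in a row under `global:`, which nests one mapping inside the other so the chart reads none of the object-store settings, and `uploads:` is declared twice under `object_store` (duplicate keys are rejected or silently last-wins depending on the parser). `minio.enabled: true` next to an `object_store.connection` pointing at an external bucket also deploys an in-cluster MinIO that nothing uses; set it to `false` once the storage secret is in place. The query-string client auth and the values file left on disk with the client secret apply here unchanged.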
119
playbooks/roles/charts/gitlab/files/setup.sh
Normal file
@ -0,0 +1,119 @@
|
||||
#!/bin/bash
|
||||
|
||||
check_empty() {
|
||||
if [ -z "$1" ]; then
|
||||
echo "$2"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
check_empty "$1" "Please provide a version name as the first argument"
|
||||
check_empty "$2" "Please provide a domain name as the second argument"
|
||||
check_empty "$3" "Please provide a namespace as the third argument"
|
||||
check_empty "$4" "Please provide a GitLab secret as the fourth argument"
|
||||
check_empty "$5" "Please provide a GitLab database secret as the fifth argument"
|
||||
check_empty "$6" "Please provide a GitLab SSO secret as the sixth argument"
|
||||
check_empty "$7" "Please provide a GitLab SMTP secret as the seventh argument"
|
||||
check_empty "$8" "Please provide a GitLab Redis secret as the eighth argument"
|
||||
|
||||
version=$1
|
||||
domain=$2
|
||||
namespace=$3
|
||||
gitlab_secret=$4
|
||||
gitlab_db_secret=$5
|
||||
gitlab_sso_secret=$6
|
||||
gitlab_smtp_secret=$7
|
||||
gitlab_redis_secret=$8
|
||||
|
||||
cat > gitlab-values.yaml <<EOF
|
||||
global:
|
||||
edition: ce
|
||||
hosts:
|
||||
domain: $domain
|
||||
gitlab:
|
||||
name: gitlab.$domain
|
||||
https: true
|
||||
ingress:
|
||||
class: nginx
|
||||
configureCertmanager: false
|
||||
enabled: true
|
||||
tls:
|
||||
enabled: true
|
||||
secretName: $gitlab_secret
|
||||
minio:
|
||||
enabled: true
|
||||
gitaly:
|
||||
persistence:
|
||||
enabled: true
|
||||
psql:
|
||||
host: postgresql.database.svc.cluster.local
|
||||
port: 5432
|
||||
username: postgres
|
||||
database: gitlabhq_production
|
||||
password:
|
||||
secret: $gitlab_db_secret
|
||||
key: password
|
||||
redis:
|
||||
host: redis-master.redis.svc.cluster.local
|
||||
port: 6379
|
||||
password:
|
||||
enabled: true
|
||||
secret: $gitlab_redis_secret
|
||||
key: password
|
||||
email:
|
||||
from: 'manbuzhe2009@qq.com'
|
||||
display_name: GitLab-System
|
||||
smtp:
|
||||
tls: true
|
||||
pool: true
|
||||
port: 465
|
||||
enabled: true
|
||||
domain: exmail.qq.com
|
||||
address: smtp.exmail.qq.com
|
||||
user_name: 'manbuzhe2009@qq.com'
|
||||
password:
|
||||
secret: $gitlab_smtp_secret
|
||||
key: password
|
||||
authentication: "login"
|
||||
starttls_auto: false
|
||||
openssl_verify_mode: "peer"
|
||||
appConfig:
|
||||
omniauth:
|
||||
enabled: true
|
||||
autoLinkLdapUser: false
|
||||
autoLinkSamlUser: false
|
||||
blockAutoCreatedUsers: false
|
||||
autoSignInWithProvider: null
|
||||
autoLinkUser:
|
||||
- 'openid_connect'
|
||||
allowSingleSignOn:
|
||||
- 'openid_connect'
|
||||
providers:
|
||||
- secret: $gitlab_sso_secret
|
||||
key: provider
|
||||
certmanager:
|
||||
install: false
|
||||
installCRDs: false
|
||||
startupapicheck:
|
||||
enabled: false
|
||||
postgresql:
|
||||
install: false
|
||||
redis:
|
||||
install: false
|
||||
kas:
|
||||
enabled: false
|
||||
nginx-ingress:
|
||||
enabled: false
|
||||
gitlab-exporter:
|
||||
enabled: false
|
||||
prometheus:
|
||||
install: false
|
||||
upgradeCheck:
|
||||
enabled: false
|
||||
EOF
|
||||
|
||||
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
|
||||
helm repo add gitlab https://charts.gitlab.io/
|
||||
helm repo up
|
||||
kubectl create namespace gitlab || true
|
||||
helm upgrade --install gitlab gitlab/gitlab --version=$version --namespace gitlab -f gitlab-values.yaml --timeout=3m --debug
|
||||
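Review bot: `email.from`, `smtp.user_name`, `smtp.domain` and `smtp.address` are hard-coded to a personal QQ mailbox and `smtp.exmail.qq.com` while every other value in the script is a parameter; take them as arguments (the OIDC variant of this script already does) or from role vars, otherwise every deployment sends mail as that account. `psql.host: postgresql.database.svc.cluster.local` and `redis.host: redis-master.redis.svc.cluster.local` likewise pin the namespaces that the tasks pass around as `db_namespace`. `export KUBECONFIG=/etc/rancher/k3s/k3s.yaml` ties the role to a k3s host; leave the caller's kubeconfig alone unless the role is documented as k3s-only. `--timeout=3m` also bounds the chart's hook jobs, which is tight for a first GitLab install, and `--debug` dumps the rendered values into the Ansible output; that is tolerable here only because this variant references secrets by name rather than by value, which is worth a comment.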
5
playbooks/roles/charts/gitlab/meta/main.yml
Normal file
@ -0,0 +1,5 @@
|
||||
dependencies:
|
||||
- role: redis
|
||||
- role: postgresql
|
||||
- role: cert-manager
|
||||
- role: secret-manger
|
||||
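Review bot: the role declares `cert-manager` as a dependency, but `files/setup.sh` sets `global.ingress.configureCertmanager: false` and `certmanager.install: false`, so nothing in this role uses it; drop the dependency or document what it is for. `secret-manger` matches the spelling in the other `meta/main.yml` files of this PR, so whichever way that name is resolved, resolve it in all of them at once.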
58
playbooks/roles/charts/gitlab/tasks/main.yml
Executable file
@ -0,0 +1,58 @@
|
||||
- name: get redis password
|
||||
shell: 'kubectl get secret --namespace redis redis -o jsonpath="{.data.redis-password}" | base64 -d'
|
||||
register: redis_command_raw
|
||||
when: inventory_hostname in groups[group][0]
|
||||
|
||||
- name: set fact join command for redis
|
||||
set_fact:
|
||||
redis_password : "{{ redis_command_raw.stdout }}"
|
||||
|
||||
- name: get db password
|
||||
shell: 'kubectl get secret --namespace database postgresql -o jsonpath="{.data.postgres-password}" | base64 -d'
|
||||
register: db_command_raw
|
||||
when: inventory_hostname in groups[group][0]
|
||||
|
||||
- name: set fact join command for mysql_db
|
||||
set_fact:
|
||||
pg_db_password : "{{ db_command_raw.stdout }}"
|
||||
when: inventory_hostname in groups[group][0]
|
||||
|
||||
#- name: Show Debug Info
|
||||
# debug: var=db_password_raw verbosity=0
|
||||
#
|
||||
- name: Sync provider.yaml
|
||||
template: src=templates/{{ item }} dest=/tmp/{{ item }} owner=root group=root mode=0644 force=yes unsafe_writes=yes
|
||||
with_items:
|
||||
- provider.yaml
|
||||
|
||||
- name: "cluster {{ ClusterContext }} Create New Generic Secret from Key/Vaule"
|
||||
shell: 'kubectl delete secret {{ item.secret_name }} -n {{ namespace }} || echo true; kubectl create secret generic {{ item.secret_name }} --from-file="{{ item.key }}={{ item.value }}" -n {{ namespace }}'
|
||||
loop:
|
||||
- { secret_name: 'gitlab-sso-secret', key: 'provider', value: "/tmp/provider.yaml" }
|
||||
|
||||
- name: "cluster {{ ClusterContext }} Create New Generic Secret from Key/Vaule"
|
||||
shell: 'kubectl delete secret {{ item.secret_name }} -n {{ namespace }} || echo true; kubectl create secret generic {{ item.secret_name }} --from-literal={{ item.key }}="{{ hostvars[groups[group][0]].pg_db_password }}" -n {{ namespace }}'
|
||||
loop:
|
||||
- { secret_name: 'gitlab-db-secret', key: 'password' }
|
||||
|
||||
- name: "cluster {{ ClusterContext }} Create New Generic Secret from Key/Vaule"
|
||||
shell: 'kubectl delete secret {{ item.secret_name }} -n {{ namespace }} || echo true; kubectl create secret generic {{ item.secret_name }} --from-literal={{ item.key }}="{{ hostvars[groups[group][0]].redis_password }}" -n {{ namespace }}'
|
||||
loop:
|
||||
- { secret_name: 'gitlab-redis-secret', key: 'password' }
|
||||
|
||||
- name: "cluster {{ ClusterContext }} Create SMTP Secret"
|
||||
shell: 'kubectl delete secret {{ item.secret_name }} -n {{ namespace }} || echo true; kubectl create secret generic {{ item.secret_name }} --from-literal={{ item.key }}={{ smtp_password }} -n {{ namespace }}'
|
||||
loop:
|
||||
- { secret_name: 'gitlab-smtp-secret', key: 'password' }
|
||||
|
||||
- name: DB Pre Setup for Gitlab Server
|
||||
script: files/pre-setup.sh {{ db_namespace }}
|
||||
when: inventory_hostname in groups[group]
|
||||
|
||||
- name: Setup Gitlab Server
|
||||
script: files/setup.sh {{ gitlab_version }} {{ domain }} {{ namespace }} 'gitlab-tls' 'gitlab-db-secret' 'gitlab-sso-secret' 'gitlab-smtp-secret' 'gitlab-redis-secret'
|
||||
when: inventory_hostname in groups[group]
|
||||
|
||||
- name: Post Setup for Gitlab Server
|
||||
script: files/post-setup.sh
|
||||
when: inventory_hostname in groups[group]
|
||||
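Review bot: the `set fact join command for redis` task has no `when`, so on every host other than `groups[group][0]` it dereferences `redis_command_raw.stdout` from a skipped task and fails; give it the same `when: inventory_hostname in groups[group][0]` as the `pg_db_password` fact, or run both lookups with `run_once: true`. Secrets also land where they should not: the three `kubectl create secret generic --from-literal=...` shell tasks and the SMTP one put the database, Redis and SMTP passwords on the command line, which Ansible logs verbatim and `ps` on the host shows; add `no_log: true` to those tasks, or switch to the `kubernetes.core.k8s` module with a `Secret` manifest. `provider.yaml`, which carries the OIDC client secret, is rendered to `/tmp` with `mode=0644` (world-readable) and never deleted; use `mode=0600` and remove it once the secret exists. The delete-then-create pattern is not atomic and leaves a window with no secret; `kubectl create secret ... --dry-run=client -o yaml | kubectl apply -f -` updates in place. Minor: `set fact join command for mysql_db` is a leftover name from the Jenkins role (this is PostgreSQL), and `Key/Vaule` is a typo for `Key/Value`.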
@ -0,0 +1,5 @@
|
||||
[default]
|
||||
use_https = True
|
||||
host_base = {{ s3_endpoint }}
|
||||
bucket_location = {{ region }}
|
||||
host_bucket = %(bucket)s.{{ s3_endpoint }}
|
||||
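Review bot: this hunk carries no file path in the rendered view, so it is not clear which template the `.s3cfg` belongs to; worth checking that the path survives in the actual commit. The content is sound as far as it goes: no credentials are baked in and `use_https = True` is set, but `host_bucket = %(bucket)s.{{ s3_endpoint }}` assumes virtual-hosted-style addressing, which some S3-compatible endpoints do not support (those need `host_bucket = {{ s3_endpoint }}` for path style), so make the style configurable if `s3_endpoint` can vary between environments.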
18
playbooks/roles/charts/gitlab/templates/provider.yaml
Normal file
@ -0,0 +1,18 @@
|
||||
name: 'openid_connect'
|
||||
label: 'keycloak-sso'
|
||||
args:
|
||||
name: 'openid_connect'
|
||||
scope:
|
||||
- 'openid'
|
||||
- 'profile'
|
||||
- 'email'
|
||||
pkce: true
|
||||
discovery: true
|
||||
response_type: 'code'
|
||||
client_auth_method: 'query'
|
||||
send_scope_to_token_endpoint: true
|
||||
issuer: '{{ gitlab_oidc_isser }}'
|
||||
client_options:
|
||||
identifier: '{{ gitlab_oidc_client_id }}'
|
||||
secret: '{{ gitlab_oidc_client_token }}'
|
||||
redirect_uri: '{{ gitlab_oidc_redirect_uri }}'
|
||||
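Review bot: `issuer: '{{ gitlab_oidc_isser }}'` looks like a typo for `gitlab_oidc_issuer`; if it is misspelled only here, templating fails with an undefined variable, and if it is misspelled consistently in the vars it should still be corrected before other playbooks copy it. `client_auth_method: 'query'` puts the client secret into the token-request query string, where it ends up in proxy and access logs; Keycloak supports `basic` (HTTP Basic on the token endpoint), which keeps the secret out of URLs. `pkce: true` and `discovery: true` are the right defaults to keep.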
14
playbooks/roles/charts/harbor/files/post-setup.sh
Normal file
@ -0,0 +1,14 @@
|
||||
#!/bin/bash
|
||||
|
||||
check_empty() {
|
||||
if [ -z "$1" ]; then
|
||||
echo "$2"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
check_empty "$1" "Please provide harbor admin password"
|
||||
|
||||
export admin_passowrd=$1
|
||||
curl -X PUT -u "admin:$admin_password" -H "Content-Type: application/json" -ki https://artifact.onwalk.ne/api/v2.0/configurations -d @/tmp/harbor-oidc-config.json
|
||||
rm -f /tmp/harbor-oidc-config.json
|
||||
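Review bot: `export admin_passowrd=$1` assigns a misspelled variable, so the `curl -u "admin:$admin_password"` on the next line authenticates with an empty password and the configuration PUT is rejected; fix the spelling (the `check_empty` guard passes because it tests `$1`, not the variable). The host `https://artifact.onwalk.ne` is hard-coded, and `.ne` looks truncated next to `keycloak.onwalk.net` elsewhere in this PR; pass the Harbor URL in as an argument. `-k` disables certificate verification on the one request that carries the admin password and the OIDC client secret; since the role already installs a TLS secret for this host, drop `-k` or pass `--cacert`. The password on the `curl` command line is also visible in `ps` and in Ansible's script output; `-u admin` together with `--netrc-file`, or reading it from stdin, avoids that.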
13
playbooks/roles/charts/harbor/files/pre-setup.sh
Normal file
@ -0,0 +1,13 @@
|
||||
#!/bin/bash
|
||||
export namespace=$1
|
||||
export POSTGRES_PASSWORD=$(kubectl get secret --namespace database postgresql -o jsonpath="{.data.postgres-password}" | base64 -d)
|
||||
|
||||
kubectl run postgresql-client --rm --tty -i --restart='Never' --namespace database --image bitnami/postgresql:15.2.0-debian-11-r11 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql -U postgres -d postgres -p 5432 -w -c "CREATE DATABASE registry;" || echo true
|
||||
|
||||
kubectl run postgresql-client --rm --tty -i --restart='Never' --namespace database --image bitnami/postgresql:15.2.0-debian-11-r11 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql -U postgres -d postgres -p 5432 -w -c "CREATE DATABASE harbor_core;" || echo true
|
||||
|
||||
kubectl run postgresql-client --rm --tty -i --restart='Never' --namespace database --image bitnami/postgresql:15.2.0-debian-11-r11 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql -U postgres -d postgres -p 5432 -w -c "CREATE DATABASE harbor_clair;" || echo true
|
||||
|
||||
kubectl run postgresql-client --rm --tty -i --restart='Never' --namespace database --image bitnami/postgresql:15.2.0-debian-11-r11 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql -U postgres -d postgres -p 5432 -w -c "CREATE DATABASE harbor_notary_server;" || echo true
|
||||
|
||||
kubectl run postgresql-client --rm --tty -i --restart='Never' --namespace database --image bitnami/postgresql:15.2.0-debian-11-r11 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql -U postgres -d postgres -p 5432 -w -c "CREATE DATABASE harbor_notary_signer;" || echo true
|
||||
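Review bot: `namespace=$1` is exported but every `kubectl` call hard-codes `--namespace database`, so the argument the task passes in (`{{ namespace }}`, which is `artifact` in `vars/main.yml`) is ignored and the script only works when PostgreSQL lives in `database`; use `$namespace` throughout and have the task pass `{{ db_namespace }}` as the gitlab role does. Five separate `kubectl run` pods, each with `PGPASSWORD` in its pod spec, can be one pod running `psql` with five `-c` options (each `-c` is its own transaction, which `CREATE DATABASE` requires), and `|| echo true` on every line masks any real failure. The databases created (`registry`, `harbor_core`, `harbor_clair`, `harbor_notary_server`, `harbor_notary_signer`) serve both the Bitnami and the upstream chart; a comment saying which script uses which would save the next reader a diff.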
85
playbooks/roles/charts/harbor/files/setup-bitnami-harbor.sh
Normal file
@ -0,0 +1,85 @@
|
||||
#!/bin/bash
|
||||
|
||||
# 检查参数是否为空
|
||||
check_not_empty() {
|
||||
if [[ -z $1 ]]; then
|
||||
echo "Error: $2 is empty. Please provide a value."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
check_not_empty "$1" "ak" && export ak=$1
|
||||
check_not_empty "$2" "sk" && export sk=$2
|
||||
check_not_empty "$3" "domain" && export domain=$3
|
||||
check_not_empty "$4" "namespace" && export namespace=$4
|
||||
check_not_empty "$5" "secret_name" && export secret_name=$5
|
||||
check_not_empty "$6" "redis_password" && export redis_password=$6
|
||||
check_not_empty "$7" "pg_db_password" && export pg_db_password=$7
|
||||
check_not_empty "$8" "backend_type" && export backend_type=$8
|
||||
export registry=$9
|
||||
|
||||
cat > values.yaml << EOF
|
||||
global:
|
||||
imageRegistry: "$registry"
|
||||
exposureType: ingress
|
||||
ingress:
|
||||
core:
|
||||
ingressClassName: "nginx"
|
||||
hostname: images.${domain}
|
||||
extraTls:
|
||||
- hosts:
|
||||
- images.${domain}
|
||||
secretName: "$secret_name"
|
||||
externalURL: https://images.${domain}
|
||||
|
||||
postgresql:
|
||||
enabled: false
|
||||
redis:
|
||||
enabled: false
|
||||
notary:
|
||||
enabled: false
|
||||
trivy:
|
||||
enabled: false
|
||||
|
||||
externalDatabase:
|
||||
host: postgresql.database.svc.cluster.local
|
||||
user: postgres
|
||||
port: 5432
|
||||
password: "$pg_db_password"
|
||||
sslmode: disable
|
||||
coreDatabase: harbor_core
|
||||
clairDatabase: harbor_clair
|
||||
clairUsername: "postgres"
|
||||
clairPassword: "$pg_db_password"
|
||||
notaryServerDatabase: harbor_notary_server
|
||||
notaryServerUsername: "postgres"
|
||||
notaryServerPassword: "$pg_db_password"
|
||||
notarySignerDatabase: harbor_notary_signer
|
||||
notarySignerUsername: "postgres"
|
||||
notarySignerPassword: "$pg_db_password"
|
||||
externalRedis:
|
||||
host: redis-master.redis.svc.cluster.local
|
||||
port: 6379
|
||||
password: "$redis_password"
|
||||
persistence:
|
||||
enabled: true
|
||||
imageChartStorage:
|
||||
type: $backend_type
|
||||
oss:
|
||||
accesskeyid: $ak
|
||||
accesskeysecret: $sk
|
||||
region: "oss-cn-wulanchabu"
|
||||
bucket: "harbor-oss"
|
||||
endpoint: "oss-cn-wulanchabu.aliyuncs.com"
|
||||
s3:
|
||||
region: ap-east-1
|
||||
bucket: artifact-s3
|
||||
accesskey: $ak
|
||||
secretkey: $sk
|
||||
EOF
|
||||
|
||||
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
|
||||
helm repo add bitnami https://charts.bitnami.com/bitnami
|
||||
helm repo update bitnami
|
||||
kubectl create ns $namespace || true
|
||||
helm upgrade --install artifact bitnami/harbor --version=16.7.0 -f values.yaml -n $namespace
|
||||
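Review bot: `values.yaml` is written into the working directory with `$pg_db_password`, `$redis_password`, `$ak` and `$sk` in clear text and is never deleted after `helm upgrade --install`; at minimum `rm -f values.yaml` at the end, or create it under `umask 077` and pass the credentials with `--set-string` from a file that is removed afterwards. `externalDatabase.sslmode: disable` sends the PostgreSQL password and all registry metadata unencrypted across the cluster network; if the postgresql role can serve TLS, use `require`. The `oss` and `s3` blocks hard-code region, bucket and endpoint (`oss-cn-wulanchabu`, `harbor-oss`, `ap-east-1`, `artifact-s3`), so any other account needs script edits; make them parameters like `$backend_type`. `export registry=$9` skips the `check_not_empty` guard the other eight arguments get, so an empty `global.imageRegistry: ""` is rendered silently (if that is intended for Docker Hub, say so in a comment). The `clair*` keys and the `notaryServer*`/`notarySigner*` keys configure components that are not enabled here (`notary.enabled: false`, no clair block), so they are dead configuration.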
91
playbooks/roles/charts/harbor/files/setup-office-harbor.sh
Normal file
@ -0,0 +1,91 @@
|
||||
#!/bin/bash
|
||||
|
||||
ak=$1
|
||||
sk=$2
|
||||
domain=$3
|
||||
namespace=$4
|
||||
secret_name=$5
|
||||
redis_password=$6
|
||||
pg_db_password=$7
|
||||
storage_type=$8
|
||||
|
||||
cat > harbor-arm-config.yaml << EOF
|
||||
portal:
|
||||
image:
|
||||
repository: ghcr.io/octohelm/harbor/harbor-portal
|
||||
tag: v2.7.0@sha256:b3f4e0e990500362b554338579497ad89af5473e024564731563704ceab9305b
|
||||
core:
|
||||
image:
|
||||
repository: ghcr.io/octohelm/harbor/harbor-core
|
||||
tag: v2.7.0@sha256:dd7f3898f32caf8e03cee046596f03034f4297231458d4de39775dd58709b55a
|
||||
jobservice:
|
||||
image:
|
||||
repository: ghcr.io/octohelm/harbor/harbor-jobservice
|
||||
tag: v2.7.0@sha256:7abd6694f546172ffec4a87e389e8ba425fa6ee82479782693c120a89a291435
|
||||
registry:
|
||||
registry:
|
||||
image:
|
||||
repository: ghcr.io/octohelm/harbor/registry-photon
|
||||
tag: v2.7.0@sha256:d5f23b2bc4271b2eb1ec002eb0c0c51e708015944316e5bd17c61de73ea54415
|
||||
controller:
|
||||
image:
|
||||
repository: ghcr.io/svc-design/harbor-multi-arch-images/harbor-registryctl
|
||||
tag: v2.7.0@sha256:ba2412c1a629ca1c2ca4584ba51eb05e964c7eef7b1f9f6ddb39d67512debaf5
|
||||
chartmuseum:
|
||||
enabled: true
|
||||
image:
|
||||
repository: ghcr.io/octohelm/harbor/chartmuseum-photon
|
||||
tag: v2.7.0@sha256:0815066d46474b9403b2d2e5f6f9e2ae44d067d8d2f8523b95ea3d3f20f3d058
|
||||
trivy:
|
||||
enabled: false
|
||||
notary:
|
||||
enabled: false
|
||||
expose:
|
||||
type: ingress
|
||||
tls:
|
||||
enabled: true
|
||||
certSource: secret
|
||||
secret:
|
||||
secretName: $secret_name
|
||||
notarySecretName: $secret_name
|
||||
ingress:
|
||||
hosts:
|
||||
core: harbor.${domain}
|
||||
notary: artifact-notary.${domain}
|
||||
className: "nginx"
|
||||
externalURL: https://artifact.${domain}
|
||||
database:
|
||||
type: external
|
||||
external:
|
||||
host: "postgresql.database.svc.cluster.local"
|
||||
port: "5432"
|
||||
username: "postgres"
|
||||
password: "$pg_db_password"
|
||||
coreDatabase: "registry"
|
||||
notaryServerDatabase: "notary_server"
|
||||
notarySignerDatabase: "notary_signer"
|
||||
redis:
|
||||
type: external
|
||||
external:
|
||||
addr: "redis-master.redis.svc.cluster.local:6379"
|
||||
password: "$redis_password"
|
||||
persistence:
|
||||
imageChartStorage:
|
||||
type: $storage_type
|
||||
oss:
|
||||
accesskeyid: $ak
|
||||
accesskeysecret: $sk
|
||||
region: "oss-cn-wulanchabu"
|
||||
bucket: "harbor-s3"
|
||||
endpoint: "oss-cn-wulanchabu.aliyuncs.com"
|
||||
s3:
|
||||
region: ap-east-1
|
||||
bucket: artifact-s3
|
||||
accesskey: $ak
|
||||
secretkey: $sk
|
||||
EOF
|
||||
|
||||
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
|
||||
helm repo add harbor https://helm.goharbor.io
|
||||
helm repo update
|
||||
helm upgrade --install artifact harbor/harbor -f harbor-arm-config.yaml --version 1.11.1 -n $namespace
|
||||
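Review bot: `externalURL: https://artifact.${domain}` does not match the ingress host `core: harbor.${domain}`; Harbor builds its redirect and token-service URLs from `externalURL`, so clients that reach the ingress at `harbor.<domain>` are sent to `artifact.<domain>`, which this Ingress does not serve. Make the two agree (the Bitnami variant uses `images.${domain}` for both). Unlike `setup-bitnami-harbor.sh`, the argument list here has no empty checks, so a missing `$secret_name` or `$pg_db_password` renders an empty value and the install fails later with a less obvious error; reuse `check_not_empty`. `helm upgrade --install ... -n $namespace` has neither a preceding `kubectl create ns` nor `--create-namespace`, so the first run on a fresh cluster fails. As in the Bitnami script, the values file keeps the database, Redis and object-storage credentials on disk after install, and the OSS/S3 region and bucket names are hard-coded (note `harbor-s3` here versus `harbor-oss` in the other script for the same OSS bucket).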
4
playbooks/roles/charts/harbor/meta/main.yml
Normal file
@ -0,0 +1,4 @@
|
||||
dependencies:
|
||||
- role: redis
|
||||
- role: postgresql
|
||||
- role: secret-manger
|
||||
38
playbooks/roles/charts/harbor/tasks/main.yml
Executable file
@ -0,0 +1,38 @@
|
||||
- name: get redis password
|
||||
shell: 'kubectl get secret --namespace {{ cache_namespace }} redis -o jsonpath="{.data.redis-password}" | base64 -d'
|
||||
register: redis_command_raw
|
||||
when: inventory_hostname in groups[group][0]
|
||||
|
||||
- name: set fact join command for redis
|
||||
set_fact:
|
||||
redis_password : "{{ redis_command_raw.stdout }}"
|
||||
|
||||
- name: get db password
|
||||
shell: 'kubectl get secret --namespace {{ db_namespace }} postgresql -o jsonpath="{.data.postgres-password}" | base64 -d'
|
||||
register: db_command_raw
|
||||
when: inventory_hostname in groups[group][0]
|
||||
|
||||
- name: set fact join command for pg_db
|
||||
set_fact:
|
||||
pg_db_password : "{{ db_command_raw.stdout }}"
|
||||
when: inventory_hostname in groups[group][0]
|
||||
|
||||
#- name: Show Debug Info
|
||||
# debug: var=command_raw verbosity=0
|
||||
|
||||
- name: Pre Setup harbor DB
|
||||
script: files/pre-setup.sh {{ namespace }}
|
||||
when: inventory_hostname in groups[group]
|
||||
|
||||
- name: Setup harbor Server
|
||||
script: files/setup-bitnami-harbor.sh {{ oss_ak }} {{ oss_sk }} {{ domain }} {{ namespace }} {{ item.secret_name }} {{ hostvars[groups[group][0]].redis_password }} {{ hostvars[groups[group][0]].pg_db_password }} {{ backend_type }} {{ registry }}
|
||||
loop: "{{ tls }}"
|
||||
when: inventory_hostname in groups[group]
|
||||
|
||||
#- name: Sync harbor-oidc-config.json
|
||||
# template: src=templates/{{ item }} dest=/tmp/{{ item }} owner=root group=root mode=0644 force=yes unsafe_writes=yes
|
||||
# with_items:
|
||||
# - harbor-oidc-config.json
|
||||
|
||||
#- name: Setup harbor oidc config
|
||||
# script: files/post-setup.sh {{ admin_password }}
|
||||
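Review bot: the redis `set_fact` has no `when` guard, so on hosts other than `groups[group][0]` it dereferences `redis_command_raw.stdout` from a skipped task and fails; add the same `when` the `pg_db_password` fact has, or run both lookups with `run_once: true`. `Setup harbor Server` passes `{{ oss_ak }}`, `{{ oss_sk }}`, the Redis password and the PostgreSQL password as positional arguments to `files/setup-bitnami-harbor.sh`, which Ansible logs in full and which `ps` on the target shows while the script runs; add `no_log: true` and prefer handing secrets over through `environment:` or a Kubernetes Secret rather than argv. `Pre Setup harbor DB` passes `{{ namespace }}` (`artifact`) to a script that hard-codes `database`; pass `{{ db_namespace }}` so the variable is honoured once the script is fixed. Both the pre-setup and the setup task run on every host in `groups[group]`, so with more than one master the Helm install runs concurrently; restrict them to the first host.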
@ -0,0 +1,11 @@
|
||||
{
|
||||
"auth_mode": "oidc_auth",
|
||||
"oidc_name": "Keycloak-sso",
|
||||
"oidc_endpoint": "https://keycloak.onwalk.net/realms/cloud-sso",
|
||||
"oidc_client_id": "harbor-oidc",
|
||||
"oidc_client_secret": '{{ harbor_oidc_client_token }}',
|
||||
"oidc_scope": "openid,profile,email",
|
||||
"oidc_groups_claim": "groups",
|
||||
"oidc_auto_onboard": true,
|
||||
"oidc_user_claim": "preferred_username"
|
||||
}
|
||||
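Review bot: `"oidc_client_secret": '{{ harbor_oidc_client_token }}'` uses single quotes, which is not valid JSON, so Harbor's configurations API will reject the body as soon as the commented-out post-setup tasks are enabled; emit it as `"oidc_client_secret": {{ harbor_oidc_client_token | to_json }},` so the value is properly quoted and escaped even if the secret contains quotes or backslashes. `oidc_endpoint` and `oidc_client_id` are hard-coded to `keycloak.onwalk.net/realms/cloud-sso` and `harbor-oidc` while the secret is templated; template all three. `oidc_auto_onboard: true` creates a Harbor account for every user who can authenticate at that realm, so realm membership becomes the only gate; if that is intended, pair it with project membership driven by `oidc_groups_claim` and say so in the role's docs.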
9
playbooks/roles/charts/harbor/vars/main.yml
Normal file
@ -0,0 +1,9 @@
|
||||
group: master
|
||||
namespace: artifact
|
||||
db_namespace: database
|
||||
cache_namespace: redis
|
||||
update_secret: true
|
||||
tls:
|
||||
- secret_name: harbor-tls
|
||||
keyfile: /etc/ssl/svc.plus.key
|
||||
certfile: /etc/ssl/svc.plus.pem
|
||||
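Review bot: values in a role's `vars/main.yml` take precedence over inventory, `group_vars` and `host_vars`, so `namespace`, `db_namespace`, `cache_namespace` and the `tls` list (with its `/etc/ssl/svc.plus.key` and `.pem` paths) cannot be overridden per environment without `-e`; move them to `defaults/main.yml` and keep `vars/` for constants that should not change. The `keyfile`/`certfile` paths point at a single `svc.plus` certificate, exactly the kind of per-site value that belongs in inventory. `update_secret: true` is not referenced by any task in this role's hunk; check that the `secret-manger` dependency actually consumes it.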
6
playbooks/roles/charts/jenkins/files/pre-setup.sh
Normal file
@ -0,0 +1,6 @@
|
||||
#!/bin/bash
|
||||
export namespace=$1
|
||||
|
||||
export MYSQL_ROOT_PASSWORD=$(kubectl get secret --namespace $namespace mysql -o jsonpath="{.data.mysql-root-password}" | base64 -d)
|
||||
|
||||
kubectl run mysql-client --rm --tty -i --restart='Never' --image docker.io/bitnami/mysql:8.0.32-debian-11-r14 --namespace $namespace --env MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD --command -- bash -c "mysql -h mysql.database.svc.cluster.local -uroot -p$MYSQL_ROOT_PASSWORD -e 'create database IF NOT EXISTS jenkins;'"
|
||||
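Review bot: `mysql ... -p$MYSQL_ROOT_PASSWORD` puts the root password on the command line inside the client pod (visible to `ps` and to anyone who can `kubectl exec` into it), and `--env MYSQL_ROOT_PASSWORD=...` additionally stores it in the pod spec; the `mysql` client reads `MYSQL_PWD` from the environment, so set that and drop `-p`, or mount the existing `mysql` Secret. `-h mysql.database.svc.cluster.local` is hard-coded while the namespace is a parameter; use `mysql.$namespace.svc.cluster.local` so the connection and the `kubectl get secret --namespace $namespace mysql` lookup agree. There is no error handling here at all, so a failed `create database` is not reported back to the playbook; at least `set -e`.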
86
playbooks/roles/charts/jenkins/files/setup.sh
Normal file
@ -0,0 +1,86 @@
|
||||
#!/bin/bash
|
||||
set -x
|
||||
export domain=$1
|
||||
export secret=$2
|
||||
export namespace=$3
|
||||
export mysql_db_password=$4
|
||||
|
||||
cat > values.yaml << EOF
|
||||
|
||||
controller:
|
||||
agentListenerServiceType: "NodePort"
|
||||
agentListenerNodePort: 50000
|
||||
admin:
|
||||
username: 'admin'
|
||||
password: "jenkins"
|
||||
jenkinsUrlProtocol: "https"
|
||||
jenkinsHome: "/var/jenkins_home"
|
||||
jenkinsUrl: https://jenkins.$domain
|
||||
ingress:
|
||||
enabled: true
|
||||
annotations:
|
||||
kubernetes.io/tls-acme: "false"
|
||||
ingressClassName: nginx
|
||||
hostName: jenkins.$domain
|
||||
path: '/'
|
||||
tls:
|
||||
- secretName: $secret
|
||||
hosts:
|
||||
- jenkins.$domain
|
||||
installLatestPlugins: true
|
||||
installPlugins:
|
||||
- git:5.2.1
|
||||
- github:1.38.0
|
||||
- github-pullrequest:0.7.0
|
||||
- locale:314.v22ce953dfe9e
|
||||
- database-mysql:1.4
|
||||
- database:191.vd5981b_97a_5fa_
|
||||
- credentials:1337.v60b_d7b_c7b_c9f
|
||||
- credentials-binding:642.v737c34dea_6c2 # 更新版本以满足依赖关系
|
||||
- configuration-as-code:1775.v810dc950b_514 # 更新版本以满足依赖关系
|
||||
- gitlab-plugin:1.7.16
|
||||
- kubernetes:4029.v5712230ccb_f8
|
||||
- docker-plugin:1.6
|
||||
- docker-workflow:572.v950f58993843
|
||||
- docker-commons:439.va_3cb_0a_6a_fb_29
|
||||
- pipeline-stage-view:2.33
|
||||
- workflow-job:1385.vb_58b_86ea_fff1
|
||||
- workflow-cps:3883.vb_3ff2a_e3eea_f
|
||||
- workflow-aggregator:596.v8c21c963d92d
|
||||
JCasC:
|
||||
enabled: true
|
||||
defaultConfig: true
|
||||
configScripts:
|
||||
database: |
|
||||
unclassified:
|
||||
globalDatabaseConfiguration:
|
||||
database:
|
||||
mysql:
|
||||
hostname: mysql.database.svc.cluster.local
|
||||
username: "root"
|
||||
database: "jenkins"
|
||||
password: $mysql_db_password
|
||||
properties: "?useSSL=false"
|
||||
validationQuery: "SELECT 1"
|
||||
agent:
|
||||
enabled: true
|
||||
replicas: 3
|
||||
numExecutors: 1
|
||||
jenkinsUrl: https://jenkins.$domain
|
||||
image:
|
||||
repository: "jenkins/inbound-agent"
|
||||
tag: "latest"
|
||||
customJenkinsLabels: []
|
||||
|
||||
persistence:
|
||||
enabled: true
|
||||
storageClass: "local-path"
|
||||
size: "10Gi"
|
||||
networkPolicy:
|
||||
enabled: false
|
||||
additionalConfig: {}
|
||||
EOF
|
||||
|
||||
helm repo add jenkins https://charts.jenkins.io
|
||||
helm repo update
|
||||
helm upgrade --install jenkins jenkins/jenkins -n $namespace --create-namespace -f values.yaml
|
||||
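Review bot: `set -x` at the top of the script traces the expanded `cat > values.yaml << EOF` heredoc, so `password: $mysql_db_password` (the MySQL root password) and the controller admin password are written to stderr and therefore into the Ansible run output; drop `set -x`, or wrap the heredoc in `set +x` / `set -x`. Separately, the controller admin password is hard-coded as `password: "jenkins"` behind an ingress that publishes `https://jenkins.$domain`; pass it in as a positional argument the same way `mysql_db_password` is. Minor: the agent image uses `tag: "latest"` while every plugin is version-pinned; pin the agent tag too so agent upgrades are deliberate.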
124
playbooks/roles/charts/jenkins/howto.md
Normal file
@ -0,0 +1,124 @@
# Jenkins Mater 部署

# Jenkins Node IaC Runner 设置
1. 安装git terraform

## GitLab to trigger Jenkins

1. Gitlab https://gitlab.xxx.com/-/profile/personal_access_tokens

2. GitLab和Jenkins的集成可以让你在GitLab中的代码更新后自动触发Jenkins的构建任务。以下是配置GitLab插件和Jenkins以实现GitLab触发Jenkins的步骤:
3. 在Jenkins中安装GitLab插件
首先,你需要在Jenkins中安装GitLab插件。登录到Jenkins的管理界面,然后转到“Manage Jenkins” > “Manage Plugins” > “Available”,在搜索框中输入“GitLab”,找到并安装“GitLab Plugin”。
4. 在Jenkins中配置GitLab连接
安装完插件后,你需要配置GitLab的连接。转到“Manage Jenkins” > “Configure System”,滚动到“GitLab”部分,点击“Add GitLab Server” > “Server”,输入你的GitLab服务器URL,并生成并输入一个与你的GitLab账户相关联的API Token。
5. 在Jenkins中创建一个新的任务
创建一个新的任务,并在源代码管理部分选择“Git”,输入你的GitLab项目的URL。在构建触发器部分,选择“Build when a change is pushed to GitLab”。
记录:GitLab webhook URL: https://jenkins.xxx.xxx/project/alicloud-oss-pipeline
6. 在GitLab中配置Webhook
在你的GitLab项目中,转到“Settings” > “Integrations” -> 启用"Jenkins"
- 在URL中输入步骤5记录的 Webhook URL https://jenkins.xxx.xxx/project/alicloud-oss-pipeline
- 选择你想要触发Jenkins任务的事件(例如,当代码被推送时)
- Project name: 输入项目名称
- Username: Jenkins 用户名
- Password: Jenkins 认证密码
- 保存更改, 测试设置,返回状态200为配置正确

以上就是配置GitLab插件和Jenkins以实现GitLab触发Jenkins的步骤。在完成这些步骤后,每当你的GitLab项目有更新时,都会自动触发对应的Jenkins构建任务。

## 要将GitHub代码仓库与Jenkins关联起来,您需要完成以下步骤:

1 要在 GitHub 中启用 webhook 功能以触发 Jenkins 构建,请按照以下步骤操作:
2 进入 GitHub 仓库设置:在要设置 webhook 的 GitHub 仓库页面上,点击右上角的“Settings”。
3 选择 Webhooks 选项:在仓库设置页面的左侧菜单中,选择“Webhooks”。
4 添加 Webhook:在 Webhooks 页面的右上角,点击“Add webhook”。

配置 Webhook:

1. Payload URL:输入 Jenkins 服务器的 webhook URL。格式应为 http://your-jenkins-server/github-webhook/。确保替换 your-jenkins-server 为您 Jenkins 服务器的实际地址。
2. Content type:选择 application/json。
3. Secret(可选):如果需要额外的安全性,可以输入一个秘密令牌。
4. SSL verification:选择是否验证 SSL 证书。
5. Which events would you like to trigger this webhook?:选择触发 webhook 的事件。通常选择 Just the push event(只有推送事件)或 Let me select individual events(让我选择单独的事件)并选择适当的事件(例如,push、pull request 等)。
添加 Webhook:点击页面底部的“Add webhook”按钮以保存配置。

完成以上步骤后,您的 GitHub 仓库就配置好了一个 webhook,可以触发 Jenkins 构建。记得在 Jenkins 中设置相应的任务来响应这些 webhook。


安装Jenkins插件:

确保您的Jenkins实例已经安装了“GitHub”和“GitHub Integration”插件。您可以在Jenkins管理界面的“插件管理”部分进行安装。
配置GitHub Webhook:

在GitHub仓库的设置中,找到“Webhooks”部分并添加一个新的Webhook。
将“Payload URL”设置为您的Jenkins服务器的URL,通常是这样的格式:http://<JENKINS_URL>/github-webhook/。
选择触发Webhook的事件,通常是“Just the push event”或者“Send me everything”。
确保“Content type”设置为“application/json”。
点击“Add webhook”保存设置。
配置Jenkins Job:

在Jenkins中创建一个新的构建任务或者配置现有的任务。
在“源码管理”部分,选择“Git”并填写您的GitHub仓库的URL。
在“构建触发器”部分,选择“GitHub hook trigger for GITScm polling”选项。这样,每当GitHub仓库有新的推送事件时,Jenkins就会自动触发构建。
测试配置:

推送一些改动到您的GitHub仓库,检查是否触发了Jenkins构建。
在Jenkins的构建历史中查看构建是否成功执行。
通过完成以上步骤,您的GitHub代码仓库就与Jenkins关联起来了,可以实现自动触发构建的功能。

要在 Jenkins 中设置 GitHub 服务,您需要进行以下步骤:

安装 GitHub 插件:首先确保您的 Jenkins 实例已安装 GitHub 插件。如果尚未安装,请转到 Jenkins 的“插件管理”页面,在“可选插件”选项卡中搜索并安装 GitHub 插件。

配置 GitHub 服务器:在 Jenkins 管理界面中,转到“系统管理” > “系统设置”。

在系统设置页面中,找到并点击“GitHub”部分。
点击“Add GitHub Server”添加一个新的 GitHub 服务器配置。
在配置页面中,输入一个描述性的名称,例如“GitHub”。
在 GitHub API URL 中输入 GitHub 的 API 地址。通常为 https://api.github.com。
如果您的 GitHub 仓库需要身份验证,请在“凭据”部分选择一个已配置的凭据。如果尚未配置凭据,请点击“Add”添加一个新的凭据,选择类型为“Secret text”或“Username with password”,然后输入您的 GitHub 用户名和密码或访问令牌。
完成配置后,点击“保存”保存 GitHub 服务器配置。
验证配置:您可以在配置页面的底部点击“Test connection”来验证您的 GitHub 服务器配置是否正常工作。

保存设置:确保在完成配置后点击“保存”保存更改。

现在,您已成功配置了 Jenkins 的 GitHub 服务。您可以在 Jenkins 任务中使用这个配置来与 GitHub 仓库进行集成,例如触发构建、拉取代码等操作。


对于 Jenkins 中的 GitHub API URL (https://api.github.com) 的凭据设置,您可以使用 GitHub Personal Access Token。这个 Token 可以通过以下步骤生成:

在 GitHub 上登录您的账号。
点击页面右上角的头像,选择“Settings”。
在左侧边栏中,点击“Developer settings”。
在左侧边栏中,点击“Personal access tokens”。
点击“Generate new token”。
输入一个描述性的名称,选择需要的权限(至少需要 repo 权限来访问仓库),然后点击“Generate token”。
复制生成的 Token,并保存到一个安全的地方。请注意,这个 Token 只会显示一次,如果您丢失了,请重新生成一个新的 Token。
在 Jenkins 中使用这个 Token 作为 GitHub API URL (https://api.github.com) 的凭据时,您可以将 Token 添加为 Jenkins 的凭据:

进入 Jenkins 管理界面,转到“凭据” > “系统”。
在“系统”页面中,点击“Global credentials (unrestricted)”。
在凭据页面中,点击“Add credentials”。
在“Kind”下拉菜单中选择“Secret text”。
在“Secret”框中粘贴您在 GitHub 上生成的 Personal Access Token。
输入一个描述性的名称,并点击“OK”保存凭据。
现在,您可以在 Jenkins 的配置中使用这个凭据来访问 GitHub API (https://api.github.com)。

确保 Docker 已安装:在 Jenkins 代理节点上确认 Docker 已正确安装并配置。您可以通过在终端中执行 docker --version 命令来检查 Docker 是否可用。

检查 Docker 环境:如果 Docker 已安装,请确保 Docker 服务正在运行。您可以使用 sudo systemctl status docker 命令检查 Docker 服务的状态。

确认 Jenkins 全局工具配置:在 Jenkins 管理界面中,转到“系统管理”->“全局工具配置”,确保 Docker 工具已正确配置。如果未配置,您可以添加一个 Docker 工具,并指定正确的安装路径。

重启 Jenkins 服务:在进行了上述更改后,尝试重启 Jenkins 服务,以确保新的配置生效。

尝试在终端中执行 Docker 命令:在 Jenkins 代理节点上打开终端,尝试手动执行一些 Docker 命令(如 docker pull),看看是否能够正常执行

要设置 Jenkins Docker 流水线,你可以按照以下步骤进行操作:

前提条件
确保你的 Jenkins 实例已经安装了以下插件:

Docker Pipeline
Docker Commons

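Review bot: in the `配置 Webhook:` list, step 3 presents the webhook `Secret` as optional (`Secret(可选)`); for a Jenkins endpoint like `http://your-jenkins-server/github-webhook/` that GitHub has to reach over the internet, the secret is what lets Jenkins verify the payload signature, so the doc should tell the reader to set it rather than treat it as extra. The same GitHub webhook steps are also documented twice (once under `配置 Webhook:` and again under `配置GitHub Webhook:`); keep one copy. Typo in the first heading: `# Jenkins Mater 部署` should read `# Jenkins Master 部署`.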
3
playbooks/roles/charts/jenkins/meta/main.yml
Normal file
@ -0,0 +1,3 @@
dependencies:
- role: mysql
- role: secret-manger
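Review bot: `- role: secret-manger` looks like a misspelling of `secret-manager`; Ansible resolves a dependency by the role directory name, so this must match the existing role directory exactly or the jenkins role will fail to load.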
18
playbooks/roles/charts/jenkins/tasks/main.yml
Executable file
@ -0,0 +1,18 @@
- name: get mysql db password
shell: 'kubectl get secret --namespace database mysql -o jsonpath="{.data.mysql-root-password}" | base64 -d'
register: mysql_db_password_raw
when: inventory_hostname in groups[group][0]

- name: set fact join command
set_fact:
mysql_db_password : "{{ mysql_db_password_raw.stdout }}"
when: inventory_hostname in groups[group][0]

- name: DB Pre Setup for Jenkins Server
script: files/pre-setup.sh {{ db_namespace }}
when: inventory_hostname in groups[group]

- name: Setup Jenkins Cluster
script: files/setup.sh {{ domain }} {{ item.secret_name }} {{ namespace }} {{ mysql_db_password }}
when: inventory_hostname in groups[group] and ( tls is defined)
loop: "{{ tls }}"
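Review bot: the `get mysql db password` task registers the MySQL root password in `mysql_db_password_raw`, the `set_fact` task copies it into `mysql_db_password`, and `Setup Jenkins Cluster` passes it as a script argument, yet none of the three has `no_log: true`, so the password is printed in the play output under `-v` and in any collected run logs; add `no_log: true` to all three. `when: inventory_hostname in groups[group][0]` is a substring test (`groups[group][0]` is a single hostname string, not a list) and will also match on a host whose name is a substring of the first host's; use `inventory_hostname == groups[group][0]`. Also the namespace is hard-coded as `database` in the `kubectl get secret` command while the pre-setup step uses `{{ db_namespace }}`, the task name `set fact join command` is a copy-paste leftover, and `mysql_db_password :` has a stray space before the colon.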
5
playbooks/roles/charts/keycloak/files/pre-setup.sh
Normal file
@ -0,0 +1,5 @@
#!/bin/bash
export namespace=$1
export POSTGRES_PASSWORD=$(kubectl get secret --namespace $namespace postgresql -o jsonpath="{.data.postgres-password}" | base64 -d)

kubectl run postgresql-client --rm --tty -i --restart='Never' --namespace $namespace --image docker.io/bitnami/postgresql:15.2.0-debian-11-r11 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql -U postgres -d postgres -p 5432 -w -c "CREATE DATABASE keycloak;" || echo true
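Review bot: the trailing `|| echo true` on the `kubectl run postgresql-client ... "CREATE DATABASE keycloak;"` line turns every failure into success, not just the expected "database already exists" case, so a wrong `POSTGRES_PASSWORD`, a missing `postgresql` secret or an unreachable host is silently masked and the role carries on to install Keycloak against a database that was never created. Check for the database first (for example `SELECT 1 FROM pg_database WHERE datname = 'keycloak'`) and only create it when absent, letting any other error fail the script.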
39
playbooks/roles/charts/keycloak/files/setup-keycloak.sh
Normal file
@ -0,0 +1,39 @@
#!/bin/bash

export domain=$1
export secret=$2
export namespace=$3
export keycloak_ui_password=$4
export keycloak_db_password=$5

cat > keycloak-values.yaml << EOF
proxy: edge
tls:
enabled: false
existingSecret: "$secret"
auth:
adminPassword: "$keycloak_ui_password"
ingress:
enabled: false
ingressClassName: "nginx"
hostname: keycloak.${domain}
tls: true
extraTls:
- hosts:
- keycloak.${domain}
secretName: $secret
postgresql:
enabled: true
#externalDatabase:
# host: "postgresql.database.svc.cluster.local"
# port: 5432
# user: postgres
# database: keycloak
# password: "$keycloak_db_password"
EOF

helm repo add bitnami https://charts.bitnami.com/bitnami || echo true
helm repo update
kubectl create ns ${namespace} || echo true
kubectl create secret tls onwalk-tls --cert=/etc/ssl/onwalk.net.pem --key=/etc/ssl/onwalk.net.key -n ${namespace} || echo true
helm upgrade --install keycloak bitnami/keycloak -n $namespace -f keycloak-values.yaml
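Review bot: the TLS secret name is inconsistent: the values file references `$secret` (in `existingSecret: "$secret"` and `secretName: $secret`) but the `kubectl create secret tls` line hard-codes the name `onwalk-tls` and the paths `/etc/ssl/onwalk.net.pem` / `/etc/ssl/onwalk.net.key`, so unless the caller happens to pass `onwalk-tls` as `$2` the chart points at a secret that does not exist. Create the secret as `${secret}` and take the cert and key paths from arguments. Also `ingress.enabled: false` leaves `hostname`, `tls: true` and `extraTls` unused, and `keycloak_db_password` (`$5`) is accepted but only referenced inside the commented-out `#externalDatabase:` block while `postgresql.enabled: true` deploys the bundled database; either wire up the external database that `pre-setup.sh` prepares or drop the argument.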
Some files were not shown because too many files have changed in this diff