Merge pull request #1 from svc-design/playbooks

add playbooks & scripts

README.md

@@ -1 +1,90 @@
-# gitops
+# ansible-playbook
+
+This repository contains a collection of Ansible playbooks and roles for various infrastructure setups and service management tasks.
+
+## Playbook 角色说明
+
+1. playbooks/roles/docker：适用于简单的、单机环境的部署，主要使用 Docker 和 Docker Compose 进行容器化管理。
+2. playbooks/roles/charts：面向大规模的 Kubernetes 集群，使用 Helm 和标准化 Chart 部署模式进行高可用和可扩展的管理。
+3. playbooks/roles/vhosts：传统的非容器化部署方式，通常涉及手动配置服务器和虚拟主机，适用于不使用容器的应用场景。
+
+
+## Role Summary
+
+| Role Name               | Description                                           | Docker | Charts | VHosts | CICD    | Validate | Last Update  |
+|-------------------------|-------------------------------------------------------|--------|--------|--------|---------|----------|--------------|
+| `common`                | 通用角色，包含一些常用的功能，如日志记录、监控等。      |        |        |   ✔    |         |   yes    | 2025-02-14   |
+| `keycloak`              | 用于管理身份认证和授权服务。                            |   ✔    |        |        | github  |   yes    | 2024-11-10   |
+| `harbor`                | 容器镜像仓库角色，用于存储和管理容器镜像。              |   ✔    |        |        | github  |   yes    | 2024-11-14   |
+| `app`                   | 参考模板。                                              |        |        |        |         |          |              |
+| `nginx`                 | 用于设置 Nginx                                          |        |   ✔    |   ✔    |         |          |              |
+| `grafana`               | 用于设置 Grafana                                        |        |   ✔    |   ✔    |         |          |              |
+| `grafana-loki`          | 用于设置 Grafana-loki                                   |        |   ✔    |   ✔    |         |          |              |
+| `Grafana-tempo`         | 用于设置 Grafana-tempo                                  |        |   ✔    |   ✔    |         |          |              |
+| `prometheus`            | 用于设置 Prometheus                                     |        |   ✔    |   ✔    |         |          |              |
+| `prometheus-transfer`   | 用于 Prometheus 数据传输设置。                          |        |        |   ✔    |         |          |              |
+| `vector`                | 用于配置日志收集代理。                                  |        |        |   ✔    |         |          |              |
+| `node-exporter`         | 用于导出系统和硬件的监控数据。                          |        |   ✔    |        |         |          |              |
+| `observability-agent`   | 用于管理 Observability 代理。                           |        |   ✔    |   ✔    |         |          |              |
+| `observability-server`  | 用于设置 Observability 服务端。                         |        |   ✔    |   ✔    |         |          |              |
+| `wireguard-client`      | 用于设置 WireGuard 客户端。                             |        |        |   ✔    |         |          |              |
+| `wireguard-gateway`     | 用于设置 WireGuard 网关。                               |        |        |   ✔    |         |          |              |
+| `vault`                 | 用于管理敏感数据和密钥。                                |        |        |   ✔    |         |          |              |
+| `postgresql`            | PostgreSQL 数据库角色，用于提供 PostgreSQL 数据库服务。 |        |   ✔    |        |         |          |              |
+| `redis`                 | Redis 数据库角色，用于提供 Redis 数据库服务。           |        |   ✔    |        |         |          |              |
+| `chartmuseum`           | 图表仓库角色，用于存储和管理 Kubernetes 图表。          |        |   ✔    |        |         |          |              |
+| `gitlab`                | 代码仓库角色，用于存储和管理代码。                      |        |   ✔    |        |         |          |              |
+| `mysql`                 | MySQL 数据库角色，用于提供 MySQL 数据库服务。           |        |   ✔    |        |         |          |              |
+| `argo-server`           | 用于设置和管理 Argo Server。                            |        |   ✔    |        |         |          |              |
+| `deepflow`              | 用于流量监控与网络性能分析的 DeepFlow 服务。            |        |   ✔    |        |         |          |              |
+| `jenkins`               | Jenkins 自动化构建工具角色，用于 CI/CD 管道。           |        |   ✔    |        |         |          |              |
+| `chaos-mesh`            | 用于 Chaos Engineering 测试的 Chaos Mesh 角色。         |        |   ✔    |        |         |          |              |
+| `flagger-loadtester`    | 用于负载测试的 Flagger Loadtester 角色。                |        |   ✔    |        |         |          |              |
+| `splunk-otel-collector` | 用于配置 Splunk OpenTelemetry Collector。               |        |   ✔    |        |         |          |              |
+| `openldap`              | 用于设置和管理 OpenLDAP 身份认证服务。                  |        |   ✔    |        |         |          |              |
+| `alerting`              | 用于设置和管理警报系统。                                |        |        |   ✔    |         |          |              |
+| `k3s`                   | 用于创建 Kubernetes 集群。                              |        |        |   ✔    |         |          |              |
+| `k3s-reset`             | 用于重置 Kubernetes 集群。                              |        |        |   ✔    |         |          |              |
+| `k3s-addon`             | 用于安装 Kubernetes 集群插件。                          |        |        |   ✔    |         |          |              |
+| `secret-manger`         | 密钥管理角色，用于管理密钥。                            |        |        |   ✔    |         |          |              |
+| `cert-manager`          | 证书管理角色，用于管理证书。                            |        |        |   ✔    |         |          |              |
+
+表格说明
+- Docker：是否属于 Docker 角色。
+- Charts：是否属于 Helm Chart 角色。
+- VHosts：是否属于虚拟主机管理相关角色。
+- CICD：是否启用 CICD 管道，标明是否集成了自动化流程。
+- Validate：是否经过验证测试。
+- Last Update：最后更新时间。
+
+##  Usage Examples
+
+- Linux OS Setup
+
+ansible-playbook -i inventory/hosts/all playbooks/common -D -C
+ansible-playbook -i inventory/hosts/all playbooks/common -D
+
+- Gather Network Information
+
+ansible-playbook -i inventory gather_network_info.yml -e target_group=master
+
+- Display network information on all nodes
+
+ansible -i inventory all -m script -a 'roles/network_info/tasks/files/display_network_info.sh'
+
+- Deploy Keycloak Server
+
+ansible-playbook -i inventory/hosts/core playbooks/keycloak_server -D
+
+- Set up WireGuard Gateway
+
+ansible-playbook -i inventory/hosts/vpn playbooks/wireguard_gateway.yaml -D
+
+- Set up Grafana Alloy
+
+ansible-playbook -i inventory/k3s-cluster playbooks/init_grafana_alloy -D -C -l cn-k3s-server.svc.plus -e @playbooks/roles/alloy/files/loki_journal_sources_k3s_server.yml -e "ansible_become_pass='xxxx'"
+
+
+- Setup VPN gateway
+
+ansible-playbook -i inventory/hosts/all playbooks/common -l gateway -D

ansible.cfg

@@ -0,0 +1,15 @@
+[inventory]
+cache: yes
+cache_plugin: ansible.builtin.jsonfile
+
+[defaults]
+vault_password_file = ~/.vault_password
+timeout        = 10
+forks          = 10
+poll_interval  = 10
+transport      = smart
+gathering      = smart
+stdout_callback = skippy
+host_key_checking = False
+deprecation_warnings = False
+ansible_python_interpreter=/usr/bin/python3

inventory/group_vars/all.yml

@@ -0,0 +1,5 @@
+ansible_port: 22
+ansible_ssh_user: ubuntu
+ansible_ssh_private_key_file: ~/.ssh/id_rsa
+ansible_host_key_checking: False
+

inventory/hosts/all

@@ -0,0 +1,19 @@
+[all]
+hw-node.svc.plus                  ansible_host=139.9.139.22     ansible_ssh_user=root
+cn-gateway.svc.plus               ansible_host=8.130.10.142     ansible_ssh_user=root
+us-gateway.svc.plus               ansible_host=52.196.108.28    ansible_ssh_user=ubuntu
+global-gateway.svc.plus           ansible_host=54.183.199.99    ansible_ssh_user=ubuntu
+canada-gateway.svc.plus           ansible_host=3.96.167.208     ansible_ssh_user=ubuntu
+vault.onwalk.net                  ansible_host=3.101.151.231    ansible_ssh_user=ubuntu
+ldap.svc.plus                     ansible_host=35.182.63.247    ansible_ssh_user=ubuntu
+keycloak.svc.plus                 ansible_host=3.99.126.158     ansible_ssh_user=ubuntu
+observability.onwalk.net          ansible_host=54.153.80.120    ansible_ssh_user=ubuntu
+argocd.svc.plus                   ansible_host=13.57.247.27     ansible_ssh_user=ubuntu
+
+[gateway]
+vpn-gateway.svc.plus              ansible_host=167.179.72.223   ansible_ssh_user=root
+
+[all:vars]
+ansible_port=22
+ansible_ssh_private_key_file=~/.ssh/id_rsa
+ansible_host_key_checking=False

inventory/hosts/vpn

@@ -0,0 +1,2 @@
+[vpn-gateway]
+xproxy.onwalk.net               ansible_host=43.206.158.21

inventory/k3s-cluster

@@ -0,0 +1,12 @@
+[all]
+cn-gateway.svc.plus         ansible_host=10.254.0.1
+cn-k3s-server.svc.plus      ansible_host=10.254.0.3
+cn-hw-node.svc.plus         ansible_host=10.254.0.4
+global-gateway.svc.plus     ansible_host=10.255.0.1
+global-k3s-server.svc.plus  ansible_host=10.255.0.3
+
+[all:vars]
+ansible_port=22
+ansible_ssh_user=ubuntu
+ansible_ssh_private_key_file=~/.ssh/id_rsa
+ansible_host_key_checking=False

playbooks/common

@@ -0,0 +1,8 @@
+---
+- name: Init Linux OS Common setting
+  hosts: all
+  user: ubuntu
+  become: yes
+  gather_facts: yes
+  roles:
+    - vhosts/common

playbooks/deploy-docker-harbor.yml

@@ -0,0 +1,5 @@
+---
+- hosts: all
+  become: yes
+  roles:
+    - docker/harbor

playbooks/deploy-docker-keycloak.yml

@@ -0,0 +1,5 @@
+---
+- hosts: all
+  become: yes
+  roles:
+    - docker/keycloak

playbooks/init-harbor-server

@@ -0,0 +1,17 @@
+- name: setup harbor 
+  hosts: all
+  user: root
+  become: yes
+  gather_facts: yes
+  tasks:
+    - include_role:
+        name: harbor
+      vars:
+        group: master
+        namespace: harbor
+        db_namespace: database
+        update_secret: true
+        tls:
+          - secret_name: harbor-tls
+            keyfile: /etc/ssl/onwalk.net.key
+            certfile: /etc/ssl/onwalk.net.pem

playbooks/init_chaos_mesh

@@ -0,0 +1,17 @@
+- name: setup chaos-mesh server
+  hosts: all
+  user: root
+  become: yes
+  gather_facts: yes
+  tasks:
+    - include_role:
+        name: chaos-mesh
+      vars:
+        group: master
+        domain: onwalk.net
+        namespace: chaos-mesh
+        update_secret: true
+        tls:
+          - secret_name: chaos-mesh-tls
+            keyfile: /etc/ssl/onwalk.net.key
+            certfile: /etc/ssl/onwalk.net.pem

playbooks/init_chartmuseum

@@ -0,0 +1,8 @@
+---
+- name: deploy chartmuseum
+  hosts: all
+  user: ubuntu
+  become: yes
+  gather_facts: yes
+  roles:
+    - chartmuseum

playbooks/init_deepflow

@@ -0,0 +1,16 @@
+- name: setup deepflow server 
+  hosts: all
+  user: root
+  become: yes
+  gather_facts: yes
+  tasks:
+    - include_role:
+        name: deepflow
+      vars:
+        group: master
+        update_secret: true
+        namespace: monitoring
+        tls:
+          - secret_name: obs-tls
+            keyfile: /etc/ssl/onwalk.net.key
+            certfile: /etc/ssl/onwalk.net.pem

playbooks/init_flagger-loadtester

@@ -0,0 +1,16 @@
+- name: setup flagger-loadtester server
+  hosts: all
+  user: root
+  become: yes
+  gather_facts: yes
+  tasks:
+    - include_role:
+        name: flagger-loadtester
+      vars:
+        group: master
+        update_secret: true
+        namespace: loadtester
+        tls:
+          - secret_name: obs-tls
+            keyfile: /etc/ssl/${DOMAIN}.key
+            certfile: /etc/ssl/${DOMAIN}.pem

playbooks/init_gitlab

@@ -0,0 +1,23 @@
+- name: setup gitlab 
+  hosts: all
+  user: root
+  become: yes
+  gather_facts: yes
+  tasks:
+    - include_role:
+        name: gitlab
+      vars:
+        group: master
+        gitlab_version: '7.0.4'
+        namespace: gitlab
+        db_namespace: database
+        domain: onwalk.net
+        auto_issuance: false
+        update_secret: true  
+        tls:
+          - secret_name: gitlab-tls
+            keyfile: /etc/ssl/onwalk.net.key
+            certfile: /etc/ssl/onwalk.net.pem
+        gitlab_oidc_client_id: gitlab-oidc
+        gitlab_oidc_isser: 'https://keycloak.onwalk.net/realms/cloud-sso'
+        gitlab_oidc_redirect_uri: 'https://gitlab.onwalk.net/users/auth/openid_connect/callback'

playbooks/init_grafana_alloy

@@ -0,0 +1,8 @@
+---
+- name: deploy grafana alloy agent
+  hosts: all
+  user: ubuntu
+  become: yes
+  gather_facts: yes
+  roles:
+    - alloy

playbooks/init_harbor_server

@@ -0,0 +1,8 @@
+---
+- name: deploy harbor server
+  hosts: all
+  user: ubuntu
+  become: yes
+  gather_facts: yes
+  roles:
+    - harbor

playbooks/init_jenkins

@@ -0,0 +1,18 @@
+- name: setup jenkins server
+  hosts: all
+  user: root
+  become: yes
+  gather_facts: yes
+  tasks:
+    - include_role:
+        name: jenkins
+      vars:
+        group: master
+        domain: onwalk.net
+        namespace: jenkins
+        update_secret: true
+        db_namespace: database
+        tls:
+          - secret_name: jenkins-tls
+            keyfile: /etc/ssl/onwalk.net.key
+            certfile: /etc/ssl/onwalk.net.pem

playbooks/init_k3s_cluster_agent

@@ -0,0 +1,8 @@
+---
+- name: Initialize K3s Cluster Agent
+  hosts: all
+  user: ubuntu
+  become: yes
+  gather_facts: yes
+  roles:
+    - k3s-cluster-agent

playbooks/init_k3s_cluster_server

@@ -0,0 +1,8 @@
+---
+- name: Initialize K3s Cluster Server
+  hosts: all
+  user: ubuntu
+  become: yes
+  gather_facts: yes
+  roles:
+    - k3s-cluster-server

playbooks/init_k3s_cluster_std

@@ -0,0 +1,27 @@
+- name: set artifact cluster with vhosts
+  hosts: all
+  user: root
+  become: yes
+  gather_facts: yes
+  tasks:
+    - include_role:
+        name: k3s-reset
+      vars:
+        group: master
+        cluster_reset: 'enable'
+    - include_role:
+        name: k3s
+      vars:
+        group: master
+        cni: default
+        version: 'v1.27.2+k3s1'
+        pod_cidr: '10.10.0.0/16'
+        svc_cidr: '172.16.0.0/16'
+        enable_api_access: true
+    - include_role:
+        name: k3s-addon
+      vars:
+        group: master
+        ingress: nginx
+        external_dns: enable
+        cert_issuance: vault

playbooks/init_k3s_cluster_with_argo_server

@@ -0,0 +1,38 @@
+- name: set artifact cluster with vhosts
+  hosts: all
+  user: root
+  become: yes
+  gather_facts: yes
+  tasks:
+    - include_role:
+        name: k3s-reset
+      vars:
+        group: master
+        cluster_reset: 'enable'
+    - include_role:
+        name: k3s
+      vars:
+        group: master
+        cni: default
+        version: 'v1.27.2+k3s1'
+        pod_cidr: '10.10.0.0/16'
+        svc_cidr: '172.16.0.0/16'
+        enable_api_access: true
+    - include_role:
+        name: k3s-addon
+      vars:
+        group: master
+        ingress: disable
+        external_dns: disable
+        cert_issuance: vault
+    - include_role:
+        name: argo-server
+      vars:
+        group: master
+        namespace: argocd
+        domain: onwalk.net
+        update_secret: true  
+        tls:
+          - secret_name: argocd-server-tls
+            keyfile: /etc/ssl/onwalk.net.key
+            certfile: /etc/ssl/onwalk.net.pem

playbooks/init_observability-agent

@@ -0,0 +1,13 @@
+- name: setup observability agent
+  hosts: all
+  user: root
+  become: yes
+  gather_facts: yes
+  tasks:
+    - include_role:
+        name: observability-agent
+      vars:
+        group: master
+        namespace: monitoring
+        deepflowserverip: 10.146.0.8
+        deepflowk8sclusterid: d-kqjofXyZbg 

playbooks/init_observability-server

@@ -0,0 +1,29 @@
+- name: setup observability server 
+  hosts: all
+  user: root
+  become: yes
+  gather_facts: yes
+  tasks:
+    - include_role:
+        name: observability-server
+      vars:
+        group: master
+        update_secret: true
+        auto_issuance: false
+        namespace: monitoring
+        db_namespace: database
+        tls:
+          - secret_name: obs-tls
+            keyfile: /etc/ssl/svc.ink.key
+            certfile: /etc/ssl/svc.ink.pem
+    - include_role:
+        name: flagger-loadtester 
+      vars:
+        group: master
+        update_secret: true
+        auto_issuance: false
+        namespace: loadtester
+        tls:
+          - secret_name: obs-tls
+            keyfile: /etc/ssl/svc.ink.key
+            certfile: /etc/ssl/svc.ink.pem

playbooks/init_openldap

@@ -0,0 +1,18 @@
+- name: setup openldap 
+  hosts: all
+  user: root
+  become: yes
+  gather_facts: yes
+  tasks:
+    - include_role:
+        name: openldap
+      vars:
+        group: master
+        namespace: itsm
+        domain: onwalk.net
+        update_secret: true
+        auto_issuance: false
+        tls:
+          - secret_name: openldap-tls
+            keyfile: /etc/ssl/onwalk.net.key
+            certfile: /etc/ssl/onwalk.net.pem

playbooks/init_splunk-otel-collector

@@ -0,0 +1,13 @@
+- name: setup splunk otel collector 
+  hosts: all
+  user: root
+  become: yes
+  gather_facts: yes
+  tasks:
+    - include_role:
+        name: splunk-otel-collector
+      vars:
+        group: master
+        namespace: default
+        splunk_hec_url: https://xxxx.splunkcloud.com:8088/services/collector/event
+        splunk_hec_token: "token-xxxxxx"

playbooks/init_telegraf

@@ -0,0 +1,10 @@
+- name: Setup telegraf 
+  hosts: all
+  user: root
+  become: yes
+  gather_facts: yes
+  tasks:
+    - include_role:
+        name: telegraf
+      vars:
+        update_secret: true

playbooks/init_vault

@@ -0,0 +1,8 @@
+---
+- name: deploy vault server
+  hosts: all
+  user: ubuntu
+  become: yes
+  gather_facts: yes
+  roles:
+    - vault

playbooks/init_vpn_gateway.yml

@@ -0,0 +1,7 @@
+---
+- hosts: vpn-gateway
+  user: ubuntu
+  become: yes
+  gather_facts: yes
+  roles:
+    - wireguard-gateway

playbooks/keycloak_server

@@ -0,0 +1,7 @@
+---
+- hosts: all
+  user: ubuntu
+  become: yes
+  gather_facts: yes
+  roles:
+    - keycloak

playbooks/playbooks/roles/docker/keycloak/defaults/main.yml

@@ -0,0 +1,14 @@
+---
+postgres_db: keycloak
+postgres_user: keycloak_user
+postgres_password: keycloak_password
+
+keycloak_admin: admin
+keycloak_admin_password: admin_password
+
+keycloak_key_store_password: a4h3ljbn
+keycloak_trust_store_password: a4h3ljbn
+
+ssl_certificate_path: /etc/ssl/onwalk.net.pem
+ssl_certificate_key_path: /etc/ssl/onwalk.net.key
+dhparam_path: /etc/ssl/dhparam.pem

playbooks/playbooks/roles/docker/keycloak/files/nginx.conf

@@ -0,0 +1,37 @@
+server {
+    listen 80;
+    server_name keycloak.onwalk.net;
+
+    # 强制 HTTP 请求重定向到 HTTPS
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name keycloak.onwalk.net;
+
+    # SSL 配置
+    ssl_certificate /etc/ssl/certs/onwalk.net.pem;
+    ssl_certificate_key /etc/ssl/certs/onwalk.net.key;
+
+    # 日志设置
+    access_log /dev/stdout;
+    error_log /dev/stderr;
+
+    # 配置反向代理
+    location / {
+        proxy_pass https://127.0.0.1:8443;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header Cookie $http_cookie;
+        proxy_redirect off;
+    }
+
+    # SSL 强化
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256';
+    ssl_prefer_server_ciphers off;
+}

playbooks/playbooks/roles/docker/keycloak/tasks/main.yml

@@ -0,0 +1,29 @@
+- name: 执行 pre-setup 操作
+  include_tasks: "{{ playbook_dir }}/roles/docker/keycloak/tasks/pre-setup.yml"
+
+- name: 渲染 .env 配置文件
+  template:
+    src: "{{ playbook_dir }}/roles/docker/keycloak/templates/.env.j2"
+    dest: "{{ playbook_dir }}/roles/docker/keycloak/files/.env"
+
+- name: 执行 create_keystore.sh 脚本
+  script: "{{ playbook_dir }}/roles/docker/keycloak/files/create_keystore.sh"
+  args:
+    chdir: "/home/ubuntu"
+
+- name: 渲染 Docker Compose 配置文件
+  template:
+    src: "{{ playbook_dir }}/roles/docker/keycloak/templates/docker-compose.yml.j2"
+    dest: "{{ playbook_dir }}/roles/docker/keycloak/files/docker-compose.yml"
+
+- name: 启动 Docker Compose 服务
+  become: true
+  docker_compose:
+    project_src: "{{ playbook_dir }}/roles/docker/keycloak"
+    files:
+      - "{{ playbook_dir }}/roles/docker/keycloak/files/docker-compose.yml"
+    restarted: true
+    state: present
+
+- name: 执行 post-setup 操作
+  include_tasks: "{{ playbook_dir }}/roles/docker/keycloak/tasks/post-setup.yml"

playbooks/playbooks/roles/docker/keycloak/templates/docker-compose.yml.j2

@@ -0,0 +1,64 @@
+version: '3.7'
+
+services:
+  postgres:
+    image: postgres:16.0-bookworm
+    environment:
+      POSTGRES_DB: {{ postgres_db }}
+      POSTGRES_USER: {{ postgres_user }}
+      POSTGRES_PASSWORD: {{ postgres_password }}
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    networks:
+      - keycloak_network
+
+  keycloak:
+    image: bitnami/keycloak:latest
+    environment:
+      KEYCLOAK_ADMIN: {{ keycloak_admin }}
+      KEYCLOAK_ADMIN_PASSWORD: {{ keycloak_admin_password }}
+      KEYCLOAK_DATABASE_VENDOR: postgresql
+      KEYCLOAK_DATABASE_HOST: postgres
+      KEYCLOAK_DATABASE_PORT: 5432
+      KEYCLOAK_DATABASE_USER: {{ postgres_user }}
+      KEYCLOAK_DATABASE_NAME: {{ postgres_db }}
+      KEYCLOAK_DATABASE_PASSWORD: {{ postgres_password }}
+      KEYCLOAK_ENABLE_HTTPS: true
+      KEYCLOAK_HTTPS_KEY_STORE_FILE: /etc/ssl/keystore.jks
+      KEYCLOAK_HTTPS_KEY_STORE_PASSWORD: {{ keycloak_key_store_password }}
+      KEYCLOAK_HTTPS_TRUST_STORE_FILE: /etc/ssl/truststore.jks
+      KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD: {{ keycloak_trust_store_password }}
+    ports:
+      - 8080:8080
+    volumes:
+      - /etc/ssl/keystore.jks:/etc/ssl/keystore.jks
+      - /etc/ssl/truststore.jks:/etc/ssl/truststore.jks
+    restart: always
+    depends_on:
+      - postgres
+    networks:
+      - keycloak_network
+
+  nginx:
+    image: nginx:latest
+    depends_on:
+      - keycloak
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - /etc/ssl/onwalk.net.pem:/etc/ssl/certs/onwalk.net.pem
+      - /etc/ssl/onwalk.net.key:/etc/ssl/certs/onwalk.net.key
+      - /etc/ssl/dhparam.pem:/etc/nginx/ssl/dhparam.pem
+      - ./nginx.conf:/etc/nginx/nginx.conf
+    restart: unless-stopped
+    networks:
+      - keycloak_network
+
+volumes:
+  postgres_data:
+    driver: local
+
+networks:
+  keycloak_network:
+    driver: bridge

playbooks/pre_setup.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Function to check if a variable is empty
+check_empty() {
+    if [ -z "${!1}" ]; then
+        echo "$1 is empty. Aborting."
+        exit 1
+    fi
+}
+
+# List of variables to check
+variables=("DNS_AK" "DNS_SK" "OSS_AK" "OSS_SK" "ROOT_PASSWORD" "SMTP_PASSWORD" "GITLAB_OIDC_CLIENT_TOKEN" "HARBOR_OIDC_CLIENT_TOKEN" "SSH_USER" "SSH_HOST_IP" "SSH_HOST_DOMAIN" "SSH_PRIVATE_KEY")
+
+# Loop through variables and check if each one is empty
+for var in "${variables[@]}"; do
+    check_empty "$var"
+done
+
+sudo apt install jq ansible -y
+
+mkdir -pv ~/.ssh/
+cat > ~/.ssh/id_rsa << EOF
+$SSH_PRIVATE_KEY
+EOF
+sudo chmod 0400 ~/.ssh/id_rsa
+md5sum ~/.ssh/id_rsa
+
+mkdir -pv hosts/
+
+cat > hosts/inventory << EOF
+[master]
+$SSH_HOST_DOMAIN               ansible_host=$SSH_HOST_IP
+
+[all:vars]
+ansible_port=22
+ansible_ssh_user=$SSH_USER
+ansible_ssh_private_key_file=~/.ssh/id_rsa
+ansible_host_key_checking=False
+ingress_ip=$SSH_HOST_IP
+dns_ak=$DNS_AK
+dns_sk=$DNS_SK
+oss_ak=$OSS_AK
+oss_sk=$OSS_SK
+admin_password=$ROOT_PASSWORD
+smtp_password=$SMTP_PASSWORD
+gitlab_oidc_client_token=$GITLAB_OIDC_CLIENT_TOKEN
+harbor_oidc_client_token=$HARBOR_OIDC_CLIENT_TOKEN
+EOF

playbooks/renew_nodes_ssl_certs

@@ -0,0 +1,8 @@
+---
+- name: renew nodes ssl certs
+  hosts: all
+  user: ubuntu
+  become: yes
+  gather_facts: yes
+  roles:
+    - cert-manager 

playbooks/roles/charts/app/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: common

playbooks/roles/charts/app/tasks/main.yml

@@ -0,0 +1,16 @@
+- name: Prep DIR
+  shell: "mkdir -pv /tmp/app/"
+
+- name: Prep NameSpace
+  shell: "kubectl create namespace default || echo true"
+
+- name: Sync Deploy yaml
+  template: src=templates/{{ item }}  dest=/tmp/app/{{ item }} owner=root group=root mode=0644 force=yes unsafe_writes=yes
+  with_items:
+    - deploy-app.yaml
+
+- name: Setup App
+  shell: "kubectl apply -f /tmp/app/{{ item }}"
+  when: inventory_hostname in groups[group]
+  with_items:
+   - deploy-app.yaml

playbooks/roles/charts/app/templates/.gitignore

@@ -0,0 +1,2 @@
+/clickhouse-keeper-k8s.iml
+/.idea/

playbooks/roles/charts/app/templates/deploy-app.yaml

@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: demo
+  template:
+    metadata:
+      labels:
+        app: demo
+    spec:
+      containers:
+      - name: demo
+        image: {{ app_image }}:{{ app_tag }} 
+        imagePullPolicy: Always

playbooks/roles/charts/argo-server/files/setup-argocd.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+
+# 检查参数是否为空
+check_not_empty() {
+  if [[ -z $1 ]]; then
+    echo "Error: $2 is empty. Please provide a value."
+    exit 1
+  fi
+}
+
+helm repo add argo https://argoproj.github.io/argo-helm
+helm repo update
+
+# 使用 Helm 部署 Argo CD
+#helm upgrade --install argocd argo/argo-cd -n argocd --create-namespace
+
+cat <<EOF > values.yaml
+global:
+  domain: argocd.onwalk.net
+server:
+  service:
+    type: ClusterIP
+    servicePortHttp: 80
+    servicePortHttps: 443
+    servicePortHttpName: http
+    servicePortHttpsName: https
+  ingress:
+    enabled: false
+    ingressClassName: "nginx"
+    hostname: argocd.onwalk.net
+    annotations:
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+    tls: true
+repoServer:
+  extraContainers:
+    - name: helmfile
+      image: ghcr.io/helmfile/helmfile:v0.157.0
+      # Entrypoint should be Argo CD lightweight CMP server i.e. argocd-cmp-server
+      command: ["/var/run/argocd/argocd-cmp-server"]
+      env:
+        - name: HELM_CACHE_HOME
+          value: /tmp/helm/cache
+        - name: HELM_CONFIG_HOME
+          value: /tmp/helm/config
+        - name: HELMFILE_CACHE_HOME
+          value: /tmp/helmfile/cache
+        - name: HELMFILE_TEMPDIR
+          value: /tmp/helmfile/tmp
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 999
+      volumeMounts:
+        - mountPath: /var/run/argocd
+          name: var-files
+        - mountPath: /home/argocd/cmp-server/plugins
+          name: plugins
+        # Register helmfile plugin into sidecar
+        - mountPath: /home/argocd/cmp-server/config/plugin.yaml
+          subPath: helmfile.yaml
+          name: argocd-cmp-cm
+        # Starting with v2.4, do NOT mount the same tmp volume as the repo-server container. The filesystem separation helps mitigate path traversal attacks.
+        - mountPath: /tmp
+          name: helmfile-tmp
+  volumes:
+    - name: argocd-cmp-cm
+      configMap:
+        name: argocd-cmp-cm
+    - name: helmfile-tmp
+      emptyDir: {}
+configs:
+  cmp:
+    create: true
+    plugins:
+      helmfile:
+        allowConcurrency: true
+        discover:
+          fileName: helmfile.yaml
+        generate:
+          command:
+            - bash
+            - "-c"
+            - |
+              if [[ -v ENV_NAME ]]; then
+                helmfile -n "$ARGOCD_APP_NAMESPACE" -e $ENV_NAME template --include-crds -q
+              elif [[ -v ARGOCD_ENV_ENV_NAME ]]; then
+                helmfile -n "$ARGOCD_APP_NAMESPACE" -e "$ARGOCD_ENV_ENV_NAME" template --include-crds -q
+              else
+                helmfile -n "$ARGOCD_APP_NAMESPACE" template --include-crds -q
+              fi
+        lockRepo: false
+EOF
+
+helm upgrade --install argocd argo/argo-cd -n argocd -f values.yaml
+
+# 等待 Argo CD 完全启动
+echo "Waiting for Argo CD to be ready..."
+kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=argocd-server -n argocd --timeout=180s
+
+echo "Argo CD deployment and configuration complete."

playbooks/roles/charts/argo-server/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: cert-manager

playbooks/roles/charts/argo-server/tasks/main.yml

@@ -0,0 +1,2 @@
+- name: Set ArgoCD Contoller
+  script: files/setup-argocd.sh

playbooks/roles/charts/chaos-mesh/files/setup.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+set -x
+export domain=$1
+export secret=$2
+export namespace=$3
+
+cat > values.yaml << EOF
+chaosDaemon:
+  runtime: containerd
+  socketPath: /run/k3s/containerd/containerd.sock
+dashboard:
+  create: true
+  ingress:
+    enabled: true
+    ingressClassName: "nginx"
+    hosts:
+      - name: chaos-mesh.$domain
+        tls: true
+        tlsSecret: $secret
+EOF
+
+helm repo add chaos-mesh https://charts.chaos-mesh.org
+helm repo update
+helm upgrade --install chaos-mesh chaos-mesh/chaos-mesh -n $namespace --create-namespace  --version 2.6.3 -f values.yaml

playbooks/roles/charts/chaos-mesh/howto.md

@@ -0,0 +1,124 @@
+# Jenkins Mater 部署
+
+# Jenkins Node IaC Runner 设置
+1. 安装git terraform
+
+## GitLab to trigger Jenkins
+
+1. Gitlab https://gitlab.xxx.com/-/profile/personal_access_tokens 
+
+2. GitLab和Jenkins的集成可以让你在GitLab中的代码更新后自动触发Jenkins的构建任务。以下是配置GitLab插件和Jenkins以实现GitLab触发Jenkins的步骤：
+3. 在Jenkins中安装GitLab插件
+首先，你需要在Jenkins中安装GitLab插件。登录到Jenkins的管理界面，然后转到“Manage Jenkins” > “Manage Plugins” > “Available”，在搜索框中输入“GitLab”，找到并安装“GitLab Plugin”。
+4. 在Jenkins中配置GitLab连接
+安装完插件后，你需要配置GitLab的连接。转到“Manage Jenkins” > “Configure System”，滚动到“GitLab”部分，点击“Add GitLab Server” > “Server”，输入你的GitLab服务器URL，并生成并输入一个与你的GitLab账户相关联的API Token。
+5. 在Jenkins中创建一个新的任务
+创建一个新的任务，并在源代码管理部分选择“Git”，输入你的GitLab项目的URL。在构建触发器部分，选择“Build when a change is pushed to GitLab”。
+记录:GitLab webhook URL: https://jenkins.xxx.xxx/project/alicloud-oss-pipeline
+6. 在GitLab中配置Webhook
+在你的GitLab项目中，转到“Settings” > “Integrations” -> 启用"Jenkins"
+- 在URL中输入步骤5记录的 Webhook URL https://jenkins.xxx.xxx/project/alicloud-oss-pipeline
+- 选择你想要触发Jenkins任务的事件（例如，当代码被推送时）
+- Project name: 输入项目名称
+- Username: Jenkins 用户名
+- Password: Jenkins 认证密码
+- 保存更改, 测试设置，返回状态200为配置正确
+
+以上就是配置GitLab插件和Jenkins以实现GitLab触发Jenkins的步骤。在完成这些步骤后，每当你的GitLab项目有更新时，都会自动触发对应的Jenkins构建任务。
+
+## 要将GitHub代码仓库与Jenkins关联起来，您需要完成以下步骤：
+
+1 要在 GitHub 中启用 webhook 功能以触发 Jenkins 构建，请按照以下步骤操作：
+2 进入 GitHub 仓库设置：在要设置 webhook 的 GitHub 仓库页面上，点击右上角的“Settings”。
+3 选择 Webhooks 选项：在仓库设置页面的左侧菜单中，选择“Webhooks”。
+4 添加 Webhook：在 Webhooks 页面的右上角，点击“Add webhook”。
+
+配置 Webhook：
+
+1. Payload URL：输入 Jenkins 服务器的 webhook URL。格式应为 http://your-jenkins-server/github-webhook/。确保替换 your-jenkins-server 为您 Jenkins 服务器的实际地址。
+2. Content type：选择 application/json。
+3. Secret（可选）：如果需要额外的安全性，可以输入一个秘密令牌。
+4. SSL verification：选择是否验证 SSL 证书。
+5. Which events would you like to trigger this webhook?：选择触发 webhook 的事件。通常选择 Just the push event（只有推送事件）或 Let me select individual events（让我选择单独的事件）并选择适当的事件（例如，push、pull request 等）。
+添加 Webhook：点击页面底部的“Add webhook”按钮以保存配置。
+
+完成以上步骤后，您的 GitHub 仓库就配置好了一个 webhook，可以触发 Jenkins 构建。记得在 Jenkins 中设置相应的任务来响应这些 webhook。
+
+
+安装Jenkins插件：
+
+确保您的Jenkins实例已经安装了“GitHub”和“GitHub Integration”插件。您可以在Jenkins管理界面的“插件管理”部分进行安装。
+配置GitHub Webhook：
+
+在GitHub仓库的设置中，找到“Webhooks”部分并添加一个新的Webhook。
+将“Payload URL”设置为您的Jenkins服务器的URL，通常是这样的格式：http://<JENKINS_URL>/github-webhook/。
+选择触发Webhook的事件，通常是“Just the push event”或者“Send me everything”。
+确保“Content type”设置为“application/json”。
+点击“Add webhook”保存设置。
+配置Jenkins Job：
+
+在Jenkins中创建一个新的构建任务或者配置现有的任务。
+在“源码管理”部分，选择“Git”并填写您的GitHub仓库的URL。
+在“构建触发器”部分，选择“GitHub hook trigger for GITScm polling”选项。这样，每当GitHub仓库有新的推送事件时，Jenkins就会自动触发构建。
+测试配置：
+
+推送一些改动到您的GitHub仓库，检查是否触发了Jenkins构建。
+在Jenkins的构建历史中查看构建是否成功执行。
+通过完成以上步骤，您的GitHub代码仓库就与Jenkins关联起来了，可以实现自动触发构建的功能。
+
+要在 Jenkins 中设置 GitHub 服务，您需要进行以下步骤：
+
+安装 GitHub 插件：首先确保您的 Jenkins 实例已安装 GitHub 插件。如果尚未安装，请转到 Jenkins 的“插件管理”页面，在“可选插件”选项卡中搜索并安装 GitHub 插件。
+
+配置 GitHub 服务器：在 Jenkins 管理界面中，转到“系统管理” > “系统设置”。
+
+在系统设置页面中，找到并点击“GitHub”部分。
+点击“Add GitHub Server”添加一个新的 GitHub 服务器配置。
+在配置页面中，输入一个描述性的名称，例如“GitHub”。
+在 GitHub API URL 中输入 GitHub 的 API 地址。通常为 https://api.github.com。
+如果您的 GitHub 仓库需要身份验证，请在“凭据”部分选择一个已配置的凭据。如果尚未配置凭据，请点击“Add”添加一个新的凭据，选择类型为“Secret text”或“Username with password”，然后输入您的 GitHub 用户名和密码或访问令牌。
+完成配置后，点击“保存”保存 GitHub 服务器配置。
+验证配置：您可以在配置页面的底部点击“Test connection”来验证您的 GitHub 服务器配置是否正常工作。
+
+保存设置：确保在完成配置后点击“保存”保存更改。
+
+现在，您已成功配置了 Jenkins 的 GitHub 服务。您可以在 Jenkins 任务中使用这个配置来与 GitHub 仓库进行集成，例如触发构建、拉取代码等操作。
+
+
+对于 Jenkins 中的 GitHub API URL (https://api.github.com) 的凭据设置，您可以使用 GitHub Personal Access Token。这个 Token 可以通过以下步骤生成：
+
+在 GitHub 上登录您的账号。
+点击页面右上角的头像，选择“Settings”。
+在左侧边栏中，点击“Developer settings”。
+在左侧边栏中，点击“Personal access tokens”。
+点击“Generate new token”。
+输入一个描述性的名称，选择需要的权限（至少需要 repo 权限来访问仓库），然后点击“Generate token”。
+复制生成的 Token，并保存到一个安全的地方。请注意，这个 Token 只会显示一次，如果您丢失了，请重新生成一个新的 Token。
+在 Jenkins 中使用这个 Token 作为 GitHub API URL (https://api.github.com) 的凭据时，您可以将 Token 添加为 Jenkins 的凭据：
+
+进入 Jenkins 管理界面，转到“凭据” > “系统”。
+在“系统”页面中，点击“Global credentials (unrestricted)”。
+在凭据页面中，点击“Add credentials”。
+在“Kind”下拉菜单中选择“Secret text”。
+在“Secret”框中粘贴您在 GitHub 上生成的 Personal Access Token。
+输入一个描述性的名称，并点击“OK”保存凭据。
+现在，您可以在 Jenkins 的配置中使用这个凭据来访问 GitHub API (https://api.github.com)。
+
+确保 Docker 已安装：在 Jenkins 代理节点上确认 Docker 已正确安装并配置。您可以通过在终端中执行 docker --version 命令来检查 Docker 是否可用。
+
+检查 Docker 环境：如果 Docker 已安装，请确保 Docker 服务正在运行。您可以使用 sudo systemctl status docker 命令检查 Docker 服务的状态。
+
+确认 Jenkins 全局工具配置：在 Jenkins 管理界面中，转到“系统管理”->“全局工具配置”，确保 Docker 工具已正确配置。如果未配置，您可以添加一个 Docker 工具，并指定正确的安装路径。
+
+重启 Jenkins 服务：在进行了上述更改后，尝试重启 Jenkins 服务，以确保新的配置生效。
+
+尝试在终端中执行 Docker 命令：在 Jenkins 代理节点上打开终端，尝试手动执行一些 Docker 命令（如 docker pull），看看是否能够正常执行
+
+要设置 Jenkins Docker 流水线，你可以按照以下步骤进行操作：
+
+前提条件
+确保你的 Jenkins 实例已经安装了以下插件：
+
+Docker Pipeline
+Docker Commons
+

playbooks/roles/charts/chaos-mesh/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: secret-manger

playbooks/roles/charts/chaos-mesh/tasks/main.yml

@@ -0,0 +1,4 @@
+- name: Setup chaos-mesh Server
+  script: files/setup.sh {{ domain }} {{ item.secret_name }} {{ namespace }}
+  when: inventory_hostname in groups[group] and ( tls is defined)
+  loop: "{{ tls }}"

playbooks/roles/charts/chartmuseum/files/setup.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+domain=$1
+namespace=$2
+admin_password=$3
+secret_name=$4
+storage_type=$5
+
+cat > values.yaml << EOF
+env:
+  open:
+    STORAGE: local
+    DISABLE_API: false
+    AUTH_ANONYMOUS_GET: true
+  secret:
+    BASIC_AUTH_USER: admin
+    BASIC_AUTH_PASS: '$admin_password'
+ingress:
+  enabled: true
+  hosts:
+    - name: charts.$domain
+      path: /
+      tls: true
+      tlsSecret: $secret_name
+  ingressClassName: nginx
+persistence:
+  enabled: true
+  accessMode: ReadWriteOnce
+  size: 8Gi
+  path: /storage
+  storageClass: "local-path"
+EOF
+
+export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+helm repo add chartmuseum https://chartmuseum.github.io/charts
+helm repo update
+helm upgrade --install chartmuseum chartmuseum/chartmuseum -f values.yaml -n $namespace

playbooks/roles/charts/chartmuseum/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: secret-manger

playbooks/roles/charts/chartmuseum/tasks/main.yml

@@ -0,0 +1,4 @@
+- name: Setup Chartmuseum Server
+  script: files/setup.sh {{ domain }} {{ namespace }} {{ admin_password }} {{ item.secret_name }}
+  loop: "{{ tls }}"
+  when: inventory_hostname in groups[group]

playbooks/roles/charts/chartmuseum/vars/main.yml

@@ -0,0 +1,8 @@
+group: master
+namespace: harbor
+storage_type: oss
+update_secret: true
+tls:
+  - secret_name: chartmuseum-tls
+    keyfile: /etc/ssl/onwalk.net.key
+    certfile: /etc/ssl/onwalk.net.pem

playbooks/roles/charts/clickhouse/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: secret-manger

playbooks/roles/charts/clickhouse/tasks/main.yml

@@ -0,0 +1,48 @@
+- name: Prep DIR
+  shell: "mkdir -pv /tmp/clickhouse-cluster/ && mkdir -pv /tmp/qryn"
+
+- name: Prep NameSpace
+  shell: "kubectl create namespace monitoring || echo true"
+
+- name: sync clickhouse deploy yaml
+  template: src=templates/{{ item }}  dest=/tmp/{{ item }} owner=root group=root mode=0644 force=yes unsafe_writes=yes
+  with_items:
+    - clickhouse-cluster/clickhouse-config.yaml
+    - clickhouse-cluster/clickhouse-service.yaml
+    - clickhouse-cluster/clickhouse-user-config.yaml
+    - clickhouse-cluster/clickhouse-statefulset.yml
+    - postsetup.sh
+
+- name: Setup ClickHouse Server
+  shell: "cd /tmp/clickhouse-cluster && kubectl apply -f ."
+  when: inventory_hostname in groups[group]
+
+#- name: Post Setup ClickHouse Server
+#  shell: "cd /tmp/ && sh postsetup.sh"
+#  when: inventory_hostname in groups[group]
+
+- name: get clickhouse node ip
+  shell: " kubectl  get pods -n monitoring -o wide | grep -E '^clickhouse-' | awk '{print $6}' "
+  register: ck_node_ip_raw
+  when: inventory_hostname in groups[group][0]
+
+- name: Check if ck_node_ip_raw is not empty
+  fail:
+    msg: "ck_node_ip_raw is empty, terminating the playbook."
+  when: ck_node_ip_raw.stdout_lines | length == 0
+
+- name: set fact join command for ck_node_ip
+  set_fact:
+    ck_node_ip : "{{ ck_node_ip_raw.stdout_lines[0] }}"
+  when: inventory_hostname in groups[group][0]
+
+- name: sync clickhouse deploy yaml
+  template: src=templates/{{ item }}  dest=/tmp/{{ item }} owner=root group=root mode=0644 force=yes unsafe_writes=yes
+  with_items:
+    - qryn/qryn-deployment.yaml
+    - qryn/qryn-service.yaml
+    - qryn/qryn-ingress.yaml
+
+- name: Setup Qryn Server
+  shell: "cd /tmp/qryn && kubectl apply -f ."
+  when: inventory_hostname in groups[group]

playbooks/roles/charts/clickhouse/templates/.gitignore

@@ -0,0 +1,2 @@
+/clickhouse-keeper-k8s.iml
+/.idea/

playbooks/roles/charts/clickhouse/templates/clickhouse-cluster/clickhouse-config.yaml

@@ -0,0 +1,94 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: clickhouse-config
+  namespace: monitoring
+data:
+  keeper.xml: |
+    <?xml version="1.0"?>
+    <yandex>
+        <listen_host>0.0.0.0</listen_host>
+        <logger>
+            <level>trace</level>
+            <console>1</console>
+        </logger>
+        <openSSL>
+            <server>
+                <certificateFile remove="1"/>
+                <privateKeyFile remove="1"/>
+            </server>
+        </openSSL>
+        <keeper_server>
+            <tcp_port>2181</tcp_port>
+            <server_id from_env="CK_INDEX"/>
+            <log_storage_path>/var/lib/clickhouse/coordination/log</log_storage_path>
+            <snapshot_storage_path>/var/lib/clickhouse/coordination/snapshots</snapshot_storage_path>
+            <coordination_settings>
+                <operation_timeout_ms>10000</operation_timeout_ms>
+                <session_timeout_ms>30000</session_timeout_ms>
+                <raft_logs_level>trace</raft_logs_level>
+                <rotate_log_storage_interval>10000</rotate_log_storage_interval>
+            </coordination_settings>
+            <raft_configuration>
+                <server>
+                    <id>0</id>
+                    <hostname>clickhouse-0.clickhouse-service.monitoring</hostname>
+                    <port>9444</port>
+                </server>
+                <server>
+                    <id>1</id>
+                    <hostname>clickhouse-1.clickhouse-service.monitoring</hostname>
+                    <port>9444</port>
+                </server>
+                <server>
+                    <id>2</id>
+                    <hostname>clickhouse-2.clickhouse-service.monitoring</hostname>
+                    <port>9444</port>
+                </server>
+            </raft_configuration>
+        </keeper_server>
+        <zookeeper>
+            <node>
+                <host>clickhouse-0.clickhouse-service.monitoring</host>
+                <port>2181</port>
+            </node>
+            <node>
+                <host>clickhouse-1.clickhouse-service.monitoring</host>
+                <port>2181</port>
+            </node>
+            <node>
+                <host>clickhouse-2.clickhouse-service.monitoring</host>
+                <port>2181</port>
+            </node>
+        </zookeeper>
+    </yandex>
+
+  cluster.xml: |
+    <?xml version="1.0"?>
+    <yandex>
+        <remote_servers>
+            <testcluster>
+                <shard>
+                    <replica>
+                        <host>clickhouse-0.clickhouse-service.monitoring</host>
+                        <port>9000</port>
+                    </replica>
+                </shard>
+                <shard>
+                    <replica>
+                        <host>clickhouse-1.clickhouse-service.monitoring</host>
+                        <port>9000</port>
+                    </replica>
+                </shard>
+            </testcluster>
+        </remote_servers>
+    </yandex>
+  macros.xml: |
+    <?xml version="1.0" ?>
+    <yandex>
+        <macros>
+            <cluster>testcluster</cluster>
+            <replica from_env="HOSTNAME"/>
+            <shard>1</shard>
+        </macros>
+    </yandex>

playbooks/roles/charts/clickhouse/templates/clickhouse-cluster/clickhouse-ingress.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: clickhouse
+  namespace: monitoring
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: clickhouse.{{ domain }}
+    http:
+      paths:
+      - backend:
+          service:
+            name: clickhouse-service
+            port:
+              number: 8123
+        path: /
+        pathType: Prefix

playbooks/roles/charts/clickhouse/templates/clickhouse-cluster/clickhouse-service.yaml

@@ -0,0 +1,23 @@
+kind: Service
+apiVersion: v1
+metadata:
+  labels:
+    app: clickhouse
+  name: clickhouse-service
+  namespace: monitoring
+spec:
+  ports:
+    - name: rest
+      port: 8123
+    - name: keeper
+      port: 2181
+    - name: replica-a
+      port: 9000
+    - name: replica-b
+      port: 9009
+    - name: raft
+      port: 9444
+
+  clusterIP: None
+  selector:
+    app: clickhouse

playbooks/roles/charts/clickhouse/templates/clickhouse-cluster/clickhouse-statefulset.yml

@@ -0,0 +1,103 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: clickhouse
+  namespace: monitoring
+spec:
+  selector:
+    matchLabels:
+      app: clickhouse
+  serviceName: clickhouse-service
+  replicas: 3
+  podManagementPolicy: "Parallel"
+  #  podManagementPolicy: OrderedReady
+  template:
+    metadata:
+      labels:
+        app: clickhouse
+    spec:
+      containers:
+        - name: clickhouse
+          image: clickhouse/clickhouse-server:22.4.5
+          imagePullPolicy: IfNotPresent
+          workingDir: /
+          command:
+            - /bin/bash
+            - -c
+            - |-
+              export CK_INDEX=${HOSTNAME##*-}
+              echo CK_INDEX=${CK_INDEX}
+              ./entrypoint.sh
+          env:
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          ports:
+            - name: rest
+              containerPort: 8123
+            - name: keeper
+              containerPort: 2181
+            - name: replica-a
+              containerPort: 9000
+            - name: replica-b
+              containerPort: 9009
+            - name: raft
+              containerPort: 9444
+          volumeMounts:
+            - name: clickhouse-config
+              mountPath: /etc/clickhouse-server/config.d/
+            - name: clickhouse-user-config
+              mountPath: /etc/clickhouse-server/users.d/
+            - name: clickhouse-meta
+              mountPath: /var/lib/clickhouse/coordination/
+            - name: clickhouse-data
+              mountPath: /var/lib/clickhouse/
+      volumes:
+        - name: clickhouse-config
+          configMap:
+            name: clickhouse-config
+            items:
+              - key: keeper.xml
+                path: keeper.xml
+              - key: cluster.xml
+                path: cluster.xml
+              - key: macros.xml
+                path: macros.xml
+        - name: clickhouse-user-config
+          configMap:
+            name: clickhouse-user-config
+            items:
+              - key: user.xml
+                path: user.xml
+  volumeClaimTemplates:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      labels:
+        app.kubernetes.io/component: clickhouse
+        app.kubernetes.io/instance: clickhouse
+        app.kubernetes.io/name: clickhouse
+      name: clickhouse-meta
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 1Gi
+      volumeMode: Filesystem
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      labels:
+        app.kubernetes.io/component: clickhouse
+        app.kubernetes.io/instance: clickhouse
+        app.kubernetes.io/name: clickhouse
+      name: clickhouse-data
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 5Gi
+      volumeMode: Filesystem

playbooks/roles/charts/clickhouse/templates/clickhouse-cluster/clickhouse-user-config.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: clickhouse-user-config
+  namespace: monitoring
+data:
+  user.xml: |
+    <?xml version="1.0"?>
+    <yandex>
+        <profiles>
+            <default>
+                <max_memory_usage>10000000000</max_memory_usage>
+                <max_distributed_depth>4000</max_distributed_depth>
+                <distributed_connections_pool_size>4096</distributed_connections_pool_size>
+                <max_distributed_connections>4096</max_distributed_connections>
+                <load_balancing>random</load_balancing>
+            </default>
+        </profiles>
+    </yandex>

playbooks/roles/charts/clickhouse/templates/otel-collector/configmap.yaml

@@ -0,0 +1,142 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: otel-collector-config
+  namespace: default
+data:
+  config.yaml: |
+    receivers:
+      loki:
+        use_incoming_timestamp: true
+        protocols:
+          http:
+            endpoint: 0.0.0.0:3100
+          grpc:
+            endpoint: 0.0.0.0:3200
+      syslog:
+        protocol: rfc5424
+        tcp:
+          listen_address: "0.0.0.0:5514"
+      fluentforward:
+        endpoint: 0.0.0.0:24224
+      splunk_hec:
+        endpoint: 0.0.0.0:8088
+      otlp:
+        protocols:
+          grpc:
+            endpoint: 0.0.0.0:4317
+          http:
+            endpoint: 0.0.0.0:4318
+      jaeger:
+        protocols:
+          grpc:
+            endpoint: 0.0.0.0:14250
+          thrift_http:
+            endpoint: 0.0.0.0:14268
+      zipkin:
+        endpoint: 0.0.0.0:9411
+      skywalking:
+        protocols:
+          grpc:
+            endpoint: 0.0.0.0:11800
+          http:
+            endpoint: 0.0.0.0:12800
+      prometheus:
+        config:
+          scrape_configs:
+            - job_name: 'otel-collector'
+              scrape_interval: 5s
+              static_configs:
+                - targets: ['exporter:8080']
+      influxdb:
+        endpoint: 0.0.0.0:8086
+
+    connectors:
+      servicegraph:
+        latency_histogram_buckets: [ 100us, 1ms, 2ms, 6ms, 10ms, 100ms, 250ms ]
+        dimensions: [ cluster, namespace ]
+        store:
+          ttl: 2s
+          max_items: 1000
+        cache_loop: 2m
+        store_expiration_loop: 2s
+        virtual_node_peer_attributes:
+          - db.name
+          - rpc.service
+      spanmetrics:
+        namespace: span.metrics
+        exemplars:
+          enabled: false
+        dimensions_cache_size: 1000
+        aggregation_temporality: 'AGGREGATION_TEMPORALITY_CUMULATIVE'
+        metrics_flush_interval: 30s
+        metrics_expiration: 5m
+        events:
+          enabled: false
+
+    processors:
+      batch:
+        send_batch_size: 10000
+        timeout: 5s
+      memory_limiter:
+        check_interval: 2s
+        limit_mib: 1800
+        spike_limit_mib: 500
+      resourcedetection/system:
+        detectors: ['system']
+        system:
+          hostname_sources: ['os']
+      resource:
+        attributes:
+          - key: service.name
+            value: "serviceName"
+            action: upsert
+      metricstransform:
+        transforms:
+          - include: calls_total
+            action: update
+            new_name: traces_spanmetrics_calls_total
+          - include: latency
+            action: update
+            new_name: traces_spanmetrics_latency
+
+    exporters:
+      qryn:
+        dsn: tcp://clickhouse-server:9000/qryn?username=default&password=*************
+        timeout: 10s
+        sending_queue:
+          queue_size: 100
+        retry_on_failure:
+          enabled: true
+          initial_interval: 5s
+          max_interval: 30s
+          max_elapsed_time: 300s
+        logs:
+          format: raw
+      otlp/spanmetrics:
+        endpoint: localhost:4317
+        tls:
+          insecure: true
+
+    extensions:
+      health_check:
+      pprof:
+      zpages:
+
+    service:
+      extensions: [pprof, zpages, health_check]
+      pipelines:
+        logs:
+          receivers: [fluentforward, otlp, loki, syslog, splunk_hec]
+          processors: [memory_limiter, resourcedetection/system, resource, batch]
+          exporters: [qryn]
+        traces:
+          receivers: [otlp, jaeger, zipkin, skywalking]
+          processors: [memory_limiter, resourcedetection/system, resource, batch]
+          exporters: [qryn, spanmetrics, servicegraph]
+        metrics:
+          receivers: [prometheus, influxdb, spanmetrics, servicegraph]
+          processors: [memory_limiter, resourcedetection/system, resource, batch]
+          exporters: [qryn]
+
+

playbooks/roles/charts/clickhouse/templates/otel-collector/deployment.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: otel-collector
+  namespace: default
+  labels:
+    app: otel-collector
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: otel-collector
+  template:
+    metadata:
+      labels:
+        app: otel-collector
+    spec:
+      containers:
+      - name: otel-collector
+        image: ghcr.io/metrico/qryn-otel-collector:latest
+        volumeMounts:
+        - name: config
+          mountPath: /etc/otel
+          subPath: config.yaml
+        ports:
+        - containerPort: 3100
+        - containerPort: 3200
+        - containerPort: 8088
+        - containerPort: 5514
+        - containerPort: 24224
+        - containerPort: 4317
+        - containerPort: 4318
+        - containerPort: 14250
+        - containerPort: 14268
+        - containerPort: 9411
+        - containerPort: 11800
+        - containerPort: 12800
+        - containerPort: 8086
+      volumes:
+      - name: config
+        configMap:
+          name: otel-collector-config

playbooks/roles/charts/clickhouse/templates/otel-collector/ingress.yaml

@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: otel-collector-ingress
+  namespace: default
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  rules:
+  - host: your-domain.example.com
+    http:
+      paths:
+      - path: /api
+        pathType: Prefix
+        backend:
+          service:
+            name: otel-collector
+            port:
+              number: 3100

playbooks/roles/charts/clickhouse/templates/otel-collector/service.yaml

@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: otel-collector
+  namespace: default
+spec:
+  ports:
+  - port: 3100
+    targetPort: 3100
+    protocol: TCP
+  - port: 3200
+    targetPort: 3200
+    protocol: TCP
+  - port: 8088
+    targetPort: 8088
+    protocol: TCP
+  - port: 5514
+    targetPort: 5514
+    protocol: TCP
+  - port: 24224
+    targetPort: 24224
+    protocol: TCP
+  - port: 4317
+    targetPort: 4317
+    protocol: TCP
+  - port: 4318
+    targetPort: 4318
+    protocol: TCP
+  - port: 14250
+    targetPort: 14250
+    protocol: TCP
+  - port: 14268
+    targetPort: 14268
+    protocol: TCP
+  - port: 9411
+    targetPort: 9411
+    protocol: TCP
+  - port: 11800
+    targetPort: 11800
+    protocol: TCP
+  - port: 12800
+    targetPort: 12800
+    protocol: TCP
+  - port: 8086
+    targetPort: 8086
+    protocol: TCP
+  selector:
+    app: otel-collector

playbooks/roles/charts/clickhouse/templates/postsetup.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+#检查 ClickHouse 版本
+#clickhouse-client --version | grep -q "21.8"
+#if [ $? -ne 0 ]; then
+#echo "ClickHouse 的版本必须至少为 21.8"
+#exit 1
+#fi
+
+创建数据库
+for db in deepflow_system event ext_metrics flow_log flow_metrics flow_tag profile; do
+clickhouse-client -u admin -p admin -q "CREATE DATABASE $db"
+done
+
+创建用户
+clickhouse-client -u admin -p admin -q "CREATE USER admin IDENTIFIED WITH PLAINTEXT_PASSWORD BY 'admin'"
+clickhouse-client -u admin -p admin -q "CREATE USER deepflow IDENTIFIED WITH PLAINTEXT_PASSWORD BY 'deepflow'"
+
+授权账户
+clickhouse-client -u admin -p admin -q "GRANT ALL ON . TO admin"
+clickhouse-client -u admin -p admin -q "GRANT SELECT ON deepflow_system.* TO deepflow"
+clickhouse-client -u admin -p admin -q "GRANT SELECT ON event.* TO deepflow"
+clickhouse-client -u admin -p admin -q "GRANT SELECT ON ext_metrics.* TO deepflow"
+clickhouse-client -u admin -p admin -q "GRANT SELECT ON flow_log.* TO deepflow"
+clickhouse-client -u admin -p admin -q "GRANT SELECT ON flow_metrics.* TO deepflow"
+clickhouse-client -u admin -p admin -q "GRANT SELECT ON flow_tag.* TO deepflow"
+clickhouse-client -u admin -p admin -q "GRANT SELECT ON profile.* TO deepflow"

playbooks/roles/charts/clickhouse/templates/qryn/qryn-deployment.yaml

@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: qryn
+  namespace: monitoring
+  labels:
+    io.metrico.service: qryn
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      io.metrico.service: qryn
+  strategy: {}
+  template:
+    metadata:
+      annotations:
+        qryn.cmd: qryn.dev
+      creationTimestamp: null
+      labels:
+        io.metrico.service: qryn
+    spec:
+      containers:
+        - env:
+            - name: CLICKHOUSE_AUTH
+              value: "default"
+            - name: CLICKHOUSE_PORT
+              value: "8123"
+            - name: CLICKHOUSE_SERVER
+              value: "{{ hostvars[groups[group][0]].ck_node_ip }}"
+          image: qxip/qryn
+          name: qryn
+          ports:
+            - containerPort: 3100
+          resources: {}
+      restartPolicy: Always
+status: {}

playbooks/roles/charts/clickhouse/templates/qryn/qryn-ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: data-gateway
+  namespace: monitoring
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: data-gateway.{{ domain }}
+    http:
+      paths:
+      - backend:
+          service:
+            name: qryn
+            port:
+              number: 3100
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - data-gateway.{{ domain }}
+    secretName: obs-tls

playbooks/roles/charts/clickhouse/templates/qryn/qryn-service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  labels:
+    io.metrico.service: qryn
+  name: qryn
+  namespace: monitoring
+spec:
+  ports:
+    - name: "3100"
+      port: 3100
+      targetPort: 3100
+  selector:
+    io.metrico.service: qryn

playbooks/roles/charts/deepflow/Readme.md

@@ -0,0 +1,12 @@
+
+# 统计存储数据
+
+select formatReadableSize(sum(rows)) as "每天写入行数", formatReadableSize(sum(bytes_on_disk)) as "每天落盘的字节", formatReadableSize(sum(data_uncompressed_bytes)) as "压缩前字节", sum(data_uncompressed_bytes)/sum(bytes_on_disk) as "压缩比",  sum(rows)/86400 as "平均每秒写入的行数" from cluster(df_cluster, system.parts) where partition like '%2024-12-03%' limit 10;
+
+
+ 可以grafana再 查下确认下，流日志的统计:
+select  min(partition),max(partition),formatReadableSize(sum(rows)) as "每天写入行数", formatReadableSize(sum(bytes_on_disk)) as "每天落盘的字节", formatReadableSize(sum(data_uncompressed_bytes)) as "压缩前字节", sum(data_uncompressed_bytes)/sum(bytes_on_disk) as "压缩比",  sum(rows)/86400 as "平均每秒写入的行数" from cluster(df_cluster, system.parts) where partition like '%2024-12-03%' and table='l4_flow_log_local'  limit 10;
+
+调用日志的统计:
+select  min(partition),max(partition),formatReadableSize(sum(rows)) as "每天写入行数", formatReadableSize(sum(bytes_on_disk)) as "每天落盘的字节", formatReadableSize(sum(data_uncompressed_bytes)) as "压缩前字节", sum(data_uncompressed_bytes)/sum(bytes_on_disk) as "压缩比",  sum(rows)/86400 as "平均每秒写入的行数" from cluster(df_cluster, system.parts) where partition like '%2024-12-03%' and table='l7_flow_log_local'  limit 10;
+

playbooks/roles/charts/deepflow/files/post-setup.sh

@@ -0,0 +1,7 @@
+sudo apt-get install -y apt-transport-https ca-certificates curl gnupg
+curl -fsSL 'https://packages.clickhouse.com/rpm/lts/repodata/repomd.xml.key' | sudo gpg --dearmor -o /usr/share/keyrings/clickhouse-keyring.gpg
+
+echo "deb [signed-by=/usr/share/keyrings/clickhouse-keyring.gpg] https://packages.clickhouse.com/deb stable main" | sudo tee \
+    /etc/apt/sources.list.d/clickhouse.list
+sudo apt-get update
+sudo apt-get install -y clickhouse-client

playbooks/roles/charts/deepflow/files/pre-setup.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+export namespace=$1
+
+export MYSQL_ROOT_PASSWORD=$(kubectl get secret --namespace $namespace mysql -o jsonpath="{.data.mysql-root-password}" | base64 -d)
+
+kubectl run mysql-client --rm --tty -i --restart='Never' --image  docker.io/bitnami/mysql:8.0.32-debian-11-r14 --namespace $namespace --env MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD --command -- bash -c "mysql -h mysql.database.svc.cluster.local -uroot -p$MYSQL_ROOT_PASSWORD -e 'create database IF NOT EXISTS jenkins;'"

playbooks/roles/charts/deepflow/files/setup.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+set -x
+export domain=$1
+export secret=$2
+export namespace=$3
+
+cat << EOF > values-custom.yaml
+clickhouse:
+  enabled: true
+server:
+  enabled: true
+deepflow-agent:
+  enabled: true
+grafana:
+  enabled: true
+  service:
+  ingress:
+    enabled: true
+    ingressClassName: nginx
+    hosts:
+      - grafana.onwalk.net
+    tls:
+      - secretName: obs-tls
+        hosts:
+          - grafana.onwalk.net
+EOF
+helm repo add deepflow https://deepflowio.github.io/deepflow
+helm repo update deepflow # use `helm repo update` when helm < 3.7.0
+helm upgrade --install deepflow -n monitoring deepflow/deepflow --create-namespace --version 6.4.9 -f values-custom.yaml

playbooks/roles/charts/deepflow/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: secret-manger

playbooks/roles/charts/deepflow/tasks/main.yml

@@ -0,0 +1,19 @@
+#- name: get mysql db password
+#  shell: 'kubectl get secret --namespace database mysql -o jsonpath="{.data.mysql-root-password}" | base64 -d'
+#  register: mysql_db_password_raw
+#  when: inventory_hostname in groups[group][0]
+#
+#- name: set fact join command
+#  set_fact:
+#    mysql_db_password : "{{ mysql_db_password_raw.stdout }}"
+#  when: inventory_hostname in groups[group][0]
+#
+#- name: DB Pre Setup for Jenkins Server
+#  script: files/pre-setup.sh {{ db_namespace }}
+#  when: inventory_hostname in groups[group]
+#  script: files/setup.sh {{ domain }} {{ item.secret_name }} {{ namespace }} {{ mysql_db_password }}
+
+- name: Setup Deepflow Cluster
+  script: files/setup.sh {{ domain }} {{ item.secret_name }} {{ namespace }}
+  when: inventory_hostname in groups[group] and ( tls is defined)
+  loop: "{{ tls }}"

playbooks/roles/charts/flagger-loadtester/files/setup.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+set -x
+
+# 检查参数是否为空
+check_not_empty() {
+  if [[ -z $1 ]]; then
+    echo "Error: $2 is empty. Please provide a value."
+    exit 1
+  fi
+}
+
+# 检查参数是否为空
+check_not_empty "$1" "DOMAIN" && DOMAIN=$1
+
+helm repo add flagger https://flagger.app
+kubectl create ns monitoring || true
+helm upgrade -i flaggerloadtester flagger/loadtester --namespace=monitoring
+
+cat > flagger-loadtester-ingress.yaml << EOF
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+  name: flagger
+  namespace: monitoring
+spec:
+  ingressClassName: apisix
+  rules:
+  - host: flaggerloadtester.${DOMAIN}
+    http:
+      paths:
+      - backend:
+          service:
+            name: flagger-loadtester
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - flaggerloadtester.${DOMAIN}
+    secretName: obs-tls
+EOF
+
+kubectl apply -f flagger-loadtester-ingress.yaml
+

playbooks/roles/charts/flagger-loadtester/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: secret-manger

playbooks/roles/charts/flagger-loadtester/tasks/main.yml

@@ -0,0 +1,4 @@
+- name: Setup Loadtester Server
+  script: files/setup.sh {{ domain }}
+  when: inventory_hostname in groups[group]
+

playbooks/roles/charts/gitlab/files/post-setup.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+kubectl  delete hpa --all -A
+
+# 获取所有部署
+DEPLOYMENTS=$(kubectl get deploy -n gitlab -o jsonpath='{.items[*].metadata.name}')
+
+# 遍历部署并设置副本数为1
+for DEPLOY in $DEPLOYMENTS
+do
+  echo "Setting replicas=1 for deployment $DEPLOY"
+  kubectl scale deploy/$DEPLOY -n gitlab --replicas=1
+done
+
+# 遍历部署并获取 CPU 和内存配置
+for DEPLOY in $DEPLOYMENTS
+do
+  echo "Deployment: $DEPLOY"
+  echo "===================="
+  kubectl get deploy $DEPLOY -n gitlab -o=jsonpath='{range .spec.template.spec.containers[*]}{.name}:{"\n"}{"\t"}cpu: {.resources.requests.cpu}{"\n"}{"\t"}mem: {.resources.requests.memory}{"\n"}{end}'
+  echo "===================="
+done
+
+# 遍历部署并设置 CPU 和内存请求
+#for DEPLOY in $DEPLOYMENTS
+#do
+#  echo "Setting cpu=0.1 and mem=100m for deployment $DEPLOY"
+#  kubectl patch deployment $DEPLOY -n gitlab -p '{"spec": {"template": {"spec": {"containers": [{"name": "'$DEPLOY'", "resources": {"requests": {"cpu": "0.1", "memory": "100m"}}}]}}}}'
+#  echo "===================="
+#done

playbooks/roles/charts/gitlab/files/pre-setup.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set +x
+
+export namespace=$1
+export POSTGRES_PASSWORD=$(kubectl get secret --namespace $namespace postgresql -o jsonpath="{.data.postgres-password}" | base64 -d)
+
+kubectl run postgresql-client --rm --tty -i --restart='Never' --namespace $namespace --image docker.io/bitnami/postgresql:15.2.0-debian-11-r11 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql -U postgres -d postgres -p 5432 -w -c "CREATE DATABASE gitlabhq_production OWNER postgres;" || echo true
+
+kubectl run postgresql-client --rm --tty -i --restart='Never' --namespace $namespace --image docker.io/bitnami/postgresql:15.2.0-debian-11-r11 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql -U postgres -d gitlabhq_production -p 5432 -w -c "CREATE EXTENSION IF NOT EXISTS plpgsql; CREATE EXTENSION IF NOT EXISTS pg_trgm; CREATE EXTENSION IF NOT EXISTS btree_gist;" || echo true

playbooks/roles/charts/gitlab/files/setup-with-oidc.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+
+domain=$1
+namespace=$2
+object_bucket=$3
+gitlab_secret=$4
+gitlab_stmp_secret=$5
+smtp_port=$7
+smtp_domain=$8
+smtp_address=$9
+smtp_username=$10
+smtp_emailfrom=$11
+smtp_display_name=$12
+oidc_issuer_url=$13
+oidc_client_id=$14
+oidc_client_token=$15
+
+cat > gitlab-values.yaml <<EOF
+global:
+  edition: ce
+  hosts:
+    https: true
+    domain: $domain
+    gitlab:
+      name: gitlab.$domain
+  ingress:
+    class: nginx
+    enabled: true
+    configureCertmanager: false
+    tls:
+      enabled: true
+      secretName: ${gitlab_secret}
+  minio:
+    enabled: true
+  appConfig:
+    email:
+      from: $smtp_emailfrom
+      display_name: $smtp_display_name
+    smtp:
+      tls: true
+      enabled: true
+      port: $smtp_port
+      domain: $smtp_domain
+      address: $smtp_address
+      user_name: $smtp_username
+      password:
+        secret: $gitlab_smtp_secret
+        key: password
+      authentication: "login"
+      starttls_auto: true
+      openssl_verify_mode: "peer"
+      pool: true
+    omniauth:
+      enabled: true
+      syncProfileAttributes: [email]
+      allowSingleSignOn: ['openid_connect']
+      autoLinkLdapUser: false
+      autoLinkSamlUser: false
+      providers:
+        - name: 'openid_connect'
+          label: 'keycloak_oidc'
+          args:
+            discovery: true
+            response_type: 'code'
+            name: 'openid_connect'
+            uid_field: 'gltlab_openid'
+            client_auth_method: 'query'
+            issuer: $oidc_issuer_url
+            scope: ['openid','profile','email']
+            send_scope_to_token_endpoint: false
+            client_options:
+              identifier: $oidc_client_id
+              secret: $oidc_client_token
+              redirect_uri: 'https://gitlab.${domain}/users/auth/openid_connect/callback'
+registry:
+  enabled: true
+  ingress:
+    enabled: false
+gitlab-exporter:
+  enabled: false
+kas:
+  enabled: false
+nginx-ingress:
+  enabled: false
+prometheus:
+  install: false
+redis:
+  metrics:
+    enabled: false
+postgresql:
+  metrics:
+    enabled: false
+certmanager:
+  install: false
+  installCRDs: false
+  startupapicheck:
+    enabled: false
+upgradeCheck:
+  enabled: false
+EOF
+
+export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+helm repo add gitlab https://charts.gitlab.io/
+helm repo up
+kubectl create namespace gitlab || true
+helm upgrade --install gitlab gitlab/gitlab --version=6.6.1 --namespace gitlab -f gitlab-values.yaml

playbooks/roles/charts/gitlab/files/setup-with_aws-s3.sh

@@ -0,0 +1,154 @@
+#!/bin/bash
+
+domain=$1
+namespace=$2
+object_bucket=$3
+gitlab_secret=$4
+gitlab_stmp_secret=$5
+gitlab_storage_secret=$6
+smtp_port=$7
+smtp_domain=$8
+smtp_address=$9
+smtp_username=$10
+smtp_emailfrom=$11
+smtp_display_name=$12
+oidc_issuer_url=$13
+oidc_client_id=$14
+oidc_client_token=$15
+
+cat > gitlab-values.yaml <<EOF
+global:
+  edition: ce
+  hosts:
+    https: true
+    domain: $domain
+    gitlab:
+      name: gitlab.$domain
+  ingress:
+    class: nginx
+    enabled: true
+    configureCertmanager: false
+    tls:
+      enabled: true
+      secretName: ${gitlab_secret}
+  minio:
+    enabled: true
+  appConfig:
+appConfig:
+    object_store:
+      enabled: true
+      proxy_download: true
+      connection:
+        secret: $gitlab_storage_secret
+        key: connection
+    artifacts:
+      enabled: true
+      proxy_download: true
+      bucket: $object_bucket
+    external_diffs:
+      enabled: true
+      proxy_download: true
+      bucket: $object_bucket
+    lfs:
+      enabled: true
+      proxy_download: true
+      bucket: $object_bucket
+    uploads:
+      enabled: true
+      proxy_download: true
+      bucket: $object_bucket
+    packages:
+      enabled: true
+      proxy_download: true
+      bucket: $object_bucket
+    uploads:
+      enabled: true
+      proxy_download: true
+      bucket: $object_bucket
+    dependency_proxy:
+      enabled: true
+      proxy_download: true
+      bucket: $object_bucket
+    terraform_state:
+      enabled: true
+      proxy_download: true
+      bucket: $object_bucket
+    pages:
+      enabled: true
+      proxy_download: true
+      bucket: $object_bucket
+    backups:
+      enabled: true
+      proxy_download: true
+      bucket: $object_bucket
+    email:
+      from: $smtp_emailfrom
+      display_name: $smtp_display_name
+    smtp:
+      tls: true
+      enabled: true
+      port: $smtp_port
+      domain: $smtp_domain
+      address: $smtp_address
+      user_name: $smtp_username
+      password:
+        secret: $gitlab_smtp_secret
+        key: password
+      authentication: "login"
+      starttls_auto: true
+      openssl_verify_mode: "peer"
+      pool: true
+    omniauth:
+      enabled: true
+      syncProfileAttributes: [email]
+      allowSingleSignOn: ['openid_connect']
+      autoLinkLdapUser: false
+      autoLinkSamlUser: false
+      providers:
+        - name: 'openid_connect'
+          label: 'keycloak_oidc'
+          args:
+            discovery: true
+            response_type: 'code'
+            name: 'openid_connect'
+            uid_field: 'gltlab_openid'
+            client_auth_method: 'query'
+            issuer: $oidc_issuer_url
+            scope: ['openid','profile','email']
+            send_scope_to_token_endpoint: false
+            client_options:
+              identifier: $oidc_client_id
+              secret: $oidc_client_token
+              redirect_uri: 'https://gitlab.${domain}/users/auth/openid_connect/callback'
+registry:
+  enabled: true
+  ingress:
+    enabled: false
+gitlab-exporter:
+  enabled: false
+kas:
+  enabled: false
+nginx-ingress:
+  enabled: false
+prometheus:
+  install: false
+redis:
+  metrics:
+    enabled: false
+postgresql:
+  metrics:
+    enabled: false
+certmanager:
+  install: false
+  installCRDs: false
+  startupapicheck:
+    enabled: false
+upgradeCheck:
+  enabled: false
+EOF
+
+export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+helm repo add gitlab https://charts.gitlab.io/
+helm repo up
+kubectl create namespace gitlab || true
+helm upgrade --install gitlab gitlab/gitlab --version=6.6.1 --namespace gitlab -f gitlab-values.yaml

playbooks/roles/charts/gitlab/files/setup.sh

@@ -0,0 +1,119 @@
+#!/bin/bash
+
+check_empty() {
+  if [ -z "$1" ]; then
+    echo "$2"
+    exit 1
+  fi
+}
+
+check_empty "$1" "Please provide a version name as the first argument"
+check_empty "$2" "Please provide a domain name as the second argument"
+check_empty "$3" "Please provide a namespace as the third argument"
+check_empty "$4" "Please provide a GitLab secret as the fourth argument"
+check_empty "$5" "Please provide a GitLab database secret as the fifth argument"
+check_empty "$6" "Please provide a GitLab SSO secret as the sixth argument"
+check_empty "$7" "Please provide a GitLab SMTP secret as the seventh argument"
+check_empty "$8" "Please provide a GitLab Redis secret as the eighth argument"
+
+version=$1
+domain=$2
+namespace=$3
+gitlab_secret=$4
+gitlab_db_secret=$5
+gitlab_sso_secret=$6
+gitlab_smtp_secret=$7
+gitlab_redis_secret=$8
+
+cat > gitlab-values.yaml <<EOF
+global:
+  edition: ce
+  hosts:
+    domain: $domain
+    gitlab:
+      name: gitlab.$domain
+    https: true
+  ingress:
+    class: nginx
+    configureCertmanager: false
+    enabled: true
+    tls:
+      enabled: true
+      secretName: $gitlab_secret
+  minio:
+    enabled: true
+  gitaly:
+    persistence:
+      enabled: true
+  psql:
+    host: postgresql.database.svc.cluster.local
+    port: 5432
+    username: postgres
+    database: gitlabhq_production
+    password:
+      secret: $gitlab_db_secret
+      key: password
+  redis:
+    host: redis-master.redis.svc.cluster.local
+    port: 6379
+    password:
+      enabled: true
+      secret: $gitlab_redis_secret
+      key: password
+  email:
+    from: 'manbuzhe2009@qq.com'
+    display_name: GitLab-System
+  smtp:
+    tls: true
+    pool: true
+    port: 465
+    enabled: true
+    domain: exmail.qq.com
+    address: smtp.exmail.qq.com
+    user_name: 'manbuzhe2009@qq.com'
+    password:
+      secret: $gitlab_smtp_secret
+      key: password
+    authentication: "login"
+    starttls_auto: false
+    openssl_verify_mode: "peer"
+  appConfig:
+    omniauth:
+      enabled: true
+      autoLinkLdapUser: false
+      autoLinkSamlUser: false
+      blockAutoCreatedUsers: false
+      autoSignInWithProvider: null
+      autoLinkUser:
+        - 'openid_connect'
+      allowSingleSignOn:
+        - 'openid_connect'
+      providers:
+      - secret: $gitlab_sso_secret
+        key: provider
+certmanager:
+  install: false
+  installCRDs: false
+  startupapicheck:
+    enabled: false
+postgresql:
+  install: false
+redis:
+  install: false
+kas:
+  enabled: false
+nginx-ingress:
+  enabled: false
+gitlab-exporter:
+  enabled: false
+prometheus:
+  install: false
+upgradeCheck:
+  enabled: false
+EOF
+
+export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+helm repo add gitlab https://charts.gitlab.io/
+helm repo up
+kubectl create namespace gitlab || true
+helm upgrade --install gitlab gitlab/gitlab --version=$version --namespace gitlab -f gitlab-values.yaml --timeout=3m --debug

playbooks/roles/charts/gitlab/meta/main.yml

@@ -0,0 +1,5 @@
+dependencies:
+  - role: redis
+  - role: postgresql
+  - role: cert-manager
+  - role: secret-manger

playbooks/roles/charts/gitlab/tasks/main.yml

@@ -0,0 +1,58 @@
+- name: get redis password
+  shell: 'kubectl get secret --namespace redis redis -o jsonpath="{.data.redis-password}" | base64 -d'
+  register: redis_command_raw
+  when: inventory_hostname in groups[group][0]
+
+- name: set fact join command for redis
+  set_fact:
+    redis_password : "{{ redis_command_raw.stdout }}"
+
+- name: get db password
+  shell: 'kubectl get secret --namespace database postgresql -o jsonpath="{.data.postgres-password}" | base64 -d'
+  register: db_command_raw
+  when: inventory_hostname in groups[group][0]
+
+- name: set fact join command for mysql_db
+  set_fact:
+    pg_db_password : "{{ db_command_raw.stdout }}"
+  when: inventory_hostname in groups[group][0]
+
+#- name: Show Debug Info
+#  debug: var=db_password_raw verbosity=0
+#
+- name: Sync provider.yaml
+  template: src=templates/{{ item }}  dest=/tmp/{{ item }} owner=root group=root mode=0644 force=yes unsafe_writes=yes
+  with_items:
+    - provider.yaml
+
+- name:  "cluster {{ ClusterContext }} Create New Generic Secret from Key/Vaule"
+  shell: 'kubectl delete secret {{ item.secret_name }} -n  {{ namespace }} || echo true; kubectl create secret generic {{ item.secret_name }} --from-file="{{ item.key }}={{ item.value }}" -n {{ namespace }}'
+  loop:
+    - { secret_name: 'gitlab-sso-secret', key: 'provider', value: "/tmp/provider.yaml" }
+
+- name:  "cluster {{ ClusterContext }} Create New Generic Secret from Key/Vaule"
+  shell: 'kubectl delete secret {{ item.secret_name }} -n  {{ namespace }} || echo true; kubectl create secret generic {{ item.secret_name }} --from-literal={{ item.key }}="{{ hostvars[groups[group][0]].pg_db_password }}" -n {{ namespace }}'
+  loop:
+    - { secret_name: 'gitlab-db-secret', key: 'password' }
+
+- name:  "cluster {{ ClusterContext }} Create New Generic Secret from Key/Vaule"
+  shell: 'kubectl delete secret {{ item.secret_name }} -n  {{ namespace }} || echo true; kubectl create secret generic {{ item.secret_name }} --from-literal={{ item.key }}="{{ hostvars[groups[group][0]].redis_password }}" -n {{ namespace }}'
+  loop:
+    - { secret_name: 'gitlab-redis-secret', key: 'password' }
+
+- name:  "cluster {{ ClusterContext }} Create SMTP Secret"
+  shell: 'kubectl delete secret {{ item.secret_name }} -n  {{ namespace }} || echo true; kubectl create secret generic {{ item.secret_name }} --from-literal={{ item.key }}={{ smtp_password }} -n {{ namespace }}'
+  loop:
+    - { secret_name: 'gitlab-smtp-secret', key: 'password' }
+
+- name: DB Pre Setup for Gitlab Server
+  script: files/pre-setup.sh {{ db_namespace }}
+  when: inventory_hostname in groups[group]
+
+- name: Setup Gitlab Server
+  script: files/setup.sh {{ gitlab_version }} {{ domain }} {{ namespace }} 'gitlab-tls' 'gitlab-db-secret' 'gitlab-sso-secret' 'gitlab-smtp-secret' 'gitlab-redis-secret'
+  when: inventory_hostname in groups[group]
+
+- name: Post Setup for Gitlab Server
+  script: files/post-setup.sh
+  when: inventory_hostname in groups[group]

playbooks/roles/charts/gitlab/templates/gitlab-backup-cfg

@@ -0,0 +1,5 @@
+[default]
+use_https = True
+host_base = {{ s3_endpoint }}
+bucket_location = {{ region }}
+host_bucket = %(bucket)s.{{ s3_endpoint }}

playbooks/roles/charts/gitlab/templates/provider.yaml

@@ -0,0 +1,18 @@
+name: 'openid_connect'
+label: 'keycloak-sso'
+args:
+  name: 'openid_connect'
+  scope:
+    - 'openid'
+    - 'profile'
+    - 'email'
+  pkce: true
+  discovery: true
+  response_type: 'code'
+  client_auth_method: 'query'
+  send_scope_to_token_endpoint: true
+  issuer: '{{ gitlab_oidc_isser }}'
+  client_options:
+    identifier: '{{ gitlab_oidc_client_id }}'
+    secret: '{{ gitlab_oidc_client_token }}'
+    redirect_uri: '{{ gitlab_oidc_redirect_uri }}'

playbooks/roles/charts/harbor/files/post-setup.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+check_empty() {
+  if [ -z "$1" ]; then
+    echo "$2"
+    exit 1
+  fi
+}
+
+check_empty "$1" "Please provide harbor admin password"
+
+export admin_passowrd=$1
+curl -X PUT -u "admin:$admin_password" -H "Content-Type: application/json" -ki https://artifact.onwalk.ne/api/v2.0/configurations -d @/tmp/harbor-oidc-config.json
+rm -f /tmp/harbor-oidc-config.json

playbooks/roles/charts/harbor/files/pre-setup.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+export namespace=$1
+export POSTGRES_PASSWORD=$(kubectl get secret --namespace database postgresql -o jsonpath="{.data.postgres-password}" | base64 -d)
+
+kubectl run postgresql-client --rm --tty -i --restart='Never' --namespace database --image bitnami/postgresql:15.2.0-debian-11-r11 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql -U postgres -d postgres -p 5432 -w -c "CREATE DATABASE registry;" || echo true
+
+kubectl run postgresql-client --rm --tty -i --restart='Never' --namespace database --image bitnami/postgresql:15.2.0-debian-11-r11 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql -U postgres -d postgres -p 5432 -w -c "CREATE DATABASE harbor_core;" || echo true
+
+kubectl run postgresql-client --rm --tty -i --restart='Never' --namespace database --image bitnami/postgresql:15.2.0-debian-11-r11 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql -U postgres -d postgres -p 5432 -w -c "CREATE DATABASE harbor_clair;" || echo true
+
+kubectl run postgresql-client --rm --tty -i --restart='Never' --namespace database --image bitnami/postgresql:15.2.0-debian-11-r11 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql -U postgres -d postgres -p 5432 -w -c "CREATE DATABASE harbor_notary_server;" || echo true
+
+kubectl run postgresql-client --rm --tty -i --restart='Never' --namespace database --image bitnami/postgresql:15.2.0-debian-11-r11 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql -U postgres -d postgres -p 5432 -w -c "CREATE DATABASE harbor_notary_signer;" || echo true

playbooks/roles/charts/harbor/files/setup-bitnami-harbor.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+
+# 检查参数是否为空
+check_not_empty() {
+  if [[ -z $1 ]]; then
+    echo "Error: $2 is empty. Please provide a value."
+    exit 1
+  fi
+}
+
+check_not_empty "$1" "ak"             && export ak=$1
+check_not_empty "$2" "sk"             && export sk=$2
+check_not_empty "$3" "domain"         && export domain=$3
+check_not_empty "$4" "namespace"      && export namespace=$4
+check_not_empty "$5" "secret_name"   && export secret_name=$5
+check_not_empty "$6" "redis_password" && export redis_password=$6
+check_not_empty "$7" "pg_db_password" && export pg_db_password=$7
+check_not_empty "$8" "backend_type"   && export backend_type=$8
+                                         export registry=$9
+
+cat > values.yaml << EOF
+global:
+  imageRegistry: "$registry"
+exposureType: ingress
+ingress:
+  core:
+    ingressClassName: "nginx"
+    hostname: images.${domain}
+    extraTls:
+    - hosts:
+        - images.${domain}
+      secretName: "$secret_name"
+externalURL: https://images.${domain}
+
+postgresql:
+  enabled: false
+redis:
+  enabled: false
+notary:
+  enabled: false
+trivy:
+  enabled: false
+
+externalDatabase:
+  host: postgresql.database.svc.cluster.local
+  user: postgres
+  port: 5432
+  password: "$pg_db_password"
+  sslmode: disable
+  coreDatabase: harbor_core
+  clairDatabase: harbor_clair
+  clairUsername: "postgres"
+  clairPassword: "$pg_db_password"
+  notaryServerDatabase: harbor_notary_server
+  notaryServerUsername: "postgres"
+  notaryServerPassword: "$pg_db_password"
+  notarySignerDatabase: harbor_notary_signer
+  notarySignerUsername: "postgres"
+  notarySignerPassword: "$pg_db_password"
+externalRedis:
+  host: redis-master.redis.svc.cluster.local
+  port: 6379
+  password: "$redis_password"
+persistence:
+  enabled: true
+  imageChartStorage:
+    type: $backend_type
+    oss:
+      accesskeyid: $ak
+      accesskeysecret: $sk
+      region: "oss-cn-wulanchabu"
+      bucket: "harbor-oss"
+      endpoint: "oss-cn-wulanchabu.aliyuncs.com"
+    s3:
+      region: ap-east-1
+      bucket: artifact-s3
+      accesskey: $ak
+      secretkey: $sk
+EOF
+
+export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+helm repo add bitnami https://charts.bitnami.com/bitnami
+helm repo update bitnami
+kubectl create ns $namespace || true
+helm upgrade --install artifact bitnami/harbor --version=16.7.0 -f values.yaml -n $namespace

playbooks/roles/charts/harbor/files/setup-office-harbor.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+
+ak=$1
+sk=$2
+domain=$3
+namespace=$4
+secret_name=$5
+redis_password=$6
+pg_db_password=$7
+storage_type=$8
+
+cat > harbor-arm-config.yaml << EOF
+portal:
+  image:
+    repository: ghcr.io/octohelm/harbor/harbor-portal
+    tag: v2.7.0@sha256:b3f4e0e990500362b554338579497ad89af5473e024564731563704ceab9305b
+core:
+  image:
+    repository: ghcr.io/octohelm/harbor/harbor-core
+    tag: v2.7.0@sha256:dd7f3898f32caf8e03cee046596f03034f4297231458d4de39775dd58709b55a 
+jobservice:
+  image:
+    repository: ghcr.io/octohelm/harbor/harbor-jobservice
+    tag: v2.7.0@sha256:7abd6694f546172ffec4a87e389e8ba425fa6ee82479782693c120a89a291435
+registry:
+  registry:
+    image:
+      repository: ghcr.io/octohelm/harbor/registry-photon
+      tag: v2.7.0@sha256:d5f23b2bc4271b2eb1ec002eb0c0c51e708015944316e5bd17c61de73ea54415
+  controller:
+    image:
+      repository: ghcr.io/svc-design/harbor-multi-arch-images/harbor-registryctl
+      tag: v2.7.0@sha256:ba2412c1a629ca1c2ca4584ba51eb05e964c7eef7b1f9f6ddb39d67512debaf5 
+chartmuseum:
+  enabled: true
+  image:
+    repository: ghcr.io/octohelm/harbor/chartmuseum-photon
+    tag: v2.7.0@sha256:0815066d46474b9403b2d2e5f6f9e2ae44d067d8d2f8523b95ea3d3f20f3d058
+trivy:
+  enabled: false
+notary:
+  enabled: false
+expose:
+  type: ingress
+  tls:
+    enabled: true
+    certSource: secret
+    secret:
+      secretName: $secret_name
+      notarySecretName: $secret_name
+  ingress:
+    hosts:
+      core: harbor.${domain}
+      notary: artifact-notary.${domain}
+    className: "nginx"
+externalURL: https://artifact.${domain}
+database:
+  type: external
+  external:
+    host: "postgresql.database.svc.cluster.local"
+    port: "5432"
+    username: "postgres"
+    password: "$pg_db_password"
+    coreDatabase: "registry"
+    notaryServerDatabase: "notary_server"
+    notarySignerDatabase: "notary_signer"
+redis:
+  type: external
+  external:
+    addr: "redis-master.redis.svc.cluster.local:6379"
+    password: "$redis_password"
+persistence:
+  imageChartStorage:
+    type: $storage_type
+    oss:
+      accesskeyid: $ak
+      accesskeysecret: $sk
+      region: "oss-cn-wulanchabu"
+      bucket: "harbor-s3"
+      endpoint: "oss-cn-wulanchabu.aliyuncs.com"
+    s3:
+      region: ap-east-1
+      bucket: artifact-s3
+      accesskey: $ak
+      secretkey: $sk
+EOF
+
+export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+helm repo add harbor https://helm.goharbor.io
+helm repo update
+helm upgrade --install artifact harbor/harbor -f harbor-arm-config.yaml --version 1.11.1 -n $namespace

playbooks/roles/charts/harbor/meta/main.yml

@@ -0,0 +1,4 @@
+dependencies:
+  - role: redis
+  - role: postgresql
+  - role: secret-manger

playbooks/roles/charts/harbor/tasks/main.yml

@@ -0,0 +1,38 @@
+- name: get redis password
+  shell: 'kubectl get secret --namespace {{ cache_namespace }} redis -o jsonpath="{.data.redis-password}" | base64 -d'
+  register: redis_command_raw
+  when: inventory_hostname in groups[group][0]
+
+- name: set fact join command for redis
+  set_fact:
+    redis_password : "{{ redis_command_raw.stdout }}"
+
+- name: get db password
+  shell: 'kubectl get secret --namespace {{ db_namespace }}  postgresql -o jsonpath="{.data.postgres-password}" | base64 -d'
+  register: db_command_raw
+  when: inventory_hostname in groups[group][0]
+
+- name: set fact join command for pg_db
+  set_fact:
+    pg_db_password : "{{ db_command_raw.stdout }}"
+  when: inventory_hostname in groups[group][0]
+
+#- name: Show Debug Info
+#  debug: var=command_raw verbosity=0
+
+- name: Pre Setup harbor DB
+  script: files/pre-setup.sh {{ namespace }} 
+  when: inventory_hostname in groups[group]
+
+- name: Setup harbor Server
+  script: files/setup-bitnami-harbor.sh {{ oss_ak }} {{ oss_sk }} {{ domain }} {{ namespace }} {{ item.secret_name }} {{ hostvars[groups[group][0]].redis_password }} {{ hostvars[groups[group][0]].pg_db_password }} {{ backend_type }} {{ registry }}
+  loop: "{{ tls }}"
+  when: inventory_hostname in groups[group]
+
+#- name: Sync harbor-oidc-config.json
+#  template: src=templates/{{ item }}  dest=/tmp/{{ item }} owner=root group=root mode=0644 force=yes unsafe_writes=yes
+#  with_items:
+#    - harbor-oidc-config.json 
+
+#- name: Setup harbor oidc config
+#  script: files/post-setup.sh {{ admin_password }} 

playbooks/roles/charts/harbor/templates/harbor-oidc-config.json

@@ -0,0 +1,11 @@
+{
+  "auth_mode": "oidc_auth",
+  "oidc_name": "Keycloak-sso",
+  "oidc_endpoint": "https://keycloak.onwalk.net/realms/cloud-sso",
+  "oidc_client_id": "harbor-oidc",
+  "oidc_client_secret": '{{ harbor_oidc_client_token }}',
+  "oidc_scope": "openid,profile,email",
+  "oidc_groups_claim": "groups",
+  "oidc_auto_onboard": true,
+  "oidc_user_claim": "preferred_username"
+}

playbooks/roles/charts/harbor/vars/main.yml

@@ -0,0 +1,9 @@
+group: master
+namespace: artifact
+db_namespace: database
+cache_namespace: redis
+update_secret: true
+tls:
+  - secret_name: harbor-tls
+    keyfile: /etc/ssl/svc.plus.key
+    certfile: /etc/ssl/svc.plus.pem

playbooks/roles/charts/jenkins/files/pre-setup.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+export namespace=$1
+
+export MYSQL_ROOT_PASSWORD=$(kubectl get secret --namespace $namespace mysql -o jsonpath="{.data.mysql-root-password}" | base64 -d)
+
+kubectl run mysql-client --rm --tty -i --restart='Never' --image  docker.io/bitnami/mysql:8.0.32-debian-11-r14 --namespace $namespace --env MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD --command -- bash -c "mysql -h mysql.database.svc.cluster.local -uroot -p$MYSQL_ROOT_PASSWORD -e 'create database IF NOT EXISTS jenkins;'"

playbooks/roles/charts/jenkins/files/setup.sh

@@ -0,0 +1,86 @@
+#!/bin/bash
+set -x
+export domain=$1
+export secret=$2
+export namespace=$3
+export mysql_db_password=$4
+
+cat > values.yaml << EOF
+
+controller:
+  agentListenerServiceType: "NodePort"
+  agentListenerNodePort: 50000
+  admin:
+    username: 'admin'
+    password: "jenkins"
+  jenkinsUrlProtocol: "https"
+  jenkinsHome: "/var/jenkins_home"
+  jenkinsUrl: https://jenkins.$domain
+  ingress:
+    enabled: true
+    annotations:
+      kubernetes.io/tls-acme: "false"
+    ingressClassName: nginx
+    hostName: jenkins.$domain
+    path: '/'
+    tls:
+      - secretName: $secret
+        hosts:
+          - jenkins.$domain
+  installLatestPlugins: true
+  installPlugins:
+    - git:5.2.1
+    - github:1.38.0
+    - github-pullrequest:0.7.0
+    - locale:314.v22ce953dfe9e
+    - database-mysql:1.4
+    - database:191.vd5981b_97a_5fa_
+    - credentials:1337.v60b_d7b_c7b_c9f
+    - credentials-binding:642.v737c34dea_6c2  # 更新版本以满足依赖关系
+    - configuration-as-code:1775.v810dc950b_514  # 更新版本以满足依赖关系
+    - gitlab-plugin:1.7.16
+    - kubernetes:4029.v5712230ccb_f8
+    - docker-plugin:1.6
+    - docker-workflow:572.v950f58993843
+    - docker-commons:439.va_3cb_0a_6a_fb_29
+    - pipeline-stage-view:2.33
+    - workflow-job:1385.vb_58b_86ea_fff1
+    - workflow-cps:3883.vb_3ff2a_e3eea_f
+    - workflow-aggregator:596.v8c21c963d92d
+  JCasC:
+    enabled: true
+    defaultConfig: true
+    configScripts:
+      database: |
+        unclassified:
+          globalDatabaseConfiguration:
+            database:
+              mysql:
+                hostname: mysql.database.svc.cluster.local
+                username: "root"
+                database: "jenkins"
+                password: $mysql_db_password
+                properties: "?useSSL=false"
+                validationQuery: "SELECT 1"
+agent:
+  enabled: true
+  replicas: 3
+  numExecutors: 1
+  jenkinsUrl: https://jenkins.$domain
+  image:
+    repository: "jenkins/inbound-agent"
+    tag: "latest"
+  customJenkinsLabels: []
+
+persistence:
+  enabled: true
+  storageClass: "local-path"
+  size: "10Gi"
+networkPolicy:
+  enabled: false
+additionalConfig: {}
+EOF
+
+helm repo add jenkins https://charts.jenkins.io
+helm repo update
+helm upgrade --install jenkins jenkins/jenkins -n $namespace --create-namespace -f values.yaml

playbooks/roles/charts/jenkins/howto.md

@@ -0,0 +1,124 @@
+# Jenkins Mater 部署
+
+# Jenkins Node IaC Runner 设置
+1. 安装git terraform
+
+## GitLab to trigger Jenkins
+
+1. Gitlab https://gitlab.xxx.com/-/profile/personal_access_tokens 
+
+2. GitLab和Jenkins的集成可以让你在GitLab中的代码更新后自动触发Jenkins的构建任务。以下是配置GitLab插件和Jenkins以实现GitLab触发Jenkins的步骤：
+3. 在Jenkins中安装GitLab插件
+首先，你需要在Jenkins中安装GitLab插件。登录到Jenkins的管理界面，然后转到“Manage Jenkins” > “Manage Plugins” > “Available”，在搜索框中输入“GitLab”，找到并安装“GitLab Plugin”。
+4. 在Jenkins中配置GitLab连接
+安装完插件后，你需要配置GitLab的连接。转到“Manage Jenkins” > “Configure System”，滚动到“GitLab”部分，点击“Add GitLab Server” > “Server”，输入你的GitLab服务器URL，并生成并输入一个与你的GitLab账户相关联的API Token。
+5. 在Jenkins中创建一个新的任务
+创建一个新的任务，并在源代码管理部分选择“Git”，输入你的GitLab项目的URL。在构建触发器部分，选择“Build when a change is pushed to GitLab”。
+记录:GitLab webhook URL: https://jenkins.xxx.xxx/project/alicloud-oss-pipeline
+6. 在GitLab中配置Webhook
+在你的GitLab项目中，转到“Settings” > “Integrations” -> 启用"Jenkins"
+- 在URL中输入步骤5记录的 Webhook URL https://jenkins.xxx.xxx/project/alicloud-oss-pipeline
+- 选择你想要触发Jenkins任务的事件（例如，当代码被推送时）
+- Project name: 输入项目名称
+- Username: Jenkins 用户名
+- Password: Jenkins 认证密码
+- 保存更改, 测试设置，返回状态200为配置正确
+
+以上就是配置GitLab插件和Jenkins以实现GitLab触发Jenkins的步骤。在完成这些步骤后，每当你的GitLab项目有更新时，都会自动触发对应的Jenkins构建任务。
+
+## 要将GitHub代码仓库与Jenkins关联起来，您需要完成以下步骤：
+
+1 要在 GitHub 中启用 webhook 功能以触发 Jenkins 构建，请按照以下步骤操作：
+2 进入 GitHub 仓库设置：在要设置 webhook 的 GitHub 仓库页面上，点击右上角的“Settings”。
+3 选择 Webhooks 选项：在仓库设置页面的左侧菜单中，选择“Webhooks”。
+4 添加 Webhook：在 Webhooks 页面的右上角，点击“Add webhook”。
+
+配置 Webhook：
+
+1. Payload URL：输入 Jenkins 服务器的 webhook URL。格式应为 http://your-jenkins-server/github-webhook/。确保替换 your-jenkins-server 为您 Jenkins 服务器的实际地址。
+2. Content type：选择 application/json。
+3. Secret（可选）：如果需要额外的安全性，可以输入一个秘密令牌。
+4. SSL verification：选择是否验证 SSL 证书。
+5. Which events would you like to trigger this webhook?：选择触发 webhook 的事件。通常选择 Just the push event（只有推送事件）或 Let me select individual events（让我选择单独的事件）并选择适当的事件（例如，push、pull request 等）。
+添加 Webhook：点击页面底部的“Add webhook”按钮以保存配置。
+
+完成以上步骤后，您的 GitHub 仓库就配置好了一个 webhook，可以触发 Jenkins 构建。记得在 Jenkins 中设置相应的任务来响应这些 webhook。
+
+
+安装Jenkins插件：
+
+确保您的Jenkins实例已经安装了“GitHub”和“GitHub Integration”插件。您可以在Jenkins管理界面的“插件管理”部分进行安装。
+配置GitHub Webhook：
+
+在GitHub仓库的设置中，找到“Webhooks”部分并添加一个新的Webhook。
+将“Payload URL”设置为您的Jenkins服务器的URL，通常是这样的格式：http://<JENKINS_URL>/github-webhook/。
+选择触发Webhook的事件，通常是“Just the push event”或者“Send me everything”。
+确保“Content type”设置为“application/json”。
+点击“Add webhook”保存设置。
+配置Jenkins Job：
+
+在Jenkins中创建一个新的构建任务或者配置现有的任务。
+在“源码管理”部分，选择“Git”并填写您的GitHub仓库的URL。
+在“构建触发器”部分，选择“GitHub hook trigger for GITScm polling”选项。这样，每当GitHub仓库有新的推送事件时，Jenkins就会自动触发构建。
+测试配置：
+
+推送一些改动到您的GitHub仓库，检查是否触发了Jenkins构建。
+在Jenkins的构建历史中查看构建是否成功执行。
+通过完成以上步骤，您的GitHub代码仓库就与Jenkins关联起来了，可以实现自动触发构建的功能。
+
+要在 Jenkins 中设置 GitHub 服务，您需要进行以下步骤：
+
+安装 GitHub 插件：首先确保您的 Jenkins 实例已安装 GitHub 插件。如果尚未安装，请转到 Jenkins 的“插件管理”页面，在“可选插件”选项卡中搜索并安装 GitHub 插件。
+
+配置 GitHub 服务器：在 Jenkins 管理界面中，转到“系统管理” > “系统设置”。
+
+在系统设置页面中，找到并点击“GitHub”部分。
+点击“Add GitHub Server”添加一个新的 GitHub 服务器配置。
+在配置页面中，输入一个描述性的名称，例如“GitHub”。
+在 GitHub API URL 中输入 GitHub 的 API 地址。通常为 https://api.github.com。
+如果您的 GitHub 仓库需要身份验证，请在“凭据”部分选择一个已配置的凭据。如果尚未配置凭据，请点击“Add”添加一个新的凭据，选择类型为“Secret text”或“Username with password”，然后输入您的 GitHub 用户名和密码或访问令牌。
+完成配置后，点击“保存”保存 GitHub 服务器配置。
+验证配置：您可以在配置页面的底部点击“Test connection”来验证您的 GitHub 服务器配置是否正常工作。
+
+保存设置：确保在完成配置后点击“保存”保存更改。
+
+现在，您已成功配置了 Jenkins 的 GitHub 服务。您可以在 Jenkins 任务中使用这个配置来与 GitHub 仓库进行集成，例如触发构建、拉取代码等操作。
+
+
+对于 Jenkins 中的 GitHub API URL (https://api.github.com) 的凭据设置，您可以使用 GitHub Personal Access Token。这个 Token 可以通过以下步骤生成：
+
+在 GitHub 上登录您的账号。
+点击页面右上角的头像，选择“Settings”。
+在左侧边栏中，点击“Developer settings”。
+在左侧边栏中，点击“Personal access tokens”。
+点击“Generate new token”。
+输入一个描述性的名称，选择需要的权限（至少需要 repo 权限来访问仓库），然后点击“Generate token”。
+复制生成的 Token，并保存到一个安全的地方。请注意，这个 Token 只会显示一次，如果您丢失了，请重新生成一个新的 Token。
+在 Jenkins 中使用这个 Token 作为 GitHub API URL (https://api.github.com) 的凭据时，您可以将 Token 添加为 Jenkins 的凭据：
+
+进入 Jenkins 管理界面，转到“凭据” > “系统”。
+在“系统”页面中，点击“Global credentials (unrestricted)”。
+在凭据页面中，点击“Add credentials”。
+在“Kind”下拉菜单中选择“Secret text”。
+在“Secret”框中粘贴您在 GitHub 上生成的 Personal Access Token。
+输入一个描述性的名称，并点击“OK”保存凭据。
+现在，您可以在 Jenkins 的配置中使用这个凭据来访问 GitHub API (https://api.github.com)。
+
+确保 Docker 已安装：在 Jenkins 代理节点上确认 Docker 已正确安装并配置。您可以通过在终端中执行 docker --version 命令来检查 Docker 是否可用。
+
+检查 Docker 环境：如果 Docker 已安装，请确保 Docker 服务正在运行。您可以使用 sudo systemctl status docker 命令检查 Docker 服务的状态。
+
+确认 Jenkins 全局工具配置：在 Jenkins 管理界面中，转到“系统管理”->“全局工具配置”，确保 Docker 工具已正确配置。如果未配置，您可以添加一个 Docker 工具，并指定正确的安装路径。
+
+重启 Jenkins 服务：在进行了上述更改后，尝试重启 Jenkins 服务，以确保新的配置生效。
+
+尝试在终端中执行 Docker 命令：在 Jenkins 代理节点上打开终端，尝试手动执行一些 Docker 命令（如 docker pull），看看是否能够正常执行
+
+要设置 Jenkins Docker 流水线，你可以按照以下步骤进行操作：
+
+前提条件
+确保你的 Jenkins 实例已经安装了以下插件：
+
+Docker Pipeline
+Docker Commons
+

playbooks/roles/charts/jenkins/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+  - role: mysql
+  - role: secret-manger

playbooks/roles/charts/jenkins/tasks/main.yml

@@ -0,0 +1,18 @@
+- name: get mysql db password
+  shell: 'kubectl get secret --namespace database mysql -o jsonpath="{.data.mysql-root-password}" | base64 -d'
+  register: mysql_db_password_raw
+  when: inventory_hostname in groups[group][0]
+
+- name: set fact join command
+  set_fact:
+    mysql_db_password : "{{ mysql_db_password_raw.stdout }}"
+  when: inventory_hostname in groups[group][0]
+
+- name: DB Pre Setup for Jenkins Server
+  script: files/pre-setup.sh {{ db_namespace }}
+  when: inventory_hostname in groups[group]
+
+- name: Setup Jenkins Cluster
+  script: files/setup.sh {{ domain }} {{ item.secret_name }} {{ namespace }} {{ mysql_db_password }}
+  when: inventory_hostname in groups[group] and ( tls is defined)
+  loop: "{{ tls }}"

playbooks/roles/charts/keycloak/files/pre-setup.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+export namespace=$1
+export POSTGRES_PASSWORD=$(kubectl get secret --namespace $namespace postgresql -o jsonpath="{.data.postgres-password}" | base64 -d)
+
+kubectl run postgresql-client --rm --tty -i --restart='Never' --namespace $namespace --image docker.io/bitnami/postgresql:15.2.0-debian-11-r11 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host postgresql -U postgres -d postgres -p 5432 -w -c "CREATE DATABASE keycloak;" || echo true

playbooks/roles/charts/keycloak/files/setup-keycloak.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+export domain=$1
+export secret=$2
+export namespace=$3
+export keycloak_ui_password=$4
+export keycloak_db_password=$5
+
+cat > keycloak-values.yaml << EOF
+proxy: edge
+tls:
+  enabled: false
+  existingSecret: "$secret"
+auth:
+  adminPassword: "$keycloak_ui_password"
+ingress:
+  enabled: false
+  ingressClassName: "nginx"
+  hostname: keycloak.${domain}
+  tls: true
+  extraTls:
+  - hosts:
+      - keycloak.${domain}
+    secretName: $secret
+postgresql:
+  enabled: true
+#externalDatabase:
+#  host: "postgresql.database.svc.cluster.local"
+#  port: 5432
+#  user: postgres
+#  database: keycloak
+#  password: "$keycloak_db_password"
+EOF
+
+helm repo add bitnami https://charts.bitnami.com/bitnami || echo true
+helm repo update
+kubectl create ns ${namespace} || echo true
+kubectl create secret tls onwalk-tls --cert=/etc/ssl/onwalk.net.pem --key=/etc/ssl/onwalk.net.key -n ${namespace} || echo true
+helm upgrade --install keycloak bitnami/keycloak -n $namespace -f keycloak-values.yaml