feat(gitops): migrate platform and infra to OCI charts

This commit is contained in:
Haitao Pan 2026-04-02 15:01:47 +08:00
parent ad647de91a
commit 50153c8f2f
63 changed files with 645 additions and 683 deletions


@ -1,140 +0,0 @@
apiVersion: gitops.svc.plus/v1alpha1
kind: StackFlow
metadata:
# Stack identifier (used in plans/artifacts).
name: svc-plus
global:
# Root domain for this business stack.
# Runner enforces: every targets[].domains[] must be under this root.
domain: svc.plus
# Declarative provider selector for future dns-apply (no secrets here).
dns_provider: cloudflare
# Default cloud for this stack (future iac-apply/deploy/observe phases).
cloud: gcp
project: xzerolab-480008
# Optional: multi-environment overrides (selected by runner --env).
# Today CI only runs plan/validate; env selection is for future expansion.
environments:
prod:
dns_provider: cloudflare
cloud: gcp
gcp_project: xzerolab-480008
dev:
dns_provider: cloudflare
cloud: gcp
gcp_project: xzerolab-480008
# Source-of-truth repos (informational).
gitops: https://github.com/cloud-neutral-toolkit/gitops
playbooks: https://github.com/cloud-neutral-toolkit/playbook
iac_modules: https://github.com/cloud-neutral-toolkit/iac_modules
targets:
# -----------------------------------------
# Vercel: www + console
# -----------------------------------------
- id: vercel-console
type: vercel
vercel:
project_url: https://vercel.com/svc-designs-projects/console-svc-plus
team_slug: svc-designs-projects
project_slug: console-svc-plus
domains:
- www.svc.plus
- console.svc.plus
# Optional env-specific intent (not used by runner yet).
environments:
dev:
domains:
- www.dev.svc.plus
- console.dev.svc.plus
dns:
# Default policy: pure DNS. Proxy can be enabled per-record later.
records:
- name: www
type: CNAME
value: cname.vercel-dns.com.
proxied: false
- name: console
type: CNAME
value: cname.vercel-dns.com.
proxied: false
# -----------------------------------------
# GCE vhost: clawdbot
# -----------------------------------------
- id: clawdbot
type: vhost
cloud: gcp
gcp:
project: xzerolab-480008
zone: asia-east1-b
instance_name: clawdbot-svc-plus
console_url: https://console.cloud.google.com/compute/instancesDetail/zones/asia-east1-b/instances/clawdbot-svc-plus?project=xzerolab-480008
domains:
- clawdbot.svc.plus
resources:
os: debian-13
cpu: 2
mem_mib: 4096
disk_gb: 50
endpoints:
# Will be filled by future iac-apply output.
public_ipv4: ""
dns:
records:
- name: clawdbot
type: A
valueFrom: endpoints.public_ipv4
proxied: false
# -----------------------------------------
# GCP Cloud Run: accounts
# -----------------------------------------
- id: accounts
type: cloud-run
cloud: gcp
repo: https://github.com/cloud-neutral-toolkit/accounts.svc.plus
gcp:
project: xzerolab-480008
region: asia-northeast1
service: accounts-svc-plus
console_url: https://console.cloud.google.com/run/detail/asia-northeast1/accounts-svc-plus/observability/metrics?project=xzerolab-480008
domains:
- accounts.svc.plus
deploy:
mode: repo-dispatch
repository: cloud-neutral-toolkit/accounts.svc.plus
event_type: stackflow.deploy.cloudrun
dns:
# Cloud Run custom domain mapping needs provider-specific verification records.
# Keep explicit records here once known; plan/validate won't apply them.
records: []
# -----------------------------------------
# Cloudflare Workers Containers: hk-xhttp
# -----------------------------------------
- id: hk-xhttp
type: cloudflare-workers-containers
cloud: cloudflare
repo: https://github.com/cloud-neutral-toolkit/iac_modules
cloudflare:
account_id: e71be5efb76a6c54f78f008da4404f00
worker_name: hk-xhttp-svc-plus
dashboard_url: https://dash.cloudflare.com/e71be5efb76a6c54f78f008da4404f00/workers-and-pages
domains:
- xhttp.svc.plus
deploy:
mode: wrangler
working_directory: vpn-overlay/xray/cloudflare-workers-containers
command: npx wrangler deploy
dns:
records:
- name: xhttp
type: CNAME
value: hk-xhttp-svc-plus.workers.dev.
proxied: true


@ -1,7 +0,0 @@
apiVersion: v2
name: app-service
description: Reusable chart for single-node core services
type: application
version: 0.1.0
appVersion: "1.0.0"


@ -1,15 +0,0 @@
{{- define "app-service.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "app-service.fullname" -}}
{{- include "app-service.name" . -}}
{{- end -}}
{{- define "app-service.labels" -}}
app.kubernetes.io/name: {{ include "app-service.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
{{- end -}}


@ -1,59 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "app-service.fullname" . }}
labels:
{{- include "app-service.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
revisionHistoryLimit: 3
strategy:
type: {{ .Values.strategy.type }}
rollingUpdate:
maxUnavailable: {{ .Values.strategy.rollingUpdate.maxUnavailable }}
maxSurge: {{ .Values.strategy.rollingUpdate.maxSurge }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "app-service.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
{{- include "app-service.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
{{- if and .Values.reloader.enabled .Values.existingSecretName }}
secret.reloader.stakater.com/reload: {{ default .Values.existingSecretName .Values.reloader.secretMatch | quote }}
{{- end }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
containers:
- name: app
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.containerPort }}
{{- if .Values.env }}
env:
{{- range $key, $value := .Values.env }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
{{- end }}
{{- if .Values.existingSecretName }}
envFrom:
- secretRef:
name: {{ .Values.existingSecretName }}
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 12 }}
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}


@ -1,15 +0,0 @@
{{- if .Values.pdb.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "app-service.fullname" . }}
labels:
{{- include "app-service.labels" . | nindent 4 }}
spec:
minAvailable: {{ .Values.pdb.minAvailable }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "app-service.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}


@ -1,16 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "app-service.fullname" . }}
labels:
{{- include "app-service.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
selector:
app.kubernetes.io/name: {{ include "app-service.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
ports:
- name: http
port: {{ .Values.service.port }}
targetPort: http


@ -1,57 +0,0 @@
nameOverride: ""
replicaCount: 1
image:
repository: ghcr.io/example/app
tag: latest
pullPolicy: IfNotPresent
containerPort: 8080
service:
port: 80
type: ClusterIP
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 0
maxSurge: 1
podLabels: {}
podAnnotations: {}
env: {}
existingSecretName: ""
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
readinessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 10
periodSeconds: 10
livenessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 30
periodSeconds: 20
pdb:
enabled: true
minAvailable: 1
reloader:
enabled: true
secretMatch: ""


@ -1,25 +1,17 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: accounts
spec:
interval: 5m0s
releaseName: accounts
chart:
spec:
chart: ./helm/app-service
sourceRef:
kind: GitRepository
name: platform-config
namespace: flux-system
interval: 1m0s
chartRef:
kind: OCIRepository
name: accounts-chart
valuesFrom:
- kind: ConfigMap
name: accounts-base-values
valuesKey: values.yaml
- kind: ConfigMap
name: accounts-channel-values
valuesKey: values.yaml
- kind: ConfigMap
name: accounts-env-values
valuesKey: values.yaml
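Review bot: The rewritten `accounts` HelmRelease carries no `install.remediation` / `upgrade.remediation` block, while the `postgresql` HelmRelease migrated in this same commit keeps `remediation: retries: 3`; a failed install or upgrade of the OCI chart will therefore sit in a failed state until someone intervenes. Add `install:` and `upgrade:` stanzas with `remediation:` / `  retries: 3` here, and likewise in the console, observability-stack and k3s-platform HelmReleases added below, so all five releases behave the same way. The `chartRef` has no `namespace`, so it resolves to the OCIRepository that each overlay creates in its own namespace (core-pre / core-prod); a short comment above `chartRef:` saying this is intentional would help, since the old `sourceRef` pointed at a single shared source in flux-system.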


@ -0,0 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- oci-repository.yaml
- helmrelease.yaml
configMapGenerator:
- name: accounts-base-values
files:
- values.yaml=values.yaml
generatorOptions:
disableNameSuffixHash: true


@ -0,0 +1,12 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
name: accounts-chart
spec:
interval: 10m0s
url: oci://ghcr.io/x-evor/charts/app-service
ref:
semver: "0.1.0"
layerSelector:
mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
operation: copy
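Review bot: The chart is now fetched from `oci://ghcr.io/x-evor/charts/app-service` with no `spec.verify` block, so Flux applies whatever artifact the registry serves for the `0.1.0` tag; until this commit the chart templates lived in this reviewed repository and were covered by the GitRepository source. Add signature verification, e.g. `verify:` / `  provider: cosign` (with the keyless identity or `secretRef` that matches the publishing pipeline), and consider `ref.digest` instead of a tag for the prod overlays so the deployed chart is immutable. The same gap exists in the console-chart, postgresql-chart, observability-chart and k3s-platform-chart OCIRepository files added in this commit. Note that accounts and console both pin `app-service` at `0.1.0` in separate bases, so a chart upgrade has to be made in two places.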


@ -1,3 +0,0 @@
image:
repository: ghcr.io/x-evor/accounts
tag: latest


@ -1,3 +0,0 @@
image:
repository: ghcr.io/x-evor/accounts
tag: release


@ -2,16 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: core-pre
resources:
- ../base/helmrelease.yaml
- ../base
- externalsecret.yaml
- ingress.yaml
configMapGenerator:
- name: accounts-base-values
files:
- values.yaml=../base/values.yaml
- name: accounts-channel-values
files:
- values.yaml=../channels/latest.yaml
- name: accounts-env-values
files:
- values.yaml=values.yaml


@ -1,4 +1,7 @@
replicaCount: 1
image:
repository: ghcr.io/x-evor/accounts
tag: latest
resources:
requests:
cpu: 100m
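Review bot: The newly added `image.tag: latest` (and `tag: release` in the prod values below, plus the console twins) is a mutable tag, so the image actually run is decided by whoever last pushed to `ghcr.io/x-evor/accounts`, not by this commit, and reverting this file does not revert the image. Prefer an immutable reference, at least for prod: a digest such as `ghcr.io/x-evor/accounts@sha256:<digest-placeholder>` or a build-specific tag written by the release pipeline. If floating channel tags are a deliberate choice for the pre environment, a comment above `image:` stating that (and what triggers a re-pull) would save the next reader the question.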


@ -2,16 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: core-prod
resources:
- ../base/helmrelease.yaml
- ../base
- externalsecret.yaml
- ingress.yaml
configMapGenerator:
- name: accounts-base-values
files:
- values.yaml=../base/values.yaml
- name: accounts-channel-values
files:
- values.yaml=../channels/release.yaml
- name: accounts-env-values
files:
- values.yaml=values.yaml


@ -1,4 +1,7 @@
replicaCount: 2
image:
repository: ghcr.io/x-evor/accounts
tag: release
resources:
requests:
cpu: 250m


@ -1,25 +1,17 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: console
spec:
interval: 5m0s
releaseName: console
chart:
spec:
chart: ./helm/app-service
sourceRef:
kind: GitRepository
name: platform-config
namespace: flux-system
interval: 1m0s
chartRef:
kind: OCIRepository
name: console-chart
valuesFrom:
- kind: ConfigMap
name: console-base-values
valuesKey: values.yaml
- kind: ConfigMap
name: console-channel-values
valuesKey: values.yaml
- kind: ConfigMap
name: console-env-values
valuesKey: values.yaml


@ -0,0 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- oci-repository.yaml
- helmrelease.yaml
configMapGenerator:
- name: console-base-values
files:
- values.yaml=values.yaml
generatorOptions:
disableNameSuffixHash: true


@ -0,0 +1,12 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
name: console-chart
spec:
interval: 10m0s
url: oci://ghcr.io/x-evor/charts/app-service
ref:
semver: "0.1.0"
layerSelector:
mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
operation: copy


@ -1,3 +0,0 @@
image:
repository: ghcr.io/x-evor/console
tag: latest


@ -1,3 +0,0 @@
image:
repository: ghcr.io/x-evor/console
tag: release


@ -2,16 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: core-pre
resources:
- ../base/helmrelease.yaml
- ../base
- externalsecret.yaml
- ingress.yaml
configMapGenerator:
- name: console-base-values
files:
- values.yaml=../base/values.yaml
- name: console-channel-values
files:
- values.yaml=../channels/latest.yaml
- name: console-env-values
files:
- values.yaml=values.yaml


@ -1,4 +1,7 @@
replicaCount: 1
image:
repository: ghcr.io/x-evor/console
tag: latest
resources:
requests:
cpu: 100m


@ -2,16 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: core-prod
resources:
- ../base/helmrelease.yaml
- ../base
- externalsecret.yaml
- ingress.yaml
configMapGenerator:
- name: console-base-values
files:
- values.yaml=../base/values.yaml
- name: console-channel-values
files:
- values.yaml=../channels/release.yaml
- name: console-env-values
files:
- values.yaml=values.yaml


@ -1,4 +1,7 @@
replicaCount: 2
image:
repository: ghcr.io/x-evor/console
tag: release
resources:
requests:
cpu: 250m


@ -1,4 +1,4 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: accounts-pre
@ -11,4 +11,3 @@ spec:
kind: GitRepository
name: platform-config
path: ./infra/apps/core/accounts/pre


@ -1,4 +1,4 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: console-pre
@ -11,4 +11,3 @@ spec:
kind: GitRepository
name: platform-config
path: ./infra/apps/core/console/pre


@ -1,4 +1,4 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: accounts-prod
@ -14,4 +14,3 @@ spec:
dependsOn:
- name: platform-stack
- name: infrastructure-stack


@ -1,4 +1,4 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: console-prod
@ -14,4 +14,3 @@ spec:
dependsOn:
- name: platform-stack
- name: infrastructure-stack


@ -1,4 +1,4 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infrastructure-stack
@ -12,4 +12,3 @@ spec:
kind: GitRepository
name: platform-config
path: ./infra/infrastructure


@ -4,7 +4,7 @@ resources:
- namespaces.yaml
- platform-kustomization.yaml
- infrastructure-kustomization.yaml
- observability-kustomization.yaml
- console-prod-kustomization.yaml
- accounts-prod-kustomization.yaml
- pre-kustomization.yaml


@ -0,0 +1,16 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: observability-stack
namespace: flux-system
spec:
interval: 5m0s
prune: true
wait: true
timeout: 10m0s
sourceRef:
kind: GitRepository
name: platform-config
path: ./infra/observability
dependsOn:
- name: platform-stack


@ -1,4 +1,4 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: platform-stack
@ -12,4 +12,3 @@ spec:
kind: GitRepository
name: platform-config
path: ./infra/platform


@ -1,4 +1,4 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: pre-stack
@ -14,4 +14,3 @@ spec:
dependsOn:
- name: platform-stack
- name: infrastructure-stack


@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- repositories.yaml
- vault
- postgresql


@ -1,39 +1,22 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: postgresql
namespace: database
spec:
interval: 10m0s
chart:
spec:
chart: postgresql
version: ">=15.0.0 <16.0.0"
sourceRef:
kind: HelmRepository
name: bitnami
namespace: flux-system
releaseName: postgresql
chartRef:
kind: OCIRepository
name: postgresql-chart
namespace: database
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
architecture: standalone
auth:
existingSecret: postgresql-auth
primary:
persistence:
enabled: true
size: 20Gi
extraVolumes:
- name: initdb
configMap:
name: postgresql-initdb
extraVolumeMounts:
- name: initdb
mountPath: /docker-entrypoint-initdb.d
metrics:
enabled: false
valuesFrom:
- kind: ConfigMap
name: postgresql-values
valuesKey: values.yaml


@ -2,7 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: database
resources:
- initdb-configmap.yaml
- externalsecret.yaml
- oci-repository.yaml
- helmrelease.yaml
- externalsecret.yaml
- stunnel-externalsecret.yaml
configMapGenerator:
- name: postgresql-values
files:
- values.yaml=values.yaml
generatorOptions:
disableNameSuffixHash: true


@ -0,0 +1,13 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
name: postgresql-chart
namespace: database
spec:
interval: 10m0s
url: oci://ghcr.io/x-evor/charts/postgresql
ref:
semver: "1.1.0"
layerSelector:
mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
operation: copy


@ -0,0 +1,22 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: postgresql-stunnel-server
namespace: database
spec:
refreshInterval: 1m
secretStoreRef:
kind: ClusterSecretStore
name: vault-platform
target:
name: postgresql-stunnel-server
creationPolicy: Owner
data:
- secretKey: server-cert.pem
remoteRef:
key: database/postgresql-stunnel
property: server-cert.pem
- secretKey: server-key.pem
remoteRef:
key: database/postgresql-stunnel
property: server-key.pem


@ -0,0 +1,66 @@
server:
enabled: true
image:
repository: ghcr.io/x-evor/postgresql-svc-plus
tag: "16"
pullPolicy: IfNotPresent
auth:
username: postgres
database: postgres
existingSecret: postgresql-auth
secretKey: postgres-password
initScripts:
enabled: true
scripts:
01-core-schemas.sql: |
DO $$
BEGIN
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'core_prod_user') THEN
CREATE ROLE core_prod_user LOGIN;
END IF;
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'core_pre_user') THEN
CREATE ROLE core_pre_user LOGIN;
END IF;
END
$$;
CREATE SCHEMA IF NOT EXISTS core_prod AUTHORIZATION postgres;
CREATE SCHEMA IF NOT EXISTS core_pre AUTHORIZATION postgres;
GRANT USAGE ON SCHEMA core_prod TO core_prod_user;
GRANT USAGE ON SCHEMA core_pre TO core_pre_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA core_prod
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO core_prod_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA core_pre
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO core_pre_user;
persistence:
enabled: true
size: 20Gi
metrics:
enabled: false
stunnel:
enabled: true
port: 5433
certificatesSecret: postgresql-stunnel-server
stunnelClient:
enabled: true
service:
port: 5432
config: |
[postgres-client]
client = yes
accept = 0.0.0.0:5432
connect = postgresql.database.svc.cluster.local:5433
verifyChain = no
sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3
ciphers = HIGH:!aNULL:!MD5
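Review bot: `verifyChain = no` in `stunnelClient.config` makes the client tunnel accept any server certificate, so the TLS hop to `postgresql.database.svc.cluster.local:5433` authenticates nothing and anything answering on that service name is trusted; the cipher and protocol settings below it do not change that. Turn verification on and pin the peer with `verifyChain = yes`, `CAfile = <path-to-ca-bundle-placeholder>` and `checkHost = postgresql.database.svc.cluster.local`, which in turn needs the issuing CA exported alongside `server-cert.pem`/`server-key.pem` in the `postgresql-stunnel-server` ExternalSecret added above (how the client side mounts certificates is inside the OCI chart and not visible here, so confirm the path). Separately, `01-core-schemas.sql` sets default privileges on `TABLES` only, so `INSERT` into tables backed by serial/identity sequences will fail for `core_prod_user` / `core_pre_user` unless `ALTER DEFAULT PRIVILEGES IN SCHEMA core_prod GRANT USAGE, SELECT ON SEQUENCES TO core_prod_user;` (and the `core_pre` twin) is added; the roles are also created with `LOGIN` and no password, so their access depends entirely on the image's pg_hba configuration, which is worth a comment.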


@ -1,13 +1,4 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: hashicorp
namespace: flux-system
spec:
interval: 10m0s
url: https://helm.releases.hashicorp.com
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: bitnami
@ -15,4 +6,3 @@ metadata:
spec:
interval: 10m0s
url: https://charts.bitnami.com/bitnami
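Review bot: The `bitnami` HelmRepository is kept although the only consumer visible in this commit, the postgresql HelmRelease, now uses `chartRef` to an OCIRepository instead; if nothing else in the repo references it, delete it here the same way `hashicorp` was removed, so Flux stops polling `charts.bitnami.com` for a source nobody uses. If it is still needed elsewhere, a one-line comment above it naming the consumer would prevent the next cleanup from dropping it.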


@ -1,73 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: vault-bootstrap
namespace: extsvc
spec:
template:
spec:
serviceAccountName: vault-bootstrap
restartPolicy: OnFailure
containers:
- name: bootstrap
image: hashicorp/vault:1.16.3
env:
- name: VAULT_ADDR
value: http://vault.extsvc.svc.cluster.local:8200
- name: VAULT_TOKEN
valueFrom:
secretKeyRef:
name: vault-bootstrap
key: rootToken
- name: CLOUDFLARE_API_TOKEN
valueFrom:
secretKeyRef:
name: vault-bootstrap
key: cloudflareApiToken
command:
- /bin/sh
- -ec
- |
until vault status >/dev/null 2>&1; do
sleep 5
done
vault secrets enable -path=secret kv-v2 || true
cat <<'EOF' >/tmp/eso-policy.hcl
path "secret/data/*" {
capabilities = ["read"]
}
path "secret/metadata/*" {
capabilities = ["read", "list"]
}
EOF
vault policy write eso-read /tmp/eso-policy.hcl
vault auth enable kubernetes || true
vault write auth/kubernetes/config \
kubernetes_host="https://kubernetes.default.svc:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
vault write auth/kubernetes/role/external-secrets \
bound_service_account_names="external-secrets" \
bound_service_account_namespaces="platform" \
policies="eso-read" \
ttl="1h"
vault kv put secret/platform/cloudflare api-token="${CLOUDFLARE_API_TOKEN}"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault-bootstrap
namespace: extsvc
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: vault-bootstrap-auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: vault-bootstrap
namespace: extsvc


@ -1,39 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: vault
namespace: extsvc
spec:
interval: 10m0s
chart:
spec:
chart: vault
version: ">=0.28.0 <1.0.0"
sourceRef:
kind: HelmRepository
name: hashicorp
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
injector:
enabled: false
server:
standalone:
enabled: false
dataStorage:
enabled: true
size: 8Gi
ha:
enabled: true
replicas: 1
raft:
enabled: true
setNodeId: true
service:
enabled: true


@ -1,7 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: extsvc
resources:
- helmrelease.yaml
- bootstrap-job.yaml


@ -1,6 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: platform
resources:
- helmrelease.yaml
- repositories.yaml
- observability-stack


@ -0,0 +1,16 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: observability-stack
namespace: observability
spec:
interval: 10m0s
releaseName: observability
chartRef:
kind: OCIRepository
name: observability-chart
namespace: observability
valuesFrom:
- kind: ConfigMap
name: observability-values
valuesKey: values.yaml


@ -0,0 +1,12 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: observability
resources:
- oci-repository.yaml
- helmrelease.yaml
configMapGenerator:
- name: observability-values
files:
- values.yaml=values.yaml
generatorOptions:
disableNameSuffixHash: true


@ -0,0 +1,13 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
name: observability-chart
namespace: observability
spec:
interval: 10m0s
url: oci://ghcr.io/x-evor/charts/observability
ref:
semver: "0.1.0"
layerSelector:
mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
operation: copy


@ -0,0 +1,182 @@
namespaces:
observability: observability
server:
prometheus:
enabled: true
releaseName: prometheus
sourceRef:
kind: HelmRepository
name: prometheus-community
namespace: flux-system
chart:
name: prometheus
version: ">=25.0.0 <26.0.0"
values:
server:
persistentVolume:
enabled: true
size: 20Gi
victoriaMetrics:
enabled: true
releaseName: victoria-metrics
sourceRef:
kind: HelmRepository
name: victoria-metrics
namespace: flux-system
chart:
name: victoria-metrics-single
version: ">=0.13.0 <1.0.0"
values:
server:
persistentVolume:
enabled: true
size: 50Gi
victoriaLogs:
enabled: true
releaseName: victoria-logs
sourceRef:
kind: HelmRepository
name: victoria-metrics
namespace: flux-system
chart:
name: victoria-logs-single
version: ">=0.9.0 <1.0.0"
values:
server:
persistentVolume:
enabled: true
size: 50Gi
victoriaTraces:
enabled: true
releaseName: victoria-traces
sourceRef:
kind: HelmRepository
name: victoria-metrics
namespace: flux-system
chart:
name: victoria-traces-single
version: ">=0.0.1 <1.0.0"
values: {}
grafana:
enabled: true
releaseName: grafana
sourceRef:
kind: HelmRepository
name: grafana
namespace: flux-system
chart:
name: grafana
version: ">=8.0.0 <9.0.0"
values:
persistence:
enabled: true
size: 10Gi
otelConnector:
enabled: true
releaseName: otel-connector
sourceRef:
kind: HelmRepository
name: open-telemetry
namespace: flux-system
chart:
name: opentelemetry-collector
version: ">=0.104.0 <1.0.0"
values:
mode: deployment
config:
receivers:
otlp:
protocols:
grpc: {}
http: {}
processors:
batch: {}
exporters:
debug: {}
service:
pipelines:
traces:
receivers: [otlp]
processors: [batch]
exporters: [debug]
metrics:
receivers: [otlp]
processors: [batch]
exporters: [debug]
logs:
receivers: [otlp]
processors: [batch]
exporters: [debug]
agent:
nodeExporter:
enabled: true
releaseName: node-exporter
sourceRef:
kind: HelmRepository
name: prometheus-community
namespace: flux-system
chart:
name: prometheus-node-exporter
version: ">=4.30.0 <5.0.0"
values: {}
vector:
enabled: true
image:
repository: timberio/vector
tag: "0.36.0-distroless-libc"
pullPolicy: IfNotPresent
serviceAccountName: vector-agent
config: |
data_dir: /vector-data-dir
sources:
journald:
type: journald
transforms:
normalize:
type: remap
inputs: ["journald"]
source: |
.cluster = "k3s"
.origin = "vector-agent"
sinks:
vlogs:
type: elasticsearch
inputs: ["normalize"]
endpoints:
- http://victoria-logs-victoria-logs-single-server.observability.svc.cluster.local:9428/insert/elasticsearch/
mode: bulk
compression: gzip
resources:
limits:
cpu: 300m
memory: 512Mi
requests:
cpu: 100m
memory: 128Mi
processExporter:
enabled: true
image:
repository: ncabatoff/process-exporter
tag: v0.8.3
pullPolicy: IfNotPresent
serviceAccountName: process-exporter
port: 9256
config: |
process_names:
- name: "{{.Comm}}"
cmdline:
- '.+'
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 25m
memory: 64Mi
extraObjects: []
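Review bot: All three `otelConnector.config.service.pipelines` export only to `debug`, so every OTLP trace, metric and log the collector receives is written to its own stdout and discarded rather than forwarded to the victoria-metrics / victoria-logs / victoria-traces releases enabled just above it. If this is a deliberate placeholder, add a comment above `exporters:` saying so; otherwise wire the real exporters before the stack is relied on. The vector sink endpoint hard-codes `victoria-logs-victoria-logs-single-server`, which is derived from `releaseName` plus the chart name, so renaming either silently breaks log shipping — a comment tying the two together would help. `processExporter.config` matches every process (`cmdline: '.+'`), which presumably requires host PID visibility granted inside the OCI chart and is no longer reviewable from this file; worth noting above `processExporter:`.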


@ -0,0 +1,35 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: prometheus-community
namespace: flux-system
spec:
interval: 10m0s
url: https://prometheus-community.github.io/helm-charts
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: victoria-metrics
namespace: flux-system
spec:
interval: 10m0s
url: https://victoriametrics.github.io/helm-charts/
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: grafana
namespace: flux-system
spec:
interval: 10m0s
url: https://grafana.github.io/helm-charts
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: open-telemetry
namespace: flux-system
spec:
interval: 10m0s
url: https://open-telemetry.github.io/opentelemetry-helm-charts


@ -1,40 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: apisix
namespace: platform
spec:
interval: 10m0s
chart:
spec:
chart: apisix
version: ">=2.7.0 <3.0.0"
sourceRef:
kind: HelmRepository
name: apisix
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
etcd:
enabled: false
ingress-controller:
enabled: false
dashboard:
enabled: false
gateway:
type: ClusterIP
apisix:
deployment:
role: traditional
roleTraditional:
configProvider: yaml
standalone:
enabled: true
admin:
enabled: false


@ -1,36 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: apisix-gateway
namespace: platform
annotations:
external-dns.alpha.kubernetes.io/hostname: api.svc.plus,api-pre.svc.plus
spec:
ingressClassName: caddy
tls:
- hosts:
- api.svc.plus
- api-pre.svc.plus
secretName: apisix-gateway-tls
rules:
- host: api.svc.plus
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: apisix-gateway
port:
number: 80
- host: api-pre.svc.plus
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: apisix-gateway
port:
number: 80


@ -1,7 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: platform
resources:
- helmrelease.yaml
- ingress.yaml


@ -1,32 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: caddy
namespace: platform
spec:
interval: 10m0s
chart:
spec:
chart: caddy-ingress-controller
version: ">=1.0.0 <2.0.0"
sourceRef:
kind: HelmRepository
name: caddy-ingress
namespace: flux-system
install:
createNamespace: false
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
ingressController:
enabled: true
ingressClass:
create: true
name: caddy
default: false
service:
type: LoadBalancer


@ -1,4 +1,4 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: external-dns
@ -34,4 +34,3 @@ spec:
secretKeyRef:
name: cloudflare-api-token
key: api-token


@ -1,4 +1,4 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: external-secrets
@ -21,4 +21,3 @@ spec:
crds: CreateReplace
remediation:
retries: 3


@ -0,0 +1,16 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: k3s-platform
namespace: platform
spec:
interval: 10m0s
releaseName: k3s-platform
chartRef:
kind: OCIRepository
name: k3s-platform-chart
namespace: platform
valuesFrom:
- kind: ConfigMap
name: k3s-platform-values
valuesKey: values.yaml


@ -0,0 +1,12 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: platform
resources:
- oci-repository.yaml
- helmrelease.yaml
configMapGenerator:
- name: k3s-platform-values
files:
- values.yaml=values.yaml
generatorOptions:
disableNameSuffixHash: true


@ -0,0 +1,13 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
name: k3s-platform-chart
namespace: platform
spec:
interval: 10m0s
url: oci://ghcr.io/x-evor/charts/k3s-platform-chart
ref:
semver: "0.1.0"
layerSelector:
mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
operation: copy


@ -0,0 +1,111 @@
namespaces:
platform: platform
vault: extsvc
components:
caddy:
enabled: true
releaseName: caddy
sourceRef:
kind: HelmRepository
name: caddy-ingress
namespace: flux-system
chart:
name: caddy-ingress-controller
version: ">=1.0.0 <2.0.0"
values:
ingressController:
enabled: true
ingressClass:
create: true
name: caddy
default: false
service:
type: LoadBalancer
apisix:
enabled: true
releaseName: apisix
sourceRef:
kind: HelmRepository
name: apisix
namespace: flux-system
chart:
name: apisix
version: ">=2.7.0 <3.0.0"
values:
etcd:
enabled: false
ingress-controller:
enabled: false
dashboard:
enabled: false
gateway:
type: ClusterIP
apisix:
deployment:
role: traditional
roleTraditional:
configProvider: yaml
standalone:
enabled: true
admin:
enabled: false
vault:
enabled: true
releaseName: vault
sourceRef:
kind: HelmRepository
name: hashicorp
namespace: flux-system
chart:
name: vault
version: ">=0.28.0 <1.0.0"
values:
injector:
enabled: false
server:
standalone:
enabled: false
dataStorage:
enabled: true
size: 8Gi
ha:
enabled: true
replicas: 1
raft:
enabled: true
setNodeId: true
service:
enabled: true
apisixIngress:
enabled: true
name: apisix-gateway
namespace: platform
className: caddy
annotations:
external-dns.alpha.kubernetes.io/hostname: api.svc.plus,api-pre.svc.plus
tls:
secretName: apisix-gateway-tls
hosts:
- api.svc.plus
- api-pre.svc.plus
hosts:
- host: api.svc.plus
serviceName: apisix-gateway
servicePort: 80
- host: api-pre.svc.plus
serviceName: apisix-gateway
servicePort: 80
vaultBootstrap:
enabled: true
image: hashicorp/vault:1.16.3
serviceAccountName: vault-bootstrap
cloudflareSecretName: vault-bootstrap
cloudflareSecretKey: cloudflareApiToken
rootTokenSecretName: vault-bootstrap
rootTokenSecretKey: rootToken
externalSecretsRoleNamespace: platform
extraObjects: []
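Review bot: The Vault bootstrap logic that was reviewable here as `bootstrap-job.yaml` — root token read from the `vault-bootstrap` Secret, the `eso-read` policy with read on `secret/data/*`, the `auth/kubernetes` role bound to `external-secrets` in `platform` — now runs inside the `k3s-platform-chart` OCI artifact, and only the `vaultBootstrap.*` knobs remain visible; nothing in this file says which policy or role the chart writes. Add a comment above `vaultBootstrap:` recording the chart version whose bootstrap script was reviewed and the expectation that the root token is revoked or rotated once bootstrap succeeds, since `rootTokenSecretName: vault-bootstrap` otherwise keeps a long-lived root credential in the cluster. `vault.values.server.ha.replicas: 1` with `raft.enabled: true` is a single-node cluster labelled HA, carried over unchanged; if that is intentional for this environment a comment saying so would stop it being "fixed" later.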


@ -2,9 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- repositories.yaml
- caddy
- apisix
- k3s-platform
- external-secrets
- external-dns
- reloader


@ -1,4 +1,4 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: reloader
@ -19,4 +19,3 @@ spec:
upgrade:
remediation:
retries: 3


@ -1,4 +1,4 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: caddy-ingress
@ -7,7 +7,7 @@ spec:
interval: 10m0s
url: https://caddyserver.github.io/ingress/
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: apisix
@ -16,7 +16,16 @@ spec:
interval: 10m0s
url: https://charts.apiseven.com
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: hashicorp
namespace: flux-system
spec:
interval: 10m0s
url: https://helm.releases.hashicorp.com
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: external-dns
@ -25,7 +34,7 @@ spec:
interval: 10m0s
url: https://kubernetes-sigs.github.io/external-dns/
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: external-secrets
@ -34,7 +43,7 @@ spec:
interval: 10m0s
url: https://charts.external-secrets.io
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: stakater
@ -42,4 +51,3 @@ metadata:
spec:
interval: 10m0s
url: https://stakater.github.io/stakater-charts