diff --git a/StackFlow/svc-plus.yaml b/StackFlow/svc-plus.yaml deleted file mode 100644 index 8bd388f..0000000 --- a/StackFlow/svc-plus.yaml +++ /dev/null 
@@ -1,140 +0,0 @@ -apiVersion: gitops.svc.plus/v1alpha1 -kind: StackFlow -metadata: - # Stack identifier (used in plans/artifacts). - name: svc-plus - -global: - # Root domain for this business stack. - # Runner enforces: every targets[].domains[] must be under this root. - domain: svc.plus - - # Declarative provider selector for future dns-apply (no secrets here). - dns_provider: cloudflare - - # Default cloud for this stack (future iac-apply/deploy/observe phases). - cloud: gcp - project: xzerolab-480008 - - # Optional: multi-environment overrides (selected by runner --env). - # Today CI only runs plan/validate; env selection is for future expansion. - environments: - prod: - dns_provider: cloudflare - cloud: gcp - gcp_project: xzerolab-480008 - dev: - dns_provider: cloudflare - cloud: gcp - gcp_project: xzerolab-480008 - - # Source-of-truth repos (informational). - gitops: https://github.com/cloud-neutral-toolkit/gitops - playbooks: https://github.com/cloud-neutral-toolkit/playbook - iac_modules: https://github.com/cloud-neutral-toolkit/iac_modules - -targets: - # ----------------------------------------- - # Vercel: www + console - # ----------------------------------------- - - id: vercel-console - type: vercel - vercel: - project_url: https://vercel.com/svc-designs-projects/console-svc-plus - team_slug: svc-designs-projects - project_slug: console-svc-plus - domains: - - www.svc.plus - - console.svc.plus - # Optional env-specific intent (not used by runner yet). - environments: - dev: - domains: - - www.dev.svc.plus - - console.dev.svc.plus - dns: - # Default policy: pure DNS. Proxy can be enabled per-record later. - records: - - name: www - type: CNAME - value: cname.vercel-dns.com. - proxied: false - - name: console - type: CNAME - value: cname.vercel-dns.com. 
- proxied: false - - # ----------------------------------------- - # GCE vhost: clawdbot - # ----------------------------------------- - - id: clawdbot - type: vhost - cloud: gcp - gcp: - project: xzerolab-480008 - zone: asia-east1-b - instance_name: clawdbot-svc-plus - console_url: https://console.cloud.google.com/compute/instancesDetail/zones/asia-east1-b/instances/clawdbot-svc-plus?project=xzerolab-480008 - domains: - - clawdbot.svc.plus - resources: - os: debian-13 - cpu: 2 - mem_mib: 4096 - disk_gb: 50 - endpoints: - # Will be filled by future iac-apply output. - public_ipv4: "" - dns: - records: - - name: clawdbot - type: A - valueFrom: endpoints.public_ipv4 - proxied: false - - # ----------------------------------------- - # GCP Cloud Run: accounts - # ----------------------------------------- - - id: accounts - type: cloud-run - cloud: gcp - repo: https://github.com/cloud-neutral-toolkit/accounts.svc.plus - gcp: - project: xzerolab-480008 - region: asia-northeast1 - service: accounts-svc-plus - console_url: https://console.cloud.google.com/run/detail/asia-northeast1/accounts-svc-plus/observability/metrics?project=xzerolab-480008 - domains: - - accounts.svc.plus - deploy: - mode: repo-dispatch - repository: cloud-neutral-toolkit/accounts.svc.plus - event_type: stackflow.deploy.cloudrun - dns: - # Cloud Run custom domain mapping needs provider-specific verification records. - # Keep explicit records here once known; plan/validate won't apply them. 
- records: [] - - # ----------------------------------------- - # Cloudflare Workers Containers: hk-xhttp - # ----------------------------------------- - - id: hk-xhttp - type: cloudflare-workers-containers - cloud: cloudflare - repo: https://github.com/cloud-neutral-toolkit/iac_modules - cloudflare: - account_id: e71be5efb76a6c54f78f008da4404f00 - worker_name: hk-xhttp-svc-plus - dashboard_url: https://dash.cloudflare.com/e71be5efb76a6c54f78f008da4404f00/workers-and-pages - domains: - - xhttp.svc.plus - deploy: - mode: wrangler - working_directory: vpn-overlay/xray/cloudflare-workers-containers - command: npx wrangler deploy - dns: - records: - - name: xhttp - type: CNAME - value: hk-xhttp-svc-plus.workers.dev. - proxied: true diff --git a/helm/app-service/Chart.yaml b/helm/app-service/Chart.yaml deleted file mode 100644 index d495e0c..0000000 --- a/helm/app-service/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: app-service -description: Reusable chart for single-node core services -type: application -version: 0.1.0 -appVersion: "1.0.0" - diff --git a/helm/app-service/templates/_helpers.tpl b/helm/app-service/templates/_helpers.tpl deleted file mode 100644 index 2c619ad..0000000 --- a/helm/app-service/templates/_helpers.tpl +++ /dev/null @@ -1,15 +0,0 @@ -{{- define "app-service.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{- define "app-service.fullname" -}} -{{- include "app-service.name" . -}} -{{- end -}} - -{{- define "app-service.labels" -}} -app.kubernetes.io/name: {{ include "app-service.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} -{{- end -}} - diff --git a/helm/app-service/templates/deployment.yaml b/helm/app-service/templates/deployment.yaml deleted file mode 100644 index d9b2f40..0000000 
--- a/helm/app-service/templates/deployment.yaml +++ /dev/null @@ -1,59 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "app-service.fullname" . }} - labels: - {{- include "app-service.labels" . | nindent 4 }} -spec: - replicas: {{ .Values.replicaCount }} - revisionHistoryLimit: 3 - strategy: - type: {{ .Values.strategy.type }} - rollingUpdate: - maxUnavailable: {{ .Values.strategy.rollingUpdate.maxUnavailable }} - maxSurge: {{ .Values.strategy.rollingUpdate.maxSurge }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "app-service.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - {{- include "app-service.labels" . | nindent 8 }} - {{- with .Values.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - annotations: - {{- if and .Values.reloader.enabled .Values.existingSecretName }} - secret.reloader.stakater.com/reload: {{ default .Values.existingSecretName .Values.reloader.secretMatch | quote }} - {{- end }} - {{- with .Values.podAnnotations }} - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - containers: - - name: app - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - name: http - containerPort: {{ .Values.containerPort }} - {{- if .Values.env }} - env: - {{- range $key, $value := .Values.env }} - - name: {{ $key }} - value: {{ $value | quote }} - {{- end }} - {{- end }} - {{- if .Values.existingSecretName }} - envFrom: - - secretRef: - name: {{ .Values.existingSecretName }} - {{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - readinessProbe: - {{- toYaml .Values.readinessProbe | nindent 12 }} - livenessProbe: - {{- toYaml .Values.livenessProbe | nindent 12 }} - diff --git a/helm/app-service/templates/pdb.yaml b/helm/app-service/templates/pdb.yaml deleted file mode 100644 index fff5026..0000000 --- a/helm/app-service/templates/pdb.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -{{- if .Values.pdb.enabled }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "app-service.fullname" . }} - labels: - {{- include "app-service.labels" . | nindent 4 }} -spec: - minAvailable: {{ .Values.pdb.minAvailable }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "app-service.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - diff --git a/helm/app-service/templates/service.yaml b/helm/app-service/templates/service.yaml deleted file mode 100644 index 3e73781..0000000 --- a/helm/app-service/templates/service.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "app-service.fullname" . }} - labels: - {{- include "app-service.labels" . | nindent 4 }} -spec: - type: {{ .Values.service.type }} - selector: - app.kubernetes.io/name: {{ include "app-service.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - ports: - - name: http - port: {{ .Values.service.port }} - targetPort: http - diff --git a/helm/app-service/values.yaml b/helm/app-service/values.yaml deleted file mode 100644 index b4c1362..0000000 --- a/helm/app-service/values.yaml +++ /dev/null @@ -1,57 +0,0 @@ -nameOverride: "" - -replicaCount: 1 - -image: - repository: ghcr.io/example/app - tag: latest - pullPolicy: IfNotPresent - -containerPort: 8080 - -service: - port: 80 - type: ClusterIP - -strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 0 - maxSurge: 1 - -podLabels: {} -podAnnotations: {} - -env: {} -existingSecretName: "" - -resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 500m - memory: 512Mi - -readinessProbe: - httpGet: - path: /healthz - port: http - initialDelaySeconds: 10 - periodSeconds: 10 - -livenessProbe: - httpGet: - path: /healthz - port: http - initialDelaySeconds: 30 - periodSeconds: 20 - -pdb: - enabled: true - minAvailable: 1 - -reloader: - enabled: true - secretMatch: "" - 
diff --git a/infra/apps/core/accounts/base/helmrelease.yaml b/infra/apps/core/accounts/base/helmrelease.yaml index 2c98b93..6c8e7cc 100644 --- a/infra/apps/core/accounts/base/helmrelease.yaml +++ b/infra/apps/core/accounts/base/helmrelease.yaml @@ -1,25 +1,17 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta2 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: accounts spec: interval: 5m0s releaseName: accounts - chart: - spec: - chart: ./helm/app-service - sourceRef: - kind: GitRepository - name: platform-config - namespace: flux-system - interval: 1m0s + chartRef: + kind: OCIRepository + name: accounts-chart valuesFrom: - kind: ConfigMap name: accounts-base-values valuesKey: values.yaml - - kind: ConfigMap - name: accounts-channel-values - valuesKey: values.yaml - kind: ConfigMap name: accounts-env-values valuesKey: values.yaml diff --git a/infra/apps/core/accounts/base/kustomization.yaml b/infra/apps/core/accounts/base/kustomization.yaml new file mode 100644 index 0000000..d20636e --- /dev/null +++ b/infra/apps/core/accounts/base/kustomization.yaml @@ -0,0 +1,11 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - oci-repository.yaml + - helmrelease.yaml +configMapGenerator: + - name: accounts-base-values + files: + - values.yaml=values.yaml +generatorOptions: + disableNameSuffixHash: true diff --git a/infra/apps/core/accounts/base/oci-repository.yaml b/infra/apps/core/accounts/base/oci-repository.yaml new file mode 100644 index 0000000..de4a072 --- /dev/null +++ b/infra/apps/core/accounts/base/oci-repository.yaml @@ -0,0 +1,12 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: OCIRepository +metadata: + name: accounts-chart +spec: + interval: 10m0s + url: oci://ghcr.io/x-evor/charts/app-service + ref: + semver: "0.1.0" + layerSelector: + mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip + operation: copy 
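Review bot: `chartRef` names `accounts-chart` without a `namespace`, so it only resolves because the pre/prod overlays stamp the same `namespace:` onto both this HelmRelease and the base OCIRepository they now pull in via `../base`. A comment on the new lines, e.g. `# namespace intentionally unset: resolved in the overlay namespace (core-pre / core-prod)`, would stop a later edit from pinning one namespace here and breaking the other environment. The same applies to the console HelmRelease hunk further down.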
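Review bot: The new OCIRepository fetches the chart from `oci://ghcr.io/x-evor/charts/app-service` with only `ref.semver: "0.1.0"` and no `spec.verify`, so the installed chart is trusted on a registry tag alone, which can be re-pushed without anything in this repo changing. If the chart publishing pipeline signs artifacts, add `verify:` / `  provider: cosign` (with a `secretRef` to the public key unless keyless signing is used); otherwise pin `ref.digest` instead of a semver tag so the cluster installs exactly the reviewed content. The HelmRelease hunk above moves the chart out of the Git source Flux previously reconciled, so this OCIRepository is now where chart provenance is decided. The console, postgresql and observability OCIRepository hunks later in this diff have the same gap.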
diff --git a/infra/apps/core/accounts/channels/latest.yaml b/infra/apps/core/accounts/channels/latest.yaml deleted file mode 100644 index 78a89fa..0000000 --- a/infra/apps/core/accounts/channels/latest.yaml +++ /dev/null @@ -1,3 +0,0 @@ -image: - repository: ghcr.io/x-evor/accounts - tag: latest diff --git a/infra/apps/core/accounts/channels/release.yaml b/infra/apps/core/accounts/channels/release.yaml deleted file mode 100644 index b2ef9ba..0000000 --- a/infra/apps/core/accounts/channels/release.yaml +++ /dev/null @@ -1,3 +0,0 @@ -image: - repository: ghcr.io/x-evor/accounts - tag: release diff --git a/infra/apps/core/accounts/pre/kustomization.yaml b/infra/apps/core/accounts/pre/kustomization.yaml index 3da9fe2..a62a8e4 100644 --- a/infra/apps/core/accounts/pre/kustomization.yaml +++ b/infra/apps/core/accounts/pre/kustomization.yaml @@ -2,16 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: core-pre resources: - - ../base/helmrelease.yaml + - ../base - externalsecret.yaml - ingress.yaml configMapGenerator: - - name: accounts-base-values - files: - - values.yaml=../base/values.yaml - - name: accounts-channel-values - files: - - values.yaml=../channels/latest.yaml - name: accounts-env-values files: - values.yaml=values.yaml diff --git a/infra/apps/core/accounts/pre/values.yaml b/infra/apps/core/accounts/pre/values.yaml index b221baa..ab78289 100644 --- a/infra/apps/core/accounts/pre/values.yaml +++ b/infra/apps/core/accounts/pre/values.yaml @@ -1,4 +1,7 @@ replicaCount: 1 +image: + repository: ghcr.io/x-evor/accounts + tag: latest resources: requests: cpu: 100m diff --git a/infra/apps/core/accounts/prod/kustomization.yaml b/infra/apps/core/accounts/prod/kustomization.yaml index e7186e0..e96902f 100644 --- a/infra/apps/core/accounts/prod/kustomization.yaml +++ b/infra/apps/core/accounts/prod/kustomization.yaml 
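Review bot: The added `image.tag: latest` (and `release` in the prod values hunk, with the same pattern in both console values hunks) is a mutable tag, so a new push of that tag changes nothing in the rendered Deployment and Flux will not roll the pods; the only pullPolicy visible anywhere is `IfNotPresent` in the values.yaml this diff deletes, and if the OCI chart keeps that default, nodes that cached the tag keep serving the old image. Consider `tag: "<immutable-tag-or-digest>"` per environment, bumped by an image-update automation, or at least `pullPolicy: Always` alongside these env values so a restart picks up the current tag. Pinning also keeps the deployed image identity auditable from Git history rather than from registry state.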
@@ -2,16 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: core-prod resources: - - ../base/helmrelease.yaml + - ../base - externalsecret.yaml - ingress.yaml configMapGenerator: - - name: accounts-base-values - files: - - values.yaml=../base/values.yaml - - name: accounts-channel-values - files: - - values.yaml=../channels/release.yaml - name: accounts-env-values files: - values.yaml=values.yaml diff --git a/infra/apps/core/accounts/prod/values.yaml b/infra/apps/core/accounts/prod/values.yaml index 9c19d73..140cf88 100644 --- a/infra/apps/core/accounts/prod/values.yaml +++ b/infra/apps/core/accounts/prod/values.yaml @@ -1,4 +1,7 @@ replicaCount: 2 +image: + repository: ghcr.io/x-evor/accounts + tag: release resources: requests: cpu: 250m diff --git a/infra/apps/core/console/base/helmrelease.yaml b/infra/apps/core/console/base/helmrelease.yaml index 7d81ba2..303da75 100644 --- a/infra/apps/core/console/base/helmrelease.yaml +++ b/infra/apps/core/console/base/helmrelease.yaml @@ -1,25 +1,17 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta2 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: console spec: interval: 5m0s releaseName: console - chart: - spec: - chart: ./helm/app-service - sourceRef: - kind: GitRepository - name: platform-config - namespace: flux-system - interval: 1m0s + chartRef: + kind: OCIRepository + name: console-chart valuesFrom: - kind: ConfigMap name: console-base-values valuesKey: values.yaml - - kind: ConfigMap - name: console-channel-values - valuesKey: values.yaml - kind: ConfigMap name: console-env-values valuesKey: values.yaml diff --git a/infra/apps/core/console/base/kustomization.yaml b/infra/apps/core/console/base/kustomization.yaml new file mode 100644 index 0000000..3bbb949 --- /dev/null +++ b/infra/apps/core/console/base/kustomization.yaml 
@@ -0,0 +1,11 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - oci-repository.yaml + - helmrelease.yaml +configMapGenerator: + - name: console-base-values + files: + - values.yaml=values.yaml +generatorOptions: + disableNameSuffixHash: true diff --git a/infra/apps/core/console/base/oci-repository.yaml b/infra/apps/core/console/base/oci-repository.yaml new file mode 100644 index 0000000..9150428 --- /dev/null +++ b/infra/apps/core/console/base/oci-repository.yaml @@ -0,0 +1,12 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: OCIRepository +metadata: + name: console-chart +spec: + interval: 10m0s + url: oci://ghcr.io/x-evor/charts/app-service + ref: + semver: "0.1.0" + layerSelector: + mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip + operation: copy diff --git a/infra/apps/core/console/channels/latest.yaml b/infra/apps/core/console/channels/latest.yaml deleted file mode 100644 index d0a0042..0000000 --- a/infra/apps/core/console/channels/latest.yaml +++ /dev/null @@ -1,3 +0,0 @@ -image: - repository: ghcr.io/x-evor/console - tag: latest diff --git a/infra/apps/core/console/channels/release.yaml b/infra/apps/core/console/channels/release.yaml deleted file mode 100644 index de18475..0000000 --- a/infra/apps/core/console/channels/release.yaml +++ /dev/null @@ -1,3 +0,0 @@ -image: - repository: ghcr.io/x-evor/console - tag: release diff --git a/infra/apps/core/console/pre/kustomization.yaml b/infra/apps/core/console/pre/kustomization.yaml index 9cbb5b2..e883705 100644 --- a/infra/apps/core/console/pre/kustomization.yaml +++ b/infra/apps/core/console/pre/kustomization.yaml 
@@ -2,16 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: core-pre resources: - - ../base/helmrelease.yaml + - ../base - externalsecret.yaml - ingress.yaml configMapGenerator: - - name: console-base-values - files: - - values.yaml=../base/values.yaml - - name: console-channel-values - files: - - values.yaml=../channels/latest.yaml - name: console-env-values files: - values.yaml=values.yaml diff --git a/infra/apps/core/console/pre/values.yaml b/infra/apps/core/console/pre/values.yaml index dbaaf1a..a461aef 100644 --- a/infra/apps/core/console/pre/values.yaml +++ b/infra/apps/core/console/pre/values.yaml @@ -1,4 +1,7 @@ replicaCount: 1 +image: + repository: ghcr.io/x-evor/console + tag: latest resources: requests: cpu: 100m diff --git a/infra/apps/core/console/prod/kustomization.yaml b/infra/apps/core/console/prod/kustomization.yaml index c211e78..755b0bc 100644 --- a/infra/apps/core/console/prod/kustomization.yaml +++ b/infra/apps/core/console/prod/kustomization.yaml @@ -2,16 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: core-prod resources: - - ../base/helmrelease.yaml + - ../base - externalsecret.yaml - ingress.yaml configMapGenerator: - - name: console-base-values - files: - - values.yaml=../base/values.yaml - - name: console-channel-values - files: - - values.yaml=../channels/release.yaml - name: console-env-values files: - values.yaml=values.yaml diff --git a/infra/apps/core/console/prod/values.yaml b/infra/apps/core/console/prod/values.yaml index 7e3465c..2b3722e 100644 --- a/infra/apps/core/console/prod/values.yaml +++ b/infra/apps/core/console/prod/values.yaml @@ -1,4 +1,7 @@ replicaCount: 2 +image: + repository: ghcr.io/x-evor/console + tag: release resources: requests: cpu: 250m diff --git a/infra/clusters/pre/accounts-pre-kustomization.yaml b/infra/clusters/pre/accounts-pre-kustomization.yaml index 7eedad4..7e13f87 100644 --- a/infra/clusters/pre/accounts-pre-kustomization.yaml 
+++ b/infra/clusters/pre/accounts-pre-kustomization.yaml @@ -1,4 +1,4 @@ -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: accounts-pre @@ -11,4 +11,3 @@ spec: kind: GitRepository name: platform-config path: ./infra/apps/core/accounts/pre - diff --git a/infra/clusters/pre/console-pre-kustomization.yaml b/infra/clusters/pre/console-pre-kustomization.yaml index 9d88d4e..99051cf 100644 --- a/infra/clusters/pre/console-pre-kustomization.yaml +++ b/infra/clusters/pre/console-pre-kustomization.yaml @@ -1,4 +1,4 @@ -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: console-pre @@ -11,4 +11,3 @@ spec: kind: GitRepository name: platform-config path: ./infra/apps/core/console/pre - diff --git a/infra/clusters/prod/accounts-prod-kustomization.yaml b/infra/clusters/prod/accounts-prod-kustomization.yaml index 2b36db2..7fd41ab 100644 --- a/infra/clusters/prod/accounts-prod-kustomization.yaml +++ b/infra/clusters/prod/accounts-prod-kustomization.yaml @@ -1,4 +1,4 @@ -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: accounts-prod @@ -14,4 +14,3 @@ spec: dependsOn: - name: platform-stack - name: infrastructure-stack - diff --git a/infra/clusters/prod/console-prod-kustomization.yaml b/infra/clusters/prod/console-prod-kustomization.yaml index 7bbe74c..80f19d6 100644 --- a/infra/clusters/prod/console-prod-kustomization.yaml +++ b/infra/clusters/prod/console-prod-kustomization.yaml @@ -1,4 +1,4 @@ -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: console-prod @@ -14,4 +14,3 @@ spec: dependsOn: - name: platform-stack - name: infrastructure-stack - 
diff --git a/infra/clusters/prod/infrastructure-kustomization.yaml b/infra/clusters/prod/infrastructure-kustomization.yaml index c8bb97e..8e76df3 100644 --- a/infra/clusters/prod/infrastructure-kustomization.yaml +++ b/infra/clusters/prod/infrastructure-kustomization.yaml @@ -1,4 +1,4 @@ -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: infrastructure-stack @@ -12,4 +12,3 @@ spec: kind: GitRepository name: platform-config path: ./infra/infrastructure - diff --git a/infra/clusters/prod/kustomization.yaml b/infra/clusters/prod/kustomization.yaml index 381a44c..6ab8ebd 100644 --- a/infra/clusters/prod/kustomization.yaml +++ b/infra/clusters/prod/kustomization.yaml @@ -4,7 +4,7 @@ resources: - namespaces.yaml - platform-kustomization.yaml - infrastructure-kustomization.yaml + - observability-kustomization.yaml - console-prod-kustomization.yaml - accounts-prod-kustomization.yaml - pre-kustomization.yaml - diff --git a/infra/clusters/prod/observability-kustomization.yaml b/infra/clusters/prod/observability-kustomization.yaml new file mode 100644 index 0000000..29c8801 --- /dev/null +++ b/infra/clusters/prod/observability-kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: observability-stack + namespace: flux-system +spec: + interval: 5m0s + prune: true + wait: true + timeout: 10m0s + sourceRef: + kind: GitRepository + name: platform-config + path: ./infra/observability + dependsOn: + - name: platform-stack diff --git a/infra/clusters/prod/platform-kustomization.yaml b/infra/clusters/prod/platform-kustomization.yaml index a3f2aa9..1eab7c0 100644 --- a/infra/clusters/prod/platform-kustomization.yaml +++ b/infra/clusters/prod/platform-kustomization.yaml @@ -1,4 +1,4 @@ -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: platform-stack 
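Review bot: The new `observability-stack` Flux Kustomization applies `./infra/observability`, whose manifests are rendered into `namespace: observability`, but no Namespace for it appears in this diff and `namespaces.yaml` is not touched; unless it already exists, the first reconcile fails and, with `wait: true`, sits in the 10m timeout. Either add `observability` to `namespaces.yaml` or ship a Namespace manifest under `infra/observability`. The `dependsOn` on `platform-stack` only (the other stacks also wait on `infrastructure-stack`) looks deliberate since nothing here uses postgresql, but a comment such as `# no infrastructure-stack dependency: the observability charts need no database` would keep it from being "fixed" for consistency later.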
@@ -12,4 +12,3 @@ spec: kind: GitRepository name: platform-config path: ./infra/platform - diff --git a/infra/clusters/prod/pre-kustomization.yaml b/infra/clusters/prod/pre-kustomization.yaml index 3c3c6da..a54b616 100644 --- a/infra/clusters/prod/pre-kustomization.yaml +++ b/infra/clusters/prod/pre-kustomization.yaml @@ -1,4 +1,4 @@ -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: pre-stack @@ -14,4 +14,3 @@ spec: dependsOn: - name: platform-stack - name: infrastructure-stack - diff --git a/infra/infrastructure/kustomization.yaml b/infra/infrastructure/kustomization.yaml index dff4035..3551d76 100644 --- a/infra/infrastructure/kustomization.yaml +++ b/infra/infrastructure/kustomization.yaml @@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - repositories.yaml - - vault - postgresql - diff --git a/infra/infrastructure/postgresql/helmrelease.yaml b/infra/infrastructure/postgresql/helmrelease.yaml index 37da345..6f1eed1 100644 --- a/infra/infrastructure/postgresql/helmrelease.yaml +++ b/infra/infrastructure/postgresql/helmrelease.yaml 
@@ -1,39 +1,22 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta2 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: postgresql namespace: database spec: interval: 10m0s - chart: - spec: - chart: postgresql - version: ">=15.0.0 <16.0.0" - sourceRef: - kind: HelmRepository - name: bitnami - namespace: flux-system + releaseName: postgresql + chartRef: + kind: OCIRepository + name: postgresql-chart + namespace: database install: remediation: retries: 3 upgrade: remediation: retries: 3 - values: - architecture: standalone - auth: - existingSecret: postgresql-auth - primary: - persistence: - enabled: true - size: 20Gi - extraVolumes: - - name: initdb - configMap: - name: postgresql-initdb - extraVolumeMounts: - - name: initdb - mountPath: /docker-entrypoint-initdb.d - metrics: - enabled: false - + valuesFrom: + - kind: ConfigMap + name: postgresql-values + valuesKey: values.yaml diff --git a/infra/infrastructure/postgresql/kustomization.yaml b/infra/infrastructure/postgresql/kustomization.yaml index f5623a3..cefc50c 100644 --- a/infra/infrastructure/postgresql/kustomization.yaml +++ b/infra/infrastructure/postgresql/kustomization.yaml @@ -2,7 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: database resources: - - initdb-configmap.yaml - - externalsecret.yaml + - oci-repository.yaml - helmrelease.yaml - + - externalsecret.yaml + - stunnel-externalsecret.yaml +configMapGenerator: + - name: postgresql-values + files: + - values.yaml=values.yaml +generatorOptions: + disableNameSuffixHash: true diff --git a/infra/infrastructure/postgresql/oci-repository.yaml b/infra/infrastructure/postgresql/oci-repository.yaml new file mode 100644 index 0000000..b58c658 --- /dev/null +++ b/infra/infrastructure/postgresql/oci-repository.yaml 
@@ -0,0 +1,13 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: OCIRepository +metadata: + name: postgresql-chart + namespace: database +spec: + interval: 10m0s + url: oci://ghcr.io/x-evor/charts/postgresql + ref: + semver: "1.1.0" + layerSelector: + mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip + operation: copy diff --git a/infra/infrastructure/postgresql/stunnel-externalsecret.yaml b/infra/infrastructure/postgresql/stunnel-externalsecret.yaml new file mode 100644 index 0000000..d3bec2e --- /dev/null +++ b/infra/infrastructure/postgresql/stunnel-externalsecret.yaml @@ -0,0 +1,22 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: postgresql-stunnel-server + namespace: database +spec: + refreshInterval: 1m + secretStoreRef: + kind: ClusterSecretStore + name: vault-platform + target: + name: postgresql-stunnel-server + creationPolicy: Owner + data: + - secretKey: server-cert.pem + remoteRef: + key: database/postgresql-stunnel + property: server-cert.pem + - secretKey: server-key.pem + remoteRef: + key: database/postgresql-stunnel + property: server-key.pem diff --git a/infra/infrastructure/postgresql/values.yaml b/infra/infrastructure/postgresql/values.yaml new file mode 100644 index 0000000..5c6de57 --- /dev/null +++ b/infra/infrastructure/postgresql/values.yaml 
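Review bot: The new ExternalSecret `postgresql-stunnel-server` reads from ClusterSecretStore `vault-platform`, while this same diff removes the in-cluster Vault (`infra/infrastructure/vault`, the `hashicorp` HelmRepository and the bootstrap job that created the `eso-read` policy and the `external-secrets` Kubernetes auth role); the store definition is not in the diff, so confirm it now points at the replacement Vault and that `database/postgresql-stunnel` is readable there. A comment above `secretStoreRef`, e.g. `# vault-platform is managed outside this repo; database/postgresql-stunnel holds the stunnel server cert/key`, would make that dependency visible. Note also that `refreshInterval: 1m` refreshes the Secret, but a rotated cert/key only reaches stunnel if its pod restarts — confirm the postgresql chart reloads on Secret change, or annotate for reloader as the deleted app-service chart did.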
@@ -0,0 +1,66 @@ +server: + enabled: true + +image: + repository: ghcr.io/x-evor/postgresql-svc-plus + tag: "16" + pullPolicy: IfNotPresent + +auth: + username: postgres + database: postgres + existingSecret: postgresql-auth + secretKey: postgres-password + +initScripts: + enabled: true + scripts: + 01-core-schemas.sql: | + DO $$ + BEGIN + IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'core_prod_user') THEN + CREATE ROLE core_prod_user LOGIN; + END IF; + IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'core_pre_user') THEN + CREATE ROLE core_pre_user LOGIN; + END IF; + END + $$; + + CREATE SCHEMA IF NOT EXISTS core_prod AUTHORIZATION postgres; + CREATE SCHEMA IF NOT EXISTS core_pre AUTHORIZATION postgres; + + GRANT USAGE ON SCHEMA core_prod TO core_prod_user; + GRANT USAGE ON SCHEMA core_pre TO core_pre_user; + + ALTER DEFAULT PRIVILEGES IN SCHEMA core_prod + GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO core_prod_user; + ALTER DEFAULT PRIVILEGES IN SCHEMA core_pre + GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO core_pre_user; + +persistence: + enabled: true + size: 20Gi + +metrics: + enabled: false + +stunnel: + enabled: true + port: 5433 + certificatesSecret: postgresql-stunnel-server + +stunnelClient: + enabled: true + service: + port: 5432 + config: | + [postgres-client] + client = yes + accept = 0.0.0.0:5432 + connect = postgresql.database.svc.cluster.local:5433 + verifyChain = no + sslVersion = TLSv1.2 + options = NO_SSLv2 + options = NO_SSLv3 + ciphers = HIGH:!aNULL:!MD5 diff --git a/infra/infrastructure/repositories.yaml b/infra/infrastructure/repositories.yaml index f832736..37637f5 100644 --- a/infra/infrastructure/repositories.yaml +++ b/infra/infrastructure/repositories.yaml 
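Review bot: In the `stunnelClient.config` block, `verifyChain = no` disables certificate verification on the client side, so the tunnel to `postgresql.database.svc.cluster.local:5433` protects against passive sniffing only; anything inside the cluster that can answer on that name can terminate the TLS session. Set `verifyChain = yes` with `CAfile = <path where the chart mounts the issuing CA>` (or `verifyPeer = yes` against the pinned server certificate) and add `checkHost = postgresql.database.svc.cluster.local` so the certificate name is checked as well. Separately, the init script grants default privileges `ON TABLES` only, so `core_prod_user`/`core_pre_user` will fail INSERTs into serial columns or explicit `nextval()` calls — add `ALTER DEFAULT PRIVILEGES IN SCHEMA core_prod GRANT USAGE, SELECT ON SEQUENCES TO core_prod_user;` and the `core_pre` twin. Those two roles are also created with `LOGIN` but no password here; confirm their credentials are provisioned elsewhere and that `pg_hba` does not fall back to trust for them.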
@@ -1,13 +1,4 @@ -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: hashicorp - namespace: flux-system -spec: - interval: 10m0s - url: https://helm.releases.hashicorp.com ---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 +apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: bitnami @@ -15,4 +6,3 @@ metadata: spec: interval: 10m0s url: https://charts.bitnami.com/bitnami - diff --git a/infra/infrastructure/vault/bootstrap-job.yaml b/infra/infrastructure/vault/bootstrap-job.yaml deleted file mode 100644 index 0b145d9..0000000 --- a/infra/infrastructure/vault/bootstrap-job.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: vault-bootstrap - namespace: extsvc -spec: - template: - spec: - serviceAccountName: vault-bootstrap - restartPolicy: OnFailure - containers: - - name: bootstrap - image: hashicorp/vault:1.16.3 - env: - - name: VAULT_ADDR - value: http://vault.extsvc.svc.cluster.local:8200 - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-bootstrap - key: rootToken - - name: CLOUDFLARE_API_TOKEN - valueFrom: - secretKeyRef: - name: vault-bootstrap - key: cloudflareApiToken - command: - - /bin/sh - - -ec - - | - until vault status >/dev/null 2>&1; do - sleep 5 - done - vault secrets enable -path=secret kv-v2 || true - cat <<'EOF' >/tmp/eso-policy.hcl - path "secret/data/*" { - capabilities = ["read"] - } - path "secret/metadata/*" { - capabilities = ["read", "list"] - } - EOF - vault policy write eso-read /tmp/eso-policy.hcl - vault auth enable kubernetes || true - vault write auth/kubernetes/config \ - kubernetes_host="https://kubernetes.default.svc:443" \ - kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ - token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" - vault write auth/kubernetes/role/external-secrets \ - bound_service_account_names="external-secrets" \ - bound_service_account_namespaces="platform" \ - policies="eso-read" \ - ttl="1h" - vault kv put secret/platform/cloudflare api-token="${CLOUDFLARE_API_TOKEN}" ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vault-bootstrap - namespace: extsvc ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: vault-bootstrap-auth-delegator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: - - kind: ServiceAccount - name: vault-bootstrap - namespace: extsvc 
diff --git a/infra/infrastructure/vault/helmrelease.yaml b/infra/infrastructure/vault/helmrelease.yaml deleted file mode 100644 index 076cefc..0000000 --- a/infra/infrastructure/vault/helmrelease.yaml +++ /dev/null @@ -1,39 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: vault - namespace: extsvc -spec: - interval: 10m0s - chart: - spec: - chart: vault - version: ">=0.28.0 <1.0.0" - sourceRef: - kind: HelmRepository - name: hashicorp - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - remediation: - retries: 3 - values: - injector: - enabled: false - server: - standalone: - enabled: false - dataStorage: - enabled: true - size: 8Gi - ha: - enabled: true - replicas: 1 - raft: - enabled: true - setNodeId: true - service: - enabled: true - diff --git a/infra/infrastructure/vault/kustomization.yaml b/infra/infrastructure/vault/kustomization.yaml deleted file mode 100644 index d02cbdb..0000000 --- a/infra/infrastructure/vault/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: extsvc -resources: - - helmrelease.yaml - - bootstrap-job.yaml - diff --git a/infra/platform/caddy/kustomization.yaml b/infra/observability/kustomization.yaml similarity index 61% rename from infra/platform/caddy/kustomization.yaml rename to infra/observability/kustomization.yaml index 2a50258..786999a 100644 --- a/infra/platform/caddy/kustomization.yaml +++ b/infra/observability/kustomization.yaml @@ -1,6 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: platform resources: - - helmrelease.yaml - + - repositories.yaml + - observability-stack diff --git a/infra/observability/observability-stack/helmrelease.yaml b/infra/observability/observability-stack/helmrelease.yaml new file mode 100644 index 0000000..f13d5f3 --- /dev/null +++ b/infra/observability/observability-stack/helmrelease.yaml 
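Review bot: The renamed kustomization lists `repositories.yaml` under `infra/observability`, but no such file appears in this diff, and the new observability values reference HelmRepository sources `prometheus-community`, `victoria-metrics`, `grafana` and `open-telemetry` in `flux-system` that presumably come from it; if it is not added alongside this change, the `observability-stack` build fails on a missing resource. Because git records this as a rename of `infra/platform/caddy/kustomization.yaml`, the caddy directory no longer has a kustomization.yaml: confirm `infra/platform/kustomization.yaml` no longer references `caddy` (otherwise `platform-stack` fails to build) and, if it was dropped, that pruning the caddy HelmRelease from the `platform` namespace is intended.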
@@ -0,0 +1,16 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: observability-stack
+ namespace: observability
+spec:
+ interval: 10m0s
+ releaseName: observability
+ chartRef:
+ kind: OCIRepository
+ name: observability-chart
+ namespace: observability
+ valuesFrom:
+ - kind: ConfigMap
+ name: observability-values
+ valuesKey: values.yaml
diff --git a/infra/observability/observability-stack/kustomization.yaml b/infra/observability/observability-stack/kustomization.yaml
new file mode 100644
index 0000000..c8eeadc
--- /dev/null
+++ b/infra/observability/observability-stack/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: observability
+resources:
+ - oci-repository.yaml
+ - helmrelease.yaml
+configMapGenerator:
+ - name: observability-values
+ files:
+ - values.yaml=values.yaml
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/infra/observability/observability-stack/oci-repository.yaml b/infra/observability/observability-stack/oci-repository.yaml
new file mode 100644
index 0000000..acb0416
--- /dev/null
+++ b/infra/observability/observability-stack/oci-repository.yaml
@@ -0,0 +1,13 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+ name: observability-chart
+ namespace: observability
+spec:
+ interval: 10m0s
+ url: oci://ghcr.io/x-evor/charts/observability
+ ref:
+ semver: "0.1.0"
+ layerSelector:
+ mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+ operation: copy
diff --git a/infra/observability/observability-stack/values.yaml b/infra/observability/observability-stack/values.yaml
new file mode 100644
index 0000000..9db7bab
--- /dev/null
+++ b/infra/observability/observability-stack/values.yaml
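Review bot: `metadata.namespace: observability` on this HelmRelease (and on the OCIRepository and generated ConfigMap, via the sibling kustomization's `namespace: observability`) requires that namespace to exist before Flux can admit the objects, but nothing in this change creates it, and the `namespaces.observability` value in values.yaml can at best make the wrapper chart create it after the release object is already installed, which is circular. Unless the Flux Kustomization that applies `infra/observability` creates the namespace elsewhere, add a `Namespace` manifest to the `infra/observability` resources (`apiVersion: v1`, `kind: Namespace`, `metadata: {name: observability}`). The `install.remediation`/`upgrade.remediation` with `retries: 3` that the deleted per-component HelmReleases carried is also not reproduced here, so a failed first install of the wrapper stays failed rather than being retried.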
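Review bot: The chart is pulled from `oci://ghcr.io/x-evor/charts/observability` with no `spec.verify` block, so whatever is pushed to that tag on a personal GHCR namespace is rendered and applied to the cluster with no integrity check, and this chart in turn decides which upstream charts and images get installed. If the chart is signed, add `verify: {provider: cosign}` (with `matchOIDCIdentity` listing the expected issuer and subject when it is signed keylessly); if it is not, pin `ref.digest` to the known-good artifact instead of relying on `semver`. `semver: "0.1.0"` selects exactly one version, which is good, but an OCI tag can be re-pushed, so only a digest or a signature actually anchors what Flux installs.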
@@ -0,0 +1,182 @@
+namespaces:
+ observability: observability
+
+server:
+ prometheus:
+ enabled: true
+ releaseName: prometheus
+ sourceRef:
+ kind: HelmRepository
+ name: prometheus-community
+ namespace: flux-system
+ chart:
+ name: prometheus
+ version: ">=25.0.0 <26.0.0"
+ values:
+ server:
+ persistentVolume:
+ enabled: true
+ size: 20Gi
+ victoriaMetrics:
+ enabled: true
+ releaseName: victoria-metrics
+ sourceRef:
+ kind: HelmRepository
+ name: victoria-metrics
+ namespace: flux-system
+ chart:
+ name: victoria-metrics-single
+ version: ">=0.13.0 <1.0.0"
+ values:
+ server:
+ persistentVolume:
+ enabled: true
+ size: 50Gi
+ victoriaLogs:
+ enabled: true
+ releaseName: victoria-logs
+ sourceRef:
+ kind: HelmRepository
+ name: victoria-metrics
+ namespace: flux-system
+ chart:
+ name: victoria-logs-single
+ version: ">=0.9.0 <1.0.0"
+ values:
+ server:
+ persistentVolume:
+ enabled: true
+ size: 50Gi
+ victoriaTraces:
+ enabled: true
+ releaseName: victoria-traces
+ sourceRef:
+ kind: HelmRepository
+ name: victoria-metrics
+ namespace: flux-system
+ chart:
+ name: victoria-traces-single
+ version: ">=0.0.1 <1.0.0"
+ values: {}
+ grafana:
+ enabled: true
+ releaseName: grafana
+ sourceRef:
+ kind: HelmRepository
+ name: grafana
+ namespace: flux-system
+ chart:
+ name: grafana
+ version: ">=8.0.0 <9.0.0"
+ values:
+ persistence:
+ enabled: true
+ size: 10Gi
+ otelConnector:
+ enabled: true
+ releaseName: otel-connector
+ sourceRef:
+ kind: HelmRepository
+ name: open-telemetry
+ namespace: flux-system
+ chart:
+ name: opentelemetry-collector
+ version: ">=0.104.0 <1.0.0"
+ values:
+ mode: deployment
+ config:
+ receivers:
+ otlp:
+ protocols:
+ grpc: {}
+ http: {}
+ processors:
+ batch: {}
+ exporters:
+ debug: {}
+ service:
+ pipelines:
+ traces:
+ receivers: [otlp]
+ processors: [batch]
+ exporters: [debug]
+ metrics:
+ receivers: [otlp]
+ processors: [batch]
+ exporters: [debug]
+ logs:
+ receivers: [otlp]
+ processors: [batch]
+ exporters: [debug]
+
+agent:
+ nodeExporter:
+ enabled: true
+ releaseName: node-exporter
+ sourceRef:
+ kind: HelmRepository
+ name: prometheus-community
+ namespace: flux-system
+ chart:
+ name: prometheus-node-exporter
+ version: ">=4.30.0 <5.0.0"
+ values: {}
+ vector:
+ enabled: true
+ image:
+ repository: timberio/vector
+ tag: "0.36.0-distroless-libc"
+ pullPolicy: IfNotPresent
+ serviceAccountName: vector-agent
+ config: |
+ data_dir: /vector-data-dir
+
+ sources:
+ journald:
+ type: journald
+
+ transforms:
+ normalize:
+ type: remap
+ inputs: ["journald"]
+ source: |
+ .cluster = "k3s"
+ .origin = "vector-agent"
+
+ sinks:
+ vlogs:
+ type: elasticsearch
+ inputs: ["normalize"]
+ endpoints:
+ - http://victoria-logs-victoria-logs-single-server.observability.svc.cluster.local:9428/insert/elasticsearch/
+ mode: bulk
+ compression: gzip
+ resources:
+ limits:
+ cpu: 300m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ processExporter:
+ enabled: true
+ image:
+ repository: ncabatoff/process-exporter
+ tag: v0.8.3
+ pullPolicy: IfNotPresent
+ serviceAccountName: process-exporter
+ port: 9256
+ config: |
+ process_names:
+ - name: "{{.Comm}}"
+ cmdline:
+ - '.+'
+ resources:
+ limits:
+ cpu: 100m
+ memory: 128Mi
+ requests:
+ cpu: 25m
+ memory: 64Mi
+
+extraObjects: []
diff --git a/infra/observability/repositories.yaml b/infra/observability/repositories.yaml
new file mode 100644
index 0000000..6ecc2f8
--- /dev/null
+++ b/infra/observability/repositories.yaml
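Review bot: `agent.nodeExporter.enabled: true` duplicates the `prometheus-node-exporter` subchart that the prometheus-community `prometheus` chart in the `>=25.0.0 <26.0.0` range enables by default, and that chart also enables `prometheus-pushgateway` and `alertmanager` by default; two node-exporter DaemonSets would contend for hostPort 9100, and the pushgateway is an unauthenticated metrics-write endpoint reachable from any pod. Unless the wrapper chart disables these (not visible here), set them explicitly under `server.prometheus.values`: `prometheus-node-exporter: {enabled: false}`, `prometheus-pushgateway: {enabled: false}` and `alertmanager: {enabled: false}` (or configure it). The `otelConnector` pipelines export only to `debug`, so any OTLP data reaching the collector is written to its stdout and never forwarded to the Victoria* backends; if that is a placeholder, a comment such as `# TODO: exporters are debug-only until the VictoriaMetrics/Logs/Traces exporters are wired up` would stop the next reader from assuming tracing works. The vector sink posts host journald content to VictoriaLogs over plain HTTP, and VictoriaLogs has no built-in authentication, so this is acceptable in-cluster only if a NetworkPolicy limits who can reach port 9428.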
@@ -0,0 +1,35 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: prometheus-community
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ url: https://prometheus-community.github.io/helm-charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: victoria-metrics
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ url: https://victoriametrics.github.io/helm-charts/
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: grafana
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ url: https://grafana.github.io/helm-charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: open-telemetry
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ url: https://open-telemetry.github.io/opentelemetry-helm-charts
diff --git a/infra/platform/apisix/helmrelease.yaml b/infra/platform/apisix/helmrelease.yaml
deleted file mode 100644
index 353ff82..0000000
--- a/infra/platform/apisix/helmrelease.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
- name: apisix
- namespace: platform
-spec:
- interval: 10m0s
- chart:
- spec:
- chart: apisix
- version: ">=2.7.0 <3.0.0"
- sourceRef:
- kind: HelmRepository
- name: apisix
- namespace: flux-system
- install:
- remediation:
- retries: 3
- upgrade:
- remediation:
- retries: 3
- values:
- etcd:
- enabled: false
- ingress-controller:
- enabled: false
- dashboard:
- enabled: false
- gateway:
- type: ClusterIP
- apisix:
- deployment:
- role: traditional
- roleTraditional:
- configProvider: yaml
- standalone:
- enabled: true
- admin:
- enabled: false
-
diff --git a/infra/platform/apisix/ingress.yaml b/infra/platform/apisix/ingress.yaml
deleted file mode 100644
index a406fce..0000000
--- a/infra/platform/apisix/ingress.yaml
+++ /dev/null
@@ -1,36 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: apisix-gateway - namespace: platform - annotations: - external-dns.alpha.kubernetes.io/hostname: api.svc.plus,api-pre.svc.plus -spec: - ingressClassName: caddy - tls: - - hosts: - - api.svc.plus - - api-pre.svc.plus - secretName: apisix-gateway-tls - rules: - - host: api.svc.plus - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: apisix-gateway - port: - number: 80 - - host: api-pre.svc.plus - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: apisix-gateway - port: - number: 80 - diff --git a/infra/platform/apisix/kustomization.yaml b/infra/platform/apisix/kustomization.yaml deleted file mode 100644 index 05cceb1..0000000 --- a/infra/platform/apisix/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: platform -resources: - - helmrelease.yaml - - ingress.yaml - diff --git a/infra/platform/caddy/helmrelease.yaml b/infra/platform/caddy/helmrelease.yaml deleted file mode 100644 index 9036036..0000000 --- a/infra/platform/caddy/helmrelease.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: caddy - namespace: platform -spec: - interval: 10m0s - chart: - spec: - chart: caddy-ingress-controller - version: ">=1.0.0 <2.0.0" - sourceRef: - kind: HelmRepository - name: caddy-ingress - namespace: flux-system - install: - createNamespace: false - remediation: - retries: 3 - upgrade: - remediation: - retries: 3 - values: - ingressController: - enabled: true - ingressClass: - create: true - name: caddy - default: false - service: - type: LoadBalancer - diff --git a/infra/platform/external-dns/helmrelease.yaml b/infra/platform/external-dns/helmrelease.yaml index c4db44f..5d6030b 100644 --- a/infra/platform/external-dns/helmrelease.yaml +++ b/infra/platform/external-dns/helmrelease.yaml 
@@ -1,4 +1,4 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
 name: external-dns
@@ -34,4 +34,3 @@ spec:
 secretKeyRef:
 name: cloudflare-api-token
 key: api-token
-
diff --git a/infra/platform/external-secrets/helmrelease.yaml b/infra/platform/external-secrets/helmrelease.yaml
index 2483b18..7796369 100644
--- a/infra/platform/external-secrets/helmrelease.yaml
+++ b/infra/platform/external-secrets/helmrelease.yaml
@@ -1,4 +1,4 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
 name: external-secrets
@@ -21,4 +21,3 @@ spec:
 crds: CreateReplace
 remediation:
 retries: 3
-
diff --git a/infra/platform/k3s-platform/helmrelease.yaml b/infra/platform/k3s-platform/helmrelease.yaml
new file mode 100644
index 0000000..a7fc541
--- /dev/null
+++ b/infra/platform/k3s-platform/helmrelease.yaml
@@ -0,0 +1,16 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: k3s-platform
+ namespace: platform
+spec:
+ interval: 10m0s
+ releaseName: k3s-platform
+ chartRef:
+ kind: OCIRepository
+ name: k3s-platform-chart
+ namespace: platform
+ valuesFrom:
+ - kind: ConfigMap
+ name: k3s-platform-values
+ valuesKey: values.yaml
diff --git a/infra/platform/k3s-platform/kustomization.yaml b/infra/platform/k3s-platform/kustomization.yaml
new file mode 100644
index 0000000..931670d
--- /dev/null
+++ b/infra/platform/k3s-platform/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: platform
+resources:
+ - oci-repository.yaml
+ - helmrelease.yaml
+configMapGenerator:
+ - name: k3s-platform-values
+ files:
+ - values.yaml=values.yaml
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/infra/platform/k3s-platform/oci-repository.yaml b/infra/platform/k3s-platform/oci-repository.yaml
new file mode 100644
index 0000000..238777a
--- /dev/null
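Review bot: This single `k3s-platform` HelmRelease now owns the ingress controller (the only LoadBalancer Service), the API gateway and Vault, but unlike the deleted per-component releases it carries no `install.remediation`/`upgrade.remediation` and no `timeout`, so one component that never becomes ready (for example a freshly installed Vault that stays sealed) can leave the whole release failed with no retry and block later changes to caddy and apisix as well. Add `install: {remediation: {retries: 3}}` and `upgrade: {remediation: {retries: 3}}` as the old releases had, and consider keeping ingress and Vault in separate releases so a rollback of one cannot take down the other. The `valuesFrom` ConfigMap is generated with `disableNameSuffixHash: true`, so value edits do not change the referenced name; depending on the helm-controller version, reconciliation on ConfigMap change is opt-in via the `reconcile.fluxcd.io/watch: Enabled` label, otherwise edits only take effect at the next 10m interval.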
+++ b/infra/platform/k3s-platform/oci-repository.yaml
@@ -0,0 +1,13 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+ name: k3s-platform-chart
+ namespace: platform
+spec:
+ interval: 10m0s
+ url: oci://ghcr.io/x-evor/charts/k3s-platform-chart
+ ref:
+ semver: "0.1.0"
+ layerSelector:
+ mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+ operation: copy
diff --git a/infra/platform/k3s-platform/values.yaml b/infra/platform/k3s-platform/values.yaml
new file mode 100644
index 0000000..c7aea93
--- /dev/null
+++ b/infra/platform/k3s-platform/values.yaml
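Review bot: `oci://ghcr.io/x-evor/charts/k3s-platform-chart` is pulled with no `spec.verify`, and this chart templates the ingress controller, the API gateway, Vault and (per the values file) the Vault bootstrap job that consumes the root token, so a compromised or re-pushed artifact in that GHCR namespace is a direct path to every secret the cluster holds. Add `verify: {provider: cosign}` (with `matchOIDCIdentity` for keyless signatures) if the chart is signed, or pin `ref.digest` and update it through review; `semver: "0.1.0"` alone does not protect against a tag being overwritten.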
@@ -0,0 +1,111 @@
+namespaces:
+ platform: platform
+ vault: extsvc
+
+components:
+ caddy:
+ enabled: true
+ releaseName: caddy
+ sourceRef:
+ kind: HelmRepository
+ name: caddy-ingress
+ namespace: flux-system
+ chart:
+ name: caddy-ingress-controller
+ version: ">=1.0.0 <2.0.0"
+ values:
+ ingressController:
+ enabled: true
+ ingressClass:
+ create: true
+ name: caddy
+ default: false
+ service:
+ type: LoadBalancer
+ apisix:
+ enabled: true
+ releaseName: apisix
+ sourceRef:
+ kind: HelmRepository
+ name: apisix
+ namespace: flux-system
+ chart:
+ name: apisix
+ version: ">=2.7.0 <3.0.0"
+ values:
+ etcd:
+ enabled: false
+ ingress-controller:
+ enabled: false
+ dashboard:
+ enabled: false
+ gateway:
+ type: ClusterIP
+ apisix:
+ deployment:
+ role: traditional
+ roleTraditional:
+ configProvider: yaml
+ standalone:
+ enabled: true
+ admin:
+ enabled: false
+ vault:
+ enabled: true
+ releaseName: vault
+ sourceRef:
+ kind: HelmRepository
+ name: hashicorp
+ namespace: flux-system
+ chart:
+ name: vault
+ version: ">=0.28.0 <1.0.0"
+ values:
+ injector:
+ enabled: false
+ server:
+ standalone:
+ enabled: false
+ dataStorage:
+ enabled: true
+ size: 8Gi
+ ha:
+ enabled: true
+ replicas: 1
+ raft:
+ enabled: true
+ setNodeId: true
+ service:
+ enabled: true
+
+apisixIngress:
+ enabled: true
+ name: apisix-gateway
+ namespace: platform
+ className: caddy
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: api.svc.plus,api-pre.svc.plus
+ tls:
+ secretName: apisix-gateway-tls
+ hosts:
+ - api.svc.plus
+ - api-pre.svc.plus
+ hosts:
+ - host: api.svc.plus
+ serviceName: apisix-gateway
+ servicePort: 80
+ - host: api-pre.svc.plus
+ serviceName: apisix-gateway
+ servicePort: 80
+
+vaultBootstrap:
+ enabled: true
+ image: hashicorp/vault:1.16.3
+ serviceAccountName: vault-bootstrap
+ cloudflareSecretName: vault-bootstrap
+ cloudflareSecretKey: cloudflareApiToken
+ rootTokenSecretName: vault-bootstrap
+ rootTokenSecretKey: rootToken
+ externalSecretsRoleNamespace: platform
+
+extraObjects: []
diff --git a/infra/platform/kustomization.yaml b/infra/platform/kustomization.yaml
index 58ba013..d6d236a 100644
--- a/infra/platform/kustomization.yaml
+++ b/infra/platform/kustomization.yaml
@@ -2,9 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - repositories.yaml
- - caddy
- - apisix
+ - k3s-platform
 - external-secrets
 - external-dns
 - reloader
-
diff --git a/infra/platform/reloader/helmrelease.yaml b/infra/platform/reloader/helmrelease.yaml
index a82668e..64c0a0d 100644
--- a/infra/platform/reloader/helmrelease.yaml
+++ b/infra/platform/reloader/helmrelease.yaml
@@ -1,4 +1,4 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
 name: reloader
@@ -19,4 +19,3 @@ spec:
 upgrade:
 remediation:
 retries: 3
-
diff --git a/infra/platform/repositories.yaml b/infra/platform/repositories.yaml
index a661952..66a25a5 100644
--- a/infra/platform/repositories.yaml
+++ b/infra/platform/repositories.yaml
@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
 name: caddy-ingress
@@ -7,7 +7,7 @@ spec:
 interval: 10m0s
 url: https://caddyserver.github.io/ingress/
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
 name: apisix
@@ -16,7 +16,16 @@ spec:
 interval: 10m0s
 url: https://charts.apiseven.com
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: hashicorp
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ url: https://helm.releases.hashicorp.com
+---
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
 name: external-dns
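Review bot: `vaultBootstrap` keeps a Vault root token as a long-lived Kubernetes Secret (`rootTokenSecretName: vault-bootstrap`, key `rootToken`) next to the Cloudflare API token, and the `vault.values` block leaves the listener at the chart's default (`global.tlsDisable: true`), so if the chart reproduces the deleted bootstrap Job — which talked to `http://vault...:8200` with `VAULT_TOKEN` set to that root token — the root credential for the cluster's secret store sits in etcd (unencrypted unless secrets encryption is on) and crosses the pod network in cleartext on every bootstrap run. Root tokens are meant to be used once and revoked: have the bootstrap end with `vault token revoke -self` (or mint a short-lived, policy-scoped token for it instead), and set `global.tlsDisable: false` with a server certificate before anything authenticates to Vault. `image: hashicorp/vault:1.16.3` is a mutable tag on an older release line; pin it by digest and check it against HashiCorp's advisories before relying on it. Nothing visible restricts who can read the `vault-bootstrap` Secret in `extsvc`; a Role limiting `get` on it to the bootstrap ServiceAccount, plus a comment such as `# rootToken is consumed once at bootstrap; revoke after use` on this block, would make the intended lifetime explicit.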
@@ -25,7 +34,7 @@ spec: interval: 10m0s url: https://kubernetes-sigs.github.io/external-dns/ --- -apiVersion: source.toolkit.fluxcd.io/v1beta2 +apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: external-secrets @@ -34,7 +43,7 @@ spec: interval: 10m0s url: https://charts.external-secrets.io --- -apiVersion: source.toolkit.fluxcd.io/v1beta2 +apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: stakater @@ -42,4 +51,3 @@ metadata: spec: interval: 10m0s url: https://stakater.github.io/stakater-charts -