feat(gitops): add single-node k3s platform stack

Haitao Pan 2026-04-02 12:32:12 +08:00
parent faf90196c5
commit ad647de91a
65 changed files with 1297 additions and 0 deletions


@ -114,3 +114,27 @@ targets:
# Cloud Run custom domain mapping needs provider-specific verification records.
# Keep explicit records here once known; plan/validate won't apply them.
records: []
# -----------------------------------------
# Cloudflare Workers Containers: hk-xhttp
# -----------------------------------------
- id: hk-xhttp
type: cloudflare-workers-containers
cloud: cloudflare
repo: https://github.com/cloud-neutral-toolkit/iac_modules
cloudflare:
account_id: e71be5efb76a6c54f78f008da4404f00
worker_name: hk-xhttp-svc-plus
dashboard_url: https://dash.cloudflare.com/e71be5efb76a6c54f78f008da4404f00/workers-and-pages
domains:
- xhttp.svc.plus
deploy:
mode: wrangler
working_directory: vpn-overlay/xray/cloudflare-workers-containers
command: npx wrangler deploy
dns:
records:
- name: xhttp
type: CNAME
value: hk-xhttp-svc-plus.workers.dev.
proxied: true
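Review bot: `command: npx wrangler deploy` in the `deploy` block runs whatever wrangler version npx resolves at deploy time, so unless `vpn-overlay/xray/cloudflare-workers-containers` carries a lockfile that pins it, the tool that pushes production code is fetched unpinned from the registry on every run. Pinning it in the command (`command: npx wrangler@<PINNED_VERSION> deploy`, placeholder) or relying on a committed lockfile keeps the deploy path reproducible and reviewable. The `id: hk-xhttp` entry is otherwise consistent with the surrounding targets; the hunk header says 27 lines but 26 are shown here, so one line may have been lost in rendering.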


@ -0,0 +1,7 @@
apiVersion: v2
name: app-service
description: Reusable chart for single-node core services
type: application
version: 0.1.0
appVersion: "1.0.0"


@ -0,0 +1,15 @@
{{- define "app-service.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "app-service.fullname" -}}
{{- include "app-service.name" . -}}
{{- end -}}
{{- define "app-service.labels" -}}
app.kubernetes.io/name: {{ include "app-service.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
{{- end -}}
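Review bot: `app-service.fullname` returns `app-service.name` unchanged, so two releases of this chart in one namespace with the same (or no) `nameOverride` produce colliding Deployment, Service and PodDisruptionBudget names even though their selectors differ by `app.kubernetes.io/instance`. The usual shape is `{{- printf "%s-%s" .Release.Name (include "app-service.name" .) | trunc 63 | trimSuffix "-" -}}`; if keeping the short name is deliberate because every HelmRelease in this commit sets `releaseName` equal to `nameOverride`, a one-line comment above the define saying so would stop the next maintainer from "fixing" it. The helper file has no header comment at all, which is worth adding for a chart meant to be reused.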


@ -0,0 +1,59 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "app-service.fullname" . }}
labels:
{{- include "app-service.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
revisionHistoryLimit: 3
strategy:
type: {{ .Values.strategy.type }}
rollingUpdate:
maxUnavailable: {{ .Values.strategy.rollingUpdate.maxUnavailable }}
maxSurge: {{ .Values.strategy.rollingUpdate.maxSurge }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "app-service.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
{{- include "app-service.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
{{- if and .Values.reloader.enabled .Values.existingSecretName }}
secret.reloader.stakater.com/reload: {{ default .Values.existingSecretName .Values.reloader.secretMatch | quote }}
{{- end }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
containers:
- name: app
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.containerPort }}
{{- if .Values.env }}
env:
{{- range $key, $value := .Values.env }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
{{- end }}
{{- if .Values.existingSecretName }}
envFrom:
- secretRef:
name: {{ .Values.existingSecretName }}
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 12 }}
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}
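Review bot: the pod template sets no `securityContext` at pod or container level and leaves `automountServiceAccountToken` at its default, so every service deployed through this chart runs as whatever user the image picks (possibly root), may gain privileges, keeps the default capability set and gets a Kubernetes API token mounted that nothing in the template uses. Making both blocks values-driven with restricted defaults in `values.yaml` (`podSecurityContext: {runAsNonRoot: true, seccompProfile: {type: RuntimeDefault}}`, `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}`, plus `readOnlyRootFilesystem: true` where the image tolerates it) and `automountServiceAccountToken: false` would also let the `core-*` namespaces adopt the `restricted` Pod Security Standard later. The rewrite below touches only `spec.template.spec`; per-service overlays can relax it where an image genuinely needs more.
```yaml
    spec:
      # Defaults live in values.yaml; pre/prod overlays may relax them per service.
      automountServiceAccountToken: {{ .Values.automountServiceAccountToken | default false }}
      {{- with .Values.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: app
          # … unchanged: image, imagePullPolicy, ports, env, envFrom …
          {{- with .Values.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # … unchanged: resources, readinessProbe, livenessProbe …
```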


@ -0,0 +1,15 @@
{{- if .Values.pdb.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "app-service.fullname" . }}
labels:
{{- include "app-service.labels" . | nindent 4 }}
spec:
minAvailable: {{ .Values.pdb.minAvailable }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "app-service.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "app-service.fullname" . }}
labels:
{{- include "app-service.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
selector:
app.kubernetes.io/name: {{ include "app-service.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
ports:
- name: http
port: {{ .Values.service.port }}
targetPort: http


@ -0,0 +1,57 @@
nameOverride: ""
replicaCount: 1
image:
repository: ghcr.io/example/app
tag: latest
pullPolicy: IfNotPresent
containerPort: 8080
service:
port: 80
type: ClusterIP
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 0
maxSurge: 1
podLabels: {}
podAnnotations: {}
env: {}
existingSecretName: ""
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
readinessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 10
periodSeconds: 10
livenessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 30
periodSeconds: 20
pdb:
enabled: true
minAvailable: 1
reloader:
enabled: true
secretMatch: ""
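Review bot: the defaults `pdb.enabled: true`, `pdb.minAvailable: 1` and `replicaCount: 1` together create a PodDisruptionBudget that never permits a voluntary eviction, so `kubectl drain` (and any k3s upgrade that drains the node) blocks on every single-replica release; the pre overlays for accounts and console keep exactly this combination. Either gate the PDB in `templates/pdb.yaml` on more than one replica (`{{- if and .Values.pdb.enabled (gt (int .Values.replicaCount) 1) }}`) or set `pdb: {enabled: false}` wherever `replicaCount: 1`. Separately, `tag: latest` with `pullPolicy: IfNotPresent` means a node that already has the tag cached never pulls a newer build; use `Always` for mutable tags or, better, pin a digest.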


@ -0,0 +1,25 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: accounts
spec:
interval: 5m0s
releaseName: accounts
chart:
spec:
chart: ./helm/app-service
sourceRef:
kind: GitRepository
name: platform-config
namespace: flux-system
interval: 1m0s
valuesFrom:
- kind: ConfigMap
name: accounts-base-values
valuesKey: values.yaml
- kind: ConfigMap
name: accounts-channel-values
valuesKey: values.yaml
- kind: ConfigMap
name: accounts-env-values
valuesKey: values.yaml
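Review bot: `apiVersion: helm.toolkit.fluxcd.io/v2beta2` is a deprecated Flux API — HelmRelease has been served as `helm.toolkit.fluxcd.io/v2` since Flux v2.3 — and the same holds for `kustomize.toolkit.fluxcd.io/v1beta2` (GA `v1` since Flux v2.0), `source.toolkit.fluxcd.io/v1beta2` for HelmRepository (GA `v1` since v2.3) and `external-secrets.io/v1beta1` (GA `v1` in recent ESO releases) used throughout this commit. Whether the installed controllers still serve the beta versions is not visible here; if they do, conversion works today but newer fields are unavailable and a future upgrade drops them, so moving to the GA versions now is the cheaper path. Unlike the infrastructure HelmReleases in this commit, this one and the console one also set no `install.remediation`/`upgrade.remediation`, so a failed upgrade stays failed until someone intervenes.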


@ -0,0 +1,22 @@
nameOverride: accounts
containerPort: 8080
service:
port: 80
existingSecretName: accounts-env
env:
PORT: "8080"
SERVICE_NAME: accounts
HEALTHCHECK_PATH: /healthz
readinessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 10
periodSeconds: 10
livenessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 30
periodSeconds: 20


@ -0,0 +1,3 @@
image:
repository: ghcr.io/x-evor/accounts
tag: latest
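Review bot: `tag: latest` here (and `tag: release` in the sibling channel files for accounts and console) is a mutable reference, so the deployed artifact is not pinned and Flux has no way to notice that a new build was pushed under the same tag. Pinning by digest (`tag: "latest@sha256:<DIGEST>"`, a constructed example using a placeholder) or driving the tag through Flux image automation gives a reproducible, auditable deployment; at minimum the chart's `pullPolicy` should be `Always` for these channels, since the default is `IfNotPresent`.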


@ -0,0 +1,3 @@
image:
repository: ghcr.io/x-evor/accounts
tag: release


@ -0,0 +1,16 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: accounts-env
spec:
refreshInterval: 1m
secretStoreRef:
kind: ClusterSecretStore
name: vault-platform
target:
name: accounts-env
creationPolicy: Owner
dataFrom:
- extract:
key: core/pre/accounts


@ -0,0 +1,24 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: accounts
annotations:
external-dns.alpha.kubernetes.io/hostname: accounts-pre.svc.plus
spec:
ingressClassName: caddy
tls:
- hosts:
- accounts-pre.svc.plus
secretName: accounts-pre-tls
rules:
- host: accounts-pre.svc.plus
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: accounts
port:
number: 80


@ -0,0 +1,19 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: core-pre
resources:
- ../base/helmrelease.yaml
- externalsecret.yaml
- ingress.yaml
configMapGenerator:
- name: accounts-base-values
files:
- values.yaml=../base/values.yaml
- name: accounts-channel-values
files:
- values.yaml=../channels/latest.yaml
- name: accounts-env-values
files:
- values.yaml=values.yaml
generatorOptions:
disableNameSuffixHash: true
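Review bot: `disableNameSuffixHash: true` keeps the `accounts-*-values` ConfigMap names stable so the HelmRelease can reference them, but it also removes the content hash that would otherwise signal a values change; whether helm-controller then reacts immediately depends on its ConfigMap watch (recent versions watch `valuesFrom` sources only when they carry `reconcile.fluxcd.io/watch: Enabled`, older ones pick the change up on `spec.interval`, 5m here — confirm for the Flux version in use). Adding `generatorOptions.labels: {reconcile.fluxcd.io/watch: Enabled}` is cheap and documents the intent. The same applies to the three sibling kustomizations for accounts-prod, console-pre and console-prod.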


@ -0,0 +1,13 @@
replicaCount: 1
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 384Mi
pdb:
minAvailable: 1
env:
APP_ENV: pre
DB_SCHEMA: core_pre


@ -0,0 +1,16 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: accounts-env
spec:
refreshInterval: 1m
secretStoreRef:
kind: ClusterSecretStore
name: vault-platform
target:
name: accounts-env
creationPolicy: Owner
dataFrom:
- extract:
key: core/prod/accounts


@ -0,0 +1,24 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: accounts
annotations:
external-dns.alpha.kubernetes.io/hostname: accounts.svc.plus
spec:
ingressClassName: caddy
tls:
- hosts:
- accounts.svc.plus
secretName: accounts-prod-tls
rules:
- host: accounts.svc.plus
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: accounts
port:
number: 80


@ -0,0 +1,19 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: core-prod
resources:
- ../base/helmrelease.yaml
- externalsecret.yaml
- ingress.yaml
configMapGenerator:
- name: accounts-base-values
files:
- values.yaml=../base/values.yaml
- name: accounts-channel-values
files:
- values.yaml=../channels/release.yaml
- name: accounts-env-values
files:
- values.yaml=values.yaml
generatorOptions:
disableNameSuffixHash: true


@ -0,0 +1,13 @@
replicaCount: 2
resources:
requests:
cpu: 250m
memory: 256Mi
limits:
cpu: 1
memory: 768Mi
pdb:
minAvailable: 1
env:
APP_ENV: production
DB_SCHEMA: core_prod


@ -0,0 +1,25 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: console
spec:
interval: 5m0s
releaseName: console
chart:
spec:
chart: ./helm/app-service
sourceRef:
kind: GitRepository
name: platform-config
namespace: flux-system
interval: 1m0s
valuesFrom:
- kind: ConfigMap
name: console-base-values
valuesKey: values.yaml
- kind: ConfigMap
name: console-channel-values
valuesKey: values.yaml
- kind: ConfigMap
name: console-env-values
valuesKey: values.yaml


@ -0,0 +1,22 @@
nameOverride: console
containerPort: 3000
service:
port: 80
existingSecretName: console-env
env:
PORT: "3000"
SERVICE_NAME: console
HEALTHCHECK_PATH: /healthz
readinessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 10
periodSeconds: 10
livenessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 30
periodSeconds: 20


@ -0,0 +1,3 @@
image:
repository: ghcr.io/x-evor/console
tag: latest


@ -0,0 +1,3 @@
image:
repository: ghcr.io/x-evor/console
tag: release


@ -0,0 +1,16 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: console-env
spec:
refreshInterval: 1m
secretStoreRef:
kind: ClusterSecretStore
name: vault-platform
target:
name: console-env
creationPolicy: Owner
dataFrom:
- extract:
key: core/pre/console


@ -0,0 +1,24 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: console
annotations:
external-dns.alpha.kubernetes.io/hostname: console-pre.svc.plus
spec:
ingressClassName: caddy
tls:
- hosts:
- console-pre.svc.plus
secretName: console-pre-tls
rules:
- host: console-pre.svc.plus
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: console
port:
number: 80


@ -0,0 +1,19 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: core-pre
resources:
- ../base/helmrelease.yaml
- externalsecret.yaml
- ingress.yaml
configMapGenerator:
- name: console-base-values
files:
- values.yaml=../base/values.yaml
- name: console-channel-values
files:
- values.yaml=../channels/latest.yaml
- name: console-env-values
files:
- values.yaml=values.yaml
generatorOptions:
disableNameSuffixHash: true


@ -0,0 +1,13 @@
replicaCount: 1
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 384Mi
pdb:
minAvailable: 1
env:
APP_ENV: pre
ACCOUNTS_BASE_URL: https://accounts-pre.svc.plus


@ -0,0 +1,16 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: console-env
spec:
refreshInterval: 1m
secretStoreRef:
kind: ClusterSecretStore
name: vault-platform
target:
name: console-env
creationPolicy: Owner
dataFrom:
- extract:
key: core/prod/console


@ -0,0 +1,24 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: console
annotations:
external-dns.alpha.kubernetes.io/hostname: console.svc.plus
spec:
ingressClassName: caddy
tls:
- hosts:
- console.svc.plus
secretName: console-prod-tls
rules:
- host: console.svc.plus
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: console
port:
number: 80


@ -0,0 +1,19 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: core-prod
resources:
- ../base/helmrelease.yaml
- externalsecret.yaml
- ingress.yaml
configMapGenerator:
- name: console-base-values
files:
- values.yaml=../base/values.yaml
- name: console-channel-values
files:
- values.yaml=../channels/release.yaml
- name: console-env-values
files:
- values.yaml=values.yaml
generatorOptions:
disableNameSuffixHash: true


@ -0,0 +1,13 @@
replicaCount: 2
resources:
requests:
cpu: 250m
memory: 256Mi
limits:
cpu: 1
memory: 768Mi
pdb:
minAvailable: 1
env:
APP_ENV: production
ACCOUNTS_BASE_URL: https://accounts.svc.plus


@ -0,0 +1,14 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: accounts-pre
namespace: flux-system
spec:
interval: 5m0s
prune: true
wait: true
sourceRef:
kind: GitRepository
name: platform-config
path: ./infra/apps/core/accounts/pre


@ -0,0 +1,14 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: console-pre
namespace: flux-system
spec:
interval: 5m0s
prune: true
wait: true
sourceRef:
kind: GitRepository
name: platform-config
path: ./infra/apps/core/console/pre


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- console-pre-kustomization.yaml
- accounts-pre-kustomization.yaml


@ -0,0 +1,17 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: accounts-prod
namespace: flux-system
spec:
interval: 5m0s
prune: true
wait: true
sourceRef:
kind: GitRepository
name: platform-config
path: ./infra/apps/core/accounts/prod
dependsOn:
- name: platform-stack
- name: infrastructure-stack


@ -0,0 +1,17 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: console-prod
namespace: flux-system
spec:
interval: 5m0s
prune: true
wait: true
sourceRef:
kind: GitRepository
name: platform-config
path: ./infra/apps/core/console/prod
dependsOn:
- name: platform-stack
- name: infrastructure-stack


@ -0,0 +1,15 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: infrastructure-stack
namespace: flux-system
spec:
interval: 5m0s
prune: true
wait: true
timeout: 10m0s
sourceRef:
kind: GitRepository
name: platform-config
path: ./infra/infrastructure
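Review bot: `./infra/infrastructure` contains an ExternalSecret (`postgresql-auth`) whose CRD is installed by the external-secrets HelmRelease under `platform-stack`, yet this Kustomization declares no `dependsOn`, so its first reconciliations fail on the unknown kind until platform-stack has applied the CRDs; Flux retries and converges, but the ordering is implicit and surfaces as errors on every fresh bootstrap. A plain `dependsOn: [{name: platform-stack}]` is not safe either: `platform-stack` also holds the `vault-platform` ClusterSecretStore, which cannot become Ready until the Vault defined in this stack is up, and with `wait: true` on both that is a deadlock. The cleaner shape is to move the store (and the cloudflare ExternalSecret) out of platform-stack into a small Kustomization that depends on both platform-stack and infrastructure-stack, leaving platform → infrastructure → secrets as the explicit order; confirm that the store's Ready condition is one kstatus waits on in the Flux version in use.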


@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespaces.yaml
- platform-kustomization.yaml
- infrastructure-kustomization.yaml
- console-prod-kustomization.yaml
- accounts-prod-kustomization.yaml
- pre-kustomization.yaml


@ -0,0 +1,30 @@
apiVersion: v1
kind: Namespace
metadata:
name: platform
---
apiVersion: v1
kind: Namespace
metadata:
name: database
---
apiVersion: v1
kind: Namespace
metadata:
name: extsvc
---
apiVersion: v1
kind: Namespace
metadata:
name: observability
---
apiVersion: v1
kind: Namespace
metadata:
name: core-prod
---
apiVersion: v1
kind: Namespace
metadata:
name: core-pre
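Review bot: none of the six Namespaces carries Pod Security Admission labels, so workloads in `core-prod`/`core-pre` are admitted under the `privileged` default; adding `labels: {pod-security.kubernetes.io/enforce: baseline, pod-security.kubernetes.io/warn: restricted}` to the application namespaces gives an admission-time backstop, and the warnings it would emit for the chart template in this commit (which sets no securityContext) are a useful signal in themselves. Nothing here restricts traffic between namespaces either, so a pod in `core-pre` can reach the prod Services and the `database` namespace directly; a default-deny NetworkPolicy per application namespace with explicit allows to `database` and the gateway is what would make the pre/prod split enforceable (k3s ships a network-policy controller with its default CNI — confirm for this cluster). A one-line comment per namespace stating what it hosts would also help, since the split between `platform` and `extsvc` is not obvious from the names.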


@ -0,0 +1,15 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: platform-stack
namespace: flux-system
spec:
interval: 5m0s
prune: true
wait: true
timeout: 5m0s
sourceRef:
kind: GitRepository
name: platform-config
path: ./infra/platform


@ -0,0 +1,17 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: pre-stack
namespace: flux-system
spec:
interval: 5m0s
prune: true
wait: true
sourceRef:
kind: GitRepository
name: platform-config
path: ./infra/clusters/pre
dependsOn:
- name: platform-stack
- name: infrastructure-stack


@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- repositories.yaml
- vault
- postgresql


@ -0,0 +1,22 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: postgresql-auth
namespace: database
spec:
refreshInterval: 1m
secretStoreRef:
kind: ClusterSecretStore
name: vault-platform
target:
name: postgresql-auth
creationPolicy: Owner
data:
- secretKey: postgres-password
remoteRef:
key: database/postgresql
property: postgres-password
- secretKey: password
remoteRef:
key: database/postgresql
property: app-password
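Review bot: the Vault path `database/postgresql` this ExternalSecret reads (and the `core/pre/*`, `core/prod/*` paths read by the accounts and console ExternalSecrets) is not written by anything in this commit — the bootstrap job seeds only `secret/platform/cloudflare` — so this resource stays in a sync-error state and the postgresql HelmRelease cannot come up until someone writes those paths by hand. Either extend the bootstrap job or add a short README/comment above `dataFrom`/`data` naming the keys each path must hold (`postgres-password`, `app-password` here) so the manual step is discoverable. `refreshInterval: 1m` is also fairly aggressive for a credential that never changes at runtime; it is harmless but worth a comment if intentional.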


@ -0,0 +1,39 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: postgresql
namespace: database
spec:
interval: 10m0s
chart:
spec:
chart: postgresql
version: ">=15.0.0 <16.0.0"
sourceRef:
kind: HelmRepository
name: bitnami
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
architecture: standalone
auth:
existingSecret: postgresql-auth
primary:
persistence:
enabled: true
size: 20Gi
extraVolumes:
- name: initdb
configMap:
name: postgresql-initdb
extraVolumeMounts:
- name: initdb
mountPath: /docker-entrypoint-initdb.d
metrics:
enabled: false
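Review bot: `auth.existingSecret: postgresql-auth` supplies a `password` key (mapped from `app-password` by the ExternalSecret in this commit) but `auth.username` and `auth.database` are not set, so the chart never creates an application user and that key goes unused; the only login the chart configures is `postgres`, which means the core-prod and core-pre services end up connecting as the superuser unless the `core_*_user` roles are given credentials elsewhere. Setting `auth.username`/`auth.database` — or giving the initdb roles passwords — keeps the applications off the superuser account and lets the schema grants in the initdb script mean something. The chart range `">=15.0.0 <16.0.0"` also floats across minor versions on every reconcile; a comment stating that this is intentional, or a tighter range, would help whoever debugs an unexpected upgrade.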


@ -0,0 +1,28 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: postgresql-initdb
namespace: database
data:
01-core-schemas.sql: |
DO $$
BEGIN
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'core_prod_user') THEN
CREATE ROLE core_prod_user LOGIN;
END IF;
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'core_pre_user') THEN
CREATE ROLE core_pre_user LOGIN;
END IF;
END
$$;
CREATE SCHEMA IF NOT EXISTS core_prod AUTHORIZATION postgres;
CREATE SCHEMA IF NOT EXISTS core_pre AUTHORIZATION postgres;
GRANT USAGE ON SCHEMA core_prod TO core_prod_user;
GRANT USAGE ON SCHEMA core_pre TO core_pre_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA core_prod
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO core_prod_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA core_pre
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO core_pre_user;
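Review bot: the default privileges only cover `ON TABLES`, so any table with a serial or identity column is unusable by `core_prod_user`/`core_pre_user` — an INSERT needs USAGE on the backing sequence; add `ALTER DEFAULT PRIVILEGES IN SCHEMA core_prod GRANT USAGE, SELECT ON SEQUENCES TO core_prod_user;` and the `core_pre` twin. The roles are also created `LOGIN` with no password and no `ALTER ROLE ... PASSWORD`, so with password-based host authentication they cannot actually log in; a `.sh` init script can read a password from the environment the chart provides, whereas this `.sql` file cannot. Note that `ALTER DEFAULT PRIVILEGES` without `FOR ROLE` applies only to objects created by the role running the script (`postgres`), which matches `AUTHORIZATION postgres` here but means tables created by any other role (for example a migration user) do not inherit these grants.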


@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: database
resources:
- initdb-configmap.yaml
- externalsecret.yaml
- helmrelease.yaml


@ -0,0 +1,18 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: hashicorp
namespace: flux-system
spec:
interval: 10m0s
url: https://helm.releases.hashicorp.com
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: bitnami
namespace: flux-system
spec:
interval: 10m0s
url: https://charts.bitnami.com/bitnami


@ -0,0 +1,73 @@
apiVersion: batch/v1
kind: Job
metadata:
name: vault-bootstrap
namespace: extsvc
spec:
template:
spec:
serviceAccountName: vault-bootstrap
restartPolicy: OnFailure
containers:
- name: bootstrap
image: hashicorp/vault:1.16.3
env:
- name: VAULT_ADDR
value: http://vault.extsvc.svc.cluster.local:8200
- name: VAULT_TOKEN
valueFrom:
secretKeyRef:
name: vault-bootstrap
key: rootToken
- name: CLOUDFLARE_API_TOKEN
valueFrom:
secretKeyRef:
name: vault-bootstrap
key: cloudflareApiToken
command:
- /bin/sh
- -ec
- |
until vault status >/dev/null 2>&1; do
sleep 5
done
vault secrets enable -path=secret kv-v2 || true
cat <<'EOF' >/tmp/eso-policy.hcl
path "secret/data/*" {
capabilities = ["read"]
}
path "secret/metadata/*" {
capabilities = ["read", "list"]
}
EOF
vault policy write eso-read /tmp/eso-policy.hcl
vault auth enable kubernetes || true
vault write auth/kubernetes/config \
kubernetes_host="https://kubernetes.default.svc:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
vault write auth/kubernetes/role/external-secrets \
bound_service_account_names="external-secrets" \
bound_service_account_namespaces="platform" \
policies="eso-read" \
ttl="1h"
vault kv put secret/platform/cloudflare api-token="${CLOUDFLARE_API_TOKEN}"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault-bootstrap
namespace: extsvc
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: vault-bootstrap-auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: vault-bootstrap
namespace: extsvc
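Review bot: `token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"` stores the Job pod's projected service-account token as Vault's TokenReview credential, and projected tokens are bound to their pod: once this Job's pod terminates the API server rejects that token, so Kubernetes auth for the `external-secrets` role stops validating shortly after bootstrap succeeds. Dropping the `token_reviewer_jwt` argument makes Vault use its own pod's token for TokenReview, which needs `system:auth-delegator` bound to the Vault server's ServiceAccount rather than to `vault-bootstrap`; the rewrite below does that. Two further points on the same script: the root token is read from the `vault-bootstrap` Secret and left there indefinitely, so once the auth method, policy and seed data are in place it should be revoked (`vault token revoke -self` as the final step, or out of band) and the Secret deleted; and `policy write eso-read` grants read on all of `secret/data/*`, which is what lets any namespace read any environment's secrets through the shared ClusterSecretStore — scoping a policy per environment prefix would close that.
```yaml
          # … unchanged: wait loop, kv-v2 enable, eso-read policy, auth enable …
          # No token_reviewer_jwt: Vault performs TokenReview with its own service-account
          # token, so system:auth-delegator must be bound to the Vault server's ServiceAccount.
          vault write auth/kubernetes/config \
            kubernetes_host="https://kubernetes.default.svc:443" \
            kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
          # … unchanged: role external-secrets, kv put platform/cloudflare …
---
# … unchanged: ServiceAccount vault-bootstrap …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: vault  # the chart's server ServiceAccount; confirm against the resolved chart version
    namespace: extsvc
```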


@ -0,0 +1,39 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: vault
namespace: extsvc
spec:
interval: 10m0s
chart:
spec:
chart: vault
version: ">=0.28.0 <1.0.0"
sourceRef:
kind: HelmRepository
name: hashicorp
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
injector:
enabled: false
server:
standalone:
enabled: false
dataStorage:
enabled: true
size: 8Gi
ha:
enabled: true
replicas: 1
raft:
enabled: true
setNodeId: true
service:
enabled: true
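Review bot: Vault is reached over plain HTTP (`http://vault.extsvc.svc.cluster.local:8200` in both the ClusterSecretStore and the bootstrap job), so the chart's TLS is left disabled and the root token, the Kubernetes auth JWTs and every secret ESO reads cross the cluster network in cleartext. Setting `global.tlsDisable: false` with a server certificate mounted per the chart's TLS documentation and switching the two consumers to `https://` closes that; on a single node the exposure is limited, but these values would be reused unchanged if the stack ever grows to more nodes or gets an Ingress. The values also enable no audit device and configure no auto-unseal: with Raft storage and `replicas: 1`, every pod restart leaves Vault sealed and every ExternalSecret in this commit stops refreshing until someone unseals it by hand — at least a comment documenting that operational step belongs here.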


@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: extsvc
resources:
- helmrelease.yaml
- bootstrap-job.yaml


@ -0,0 +1,40 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: apisix
namespace: platform
spec:
interval: 10m0s
chart:
spec:
chart: apisix
version: ">=2.7.0 <3.0.0"
sourceRef:
kind: HelmRepository
name: apisix
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
etcd:
enabled: false
ingress-controller:
enabled: false
dashboard:
enabled: false
gateway:
type: ClusterIP
apisix:
deployment:
role: traditional
roleTraditional:
configProvider: yaml
standalone:
enabled: true
admin:
enabled: false
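Review bot: `standalone.enabled: true` with `configProvider: yaml` makes APISIX read its routes from a static `apisix.yaml`, and nothing in this commit supplies one (no ConfigMap, no route values), so the gateway that `api.svc.plus` and `api-pre.svc.plus` resolve to serves no routes. Whatever ends up providing that file also has to enforce host-based separation, because the Ingress in this commit sends both the production and the pre hostname to the same APISIX instance in `platform`; a single misrouted upstream there crosses environments, which is exactly what the `core-pre`/`core-prod` split is meant to prevent. `admin.enabled: false` and `dashboard.enabled: false` are the right choices for standalone mode and deserve a comment saying they are intentional.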


@ -0,0 +1,36 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: apisix-gateway
namespace: platform
annotations:
external-dns.alpha.kubernetes.io/hostname: api.svc.plus,api-pre.svc.plus
spec:
ingressClassName: caddy
tls:
- hosts:
- api.svc.plus
- api-pre.svc.plus
secretName: apisix-gateway-tls
rules:
- host: api.svc.plus
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: apisix-gateway
port:
number: 80
- host: api-pre.svc.plus
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: apisix-gateway
port:
number: 80


@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: platform
resources:
- helmrelease.yaml
- ingress.yaml


@ -0,0 +1,32 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: caddy
namespace: platform
spec:
interval: 10m0s
chart:
spec:
chart: caddy-ingress-controller
version: ">=1.0.0 <2.0.0"
sourceRef:
kind: HelmRepository
name: caddy-ingress
namespace: flux-system
install:
createNamespace: false
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
ingressController:
enabled: true
ingressClass:
create: true
name: caddy
default: false
service:
type: LoadBalancer
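Review bot: every Ingress in this commit names a `tls.secretName` (`accounts-prod-tls`, `apisix-gateway-tls`, …) that no resource creates — there is no cert-manager or Issuer here — so certificates must come from Caddy's own ACME automation, and these values configure nothing for it (no ACME account email, no staging CA for first-boot testing). If automatic HTTPS is the intent, set the controller's ACME email in the chart values (`ingressController.config.email`; confirm the key against the chart version `>=1.0.0 <2.0.0` resolves to) and either drop the unused `secretName` entries or add a comment that Caddy manages the certificates, so a reader does not go looking for a missing issuer. `service.type: LoadBalancer` on k3s binds the node's ports 80/443 through the built-in ServiceLB, which is what HTTP-01 validation needs, so that part is consistent.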


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: platform
resources:
- helmrelease.yaml


@ -0,0 +1,19 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: cloudflare-api-token
namespace: platform
spec:
refreshInterval: 1m
secretStoreRef:
kind: ClusterSecretStore
name: vault-platform
target:
name: cloudflare-api-token
creationPolicy: Owner
data:
- secretKey: api-token
remoteRef:
key: platform/cloudflare
property: api-token


@ -0,0 +1,37 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: external-dns
namespace: platform
spec:
interval: 10m0s
chart:
spec:
chart: external-dns
version: ">=1.14.0 <2.0.0"
sourceRef:
kind: HelmRepository
name: external-dns
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
provider: cloudflare
policy: sync
registry: txt
txtOwnerId: svc-plus-k3s
sources:
- ingress
domainFilters:
- svc.plus
env:
- name: CF_API_TOKEN
valueFrom:
secretKeyRef:
name: cloudflare-api-token
key: api-token
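Review bot: `CF_API_TOKEN` comes from the `platform/cloudflare` Vault path that the bootstrap job fills from its `cloudflareApiToken` input, so its Cloudflare scope is whatever the operator minted; external-dns only needs `Zone:DNS:Edit` plus `Zone:Zone:Read` on `svc.plus`, and a broader token here is a broad credential now living in two places (the bootstrap Secret and Vault). `policy: sync` also allows external-dns to delete records — the `txt` registry with `txtOwnerId: svc-plus-k3s` restricts that to records it created, which is why `txtOwnerId` must never change once records exist; a comment on that line stating so would prevent an expensive surprise. The `xhttp` CNAME managed by the Cloudflare targets file in this commit is outside external-dns's ownership and so is safe from the sync policy, but that is worth stating where both are maintained.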


@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: platform
resources:
- externalsecret.yaml
- helmrelease.yaml


@ -0,0 +1,18 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault-platform
spec:
provider:
vault:
server: http://vault.extsvc.svc.cluster.local:8200
path: secret
version: v2
auth:
kubernetes:
mountPath: kubernetes
role: external-secrets
serviceAccountRef:
name: external-secrets
namespace: platform
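Review bot: this ClusterSecretStore has no `spec.conditions`, and the Vault role it authenticates as (`external-secrets`, policy `eso-read` from the bootstrap job) can read all of `secret/data/*`, so an ExternalSecret created in any namespace — including `core-pre` — can pull `core/prod/*` or `database/postgresql`; the pre/prod split in this commit is a namespace convention, not an enforced boundary. Restricting the store to the namespaces that need it (`conditions: [{namespaces: [platform, database, core-prod, core-pre]}]`) is the cheap first step; real isolation needs a store per environment, each bound to a Vault role whose policy is scoped to its own prefix (`secret/data/core/pre/*` and so on) and whose `bound_service_account_namespaces` matches. `server: http://…` also sends every secret read in cleartext inside the cluster; it matches the Vault values in this commit, but both should move to TLS together.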


@ -0,0 +1,24 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: external-secrets
namespace: platform
spec:
interval: 10m0s
chart:
spec:
chart: external-secrets
version: ">=0.10.0 <1.0.0"
sourceRef:
kind: HelmRepository
name: external-secrets
namespace: flux-system
install:
crds: CreateReplace
remediation:
retries: 3
upgrade:
crds: CreateReplace
remediation:
retries: 3


@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helmrelease.yaml
- clustersecretstore.yaml


@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- repositories.yaml
- caddy
- apisix
- external-secrets
- external-dns
- reloader


@ -0,0 +1,22 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: reloader
namespace: platform
spec:
interval: 10m0s
chart:
spec:
chart: reloader
version: ">=1.0.0 <2.0.0"
sourceRef:
kind: HelmRepository
name: stakater
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: platform
resources:
- helmrelease.yaml


@ -0,0 +1,45 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: caddy-ingress
namespace: flux-system
spec:
interval: 10m0s
url: https://caddyserver.github.io/ingress/
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: apisix
namespace: flux-system
spec:
interval: 10m0s
url: https://charts.apiseven.com
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: external-dns
namespace: flux-system
spec:
interval: 10m0s
url: https://kubernetes-sigs.github.io/external-dns/
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: external-secrets
namespace: flux-system
spec:
interval: 10m0s
url: https://charts.external-secrets.io
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: stakater
namespace: flux-system
spec:
interval: 10m0s
url: https://stakater.github.io/stakater-charts