diff --git a/StackFlow/svc-plus.yaml b/StackFlow/svc-plus.yaml
index 60cf9eb..8bd388f 100644
--- a/StackFlow/svc-plus.yaml
+++ b/StackFlow/svc-plus.yaml
@@ -114,3 +114,27 @@ targets:
 # Cloud Run custom domain mapping needs provider-specific verification records.
 # Keep explicit records here once known; plan/validate won't apply them.
 records: []
+
+ # -----------------------------------------
+ # Cloudflare Workers Containers: hk-xhttp
+ # -----------------------------------------
+ - id: hk-xhttp
+ type: cloudflare-workers-containers
+ cloud: cloudflare
+ repo: https://github.com/cloud-neutral-toolkit/iac_modules
+ cloudflare:
+ account_id: e71be5efb76a6c54f78f008da4404f00
+ worker_name: hk-xhttp-svc-plus
+ dashboard_url: https://dash.cloudflare.com/e71be5efb76a6c54f78f008da4404f00/workers-and-pages
+ domains:
+ - xhttp.svc.plus
+ deploy:
+ mode: wrangler
+ working_directory: vpn-overlay/xray/cloudflare-workers-containers
+ command: npx wrangler deploy
+ dns:
+ records:
+ - name: xhttp
+ type: CNAME
+ value: hk-xhttp-svc-plus.workers.dev.
+ proxied: true
diff --git a/helm/app-service/Chart.yaml b/helm/app-service/Chart.yaml
new file mode 100644
index 0000000..d495e0c
--- /dev/null
+++ b/helm/app-service/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: app-service
+description: Reusable chart for single-node core services
+type: application
+version: 0.1.0
+appVersion: "1.0.0"
+
diff --git a/helm/app-service/templates/_helpers.tpl b/helm/app-service/templates/_helpers.tpl
new file mode 100644
index 0000000..2c619ad
--- /dev/null
+++ b/helm/app-service/templates/_helpers.tpl
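Review bot: `command: npx wrangler deploy` resolves wrangler from the npm registry at deploy time with no version constraint, so the deploy tool itself is unpinned in this target definition; pin it, e.g. `command: npx wrangler@<pinned-version> deploy` (placeholder version), or state in a comment that the lockfile under `vpn-overlay/xray/cloudflare-workers-containers` is what fixes it. The CNAME record points `xhttp` at `hk-xhttp-svc-plus.workers.dev.` with `proxied: true`; Workers custom hostnames are usually attached through the Worker's own domain or route bindings rather than a CNAME to the workers.dev hostname, so confirm this record actually serves `xhttp.svc.plus` before other targets depend on it.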
@@ -0,0 +1,15 @@
+{{- define "app-service.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "app-service.fullname" -}}
+{{- include "app-service.name" . -}}
+{{- end -}}
+
+{{- define "app-service.labels" -}}
+app.kubernetes.io/name: {{ include "app-service.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+{{- end -}}
+
diff --git a/helm/app-service/templates/deployment.yaml b/helm/app-service/templates/deployment.yaml
new file mode 100644
index 0000000..d9b2f40
--- /dev/null
+++ b/helm/app-service/templates/deployment.yaml
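Review bot: `app-service.fullname` returns only `app-service.name`, so the Deployment, Service and PDB names never include `.Release.Name`; two releases of this chart in one namespace with the same `nameOverride` (or none, which yields `app-service`) collide on the resource name even though their selectors differ by instance. The usual form is `{{- printf "%s-%s" .Release.Name (include "app-service.name" .) | trunc 63 | trimSuffix "-" -}}`, or, if the intent is that callers keep `releaseName` equal to `nameOverride` as the HelmReleases in this commit do, a comment above the define saying so. `app-service.labels` also omits `app.kubernetes.io/version`; adding `app.kubernetes.io/version: {{ .Values.image.tag | quote }}` would let the deployed tag be read off the labels.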
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "app-service.fullname" . }}
+ labels:
+ {{- include "app-service.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ revisionHistoryLimit: 3
+ strategy:
+ type: {{ .Values.strategy.type }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.strategy.rollingUpdate.maxUnavailable }}
+ maxSurge: {{ .Values.strategy.rollingUpdate.maxSurge }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "app-service.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ {{- include "app-service.labels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ annotations:
+ {{- if and .Values.reloader.enabled .Values.existingSecretName }}
+ secret.reloader.stakater.com/reload: {{ default .Values.existingSecretName .Values.reloader.secretMatch | quote }}
+ {{- end }}
+ {{- with .Values.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ containers:
+ - name: app
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.containerPort }}
+ {{- if .Values.env }}
+ env:
+ {{- range $key, $value := .Values.env }}
+ - name: {{ $key }}
+ value: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.existingSecretName }}
+ envFrom:
+ - secretRef:
+ name: {{ .Values.existingSecretName }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ readinessProbe:
+ {{- toYaml .Values.readinessProbe | nindent 12 }}
+ livenessProbe:
+ {{- toYaml .Values.livenessProbe | nindent 12 }}
+
diff --git a/helm/app-service/templates/pdb.yaml b/helm/app-service/templates/pdb.yaml
new file mode 100644
index 0000000..fff5026
--- /dev/null
+++ b/helm/app-service/templates/pdb.yaml
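Review bot: `strategy.rollingUpdate` is rendered unconditionally while `strategy.type` is templated, so a release that sets `strategy.type: Recreate` produces a Deployment the API server rejects (`rollingUpdate` is only valid with `RollingUpdate`); guard the block with `{{- if eq .Values.strategy.type "RollingUpdate" }}`. The pod spec also has no `securityContext` at pod or container level and leaves the service-account token auto-mounted, so every service rendered from this chart runs as whatever user the image defaults to, with privilege escalation allowed and the full capability set; as the shared chart for all core services this is the right place for restrictive defaults. The sketch below hard-codes them; `readOnlyRootFilesystem` and `automountServiceAccountToken` may need a values switch if a service writes to its filesystem or calls the API.
```yaml
  strategy:
    type: {{ .Values.strategy.type }}
    {{- if eq .Values.strategy.type "RollingUpdate" }}
    rollingUpdate:
      maxUnavailable: {{ .Values.strategy.rollingUpdate.maxUnavailable }}
      maxSurge: {{ .Values.strategy.rollingUpdate.maxSurge }}
    {{- end }}
  # … unchanged: selector, template metadata …
    spec:
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: app
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
  # … unchanged: image, ports, env, envFrom, resources, probes …
```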
@@ -0,0 +1,15 @@
+{{- if .Values.pdb.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "app-service.fullname" . }}
+ labels:
+ {{- include "app-service.labels" . | nindent 4 }}
+spec:
+ minAvailable: {{ .Values.pdb.minAvailable }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "app-service.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
diff --git a/helm/app-service/templates/service.yaml b/helm/app-service/templates/service.yaml
new file mode 100644
index 0000000..3e73781
--- /dev/null
+++ b/helm/app-service/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "app-service.fullname" . }}
+ labels:
+ {{- include "app-service.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ selector:
+ app.kubernetes.io/name: {{ include "app-service.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ ports:
+ - name: http
+ port: {{ .Values.service.port }}
+ targetPort: http
+
diff --git a/helm/app-service/values.yaml b/helm/app-service/values.yaml
new file mode 100644
index 0000000..b4c1362
--- /dev/null
+++ b/helm/app-service/values.yaml
@@ -0,0 +1,57 @@
+nameOverride: ""
+
+replicaCount: 1
+
+image:
+ repository: ghcr.io/example/app
+ tag: latest
+ pullPolicy: IfNotPresent
+
+containerPort: 8080
+
+service:
+ port: 80
+ type: ClusterIP
+
+strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 0
+ maxSurge: 1
+
+podLabels: {}
+podAnnotations: {}
+
+env: {}
+existingSecretName: ""
+
+resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+
+readinessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 10
+
+livenessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 20
+
+pdb:
+ enabled: true
+ minAvailable: 1
+
+reloader:
+ enabled: true
+ secretMatch: ""
+
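Review bot: With the chart defaults `pdb.enabled: true`, `pdb.minAvailable: 1` and `replicaCount: 1`, this PodDisruptionBudget forbids every voluntary eviction of a single-replica service, so node drains and cluster upgrades block on it indefinitely; both `pre` values files in this commit keep `replicaCount: 1` with `minAvailable: 1`. Either render the PDB only when it can be satisfied, `{{- if and .Values.pdb.enabled (gt (int .Values.replicaCount) 1) }}`, or change the default to `maxUnavailable: 1` so one pod can always be evicted.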
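Review bot: `image.tag: latest` together with `pullPolicy: IfNotPresent` is the chart default, and the channel overlays (`channels/latest.yaml` and `channels/release.yaml` for both `accounts` and `console`) replace it only with another mutable tag; a node that already holds an image under that tag keeps running it after the registry tag moves, so rollouts are not reproducible across nodes and the running image cannot be identified from the manifests. Prefer an immutable tag or a digest in the channel files — the chart's `image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"` would need an optional `image.digest` value to render `repository@sha256:<digest>` (placeholder). If `latest` is kept for the pre channel, set `pullPolicy: Always` there so each rollout actually refreshes the image.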
diff --git a/infra/apps/core/accounts/base/helmrelease.yaml b/infra/apps/core/accounts/base/helmrelease.yaml
new file mode 100644
index 0000000..2c98b93
--- /dev/null
+++ b/infra/apps/core/accounts/base/helmrelease.yaml
@@ -0,0 +1,25 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: accounts
+spec:
+ interval: 5m0s
+ releaseName: accounts
+ chart:
+ spec:
+ chart: ./helm/app-service
+ sourceRef:
+ kind: GitRepository
+ name: platform-config
+ namespace: flux-system
+ interval: 1m0s
+ valuesFrom:
+ - kind: ConfigMap
+ name: accounts-base-values
+ valuesKey: values.yaml
+ - kind: ConfigMap
+ name: accounts-channel-values
+ valuesKey: values.yaml
+ - kind: ConfigMap
+ name: accounts-env-values
+ valuesKey: values.yaml
diff --git a/infra/apps/core/accounts/base/values.yaml b/infra/apps/core/accounts/base/values.yaml
new file mode 100644
index 0000000..e343bb3
--- /dev/null
+++ b/infra/apps/core/accounts/base/values.yaml
@@ -0,0 +1,22 @@
+nameOverride: accounts
+containerPort: 8080
+service:
+ port: 80
+existingSecretName: accounts-env
+env:
+ PORT: "8080"
+ SERVICE_NAME: accounts
+ HEALTHCHECK_PATH: /healthz
+readinessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 10
+livenessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 20
+
diff --git a/infra/apps/core/accounts/channels/latest.yaml b/infra/apps/core/accounts/channels/latest.yaml
new file mode 100644
index 0000000..78a89fa
--- /dev/null
+++ b/infra/apps/core/accounts/channels/latest.yaml
@@ -0,0 +1,3 @@
+image:
+ repository: ghcr.io/x-evor/accounts
+ tag: latest
diff --git a/infra/apps/core/accounts/channels/release.yaml b/infra/apps/core/accounts/channels/release.yaml
new file mode 100644
index 0000000..b2ef9ba
--- /dev/null
+++ b/infra/apps/core/accounts/channels/release.yaml
@@ -0,0 +1,3 @@
+image:
+ repository: ghcr.io/x-evor/accounts
+ tag: release
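Review bot: This HelmRelease (and the matching `console` one later in the commit) sets no `install.remediation` or `upgrade.remediation`, whereas the postgresql, vault, apisix and caddy releases all configure `retries: 3`; a failed upgrade of `accounts` therefore stays failed until someone intervenes, while the infrastructure releases self-heal. Adding `install: {remediation: {retries: 3}}` and `upgrade: {remediation: {retries: 3}}` keeps the app releases consistent with the rest. A comment above `valuesFrom:` noting that later entries override earlier ones (base, then channel, then env) would also make the layering intent explicit for the next person who reorders the list.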
diff --git a/infra/apps/core/accounts/pre/externalsecret.yaml b/infra/apps/core/accounts/pre/externalsecret.yaml
new file mode 100644
index 0000000..5b91669
--- /dev/null
+++ b/infra/apps/core/accounts/pre/externalsecret.yaml
@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: accounts-env
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-platform
+ target:
+ name: accounts-env
+ creationPolicy: Owner
+ dataFrom:
+ - extract:
+ key: core/pre/accounts
+
diff --git a/infra/apps/core/accounts/pre/ingress.yaml b/infra/apps/core/accounts/pre/ingress.yaml
new file mode 100644
index 0000000..8fa1144
--- /dev/null
+++ b/infra/apps/core/accounts/pre/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: accounts
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: accounts-pre.svc.plus
+spec:
+ ingressClassName: caddy
+ tls:
+ - hosts:
+ - accounts-pre.svc.plus
+ secretName: accounts-pre-tls
+ rules:
+ - host: accounts-pre.svc.plus
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: accounts
+ port:
+ number: 80
+
diff --git a/infra/apps/core/accounts/pre/kustomization.yaml b/infra/apps/core/accounts/pre/kustomization.yaml
new file mode 100644
index 0000000..3da9fe2
--- /dev/null
+++ b/infra/apps/core/accounts/pre/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: core-pre
+resources:
+ - ../base/helmrelease.yaml
+ - externalsecret.yaml
+ - ingress.yaml
+configMapGenerator:
+ - name: accounts-base-values
+ files:
+ - values.yaml=../base/values.yaml
+ - name: accounts-channel-values
+ files:
+ - values.yaml=../channels/latest.yaml
+ - name: accounts-env-values
+ files:
+ - values.yaml=values.yaml
+generatorOptions:
+ disableNameSuffixHash: true
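Review bot: `secretName: accounts-pre-tls` under `tls:` is referenced but nothing in this commit creates it: there is no issuer annotation on the Ingress and the caddy HelmRelease values set no ACME configuration, so unless the caddy ingress controller issues certificates for this class on its own, the controller falls back to whatever default certificate it has for this host. The same applies to the prod `accounts` ingress and to both `console` ingresses. Either add the issuer annotation the cluster uses, or document it above `tls:`, e.g. `# accounts-pre-tls is issued by <issuer> (placeholder); not managed in this repo`.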
diff --git a/infra/apps/core/accounts/pre/values.yaml b/infra/apps/core/accounts/pre/values.yaml
new file mode 100644
index 0000000..b221baa
--- /dev/null
+++ b/infra/apps/core/accounts/pre/values.yaml
@@ -0,0 +1,13 @@
+replicaCount: 1
+resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 384Mi
+pdb:
+ minAvailable: 1
+env:
+ APP_ENV: pre
+ DB_SCHEMA: core_pre
diff --git a/infra/apps/core/accounts/prod/externalsecret.yaml b/infra/apps/core/accounts/prod/externalsecret.yaml
new file mode 100644
index 0000000..e8541c1
--- /dev/null
+++ b/infra/apps/core/accounts/prod/externalsecret.yaml
@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: accounts-env
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-platform
+ target:
+ name: accounts-env
+ creationPolicy: Owner
+ dataFrom:
+ - extract:
+ key: core/prod/accounts
+
diff --git a/infra/apps/core/accounts/prod/ingress.yaml b/infra/apps/core/accounts/prod/ingress.yaml
new file mode 100644
index 0000000..1e1aba2
--- /dev/null
+++ b/infra/apps/core/accounts/prod/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: accounts
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: accounts.svc.plus
+spec:
+ ingressClassName: caddy
+ tls:
+ - hosts:
+ - accounts.svc.plus
+ secretName: accounts-prod-tls
+ rules:
+ - host: accounts.svc.plus
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: accounts
+ port:
+ number: 80
+
diff --git a/infra/apps/core/accounts/prod/kustomization.yaml b/infra/apps/core/accounts/prod/kustomization.yaml
new file mode 100644
index 0000000..e7186e0
--- /dev/null
+++ b/infra/apps/core/accounts/prod/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: core-prod
+resources:
+ - ../base/helmrelease.yaml
+ - externalsecret.yaml
+ - ingress.yaml
+configMapGenerator:
+ - name: accounts-base-values
+ files:
+ - values.yaml=../base/values.yaml
+ - name: accounts-channel-values
+ files:
+ - values.yaml=../channels/release.yaml
+ - name: accounts-env-values
+ files:
+ - values.yaml=values.yaml
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/infra/apps/core/accounts/prod/values.yaml b/infra/apps/core/accounts/prod/values.yaml
new file mode 100644
index 0000000..9c19d73
--- /dev/null
+++ b/infra/apps/core/accounts/prod/values.yaml
@@ -0,0 +1,13 @@
+replicaCount: 2
+resources:
+ requests:
+ cpu: 250m
+ memory: 256Mi
+ limits:
+ cpu: 1
+ memory: 768Mi
+pdb:
+ minAvailable: 1
+env:
+ APP_ENV: production
+ DB_SCHEMA: core_prod
diff --git a/infra/apps/core/console/base/helmrelease.yaml b/infra/apps/core/console/base/helmrelease.yaml
new file mode 100644
index 0000000..7d81ba2
--- /dev/null
+++ b/infra/apps/core/console/base/helmrelease.yaml
@@ -0,0 +1,25 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: console
+spec:
+ interval: 5m0s
+ releaseName: console
+ chart:
+ spec:
+ chart: ./helm/app-service
+ sourceRef:
+ kind: GitRepository
+ name: platform-config
+ namespace: flux-system
+ interval: 1m0s
+ valuesFrom:
+ - kind: ConfigMap
+ name: console-base-values
+ valuesKey: values.yaml
+ - kind: ConfigMap
+ name: console-channel-values
+ valuesKey: values.yaml
+ - kind: ConfigMap
+ name: console-env-values
+ valuesKey: values.yaml
diff --git a/infra/apps/core/console/base/values.yaml b/infra/apps/core/console/base/values.yaml
new file mode 100644
index 0000000..0118cfe
--- /dev/null
+++ b/infra/apps/core/console/base/values.yaml
@@ -0,0 +1,22 @@
+nameOverride: console
+containerPort: 3000
+service:
+ port: 80
+existingSecretName: console-env
+env:
+ PORT: "3000"
+ SERVICE_NAME: console
+ HEALTHCHECK_PATH: /healthz
+readinessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 10
+livenessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 20
+
diff --git a/infra/apps/core/console/channels/latest.yaml b/infra/apps/core/console/channels/latest.yaml
new file mode 100644
index 0000000..d0a0042
--- /dev/null
+++ b/infra/apps/core/console/channels/latest.yaml
@@ -0,0 +1,3 @@
+image:
+ repository: ghcr.io/x-evor/console
+ tag: latest
diff --git a/infra/apps/core/console/channels/release.yaml b/infra/apps/core/console/channels/release.yaml
new file mode 100644
index 0000000..de18475
--- /dev/null
+++ b/infra/apps/core/console/channels/release.yaml
@@ -0,0 +1,3 @@
+image:
+ repository: ghcr.io/x-evor/console
+ tag: release
diff --git a/infra/apps/core/console/pre/externalsecret.yaml b/infra/apps/core/console/pre/externalsecret.yaml
new file mode 100644
index 0000000..e29e6fa
--- /dev/null
+++ b/infra/apps/core/console/pre/externalsecret.yaml
@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: console-env
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-platform
+ target:
+ name: console-env
+ creationPolicy: Owner
+ dataFrom:
+ - extract:
+ key: core/pre/console
+
diff --git a/infra/apps/core/console/pre/ingress.yaml b/infra/apps/core/console/pre/ingress.yaml
new file mode 100644
index 0000000..aa66b2a
--- /dev/null
+++ b/infra/apps/core/console/pre/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: console
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: console-pre.svc.plus
+spec:
+ ingressClassName: caddy
+ tls:
+ - hosts:
+ - console-pre.svc.plus
+ secretName: console-pre-tls
+ rules:
+ - host: console-pre.svc.plus
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: console
+ port:
+ number: 80
+
diff --git a/infra/apps/core/console/pre/kustomization.yaml b/infra/apps/core/console/pre/kustomization.yaml
new file mode 100644
index 0000000..9cbb5b2
--- /dev/null
+++ b/infra/apps/core/console/pre/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: core-pre
+resources:
+ - ../base/helmrelease.yaml
+ - externalsecret.yaml
+ - ingress.yaml
+configMapGenerator:
+ - name: console-base-values
+ files:
+ - values.yaml=../base/values.yaml
+ - name: console-channel-values
+ files:
+ - values.yaml=../channels/latest.yaml
+ - name: console-env-values
+ files:
+ - values.yaml=values.yaml
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/infra/apps/core/console/pre/values.yaml b/infra/apps/core/console/pre/values.yaml
new file mode 100644
index 0000000..dbaaf1a
--- /dev/null
+++ b/infra/apps/core/console/pre/values.yaml
@@ -0,0 +1,13 @@
+replicaCount: 1
+resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 384Mi
+pdb:
+ minAvailable: 1
+env:
+ APP_ENV: pre
+ ACCOUNTS_BASE_URL: https://accounts-pre.svc.plus
diff --git a/infra/apps/core/console/prod/externalsecret.yaml b/infra/apps/core/console/prod/externalsecret.yaml
new file mode 100644
index 0000000..67d2824
--- /dev/null
+++ b/infra/apps/core/console/prod/externalsecret.yaml
@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: console-env
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-platform
+ target:
+ name: console-env
+ creationPolicy: Owner
+ dataFrom:
+ - extract:
+ key: core/prod/console
+
diff --git a/infra/apps/core/console/prod/ingress.yaml b/infra/apps/core/console/prod/ingress.yaml
new file mode 100644
index 0000000..f667634
--- /dev/null
+++ b/infra/apps/core/console/prod/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: console
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: console.svc.plus
+spec:
+ ingressClassName: caddy
+ tls:
+ - hosts:
+ - console.svc.plus
+ secretName: console-prod-tls
+ rules:
+ - host: console.svc.plus
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: console
+ port:
+ number: 80
+
diff --git a/infra/apps/core/console/prod/kustomization.yaml b/infra/apps/core/console/prod/kustomization.yaml
new file mode 100644
index 0000000..c211e78
--- /dev/null
+++ b/infra/apps/core/console/prod/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: core-prod
+resources:
+ - ../base/helmrelease.yaml
+ - externalsecret.yaml
+ - ingress.yaml
+configMapGenerator:
+ - name: console-base-values
+ files:
+ - values.yaml=../base/values.yaml
+ - name: console-channel-values
+ files:
+ - values.yaml=../channels/release.yaml
+ - name: console-env-values
+ files:
+ - values.yaml=values.yaml
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/infra/apps/core/console/prod/values.yaml b/infra/apps/core/console/prod/values.yaml
new file mode 100644
index 0000000..7e3465c
--- /dev/null
+++ b/infra/apps/core/console/prod/values.yaml
@@ -0,0 +1,13 @@
+replicaCount: 2
+resources:
+ requests:
+ cpu: 250m
+ memory: 256Mi
+ limits:
+ cpu: 1
+ memory: 768Mi
+pdb:
+ minAvailable: 1
+env:
+ APP_ENV: production
+ ACCOUNTS_BASE_URL: https://accounts.svc.plus
diff --git a/infra/clusters/pre/accounts-pre-kustomization.yaml b/infra/clusters/pre/accounts-pre-kustomization.yaml
new file mode 100644
index 0000000..7eedad4
--- /dev/null
+++ b/infra/clusters/pre/accounts-pre-kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: accounts-pre
+ namespace: flux-system
+spec:
+ interval: 5m0s
+ prune: true
+ wait: true
+ sourceRef:
+ kind: GitRepository
+ name: platform-config
+ path: ./infra/apps/core/accounts/pre
+
diff --git a/infra/clusters/pre/console-pre-kustomization.yaml b/infra/clusters/pre/console-pre-kustomization.yaml
new file mode 100644
index 0000000..9d88d4e
--- /dev/null
+++ b/infra/clusters/pre/console-pre-kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: console-pre
+ namespace: flux-system
+spec:
+ interval: 5m0s
+ prune: true
+ wait: true
+ sourceRef:
+ kind: GitRepository
+ name: platform-config
+ path: ./infra/apps/core/console/pre
+
diff --git a/infra/clusters/pre/kustomization.yaml b/infra/clusters/pre/kustomization.yaml
new file mode 100644
index 0000000..2563a8d
--- /dev/null
+++ b/infra/clusters/pre/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - console-pre-kustomization.yaml
+ - accounts-pre-kustomization.yaml
+
diff --git a/infra/clusters/prod/accounts-prod-kustomization.yaml b/infra/clusters/prod/accounts-prod-kustomization.yaml
new file mode 100644
index 0000000..2b36db2
--- /dev/null
+++ b/infra/clusters/prod/accounts-prod-kustomization.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: accounts-prod
+ namespace: flux-system
+spec:
+ interval: 5m0s
+ prune: true
+ wait: true
+ sourceRef:
+ kind: GitRepository
+ name: platform-config
+ path: ./infra/apps/core/accounts/prod
+ dependsOn:
+ - name: platform-stack
+ - name: infrastructure-stack
+
diff --git a/infra/clusters/prod/console-prod-kustomization.yaml b/infra/clusters/prod/console-prod-kustomization.yaml
new file mode 100644
index 0000000..7bbe74c
--- /dev/null
+++ b/infra/clusters/prod/console-prod-kustomization.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: console-prod
+ namespace: flux-system
+spec:
+ interval: 5m0s
+ prune: true
+ wait: true
+ sourceRef:
+ kind: GitRepository
+ name: platform-config
+ path: ./infra/apps/core/console/prod
+ dependsOn:
+ - name: platform-stack
+ - name: infrastructure-stack
+
diff --git a/infra/clusters/prod/infrastructure-kustomization.yaml b/infra/clusters/prod/infrastructure-kustomization.yaml
new file mode 100644
index 0000000..c8bb97e
--- /dev/null
+++ b/infra/clusters/prod/infrastructure-kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: infrastructure-stack
+ namespace: flux-system
+spec:
+ interval: 5m0s
+ prune: true
+ wait: true
+ timeout: 10m0s
+ sourceRef:
+ kind: GitRepository
+ name: platform-config
+ path: ./infra/infrastructure
+
diff --git a/infra/clusters/prod/kustomization.yaml b/infra/clusters/prod/kustomization.yaml
new file mode 100644
index 0000000..381a44c
--- /dev/null
+++ b/infra/clusters/prod/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespaces.yaml
+ - platform-kustomization.yaml
+ - infrastructure-kustomization.yaml
+ - console-prod-kustomization.yaml
+ - accounts-prod-kustomization.yaml
+ - pre-kustomization.yaml
+
diff --git a/infra/clusters/prod/namespaces.yaml b/infra/clusters/prod/namespaces.yaml
new file mode 100644
index 0000000..0314602
--- /dev/null
+++ b/infra/clusters/prod/namespaces.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: platform
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: database
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: extsvc
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: observability
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: core-prod
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: core-pre
+
diff --git a/infra/clusters/prod/platform-kustomization.yaml b/infra/clusters/prod/platform-kustomization.yaml
new file mode 100644
index 0000000..a3f2aa9
--- /dev/null
+++ b/infra/clusters/prod/platform-kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: platform-stack
+ namespace: flux-system
+spec:
+ interval: 5m0s
+ prune: true
+ wait: true
+ timeout: 5m0s
+ sourceRef:
+ kind: GitRepository
+ name: platform-config
+ path: ./infra/platform
+
diff --git a/infra/clusters/prod/pre-kustomization.yaml b/infra/clusters/prod/pre-kustomization.yaml
new file mode 100644
index 0000000..3c3c6da
--- /dev/null
+++ b/infra/clusters/prod/pre-kustomization.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: pre-stack
+ namespace: flux-system
+spec:
+ interval: 5m0s
+ prune: true
+ wait: true
+ sourceRef:
+ kind: GitRepository
+ name: platform-config
+ path: ./infra/clusters/pre
+ dependsOn:
+ - name: platform-stack
+ - name: infrastructure-stack
+
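Review bot: The six Namespaces in `namespaces.yaml` carry no Pod Security Admission labels, so nothing at namespace level stops a workload in `core-prod`, `core-pre` or `database` from running privileged or as root; since the shared app chart sets no securityContext either, the namespaces are the cheapest place to enforce a floor. Add under each `metadata:` a `labels:` block with `pod-security.kubernetes.io/enforce: baseline` (or `restricted` for `core-prod` and `core-pre`, which only run the app chart), plus `pod-security.kubernetes.io/warn: restricted` so violations surface before the level is tightened. `observability` is created here but no Kustomization in this commit deploys into it; a comment saying what is expected to land there would avoid it looking like a leftover.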
diff --git a/infra/infrastructure/kustomization.yaml b/infra/infrastructure/kustomization.yaml
new file mode 100644
index 0000000..dff4035
--- /dev/null
+++ b/infra/infrastructure/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - repositories.yaml
+ - vault
+ - postgresql
+
diff --git a/infra/infrastructure/postgresql/externalsecret.yaml b/infra/infrastructure/postgresql/externalsecret.yaml
new file mode 100644
index 0000000..3b79ab5
--- /dev/null
+++ b/infra/infrastructure/postgresql/externalsecret.yaml
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: postgresql-auth
+ namespace: database
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-platform
+ target:
+ name: postgresql-auth
+ creationPolicy: Owner
+ data:
+ - secretKey: postgres-password
+ remoteRef:
+ key: database/postgresql
+ property: postgres-password
+ - secretKey: password
+ remoteRef:
+ key: database/postgresql
+ property: app-password
diff --git a/infra/infrastructure/postgresql/helmrelease.yaml b/infra/infrastructure/postgresql/helmrelease.yaml
new file mode 100644
index 0000000..37da345
--- /dev/null
+++ b/infra/infrastructure/postgresql/helmrelease.yaml
@@ -0,0 +1,39 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: postgresql
+ namespace: database
+spec:
+ interval: 10m0s
+ chart:
+ spec:
+ chart: postgresql
+ version: ">=15.0.0 <16.0.0"
+ sourceRef:
+ kind: HelmRepository
+ name: bitnami
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ remediation:
+ retries: 3
+ values:
+ architecture: standalone
+ auth:
+ existingSecret: postgresql-auth
+ primary:
+ persistence:
+ enabled: true
+ size: 20Gi
+ extraVolumes:
+ - name: initdb
+ configMap:
+ name: postgresql-initdb
+ extraVolumeMounts:
+ - name: initdb
+ mountPath: /docker-entrypoint-initdb.d
+ metrics:
+ enabled: false
+
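Review bot: `auth.existingSecret: postgresql-auth` is paired with an ExternalSecret that writes both `postgres-password` and `password`, but the values set neither `auth.username` nor `auth.database`, so the `password` key (the Vault `app-password`) is presumably never consumed by the chart and the app roles created in `initdb-configmap.yaml` receive no credential from this path — confirm against the chart version that `>=15.0.0 <16.0.0` resolves to. Either set `auth.username` and `auth.database` so the chart creates the application user with that password, or drop the unused key from the ExternalSecret and add a comment above `auth:` saying where the application credentials are provisioned.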
diff --git a/infra/infrastructure/postgresql/initdb-configmap.yaml b/infra/infrastructure/postgresql/initdb-configmap.yaml
new file mode 100644
index 0000000..c192b8f
--- /dev/null
+++ b/infra/infrastructure/postgresql/initdb-configmap.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: postgresql-initdb
+ namespace: database
+data:
+ 01-core-schemas.sql: |
+ DO $$
+ BEGIN
+ IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'core_prod_user') THEN
+ CREATE ROLE core_prod_user LOGIN;
+ END IF;
+ IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'core_pre_user') THEN
+ CREATE ROLE core_pre_user LOGIN;
+ END IF;
+ END
+ $$;
+
+ CREATE SCHEMA IF NOT EXISTS core_prod AUTHORIZATION postgres;
+ CREATE SCHEMA IF NOT EXISTS core_pre AUTHORIZATION postgres;
+
+ GRANT USAGE ON SCHEMA core_prod TO core_prod_user;
+ GRANT USAGE ON SCHEMA core_pre TO core_pre_user;
+
+ ALTER DEFAULT PRIVILEGES IN SCHEMA core_prod
+ GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO core_prod_user;
+ ALTER DEFAULT PRIVILEGES IN SCHEMA core_pre
+ GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO core_pre_user;
diff --git a/infra/infrastructure/postgresql/kustomization.yaml b/infra/infrastructure/postgresql/kustomization.yaml
new file mode 100644
index 0000000..f5623a3
--- /dev/null
+++ b/infra/infrastructure/postgresql/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: database
+resources:
+ - initdb-configmap.yaml
+ - externalsecret.yaml
+ - helmrelease.yaml
+
diff --git a/infra/infrastructure/repositories.yaml b/infra/infrastructure/repositories.yaml
new file mode 100644
index 0000000..f832736
--- /dev/null
+++ b/infra/infrastructure/repositories.yaml
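Review bot: `CREATE ROLE core_prod_user LOGIN` and `CREATE ROLE core_pre_user LOGIN` create the application roles without a password, and nothing else in the commit sets one, so under password authentication these roles cannot log in; the application secrets come from Vault (`core/prod/accounts` and siblings), so the password for these roles presumably has to be set by a step that is not shown — that step should be named in a comment here. The roles also get only `USAGE` on their schema plus default privileges on tables that `postgres` creates, not `CREATE`, so migrations run as `core_prod_user` fail with permission denied; if the services own their migrations, `GRANT CREATE ON SCHEMA core_prod TO core_prod_user;` (and the `core_pre` equivalent) belongs here. Finally, a comment at the top of `01-core-schemas.sql` should say that files in `/docker-entrypoint-initdb.d` run only when the data directory is first initialised, so later edits to this ConfigMap do not reach an existing volume.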
@@ -0,0 +1,18 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: hashicorp
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ url: https://helm.releases.hashicorp.com
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: bitnami
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ url: https://charts.bitnami.com/bitnami
+
diff --git a/infra/infrastructure/vault/bootstrap-job.yaml b/infra/infrastructure/vault/bootstrap-job.yaml
new file mode 100644
index 0000000..0b145d9
--- /dev/null
+++ b/infra/infrastructure/vault/bootstrap-job.yaml
@@ -0,0 +1,73 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: vault-bootstrap
+ namespace: extsvc
+spec:
+ template:
+ spec:
+ serviceAccountName: vault-bootstrap
+ restartPolicy: OnFailure
+ containers:
+ - name: bootstrap
+ image: hashicorp/vault:1.16.3
+ env:
+ - name: VAULT_ADDR
+ value: http://vault.extsvc.svc.cluster.local:8200
+ - name: VAULT_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: vault-bootstrap
+ key: rootToken
+ - name: CLOUDFLARE_API_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: vault-bootstrap
+ key: cloudflareApiToken
+ command:
+ - /bin/sh
+ - -ec
+ - |
+ until vault status >/dev/null 2>&1; do
+ sleep 5
+ done
+ vault secrets enable -path=secret kv-v2 || true
+ cat <<'EOF' >/tmp/eso-policy.hcl
+ path "secret/data/*" {
+ capabilities = ["read"]
+ }
+ path "secret/metadata/*" {
+ capabilities = ["read", "list"]
+ }
+ EOF
+ vault policy write eso-read /tmp/eso-policy.hcl
+ vault auth enable kubernetes || true
+ vault write auth/kubernetes/config \
+ kubernetes_host="https://kubernetes.default.svc:443" \
+ kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+ token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+ vault write auth/kubernetes/role/external-secrets \
+ bound_service_account_names="external-secrets" \
+ bound_service_account_namespaces="platform" \
+ policies="eso-read" \
+ ttl="1h"
+ vault kv put secret/platform/cloudflare api-token="${CLOUDFLARE_API_TOKEN}"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vault-bootstrap
+ namespace: extsvc
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vault-bootstrap-auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - kind: ServiceAccount
+ name: vault-bootstrap
+ namespace: extsvc
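Review bot: `token_reviewer_jwt` is set from the Job pod's own projected service-account token; on current Kubernetes that token is bound to the pod and is invalidated when the pod is deleted, so once the completed Job is cleaned up Vault's TokenReview calls fail and the `external-secrets` role stops authenticating. Drop the `token_reviewer_jwt=` line so Vault uses its own service-account token for reviews (the `system:auth-delegator` binding then belongs on the vault server's SA rather than on `vault-bootstrap`), or mint a long-lived secret-backed token for a dedicated reviewer SA and pass that. Separately, `until vault status` only waits for an unsealed server — nothing here initialises or unseals it, and the root token read from the `vault-bootstrap` Secret must already exist — so the manual steps this Job depends on should be stated in a comment above `command:`, and the root token should be revoked or replaced by a scoped bootstrap token once the Job has run. The `eso-read` policy grants read on every path under `secret/`, which is wider than the `platform/cloudflare`, `database/postgresql` and `core/*` keys the ExternalSecrets in this commit actually use; scoping it to those prefixes limits what a compromised external-secrets token can read.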
diff --git a/infra/infrastructure/vault/helmrelease.yaml b/infra/infrastructure/vault/helmrelease.yaml
new file mode 100644
index 0000000..076cefc
--- /dev/null
+++ b/infra/infrastructure/vault/helmrelease.yaml
@@ -0,0 +1,39 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: vault
+ namespace: extsvc
+spec:
+ interval: 10m0s
+ chart:
+ spec:
+ chart: vault
+ version: ">=0.28.0 <1.0.0"
+ sourceRef:
+ kind: HelmRepository
+ name: hashicorp
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ remediation:
+ retries: 3
+ values:
+ injector:
+ enabled: false
+ server:
+ standalone:
+ enabled: false
+ dataStorage:
+ enabled: true
+ size: 8Gi
+ ha:
+ enabled: true
+ replicas: 1
+ raft:
+ enabled: true
+ setNodeId: true
+ service:
+ enabled: true
+
diff --git a/infra/infrastructure/vault/kustomization.yaml b/infra/infrastructure/vault/kustomization.yaml
new file mode 100644
index 0000000..d02cbdb
--- /dev/null
+++ b/infra/infrastructure/vault/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: extsvc
+resources:
+ - helmrelease.yaml
+ - bootstrap-job.yaml
+
diff --git a/infra/platform/apisix/helmrelease.yaml b/infra/platform/apisix/helmrelease.yaml
new file mode 100644
index 0000000..353ff82
--- /dev/null
+++ b/infra/platform/apisix/helmrelease.yaml
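Review bot: The server runs raft storage with no seal configuration, so after every pod restart Vault comes back sealed and stays sealed until someone unseals it by hand; with `replicas: 1` that makes each restart an outage for every ExternalSecret that depends on `vault-platform`, and the bootstrap Job's `until vault status` loop simply waits through it. If an auto-unseal backend is available, configure it in the server config under `server.ha.raft.config`; otherwise document the manual unseal procedure in a comment next to `ha:`. `ha.enabled: true` with one replica also gives no availability over standalone mode — acceptable if the intent is only to use raft storage, but worth a one-line comment so the next reader does not read it as an HA deployment.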
@@ -0,0 +1,40 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: apisix
+  namespace: platform
+spec:
+  interval: 10m0s
+  chart:
+    spec:
+      chart: apisix
+      version: ">=2.7.0 <3.0.0"
+      sourceRef:
+        kind: HelmRepository
+        name: apisix
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    etcd:
+      enabled: false
+    ingress-controller:
+      enabled: false
+    dashboard:
+      enabled: false
+    gateway:
+      type: ClusterIP
+    apisix:
+      deployment:
+        role: traditional
+        roleTraditional:
+          configProvider: yaml
+      standalone:
+        enabled: true
+      admin:
+        enabled: false
+
diff --git a/infra/platform/apisix/ingress.yaml b/infra/platform/apisix/ingress.yaml
new file mode 100644
index 0000000..a406fce
--- /dev/null
+++ b/infra/platform/apisix/ingress.yaml
@@ -0,0 +1,36 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: apisix-gateway
+  namespace: platform
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: api.svc.plus,api-pre.svc.plus
+spec:
+  ingressClassName: caddy
+  tls:
+    - hosts:
+        - api.svc.plus
+        - api-pre.svc.plus
+      secretName: apisix-gateway-tls
+  rules:
+    - host: api.svc.plus
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: apisix-gateway
+                port:
+                  number: 80
+    - host: api-pre.svc.plus
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: apisix-gateway
+                port:
+                  number: 80
+
diff --git a/infra/platform/apisix/kustomization.yaml b/infra/platform/apisix/kustomization.yaml
new file mode 100644
index 0000000..05cceb1
--- /dev/null
+++ b/infra/platform/apisix/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: platform
+resources:
+  - helmrelease.yaml
+  - ingress.yaml
+
diff --git a/infra/platform/caddy/helmrelease.yaml b/infra/platform/caddy/helmrelease.yaml
new file mode 100644
index 0000000..9036036
--- /dev/null
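Review bot: With `etcd.enabled: false`, `standalone.enabled: true` and `configProvider: yaml`, APISIX takes its routes from a local yaml config, but this commit adds no ConfigMap or values entry supplying that config, so what the gateway actually exposes behind `api.svc.plus` cannot be reviewed here; add a comment pointing at the source, e.g. `# routes: standalone apisix.yaml is supplied by <path>; admin API disabled on purpose`. Disabling `admin` is the right choice in standalone mode and worth keeping even if a config provider is added later. Because the collapsed hunk does not make the nesting of `standalone` and `admin` under `apisix` unambiguous, verify the key placement against the chart's values — Helm silently ignores a key at the wrong level, which here would mean the admin API comes back enabled.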
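Review bot: The Ingress references `secretName: apisix-gateway-tls` but nothing in this commit creates that Secret and there is no issuer annotation, so unless the Caddy ingress controller is expected to obtain the certificate itself via ACME (not visible here — confirm) the two hosts will serve whatever fallback certificate the controller has; record the intended source, e.g. `# TLS: certificate is obtained by the caddy controller (ACME); secretName is only where it is stored`. Both `api.svc.plus` and `api-pre.svc.plus` route to the same `apisix-gateway:80` backend, so the pre-production host gets no separation from production at this layer — if isolation is intended it needs a distinct backend or route set. The `external-dns.alpha.kubernetes.io/hostname` annotation repeats the hosts that external-dns already reads from `spec.rules` through its `ingress` source; dropping it avoids the two lists drifting apart.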
+++ b/infra/platform/caddy/helmrelease.yaml
@@ -0,0 +1,32 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: caddy
+  namespace: platform
+spec:
+  interval: 10m0s
+  chart:
+    spec:
+      chart: caddy-ingress-controller
+      version: ">=1.0.0 <2.0.0"
+      sourceRef:
+        kind: HelmRepository
+        name: caddy-ingress
+        namespace: flux-system
+  install:
+    createNamespace: false
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    ingressController:
+      enabled: true
+    ingressClass:
+      create: true
+      name: caddy
+      default: false
+    service:
+      type: LoadBalancer
+
diff --git a/infra/platform/caddy/kustomization.yaml b/infra/platform/caddy/kustomization.yaml
new file mode 100644
index 0000000..2a50258
--- /dev/null
+++ b/infra/platform/caddy/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: platform
+resources:
+  - helmrelease.yaml
+
diff --git a/infra/platform/external-dns/externalsecret.yaml b/infra/platform/external-dns/externalsecret.yaml
new file mode 100644
index 0000000..91da99b
--- /dev/null
+++ b/infra/platform/external-dns/externalsecret.yaml
@@ -0,0 +1,19 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: cloudflare-api-token
+  namespace: platform
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-platform
+  target:
+    name: cloudflare-api-token
+    creationPolicy: Owner
+  data:
+    - secretKey: api-token
+      remoteRef:
+        key: platform/cloudflare
+        property: api-token
+
diff --git a/infra/platform/external-dns/helmrelease.yaml b/infra/platform/external-dns/helmrelease.yaml
new file mode 100644
index 0000000..c4db44f
--- /dev/null
+++ b/infra/platform/external-dns/helmrelease.yaml
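Review bot: `service.type: LoadBalancer` puts the Caddy controller on a public address while `values` sets no ACME configuration (no contact email, CA or on-demand TLS policy), so which CA issues certificates for the Ingress hosts, and whether a certificate can be requested for any hostname someone points at the load balancer, is left to chart defaults that are not visible here; set the controller's ACME settings explicitly (the chart's `ingressController.config` block — verify the key names against the chart version resolved by `>=1.0.0 <2.0.0`) or add `# ACME: relies on chart defaults — confirm CA, email and on-demand TLS policy` so the choice is deliberate. Since `default: false` is set, every Ingress must carry `ingressClassName: caddy` to be served at all; a one-line comment here saves the next Ingress author a silent no-op.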
@@ -0,0 +1,37 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: external-dns
+  namespace: platform
+spec:
+  interval: 10m0s
+  chart:
+    spec:
+      chart: external-dns
+      version: ">=1.14.0 <2.0.0"
+      sourceRef:
+        kind: HelmRepository
+        name: external-dns
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    provider: cloudflare
+    policy: sync
+    registry: txt
+    txtOwnerId: svc-plus-k3s
+    sources:
+      - ingress
+    domainFilters:
+      - svc.plus
+    env:
+      - name: CF_API_TOKEN
+        valueFrom:
+          secretKeyRef:
+            name: cloudflare-api-token
+            key: api-token
+
diff --git a/infra/platform/external-dns/kustomization.yaml b/infra/platform/external-dns/kustomization.yaml
new file mode 100644
index 0000000..93594b4
--- /dev/null
+++ b/infra/platform/external-dns/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: platform
+resources:
+  - externalsecret.yaml
+  - helmrelease.yaml
+
diff --git a/infra/platform/external-secrets/clustersecretstore.yaml b/infra/platform/external-secrets/clustersecretstore.yaml
new file mode 100644
index 0000000..1933b51
--- /dev/null
+++ b/infra/platform/external-secrets/clustersecretstore.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault-platform
+spec:
+  provider:
+    vault:
+      server: http://vault.extsvc.svc.cluster.local:8200
+      path: secret
+      version: v2
+      auth:
+        kubernetes:
+          mountPath: kubernetes
+          role: external-secrets
+          serviceAccountRef:
+            name: external-secrets
+            namespace: platform
+
diff --git a/infra/platform/external-secrets/helmrelease.yaml b/infra/platform/external-secrets/helmrelease.yaml
new file mode 100644
index 0000000..2483b18
--- /dev/null
+++ b/infra/platform/external-secrets/helmrelease.yaml
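Review bot: `policy: sync` lets external-dns delete any `svc.plus` record whose ownership TXT matches `svc-plus-k3s`, so a transient state in which the apisix Ingress is absent (a failed kustomization reconcile is enough) removes `api.svc.plus` and `api-pre.svc.plus` from public DNS, and the token must accordingly carry zone-wide DNS edit rights; unless deletion is explicitly wanted, start with `policy: upsert-only` and move to `sync` only once ownership of the zone's records is settled, since records in the same zone may be managed by other tooling. The `CF_API_TOKEN` wiring through `cloudflare-api-token` is the right shape, but a rotated value only takes effect on pod restart and nothing here annotates the deployment for Reloader; document the required scope next to `env`, e.g. `# CF_API_TOKEN: Cloudflare token scoped to Zone:DNS:Edit on svc.plus only; rotation needs a pod restart`.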
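Review bot: The ClusterSecretStore carries no `conditions`, so an ExternalSecret in any namespace can reference `vault-platform` and, because authentication always uses the `platform/external-secrets` service account regardless of where the request comes from, read whatever the `eso-read` Vault policy allows; restrict it with `conditions:` / `- namespaces:` / `- platform` (ESO's ClusterSecretStore supports namespace lists and selectors), or use a namespaced SecretStore inside `platform` instead. `server: http://vault.extsvc.svc.cluster.local:8200` also moves the Kubernetes JWT and every fetched secret across the cluster network in clear text; if the Vault listener gains TLS, add `caBundle` or `caProvider` here rather than leaving the plaintext URL.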
@@ -0,0 +1,24 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: external-secrets
+  namespace: platform
+spec:
+  interval: 10m0s
+  chart:
+    spec:
+      chart: external-secrets
+      version: ">=0.10.0 <1.0.0"
+      sourceRef:
+        kind: HelmRepository
+        name: external-secrets
+        namespace: flux-system
+  install:
+    crds: CreateReplace
+    remediation:
+      retries: 3
+  upgrade:
+    crds: CreateReplace
+    remediation:
+      retries: 3
+
diff --git a/infra/platform/external-secrets/kustomization.yaml b/infra/platform/external-secrets/kustomization.yaml
new file mode 100644
index 0000000..7f00af5
--- /dev/null
+++ b/infra/platform/external-secrets/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helmrelease.yaml
+  - clustersecretstore.yaml
diff --git a/infra/platform/kustomization.yaml b/infra/platform/kustomization.yaml
new file mode 100644
index 0000000..58ba013
--- /dev/null
+++ b/infra/platform/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - repositories.yaml
+  - caddy
+  - apisix
+  - external-secrets
+  - external-dns
+  - reloader
+
diff --git a/infra/platform/reloader/helmrelease.yaml b/infra/platform/reloader/helmrelease.yaml
new file mode 100644
index 0000000..a82668e
--- /dev/null
+++ b/infra/platform/reloader/helmrelease.yaml
@@ -0,0 +1,22 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: reloader
+  namespace: platform
+spec:
+  interval: 10m0s
+  chart:
+    spec:
+      chart: reloader
+      version: ">=1.0.0 <2.0.0"
+      sourceRef:
+        kind: HelmRepository
+        name: stakater
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+
diff --git a/infra/platform/reloader/kustomization.yaml b/infra/platform/reloader/kustomization.yaml
new file mode 100644
index 0000000..2a50258
--- /dev/null
+++ b/infra/platform/reloader/kustomization.yaml
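Review bot: This kustomization applies `clustersecretstore.yaml` in the same set as the HelmRelease that installs the external-secrets CRDs (`crds: CreateReplace` in the sibling helmrelease), so on a fresh cluster the first reconcile tries to create a `ClusterSecretStore` before its CRD exists and fails until Flux retries; it converges, but the ordering is accidental. Either split the store into its own Flux Kustomization with `dependsOn` pointing at the one that owns the HelmRelease, or add `# note: ClusterSecretStore depends on CRDs from the HelmRelease; first apply is expected to retry` so nobody reads the initial failure as a misconfiguration.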
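Review bot: The reloader release takes every chart default, and the stakater chart by default watches all namespaces (`reloader.watchGlobally: true`) with a ClusterRole that can list/watch every Secret and ConfigMap in the cluster and patch workloads anywhere, which is far more than a component meant to restart `platform` workloads on secret rotation needs; set `reloader.watchGlobally: false` so it is confined to its own namespace (verify the key against the chart version resolved by `>=1.0.0 <2.0.0`), or document why cluster-wide scope is intended. Also, nothing in this commit annotates a workload with `reloader.stakater.com/auto: "true"`, so the ESO-refreshed `cloudflare-api-token` will not restart external-dns until that annotation is added to its deployment.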
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: platform
+resources:
+  - helmrelease.yaml
+
diff --git a/infra/platform/repositories.yaml b/infra/platform/repositories.yaml
new file mode 100644
index 0000000..a661952
--- /dev/null
+++ b/infra/platform/repositories.yaml
@@ -0,0 +1,45 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: caddy-ingress
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  url: https://caddyserver.github.io/ingress/
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: apisix
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  url: https://charts.apiseven.com
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: external-dns
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  url: https://kubernetes-sigs.github.io/external-dns/
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: external-secrets
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  url: https://charts.external-secrets.io
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: stakater
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  url: https://stakater.github.io/stakater-charts
+
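Review bot: All five HelmRepository sources are plain HTTPS index repositories, which Flux can only trust as far as the TLS connection — `spec.verify` (cosign/notation) is available for OCI repositories, not for these — so chart integrity rests entirely on the version constraints in the consuming HelmReleases, and every one of those in this commit is an open range (`>=1.0.0 <2.0.0`, `>=0.28.0 <1.0.0`, `>=2.7.0 <3.0.0`, …) that adopts whatever upstream publishes next. Pin each HelmRelease to an exact chart version and bump through review, or move to the upstream OCI charts where they exist and enable `verify`; at minimum record the decision, e.g. `# charts resolved by floating range; no signature verification on HTTP HelmRepository sources`. The `hashicorp` HelmRepository in `flux-system` that the vault HelmRelease references is not defined in this file, so either it lives in another layer (confirm) or the vault release will never resolve its chart.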