remove playbook iac_modules

This commit is contained in:
Haitao Pan 2023-12-20 18:55:44 +08:00
parent 393ff44697
commit acf4e78c5b
233 changed files with 667 additions and 6296 deletions


@ -0,0 +1,199 @@
name: Destroy Resources by IAC tools
env:
STATE: "destroy" # 可以根据需要更改初始状态, 可选createupdate, destroy
CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure
on:
pull_request:
push:
paths:
- '.github/workflows/iac-pipeline-destroy.yml'
workflow_dispatch:
branches:
- main
jobs:
gcs:
runs-on: ubuntu-latest
needs:
- vhost
- network
- key_pair
- firewall
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
submodules: 'recursive'
- name: Pre Setup
run: |
sudo apt-get update
sudo apt-get install -y python3-pip jq
python -m pip install --upgrade pip jinja2
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: 1.6.4
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCP_CREDENTIALS_JSON }}
- name: Set up Google Cloud SDK
uses: 'google-github-actions/setup-gcloud@v1'
with:
version: '>= 363.0.0'
- name: Delete Google Cloud Storage Bucket
run: |
gsutil -m rm -r gs://iac_gcp_terraform_state || true
gcloud storage buckets delete gs://iac_gcp_terraform_state --quiet || true
network:
runs-on: ubuntu-latest
needs:
- vhost
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
submodules: 'recursive'
- name: Pre Setup
run: |
sudo apt-get update
sudo apt-get install -y python3-pip jq
python -m pip install --upgrade pip jinja2
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: 1.6.4
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCP_CREDENTIALS_JSON }}
- name: Terraform Init And Apply
run: |
bash run_terraform.sh
working-directory: iac_modules/terraform/${{ env.CLOUD }}/network/
vhost:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
submodules: 'recursive'
- name: Pre Setup
run: |
sudo apt-get update
sudo apt-get install -y python3-pip jq
python -m pip install --upgrade pip jinja2
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: 1.6.4
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCP_CREDENTIALS_JSON }}
- name: Fetch SSH Keys
run: echo "${{ secrets.SSH_PUBLIC_KEY }}" > ssh_keys.pub
working-directory: iac_modules/terraform/${{ env.CLOUD }}/vhost/
- name: Terraform Init And Apply
run: |
python3 scripts/init.py && bash scripts/run_terraform.sh
working-directory: iac_modules/terraform/${{ env.CLOUD }}/vhost/
key_pair:
runs-on: ubuntu-latest
needs:
- vhost
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
submodules: 'recursive'
- name: Pre Setup
run: |
sudo apt-get update
sudo apt-get install -y python3-pip jq
python -m pip install --upgrade pip jinja2
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: 1.6.4
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCP_CREDENTIALS_JSON }}
- name: Set up Google Cloud SDK
uses: 'google-github-actions/setup-gcloud@v1'
with:
version: '>= 363.0.0'
- name: Check if SSH Metadata exists
id: check_ssh_metadata
run: bash scripts/check_ssh_metadata.sh
working-directory: iac_modules/terraform/${{ env.CLOUD }}/key_pair/
- name: Fetch SSH Keys
if: steps.check_ssh_metadata.outputs.ssh_metadata_exists == 'false'
run: echo "${{ secrets.SSH_PUBLIC_KEY }}" > ssh_keys.pub
working-directory: iac_modules/terraform/${{ env.CLOUD }}/key_pair/
- name: Terraform Init And Apply
if: steps.check_ssh_metadata.outputs.ssh_metadata_exists == 'false'
run: |
python3 scripts/init.py && bash scripts/run_terraform.sh
working-directory: iac_modules/terraform/${{ env.CLOUD }}/key_pair/
firewall:
runs-on: ubuntu-latest
needs:
- vhost
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
submodules: 'recursive'
- name: Pre Setup
run: |
sudo apt-get update
sudo apt-get install -y python3-pip jq
python -m pip install --upgrade pip jinja2
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: 1.6.4
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCP_CREDENTIALS_JSON }}
- name: Terraform Init And Apply
run: |
python3 scripts/init.py && bash scripts/run_terraform.sh
working-directory: iac_modules/terraform/${{ env.CLOUD }}/firewall/
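Review bot: The destroy workflow is wired to a bare `pull_request:` trigger in its `on:` block, and `STATE: "destroy"` is fixed in `env`, so opening a pull request from a branch of this repository would run the teardown jobs, ending with the `gcs` job deleting the `iac_gcp_terraform_state` state bucket; the rendering has lost indentation, so the `paths:` filter may also apply to `pull_request`, but even then a PR touching the workflow file would destroy live resources. A destructive workflow is safer on `workflow_dispatch` alone, with each job bound to a deployment `environment:` that has required reviewers, so that a teardown is an explicit, approved action rather than a side effect of a PR. The `branches: - main` entry under `workflow_dispatch:` is not a filter that event supports and looks copied from a `push` trigger. `actions/checkout@v2` and `hashicorp/setup-terraform@v1` are older majors than the `actions/checkout@v3` used elsewhere in this commit and should be aligned.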

360
.github/workflows/pipeline.yml vendored Normal file

@ -0,0 +1,360 @@
name: Create Resources by IAC tools
env:
STATE: "create" # 可以根据需要更改初始状态, 可选createupdate, destroy
CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure
TZ: Asia/Shanghai
REPO: "artifact.onwalk.net"
IMAGE: base/${{ github.repository }}
TAG: ${{ github.sha }}
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
OSS_AK: ${{ secrets.OSS_AK }}
OSS_SK: ${{ secrets.OSS_SK }}
ROOT_PASSWORD: ${{ secrets.ADMIN_INIT_PASSWORD }}
SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
GITLAB_OIDC_CLIENT_TOKEN: ${{ secrets.GITLAB_OIDC_CLIENT_TOKEN }}
HARBOR_OIDC_CLIENT_TOKEN: ${{ secrets.HARBOR_OIDC_CLIENT_TOKEN }}
SSH_USER: ${{ secrets.HOST_USER }}
SSH_HOST_DOMAIN: ${{ secrets.HOST_DOMAIN }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
on:
pull_request:
push:
paths:
- '.github/workflows/pipeline.yml'
workflow_dispatch:
branches:
- main
jobs:
gcs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
submodules: 'recursive'
- name: Pre Setup
run: |
sudo apt-get update
sudo apt-get install -y python3-pip jq
python -m pip install --upgrade pip jinja2
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: 1.6.4
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCP_CREDENTIALS_JSON }}
- name: Set up Google Cloud SDK
uses: 'google-github-actions/setup-gcloud@v1'
with:
version: '>= 363.0.0'
- name: Check if GCS bucket exists
id: check_bucket
run: |
BUCKET_NAME="iac_gcp_terraform_state"
gsutil ls -b gs://${BUCKET_NAME} || echo "::set-output name=bucket_exists::false"
- name: Terraform Init And Apply
if: steps.check_bucket.outputs.bucket_exists == 'false'
run: |
bash run_terraform.sh
working-directory: iac_modules/terraform/${{ env.CLOUD }}/gcs/
network:
runs-on: ubuntu-latest
needs:
- gcs
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
submodules: 'recursive'
- name: Pre Setup
run: |
sudo apt-get update
sudo apt-get install -y python3-pip jq
python -m pip install --upgrade pip jinja2
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: 1.6.4
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCP_CREDENTIALS_JSON }}
- name: Terraform Init And Apply
run: |
bash run_terraform.sh
working-directory: iac_modules/terraform/${{ env.CLOUD }}/network/
vhost:
runs-on: ubuntu-latest
needs:
- gcs
- network
- key_pair
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
submodules: 'recursive'
- name: Pre Setup
run: |
sudo apt-get update
sudo apt-get install -y python3-pip jq
python -m pip install --upgrade pip jinja2
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: 1.6.4
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCP_CREDENTIALS_JSON }}
- name: Fetch SSH Keys
run: echo "${{ secrets.SSH_PUBLIC_KEY }}" > ssh_keys.pub
working-directory: iac_modules/terraform/${{ env.CLOUD }}/vhost/
- name: Terraform Init And Apply
run: |
python3 scripts/init.py && bash scripts/run_terraform.sh
working-directory: iac_modules/terraform/${{ env.CLOUD }}/vhost/
key_pair:
runs-on: ubuntu-latest
needs:
- gcs
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
submodules: 'recursive'
- name: Pre Setup
run: |
sudo apt-get update
sudo apt-get install -y python3-pip jq
python -m pip install --upgrade pip jinja2
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: 1.6.4
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCP_CREDENTIALS_JSON }}
- name: Set up Google Cloud SDK
uses: 'google-github-actions/setup-gcloud@v1'
with:
version: '>= 363.0.0'
- name: Check if SSH Metadata exists
id: check_ssh_metadata
run: bash scripts/check_ssh_metadata.sh
working-directory: iac_modules/terraform/${{ env.CLOUD }}/key_pair/
- name: Fetch SSH Keys
if: steps.check_ssh_metadata.outputs.ssh_metadata_exists == 'false'
run: echo "${{ secrets.SSH_PUBLIC_KEY }}" > ssh_keys.pub
working-directory: iac_modules/terraform/${{ env.CLOUD }}/key_pair/
- name: Terraform Init And Apply
if: steps.check_ssh_metadata.outputs.ssh_metadata_exists == 'false'
run: |
python3 scripts/init.py && bash scripts/run_terraform.sh
working-directory: iac_modules/terraform/${{ env.CLOUD }}/key_pair/
firewall:
runs-on: ubuntu-latest
needs:
- gcs
- network
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
submodules: 'recursive'
- name: Pre Setup
run: |
sudo apt-get update
sudo apt-get install -y python3-pip jq
python -m pip install --upgrade pip jinja2
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: 1.6.4
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCP_CREDENTIALS_JSON }}
- name: Terraform Init And Apply
run: |
python3 scripts/init.py && bash scripts/run_terraform.sh
working-directory: iac_modules/terraform/${{ env.CLOUD }}/firewall/
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Sync aritfacts
run: echo "to do"
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Test aritfacts
run: echo "to do"
setup-k3s:
runs-on: ubuntu-latest
needs:
- build
- test
- vhost
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
submodules: 'recursive'
- name: Pre Setup
run: |
sudo apt-get update
sudo apt-get install -y python3-pip jq
python -m pip install --upgrade pip jinja2
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: 1.6.4
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCP_CREDENTIALS_JSON }}
- name: Set GitHub Actions output variables
id: terraform-output
run: |
python3 scripts/init.py && terraform init
terraform output | while read -r line; do
if [ -z "$line" ]; then
break
else
k_v=$(echo "$line" | tr -d ' ' | awk -F= '{print $1"="$2}')
echo "$k_v" >> $GITHUB_OUTPUT
fi
done
working-directory: iac_modules/terraform/${{ env.CLOUD }}/vhost/
- name: Update playbook hosts
run: |
bash pre_setup.sh
env:
SSH_HOST_IP: ${{ steps.terraform-output.outputs.server }}
working-directory: playbook/
- name: Setup K3S Cluster
shell: bash
run: |
export ANSIBLE_HOST_KEY_CHECKING=False
ansible-playbook -i hosts/inventory init_k3s_cluster_std -D
working-directory: playbook/
deploy-Apps:
runs-on: ubuntu-latest
needs:
- setup-k3s
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
submodules: 'recursive'
- name: Pre Setup
run: |
sudo apt-get update
sudo apt-get install -y python3-pip jq
python -m pip install --upgrade pip jinja2
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: 1.6.4
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCP_CREDENTIALS_JSON }}
- name: Set GitHub Actions output variables
id: terraform-output
run: |
python3 scripts/init.py && terraform init
terraform output | while read -r line; do
if [ -z "$line" ]; then
break
else
k_v=$(echo "$line" | tr -d ' ' | awk -F= '{print $1"="$2}')
echo "$k_v" >> $GITHUB_OUTPUT
fi
done
working-directory: iac_modules/terraform/${{ env.CLOUD }}/vhost/
- name: Update playbook hosts
run: |
bash pre_setup.sh
env:
SSH_HOST_IP: ${{ steps.terraform-output.outputs.server }}
working-directory: playbook/
- name: Deploy Gitlab
run: |
export ANSIBLE_HOST_KEY_CHECKING=False
ansible-playbook -i hosts/inventory init_gitlab -D
working-directory: playbook/
- name: Deploy Harbor
run: |
export ANSIBLE_HOST_KEY_CHECKING=False
ansible-playbook -i hosts/inventory init_harbor -D
working-directory: playbook/
- name: Deploy Chartmuseum
run: |
export ANSIBLE_HOST_KEY_CHECKING=False
ansible-playbook -i hosts/inventory init_chartmuseum -D
working-directory: playbook/
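Review bot: The `Check if GCS bucket exists` step in the `gcs` job reports its result with `::set-output`, which GitHub has deprecated, while the `terraform-output` steps later in the same file already append to `$GITHUB_OUTPUT`; the step should use the same mechanism, e.g. `gsutil ls -b gs://${BUCKET_NAME} || echo "bucket_exists=false" >> "$GITHUB_OUTPUT"`. As written, any `gsutil ls` failure (an authentication or permission error included) is read as "bucket missing" and triggers the apply, so the check should separate a not-found result from other errors before creating the state bucket. Separately, every secret in the workflow-level `env:` block (`DNS_AK`, `OSS_SK`, `ROOT_PASSWORD`, `SSH_PRIVATE_KEY`, …) is injected into all nine jobs, including `build` and `test` which only run `echo "to do"`; moving those entries to a job-level `env:` on `setup-k3s` and `deploy-Apps` keeps them out of jobs that do not need them. The `export ANSIBLE_HOST_KEY_CHECKING=False` lines in the Ansible steps disable SSH host key verification for the newly created host; since the same steps already obtain the server address from Terraform output, populating a known_hosts file from the instance's host key would let the check stay enabled.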

75
Architectures.uml Normal file

@ -0,0 +1,75 @@
@startuml
!define RECTANGLE class
RECTANGLE GitHubCI
RECTANGLE Pulumi
RECTANGLE GitHub
RECTANGLE Harbor
RECTANGLE Loki
RECTANGLE Deepflow
RECTANGLE Prometheus
RECTANGLE Alertmanager
RECTANGLE Clickhouse
RECTANGLE Grafana
RECTANGLE Nginx
RECTANGLE DNS
RECTANGLE APIGateway
' 多环境定义
folder "Development Environment" {
RECTANGLE Dev_Kubernetes
RECTANGLE Dev_k3s
}
folder "Testing Environment" {
RECTANGLE Test_Kubernetes
RECTANGLE Test_k3s
}
folder "Production Environment" {
RECTANGLE Prod_Kubernetes
RECTANGLE Prod_k3s
}
GitHubCI --> GitHub : 使用
GitHub --> Pulumi : 配置
Pulumi --> Dev_Kubernetes
Pulumi --> Dev_k3s
Pulumi --> Test_Kubernetes
Pulumi --> Test_k3s
Pulumi --> Prod_Kubernetes
Pulumi --> Prod_k3s
Dev_Kubernetes --> Harbor : 容器注册
Dev_k3s --> Harbor : 容器注册
Test_Kubernetes --> Harbor : 容器注册
Test_k3s --> Harbor : 容器注册
Prod_Kubernetes --> Harbor : 容器注册
Prod_k3s --> Harbor : 容器注册
Dev_Kubernetes --> Nginx : Ingress
Dev_k3s --> Nginx : Ingress
Test_Kubernetes --> Nginx : Ingress
Test_k3s --> Nginx : Ingress
Prod_Kubernetes --> Nginx : Ingress
Prod_k3s --> Nginx : Ingress
Dev_Kubernetes --> Loki : 日志
Dev_k3s --> Loki : 日志
Test_Kubernetes --> Loki : 日志
Test_k3s --> Loki : 日志
Prod_Kubernetes --> Loki : 日志
Prod_k3s --> Loki : 日志
Loki --> Grafana : 可视化
Deepflow --> Grafana : 可视化
Prometheus --> Grafana : 可视化
Alertmanager --> Prometheus : 通知
Clickhouse --> Grafana : 数据存储
DNS --> APIGateway : 解析
APIGateway --> Dev_Kubernetes : 路由
APIGateway --> Dev_k3s : 路由
APIGateway --> Test_Kubernetes : 路由
APIGateway --> Test_k3s : 路由
APIGateway --> Prod_Kubernetes : 路由
APIGateway --> Prod_k3s : 路由
@enduml

30
Layered_Architecture.uml Normal file

@ -0,0 +1,30 @@
@startuml
!define RECTANGLE class
' Central Container Platform
RECTANGLE ContainerPlatform {
RECTANGLE ServiceMeshSolutions
}
' Microservices at the top
RECTANGLE Microservices
' DevOps Solutions and Federated Identity Solutions on the left
RECTANGLE DevOpsSolutions
RECTANGLE FederatedIdentitySolutions
' Observability Platform Solutions on the right
RECTANGLE ObservabilityPlatformSolutions
' LangChainAI at the bottom
RECTANGLE LangChainAI
' Define relationships
Microservices -down- ContainerPlatform : "Supported by\n"
DevOpsSolutions -right- ContainerPlatform : "Integrated with\n"
FederatedIdentitySolutions -right- ContainerPlatform : "Secured by\n"
ObservabilityPlatformSolutions -left- ContainerPlatform : "Monitored by\n"
LangChainAI -up- ContainerPlatform : "Enhanced by\n"
ServiceMeshSolutions -- ContainerPlatform : "Interconnected within\n"
@enduml


@ -9,6 +9,9 @@ We define modern app architectures as those driven by four characteristics: scal
- Resiliency Can fail over to newly spunup clusters or virtual environments in different availability regions, clouds, or data centers.
- Agility Ability to update through automated CI/CD pipelines with higher code velocity and more frequent code pushes.
![PlantUML Diagram](https://www.plantuml.com/plantuml/png/XPL1JnD15CVlxrECN3nnwis3WPIcD9A6A7UpRL_BfhkpP6QsQ8o9qKXY0ke1HNlGH2NqOglnO3WGlWopYz_26RAbmylkq5Ft_N_px__jpBokI1K8bSOHtEbXF-J87ZRgMwljvaQ3TQD0Ie15eHcgzRHJRpcbpJHAun0eunJM0z59X5FOI8RkWZN4dNwKxBgc8ebHRMCgdU9gX4B50Gy6wBhLex0xt4vIYMu84VGDwLJQWv0_SN-r_SZrtcmr0uMxmLE0kqp_6ETlP_hRApqTNvo-WNuIzL2mfJKSOPJinCWLQ_1HA19klo-nPy3CnsrfzFX1sa71KQ4i4OSr2S-lVRTGgf0F_9uM8gP49Qxc9VRIhWeJxZUs734cQc4Cy-rdoyltYtrczzZ5sNb-E2b4AnLdmaZ_NX_aPrCeder4tWnLXZMtH5kc4iLf8rIoEDmCOCNYW9guUdggFq-oFnEzjmz57Wz1ujr6-ir8-5j8lrbfbrSNm80jFX0efTiVrKXd7gR2W7JZOIeCIZkmSyCWsT6nFZzoybE5fYydoXVJv5L4-MAmZxO-7q16qkzcboTxUlyZp0TT9R0OUvM8EmIl86UDkMylnldNOrYCHEAJVVYL7Kprpq_wvGJ0Z42hEyFF89SdtxClxs5HAxcs5lixomz_bs73MhLETyR7UOteBdcv6qOho7lstmx-0m00)
## Modern Container Application Reference Architectures
This repository provides a reference architecture for modern container applications. It focuses on the following key principles:


@ -1 +0,0 @@
encryptionsalt: v1:5xsaM2aqu0Q=:v1:SKSxqD3qXFYZl1I2:RCwJV1UL9uatyI/CtjvL+wFRY8bmQA==


@ -1,6 +0,0 @@
name: Modern-Container-Application-Reference-Architecture
runtime:
name: python
options:
virtualenv: venv
description: A minimal AWS Python Pulumi program


@ -1,30 +0,0 @@
"""An AWS Python Pulumi AWS Module"""
import aws
import config
import pulumi
import pulumi_command
vpc_id = aws.vpc()
az_list = aws.availability_zones()
sg_id = aws.security_group( vpc_id )
igw_id = aws.internet_gateway( vpc_id )
route_table_id = aws.route_table( vpc_id, igw_id )
subnets = aws.subnets(vpc_id, az_list, route_table_id, 'public' )
ssh_key = config.get_env('SSH_PUBLIC_KEY')
key_pair = aws.key_pair(resource_name="my_ssh_key", public_key=ssh_key)
k3s_server = aws.ec2(
arch = 'arm64',
ec2_type = 't4g.small',
ec2_name = 'tky.onwalk.net',
key_name = key_pair,
subnet_id = subnets[0],
security_group_id = sg_id
)
pulumi.export("vpc", vpc_id)
pulumi.export("sg", sg_id)
pulumi.export("subnets", subnets)
pulumi.export("key_pair", key_pair)
pulumi.export("k3s_server_public_ip", k3s_server.public_ip )


@ -1,25 +0,0 @@
import pulumi
from pulumi_aws import s3, ec2
class AWSProvider:
def __init__(self):
self.resources = {}
def create_resources(self, resource_type, resource_config):
if resource_type == 's3':
self.resources['s3'] = s3.Bucket(resource_config['name'])
elif resource_type == 'ec2':
self.resources['ec2'] = ec2.Instance(resource_config['name'],
instance_type=resource_config['instance_type'],
ami=resource_config['ami'])
def delete_resources(self):
for resource in self.resources.values():
pulumi.destroy(resource)
def update_resources(self):
print("Updating AWS resources...")
def query_resources(self):
print("Querying AWS resources...")
return []


@ -1,16 +0,0 @@
from fastapi import FastAPI
from cloud_manager.models import ResourceConfig, CloudManager
from cloud_manager.providers.aws_provider import AWSProvider
app = FastAPI()
@app.post("/resources")
async def create_resource(resource: ResourceConfig):
if resource.provider == 'aws':
provider = AWSProvider()
else:
return {"error": "Unsupported provider"}
manager = CloudManager(provider, resource.resource_type, resource.config)
manager.create_resources()
return {"message": "Resource created successfully"}


@ -1,30 +0,0 @@
from pydantic import BaseModel
class ResourceConfig(BaseModel):
provider: str
resource_type: str
config: dict
class CloudManager:
def __init__(self, provider, resource_type, resource_config):
self.provider = provider
self.resource_type = resource_type
self.resource_config = resource_config
def create_resources(self):
self.provider.create_resources(self.resource_type, self.resource_config)
def delete_resources(self):
self.provider.delete_resources()
def update_resources(self):
self.provider.update_resources()
def query_resources(self):
return self.provider.query_resources()
def migrate_resources(self, to_provider):
resources = self.query_resources()
to_provider.create_resources(resources)
self.delete_resources()


@ -1,18 +0,0 @@
class EC2:
@staticmethod
def create(config):
# 创建 EC2 实例的代码...
pass
def delete(self):
# 删除 EC2 实例的代码...
pass
def update(self):
# 更新 EC2 实例的代码...
pass
def query(self):
# 查询 EC2 实例的代码...
pass


@ -1,27 +0,0 @@
from .aws import ec2, s3, rds, iam, vpc, eks
class AWSProvider:
def __init__(self):
self.resources = {}
def create_resources(self, resource_type, resource_config):
if resource_type == 's3':
self.resources['s3'] = s3.create(resource_config)
elif resource_type == 'ec2':
self.resources['ec2'] = ec2.create(resource_config)
# ...其他服务的创建逻辑...
def delete_resources(self):
for resource in self.resources.values():
resource.delete()
def update_resources(self):
for resource in self.resources.values():
resource.update()
def query_resources(self):
resources = {}
for name, resource in self.resources.items():
resources[name] = resource.query()
return resources


@ -1,13 +0,0 @@
from pulumi_command import local
from pulumi_command import remote
def get_env( name ):
env = local.Command(
"command",
create=f"printenv {name}"
)
return env.stdout
def local_run( command: str ):
command = local.Command("local_command", create=command )
return command.stdout


@ -1,16 +0,0 @@
from fastapi import FastAPI
from cloud_manager.models import ResourceConfig, CloudManager
from cloud_manager.providers.aws_provider import AWSProvider
app = FastAPI()
@app.post("/resources")
async def create_resource(resource: ResourceConfig):
if resource.provider == 'aws':
provider = AWSProvider()
else:
return {"error": "Unsupported provider"}
manager = CloudManager(provider, resource.resource_type, resource.config)
manager.create_resources()
return {"message": "Resource created successfully"}


@ -1,3 +0,0 @@
pulumi==3.58.0
pulumi-aws==5.32.0
pulumi_command==0.7.0


@ -1,200 +0,0 @@
import pulumi
import pulumi_aws
#-----------global vars---------------#
stack_name = pulumi.get_stack()
project_name = pulumi.get_project()
#------------------------------------#
def vpc():
vpc = pulumi_aws.ec2.Vpc(
resource_name=f"eks-{project_name}-{stack_name}",
cidr_block="10.100.0.0/16",
enable_dns_support=True,
enable_dns_hostnames=True,
instance_tenancy='default',
tags={
"Project": project_name,
"Stack": stack_name
}
)
return vpc.id
#------------------------------------#
def key_pair( resource_name: str, public_key: str ):
key_pair = pulumi_aws.ec2.KeyPair( resource_name=resource_name, public_key=public_key )
return key_pair.key_name
#------------------------------------#
def ec2( arch, ec2_name, ec2_type, key_name, subnet_id, security_group_id ):
if arch == 'amd64':
ami = pulumi_aws.ec2.get_ami(
owners = ["099720109477"],
filters = [
pulumi_aws.ec2.GetAmiFilterArgs(
name = "name",
values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
)],
most_recent = True)
if arch == 'arm64':
ami = pulumi_aws.ec2.get_ami(
owners = ["099720109477"],
filters = [
pulumi_aws.ec2.GetAmiFilterArgs(
name = "name",
values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-arm64-server-*"]
)],
most_recent = True)
root_ebs = {
"deleteOnTermination": True,
"volume_size": 100,
"volumeType": 'gp3',
"encrypted": False
}
instance = pulumi_aws.ec2.Instance(
ami=ami.id,
resource_name = ec2_name,
instance_type = ec2_type,
key_name = key_name,
subnet_id = subnet_id,
root_block_device = root_ebs,
vpc_security_group_ids = [ security_group_id ],
tags = {
"Name": ec2_name
}
)
return instance
#------------------------------------#
def availability_zones():
az_list = pulumi_aws.get_availability_zones(state="available").names
return az_list
#------------------------------------#
def internet_gateway( vpc_id ):
igw = pulumi_aws.ec2.InternetGateway(
resource_name=f'vpc-igw-{project_name}-{stack_name}',
vpc_id=vpc_id,
tags={
"Project": project_name,
"Stack": stack_name
}
)
return igw.id
#------------------------------------#
def route_table( vpc_id, igw_id ):
route_table = pulumi_aws.ec2.RouteTable(
resource_name = f'vpc-route-table-{project_name}-{stack_name}',
vpc_id = vpc_id,
routes = [
pulumi_aws.ec2.RouteTableRouteArgs(
cidr_block='0.0.0.0/0',
gateway_id=igw_id
)
],
tags = {
"Project": project_name,
"Stack": stack_name
}
)
return route_table.id
#------------------------------------#
def security_group( vpc_id ):
security_group = pulumi_aws.ec2.SecurityGroup(
resource_name = f'ec2-default-sg-{project_name}-{stack_name}',
vpc_id = vpc_id,
description = "Allow all HTTP(s) traffic to EKS Cluster",
ingress = [
pulumi_aws.ec2.SecurityGroupIngressArgs(
protocol='tcp',
from_port=22,
to_port=22,
cidr_blocks=['0.0.0.0/0'],
description='Allow sshd connect'),
pulumi_aws.ec2.SecurityGroupIngressArgs(
protocol='tcp',
from_port=80,
to_port=80,
cidr_blocks=['0.0.0.0/0'],
description='Allow http 80'),
pulumi_aws.ec2.SecurityGroupIngressArgs(
protocol='tcp',
from_port=389,
to_port=389,
cidr_blocks=['0.0.0.0/0'],
description='Allow LDAP 389'),
pulumi_aws.ec2.SecurityGroupIngressArgs(
protocol='tcp',
from_port=443,
to_port=443,
cidr_blocks=['0.0.0.0/0'],
description='Allow https 443')
],
egress=[
pulumi_aws.ec2.SecurityGroupEgressArgs(
from_port=0,
to_port=0,
protocol="-1",
cidr_blocks=["0.0.0.0/0"]
)],
tags = {
"Project": project_name,
"Stack": stack_name
}
)
return security_group.id
#------------------------------------#
def subnets( vpc_id, az_name, route_table_id, net_type='private' ):
# If you wanted to double the number of subnets because you have few
# availability zones, you can redefine the variable below to something
# like: list(itertools.chain(azs, azs)) which would just repeat the
# same list of AZs twice. The iteration logic will pick it up for
# subnet creation and create unique names.
subnets = []
az_list = availability_zones()
az_enum = list(az_list)
if len(az_list) <= 0:
raise ValueError("There are no usable availability zones")
if len(az_list) == 1:
pulumi.log.warn("There is only a single usable availability zone")
elif len(az_list) == 2:
pulumi.log.warn("There are only two usable availability zones")
for i, az in enumerate(az_enum):
if net_type == 'public':
subnet_addr = i
map_eip=True
if net_type == 'private':
subnet_addr = (i + 1) * 16
map_eip=False
if not isinstance(az, str):
raise f'availability zone specified [{i}] is not a valid string value: [{az}]'
if az.strip() == "":
raise f'availability zone specified [{i}] is an empty string'
subnet_instance = pulumi_aws.ec2.Subnet(
resource_name = f'{az}-{net_type}-{project_name}-{stack_name}-{i}',
vpc_id=vpc_id,
availability_zone=az,
cidr_block=f"10.100.{subnet_addr}.0/24",
map_public_ip_on_launch=map_eip,
tags={
"Project": project_name,
"Stack": stack_name,
}
)
pulumi_aws.ec2.RouteTableAssociation(
f"route-table-assoc-{net_type}-{az}-{i}",
route_table_id=route_table_id,
subnet_id=subnet_instance.id
)
subnets.append(subnet_instance.id)
return subnets

1
playbook/.gitignore vendored

@ -1 +0,0 @@
osts/*


@ -1 +0,0 @@
encryptionsalt: v1:Yoj83pTAoq0=:v1:tLvk4ziwEsWJTRX7:Hxa7QbAwaerJCEBuuIZgDB0boChyDQ==


@ -1,6 +0,0 @@
name: Modern-Container-Application-Reference-Architecture
runtime:
name: python
options:
virtualenv: venv
description: A minimal AWS Python Pulumi program


@ -1,20 +0,0 @@
# playbook
# Getting started
## Delpoy Test
ansible-playbook -i hosts/aws-hosts jobs/init_ec2_monitoring -D -C
ansible-playbook -i hosts/aws-hosts jobs/init_ec2_monitoring_sit -D -C
ansible-playbook -i hosts/aws-hosts jobs/init_ec2_monitoring_uat -D -C
ansible-playbook -i hosts/aws-hosts jobs/init_ec2_monitoring_common -D -C
## Deploy
ansible-playbook -i hosts/aws-hosts jobs/init_ec2_monitoring -D
ansible-playbook -i hosts/aws-hosts jobs/init_ec2_monitoring_sit -D
ansible-playbook -i hosts/aws-hosts jobs/init_ec2_monitoring_uat -D
ansible-playbook -i hosts/aws-hosts jobs/init_ec2_monitoring_common -D
## Troubleshooting
ansible -i hosts/aws-hosts sit -m shell -a 'sudo pkill -9 prometheus'


@ -1,55 +0,0 @@
"""An AWS Python Pulumi AWS Module"""
import os
import sys
import json
import stat
import jinja2
import subprocess
import pulumi
import pulumi_command
THIS_DIR = os.path.dirname(os.path.abspath(__file__))
def run_cmd(cmd):
retcode, output = subprocess.getstatusoutput( cmd )
assert retcode == 0
return output
def render_template( template_source, template_result, template_vars ):
inventory_env = jinja2.Environment( loader=jinja2.FileSystemLoader(THIS_DIR), trim_blocks=True )
inventory_template = inventory_env.get_template(template_source)
inventory_output = inventory_template.render(vars=template_vars)
with open(template_result, "w+") as f:
f.write(inventory_output)
data = json.loads(
run_cmd('pulumi stack output --json')
)
vars = {}
vars['dns_ak'] = os.environ['DNS_AK']
vars['dns_sk'] = os.environ['DNS_SK']
vars['ssh_private_key'] = os.environ['SSH_PRIVATE_KEY']
vars['db_server_public_ip'] = data['db_server_public_ip']
vars['k3s_server_public_ip'] = data['k3s_server_public_ip']
render_template('templates/id_rsa', 'hosts/id_rsa', vars)
render_template('templates/inventory', 'hosts/inventory', vars)
setup_permission = pulumi_command.local.Command(
"SetupPermission",
create="chmod 0400 hosts/id_rsa"
)
install_k3s_cluster = pulumi_command.local.Command(
"SetupK3S",
create="ansible-playbook -i hosts/inventory jobs/init_k3s_cluster -D",
opts=pulumi.ResourceOptions(depends_on=[setup_permission])
)
install_log_agent = pulumi_command.local.Command(
"InstallAgent",
create="ansible-playbook -i hosts/inventory jobs/init_log_agent -D",
opts=pulumi.ResourceOptions(depends_on=[install_k3s_cluster])
)


@ -1,13 +0,0 @@
[inventory]
cache: yes
cache_plugin: ansible.builtin.jsonfile
[defaults]
timeout = 10
forks = 10
poll_interval = 10
transport = smart
gathering = smart
stdout_callback = skippy
host_key_checking = False
deprecation_warnings = False



@ -1,19 +0,0 @@
- name: set bookinfo with helm
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: bookinfo
vars:
group: master
domain: onwalk.net
namespace: bookinfo
auto_issuance: false
update_secret: true
storage_type: oss
tls:
- secret_name: bookinfo-tls
keyfile: /etc/ssl/onwalk.net.key
certfile: /etc/ssl/onwalk.net.pem


@ -1,19 +0,0 @@
- name: setup harbor
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: chartmuseum
vars:
group: master
namespace: harbor
domain: onwalk.net
auto_issuance: true
update_secret: true
storage_type: oss
tls:
- secret_name: chartmuseum-tls
keyfile: /etc/ssl/onwalk.net.key
certfile: /etc/ssl/onwalk.net.pem


@ -1,18 +0,0 @@
- name: setup chatwithgpt app in k3s
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: chatwithgpt
vars:
group: master
namespace: chatwithgpt
domain: onwalk.net
auto_issuance: true
update_secret: true
tls:
- secret_name: chatwithgpt-tls
keyfile: /etc/ssl/onwalk.net.key
certfile: /etc/ssl/onwalk.net.pem


@ -1,10 +0,0 @@
- name: set k3s cluster with ec2 nodes
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: clickhouse
vars:
group: master


@ -1,10 +0,0 @@
- name: set datadog-agent with helm
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: datadog-agent
vars:
group: master


@ -1,12 +0,0 @@
- name: set k3s cluster with vhosts
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: fluxcd
vars:
group: master
version: '2.7.0'
namespace: fluxcd


@ -1,23 +0,0 @@
- name: setup gitlab
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: gitlab
vars:
group: master
gitlab_version: '7.0.4'
namespace: gitlab
db_namespace: database
domain: onwalk.net
auto_issuance: false
update_secret: true
tls:
- secret_name: gitlab-tls
keyfile: /etc/ssl/onwalk.net.key
certfile: /etc/ssl/onwalk.net.pem
gitlab_oidc_client_id: gitlab-oidc
gitlab_oidc_isser: 'https://keycloak.onwalk.net/realms/cloud-sso'
gitlab_oidc_redirect_uri: 'https://gitlab.onwalk.net/users/auth/openid_connect/callback'


@ -1,20 +0,0 @@
- name: setup harbor
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: harbor
vars:
group: master
namespace: harbor
domain: onwalk.net
db_namespace: database
auto_issuance: true
update_secret: true
storage_type: oss
tls:
- secret_name: harbor-tls
keyfile: /etc/ssl/onwalk.net.key
certfile: /etc/ssl/onwalk.net.pem


@ -1,19 +0,0 @@
- name: setup jenkins server
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: jenkins
vars:
group: master
namespace: jenkins
db_namespace: database
domain: onwalk.net
auto_issuance: false
update_secret: true
tls:
- secret_name: jenkins-tls
keyfile: /etc/ssl/onwalk.net.key
certfile: /etc/ssl/onwalk.net.pem


@ -1,26 +0,0 @@
- name: set k3s cluster with vhosts
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: k3s
vars:
group: master
namespace: ingress
domain: onwalk.net
auto_issuance: false
update_secret: false
version: 'v1.24.7+k3s1'
cni: kubeovn
ingress: nginx
external_dns: enable
pod_cidr: '10.10.0.0/16'
pod_gateway: '10.10.0.1'
svc_cidr: '172.16.0.0/16'
cluster_dns: '172.16.0.10'
cluster_reset: false
join_cidr: '100.64.0.0/16'
cni_iface: 'eth0'
cni_tunnel: 'geneve'


@ -1,54 +0,0 @@
- name: set apisix cluster with vhosts
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: k3s-reset
vars:
group: master
cluster_reset: 'disable'
- include_role:
name: k3s
vars:
group: master
cni: default
version: 'v1.27.2+k3s1'
pod_cidr: '10.10.0.0/16'
pod_gateway: '10.10.0.1'
svc_cidr: '172.16.0.0/16'
cluster_dns: '172.16.0.10'
node_ip: '10.170.0.8'
join_cidr: '100.64.0.0/16'
- include_role:
name: k3s-addon
vars:
group: master
ingress: apisix
domain: onwalk.net
namespace: ingress
auto_issuance: true
update_secret: false
svc_discovery: enable
external_dns: disable
- include_role:
name: secret-manger
vars:
group: master
namespace: ingress
update_secret: true
tls:
- secret_name: apisix-tls
keyfile: /etc/ssl/onwalk.net.key
certfile: /etc/ssl/onwalk.net.pem
- include_role:
name: secret-manger
vars:
group: master
namespace: nginx
update_secret: true
tls:
- secret_name: nginx-tls
keyfile: /etc/ssl/onwalk.net.key
certfile: /etc/ssl/onwalk.net.pem


@ -1,34 +0,0 @@
- name: set artifact cluster with vhosts
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: k3s-reset
vars:
group: master
cluster_reset: 'enable'
- include_role:
name: k3s
vars:
group: master
cni: default
version: 'v1.27.2+k3s1'
pod_cidr: '10.10.0.0/16'
pod_gateway: '10.10.0.1'
svc_cidr: '172.16.0.0/16'
cluster_dns: '172.16.0.10'
node_ip: '10.170.0.8'
join_cidr: '100.64.0.0/16'
- include_role:
name: k3s-addon
vars:
group: master
ingress: nginx
domain: onwalk.net
namespace: ingress
auto_issuance: true
external_dns: disable
svc_discovery: disable
update_secret: disable


@ -1,22 +0,0 @@
- name: set apisix cluster with vhosts
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: k3s
vars:
group: master
cni: kubeovn
ingress: apisix
external_dns: disable
version: 'v1.24.7+k3s1'
pod_cidr: '10.20.0.0/16'
pod_gateway: '10.20.0.1'
svc_cidr: '172.16.0.0/16'
cluster_dns: '172.16.0.10'
cluster_domain: 'cluster.local'
join_cidr: '100.64.0.0/16'
cni_iface: 'eth0'
cni_tunnel: 'geneve'


@ -1,30 +0,0 @@
- name: set artifact cluster with vhosts
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: k3s-reset
vars:
group: master
cluster_reset: 'enable'
- include_role:
name: k3s
vars:
group: master
cni: default
version: 'v1.27.2+k3s1'
pod_cidr: '10.10.0.0/16'
svc_cidr: '172.16.0.0/16'
- include_role:
name: k3s-addon
vars:
group: master
ingress: default
domain: onwalk.net
namespace: ingress
external_dns: enable
auto_issuance: false
update_secret: false
svc_discovery: disable


@ -1,30 +0,0 @@
- name: set artifact cluster with vhosts
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: k3s-reset
vars:
group: master
cluster_reset: 'enable'
- include_role:
name: k3s
vars:
group: master
cni: default
version: 'v1.27.2+k3s1'
pod_cidr: '10.10.0.0/16'
svc_cidr: '172.16.0.0/16'
- include_role:
name: k3s-addon
vars:
group: master
ingress: nginx
domain: onwalk.net
namespace: ingress
external_dns: enable
auto_issuance: false
update_secret: false
svc_discovery: disable


@ -1,19 +0,0 @@
- name: setup keycloak
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: keycloak
vars:
group: master
namespace: itsm
db_namespace: database
domain: onwalk.net
auto_issuance: true
update_secret: true
tls:
- secret_name: keycloak-tls
keyfile: /etc/ssl/onwalk.net.key
certfile: /etc/ssl/onwalk.net.pem


@ -1,13 +0,0 @@
- name: set log agent for common group ec2 nodes
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: promtail-agent
vars:
group: all
label: "env: dev"
loki_host: "data-gateway.onwalk.net"
loki_port: "3100"


@ -1,16 +0,0 @@
- name: set metric agent for all ec2 nodes
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: common
vars:
group: all
- include_role:
name: prometheus-agent
vars:
group: all
label: "cluster: dev"
remote_write: 'https://prometheus.onwalk.net/api/v1/write'


@ -1,10 +0,0 @@
- name: set k3s cluster with ec2 nodes
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: mysql
vars:
group: master


@ -1,18 +0,0 @@
- name: setup nginx-oss
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: nginx-oss
vars:
group: master
namespace: nginx
domain: onwalk.net
auto_issuance: true
update_secret: true
tls:
- secret_name: nginx-tls
keyfile: /etc/ssl/onwalk.net.key
certfile: /etc/ssl/onwalk.net.pem


@ -1,15 +0,0 @@
- name: setup observability agent
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: observability-agent
vars:
group: master
namespace: monitoring
observableserver: prometheus.onwalk.net
port: 3100
deepflowserverip: 34.85.43.134
deepflowserverid: d-N5rfICv2PS


@ -1,19 +0,0 @@
- name: setup observability server
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: observability-server
vars:
group: master
namespace: monitoring
db_namespace: database
domain: onwalk.net
auto_issuance: true
update_secret: true
tls:
- secret_name: obs-tls
keyfile: /etc/ssl/onwalk.net.key
certfile: /etc/ssl/onwalk.net.pem


@ -1,17 +0,0 @@
- name: setup openldap
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: openldap
vars:
group: master
namespace: itsm
domain: onwalk.net
auto_issuance: true
tls:
- secret_name: openldap-tls
keyfile: /etc/ssl/onwalk.net.key
certfile: /etc.ssl/onwalk.net.pem


@ -1,11 +0,0 @@
- name: set postgresql
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: postgresql
vars:
group: master
db_namespace: database


@ -1,10 +0,0 @@
- name: setup redis
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: redis
vars:
group: master


@ -1,12 +0,0 @@
- name: create ssl cert
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: cert-manager
vars:
group: master
domain: onwalk.net
auto_issuance: true


@ -1,18 +0,0 @@
- name: setup nginx-oss
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: nginx-oss
vars:
group: master
namespace: nginx
domain: onwalk.net
auto_issuance: true
update_secret: true
tls:
- secret_name: nginx-tls
keyfile: /etc/ssl/onwalk.net.key
certfile: /etc/ssl/onwalk.net.pem


@ -1 +0,0 @@
../roles


@ -1,4 +0,0 @@
pulumi==3.58.0
pulumi-aws==5.32.0
pulumi_command==0.7.0
jinja2==3.1.2


@ -1,102 +0,0 @@
#!/bin/bash
export domain=$1
export secret=$2
export namespace=$3
export mysql_db_password=$4
kubectl label nodes k3s-server prometheus=true --overwrite
cat > values.yaml << EOF
deepflow:
enabled: true
clickhouse:
enabled: false
mysql:
enabled: false
grafana:
enabled: true
ingress:
enabled: true
ingressClassName: nginx
hosts:
- grafana.${domain}
tls:
- secretName: ${secret}
hosts:
- grafana.${domain}
global:
externalClickHouse:
enabled: true
type: ep
clusterName: default
storagePolicy: default
username: default
password: ''
hosts:
- ip: 10.1.2.3
port: 9000
- ip: 10.1.2.4
port: 9000
- ip: 10.1.2.5
port: 9000
externalMySQL:
enabled: true
ip: mysql.database.svc.cluster.local
port: 3306
username: root
password: {{ mysql_db_password }}
prometheus:
enabled: true
alertmanager:
enabled: false
prometheus-pushgateway:
enabled: false
kube-state-metrics:
enabled: false
server:
ingress:
ingressClassName: nginx
hosts:
- prometheus.${domain}
tls:
- secretName: ${secret}
hosts:
- prometheus.${domain}
alertmanagers:
- static_configs:
- targets:
- alertmanager.${domain}
serverFiles:
prometheus.yml:
rule_files:
- /etc/config/recording_rules.yml
- /etc/config/alerting_rules.yml
alertmanager:
configmapReload:
enabled: false
config:
global:
resolve_timeout: 5m
smtp_smarthost: 'smtp.qq.com:465'
smtp_from: '11111111@qq.com'
smtp_auth_username: '11111111@qq.com'
smtp_auth_password: '123456'
smtp_require_tls: false
templates:
- '/etc/alertmanager/*.tmpl'
receivers:
- name: 'default-receiver'
email_configs:
- to: '{{ template "email.to" . }}'
html: '{{ template "email.to.html" . }}'
route:
group_wait: 10s
group_interval: 5m
receiver: default-receiver
repeat_interval: 1h
EOF
helm repo add stable https://artifact.onwalk.net/chartrepo/public/ || echo true
helm repo update
helm upgrade --install observable-server stable/observableserver -n ${namspace} -f values.yaml


@ -1,2 +0,0 @@
dependencies:
- role: cert-manager


@ -1,17 +0,0 @@
roles/alerting/tasks/main.yml- name: get db password
shell: 'kubectl get secret --namespace database postgresql -o jsonpath="{.data.postgres-password}" | base64 -d'
register: command_raw
when: inventory_hostname in groups[group][0]
- name: set fact join command
set_fact:
mysql_db_password : "{{ command_raw.stdout_lines[0] }}"
when: inventory_hostname in groups[group][0]
- name: Setup OpenLdap Server
script: files/setup-observable-server.sh {{ domain }} {{ secret }} {{ namespace }} {{ mysql_db_password }}
when: inventory_hostname in groups[group]
- name: Check alerting rules config
shell: promtool check rules /path/to/example.rules.yml
when: inventory_hostname in groups[group]


@ -1,37 +0,0 @@
data:
alerting_rules.yml: |
groups:
- name: host-monitoring
rules:
- alert: HighLoad
expr: node_load1 > 2.0
for: 5m
labels:
severity: warning
annotations:
summary: High load on {{ $labels.instance }}
description: "Load is {{ $value }} (threshold: 2.0)"
- alert: HighCpuUsage
expr: 100 - (avg by (instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) > 90
for: 5m
labels:
severity: critical
annotations:
summary: High CPU usage on {{ $labels.instance }}
description: "CPU usage is {{ $value }}%"
- alert: HighMemoryUsage
expr: (node_memory_MemTotal_bytes - node_memory_MemFree_bytes - node_memory_Buffers_bytes - node_memory_Cached_bytes) / node_memory_MemTotal_bytes * 100 > 90
for: 5m
labels:
severity: warning
annotations:
summary: High memory usage on {{ $labels.instance }}
description: "Memory usage is {{ $value }}%"
- alert: HighDiskUsage
expr: node_filesystem_avail_bytes{fstype="ext4"} / node_filesystem_size_bytes{fstype="ext4"} * 100 < 10
for: 5m
labels:
severity: critical
annotations:
summary: High disk usage on {{ $labels.instance }}
description: "Disk usage is {{ $value }}%


@ -1,55 +0,0 @@
data:
recording_rules.yml: |
groups:
- name: host-monitoring
rules:
- record: node_load1
expr: node_load1
- record: node_cpu_usage
expr: 100 - (avg by (instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100)
- record: node_memory_usage
expr: (node_memory_MemTotal_bytes - node_memory_MemFree_bytes - node_memory_Buffers_bytes - node_memory_Cached_bytes) / node_memory_MemTotal_bytes * 100
- record: node_disk_usage
expr: 100 - (avg by (instance) (node_filesystem_avail_bytes{fstype="ext4"} / node_filesystem_size_bytes{fstype="ext4"}) * 100)
groups:
- name: 实例存活告警规则
rules:
- alert: 实例存活告警
expr: up == 0
for: 1m
labels:
user: prometheus
severity: warning
annotations:
summary: "主机宕机 !!!"
description: "该实例主机已经宕机超过一分钟了。"
- name: 内存报警规则
rules:
- alert: 内存使用率告警
expr: (1 - (node_memory_MemAvailable_bytes / (node_memory_MemTotal_bytes))) * 100 > 50
for: 1m
labels:
severity: warning
annotations:
summary: "服务器可用内存不足。"
description: "内存使用率已超过50%(当前值:{{ $value }}%"
- name: CPU报警规则
rules:
- alert: CPU使用率告警
expr: 100 - (avg by (instance)(irate(node_cpu_seconds_total{mode="idle"}[1m]) )) * 100 > 50
for: 1m
labels:
severity: warning
annotations:
summary: "CPU使用率正在飙升。"
description: "CPU使用率超过50%(当前值:{{ $value }}%"
- name: 磁盘使用率报警规则
rules:
- alert: 磁盘使用率告警
expr: 100 - node_filesystem_free_bytes{fstype=~"xfs|ext4"} / node_filesystem_size_bytes{fstype=~"xfs|ext4"} * 100 > 80
for: 20m
labels:
severity: warning
annotations:
summary: "硬盘分区使用率过高"
description: "分区使用大于80%(当前值:{{ $value }}%"


@ -1,3 +0,0 @@
dependencies:
- role: cert-manager
- role: secret-manger


@ -1,26 +0,0 @@
- name: Prep DIR
shell: "mkdir -pv /tmp/bookinfo/datadog-apm/"
- name: Prep NameSpace
shell: "kubectl create namespace default || echo true"
- name: Sync bookinfo deploy yaml
template: src=templates/{{ item }} dest=/tmp/bookinfo/{{ item }} owner=root group=root mode=0644 force=yes unsafe_writes=yes
with_items:
- datadog-apm/apline-cli.yaml
- datadog-apm/bookinfo-productpage-python.yaml
- datadog-apm/bookinfo-reviews.yaml
- datadog-apm/bookinfo-details.yaml
- datadog-apm/bookinfo-ratings.yaml
- datadog-apm/bookinfo-ingress.yaml
- name: Setup bookinfo app
shell: "kubectl apply -f /tmp/bookinfo/{{ item }}"
when: inventory_hostname in groups[group]
with_items:
- datadog-apm/apline-cli.yaml
- datadog-apm/bookinfo-productpage-python.yaml
- datadog-apm/bookinfo-reviews.yaml
- datadog-apm/bookinfo-details.yaml
- datadog-apm/bookinfo-ratings.yaml
- datadog-apm/bookinfo-ingress.yaml


@ -1,2 +0,0 @@
/clickhouse-keeper-k8s.iml
/.idea/


@ -1,20 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: bookinfo
---
apiVersion: v1
kind: Pod
metadata:
name: alpine
namespace: bookinfo
spec:
containers:
- image: alpine:3.13
command:
- /bin/sh
- "-c"
- "sleep 600m"
imagePullPolicy: IfNotPresent
name: alpine
restartPolicy: Always


@ -1,55 +0,0 @@
##################################################################################################
# Details service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
name: details
namespace: bookinfo
labels:
app: details
service: details
spec:
ports:
- port: 9080
name: http
selector:
app: details
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: bookinfo-details
namespace: bookinfo
labels:
account: details
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: details-v1
namespace: bookinfo
labels:
app: details
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: details
version: v1
template:
metadata:
labels:
app: details
version: v1
spec:
serviceAccountName: bookinfo-details
containers:
- name: details
image: docker.io/istio/examples-bookinfo-details-v1:1.17.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
securityContext:
runAsUser: 1000


@ -1,56 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: bookinfo
namespace: bookinfo
spec:
ingressClassName: nginx
rules:
- host: bookinfo.onwalk.net
http:
paths:
- backend:
service:
name: productpage
port:
number: 9080
path: /
pathType: Prefix
tls:
- hosts:
- bookinfo.onwalk.net
secretName: bookinfo-tls
---
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
name: bookinfo
namespace: bookinfo
spec:
http:
- name: root
match:
hosts:
- bookinfo.onwalk.net
paths:
- '/*'
backends:
- serviceName: productpage
servicePort: 9080
plugins:
- config:
http_to_https: true
enable: true
name: redirect
---
apiVersion: apisix.apache.org/v2
kind: ApisixTls
metadata:
name: bookinfo
namespace: bookinfo
spec:
hosts:
- bookinfo.onwalk.net
secret:
name: bookinfo-tls
namespace: bookinfo


@ -1,93 +0,0 @@
##################################################################################################
# Productpage services
##################################################################################################
apiVersion: v1
kind: Service
metadata:
name: productpage
namespace: bookinfo
labels:
app: productpage
service: productpage
spec:
ports:
- port: 9080
name: http
selector:
app: productpage
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: bookinfo-productpage
namespace: bookinfo
labels:
account: productpage
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: productpage-v1
namespace: bookinfo
labels:
tags.datadoghq.com/env: "dev"
tags.datadoghq.com/service: "productpage"
tags.datadoghq.com/version: "v1"
app: productpage
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: productpage
version: v1
template:
metadata:
labels:
tags.datadoghq.com/env: "dev"
tags.datadoghq.com/service: "productpage"
tags.datadoghq.com/version: "v1"
admission.datadoghq.com/enabled: "true"
app: productpage
version: v1
annotations:
admission.datadoghq.com/python-lib.version: v1.12.0
spec:
serviceAccountName: bookinfo-productpage
containers:
- name: productpage
image: docker.io/istio/examples-bookinfo-productpage-v1:1.17.0
imagePullPolicy: IfNotPresent
env:
- name: DATADOG_HOST
value: datadog-agent
- name: DD_LOGS_INJECTION
value: "true"
- name: DD_AGENT_HOST
value: datadog-agent
- name: DD_TRACE_AGENT_PORT
value: "8126"
- name: DD_TRACE_SAMPLE_RATE
value: "1"
- name: DD_ENV
valueFrom:
fieldRef:
fieldPath: metadata.labels['tags.datadoghq.com/env']
- name: DD_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['tags.datadoghq.com/service']
- name: DD_VERSION
valueFrom:
fieldRef:
fieldPath: metadata.labels['tags.datadoghq.com/version']
ports:
- containerPort: 9080
volumeMounts:
- name: tmp
mountPath: /tmp
securityContext:
runAsUser: 1000
volumes:
- name: tmp
emptyDir: {}


@ -1,86 +0,0 @@
##################################################################################################
# Ratings service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
name: ratings
namespace: bookinfo
labels:
app: ratings
service: ratings
spec:
ports:
- port: 9080
name: http
selector:
app: ratings
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: bookinfo-ratings
namespace: bookinfo
labels:
account: ratings
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ratings-v1
labels:
tags.datadoghq.com/env: "dev"
tags.datadoghq.com/service: "ratings"
tags.datadoghq.com/version: "v1"
app: ratings
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: ratings
version: v1
template:
metadata:
labels:
tags.datadoghq.com/env: "dev"
tags.datadoghq.com/service: "ratings"
tags.datadoghq.com/version: "v1"
admission.datadoghq.com/enabled: "true"
app: ratings
version: v1
annotations:
admission.datadoghq.com/js-lib.version: v3.17.1
spec:
serviceAccountName: bookinfo-ratings
containers:
- name: ratings
image: docker.io/istio/examples-bookinfo-ratings-v1:1.17.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
securityContext:
runAsUser: 1000
env:
- name: DD_LOGS_INJECTION
value: "true"
- name: DD_AGENT_HOST
value: datadog-agent
- name: DD_TRACE_AGENT_PORT
value: "8126"
- name: DD_TRACE_SAMPLE_RATE
value: "1"
- name: DATADOG_HOST
value: datadog-agent
- name: DD_ENV
valueFrom:
fieldRef:
fieldPath: metadata.labels['tags.datadoghq.com/env']
- name: DD_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['tags.datadoghq.com/service']
- name: DD_VERSION
valueFrom:
fieldRef:
fieldPath: metadata.labels['tags.datadoghq.com/version']


@ -1,245 +0,0 @@
##################################################################################################
# Reviews service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
name: reviews
namespace: bookinfo
labels:
app: reviews
service: reviews
spec:
ports:
- port: 9080
name: http
selector:
app: reviews
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: bookinfo-reviews
namespace: bookinfo
labels:
account: reviews
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: reviews-v1
namespace: bookinfo
labels:
tags.datadoghq.com/env: "dev"
tags.datadoghq.com/service: "reviews"
tags.datadoghq.com/version: "v1"
app: reviews
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: reviews
version: v1
template:
metadata:
labels:
tags.datadoghq.com/env: "dev"
tags.datadoghq.com/service: "reviews"
tags.datadoghq.com/version: "v1"
admission.datadoghq.com/enabled: "true"
app: reviews
version: v1
annotations:
admission.datadoghq.com/java-lib.version: v1.12.1
spec:
serviceAccountName: bookinfo-reviews
containers:
- name: reviews
image: docker.io/istio/examples-bookinfo-reviews-v1:1.17.0
imagePullPolicy: IfNotPresent
env:
- name: LOG_DIR
value: "/tmp/logs"
- name: DD_LOGS_INJECTION
value: "true"
- name: DD_AGENT_HOST
value: datadog-agent
- name: DD_TRACE_AGENT_PORT
value: "8126"
- name: DD_TRACE_SAMPLE_RATE
value: "1"
- name: DATADOG_HOST
value: datadog-agent
- name: DD_ENV
valueFrom:
fieldRef:
fieldPath: metadata.labels['tags.datadoghq.com/env']
- name: DD_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['tags.datadoghq.com/service']
- name: DD_VERSION
valueFrom:
fieldRef:
fieldPath: metadata.labels['tags.datadoghq.com/version']
ports:
- containerPort: 9080
volumeMounts:
- name: tmp
mountPath: /tmp
- name: wlp-output
mountPath: /opt/ibm/wlp/output
securityContext:
runAsUser: 1000
volumes:
- name: wlp-output
emptyDir: {}
- name: tmp
emptyDir: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: reviews-v2
labels:
tags.datadoghq.com/env: "dev"
tags.datadoghq.com/service: "reviews"
tags.datadoghq.com/version: "v2"
app: reviews
version: v2
spec:
replicas: 1
selector:
matchLabels:
app: reviews
version: v2
template:
metadata:
labels:
tags.datadoghq.com/env: "dev"
tags.datadoghq.com/service: "reviews"
tags.datadoghq.com/version: "v2"
admission.datadoghq.com/enabled: "true"
app: reviews
version: v2
annotations:
admission.datadoghq.com/java-lib.version: v1.12.1
spec:
serviceAccountName: bookinfo-reviews
containers:
- name: reviews
image: docker.io/istio/examples-bookinfo-reviews-v2:1.17.0
imagePullPolicy: IfNotPresent
env:
- name: DD_LOGS_INJECTION
value: "true"
- name: LOG_DIR
value: "/tmp/logs"
- name: DD_AGENT_HOST
value: datadog-agent
- name: DD_TRACE_AGENT_PORT
value: "8126"
- name: DD_TRACE_SAMPLE_RATE
value: "1"
- name: DATADOG_HOST
value: datadog-agent
- name: DD_ENV
valueFrom:
fieldRef:
fieldPath: metadata.labels['tags.datadoghq.com/env']
- name: DD_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['tags.datadoghq.com/service']
- name: DD_VERSION
valueFrom:
fieldRef:
fieldPath: metadata.labels['tags.datadoghq.com/version']
ports:
- containerPort: 9080
volumeMounts:
- name: tmp
mountPath: /tmp
- name: wlp-output
mountPath: /opt/ibm/wlp/output
securityContext:
runAsUser: 1000
volumes:
- name: wlp-output
emptyDir: {}
- name: tmp
emptyDir: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: reviews-v3
labels:
tags.datadoghq.com/env: "dev"
tags.datadoghq.com/service: "reviews"
tags.datadoghq.com/version: "v3"
app: reviews
version: v3
spec:
replicas: 1
selector:
matchLabels:
app: reviews
version: v3
template:
metadata:
labels:
tags.datadoghq.com/env: "dev"
tags.datadoghq.com/service: "reviews"
tags.datadoghq.com/version: "v3"
admission.datadoghq.com/enabled: "true"
app: reviews
version: v3
annotations:
admission.datadoghq.com/java-lib.version: v1.12.1
spec:
serviceAccountName: bookinfo-reviews
containers:
- name: reviews
image: docker.io/istio/examples-bookinfo-reviews-v3:1.17.0
imagePullPolicy: IfNotPresent
env:
- name: LOG_DIR
value: "/tmp/logs"
- name: DATADOG_HOST
value: datadog-agent
- name: DD_AGENT_HOST
value: datadog-agent
- name: DD_TRACE_AGENT_PORT
value: "8126"
- name: DD_LOGS_INJECTION
value: "true"
- name: DD_TRACE_SAMPLE_RATE
value: "1"
- name: DD_ENV
valueFrom:
fieldRef:
fieldPath: metadata.labels['tags.datadoghq.com/env']
- name: DD_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['tags.datadoghq.com/service']
- name: DD_VERSION
valueFrom:
fieldRef:
fieldPath: metadata.labels['tags.datadoghq.com/version']
ports:
- containerPort: 9080
volumeMounts:
- name: tmp
mountPath: /tmp
- name: wlp-output
mountPath: /opt/ibm/wlp/output
securityContext:
runAsUser: 1000
volumes:
- name: wlp-output
emptyDir: {}
- name: tmp
emptyDir: {}


@ -1,20 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: bookinfo
---
apiVersion: v1
kind: Pod
metadata:
name: alpine
namespace: bookinfo
spec:
containers:
- image: alpine:3.13
command:
- /bin/sh
- "-c"
- "sleep 600m"
imagePullPolicy: IfNotPresent
name: alpine
restartPolicy: Always


@ -1,55 +0,0 @@
##################################################################################################
# Details service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
name: details
namespace: bookinfo
labels:
app: details
service: details
spec:
ports:
- port: 9080
name: http
selector:
app: details
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: bookinfo-details
namespace: bookinfo
labels:
account: details
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: details-v1
namespace: bookinfo
labels:
app: details
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: details
version: v1
template:
metadata:
labels:
app: details
version: v1
spec:
serviceAccountName: bookinfo-details
containers:
- name: details
image: docker.io/istio/examples-bookinfo-details-v1:1.17.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
securityContext:
runAsUser: 1000


@ -1,56 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: bookinfo
namespace: bookinfo
spec:
ingressClassName: nginx
rules:
- host: bookinfo.onwalk.net
http:
paths:
- backend:
service:
name: productpage
port:
number: 9080
path: /
pathType: Prefix
tls:
- hosts:
- bookinfo.onwalk.net
secretName: bookinfo-tls
---
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
name: bookinfo
namespace: bookinfo
spec:
http:
- name: root
match:
hosts:
- bookinfo.onwalk.net
paths:
- '/*'
backends:
- serviceName: productpage
servicePort: 9080
plugins:
- config:
http_to_https: true
enable: true
name: redirect
---
apiVersion: apisix.apache.org/v2
kind: ApisixTls
metadata:
name: bookinfo
namespace: bookinfo
spec:
hosts:
- bookinfo.onwalk.net
secret:
name: bookinfo-tls
namespace: bookinfo


@ -1,61 +0,0 @@
##################################################################################################
# Productpage services
##################################################################################################
apiVersion: v1
kind: Service
metadata:
name: productpage
namespace: bookinfo
labels:
app: productpage
service: productpage
spec:
ports:
- port: 9080
name: http
selector:
app: productpage
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: bookinfo-productpage
namespace: bookinfo
labels:
account: productpage
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: productpage-v1
namespace: bookinfo
labels:
app: productpage
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: productpage
version: v1
template:
metadata:
labels:
app: productpage
version: v1
spec:
serviceAccountName: bookinfo-productpage
containers:
- name: productpage
image: docker.io/istio/examples-bookinfo-productpage-v1:1.17.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
volumeMounts:
- name: tmp
mountPath: /tmp
securityContext:
runAsUser: 1000
volumes:
- name: tmp
emptyDir: {}


@ -1,55 +0,0 @@
##################################################################################################
# Ratings service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
name: ratings
namespace: bookinfo
labels:
app: ratings
service: ratings
spec:
ports:
- port: 9080
name: http
selector:
app: ratings
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: bookinfo-ratings
namespace: bookinfo
labels:
account: ratings
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ratings-v1
namespace: bookinfo
labels:
app: ratings
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: ratings
version: v1
template:
metadata:
labels:
app: ratings
version: v1
spec:
serviceAccountName: bookinfo-ratings
containers:
- name: ratings
image: docker.io/istio/examples-bookinfo-ratings-v1:1.17.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
securityContext:
runAsUser: 1000


@ -1,145 +0,0 @@
##################################################################################################
# Reviews service
##################################################################################################
apiVersion: v1
kind: Service
metadata:
name: reviews
namespace: bookinfo
labels:
app: reviews
service: reviews
spec:
ports:
- port: 9080
name: http
selector:
app: reviews
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: bookinfo-reviews
namespace: bookinfo
labels:
account: reviews
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: reviews-v1
namespace: bookinfo
labels:
app: reviews
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: reviews
version: v1
template:
metadata:
labels:
app: reviews
version: v1
spec:
serviceAccountName: bookinfo-reviews
containers:
- name: reviews
image: docker.io/istio/examples-bookinfo-reviews-v1:1.17.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
volumeMounts:
- name: tmp
mountPath: /tmp
- name: wlp-output
mountPath: /opt/ibm/wlp/output
securityContext:
runAsUser: 1000
volumes:
- name: wlp-output
emptyDir: {}
- name: tmp
emptyDir: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: reviews-v2
namespace: bookinfo
labels:
app: reviews
version: v2
spec:
replicas: 1
selector:
matchLabels:
app: reviews
version: v2
template:
metadata:
labels:
app: reviews
version: v2
spec:
serviceAccountName: bookinfo-reviews
containers:
- name: reviews
image: docker.io/istio/examples-bookinfo-reviews-v2:1.17.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
volumeMounts:
- name: tmp
mountPath: /tmp
- name: wlp-output
mountPath: /opt/ibm/wlp/output
securityContext:
runAsUser: 1000
volumes:
- name: wlp-output
emptyDir: {}
- name: tmp
emptyDir: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: reviews-v3
namespace: bookinfo
labels:
app: reviews
version: v3
spec:
replicas: 1
selector:
matchLabels:
app: reviews
version: v3
template:
metadata:
labels:
app: reviews
version: v3
spec:
serviceAccountName: bookinfo-reviews
containers:
- name: reviews
image: docker.io/istio/examples-bookinfo-reviews-v3:1.17.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
volumeMounts:
- name: tmp
mountPath: /tmp
- name: wlp-output
mountPath: /opt/ibm/wlp/output
securityContext:
runAsUser: 1000
volumes:
- name: wlp-output
emptyDir: {}
- name: tmp
emptyDir: {}


@ -1,32 +0,0 @@
#!/bin/bash
#!/bin/bash
set -x
export domain=$1
export Ali_Key=$2
export Ali_Secret=$3
rm -rvf ${Domain}.* -f
rm -rvf /etc/ssl/${Domain}.* -f
# Try to issue a certificate from ZeroSSL. If it fails, try Let's Encrypt.
curl https://get.acme.sh | sh -s email=156405189@qq.com
sh ~/.acme.sh/acme.sh --set-default-ca --server zerossl --issue --force --dns dns_ali -d ${domain} -d "*.${domain}";
if [ $? -eq 0 ]; then
echo "Certificate from zerossl successfully issued"
else
sh ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --issue --force --dns dns_ali -d ${domain} -d "*.${domain}"
if [ $? -eq 0 ]; then
echo "Certificate from letsencrypt successfully issued"
else
echo "Command failed"
exit 1
fi
fi
cat ~/.acme.sh/${domain}_ecc/${domain}.cer > ${domain}.pem
cat ~/.acme.sh/${domain}_ecc/ca.cer >> ${domain}.pem
cat ~/.acme.sh/${domain}_ecc/${domain}.key > ${domain}.key
sudo cp ${domain}.pem /etc/ssl/ -f && sudo cp ${domain}.key /etc/ssl/ -f


@ -1,10 +0,0 @@
#!/bin/bash
export secret=$1
export key_file=$2
export cert_file=$3
export namespace=$4
kubectl create namespace $namespace || echo true
kubectl delete secret tls $secret -n $namespace || echo true
kubectl create secret tls $secret --cert=$cert_file --key=$key_file -n $namespace


@ -1,2 +0,0 @@
dependencies:
- role: common


@ -1,3 +0,0 @@
- name: certs automated issuance
script: files/certs_automated_issuance.sh {{ domain }} {{ dns_ak }} {{ dns_sk }}
when: (inventory_hostname in groups[group]) and (auto_issuance == true)


@ -1,37 +0,0 @@
#!/bin/bash
domain=$1
namespace=$2
admin_password=$3
secret_name=$4
storage_type=$5
cat > values.yaml << EOF
env:
open:
STORAGE: local
DISABLE_API: false
AUTH_ANONYMOUS_GET: true
secret:
BASIC_AUTH_USER: admin
BASIC_AUTH_PASS: '$admin_password'
ingress:
enabled: true
hosts:
- name: charts.$domain
path: /
tls: true
tlsSecret: $secret_name
ingressClassName: nginx
persistence:
enabled: true
accessMode: ReadWriteOnce
size: 8Gi
path: /storage
storageClass: "local-path"
EOF
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
helm repo add chartmuseum https://chartmuseum.github.io/charts
helm repo update
helm upgrade --install chartmuseum chartmuseum/chartmuseum -f values.yaml -n $namespace


@ -1,3 +0,0 @@
dependencies:
- role: cert-manager
- role: secret-manger


@ -1,4 +0,0 @@
- name: Setup Chartmuseum Server
script: files/setup.sh {{ domain }} {{ namespace }} {{ admin_password }} {{ item.secret_name }}
loop: "{{ tls }}"
when: inventory_hostname in groups[group]


@ -1,3 +0,0 @@
dependencies:
- role: cert-manager
- role: secret-manger


@ -1,11 +0,0 @@
- name: Pre setup
shell: "kubectl create namespace chatwithgpt || echo true; rm -f /tmp/chatwithgpt.yaml || echo true"
- name: Sync chatwithgpt deploy yaml
template: src=templates/{{ item }} dest=/tmp/{{ item }} owner=root group=root mode=0644 force=yes unsafe_writes=yes
with_items:
- chatwithgpt.yaml
- name: Setup ChatWithGPT Server
shell: "kubectl apply -f /tmp/chatwithgpt.yaml"
when: inventory_hostname in groups[group]


@ -1,2 +0,0 @@
/clickhouse-keeper-k8s.iml
/.idea/


@ -1,104 +0,0 @@
apiVersion: v1
kind: Service
metadata:
annotations:
meta.helm.sh/release-name: chatwithgpt
meta.helm.sh/release-namespace: chatwithgpt
labels:
app.kubernetes.io/name: chargpt
app.kubernetes.io/version: 0.2.0
app.kubernetes.io/instance: chatwithgpt
name: chatwithgpt
namespace: chatwithgpt
spec:
internalTrafficPolicy: Cluster
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- name: http
port: 3000
protocol: TCP
targetPort: http
selector:
app.kubernetes.io/name: chatwithgpt
app.kubernetes.io/instance: chatwithgpt
sessionAffinity: None
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/instance: chatwithgpt
app.kubernetes.io/name: chatwithgpt
name: chatwithgpt
namespace: chatwithgpt
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/name: chatwithgpt
app.kubernetes.io/instance: chatwithgpt
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/name: chatwithgpt
app.kubernetes.io/instance: chatwithgpt
spec:
containers:
- name: chatwithgpt
image: artifact.onwalk.net/public/chatwithgpt:latest
imagePullPolicy: Always
env:
- name: PORT
value: "3000"
- name: WEBAPP_PORT
value: "3000"
ports:
- containerPort: 3000
name: http
protocol: TCP
resources: {}
securityContext: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app.kubernetes.io/name: chatwithgpt
app.kubernetes.io/instance: chatwithgpt
name: chatwithgpt
namespace: chatwithgpt
spec:
ingressClassName: nginx
rules:
- host: chatwithgpt.onwalk.net
http:
paths:
- backend:
service:
name: chatwithgpt
port:
number: 3000
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- chatwithgpt.onwalk.net
secretName: chatwithgpt-tls


@ -1,38 +0,0 @@
- name: Prep DIR
shell: "mkdir -pv /tmp/clickhouse-cluster/ && mkdir -pv /tmp/qryn"
- name: Prep NameSpace
shell: "kubectl create namespace clickhouse || echo true"
- name: sync clickhouse deploy yaml
template: src=templates/{{ item }} dest=/tmp/{{ item }} owner=root group=root mode=0644 force=yes unsafe_writes=yes
with_items:
- clickhouse-cluster/clickhouse-config.yaml
- clickhouse-cluster/clickhouse-service.yaml
- clickhouse-cluster/clickhouse-user-config.yaml
- clickhouse-cluster/clickhouse-statefulset.yml
- name: Setup ClickHouse Server
shell: "cd /tmp/clickhouse-cluster && kubectl apply -f ."
when: inventory_hostname in groups[group]
- name: get clickhouse node ip
shell: "kubectl get pods -n clickhouse -o wide | grep clickhouse | awk '{print $6}'"
register: ck_node_ip_raw
when: inventory_hostname in groups[group][0]
- name: set fact join command for ck_node_ip
set_fact:
ck_node_ip : "{{ ck_node_ip_raw.stdout_lines[0] }}"
when: inventory_hostname in groups[group][0]
- name: sync clickhouse deploy yaml
template: src=templates/{{ item }} dest=/tmp/{{ item }} owner=root group=root mode=0644 force=yes unsafe_writes=yes
with_items:
- qryn/qryn-deployment.yaml
- qryn/qryn-service.yaml
- qryn/qryn-ingress.yaml
- name: Setup Qryn Server
shell: "cd /tmp/qryn && kubectl apply -f ."
when: inventory_hostname in groups[group]


@ -1,2 +0,0 @@
/clickhouse-keeper-k8s.iml
/.idea/
