Refactor workflow steps into reusable scripts

This commit is contained in:
shenlan 2025-09-29 19:53:11 +08:00
parent 02c30229ca
commit ffb5510382
21 changed files with 322 additions and 744 deletions


@ -1,26 +0,0 @@
name: Setup Chartmuseum Server
on:
pull_request:
paths:
- '.github/workflows/app-pipeline-chartmuseum.yml'
workflow_dispatch:
branches:
- main
jobs:
setup-chartmuseum-server:
uses: svc-design/actions/.github/workflows/setup-chartmuseum-server.yml@main
with:
domain: 'svc.plus'
cluster_name: 'k3s-server'
ssh_host_ip: '35.77.36.144'
ssh_host_name: 'k3s-server'
secrets:
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
SSH_USER: ${{ secrets.SSH_USER }}
SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
ADMIN_PASSWORD: ${{ secrets.ADMIN_INIT_PASSWORD }}
ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}


@ -1,98 +0,0 @@
name: Deploy Grafana Alloy Agent
on:
pull_request:
paths:
- '.github/workflows/app-pipeline-grafana-alloy.yml'
workflow_dispatch:
branches:
- main
jobs:
setup-cn-gateway-log-agent:
uses: svc-design/actions/.github/workflows/setup-grafana-alloy.yml@main
with:
domain: 'svc.plus'
cluster_name: 'cn-k3s-cluster'
ssh_host_name: 'cn-gateway'
ssh_host_ip: '110.42.238.110'
loki_journal_sources: |
loki_journal_sources_vpn.yml
loki_journal_sources_gateway.yml
loki_journal_sources_k3s_agent.yml
dry-run: 'false'
secrets:
SSH_USER: ${{ secrets.SSH_USER }}
SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
setup-cn-k3s-server-log-agent:
uses: svc-design/actions/.github/workflows/setup-grafana-alloy.yml@main
with:
domain: 'svc.plus'
cluster_name: 'cn-k3s-cluster'
ssh_host_name: 'cn-k3s-server'
ssh_host_ip: '8.130.93.47'
loki_journal_sources: |
loki_journal_sources_vpn.yml
loki_journal_sources_k3s_server.yml
dry-run: 'false'
secrets:
SSH_USER: ${{ secrets.SSH_USER }}
SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
setup-cn-hw-node-log-agent:
uses: svc-design/actions/.github/workflows/setup-grafana-alloy.yml@main
with:
domain: 'svc.plus'
cluster_name: 'cn-k3s-cluster'
ssh_host_name: 'cn-hw-node'
ssh_host_ip: '139.9.139.22'
loki_journal_sources: |
loki_journal_sources_vpn.yml
loki_journal_sources_k3s_agent.yml
dry-run: 'false'
secrets:
SSH_USER: ${{ secrets.SSH_USER }}
SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
setup-global-gateway-log-agent:
uses: svc-design/actions/.github/workflows/setup-grafana-alloy.yml@main
with:
domain: 'svc.plus'
cluster_name: 'global-k3s-cluster'
ssh_host_name: 'global-gateway'
ssh_host_ip: '52.196.108.28'
loki_journal_sources: |
loki_journal_sources_vpn.yml
loki_journal_sources_gateway.yml
loki_journal_sources_k3s_agent.yml
dry-run: 'false'
secrets:
SSH_USER: ${{ secrets.SSH_USER }}
SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
setup-global-k3s-server-log-agent:
uses: svc-design/actions/.github/workflows/setup-grafana-alloy.yml@main
with:
domain: 'svc.plus'
cluster_name: 'global-k3s-cluster'
ssh_host_name: 'k3s-server'
ssh_host_ip: '43.207.193.125'
loki_journal_sources: |
loki_journal_sources_vpn.yml
loki_journal_sources_k3s_server.yml
loki_journal_sources_postgresql.yml
dry-run: 'false'
secrets:
SSH_USER: ${{ secrets.SSH_USER }}
SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}


@ -1,43 +0,0 @@
name: Setup Harbor Server
on:
pull_request:
paths:
- '.github/workflows/app-pipeline-harbor.yml'
workflow_dispatch:
branches:
- main
jobs:
setup-global-harbor-server:
uses: svc-design/actions/.github/workflows/setup-harbor-server.yml@main
with:
domain: 'svc.plus'
cluster_name: 'global-k3s-server'
ssh_host_ip: '43.207.193.125'
ssh_host_name: 'k3s-server'
ssh_host_domain: 'global-k3s-server.svc.plus'
secrets:
OSS_AK: ${{ secrets.OSS_AK }}
OSS_SK: ${{ secrets.OSS_SK }}
SSH_USER: ${{ secrets.SSH_USER }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
setup-cn-harbor-server:
uses: svc-design/actions/.github/workflows/setup-harbor-server.yml@main
with:
domain: 'svc.plus'
cluster_name: 'cn-k3s-server'
ssh_host_ip: '8.130.93.47'
ssh_host_name: 'cn-k3s-server'
ssh_host_domain: 'cn-k3s-server.svc.plus'
registry: 'registry.cn-wulanchabu.aliyuncs.com/svc-design'
secrets:
OSS_AK: ${{ secrets.OSS_AK }}
OSS_SK: ${{ secrets.OSS_SK }}
SSH_USER: ${{ secrets.SSH_USER }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}


@ -1,23 +0,0 @@
name: Setup Keycloak Server
on:
pull_request:
paths:
- '.github/workflows/app-pipeline-keycloak-server.yml'
workflow_dispatch:
branches:
- main
jobs:
setup-keycloak-server:
uses: svc-design/actions/.github/workflows/deploy-docker-keycloak-server.yml@main
with:
domain: 'onwalk.net'
ssh_host_ip: '139.9.139.22'
ssh_host_name: 'hw-node'
ssh_host_domain: 'hw-node.svc.plus'
secrets:
SSH_USER: ${{ secrets.SSH_USER }}
SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}


@ -0,0 +1,123 @@
name: GitOps Application Deployment Template
env:
GITOPS_REPO: "https://github.com/svc-design/gitops"
on:
pull_request:
paths:
- '.github/workflows/app-pipeline-template.yaml'
workflow_dispatch:
inputs:
environment:
description: 'Optional environment override for manual runs'
required: false
default: ''
application:
description: 'Optional application override for manual runs'
required: false
default: ''
jobs:
setup-container-gitops:
name: Setup FluxCD Agent (${matrix.env} · ${matrix.cluster_or_vhosts})
strategy:
matrix: &deployment_matrix
include:
- env: sit
cluster_or_vhosts: vhosts-sit
app_name: harbor
gitops_type: vhosts
gitops_branch: main
gitops_path: ''
gitops_playbook: sync/config.yaml
ssh_host: hw-node.svc.plus
ssh_host_ip: '139.9.139.22'
- env: nat
cluster_or_vhosts: k3s-nat
app_name: chaos-mesh
gitops_type: container
gitops_branch: main
gitops_path: clusters/k3s-nat
gitops_playbook: ''
- env: prod
cluster_or_vhosts: k3s-prod
app_name: cloud-native-app
gitops_type: container
gitops_branch: main
gitops_path: clusters/k3s-prod
gitops_playbook: ''
if: |
matrix.gitops_type == 'container' &&
(github.event_name != 'workflow_dispatch' ||
github.event.inputs.application == '' ||
github.event.inputs.application == matrix.app_name) &&
(github.event_name != 'workflow_dispatch' ||
github.event.inputs.environment == '' ||
github.event.inputs.environment == matrix.env)
runs-on: ubuntu-latest
steps:
- name: Prepare kubeconfig
env:
RAW_KUBE_CONFIG: ${{ secrets.KUBE_CONFIG }}
run: scripts/workflows/prepare-kubeconfig.sh
shell: bash
- name: Install Flux CLI
uses: fluxcd/flux2-action@v2
with:
version: '2.2.3'
- name: Install FluxCD components
run: scripts/workflows/install-flux-components.sh
shell: bash
- name: Configure GitOps reconciliation
env:
GITOPS_BRANCH: ${{ matrix.gitops_branch }}
GITOPS_PATH: ${{ matrix.gitops_path }}
run: scripts/workflows/configure-flux-gitops.sh
shell: bash
setup-vhosts-gitops:
name: Setup XConfig Agent (${matrix.env} · ${matrix.cluster_or_vhosts})
needs: []
strategy:
matrix: *deployment_matrix
if: |
matrix.gitops_type == 'vhosts' &&
(github.event_name != 'workflow_dispatch' ||
github.event.inputs.application == '' ||
github.event.inputs.application == matrix.app_name) &&
(github.event_name != 'workflow_dispatch' ||
github.event.inputs.environment == '' ||
github.event.inputs.environment == matrix.env)
runs-on: ubuntu-latest
steps:
- name: Install Ansible
run: scripts/workflows/install-ansible.sh
shell: bash
- name: Configure SSH access and inventory
env:
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
SSH_USER: ${{ secrets.SSH_USER }}
TARGET_HOST: ${{ matrix.ssh_host }}
TARGET_IP: ${{ matrix.ssh_host_ip }}
run: scripts/workflows/configure-ssh-inventory.sh
shell: bash
- name: Generate XConfig agent playbook
env:
GITOPS_BRANCH: ${{ matrix.gitops_branch }}
GITOPS_PLAYBOOK: ${{ matrix.gitops_playbook }}
run: scripts/workflows/generate-xconfig-playbook.sh
shell: bash
- name: Deploy XConfig agent
env:
ANSIBLE_HOST_KEY_CHECKING: 'False'
GITOPS_BRANCH: ${{ matrix.gitops_branch }}
GITOPS_PLAYBOOK: ${{ matrix.gitops_playbook }}
run: scripts/workflows/deploy-xconfig-agent.sh
shell: bash
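Review bot: Neither job checks out the repository before running `scripts/workflows/*.sh`, so on a fresh `ubuntu-latest` runner the `Prepare kubeconfig` and `Install Ansible` steps will fail with "No such file or directory"; add `- uses: actions/checkout@v4` as the first step of both `setup-container-gitops` and `setup-vhosts-gitops` (the deleted monitor-server workflow had this step). The `pull_request` trigger is also a deployment path: the `if:` guards only filter on `workflow_dispatch` inputs, so any same-repo PR touching this file runs every matrix entry, including `k3s-prod`, with the real `KUBE_CONFIG` and `SSH_PRIVATE_KEY` secrets before review; gate the jobs with an `environment:` that requires approval, or restrict `pull_request` runs to a dry-run. The job names use `${matrix.env}` rather than `${{ matrix.env }}` and will render literally. The `&deployment_matrix` / `*deployment_matrix` anchor has historically been rejected by the Actions workflow parser; confirm it is accepted before relying on it, otherwise duplicate the matrix. `ANSIBLE_HOST_KEY_CHECKING: 'False'` on the deploy step disables the host-key verification the preceding SSH step sets up; see the note on `deploy-xconfig-agent.sh`.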


@ -1,24 +0,0 @@
name: Setup Vault Server
on:
pull_request:
paths:
- '.github/workflows/app-pipeline-vault.yml'
workflow_dispatch:
branches:
- main
jobs:
setup-vault-server:
uses: svc-design/actions/.github/workflows/setup-vault.yml@main
with:
domain: 'svc.plus'
cluster_name: 'k3s-server'
ssh_host_ip: '35.77.36.144'
ssh_host_name: 'k3s-server'
ssh_host_domain: 'k3s-server.svc.plus'
secrets:
SSH_USER: ${{ secrets.SSH_USER }}
SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}


@ -1,83 +0,0 @@
name: Alicloud Landing Zone Baseline
on:
push:
paths:
- 'iac_modules/pulumi/**'
- 'config/alicloud/**'
- '.github/workflows/iac-pipeline-alicloud-landingzone-baseline.yaml'
pull_request:
branches: [main]
workflow_dispatch:
inputs:
deploy_action:
description: "Deployment action to execute"
type: choice
options:
- init
- magrate
- upgrade
- backup
- restore
- destroy
default: upgrade
deploy_dry_run:
description: "Run deployment steps in dry-run mode"
type: choice
options:
- 'true'
- 'false'
default: 'true'
env:
PULUMI_CI: 'true'
CONFIG_PATH: config/alicloud
jobs:
preview:
name: Preview baseline changes
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
- name: Pulumi preview
uses: pulumi/actions@v4
with:
command: preview
stack-name: alicloud/baseline-dev
work-dir: iac_modules/pulumi
env:
ALICLOUD_ACCESS_KEY_ID: ${{ secrets.ALICLOUD_ACCESS_KEY_ID }}
ALICLOUD_ACCESS_KEY_SECRET: ${{ secrets.ALICLOUD_ACCESS_KEY_SECRET }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
apply:
name: Apply to production stack
needs: preview
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
- name: Pulumi up
uses: pulumi/actions@v4
with:
command: up
stack-name: alicloud/baseline-prod
work-dir: iac_modules/pulumi
env:
ALICLOUD_ACCESS_KEY_ID: ${{ secrets.ALICLOUD_ACCESS_KEY_ID }}
ALICLOUD_ACCESS_KEY_SECRET: ${{ secrets.ALICLOUD_ACCESS_KEY_SECRET }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}


@ -1,153 +0,0 @@
name: Provision Monitor Server Infrastructure
on:
workflow_dispatch:
inputs:
deploy_action:
description: "Deployment action to execute"
type: choice
options:
- init
- magrate
- upgrade
- backup
- restore
- destroy
default: upgrade
deploy_dry_run:
description: "Run deployment steps in dry-run mode"
type: choice
options:
- 'true'
- 'false'
default: 'true'
pull_request:
branches: [main]
push:
branches:
- main
paths:
- '.github/workflows/iac-pipeline-infrastructure-monitor-server.yml'
env:
DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || '' }}
DEPLOY_DRY_RUN: ${{ github.event.inputs.deploy_dry_run || '' }}
ANSIBLE_USER: ${{ secrets.VPS_USER }}
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_LOAD_CALLBACK_PLUGINS: 'true'
jobs:
pre-setup:
runs-on: ubuntu-latest
steps:
- name: Pre-setup confirmation
run: echo "Pre-setup stage completed"
deploy:
needs: pre-setup
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
strategy:
matrix:
site: [otel.svc.plus]
steps:
- uses: actions/checkout@v4
- name: Determine deployment context
run: |
set -euo pipefail
dry_run="${DEPLOY_DRY_RUN}"
if [[ "${GITHUB_EVENT_NAME}" != "workflow_dispatch" ]]; then
dry_run="true"
fi
echo "EFFECTIVE_DRY_RUN=${dry_run}" >> "$GITHUB_ENV"
action="${DEPLOY_ACTION:-upgrade}"
if [[ -z "${action}" ]]; then
action="upgrade"
fi
echo "EFFECTIVE_DEPLOY_ACTION=${action}" >> "$GITHUB_ENV"
- name: Checkout infrastructure playbooks
uses: actions/checkout@v4
with:
repository: svc-design/gitops
path: gitops
- name: Install Ansible
run: |
set -euo pipefail
python3 -m pip install --upgrade pip
python3 -m pip install ansible
cat <<'CFG' > ~/.ansible.cfg
[defaults]
stdout_callback = yaml
callbacks_enabled = profile_tasks,timer
bin_ansible_callbacks = True
CFG
- name: Configure Ansible Vault password
env:
ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
run: |
set -euo pipefail
if [[ -z "${ANSIBLE_VAULT_PASSWORD:-}" ]]; then
echo "ANSIBLE_VAULT_PASSWORD secret is not configured" >&2
exit 1
fi
printf '%s' "${ANSIBLE_VAULT_PASSWORD}" > ~/.vault_password
chmod 600 ~/.vault_password
- name: Configure SSH access
env:
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
run: |
set -euo pipefail
install -m 700 -d ~/.ssh
echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
ssh-keyscan -H "${{ matrix.site }}" >> ~/.ssh/known_hosts
- name: Prepare provisioning inputs
id: prepare_provisioning
working-directory: gitops
run: |
set -euo pipefail
echo "inventory=playbooks/inventory.ini" >> "$GITHUB_OUTPUT"
echo "skip=false" >> "$GITHUB_OUTPUT"
extra_flags=()
if [[ "${EFFECTIVE_DRY_RUN}" == "true" ]]; then
extra_flags+=("--check")
fi
printf 'extra_flags=%s\n' "${extra_flags[*]}" >> "$GITHUB_OUTPUT"
monitor_playbook="playbooks/deploy_monitor_server.yml"
if [[ ! -f "$monitor_playbook" ]]; then
echo "Required playbook ${monitor_playbook} was not found" >&2
exit 1
fi
echo "monitor_playbook=${monitor_playbook}" >> "$GITHUB_OUTPUT"
case "${EFFECTIVE_DEPLOY_ACTION}" in
destroy|backup|backup-rollout|restore)
echo "skip=true" >> "$GITHUB_OUTPUT"
echo "Action ${EFFECTIVE_DEPLOY_ACTION} is not supported for monitor server provisioning" >&2
exit 0
;;
esac
- name: Provision Monitor Server
if: steps.prepare_provisioning.outputs.skip != 'true'
working-directory: gitops
env:
INVENTORY: ${{ steps.prepare_provisioning.outputs.inventory }}
EXTRA_FLAGS: ${{ steps.prepare_provisioning.outputs.extra_flags }}
MONITOR_PLAYBOOK: ${{ steps.prepare_provisioning.outputs.monitor_playbook }}
run: |
set -euo pipefail
flags=()
if [[ -n "${EXTRA_FLAGS}" ]]; then
flags+=(${EXTRA_FLAGS})
fi
ansible-playbook -i "${INVENTORY}" "${MONITOR_PLAYBOOK}" "${flags[@]}" --limit "${{ matrix.site }}"


@ -1,43 +0,0 @@
name: Setup ArgoCD Server
env:
STATE: "create" # 可以根据需要更改初始状态, 可选createupdate, destroy
CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
SSH_USER: ${{ secrets.HOST_USER }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
on:
pull_request:
paths:
- '.github/workflows/iac-pipeline-signal-cluster-argo-server.yml'
workflow_dispatch:
branches:
- main
jobs:
apply-cluster-resources:
uses: svc-design/actions/.github/workflows/setup-gcp-cloud.yml@main
with:
config: 'signal-cluster-config-argo-server.yaml'
secrets:
SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
setup-k3s-cluster-with-argo-server:
uses: svc-design/actions/.github/workflows/setup-k3s-cluster-argocd.yml@main
with:
domain: 'onwalk.net'
cluster_name: 'argocd'
ssh_host_name: 'argocd'
secrets:
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
VAULT_URL: ${{ secrets.VAULT_URL }}
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
SSH_USER: ${{ secrets.HOST_USER }}
needs:
- apply-cluster-resources


@ -1,73 +0,0 @@
name: Setup Chaos-mesh Server
env:
STATE: "create" # 可以根据需要更改初始状态, 可选createupdate, destroy
CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
SSH_USER: ${{ secrets.HOST_USER }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
on:
pull_request:
paths:
- '.github/workflows/iac-pipeline-signal-cluster-chaos-mesh.yml'
workflow_dispatch:
branches:
- main
jobs:
apply-cluster-resources:
uses: svc-design/actions/.github/workflows/setup-gcp-cloud.yml@main
with:
config: 'signal-cluster-config-chaosmesh-server.yaml'
secrets:
SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
setup-k3s-cluster:
uses: svc-design/actions/.github/workflows/setup-k3s-cluster.yml@main
with:
domain: 'onwalk.net'
cluster_name: 'chaosmesh'
ssh_host_name: 'chaosmesh'
secrets:
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
VAULT_URL: ${{ secrets.VAULT_URL }}
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
SSH_USER: ${{ secrets.HOST_USER }}
needs:
- apply-cluster-resources
setup-iac-pipeline-signal-cluster-chaos-mesh-server:
uses: svc-design/actions/.github/workflows/setup-chaos-mesh.yaml@main
with:
domain: 'onwalk.net'
cluster_name: 'chaosmesh'
ssh_host_name: 'chaosmesh'
secrets:
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
SSH_USER: ${{ secrets.HOST_USER }}
needs:
- setup-k3s-cluster
setup-deepflow-server:
uses: svc-design/actions/.github/workflows/setup-deepflow-server.yml@main
with:
domain: 'onwalk.net'
cluster_name: 'chaosmesh'
ssh_host_name: 'chaosmesh'
secrets:
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
SSH_USER: ${{ secrets.HOST_USER }}
needs:
- setup-k3s-cluster


@ -1,60 +0,0 @@
name: Setup harbor Server with IAC
env:
STATE: "create" # 可以根据需要更改初始状态, 可选createupdate, destroy
CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
SSH_USER: ${{ secrets.SSH_USER }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
on:
pull_request:
paths:
- '.github/workflows/setup-harbor-server.yml'
workflow_dispatch:
branches:
- main
jobs:
apply-cluster-resources:
uses: svc-design/actions/.github/workflows/setup-gcp-cloud.yml@main
with:
config: 'signal-cluster-config-chaosmesh-server.yaml'
secrets:
SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
setup-k3s-cluster:
uses: svc-design/actions/.github/workflows/setup-k3s-cluster.yml@main
with:
domain: 'onwalk.net'
cluster_name: 'chaosmesh'
ssh_host_name: 'chaosmesh'
secrets:
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
VAULT_URL: ${{ secrets.VAULT_URL }}
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
SSH_USER: ${{ secrets.SSH_USER }}
needs:
- apply-cluster-resources
setup-iac-pipeline-signal-cluster-harbor-server:
uses: svc-design/actions/.github/workflows/setup-harbor-server.yml@main
with:
domain: 'onwalk.net'
cluster_name: 'chaosmesh'
ssh_host_name: 'chaosmesh'
secrets:
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
OSS_AK: ${{ secrets.OSS_AK }}
OSS_SK: ${{ secrets.OSS_SK }}
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
SSH_USER: ${{ secrets.SSH_USER }}
needs:
- setup-k3s-cluster


@ -1,59 +0,0 @@
name: Setup Jenkins Server
env:
STATE: "create" # 可以根据需要更改初始状态, 可选createupdate, destroy
CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
SSH_USER: ${{ secrets.HOST_USER }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
on:
pull_request:
paths:
- '.github/workflows/iac-pipeline-signal-cluster-jenkins.yml'
workflow_dispatch:
branches:
- main
jobs:
apply-cluster-resources:
uses: svc-design/actions/.github/workflows/setup-gcp-cloud.yml@main
with:
config: 'signal-cluster-config-jenkins-server.yaml'
secrets:
SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
setup-k3s-cluster:
uses: svc-design/actions/.github/workflows/setup-k3s-cluster.yml@main
with:
domain: 'onwalk.net'
cluster_name: 'jenkins'
ssh_host_name: 'jenkins'
secrets:
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
VAULT_URL: ${{ secrets.VAULT_URL }}
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
SSH_USER: ${{ secrets.HOST_USER }}
needs:
- apply-cluster-resources
setup-jenkins-server:
uses: svc-design/actions/.github/workflows/setup-jenkins-server.yaml@main
with:
domain: 'onwalk.net'
cluster_name: 'jenkins'
ssh_host_name: 'jenkins'
secrets:
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
SSH_USER: ${{ secrets.HOST_USER }}
ADMIN_PASSWORD: ${{ secrets.ADMIN_INIT_PASSWORD }}
needs:
- setup-k3s-cluster


@ -1,59 +0,0 @@
name: Signal K3S Cluster Pipeline Keycloak with IAC tools
env:
STATE: "create" # 可以根据需要更改初始状态, 可选createupdate, destroy
CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
SSH_USER: ${{ secrets.HOST_USER }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
on:
pull_request:
paths:
- '.github/workflows/iac-pipeline-signal-cluster-keycloak.yml'
workflow_dispatch:
branches:
- main
jobs:
apply-cluster-resources:
uses: svc-design/actions/.github/workflows/setup-gcp-cloud.yml@main
with:
config: 'signal-cluster-config.yaml'
secrets:
SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
setup-k3s-cluster:
uses: svc-design/actions/.github/workflows/setup-k3s-cluster.yml@main
with:
domain: 'svc-dev.ink'
cluster_name: 'monitor'
ssh_host_name: 'monitor'
secrets:
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
VAULT_URL: ${{ secrets.VAULT_URL }}
VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
SSH_USER: ${{ secrets.HOST_USER }}
needs:
- apply-cluster-resources
setup-keycloak-server:
uses: svc-design/actions/.github/workflows/setup-keycloak-server.yml@main
with:
domain: 'svc-dev.ink'
cluster_name: 'monitor'
ssh_host_name: 'monitor'
secrets:
GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
SSH_USER: ${{ secrets.HOST_USER }}
ADMIN_PASSWORD: ${{ secrets.ADMIN_INIT_PASSWORD }}
needs:
- setup-k3s-cluster


@ -0,0 +1,2 @@
# Placeholder helmfile for cloud-native-app deployments.
# Populate with real release definitions as needed.


@ -0,0 +1,38 @@
#!/usr/bin/env bash
set -euo pipefail
: "${GITOPS_REPO:?GITOPS_REPO is required}"
: "${GITOPS_BRANCH:?GITOPS_BRANCH is required}"
: "${GITOPS_PATH:?GitOps path is not configured for container matrix entry}"
cat <<EOF_CONFIG > git-repository.yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
name: ${GITOPS_PATH//\//-}-gitops
namespace: gitops-system
spec:
interval: 1m0s
ref:
branch: ${GITOPS_BRANCH}
url: ${GITOPS_REPO}
EOF_CONFIG
cat <<EOF_KUSTOMIZE > kustomization.yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: ${GITOPS_PATH//\//-}-sync
namespace: gitops-system
spec:
interval: 1m0s
sourceRef:
kind: GitRepository
name: ${GITOPS_PATH//\//-}-gitops
path: ./${GITOPS_PATH}
prune: true
wait: true
EOF_KUSTOMIZE
kubectl apply -f git-repository.yaml
kubectl apply -f kustomization.yaml
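Review bot: The generated `Kustomization` sets no `spec.serviceAccountName`, so kustomize-controller applies the repo contents with its own cluster-admin service account; combined with `prune: true` over the whole `clusters/<env>` path, anyone who can push to `main` of the public `svc-design/gitops` repo can create or delete arbitrary resources on `k3s-prod`. Add `serviceAccountName: <scoped-sa>` (and, if the repo supports it, `spec.verify` for signed commits) and make sure that branch is protected. Both manifests use the `v1beta2` API groups, which are deprecated in the Flux 2.2.x the workflow installs; `source.toolkit.fluxcd.io/v1` and `kustomize.toolkit.fluxcd.io/v1` have been GA since Flux 2.0, so switch to `apiVersion: source.toolkit.fluxcd.io/v1` and `apiVersion: kustomize.toolkit.fluxcd.io/v1` before the beta versions are dropped.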


@ -0,0 +1,18 @@
#!/usr/bin/env bash
set -euo pipefail
: "${SSH_PRIVATE_KEY:?SSH_PRIVATE_KEY is required}"
: "${SSH_USER:?SSH_USER is required}"
: "${TARGET_HOST:?TARGET_HOST is required}"
: "${TARGET_IP:?TARGET_IP is required}"
install -m 700 -d "${HOME}/.ssh"
printf '%s\n' "${SSH_PRIVATE_KEY}" > "${HOME}/.ssh/id_rsa"
chmod 600 "${HOME}/.ssh/id_rsa"
ssh-keyscan -H "${TARGET_HOST}" >> "${HOME}/.ssh/known_hosts" 2>/dev/null || true
ssh-keyscan -H "${TARGET_IP}" >> "${HOME}/.ssh/known_hosts" 2>/dev/null || true
cat <<EOF_INVENTORY > inventory.ini
[vhosts]
${TARGET_HOST} ansible_host=${TARGET_IP} ansible_user=${SSH_USER}
EOF_INVENTORY
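Review bot: The `ssh-keyscan … || true` lines mean a DNS or network failure leaves `known_hosts` empty without failing the job, and even when they succeed they only record whatever host answers at deploy time (trust-on-first-use on every run), which does not authenticate `TARGET_HOST` at all; pin the expected host key instead, e.g. write a `KNOWN_HOSTS` secret or a committed fingerprint file into `${HOME}/.ssh/known_hosts` and drop the `|| true`. The private key is also created by plain redirection under the default umask and only restricted afterwards; write it as `(umask 077; printf '%s\n' "${SSH_PRIVATE_KEY}" > "${HOME}/.ssh/id_rsa")` or `install -m 600 /dev/null "${HOME}/.ssh/id_rsa"` before the `printf` so it never exists world-readable.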


@ -0,0 +1,12 @@
#!/usr/bin/env bash
set -euo pipefail
: "${GITOPS_REPO:?GITOPS_REPO is required}"
: "${GITOPS_BRANCH:?GITOPS_BRANCH is required}"
: "${GITOPS_PLAYBOOK:?GitOps playbook path is required for vhosts matrix entry}"
ANSIBLE_HOST_KEY_CHECKING=${ANSIBLE_HOST_KEY_CHECKING:-False}
export ANSIBLE_HOST_KEY_CHECKING
ansible-playbook -i inventory.ini install-xconfig-agent.yml \
--extra-vars "gitops_repo=${GITOPS_REPO} gitops_branch=${GITOPS_BRANCH} gitops_playbook=${GITOPS_PLAYBOOK}"
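Review bot: `ANSIBLE_HOST_KEY_CHECKING=${ANSIBLE_HOST_KEY_CHECKING:-False}` defaults host-key verification to off (and the workflow sets it to `'False'` as well), so the `known_hosts` populated by `configure-ssh-inventory.sh` is never enforced and the runner will present its SSH key to whatever answers at `ansible_host`; remove the default and the workflow override so the pinned host key is checked, or at most use `ANSIBLE_SSH_COMMON_ARGS='-o StrictHostKeyChecking=accept-new'`. The `--extra-vars "k=v k=v"` form splits on whitespace, so any value containing a space (a playbook path, for instance) would silently become extra keys; passing the three values via a JSON vars file (`--extra-vars @extra-vars.json`) is more robust.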


@ -0,0 +1,101 @@
#!/usr/bin/env bash
set -euo pipefail
: "${GITOPS_PLAYBOOK:?GitOps playbook path is required for vhosts matrix entry}"
cat <<'PLAYBOOK' > install-xconfig-agent.yml
- hosts: all
become: yes
tasks:
- name: Ensure build dependencies are installed
ansible.builtin.apt:
name:
- build-essential
- curl
- git
- pkg-config
- libssl-dev
state: present
update_cache: true
- name: Install Rust toolchain when missing
ansible.builtin.shell: |
set -euo pipefail
if ! command -v rustup >/dev/null 2>&1; then
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
fi
args:
creates: "{{ ansible_env.HOME }}/.cargo/bin/rustup"
- name: Build cw-agent binary
# noqa command-instead-of-shell
ansible.builtin.shell: |
set -euo pipefail
work_dir=$(mktemp -d)
trap 'rm -rf "${work_dir}"' EXIT
git clone --depth 1 https://github.com/svc-design/XConfig "${work_dir}/XConfig"
cd "${work_dir}/XConfig/CraftWeaveAgent"
. "{{ ansible_env.HOME }}/.cargo/env"
cargo build --release
install -D -m 0755 target/release/cw-agent /usr/local/bin/cw-agent
args:
creates: /usr/local/bin/cw-agent
- name: Ensure agent working directories exist
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: '0755'
loop:
- /etc
- /var/lib/cw-agent
- name: Configure cw-agent
ansible.builtin.copy:
dest: /etc/cw-agent.conf
owner: root
group: root
mode: '0644'
content: |
repo: "{{ gitops_repo }}"
branch: {{ gitops_branch }}
interval: 60
playbook:
- {{ gitops_playbook }}
- name: Install cw-agent systemd service
ansible.builtin.copy:
dest: /etc/systemd/system/cw-agent.service
owner: root
group: root
mode: '0644'
content: |
[Unit]
Description=Xconfig Agent Service
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/usr/local/bin/cw-agent daemon --config /etc/cw-agent.conf
Restart=on-failure
RestartSec=5
User=root
Environment=RUST_LOG=info
WorkingDirectory=/var/lib/cw-agent
[Install]
WantedBy=multi-user.target
- name: Reload systemd manager configuration
ansible.builtin.systemd:
daemon_reload: true
- name: Enable and restart cw-agent
ansible.builtin.systemd:
name: cw-agent.service
enabled: true
state: restarted
PLAYBOOK
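Review bot: Both `ansible.builtin.shell` tasks start with `set -euo pipefail` but run under the module's default `/bin/sh`, which on the Debian/Ubuntu hosts the `apt` task targets is typically dash and may reject `-o pipefail` (`set: Illegal option -o pipefail`), failing the play before rustup or the build runs; add `executable: /bin/bash` under `args:` of each task. The agent is then built from an unpinned `git clone --depth 1 https://github.com/svc-design/XConfig` (default branch HEAD) and an unpinned `curl … sh.rustup.rs | sh`, and installed as a root systemd service (`User=root`), so whoever can push to that repository or intercept those downloads gets root on every vhost; pin a tag or commit (`git clone --branch "{{ xconfig_ref }}" …` plus `git -C … checkout <sha>`) and pin the rustup installer or verify its checksum. Minor: `/etc` in the directory loop does nothing useful and will reset `/etc`'s ownership and mode on every run; only `/var/lib/cw-agent` needs to be created.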


@ -0,0 +1,5 @@
#!/usr/bin/env bash
set -euo pipefail
sudo apt-get update
sudo apt-get install -y ansible


@ -0,0 +1,5 @@
#!/usr/bin/env bash
set -euo pipefail
kubectl create namespace gitops-system --dry-run=client -o yaml | kubectl apply -f -
flux install --namespace=gitops-system --components-extra=image-reflector-controller,image-automation-controller
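Review bot: `--components-extra=image-reflector-controller,image-automation-controller` installs two controllers that nothing in this commit's Flux configuration uses (only a `GitRepository` and a `Kustomization` are created), and image-automation-controller in particular needs git push credentials to be useful; drop the flag unless an `ImageUpdateAutomation` is planned, to keep the control plane's attack surface minimal. `flux install` creates the target namespace itself, so the preceding `kubectl create namespace … | kubectl apply -f -` line appears redundant and can go.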


@ -0,0 +1,18 @@
#!/usr/bin/env bash
set -euo pipefail
RAW_KUBE_CONFIG=${RAW_KUBE_CONFIG:-}
if [[ -z "${RAW_KUBE_CONFIG}" ]]; then
echo "KUBE_CONFIG secret is not configured" >&2
exit 1
fi
mkdir -p "${HOME}/.kube"
if printf '%s' "${RAW_KUBE_CONFIG}" | base64 -d >"${HOME}/.kube/config" 2>/dev/null; then
true
else
printf '%s' "${RAW_KUBE_CONFIG}" >"${HOME}/.kube/config"
fi
chmod 600 "${HOME}/.kube/config"