diff --git a/.github/workflows/app-pipeline-chartmuseum.yml b/.github/workflows/app-pipeline-chartmuseum.yml deleted file mode 100644 index ceda9f5d..00000000 --- a/.github/workflows/app-pipeline-chartmuseum.yml +++ /dev/null @@ -1,26 +0,0 @@ -name: Setup Chartmuseum Server - -on: - pull_request: - paths: - - '.github/workflows/app-pipeline-chartmuseum.yml' - workflow_dispatch: - branches: - - main - -jobs: - setup-chartmuseum-server: - uses: svc-design/actions/.github/workflows/setup-chartmuseum-server.yml@main - with: - domain: 'svc.plus' - cluster_name: 'k3s-server' - ssh_host_ip: '35.77.36.144' - ssh_host_name: 'k3s-server' - secrets: - DNS_AK: ${{ secrets.DNS_AK }} - DNS_SK: ${{ secrets.DNS_SK }} - SSH_USER: ${{ secrets.SSH_USER }} - SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - ADMIN_PASSWORD: ${{ secrets.ADMIN_INIT_PASSWORD }} - ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }} diff --git a/.github/workflows/app-pipeline-grafana-alloy.yml b/.github/workflows/app-pipeline-grafana-alloy.yml deleted file mode 100644 index 7c31dd0d..00000000 --- a/.github/workflows/app-pipeline-grafana-alloy.yml +++ /dev/null 
@@ -1,98 +0,0 @@ -name: Deploy Grafana Alloy Agent - -on: - pull_request: - paths: - - '.github/workflows/app-pipeline-grafana-alloy.yml' - workflow_dispatch: - branches: - - main - -jobs: - setup-cn-gateway-log-agent: - uses: svc-design/actions/.github/workflows/setup-grafana-alloy.yml@main - with: - domain: 'svc.plus' - cluster_name: 'cn-k3s-cluster' - ssh_host_name: 'cn-gateway' - ssh_host_ip: '110.42.238.110' - loki_journal_sources: | - loki_journal_sources_vpn.yml - loki_journal_sources_gateway.yml - loki_journal_sources_k3s_agent.yml - dry-run: 'false' - secrets: - SSH_USER: ${{ secrets.SSH_USER }} - SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }} - - setup-cn-k3s-server-log-agent: - uses: svc-design/actions/.github/workflows/setup-grafana-alloy.yml@main - with: - domain: 'svc.plus' - cluster_name: 'cn-k3s-cluster' - ssh_host_name: 'cn-k3s-server' - ssh_host_ip: '8.130.93.47' - loki_journal_sources: | - loki_journal_sources_vpn.yml - loki_journal_sources_k3s_server.yml - dry-run: 'false' - secrets: - SSH_USER: ${{ secrets.SSH_USER }} - SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }} - - setup-cn-hw-node-log-agent: - uses: svc-design/actions/.github/workflows/setup-grafana-alloy.yml@main - with: - domain: 'svc.plus' - cluster_name: 'cn-k3s-cluster' - ssh_host_name: 'cn-hw-node' - ssh_host_ip: '139.9.139.22' - loki_journal_sources: | - loki_journal_sources_vpn.yml - loki_journal_sources_k3s_agent.yml - dry-run: 'false' - secrets: - SSH_USER: ${{ secrets.SSH_USER }} - SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }} - - setup-global-gateway-log-agent: - uses: svc-design/actions/.github/workflows/setup-grafana-alloy.yml@main - with: - 
domain: 'svc.plus' - cluster_name: 'global-k3s-cluster' - ssh_host_name: 'global-gateway' - ssh_host_ip: '52.196.108.28' - loki_journal_sources: | - loki_journal_sources_vpn.yml - loki_journal_sources_gateway.yml - loki_journal_sources_k3s_agent.yml - dry-run: 'false' - secrets: - SSH_USER: ${{ secrets.SSH_USER }} - SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }} - - setup-global-k3s-server-log-agent: - uses: svc-design/actions/.github/workflows/setup-grafana-alloy.yml@main - with: - domain: 'svc.plus' - cluster_name: 'global-k3s-cluster' - ssh_host_name: 'k3s-server' - ssh_host_ip: '43.207.193.125' - loki_journal_sources: | - loki_journal_sources_vpn.yml - loki_journal_sources_k3s_server.yml - loki_journal_sources_postgresql.yml - dry-run: 'false' - secrets: - SSH_USER: ${{ secrets.SSH_USER }} - SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }} diff --git a/.github/workflows/app-pipeline-harbor.yml b/.github/workflows/app-pipeline-harbor.yml deleted file mode 100644 index 482448d7..00000000 --- a/.github/workflows/app-pipeline-harbor.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -name: Setup Harbor Server - -on: - pull_request: - paths: - - '.github/workflows/app-pipeline-harbor.yml' - workflow_dispatch: - branches: - - main - -jobs: - setup-global-harbor-server: - uses: svc-design/actions/.github/workflows/setup-harbor-server.yml@main - with: - domain: 'svc.plus' - cluster_name: 'global-k3s-server' - ssh_host_ip: '43.207.193.125' - ssh_host_name: 'k3s-server' - ssh_host_domain: 'global-k3s-server.svc.plus' - secrets: - OSS_AK: ${{ secrets.OSS_AK }} - OSS_SK: ${{ secrets.OSS_SK }} - SSH_USER: ${{ secrets.SSH_USER }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }} - ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }} - - setup-cn-harbor-server: - uses: svc-design/actions/.github/workflows/setup-harbor-server.yml@main - with: - domain: 'svc.plus' - cluster_name: 'cn-k3s-server' - ssh_host_ip: '8.130.93.47' - ssh_host_name: 'cn-k3s-server' - ssh_host_domain: 'cn-k3s-server.svc.plus' - registry: 'registry.cn-wulanchabu.aliyuncs.com/svc-design' - secrets: - OSS_AK: ${{ secrets.OSS_AK }} - OSS_SK: ${{ secrets.OSS_SK }} - SSH_USER: ${{ secrets.SSH_USER }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }} - ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }} diff --git a/.github/workflows/app-pipeline-keycloak-server.yml b/.github/workflows/app-pipeline-keycloak-server.yml deleted file mode 100644 index ab05fc9e..00000000 --- a/.github/workflows/app-pipeline-keycloak-server.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: Setup Keycloak Server - -on: - pull_request: - paths: - - '.github/workflows/app-pipeline-keycloak-server.yml' - workflow_dispatch: - branches: - - main - -jobs: - setup-keycloak-server: - uses: svc-design/actions/.github/workflows/deploy-docker-keycloak-server.yml@main - with: - domain: 'onwalk.net' - ssh_host_ip: '139.9.139.22' - ssh_host_name: 'hw-node' - ssh_host_domain: 'hw-node.svc.plus' - secrets: - SSH_USER: ${{ secrets.SSH_USER }} - SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }} diff --git a/.github/workflows/app-pipeline-template.yaml b/.github/workflows/app-pipeline-template.yaml new file mode 100644 index 00000000..e89a3bfd --- /dev/null +++ b/.github/workflows/app-pipeline-template.yaml 
@@ -0,0 +1,123 @@
+name: GitOps Application Deployment Template
+
+env:
+ GITOPS_REPO: "https://github.com/svc-design/gitops"
+
+on:
+ pull_request:
+ paths:
+ - '.github/workflows/app-pipeline-template.yaml'
+ workflow_dispatch:
+ inputs:
+ environment:
+ description: 'Optional environment override for manual runs'
+ required: false
+ default: ''
+ application:
+ description: 'Optional application override for manual runs'
+ required: false
+ default: ''
+
+jobs:
+ setup-container-gitops:
+ name: Setup FluxCD Agent (${matrix.env} · ${matrix.cluster_or_vhosts})
+ strategy:
+ matrix: &deployment_matrix
+ include:
+ - env: sit
+ cluster_or_vhosts: vhosts-sit
+ app_name: harbor
+ gitops_type: vhosts
+ gitops_branch: main
+ gitops_path: ''
+ gitops_playbook: sync/config.yaml
+ ssh_host: hw-node.svc.plus
+ ssh_host_ip: '139.9.139.22'
+ - env: nat
+ cluster_or_vhosts: k3s-nat
+ app_name: chaos-mesh
+ gitops_type: container
+ gitops_branch: main
+ gitops_path: clusters/k3s-nat
+ gitops_playbook: ''
+ - env: prod
+ cluster_or_vhosts: k3s-prod
+ app_name: cloud-native-app
+ gitops_type: container
+ gitops_branch: main
+ gitops_path: clusters/k3s-prod
+ gitops_playbook: ''
+ if: |
+ matrix.gitops_type == 'container' &&
+ (github.event_name != 'workflow_dispatch' ||
+ github.event.inputs.application == '' ||
+ github.event.inputs.application == matrix.app_name) &&
+ (github.event_name != 'workflow_dispatch' ||
+ github.event.inputs.environment == '' ||
+ github.event.inputs.environment == matrix.env)
+ runs-on: ubuntu-latest
+ steps:
+ - name: Prepare kubeconfig
+ env:
+ RAW_KUBE_CONFIG: ${{ secrets.KUBE_CONFIG }}
+ run: scripts/workflows/prepare-kubeconfig.sh
+ shell: bash
+
+ - name: Install Flux CLI
+ uses: fluxcd/flux2-action@v2
+ with:
+ version: '2.2.3'
+
+ - name: Install FluxCD components
+ run: scripts/workflows/install-flux-components.sh
+ shell: bash
+
+ - name: Configure GitOps reconciliation
+ env:
+ GITOPS_BRANCH: ${{ matrix.gitops_branch }}
+ GITOPS_PATH: ${{ 
matrix.gitops_path }}
+ run: scripts/workflows/configure-flux-gitops.sh
+ shell: bash
+
+ setup-vhosts-gitops:
+ name: Setup XConfig Agent (${matrix.env} · ${matrix.cluster_or_vhosts})
+ needs: []
+ strategy:
+ matrix: *deployment_matrix
+ if: |
+ matrix.gitops_type == 'vhosts' &&
+ (github.event_name != 'workflow_dispatch' ||
+ github.event.inputs.application == '' ||
+ github.event.inputs.application == matrix.app_name) &&
+ (github.event_name != 'workflow_dispatch' ||
+ github.event.inputs.environment == '' ||
+ github.event.inputs.environment == matrix.env)
+ runs-on: ubuntu-latest
+ steps:
+ - name: Install Ansible
+ run: scripts/workflows/install-ansible.sh
+ shell: bash
+
+ - name: Configure SSH access and inventory
+ env:
+ SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+ SSH_USER: ${{ secrets.SSH_USER }}
+ TARGET_HOST: ${{ matrix.ssh_host }}
+ TARGET_IP: ${{ matrix.ssh_host_ip }}
+ run: scripts/workflows/configure-ssh-inventory.sh
+ shell: bash
+
+ - name: Generate XConfig agent playbook
+ env:
+ GITOPS_BRANCH: ${{ matrix.gitops_branch }}
+ GITOPS_PLAYBOOK: ${{ matrix.gitops_playbook }}
+ run: scripts/workflows/generate-xconfig-playbook.sh
+ shell: bash
+
+ - name: Deploy XConfig agent
+ env:
+ ANSIBLE_HOST_KEY_CHECKING: 'False'
+ GITOPS_BRANCH: ${{ matrix.gitops_branch }}
+ GITOPS_PLAYBOOK: ${{ matrix.gitops_playbook }}
+ run: scripts/workflows/deploy-xconfig-agent.sh
+ shell: bash
diff --git a/.github/workflows/app-pipeline-vault.yml b/.github/workflows/app-pipeline-vault.yml
deleted file mode 100644
index def487e3..00000000
--- a/.github/workflows/app-pipeline-vault.yml
+++ /dev/null 
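Review bot: Neither job checks out the repository before its first `run:` step, so `scripts/workflows/prepare-kubeconfig.sh` and `scripts/workflows/install-ansible.sh` will not exist on a fresh runner; add `- uses: actions/checkout@v4` as the first step of both `setup-container-gitops` and `setup-vhosts-gitops`. The job `name:` fields use `${matrix.env}` rather than the `${{ matrix.env }}` expression syntax, so they will render literally in the run view. The job-level `if:` reads `matrix.gitops_type`, but as far as I know the `matrix` context is not available in `jobs.<id>.if` (it is evaluated once, before the matrix expands), so the container/vhosts split probably needs two separate `include` lists or a step-level `if`; the `&deployment_matrix`/`*deployment_matrix` anchor also deserves a check against the workflow parser, which historically rejected YAML anchors. Since the `pull_request` trigger runs both deploy jobs for any PR touching this file, an `environment:` with required reviewers on the `prod` leg would keep a PR edit from reconciling the production cluster.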
@@ -1,24 +0,0 @@ -name: Setup Vault Server - -on: - pull_request: - paths: - - '.github/workflows/app-pipeline-vault.yml' - workflow_dispatch: - branches: - - main - -jobs: - setup-vault-server: - uses: svc-design/actions/.github/workflows/setup-vault.yml@main - with: - domain: 'svc.plus' - cluster_name: 'k3s-server' - ssh_host_ip: '35.77.36.144' - ssh_host_name: 'k3s-server' - ssh_host_domain: 'k3s-server.svc.plus' - secrets: - SSH_USER: ${{ secrets.SSH_USER }} - SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }} diff --git a/.github/workflows/iac-pipeline-alicloud-landingzone-baseline.yaml b/.github/workflows/iac-pipeline-alicloud-landingzone-baseline.yaml deleted file mode 100644 index 90960208..00000000 --- a/.github/workflows/iac-pipeline-alicloud-landingzone-baseline.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -name: Alicloud Landing Zone Baseline - -on: - push: - paths: - - 'iac_modules/pulumi/**' - - 'config/alicloud/**' - - '.github/workflows/iac-pipeline-alicloud-landingzone-baseline.yaml' - pull_request: - branches: [main] - workflow_dispatch: - inputs: - deploy_action: - description: "Deployment action to execute" - type: choice - options: - - init - - magrate - - upgrade - - backup - - restore - - destroy - default: upgrade - deploy_dry_run: - description: "Run deployment steps in dry-run mode" - type: choice - options: - - 'true' - - 'false' - default: 'true' - -env: - PULUMI_CI: 'true' - CONFIG_PATH: config/alicloud - -jobs: - preview: - name: Preview baseline changes - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 - with: - python-version: '3.10' - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - - name: Pulumi preview - uses: pulumi/actions@v4 - with: - command: preview - stack-name: alicloud/baseline-dev - work-dir: iac_modules/pulumi - env: - ALICLOUD_ACCESS_KEY_ID: ${{ secrets.ALICLOUD_ACCESS_KEY_ID }} - ALICLOUD_ACCESS_KEY_SECRET: ${{ secrets.ALICLOUD_ACCESS_KEY_SECRET }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} - - apply: - name: Apply to production stack - needs: preview - if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 - with: - python-version: '3.10' - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - - name: Pulumi up - uses: pulumi/actions@v4 - with: - command: up - stack-name: alicloud/baseline-prod - work-dir: iac_modules/pulumi - env: - ALICLOUD_ACCESS_KEY_ID: ${{ secrets.ALICLOUD_ACCESS_KEY_ID }} - ALICLOUD_ACCESS_KEY_SECRET: ${{ secrets.ALICLOUD_ACCESS_KEY_SECRET }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} 
diff --git a/.github/workflows/iac-pipeline-infrastructure-monitor-server.yml b/.github/workflows/iac-pipeline-infrastructure-monitor-server.yml deleted file mode 100644 index eb4185aa..00000000 --- a/.github/workflows/iac-pipeline-infrastructure-monitor-server.yml +++ /dev/null 
@@ -1,153 +0,0 @@ -name: Provision Monitor Server Infrastructure - -on: - workflow_dispatch: - inputs: - deploy_action: - description: "Deployment action to execute" - type: choice - options: - - init - - magrate - - upgrade - - backup - - restore - - destroy - default: upgrade - deploy_dry_run: - description: "Run deployment steps in dry-run mode" - type: choice - options: - - 'true' - - 'false' - default: 'true' - pull_request: - branches: [main] - push: - branches: - - main - paths: - - '.github/workflows/iac-pipeline-infrastructure-monitor-server.yml' - -env: - DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || '' }} - DEPLOY_DRY_RUN: ${{ github.event.inputs.deploy_dry_run || '' }} - ANSIBLE_USER: ${{ secrets.VPS_USER }} - ANSIBLE_STDOUT_CALLBACK: yaml - ANSIBLE_LOAD_CALLBACK_PLUGINS: 'true' - -jobs: - pre-setup: - runs-on: ubuntu-latest - steps: - - name: Pre-setup confirmation - run: echo "Pre-setup stage completed" - - deploy: - needs: pre-setup - if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest - strategy: - matrix: - site: [otel.svc.plus] - steps: - - uses: actions/checkout@v4 - - - name: Determine deployment context - run: | - set -euo pipefail - dry_run="${DEPLOY_DRY_RUN}" - if [[ "${GITHUB_EVENT_NAME}" != "workflow_dispatch" ]]; then - dry_run="true" - fi - echo "EFFECTIVE_DRY_RUN=${dry_run}" >> "$GITHUB_ENV" - action="${DEPLOY_ACTION:-upgrade}" - if [[ -z "${action}" ]]; then - action="upgrade" - fi - echo "EFFECTIVE_DEPLOY_ACTION=${action}" >> "$GITHUB_ENV" - - - name: Checkout infrastructure playbooks - uses: actions/checkout@v4 - with: - repository: svc-design/gitops - path: gitops - - - name: Install Ansible - run: | - set -euo pipefail - python3 -m pip install --upgrade pip - python3 -m pip install ansible - cat <<'CFG' > ~/.ansible.cfg - [defaults] - stdout_callback = yaml - callbacks_enabled = profile_tasks,timer - bin_ansible_callbacks = True - CFG - - - name: Configure Ansible Vault password - env: - ANSIBLE_VAULT_PASSWORD: 
${{ secrets.ANSIBLE_VAULT_PASSWORD }} - run: | - set -euo pipefail - if [[ -z "${ANSIBLE_VAULT_PASSWORD:-}" ]]; then - echo "ANSIBLE_VAULT_PASSWORD secret is not configured" >&2 - exit 1 - fi - printf '%s' "${ANSIBLE_VAULT_PASSWORD}" > ~/.vault_password - chmod 600 ~/.vault_password - - - name: Configure SSH access - env: - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - run: | - set -euo pipefail - install -m 700 -d ~/.ssh - echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_rsa - chmod 600 ~/.ssh/id_rsa - ssh-keyscan -H "${{ matrix.site }}" >> ~/.ssh/known_hosts - - - name: Prepare provisioning inputs - id: prepare_provisioning - working-directory: gitops - run: | - set -euo pipefail - - echo "inventory=playbooks/inventory.ini" >> "$GITHUB_OUTPUT" - echo "skip=false" >> "$GITHUB_OUTPUT" - - extra_flags=() - if [[ "${EFFECTIVE_DRY_RUN}" == "true" ]]; then - extra_flags+=("--check") - fi - printf 'extra_flags=%s\n' "${extra_flags[*]}" >> "$GITHUB_OUTPUT" - - monitor_playbook="playbooks/deploy_monitor_server.yml" - if [[ ! -f "$monitor_playbook" ]]; then - echo "Required playbook ${monitor_playbook} was not found" >&2 - exit 1 - fi - echo "monitor_playbook=${monitor_playbook}" >> "$GITHUB_OUTPUT" - - case "${EFFECTIVE_DEPLOY_ACTION}" in - destroy|backup|backup-rollout|restore) - echo "skip=true" >> "$GITHUB_OUTPUT" - echo "Action ${EFFECTIVE_DEPLOY_ACTION} is not supported for monitor server provisioning" >&2 - exit 0 - ;; - esac - - - name: Provision Monitor Server - if: steps.prepare_provisioning.outputs.skip != 'true' - working-directory: gitops - env: - INVENTORY: ${{ steps.prepare_provisioning.outputs.inventory }} - EXTRA_FLAGS: ${{ steps.prepare_provisioning.outputs.extra_flags }} - MONITOR_PLAYBOOK: ${{ steps.prepare_provisioning.outputs.monitor_playbook }} - run: | - set -euo pipefail - flags=() - if [[ -n "${EXTRA_FLAGS}" ]]; then - flags+=(${EXTRA_FLAGS}) - fi - ansible-playbook -i "${INVENTORY}" "${MONITOR_PLAYBOOK}" "${flags[@]}" --limit "${{ matrix.site }}" 
diff --git a/.github/workflows/iac-pipeline-signal-cluster-argo-server.yml b/.github/workflows/iac-pipeline-signal-cluster-argo-server.yml deleted file mode 100644 index c4f98f3a..00000000 --- a/.github/workflows/iac-pipeline-signal-cluster-argo-server.yml +++ /dev/null @@ -1,43 +0,0 @@ -name: Setup ArgoCD Server - -env: - STATE: "create" # 可以根据需要更改初始状态, 可选create,update, destroy - CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure - DNS_AK: ${{ secrets.DNS_AK }} - DNS_SK: ${{ secrets.DNS_SK }} - SSH_USER: ${{ secrets.HOST_USER }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - -on: - pull_request: - paths: - - '.github/workflows/iac-pipeline-signal-cluster-argo-server.yml' - workflow_dispatch: - branches: - - main - -jobs: - apply-cluster-resources: - uses: svc-design/actions/.github/workflows/setup-gcp-cloud.yml@main - with: - config: 'signal-cluster-config-argo-server.yaml' - secrets: - SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }} - GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }} - - setup-k3s-cluster-with-argo-server: - uses: svc-design/actions/.github/workflows/setup-k3s-cluster-argocd.yml@main - with: - domain: 'onwalk.net' - cluster_name: 'argocd' - ssh_host_name: 'argocd' - secrets: - GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - DNS_AK: ${{ secrets.DNS_AK }} - DNS_SK: ${{ secrets.DNS_SK }} - VAULT_URL: ${{ secrets.VAULT_URL }} - VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }} - SSH_USER: ${{ secrets.HOST_USER }} - needs: - - apply-cluster-resources diff --git a/.github/workflows/iac-pipeline-signal-cluster-chaos-mesh.yml b/.github/workflows/iac-pipeline-signal-cluster-chaos-mesh.yml deleted file mode 100644 index d202a99f..00000000 --- a/.github/workflows/iac-pipeline-signal-cluster-chaos-mesh.yml +++ /dev/null 
@@ -1,73 +0,0 @@ -name: Setup Chaos-mesh Server - -env: - STATE: "create" # 可以根据需要更改初始状态, 可选create,update, destroy - CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure - DNS_AK: ${{ secrets.DNS_AK }} - DNS_SK: ${{ secrets.DNS_SK }} - SSH_USER: ${{ secrets.HOST_USER }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - -on: - pull_request: - paths: - - '.github/workflows/iac-pipeline-signal-cluster-chaos-mesh.yml' - workflow_dispatch: - branches: - - main - -jobs: - apply-cluster-resources: - uses: svc-design/actions/.github/workflows/setup-gcp-cloud.yml@main - with: - config: 'signal-cluster-config-chaosmesh-server.yaml' - secrets: - SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }} - GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }} - - setup-k3s-cluster: - uses: svc-design/actions/.github/workflows/setup-k3s-cluster.yml@main - with: - domain: 'onwalk.net' - cluster_name: 'chaosmesh' - ssh_host_name: 'chaosmesh' - secrets: - GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - DNS_AK: ${{ secrets.DNS_AK }} - DNS_SK: ${{ secrets.DNS_SK }} - VAULT_URL: ${{ secrets.VAULT_URL }} - VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }} - SSH_USER: ${{ secrets.HOST_USER }} - needs: - - apply-cluster-resources - - setup-iac-pipeline-signal-cluster-chaos-mesh-server: - uses: svc-design/actions/.github/workflows/setup-chaos-mesh.yaml@main - with: - domain: 'onwalk.net' - cluster_name: 'chaosmesh' - ssh_host_name: 'chaosmesh' - secrets: - GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - DNS_AK: ${{ secrets.DNS_AK }} - DNS_SK: ${{ secrets.DNS_SK }} - SSH_USER: ${{ secrets.HOST_USER }} - needs: - - setup-k3s-cluster - - setup-deepflow-server: - uses: svc-design/actions/.github/workflows/setup-deepflow-server.yml@main - with: - domain: 'onwalk.net' - cluster_name: 'chaosmesh' - ssh_host_name: 'chaosmesh' - secrets: - GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }} 
- SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - DNS_AK: ${{ secrets.DNS_AK }} - DNS_SK: ${{ secrets.DNS_SK }} - SSH_USER: ${{ secrets.HOST_USER }} - needs: - - setup-k3s-cluster diff --git a/.github/workflows/iac-pipeline-signal-cluster-harbor.yml b/.github/workflows/iac-pipeline-signal-cluster-harbor.yml deleted file mode 100644 index 3132284c..00000000 --- a/.github/workflows/iac-pipeline-signal-cluster-harbor.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -name: Setup harbor Server with IAC - -env: - STATE: "create" # 可以根据需要更改初始状态, 可选create,update, destroy - CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure - DNS_AK: ${{ secrets.DNS_AK }} - DNS_SK: ${{ secrets.DNS_SK }} - SSH_USER: ${{ secrets.SSH_USER }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - -on: - pull_request: - paths: - - '.github/workflows/setup-harbor-server.yml' - workflow_dispatch: - branches: - - main - -jobs: - apply-cluster-resources: - uses: svc-design/actions/.github/workflows/setup-gcp-cloud.yml@main - with: - config: 'signal-cluster-config-chaosmesh-server.yaml' - secrets: - SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }} - GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }} - - setup-k3s-cluster: - uses: svc-design/actions/.github/workflows/setup-k3s-cluster.yml@main - with: - domain: 'onwalk.net' - cluster_name: 'chaosmesh' - ssh_host_name: 'chaosmesh' - secrets: - GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - DNS_AK: ${{ secrets.DNS_AK }} - DNS_SK: ${{ secrets.DNS_SK }} - VAULT_URL: ${{ secrets.VAULT_URL }} - VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }} - SSH_USER: ${{ secrets.SSH_USER }} - needs: - - apply-cluster-resources - - setup-iac-pipeline-signal-cluster-harbor-server: - uses: svc-design/actions/.github/workflows/setup-harbor-server.yml@main - with: - domain: 'onwalk.net' - cluster_name: 'chaosmesh' - ssh_host_name: 'chaosmesh' - secrets: - GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - OSS_AK: ${{ secrets.OSS_AK }} - OSS_SK: ${{ secrets.OSS_SK }} - DNS_AK: ${{ secrets.DNS_AK }} - DNS_SK: ${{ secrets.DNS_SK }} - SSH_USER: ${{ secrets.SSH_USER }} - needs: - - setup-k3s-cluster diff --git a/.github/workflows/iac-pipeline-signal-cluster-jenkins.yml b/.github/workflows/iac-pipeline-signal-cluster-jenkins.yml deleted file mode 100644 index a58372d1..00000000 
--- a/.github/workflows/iac-pipeline-signal-cluster-jenkins.yml +++ /dev/null @@ -1,59 +0,0 @@ -name: Setup Jenkins Server - -env: - STATE: "create" # 可以根据需要更改初始状态, 可选create,update, destroy - CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure - DNS_AK: ${{ secrets.DNS_AK }} - DNS_SK: ${{ secrets.DNS_SK }} - SSH_USER: ${{ secrets.HOST_USER }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - -on: - pull_request: - paths: - - '.github/workflows/iac-pipeline-signal-cluster-jenkins.yml' - workflow_dispatch: - branches: - - main - -jobs: - apply-cluster-resources: - uses: svc-design/actions/.github/workflows/setup-gcp-cloud.yml@main - with: - config: 'signal-cluster-config-jenkins-server.yaml' - secrets: - SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }} - GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }} - - setup-k3s-cluster: - uses: svc-design/actions/.github/workflows/setup-k3s-cluster.yml@main - with: - domain: 'onwalk.net' - cluster_name: 'jenkins' - ssh_host_name: 'jenkins' - secrets: - GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - DNS_AK: ${{ secrets.DNS_AK }} - DNS_SK: ${{ secrets.DNS_SK }} - VAULT_URL: ${{ secrets.VAULT_URL }} - VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }} - SSH_USER: ${{ secrets.HOST_USER }} - needs: - - apply-cluster-resources - - setup-jenkins-server: - uses: svc-design/actions/.github/workflows/setup-jenkins-server.yaml@main - with: - domain: 'onwalk.net' - cluster_name: 'jenkins' - ssh_host_name: 'jenkins' - secrets: - GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - DNS_AK: ${{ secrets.DNS_AK }} - DNS_SK: ${{ secrets.DNS_SK }} - SSH_USER: ${{ secrets.HOST_USER }} - ADMIN_PASSWORD: ${{ secrets.ADMIN_INIT_PASSWORD }} - needs: - - setup-k3s-cluster 
diff --git a/.github/workflows/iac-pipeline-signal-cluster-keycloak.yml b/.github/workflows/iac-pipeline-signal-cluster-keycloak.yml deleted file mode 100644 index 5d2c0d25..00000000 --- a/.github/workflows/iac-pipeline-signal-cluster-keycloak.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -name: Signal K3S Cluster Pipeline Keycloak with IAC tools - -env: - STATE: "create" # 可以根据需要更改初始状态, 可选create,update, destroy - CLOUD: "gcp" # 选择云服务商, 可选: gcp, aws, ali, azure - DNS_AK: ${{ secrets.DNS_AK }} - DNS_SK: ${{ secrets.DNS_SK }} - SSH_USER: ${{ secrets.HOST_USER }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - -on: - pull_request: - paths: - - '.github/workflows/iac-pipeline-signal-cluster-keycloak.yml' - workflow_dispatch: - branches: - - main - -jobs: - apply-cluster-resources: - uses: svc-design/actions/.github/workflows/setup-gcp-cloud.yml@main - with: - config: 'signal-cluster-config.yaml' - secrets: - SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }} - GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }} - - setup-k3s-cluster: - uses: svc-design/actions/.github/workflows/setup-k3s-cluster.yml@main - with: - domain: 'svc-dev.ink' - cluster_name: 'monitor' - ssh_host_name: 'monitor' - secrets: - GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - DNS_AK: ${{ secrets.DNS_AK }} - DNS_SK: ${{ secrets.DNS_SK }} - VAULT_URL: ${{ secrets.VAULT_URL }} - VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }} - SSH_USER: ${{ secrets.HOST_USER }} - needs: - - apply-cluster-resources - - setup-keycloak-server: - uses: svc-design/actions/.github/workflows/setup-keycloak-server.yml@main - with: - domain: 'svc-dev.ink' - cluster_name: 'monitor' - ssh_host_name: 'monitor' - secrets: - GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }} - SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} - DNS_AK: ${{ secrets.DNS_AK }} - DNS_SK: ${{ secrets.DNS_SK }} - SSH_USER: ${{ secrets.HOST_USER }} - ADMIN_PASSWORD: ${{ secrets.ADMIN_INIT_PASSWORD }} - needs: - - setup-k3s-cluster diff --git a/clusters/k3s-prod/cloud-native-app/helmfile.yaml b/clusters/k3s-prod/cloud-native-app/helmfile.yaml new file mode 100644 index 00000000..f8075bee --- /dev/null +++ b/clusters/k3s-prod/cloud-native-app/helmfile.yaml 
@@ -0,0 +1,2 @@
+# Placeholder helmfile for cloud-native-app deployments.
+# Populate with real release definitions as needed.
diff --git a/scripts/workflows/configure-flux-gitops.sh b/scripts/workflows/configure-flux-gitops.sh
new file mode 100755
index 00000000..ccf8ed63
--- /dev/null
+++ b/scripts/workflows/configure-flux-gitops.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${GITOPS_REPO:?GITOPS_REPO is required}"
+: "${GITOPS_BRANCH:?GITOPS_BRANCH is required}"
+: "${GITOPS_PATH:?GitOps path is not configured for container matrix entry}"
+
+cat < git-repository.yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: GitRepository
+metadata:
+ name: ${GITOPS_PATH//\//-}-gitops
+ namespace: gitops-system
+spec:
+ interval: 1m0s
+ ref:
+ branch: ${GITOPS_BRANCH}
+ url: ${GITOPS_REPO}
+EOF_CONFIG
+
+cat < kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: ${GITOPS_PATH//\//-}-sync
+ namespace: gitops-system
+spec:
+ interval: 1m0s
+ sourceRef:
+ kind: GitRepository
+ name: ${GITOPS_PATH//\//-}-gitops
+ path: ./${GITOPS_PATH}
+ prune: true
+ wait: true
+EOF_KUSTOMIZE
+
+kubectl apply -f git-repository.yaml
+kubectl apply -f kustomization.yaml
diff --git a/scripts/workflows/configure-ssh-inventory.sh b/scripts/workflows/configure-ssh-inventory.sh
new file mode 100755
index 00000000..dc9e361f
--- /dev/null
+++ b/scripts/workflows/configure-ssh-inventory.sh 
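Review bot: Both generated manifests use the deprecated `v1beta2` groups (`source.toolkit.fluxcd.io/v1beta2`, `kustomize.toolkit.fluxcd.io/v1beta2`); the Flux CLI the workflow pins (`2.2.3`) serves `v1` for both `GitRepository` and `Kustomization`, so `apiVersion: source.toolkit.fluxcd.io/v1` and `apiVersion: kustomize.toolkit.fluxcd.io/v1` avoid a break when the beta versions are removed. As rendered here the heredoc headers read `cat < git-repository.yaml` and `cat < kustomization.yaml` with closing `EOF_CONFIG`/`EOF_KUSTOMIZE`, presumably `cat <<EOF_CONFIG > git-repository.yaml` upstream; worth confirming, since the literal form would try to read a file that does not exist. The unquoted heredoc interpolates `GITOPS_PATH` straight into `metadata.name`, and `${GITOPS_PATH//\//-}` rewrites slashes but not uppercase or other non-DNS-1123 characters, so a guard before the heredocs such as `[[ "${GITOPS_PATH}" =~ ^[a-z0-9/-]+$ ]] || { echo "GITOPS_PATH must be lowercase DNS-safe" >&2; exit 1; }` fails fast with a clearer message than the API server's.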
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${SSH_PRIVATE_KEY:?SSH_PRIVATE_KEY is required}"
+: "${SSH_USER:?SSH_USER is required}"
+: "${TARGET_HOST:?TARGET_HOST is required}"
+: "${TARGET_IP:?TARGET_IP is required}"
+
+install -m 700 -d "${HOME}/.ssh"
+printf '%s\n' "${SSH_PRIVATE_KEY}" > "${HOME}/.ssh/id_rsa"
+chmod 600 "${HOME}/.ssh/id_rsa"
+ssh-keyscan -H "${TARGET_HOST}" >> "${HOME}/.ssh/known_hosts" 2>/dev/null || true
+ssh-keyscan -H "${TARGET_IP}" >> "${HOME}/.ssh/known_hosts" 2>/dev/null || true
+
+cat < inventory.ini
+[vhosts]
+${TARGET_HOST} ansible_host=${TARGET_IP} ansible_user=${SSH_USER}
+EOF_INVENTORY
diff --git a/scripts/workflows/deploy-xconfig-agent.sh b/scripts/workflows/deploy-xconfig-agent.sh
new file mode 100755
index 00000000..5dd9dd91
--- /dev/null
+++ b/scripts/workflows/deploy-xconfig-agent.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${GITOPS_REPO:?GITOPS_REPO is required}"
+: "${GITOPS_BRANCH:?GITOPS_BRANCH is required}"
+: "${GITOPS_PLAYBOOK:?GitOps playbook path is required for vhosts matrix entry}"
+
+ANSIBLE_HOST_KEY_CHECKING=${ANSIBLE_HOST_KEY_CHECKING:-False}
+export ANSIBLE_HOST_KEY_CHECKING
+
+ansible-playbook -i inventory.ini install-xconfig-agent.yml \
+ --extra-vars "gitops_repo=${GITOPS_REPO} gitops_branch=${GITOPS_BRANCH} gitops_playbook=${GITOPS_PLAYBOOK}"
diff --git a/scripts/workflows/generate-xconfig-playbook.sh b/scripts/workflows/generate-xconfig-playbook.sh
new file mode 100755
index 00000000..9a26de11
--- /dev/null
+++ b/scripts/workflows/generate-xconfig-playbook.sh 
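Review bot: The two `ssh-keyscan` lines seed `known_hosts` with `2>/dev/null || true`, while `deploy-xconfig-agent.sh` in the next hunk defaults `ANSIBLE_HOST_KEY_CHECKING` to `False`, so the host key is never actually verified: a failed scan is silent, and even a successful one is ignored when Ansible connects. Since the target host and IP are fixed in the workflow matrix, the stronger pattern is to ship the expected host key (for example from a `SSH_KNOWN_HOSTS` secret, name constructed) into `~/.ssh/known_hosts`, drop the `|| true` so a scan failure fails the job, and remove the `ANSIBLE_HOST_KEY_CHECKING=False` default so Ansible enforces `known_hosts`. The `printf ... > "${HOME}/.ssh/id_rsa"` line creates the key file under the runner's default umask before `chmod 600` runs; an `umask 077` right after `set -euo pipefail` closes that window. The inventory heredoc header is rendered here as `cat < inventory.ini` with closing `EOF_INVENTORY`, presumably `cat <<EOF_INVENTORY > inventory.ini` upstream — worth confirming.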
@@ -0,0 +1,101 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${GITOPS_PLAYBOOK:?GitOps playbook path is required for vhosts matrix entry}"
+
+cat <<'PLAYBOOK' > install-xconfig-agent.yml
+- hosts: all
+ become: yes
+ tasks:
+ - name: Ensure build dependencies are installed
+ ansible.builtin.apt:
+ name:
+ - build-essential
+ - curl
+ - git
+ - pkg-config
+ - libssl-dev
+ state: present
+ update_cache: true
+
+ - name: Install Rust toolchain when missing
+ ansible.builtin.shell: |
+ set -euo pipefail
+ if ! command -v rustup >/dev/null 2>&1; then
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+ fi
+ args:
+ creates: "{{ ansible_env.HOME }}/.cargo/bin/rustup"
+
+ - name: Build cw-agent binary
+ # noqa command-instead-of-shell
+ ansible.builtin.shell: |
+ set -euo pipefail
+ work_dir=$(mktemp -d)
+ trap 'rm -rf "${work_dir}"' EXIT
+ git clone --depth 1 https://github.com/svc-design/XConfig "${work_dir}/XConfig"
+ cd "${work_dir}/XConfig/CraftWeaveAgent"
+ . "{{ ansible_env.HOME }}/.cargo/env"
+ cargo build --release
+ install -D -m 0755 target/release/cw-agent /usr/local/bin/cw-agent
+ args:
+ creates: /usr/local/bin/cw-agent
+
+ - name: Ensure agent working directories exist
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+ loop:
+ - /etc
+ - /var/lib/cw-agent
+
+ - name: Configure cw-agent
+ ansible.builtin.copy:
+ dest: /etc/cw-agent.conf
+ owner: root
+ group: root
+ mode: '0644'
+ content: |
+ repo: "{{ gitops_repo }}"
+ branch: {{ gitops_branch }}
+ interval: 60
+ playbook:
+ - {{ gitops_playbook }}
+
+ - name: Install cw-agent systemd service
+ ansible.builtin.copy:
+ dest: /etc/systemd/system/cw-agent.service
+ owner: root
+ group: root
+ mode: '0644'
+ content: |
+ [Unit]
+ Description=Xconfig Agent Service
+ After=network-online.target
+ Wants=network-online.target
+
+ [Service]
+ Type=simple
+ ExecStart=/usr/local/bin/cw-agent daemon --config /etc/cw-agent.conf
+ 
Restart=on-failure
+ RestartSec=5
+ User=root
+ Environment=RUST_LOG=info
+ WorkingDirectory=/var/lib/cw-agent
+
+ [Install]
+ WantedBy=multi-user.target
+
+ - name: Reload systemd manager configuration
+ ansible.builtin.systemd:
+ daemon_reload: true
+
+ - name: Enable and restart cw-agent
+ ansible.builtin.systemd:
+ name: cw-agent.service
+ enabled: true
+ state: restarted
+PLAYBOOK
diff --git a/scripts/workflows/install-ansible.sh b/scripts/workflows/install-ansible.sh
new file mode 100755
index 00000000..387a8402
--- /dev/null
+++ b/scripts/workflows/install-ansible.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+sudo apt-get update
+sudo apt-get install -y ansible
diff --git a/scripts/workflows/install-flux-components.sh b/scripts/workflows/install-flux-components.sh
new file mode 100755
index 00000000..a41d2998
--- /dev/null
+++ b/scripts/workflows/install-flux-components.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+kubectl create namespace gitops-system --dry-run=client -o yaml | kubectl apply -f -
+flux install --namespace=gitops-system --components-extra=image-reflector-controller,image-automation-controller
diff --git a/scripts/workflows/prepare-kubeconfig.sh b/scripts/workflows/prepare-kubeconfig.sh
new file mode 100755
index 00000000..06e2033d
--- /dev/null
+++ b/scripts/workflows/prepare-kubeconfig.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+RAW_KUBE_CONFIG=${RAW_KUBE_CONFIG:-}
+if [[ -z "${RAW_KUBE_CONFIG}" ]]; then
+ echo "KUBE_CONFIG secret is not configured" >&2
+ exit 1
+fi
+
+mkdir -p "${HOME}/.kube"
+
+if printf '%s' "${RAW_KUBE_CONFIG}" | base64 -d >"${HOME}/.kube/config" 2>/dev/null; then
+ true
+else
+ printf '%s' "${RAW_KUBE_CONFIG}" >"${HOME}/.kube/config"
+fi
+
+chmod 600 "${HOME}/.kube/config"
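Review bot: Both `ansible.builtin.shell` tasks in the generated playbook open with `set -euo pipefail`, but the shell module runs `/bin/sh` unless told otherwise, and on Debian/Ubuntu hosts where `/bin/sh` is dash `set -o pipefail` is (as far as I know) rejected, so the Rust install and the cw-agent build would fail before doing any work; add `executable: /bin/bash` under each task's existing `args:` next to `creates:`. The build task clones `https://github.com/svc-design/XConfig` at whatever its default branch currently is and installs the result to `/usr/local/bin` as root, and the toolchain task pipes `sh.rustup.rs` straight into `sh`; pinning the clone to a tag or commit (`git clone --depth 1 --branch <TAG_PLACEHOLDER> …`) and the toolchain with `--default-toolchain <VERSION_PLACEHOLDER>` makes the deployed binary reproducible and reviewable. In the generated `/etc/cw-agent.conf`, `branch: {{ gitops_branch }}` and `- {{ gitops_playbook }}` are unquoted, so a branch such as `1.10` or a value starting with a YAML indicator would be retyped or mis-parsed; quote them as `repo` already is (`branch: "{{ gitops_branch }}"`, `- "{{ gitops_playbook }}"`). `become: yes` should be `become: true`, matching the `update_cache: true` style the rest of the playbook uses. The heredoc is quoted (`<<'PLAYBOOK'`), so none of the `${…}` or `{{ … }}` text is interpolated by the outer bash — only by Ansible on the target.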
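Review bot: In `prepare-kubeconfig.sh`, `${HOME}/.kube/config` is created under the runner's default umask by the `base64 -d >` redirection (and by the fallback `printf`) and only tightened afterwards by `chmod 600`; an `umask 077` right after `set -euo pipefail` closes that window. The `2>/dev/null` on `base64 -d` also hides why decoding failed, so a secret that is base64 with one stray character is silently written raw and the failure only surfaces in the later `flux install` step; a `kubectl config view --raw >/dev/null` after the `chmod` would fail fast with a pointed message. The `true` branch reads as a no-op; `if ! printf '%s' "${RAW_KUBE_CONFIG}" | base64 -d >"${HOME}/.kube/config" 2>/dev/null; then printf '%s' "${RAW_KUBE_CONFIG}" >"${HOME}/.kube/config"; fi` states the intent directly.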