From 7ea686eee2e058a58d50d5872a6084d54c1547ce Mon Sep 17 00:00:00 2001 From: Haitao Pan Date: Fri, 23 Jan 2026 19:45:32 +0800 Subject: [PATCH] feat: add Cloud Run sidecar deployment for Stunnel and update client-side setup --- .gitignore | 1 + Makefile | 20 +++++- deploy/gcp/cloud-run/service.yaml | 72 +++++++++++++++++++ deploy/stunnel/stunnel-account-db-client.conf | 12 ++-- docs/account-service-deployment.md | 7 +- entrypoint.sh | 2 + 6 files changed, 105 insertions(+), 9 deletions(-) create mode 100644 deploy/gcp/cloud-run/service.yaml diff --git a/.gitignore b/.gitignore index 26b3a79..03f3049 100644 --- a/.gitignore +++ b/.gitignore @@ -58,3 +58,4 @@ build/ dist/ out/ target/ +xcontrol-account diff --git a/Makefile b/Makefile index 2541559..36f055d 100644 --- a/Makefile +++ b/Makefile @@ -40,7 +40,8 @@ export PATH := /usr/local/go/bin:$(PATH) .PHONY: all init build clean start stop restart dev test help \ init-db-core init-db-replication init-db-pglogical \ - reinit-pglogical account-sync-push account-sync-pull account-sync-mirror create-db-user db-reset + reinit-pglogical account-sync-push account-sync-pull account-sync-mirror create-db-user db-reset \ + gcp-deploy gcp-replace-service all: build @@ -292,3 +293,20 @@ test: clean: rm -f $(APP_NAME) *.pid *.log + +# ========================================= +# ☁️ Google Cloud Run +# ========================================= + +CLOUD_RUN_SERVICE := accounts-svc-plus +GCP_REGION := asia-northeast1 + +gcp-deploy: + gcloud run deploy $(CLOUD_RUN_SERVICE) \ + --source . \ + --region $(GCP_REGION) \ + --update-secrets="PGADMIN_PASSWORD=admin_password:latest,DB_PASSWORD=admin_password:latest" \ + --set-env-vars="DB_TLS_HOST=postgresql.onwalk.net,DB_TLS_PORT=443,DB_USER=postgres,DB_NAME=postgres" + +gcp-replace-service: + gcloud run services replace deploy/gcp/cloud-run/service.yaml --region $(GCP_REGION) 
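Review bot: The `gcp-deploy` recipe hands the application the database superuser's credentials: `DB_USER=postgres` is paired with `DB_PASSWORD=admin_password:latest`, and the same `admin_password` secret also backs `PGADMIN_PASSWORD`, so a compromise of the API container yields full control of the database rather than of the account service's tables. A dedicated role with only the grants this service needs, kept in its own secret, would bound that blast radius, and the admin password should then be referenced only where pgAdmin actually runs. Binding both secrets to `:latest` also means a rotation is silently picked up by whichever instance starts next, so a revision is not reproducible and a bad rotation cannot be undone by rolling the revision back; pin an explicit version (`DB_PASSWORD=admin_password:<version>`) and bump it deliberately. Note too that this recipe configures `DB_TLS_HOST=postgresql.onwalk.net,DB_TLS_PORT=443` for a direct TLS connection, while `deploy/gcp/cloud-run/service.yaml` points the same image at `DB_HOST=127.0.0.1`/`DB_PORT=5432` through the stunnel sidecar, so `gcp-deploy` and `gcp-replace-service` deploy two different connection modes and each overwrites the other's environment — a comment on each target stating which is authoritative would prevent surprises.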
diff --git a/deploy/gcp/cloud-run/service.yaml b/deploy/gcp/cloud-run/service.yaml new file mode 100644 index 0000000..8dc9ca2 --- /dev/null +++ b/deploy/gcp/cloud-run/service.yaml @@ -0,0 +1,72 @@ +apiVersion: serving.knative.dev/v1 +kind: Service +metadata: + name: accounts-svc-plus + labels: + cloud.googleapis.com/location: asia-northeast1 + annotations: + run.googleapis.com/launch-stage: BETA + run.googleapis.com/ingress: all +spec: + template: + metadata: + annotations: + run.googleapis.com/startup-cpu-boost: 'true' + autoscaling.knative.dev/maxScale: '20' + spec: + containerConcurrency: 80 + timeoutSeconds: 300 + serviceAccountName: 266500572462-compute@developer.gserviceaccount.com + containers: + # --- 主应用容器 --- + - name: accounts-api + image: asia-northeast1-docker.pkg.dev/xzerolab-480008/cloud-run-source-deploy/accounts.svc.plus/accounts-svc-plus:latest + ports: + - name: http1 + containerPort: 8080 + env: + - name: PGADMIN_PASSWORD + value: admin_password + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: admin_password + key: latest + - name: DB_HOST + value: "127.0.0.1" + - name: DB_PORT + value: "5432" + - name: DB_USER + value: postgres + - name: DB_NAME + value: postgres + resources: + limits: + cpu: 1000m + memory: 512Mi + startupProbe: + timeoutSeconds: 240 + periodSeconds: 240 + failureThreshold: 1 + tcpSocket: + port: 8080 + + # --- Stunnel Sidecar 容器 --- + - name: stunnel-sidecar + image: dweomer/stunnel + volumeMounts: + - name: stunnel-conf-vol + mountPath: /etc/stunnel + command: ["stunnel", "/etc/stunnel/stunnel.conf"] + resources: + limits: + cpu: 200m + memory: 128Mi + + volumes: + - name: stunnel-conf-vol + secret: + secretName: stunnel-config + items: + - key: latest + path: stunnel.conf diff --git a/deploy/stunnel/stunnel-account-db-client.conf b/deploy/stunnel/stunnel-account-db-client.conf index 99c32b3..b8e2d34 100644 --- a/deploy/stunnel/stunnel-account-db-client.conf +++ b/deploy/stunnel/stunnel-account-db-client.conf 
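Review bot: `PGADMIN_PASSWORD` is given `value: admin_password`, a literal string, while `DB_PASSWORD` directly below reads the secret named `admin_password` through `secretKeyRef`; as written the pgAdmin password is either the placeholder text committed to the repo or a copy-paste slip where the secret name landed in `value`, and either way it should use the same `valueFrom` form. The revision also runs as `266500572462-compute@developer.gserviceaccount.com`, the project's default Compute Engine service account, which typically carries broad project-level roles; a dedicated service account granted only `roles/secretmanager.secretAccessor` on `admin_password` and `stunnel-config` is the least-privilege choice. The sidecar pulls `dweomer/stunnel` from Docker Hub with no tag or digest and the API image uses the mutable `:latest` tag, so a cold start may run code nobody reviewed — pin both by digest. Finally, the app is configured for `DB_PORT: "5432"` while the repo's stunnel client conf accepts on `127.0.0.1:15432`, so confirm the `stunnel-config` secret actually listens on 5432, and consider the `run.googleapis.com/container-dependencies` annotation so `accounts-api` is not started before the tunnel is listening.
```yaml
          env:
            - name: PGADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: admin_password
                  key: latest
            # … unchanged: DB_PASSWORD secretKeyRef, DB_HOST / DB_PORT / DB_USER / DB_NAME …
```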
@@ -1,12 +1,10 @@ foreground = yes pid = /var/run/stunnel/stunnel-account-db-client.pid -[account-db] +[postgres-client] client = yes accept = 127.0.0.1:15432 -connect = vps.example.com:8443 - -# Optional TLS settings. -# verifyChain = yes -# CAfile = /etc/ssl/certs/ca-bundle.crt -# sni = vps.example.com +connect = postgresql.onwalk.net:443 +verify = 2 +CAfile = /etc/ssl/certs/ca-certificates.crt +checkHost = postgresql.onwalk.net diff --git a/docs/account-service-deployment.md b/docs/account-service-deployment.md index debf3b5..2cb13e6 100644 --- a/docs/account-service-deployment.md +++ b/docs/account-service-deployment.md @@ -173,8 +173,13 @@ accounts.svc.plus { 示例 stunnel client(API/Account 服务所在机器): ```ini +[postgres-client] +client = yes accept = 127.0.0.1:15432 -connect = vps.example.com:8443 +connect = postgresql.onwalk.net:443 +verify = 2 +CAfile = /etc/ssl/certs/ca-certificates.crt +checkHost = postgresql.onwalk.net ``` 示例 stunnel server(数据库所在机器): diff --git a/entrypoint.sh b/entrypoint.sh index 6f72f1a..db9ec3b 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -43,6 +43,8 @@ EOF if [ -f "/etc/stunnel/ca.pem" ]; then echo "CAfile = /etc/stunnel/ca.pem" >> "${STUNNEL_CONF}" + elif [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then + echo "CAfile = /etc/ssl/certs/ca-certificates.crt" >> "${STUNNEL_CONF}" fi if [ -f "/etc/stunnel/cert.pem" ] && [ -f "/etc/stunnel/key.pem" ]; then echo "cert = /etc/stunnel/cert.pem" >> "${STUNNEL_CONF}"
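Review bot: The new client section hard-codes `CAfile = /etc/ssl/certs/ca-certificates.crt`, the Debian/Alpine bundle path; on a RHEL-family host the bundle is `/etc/pki/tls/certs/ca-bundle.crt` (the path the removed comment pointed at) and stunnel will refuse to start, so the conf should state its assumption, e.g. `# CAfile assumes a Debian/Alpine base image; use /etc/pki/tls/certs/ca-bundle.crt on RHEL`. Trusting the whole system bundle also means any public CA can issue a certificate that satisfies `checkHost = postgresql.onwalk.net`; since this is a private database endpoint, pointing `CAfile` at the issuing CA alone (the `/etc/stunnel/ca.pem` path that `entrypoint.sh` already prefers) narrows that. `verify = 2` is the legacy spelling in current stunnel releases; `verifyChain = yes` expresses the same chain check and reads unambiguously next to `checkHost`. The removed `sni =` line was the explicit way to send SNI; if `postgresql.onwalk.net:443` sits behind an SNI-routing proxy, confirm the deployed stunnel sends it by default or restore `sni = postgresql.onwalk.net`.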