feat: add Cloud Run sidecar deployment for Stunnel and update client-side setup

2026-01-23 19:45:32 +08:00 · 2026-01-23 19:45:32 +08:00 · e0915541a7
commit e0915541a7
parent b0c1ce813e
6 changed files with 105 additions and 9 deletions
--- a/.gitignore
+++ b/.gitignore
@ -58,3 +58,4 @@ build/
 dist/
 out/
 target/
+xcontrol-account
--- a/20
+++ b/20
@ -40,7 +40,8 @@ export PATH := /usr/local/go/bin:$(PATH)

 .PHONY: all init build clean start stop restart dev test help \
 	init-db-core init-db-replication init-db-pglogical \
-	reinit-pglogical account-sync-push account-sync-pull account-sync-mirror create-db-user db-reset
+	reinit-pglogical account-sync-push account-sync-pull account-sync-mirror create-db-user db-reset \
+	gcp-deploy gcp-replace-service

 all: build

@ -292,3 +293,20 @@ test:

 clean:
 	rm -f $(APP_NAME) *.pid *.log
+
+# =========================================
+# ☁️ Google Cloud Run
+# =========================================
+
+CLOUD_RUN_SERVICE := accounts-svc-plus
+GCP_REGION        := asia-northeast1
+
+gcp-deploy:
+	gcloud run deploy $(CLOUD_RUN_SERVICE) \
+		--source . \
+		--region $(GCP_REGION) \
+		--update-secrets="PGADMIN_PASSWORD=admin_password:latest,DB_PASSWORD=admin_password:latest" \
+		--set-env-vars="DB_TLS_HOST=postgresql.onwalk.net,DB_TLS_PORT=443,DB_USER=postgres,DB_NAME=postgres"
+
+gcp-replace-service:
+	gcloud run services replace deploy/gcp/cloud-run/service.yaml --region $(GCP_REGION)
--- a/deploy/gcp/cloud-run/service.yaml
+++ b/deploy/gcp/cloud-run/service.yaml
@ -0,0 +1,72 @@
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: accounts-svc-plus
+  labels:
+    cloud.googleapis.com/location: asia-northeast1
+  annotations:
+    run.googleapis.com/launch-stage: BETA
+    run.googleapis.com/ingress: all
+spec:
+  template:
+    metadata:
+      annotations:
+        run.googleapis.com/startup-cpu-boost: 'true'
+        autoscaling.knative.dev/maxScale: '20'
+    spec:
+      containerConcurrency: 80
+      timeoutSeconds: 300
+      serviceAccountName: 266500572462-compute@developer.gserviceaccount.com
+      containers:
+      # --- 主应用容器 ---
+      - name: accounts-api
+        image: asia-northeast1-docker.pkg.dev/xzerolab-480008/cloud-run-source-deploy/accounts.svc.plus/accounts-svc-plus:latest
+        ports:
+        - name: http1
+          containerPort: 8080
+        env:
+        - name: PGADMIN_PASSWORD
+          value: admin_password
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: admin_password
+              key: latest
+        - name: DB_HOST
+          value: "127.0.0.1"
+        - name: DB_PORT
+          value: "5432"
+        - name: DB_USER
+          value: postgres
+        - name: DB_NAME
+          value: postgres
+        resources:
+          limits:
+            cpu: 1000m
+            memory: 512Mi
+        startupProbe:
+          timeoutSeconds: 240
+          periodSeconds: 240
+          failureThreshold: 1
+          tcpSocket:
+            port: 8080
+
+      # --- Stunnel Sidecar 容器 ---
+      - name: stunnel-sidecar
+        image: dweomer/stunnel
+        volumeMounts:
+        - name: stunnel-conf-vol
+          mountPath: /etc/stunnel
+        command: ["stunnel", "/etc/stunnel/stunnel.conf"]
+        resources:
+          limits:
+            cpu: 200m
+            memory: 128Mi
+
+      volumes:
+      - name: stunnel-conf-vol
+        secret:
+          secretName: stunnel-config
+          items:
+          - key: latest
+            path: stunnel.conf
--- a/deploy/stunnel/stunnel-account-db-client.conf
+++ b/deploy/stunnel/stunnel-account-db-client.conf
@ -1,12 +1,10 @@
 foreground = yes
 pid = /var/run/stunnel/stunnel-account-db-client.pid

-[account-db]
+[postgres-client]
 client = yes
 accept = 127.0.0.1:15432
-connect = vps.example.com:8443
-
-# Optional TLS settings.
-# verifyChain = yes
-# CAfile = /etc/ssl/certs/ca-bundle.crt
-# sni = vps.example.com
+connect = postgresql.onwalk.net:443
+verify = 2
+CAfile = /etc/ssl/certs/ca-certificates.crt
+checkHost = postgresql.onwalk.net
--- a/docs/account-service-deployment.md
+++ b/docs/account-service-deployment.md
@ -173,8 +173,13 @@ accounts.svc.plus {
 示例 stunnel client（API/Account 服务所在机器）：

 ```ini
+[postgres-client]
+client = yes
 accept = 127.0.0.1:15432
-connect = vps.example.com:8443
+connect = postgresql.onwalk.net:443
+verify = 2
+CAfile = /etc/ssl/certs/ca-certificates.crt
+checkHost = postgresql.onwalk.net
 ```

 示例 stunnel server（数据库所在机器）：
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -43,6 +43,8 @@ EOF

  if [ -f "/etc/stunnel/ca.pem" ]; then
    echo "CAfile = /etc/stunnel/ca.pem" >> "${STUNNEL_CONF}"
+  elif [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
+    echo "CAfile = /etc/ssl/certs/ca-certificates.crt" >> "${STUNNEL_CONF}"
  fi
  if [ -f "/etc/stunnel/cert.pem" ] && [ -f "/etc/stunnel/key.pem" ]; then
    echo "cert = /etc/stunnel/cert.pem" >> "${STUNNEL_CONF}"