diff --git a/README.md b/README.md index a0ddf20..7f16541 100644 --- a/README.md +++ b/README.md @@ -10,27 +10,72 @@ This project provides a collection of Helm chart configurations for popular serv The following services are currently supported: +### Databases & Storage + - ClickHouse +- DuckDB - Elasticsearch - etcd +- HBase - Kafka -- Keycloak -- Kibana -- Langfuse - MariaDB - Milvus - MinIO - MongoDB -- Nginx -- OpenTelemetry Collector -- Phoenix +- MySQL +- Neo4j - PostgreSQL +- Pulsar - RabbitMQ - RabbitMQ Cluster Operator - Redis - Valkey +- Vault - ZooKeeper +### DevOps & CI/CD + +- ArgoCD +- Gitea +- Gitea Runner +- GitLab +- GitLab Runner +- Harbor +- Jenkins +- Nexus + +### Data & Analytics + +- Airflow +- Apache Flink + +### Observability & Monitoring + +- Grafana +- Kibana +- Langfuse +- Loki +- OpenTelemetry Collector +- Phoenix +- Prometheus + +### Streaming & API Gateway + +- Apache Pulsar +- Kong +- Nginx + +### AI & ML + +- LiteLLM +- MLflow +- Open WebUI + +### Identity & Service Mesh + +- Keycloak +- Nacos + Each service has its own directory under `src/`, containing: - `Makefile`: Service-specific configuration diff --git a/src/airflow/Makefile b/src/airflow/Makefile new file mode 100644 index 0000000..8970b0b --- /dev/null +++ b/src/airflow/Makefile @@ -0,0 +1,16 @@ +HELM_RELEASE_NAME ?= airflow +HELM_APPLICATION_NAME ?= airflow +HELM_NAMESPACE ?= airflow +HELM_DIR ?= ./helm +HELM_CHART_VERSION ?= +HELM_VALUES_FILE ?= ./values.yaml +HELM_OCI_REGISTRY ?= +HELM_OCI_NAMESPACE ?= +HELM_OCI_USERNAME ?= +HELM_OCI_PASSWORD ?= +HELM_REPO_NAME ?= apache-airflow +HELM_REPO_URL ?= https://airflow.apache.org +HELM_CHART_REPO ?= $(HELM_REPO_NAME)/$(HELM_APPLICATION_NAME) +HELM_LANE ?= + +include ../_template/base.mk diff --git a/src/airflow/README.md b/src/airflow/README.md new file mode 100644 index 0000000..e0eaeaa --- /dev/null +++ b/src/airflow/README.md 
@@ -0,0 +1,61 @@ +# Apache Airflow + +## Introduction + +Apache Airflow is a platform to programmatically author, schedule, and monitor workflows. It uses directed acyclic graphs (DAGs) to manage workflow orchestration. + +## Installation + +To install Airflow, run: + +```bash +make install +``` + +## Usage + +After installation, access Airflow: + +```bash +# Port forward to access web UI +kubectl port-forward svc/airflow-webserver -n airflow 8080:8080 +``` + +Then open in your browser. + +Default credentials: + +- Username: `admin` +- Password: `admin` + +## Configuration + +The default configuration includes: + +- CeleryExecutor for distributed task execution +- Built-in PostgreSQL for metadata database +- Built-in Redis for Celery broker +- Single replicas for webserver, scheduler, workers, and triggerer +- 10Gi for logs persistence + +## Components + +- **Webserver**: Serves the UI and API +- **Scheduler**: Schedules and triggers tasks +- **Workers**: Execute tasks (CeleryExecutor) +- **Triggerer**: Runs event-based triggers +- **Flower**: Celery monitoring tool + +## Adding DAGs + +To add your DAGs: + +1. Enable `dags.gitSync` and configure your Git repository, OR +2. Mount a persistent volume with your DAG files, OR +3. Use the Airflow UI to upload DAG files (not recommended for production) + +## Customization + +- Edit `values.yaml` to configure connections, variables, and pools +- Scale workers by increasing `workers.replicas` +- Enable ingress for external access diff --git a/src/airflow/README.zh.md b/src/airflow/README.zh.md new file mode 100644 index 0000000..836742f --- /dev/null +++ b/src/airflow/README.zh.md 
@@ -0,0 +1,61 @@ +# Apache Airflow + +## 简介 + +Apache Airflow 是一个以编程方式编写、调度和监控工作流的平台。它使用有向无环图 (DAG) 来管理工作流编排。 + +## 安装 + +安装 Airflow: + +```bash +make install +``` + +## 使用 + +安装完成后,访问 Airflow: + +```bash +# 端口转发以访问 Web UI +kubectl port-forward svc/airflow-webserver -n airflow 8080:8080 +``` + +然后在浏览器中打开 。 + +默认凭据: + +- 用户名:`admin` +- 密码:`admin` + +## 配置 + +默认配置包括: + +- CeleryExecutor 用于分布式任务执行 +- 内置 PostgreSQL 作为元数据库 +- 内置 Redis 作为 Celery 代理 +- Webserver、Scheduler、Workers 和 Triggerer 均为单副本 +- 10Gi 日志持久化存储 + +## 组件 + +- **Webserver**: 提供 UI 和 API +- **Scheduler**: 调度和触发任务 +- **Workers**: 执行任务 (CeleryExecutor) +- **Triggerer**: 运行基于事件的触发器 +- **Flower**: Celery 监控工具 + +## 添加 DAG + +添加您的 DAG: + +1. 启用 `dags.gitSync` 并配置 Git 仓库,或 +2. 挂载包含 DAG 文件的持久卷,或 +3. 使用 Airflow UI 上传 DAG 文件(不推荐用于生产环境) + +## 自定义 + +- 编辑 `values.yaml` 配置连接、变量和池 +- 增加 `workers.replicas` 扩展 Workers +- 启用 ingress 用于外部访问 diff --git a/src/airflow/values.yaml b/src/airflow/values.yaml new file mode 100644 index 0000000..5ba5f8b --- /dev/null +++ b/src/airflow/values.yaml 
@@ -0,0 +1,118 @@ +# Apache Airflow Configuration +# https://github.com/apache/airflow/blob/main/chart/values.yaml + +# Default airflow repository +defaultAirflowRepository: apache/airflow + +# Default airflow tag +defaultAirflowTag: 2.9.0 + +# Airflow version +airflowVersion: 2.9.0 + +# Executor type +executor: CeleryExecutor + +# Environment variables +env: + - name: AIRFLOW__CORE__LOAD_EXAMPLES + value: 'False' + - name: AIRFLOW__WEBSERVER__EXPOSE_CONFIG + value: 'True' + +# Webserver configuration +webserver: + replicas: 1 + resources: + requests: + cpu: 500m + memory: 1Gi + limits: + cpu: 1000m + memory: 2Gi + service: + type: ClusterIP + +# Scheduler configuration +scheduler: + replicas: 1 + resources: + requests: + cpu: 500m + memory: 1Gi + limits: + cpu: 1000m + memory: 2Gi + +# Worker configuration (for CeleryExecutor) +workers: + replicas: 1 + resources: + requests: + cpu: 500m + memory: 1Gi + limits: + cpu: 1000m + memory: 2Gi + +# Triggerer configuration +triggerer: + enabled: true + replicas: 1 + resources: + requests: + cpu: 250m + memory: 512Mi + limits: + cpu: 500m + memory: 1Gi + +# DAGs configuration +dags: + persistence: + enabled: true + size: 5Gi + accessMode: ReadWriteOnce + gitSync: + enabled: false + +# Logs configuration +logs: + persistence: + enabled: true + size: 10Gi + +# PostgreSQL configuration (subchart) +postgresql: + enabled: true + auth: + username: postgres + database: airflow + primary: + persistence: + enabled: true + size: 10Gi + +# Redis configuration (subchart for Celery) +redis: + enabled: true + architecture: standalone + auth: + enabled: false + master: + persistence: + enabled: true + size: 5Gi + +# Flower configuration +flower: + enabled: true + service: + type: ClusterIP + +# Ingress configuration +ingress: + web: + enabled: false + flower: + enabled: false diff --git a/src/argocd/Makefile b/src/argocd/Makefile new file mode 100644 index 0000000..bc0bec6 --- /dev/null +++ b/src/argocd/Makefile 
@@ -0,0 +1,16 @@ +HELM_RELEASE_NAME ?= argocd +HELM_APPLICATION_NAME ?= argo-cd +HELM_NAMESPACE ?= argocd +HELM_DIR ?= ./helm +HELM_CHART_VERSION ?= +HELM_VALUES_FILE ?= ./values.yaml +HELM_OCI_REGISTRY ?= +HELM_OCI_NAMESPACE ?= +HELM_OCI_USERNAME ?= +HELM_OCI_PASSWORD ?= +HELM_REPO_NAME ?= argo +HELM_REPO_URL ?= https://argoproj.github.io/argo-helm +HELM_CHART_REPO ?= $(HELM_REPO_NAME)/$(HELM_APPLICATION_NAME) +HELM_LANE ?= + +include ../_template/base.mk diff --git a/src/argocd/README.md b/src/argocd/README.md new file mode 100644 index 0000000..e8be1c0 --- /dev/null +++ b/src/argocd/README.md @@ -0,0 +1,43 @@ +# ArgoCD + +## Introduction + +ArgoCD is a declarative, GitOps continuous delivery tool for Kubernetes. It follows the GitOps pattern of using Git repositories as the source of truth for defining the desired application state. + +## Installation + +To install ArgoCD, run: + +```bash +make install +``` + +Default credentials: + +- Username: `admin` +- Password: `admin` + +## Usage + +After installation, access ArgoCD: + +```bash +# Port forward to access UI +kubectl port-forward svc/argocd-server -n argocd 8080:443 + +# Get admin password +kubectl get secret argocd-initial-admin-secret -n argocd -o jsonpath="{.data.password}" | base64 -d +``` + +Then open in your browser. + +## Configuration + +The default configuration includes: + +- Single Redis instance +- Single controller replica +- Single repo server +- Dex enabled for SSO + +For production, consider enabling HA mode with multiple replicas. diff --git a/src/argocd/README.zh.md b/src/argocd/README.zh.md new file mode 100644 index 0000000..fd0d1ff --- /dev/null +++ b/src/argocd/README.zh.md 
@@ -0,0 +1,43 @@ +# ArgoCD + +## 简介 + +ArgoCD 是一个用于 Kubernetes 的声明式、GitOps 持续交付工具。它遵循 GitOps 模式,使用 Git 仓库作为定义期望应用状态的单一事实来源。 + +## 安装 + +安装 ArgoCD: + +```bash +make install +``` + +默认凭据: + +- 用户名:`admin` +- 密码:`admin` + +## 使用 + +安装完成后,访问 ArgoCD: + +```bash +# 端口转发以访问 UI +kubectl port-forward svc/argocd-server -n argocd 8080:443 + +# 获取管理员密码 +kubectl get secret argocd-initial-admin-secret -n argocd -o jsonpath="{.data.password}" | base64 -d +``` + +然后在浏览器中打开 。 + +## 配置 + +默认配置包括: + +- 单 Redis 实例 +- 单控制器副本 +- 单仓库服务器 +- 启用 Dex 用于 SSO + +生产环境建议启用 HA 模式,使用多副本部署。 diff --git a/src/argocd/values.yaml b/src/argocd/values.yaml new file mode 100644 index 0000000..6fe031c --- /dev/null +++ b/src/argocd/values.yaml @@ -0,0 +1,31 @@ +# Argo CD Configuration +# https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml + +configs: + secret: + argocdServerAdminPassword: $2a$10$m9ZR7FP.6zSFhjDHndyeJuruTzZNjf7qCkybF7N7sNCGBqDXm7vwK # admin + argocdServerAdminPasswordMtime: '2024-01-01T00:00:00Z' + +server: + service: + type: ClusterIP + ingress: + enabled: false + +dex: + enabled: true + +redis: + enabled: true + +repoServer: + replicas: 1 + +controller: + replicas: 1 + +applicationSet: + enabled: true + +notifications: + enabled: false diff --git a/src/gitea-runner/Makefile b/src/gitea-runner/Makefile index 3a03eda..06bc1dc 100644 --- a/src/gitea-runner/Makefile +++ b/src/gitea-runner/Makefile @@ -8,7 +8,7 @@ HELM_OCI_REGISTRY ?= HELM_OCI_NAMESPACE ?= HELM_OCI_USERNAME ?= HELM_OCI_PASSWORD ?= -HELM_REPO_NAME ?= gitea-charts +HELM_REPO_NAME ?= gitea HELM_REPO_URL ?= https://dl.gitea.com/charts HELM_CHART_REPO ?= $(HELM_REPO_NAME)/actions HELM_LANE ?= diff --git a/src/gitea/README.md b/src/gitea/README.md index 364de48..77e86ae 100644 --- a/src/gitea/README.md +++ b/src/gitea/README.md 
@@ -9,9 +9,18 @@ Gitea is a community managed lightweight code hosting solution written in Go. It To install Gitea, run: ```bash +make repo-add make install ``` +Or directly: + +```bash +helm repo add gitea https://dl.gitea.com/charts +helm repo update +helm install gitea gitea/gitea -f values.yaml +``` + ## Usage After installation, verify the deployment: 
@@ -28,7 +37,116 @@ kubectl port-forward svc/gitea-http 3000:3000 -n gitea Then open in your browser. +Default admin credentials: + +- Username: `gitea_admin` +- Password: `r8sA8CPHD9!bt6d` + +## Configuration + +### Current Configuration (Development) + +当前配置为单实例开发环境,使用 SQLite 数据库。 + +### Production Configuration (High Availability) + +生产环境建议使用以下配置(需取消注释并配置): + +```yaml +# 1. 禁用 SQLite,启用 PostgreSQL +valkey-cluster: + enabled: true # 启用 Valkey 集群(缓存/会话/队列) + +postgresql-ha: + enabled: true # 启用 PostgreSQL HA + +gitea: + config: + database: + DB_TYPE: postgres +``` + +### Single-Pod Production (Non-HA) + +如需单机生产环境(非高可用): + +```yaml +valkey-cluster: + enabled: false +valkey: + enabled: true +postgresql: + enabled: true +postgresql-ha: + enabled: false + +gitea: + config: + database: + DB_TYPE: postgres +``` + +### External Database + +使用外部数据库: + +```yaml +postgresql: + enabled: false +postgresql-ha: + enabled: false + +gitea: + config: + database: + DB_TYPE: postgres # or mysql + HOST: my-db-host:5432 + NAME: gitea + USER: gitea + PASSWD: secret +``` + +### Ingress Configuration + +```yaml +ingress: + enabled: true + hosts: + - host: git.example.com + paths: + - path: / + tls: + - secretName: gitea-tls + hosts: + - git.example.com +``` + +## Helm Chart Values + +查看所有可配置参数: + +```bash +make values +# 或 +helm show values gitea/gitea > gitea-values.yaml +``` + +## Important Changes (v12.x) + +- **Redis → Valkey**: Chart v12.x 从 Redis 迁移到 Valkey/Valkey-cluster 作为缓存 +- **Rootless by default**: 默认使用 rootless 镜像(更安全) +- **PostgreSQL-HA by default**: 默认使用 PostgreSQL HA(高可用) + ## Documentation -- [Official Gitea Documentation](https://docs.gitea.com/) -- [Helm Chart Source](https://gitea.com/gitea/helm-chart) +- [Gitea Documentation](https://docs.gitea.com/) +- [Gitea Chinese Documentation](https://docs.gitea.cn/) +- [Gitea Helm Chart Source](https://gitea.com/gitea/helm-gitea) +- [Kubernetes Installation Guide](https://docs.gitea.cn/installation/install-on-kubernetes) +- 
[Gitea Configuration Cheat Sheet](https://docs.gitea.com/administration/config-cheat-sheet) + +## Upgrade Notes + +从旧版本升级时请参考: + +- [Helm Chart Upgrading Guide](https://gitea.com/gitea/helm-gitea#upgrading) diff --git a/src/gitea/README.zh.md b/src/gitea/README.zh.md index d6618c5..2428029 100644 --- a/src/gitea/README.zh.md +++ b/src/gitea/README.zh.md @@ -9,9 +9,18 @@ Gitea 是一个社区管理的轻量级代码托管解决方案,使用 Go 语 要安装 Gitea,请运行: ```bash +make repo-add make install ``` +或者直接使用 Helm: + +```bash +helm repo add gitea https://dl.gitea.com/charts +helm repo update +helm install gitea gitea/gitea -f values.yaml +``` + ## 使用 安装完成后,验证部署: 
@@ -28,7 +37,114 @@ kubectl port-forward svc/gitea-http 3000:3000 -n gitea 然后在浏览器中打开 。 -## 文档 +默认管理员账户: -- [官方 Gitea 文档](https://docs.gitea.com/) -- [Helm Chart 源码](https://gitea.com/gitea/helm-chart) +- 用户名:`gitea_admin` +- 密码:`r8sA8CPHD9!bt6d` + +## 配置说明 + +### 当前配置(开发环境) + +当前配置为单实例开发环境,使用 SQLite 数据库,适合快速测试和开发。 + +### 生产环境配置(高可用) + +生产环境建议使用以下配置: + +```yaml +# 启用 Valkey 集群和 PostgreSQL HA +valkey-cluster: + enabled: true # 启用 Valkey 集群作为缓存/会话/队列存储 + +postgresql-ha: + enabled: true # 启用 PostgreSQL 高可用 + +gitea: + config: + database: + DB_TYPE: postgres +``` + +### 单机生产环境(非高可用) + +如需单机生产环境: + +```yaml +valkey-cluster: + enabled: false +valkey: + enabled: true +postgresql: + enabled: true +postgresql-ha: + enabled: false + +gitea: + config: + database: + DB_TYPE: postgres +``` + +### 使用外部数据库 + +如需使用外部数据库: + +```yaml +postgresql: + enabled: false +postgresql-ha: + enabled: false + +gitea: + config: + database: + DB_TYPE: postgres # 或 mysql + HOST: my-db-host:5432 + NAME: gitea + USER: gitea + PASSWD: secret +``` + +### Ingress 配置 + +```yaml +ingress: + enabled: true + hosts: + - host: git.example.com + paths: + - path: / + tls: + - secretName: gitea-tls + hosts: + - git.example.com +``` + +## 查看所有配置参数 + +```bash +make values +# 或 +helm show values gitea/gitea > gitea-values.yaml +``` + +## v12.x 重要变更 + +- **Redis → Valkey**: Chart v12.x 从 Redis 迁移到 Valkey/Valkey-cluster 作为缓存组件 +- **默认使用 rootless 镜像**: 更安全,但 SSH 监听端口改为 2222 +- **默认使用 PostgreSQL HA**: 高可用数据库配置 + +## 文档链接 + +- [Gitea 文档](https://docs.gitea.com/) +- [Gitea 中文文档](https://docs.gitea.cn/) +- [Gitea Helm Chart 源码](https://gitea.com/gitea/helm-gitea) +- [Kubernetes 安装指南](https://docs.gitea.cn/installation/install-on-kubernetes) +- [Gitea 配置速查表](https://docs.gitea.com/administration/config-cheat-sheet) + +## 升级注意事项 + +从旧版本升级时请参考: + +- [Helm Chart 升级指南](https://gitea.com/gitea/helm-gitea#upgrading) diff --git a/src/gitea/values.yaml b/src/gitea/values.yaml index 7863363..3187b75 100644 
--- a/src/gitea/values.yaml +++ b/src/gitea/values.yaml @@ -7,8 +7,7 @@ replicaCount: 1 image: - repository: gitea/gitea - tag: latest + repository: gitea pullPolicy: IfNotPresent service: diff --git a/src/jenkins/Makefile b/src/jenkins/Makefile new file mode 100644 index 0000000..9a16ab1 --- /dev/null +++ b/src/jenkins/Makefile @@ -0,0 +1,16 @@ +HELM_RELEASE_NAME ?= jenkins +HELM_APPLICATION_NAME ?= jenkins +HELM_NAMESPACE ?= jenkins +HELM_DIR ?= ./helm +HELM_CHART_VERSION ?= +HELM_VALUES_FILE ?= ./values.yaml +HELM_OCI_REGISTRY ?= +HELM_OCI_NAMESPACE ?= +HELM_OCI_USERNAME ?= +HELM_OCI_PASSWORD ?= +HELM_REPO_NAME ?= jenkins +HELM_REPO_URL ?= https://charts.jenkins.io +HELM_CHART_REPO ?= $(HELM_REPO_NAME)/$(HELM_APPLICATION_NAME) +HELM_LANE ?= + +include ../_template/base.mk diff --git a/src/jenkins/README.md b/src/jenkins/README.md new file mode 100644 index 0000000..46177e4 --- /dev/null +++ b/src/jenkins/README.md 
@@ -0,0 +1,54 @@ +# Jenkins + +## Introduction + +Jenkins is an open-source automation server that enables developers to build, test, and deploy their software reliably. It supports thousands of plugins for various CI/CD pipelines. + +## Installation + +To install Jenkins, run: + +```bash +make install +``` + +## Usage + +After installation, access Jenkins: + +```bash +# Port forward to access Jenkins +kubectl port-forward svc/jenkins -n jenkins 8080:8080 + +# Get admin password +kubectl get secret jenkins -n jenkins -o jsonpath="{.data.jenkins-admin-password}" | base64 -d +``` + +Then open and complete the setup wizard. + +## Configuration + +The default configuration includes: + +- Pre-installed plugins for Kubernetes, Git, Pipeline, and Blue Ocean +- 1 controller replica with 2Gi memory limit +- 1Gi persistent volume for build data +- Configuration as Code (CasC) enabled + +## Installed Plugins + +- kubernetes - Kubernetes plugin for dynamic agents +- workflow-aggregator - Pipeline plugin suite +- git - Git integration +- configuration-as-code - CasC support +- blue-ocean - Modern UI +- docker-workflow - Docker pipeline support +- pipeline-stage-view - Pipeline visualization + +## Customization + +To customize Jenkins: + +1. Edit `values.yaml` to add more plugins +2. Configure CasC scripts for pre-configured jobs +3. Adjust resource limits based on your workload diff --git a/src/jenkins/README.zh.md b/src/jenkins/README.zh.md new file mode 100644 index 0000000..f2458b8 --- /dev/null +++ b/src/jenkins/README.zh.md 
@@ -0,0 +1,54 @@ +# Jenkins + +## 简介 + +Jenkins 是一个开源自动化服务器,使开发人员能够可靠地构建、测试和部署软件。它支持数千个插件,用于各种 CI/CD 流水线。 + +## 安装 + +安装 Jenkins: + +```bash +make install +``` + +## 使用 + +安装完成后,访问 Jenkins: + +```bash +# 端口转发以访问 Jenkins +kubectl port-forward svc/jenkins -n jenkins 8080:8080 + +# 获取管理员密码 +kubectl get secret jenkins -n jenkins -o jsonpath="{.data.jenkins-admin-password}" | base64 -d +``` + +然后打开 完成设置向导。 + +## 配置 + +默认配置包括: + +- 预装 Kubernetes、Git、Pipeline 和 Blue Ocean 插件 +- 1 个控制器副本,内存限制 2Gi +- 1Gi 持久卷用于构建数据 +- 启用配置即代码 (CasC) + +## 已安装插件 + +- kubernetes - Kubernetes 动态代理插件 +- workflow-aggregator - Pipeline 插件套件 +- git - Git 集成 +- configuration-as-code - CasC 支持 +- blue-ocean - 现代化 UI +- docker-workflow - Docker 流水线支持 +- pipeline-stage-view - 流水线可视化 + +## 自定义 + +自定义 Jenkins: + +1. 编辑 `values.yaml` 添加更多插件 +2. 配置 CasC 脚本用于预配置任务 +3. 根据工作负载调整资源限制 diff --git a/src/jenkins/values.yaml b/src/jenkins/values.yaml new file mode 100644 index 0000000..ec28d6d --- /dev/null +++ b/src/jenkins/values.yaml 
@@ -0,0 +1,85 @@ +# Jenkins Configuration +# https://github.com/jenkinsci/helm-charts/blob/main/charts/jenkins/values.yaml + +controller: + image: + repository: jenkins/jenkins + tag: lts + pullPolicy: IfNotPresent + + # Resource configuration + resources: + requests: + cpu: 1000m + memory: 2Gi + limits: + cpu: 2000m + memory: 4Gi + + # Java options + javaOpts: '-XX:MaxRAMPercentage=75.0' + + # Service configuration + serviceType: ClusterIP + servicePort: 8080 + targetPort: 8080 + + # Ingress configuration + ingress: + enabled: false + + # Number of Jenkins controllers + replicaCount: 1 + + # Install plugins + installPlugins: + - kubernetes:3937.vd7b_82db_e347b_ + - workflow-aggregator:596.v8c21c963d92d + - git:5.2.1 + - configuration-as-code:1775.v810dc950b_514 + - blue-ocean:1.27.13 + - docker-workflow:572.v950f58993843 + - pipeline-stage-view:2.34 + - credentials-binding:642.v737c34dea_6c2 + - credentials:1319.v7eb_51b_3a_c97b_ + + # Initialize configuration as code + JCasC: + enabled: true + defaultConfig: true + configScripts: {} + + # Sidecars + sidecars: + configAutoReload: + enabled: true + image: kiwigrid/k8s-sidecar:1.26.1 + +# Agent configuration +agent: + enabled: true + image: + repository: jenkins/inbound-agent + tag: latest + + # Resource configuration for agents + resources: + requests: + cpu: 500m + memory: 1Gi + limits: + cpu: 1000m + memory: 2Gi + + # Working directory + workingDir: /home/jenkins/agent + + # Pod template configuration + podName: default + customJenkinsLabels: [] + +# Persistence +persistence: + enabled: true + size: 10Gi + accessMode: ReadWriteOnce diff --git a/src/nexus/Makefile b/src/nexus/Makefile new file mode 100644 index 0000000..a8f19ff --- /dev/null +++ b/src/nexus/Makefile 
@@ -0,0 +1,16 @@ +HELM_RELEASE_NAME ?= nexus +HELM_APPLICATION_NAME ?= nexus-repository-manager +HELM_NAMESPACE ?= nexus +HELM_DIR ?= ./helm +HELM_CHART_VERSION ?= +HELM_VALUES_FILE ?= ./values.yaml +HELM_OCI_REGISTRY ?= +HELM_OCI_NAMESPACE ?= +HELM_OCI_USERNAME ?= +HELM_OCI_PASSWORD ?= +HELM_REPO_NAME ?= sonatype +HELM_REPO_URL ?= https://sonatype.github.io/helm3-charts/ +HELM_CHART_REPO ?= $(HELM_REPO_NAME)/$(HELM_APPLICATION_NAME) +HELM_LANE ?= + +include ../_template/base.mk diff --git a/src/nexus/README.md b/src/nexus/README.md new file mode 100644 index 0000000..ac7e3fd --- /dev/null +++ b/src/nexus/README.md 
@@ -0,0 +1,70 @@ +# Nexus Repository Manager + +## Introduction + +Nexus Repository Manager is a powerful artifact repository manager that supports various formats including Maven, npm, NuGet, Docker, and more. It acts as a central hub for storing and managing software artifacts. + +## Installation + +To install Nexus, run: + +```bash +make install +``` + +## Usage + +After installation, access Nexus: + +```bash +# Port forward to access Nexus +kubectl port-forward svc/nexus-repository-manager -n nexus 8081:8081 +``` + +Then open in your browser. + +Default credentials: + +- Username: `admin` +- Password: Retrieve from pod + +```bash +# Get admin password +kubectl exec -it deployment/nexus-repository-manager -n nexus -- cat /nexus-data/admin.password +``` + +## Configuration + +The default configuration includes: + +- 100Gi persistent storage for artifacts +- 4Gi memory limit +- Single replica deployment +- JVM heap size: 2g + +## Repository Types + +Nexus supports various repository formats: + +- **Maven** (Java artifacts) +- **npm** (Node.js packages) +- **NuGet** (.NET packages) +- **Docker** (Container images) +- **PyPI** (Python packages) +- **Raw** (Generic files) +- **Yum/APT** (Linux packages) + +## Docker Registry + +To enable Docker registry support: + +1. Edit `values.yaml` and set `nexus.docker.enabled: true` +2. Configure registries with ports +3. Expose via NodePort or Ingress + +## Backup + +Consider enabling scheduled backups: + +1. Configure `backup.enabled: true` +2. Set up backup schedule and storage diff --git a/src/nexus/README.zh.md b/src/nexus/README.zh.md new file mode 100644 index 0000000..4733acc --- /dev/null +++ b/src/nexus/README.zh.md 
@@ -0,0 +1,70 @@ +# Nexus Repository Manager + +## 简介 + +Nexus Repository Manager 是一个强大的制品仓库管理器,支持多种格式,包括 Maven、npm、NuGet、Docker 等。它充当存储和管理软件制品的中心枢纽。 + +## 安装 + +安装 Nexus: + +```bash +make install +``` + +## 使用 + +安装完成后,访问 Nexus: + +```bash +# 端口转发以访问 Nexus +kubectl port-forward svc/nexus-repository-manager -n nexus 8081:8081 +``` + +然后在浏览器中打开 。 + +默认凭据: + +- 用户名:`admin` +- 密码:从 Pod 获取 + +```bash +# 获取管理员密码 +kubectl exec -it deployment/nexus-repository-manager -n nexus -- cat /nexus-data/admin.password +``` + +## 配置 + +默认配置包括: + +- 100Gi 持久化存储用于制品 +- 4Gi 内存限制 +- 单副本部署 +- JVM 堆大小:2g + +## 仓库类型 + +Nexus 支持多种仓库格式: + +- **Maven** (Java 制品) +- **npm** (Node.js 包) +- **NuGet** (.NET 包) +- **Docker** (容器镜像) +- **PyPI** (Python 包) +- **Raw** (通用文件) +- **Yum/APT** (Linux 包) + +## Docker 仓库 + +启用 Docker 仓库支持: + +1. 编辑 `values.yaml` 设置 `nexus.docker.enabled: true` +2. 配置带端口的仓库 +3. 通过 NodePort 或 Ingress 暴露 + +## 备份 + +建议启用定时备份: + +1. 配置 `backup.enabled: true` +2. 设置备份计划和存储 diff --git a/src/nexus/values.yaml b/src/nexus/values.yaml new file mode 100644 index 0000000..751df3e --- /dev/null +++ b/src/nexus/values.yaml 
@@ -0,0 +1,84 @@ +# Nexus Repository Manager Configuration +# https://github.com/sonatype/helm3-charts/blob/main/charts/nexus-repository-manager/values.yaml + +image: + repository: sonatype/nexus3 + tag: 3.68.1 + pullPolicy: IfNotPresent + +# Resource configuration +resources: + requests: + cpu: 500m + memory: 2Gi + limits: + cpu: 2000m + memory: 4Gi + +# JVM options +env: + - name: INSTALL4J_ADD_VM_PARAMS + value: '-Xms2g -Xmx2g -XX:MaxDirectMemorySize=2g -XX:+UseG1GC' + +# Service configuration +service: + type: ClusterIP + port: 8081 + +# Ingress configuration +ingress: + enabled: false + +# Persistence +persistence: + enabled: true + storageSize: 100Gi + accessMode: ReadWriteOnce + +# Nexus configuration +nexus: + # Security context + securityContext: + runAsUser: 200 + + # Additional volumes + extraVolumes: [] + + # Additional volume mounts + extraVolumeMounts: [] + + # Service configuration + service: + type: ClusterIP + port: 8081 + + # Docker registries configuration + docker: + enabled: false + registries: [] + +# ConfigMap for initial configuration +config: + enabled: false + mountPath: /sonatype-nexus-conf + +# License configuration (for Nexus Pro) +license: + enabled: false + secretFilePath: + +# Backup configuration +backup: + enabled: false + +# Route configuration (OpenShift) +route: + enabled: false + +# ServiceAccount configuration +serviceAccount: + create: true + +# RBAC configuration +rbac: + create: true diff --git a/src/vault/Makefile b/src/vault/Makefile new file mode 100644 index 0000000..d4131e6 --- /dev/null +++ b/src/vault/Makefile 
@@ -0,0 +1,16 @@ +HELM_RELEASE_NAME ?= vault +HELM_APPLICATION_NAME ?= vault +HELM_NAMESPACE ?= vault +HELM_DIR ?= ./helm +HELM_CHART_VERSION ?= +HELM_VALUES_FILE ?= ./values.yaml +HELM_OCI_REGISTRY ?= +HELM_OCI_NAMESPACE ?= +HELM_OCI_USERNAME ?= +HELM_OCI_PASSWORD ?= +HELM_REPO_NAME ?= hashicorp +HELM_REPO_URL ?= https://helm.releases.hashicorp.com +HELM_CHART_REPO ?= $(HELM_REPO_NAME)/$(HELM_APPLICATION_NAME) +HELM_LANE ?= + +include ../_template/base.mk diff --git a/src/vault/README.md b/src/vault/README.md new file mode 100644 index 0000000..2841e87 --- /dev/null +++ b/src/vault/README.md @@ -0,0 +1,60 @@ +# Vault + +## Introduction + +HashiCorp Vault is an identity-based secrets and encryption management system. It provides secure secret storage, dynamic secrets, data encryption, and identity-based access. + +## Installation + +To install Vault, run: + +```bash +make install +``` + +## Usage + +After installation, initialize and unseal Vault: + +```bash +# Port forward to access Vault +kubectl port-forward svc/vault -n vault 8200:8200 + +# Initialize Vault (save the unseal keys!) +vault operator init + +# Unseal Vault (run 3 times with different keys) +vault operator unseal + +# Login with root token +vault login +``` + +Access the UI at . + +## Configuration + +The default configuration runs Vault in standalone mode with: + +- File storage backend +- 10Gi data storage +- 10Gi audit storage +- Kubernetes auth method enabled + +For production, consider using: + +- Integrated Raft storage with HA mode +- Auto-unseal with cloud KMS +- External PostgreSQL/MySQL backend + +## Security Notes + +⚠️ **Important**: The default configuration is suitable for development only. + +For production deployments: + +1. Enable TLS for all communications +2. Use auto-unseal with cloud KMS +3. Configure proper RBAC policies +4. Enable audit logging +5. Use HA mode with multiple replicas 
diff --git a/src/vault/README.zh.md b/src/vault/README.zh.md new file mode 100644 index 0000000..3cfc670 --- /dev/null +++ b/src/vault/README.zh.md @@ -0,0 +1,60 @@ +# Vault + +## 简介 + +HashiCorp Vault 是一个基于身份的秘密和加密管理系统。它提供安全的秘密存储、动态秘密、数据加密和基于身份的访问控制。 + +## 安装 + +安装 Vault: + +```bash +make install +``` + +## 使用 + +安装完成后,初始化并解封 Vault: + +```bash +# 端口转发以访问 Vault +kubectl port-forward svc/vault -n vault 8200:8200 + +# 初始化 Vault(保存解封密钥!) +vault operator init + +# 解封 Vault(使用不同的密钥运行 3 次) +vault operator unseal + +# 使用根令牌登录 +vault login +``` + +在 访问 UI。 + +## 配置 + +默认配置以单机模式运行 Vault,包括: + +- 文件存储后端 +- 10Gi 数据存储 +- 10Gi 审计存储 +- 启用 Kubernetes 认证方法 + +生产环境建议使用: + +- 集成 Raft 存储的 HA 模式 +- 使用云 KMS 自动解封 +- 外部 PostgreSQL/MySQL 后端 + +## 安全注意事项 + +⚠️ **重要**:默认配置仅适用于开发环境。 + +生产环境部署需要: + +1. 为所有通信启用 TLS +2. 使用云 KMS 自动解封 +3. 配置适当的 RBAC 策略 +4. 启用审计日志 +5. 使用多副本 HA 模式 diff --git a/src/vault/values.yaml b/src/vault/values.yaml new file mode 100644 index 0000000..a4f2010 --- /dev/null +++ b/src/vault/values.yaml @@ -0,0 +1,56 @@ +# HashiCorp Vault Configuration +# https://github.com/hashicorp/vault-helm/blob/main/values.yaml + +server: + enabled: true + + # Run Vault in standalone mode with file storage + # For production, consider using Raft or Consul backend + ha: + enabled: false + + # Resource configuration + resources: + requests: + memory: 256Mi + cpu: 250m + limits: + memory: 512Mi + cpu: 500m + + # Data storage configuration + dataStorage: + enabled: true + size: 10Gi + mountPath: /vault/data + + auditStorage: + enabled: true + size: 10Gi + mountPath: /vault/audit + + # Service configuration + service: + enabled: true + type: ClusterIP + port: 8200 + targetPort: 8200 + + # Ingress configuration + ingress: + enabled: false + + # Enable dev mode for testing only + dev: + enabled: false + devRootToken: root + +# UI configuration +ui: + enabled: true + serviceType: ClusterIP + +# Injector configuration +injector: + enabled: true + replicas: 1
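Review bot: in the top-level README.md hunk, Pulsar is listed twice, as `Pulsar` under "Databases & Storage" and again as `Apache Pulsar` under "Streaming & API Gateway"; keep one entry (the Streaming section is the natural home) so the list stays a reliable index of `src/`. Vault sits under "Databases & Storage" although it is a secrets manager; it reads better next to Keycloak in "Identity & Service Mesh" or in a section of its own.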
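Review bot: `HELM_CHART_VERSION ?=` is left empty in `src/airflow/Makefile` and in the other four new Makefiles (argocd, jenkins, nexus, vault), so `make install` resolves whatever chart version the repository serves that day, while the values files pin application versions (`airflowVersion: 2.9.0`, `sonatype/nexus3` tag `3.68.1`). An unpinned chart can change value keys and image defaults underneath those pins. Set `HELM_CHART_VERSION` to the chart version each values.yaml was written against and bump it deliberately.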
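Review bot: in `src/airflow/README.md`, step 3 of "Adding DAGs" ("Use the Airflow UI to upload DAG files") describes a feature the Airflow web UI does not have; DAG files reach the scheduler only through the DAGs volume or git-sync, so drop that item. The "Default credentials" section documents `admin`/`admin` without saying how to change it; add a sentence that the chart-created default user must be replaced or disabled before the webserver is exposed through ingress, which the Customization section encourages.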
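Review bot: in `src/airflow/values.yaml`, `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'True'` lets every webserver user view the full running configuration, including connection and secret-bearing settings; set it to `'False'` (or Airflow's `non-sensitive-only` mode) in a committed default. The `redis:` block uses Bitnami-style keys (`architecture`, `auth.enabled`, `master.persistence`), but the "Built-in Redis" the README describes is the Airflow chart's own Redis, which the upstream values.yaml linked at the top of the file configures through `redis.password` / `redis.passwordSecretName` and `redis.persistence.size`; as written the 5Gi size and the auth setting are most likely ignored, and disabling broker authentication is not something to carry into a default anyway. Also check `postgresql.auth.database: airflow` against the chart's `data.metadataConnection` so the metadata database name actually matches what Airflow connects to.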
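Review bot: `src/argocd/README.md` states default credentials `admin`/`admin` in the Installation section, then in Usage tells the reader to recover the password from `argocd-initial-admin-secret`; both cannot be true for the same deployment, because that secret is only generated when no admin password has been set. Document a single flow, and if a fixed password is kept, say that it must be changed after first login.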
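Review bot: in `src/argocd/values.yaml`, `configs.secret.argocdServerAdminPassword` commits a bcrypt hash of `admin` (the trailing `# admin` comment spells it out), so every cluster installed from this repository starts with a known admin password on a tool that can deploy to the whole cluster. Because the chart writes this value as `admin.password` into `argocd-secret`, Argo CD will not create `argocd-initial-admin-secret`, which is what the README's "Get admin password" command reads. Leave `argocdServerAdminPassword` and `argocdServerAdminPasswordMtime` unset so a random initial password is generated, or supply the hash at install time from a secret store rather than in git.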
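Review bot: in the first `src/gitea/README.md` hunk, the direct Helm alternative `helm install gitea gitea/gitea -f values.yaml` passes no namespace, while the Usage section below port-forwards with `-n gitea`; add `-n gitea --create-namespace` so the two paths land in the same place.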
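Review bot: the second `src/gitea/README.md` hunk puts Chinese body text under English headings ("当前配置为单实例开发环境…", "使用外部数据库:", "查看所有可配置参数:") even though `README.zh.md` is updated in the same patch; write the English sentences here and keep the Chinese in the `.zh.md` file. The "Default admin credentials" block publishes the chart's default admin password `r8sA8CPHD9!bt6d`; add that it must be overridden (admin password values or an existing secret) before ingress is enabled, since the Ingress example a few sections later puts the instance on `git.example.com`. In the External Database example, `PASSWD: secret` in a committed values.yaml is the wrong pattern to show; point to injecting the database password from a Kubernetes secret instead.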
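Review bot: in `src/gitea/README.zh.md`, the v12.x section says the rootless image changes the SSH listen port to 2222 ("SSH 监听端口改为 2222"), a detail the English README's "Rootless by default" bullet omits; keep both files saying the same thing, since the port change matters to anyone exposing Gitea SSH through a Service or Ingress.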
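Review bot: in `src/gitea/values.yaml`, dropping `tag: latest` is the right call (a mutable tag with `pullPolicy: IfNotPresent` leaves each node on whatever it cached), but `repository: gitea` is only a valid image path when the chart's default `image.registry` for the v12 chart the README targets is prepended; with an older chart or a registry override the result is a bare `gitea` image. Since the Makefiles in this patch leave `HELM_CHART_VERSION` empty, pin the chart version alongside this change or set `image.registry` explicitly next to `repository`.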
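Review bot: `src/jenkins/README.md` disagrees with the values.yaml added in the same patch: it says "2Gi memory limit" where `controller.resources.limits.memory` is `4Gi` (2Gi is the request), and "1Gi persistent volume" where `persistence.size` is `10Gi`; the "Installed Plugins" list also omits `credentials` and `credentials-binding`. Align the README with the values so readers size nodes and storage correctly.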
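Review bot: in `src/jenkins/values.yaml`, the controller runs `jenkins/jenkins:lts` with `pullPolicy: IfNotPresent` and the agent runs `jenkins/inbound-agent:latest`; both are mutable tags, so nodes can end up on different Jenkins versions and never pick up LTS security releases until a node's image cache is cleared. Pin both to a specific version (or digest) and update deliberately, as the `installPlugins` list already does for plugins.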
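Review bot: in `src/nexus/README.md`, the `cat /nexus-data/admin.password` step only works until the first password change, after which Nexus removes that file; say so, and that the generated password must be changed during onboarding rather than kept. In "Docker Registry", "Expose via NodePort or Ingress" should steer toward Ingress with TLS, since Docker clients refuse plaintext registries that are not on localhost unless each client is configured as insecure.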
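Review bot: in `src/nexus/values.yaml`, `-Xms2g -Xmx2g -XX:MaxDirectMemorySize=2g` reserves 4g of heap plus direct memory against a `4Gi` container limit, leaving nothing for metaspace, threads and native overhead, so the pod is a candidate for OOMKill under load; either raise the limit or lower the JVM sizes. The file also sets `service.type`/`service.port` twice, once at top level and once under `nexus.service`; only one of those is read by the chart, and the same question applies to the top-level `env` and `resources` blocks, which the upstream values.yaml linked at the top of the file nests under `nexus:`. Keep the keys the chart actually reads and drop the duplicates so the settings are not misleading.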
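Review bot: in `src/vault/README.md`, the "Kubernetes auth method enabled" bullet under default configuration is not backed by anything in values.yaml; enabling an auth method is a post-init step (`vault auth enable kubernetes`), so either add it to Usage or drop the bullet. The Usage block also needs `export VAULT_ADDR=http://127.0.0.1:8200` before `vault operator init`, because the CLI defaults to HTTPS while the chart's standalone listener is plain HTTP, and the init output (unseal keys and root token) should be stored in a secret manager, not just "saved".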
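Review bot: in `src/vault/values.yaml`, `server.dev.devRootToken: root` is left in place under a disabled `dev` block, so anyone flipping `dev.enabled` gets a predictable root token; remove the key. `auditStorage` mounts a 10Gi volume at `/vault/audit`, but no audit device writes to it until `vault audit enable file file_path=/vault/audit/vault_audit.log` is run after unseal; add that to the README's Usage or Security Notes so item 4 ("Enable audit logging") is actionable.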