feat(platform-infra): add YAML-controlled nginx deployment
This commit is contained in:
@@ -191,3 +191,18 @@ Interpretation guide:
|
||||
| `/home/ubuntu/.vscode-server` | VS Code remote server, extensions, and cache | Do not delete installed servers/extensions by default; cached VSIX cleanup needs an explicit policy. |
|
||||
| `/var/lib/docker` | Docker overlay/image/container state for PK01 workloads | Do not prune generically; inspect running containers first. |
|
||||
| `/var/log/journal` | systemd journal | Managed by journald cap; use sudo when vacuuming manually. |
|
||||
|
||||
## Nginx Host-Docker 受控部署
|
||||
|
||||
- PK01 的 Nginx 负载均衡器由 `config/platform-infra/nginx.yaml` 管理。
|
||||
- 部署形态与 PK01 Sub2API 一致,使用 UniDesk YAML-first 的 host-Docker Compose 入口。
|
||||
- 正式命令是 `bun scripts/cli.ts platform-infra nginx apply --target PK01 --confirm`。
|
||||
- apply 默认提交异步 job;长传输、镜像加载和验证不能占用单次 SSH 长连接。
|
||||
- 容器使用 host network,并限制为 `64m` 内存、`0.25` CPU 和 64 个 PID。
|
||||
- 业务监听端口、上游列表、管理端口、日志上限和 logger API key 来源均来自 owning YAML。
|
||||
- PK01 不构建镜像;镜像在 NC01 构建后以 SHA-256 和镜像 ID 校验的产物下发。
|
||||
- 验证期间临时创建两个 loopback host Python/systemd 后端。
|
||||
- 验证固定发送四个串行请求,并核对响应后端与 Nginx JSONL 记录顺序。
|
||||
- 验证 logger API 的未认证拒绝、查询、tail、下载和清理能力。
|
||||
- 验证结束后删除两个后端及其 unit,保留 Nginx 容器和已清空的日志文件。
|
||||
- `platform-infra nginx status --target PK01` 必须报告测试后端活动数为零。
|
||||
|
||||
@@ -323,3 +323,21 @@ spec:
|
||||
This policy must be included in the `sub2api plan` / `apply` manifest rendering so that it is created as part of the normal deployment flow, not maintained as a manual one-off.
|
||||
|
||||
`platform-infra sub2api status` must report whether `NetworkPolicy/allow-all` exists and still has `podSelector: {}`, `policyTypes: [Ingress, Egress]`, `ingress: [{}]`, and `egress: [{}]`. For active bundled targets, `platform-infra sub2api validate` must also run temporary in-namespace probe pods that connect to `sub2api-postgres:5432` and `sub2api-redis:6379`; local `pg_isready` inside the PostgreSQL pod alone is insufficient because it does not exercise kube-router cross-pod policy evaluation. For external-DB standby targets, `validate --target` checks the predeployment shape: no local PostgreSQL, app replicas zero, ClusterIP services, allow-all NetworkPolicy, local Redis declared as ephemeral cache with readiness required only when Redis replicas are above zero, and no standby-disabled public FRP, egress proxy, or sentinel CronJob remains. For external-DB active targets, `validate --target` checks that the app uses the external database endpoint, local Redis is ephemeral, no local PostgreSQL StatefulSet exists, and any YAML-declared egress proxy and public exposure resources are present and probed through their configured paths.
|
||||
|
||||
## Nginx 负载均衡与 Logger 边界
|
||||
|
||||
- Nginx host-Docker 服务的配置真相是 `config/platform-infra/nginx.yaml`。
|
||||
- 正式入口是 `platform-infra nginx plan|apply|status`,不得用 Demo 脚本直接修改 PK01。
|
||||
- 镜像由 owning YAML 固定产物路径、SHA-256 和镜像 ID,并在 NC01 构建。
|
||||
- `targets.<id>.runtime.routes` 是业务监听端口与上游的唯一真相。
|
||||
- 一个 target 可以声明一个或多个监听端口,每个端口可以声明一个或多个 HTTP 上游。
|
||||
- CLI 将路由数组渲染为容器的 `NGINX_ROUTES`,不在源码中保存应用专用端口。
|
||||
- Nginx 配置使用 `NGINX_*`,日志收集和管理配置使用 `LOGGER_*`。
|
||||
- logger API key 只允许由 YAML `sourceRef`、`sourceKey` 和 `targetKey` 下发。
|
||||
- API key 输出只披露 presence 与 fingerprint,禁止输出或嵌入受控 job 命令。
|
||||
- 除健康检查外,logger 查询、tail、下载和清理接口均要求 `X-API-Key`。
|
||||
- JSONL 文件由 Nginx `access_log` 写入,验证器不得生成或补写日志。
|
||||
- `LOGGER_MAX_BYTES` 与检查周期必须由 YAML 明确设置,避免日志无限增长。
|
||||
- PK01 验证只发送四个串行请求,不执行压力测试。
|
||||
- 两个验证后端必须是 PK01 host Python/systemd 服务,不能作为容器部署。
|
||||
- 验证退出时必须停止并删除后端脚本和 unit;正式 Nginx 容器继续运行。
|
||||
|
||||
Reference in New Issue
Block a user