feat(platform-infra): add YAML-controlled nginx deployment

This commit is contained in:
Codex
2026-07-13 14:04:47 +02:00
parent 21567bafbf
commit 635589d79e
6 changed files with 812 additions and 1 deletions
+15
View File
@@ -191,3 +191,18 @@ Interpretation guide:
| `/home/ubuntu/.vscode-server` | VS Code remote server, extensions, and cache | Do not delete installed servers/extensions by default; cached VSIX cleanup needs an explicit policy. |
| `/var/lib/docker` | Docker overlay/image/container state for PK01 workloads | Do not prune generically; inspect running containers first. |
| `/var/log/journal` | systemd journal | Managed by journald cap; use sudo when vacuuming manually. |
## Nginx Host-Docker 受控部署
- PK01 的 Nginx 负载均衡器由 `config/platform-infra/nginx.yaml` 管理。
- 部署形态与 PK01 Sub2API 一致,使用 UniDesk YAML-first 的 host-Docker Compose 入口。
- 正式命令是 `bun scripts/cli.ts platform-infra nginx apply --target PK01 --confirm`。
- apply 默认提交异步 job;长传输、镜像加载和验证不能占用单次 SSH 长连接。
- 容器使用 host network,并限制为 `64m` 内存、`0.25` CPU 和 64 个 PID。
- 业务监听端口、上游列表、管理端口、日志上限和 logger API key 来源均来自 owning YAML。
- PK01 不构建镜像;镜像在 NC01 构建后以 SHA-256 和镜像 ID 校验的产物下发。
- 验证期间临时创建两个 loopback host Python/systemd 后端。
- 验证固定发送四个串行请求,并核对响应后端与 Nginx JSONL 记录顺序。
- 验证 logger API 的未认证拒绝、查询、tail、下载和清理能力。
- 验证结束后删除两个后端及其 unit,保留 Nginx 容器和已清空的日志文件。
- `platform-infra nginx status --target PK01` 必须报告测试后端活动数为零。
+18
View File
@@ -323,3 +323,21 @@ spec:
This policy must be included in the `sub2api plan` / `apply` manifest rendering so that it is created as part of the normal deployment flow, not maintained as a manual one-off.
`platform-infra sub2api status` must report whether `NetworkPolicy/allow-all` exists and still has `podSelector: {}`, `policyTypes: [Ingress, Egress]`, `ingress: [{}]`, and `egress: [{}]`. For active bundled targets, `platform-infra sub2api validate` must also run temporary in-namespace probe pods that connect to `sub2api-postgres:5432` and `sub2api-redis:6379`; local `pg_isready` inside the PostgreSQL pod alone is insufficient because it does not exercise kube-router cross-pod policy evaluation. For external-DB standby targets, `validate --target` checks the predeployment shape: no local PostgreSQL, app replicas zero, ClusterIP services, allow-all NetworkPolicy, local Redis declared as ephemeral cache with readiness required only when Redis replicas are above zero, and no standby-disabled public FRP, egress proxy, or sentinel CronJob remains. For external-DB active targets, `validate --target` checks that the app uses the external database endpoint, local Redis is ephemeral, no local PostgreSQL StatefulSet exists, and any YAML-declared egress proxy and public exposure resources are present and probed through their configured paths.
## Nginx 负载均衡与 Logger 边界
- Nginx host-Docker 服务的配置真相是 `config/platform-infra/nginx.yaml`
- 正式入口是 `platform-infra nginx plan|apply|status`,不得用 Demo 脚本直接修改 PK01。
- 镜像由 owning YAML 固定产物路径、SHA-256 和镜像 ID,并在 NC01 构建。
- `targets.<id>.runtime.routes` 是业务监听端口与上游的唯一真相。
- 一个 target 可以声明一个或多个监听端口,每个端口可以声明一个或多个 HTTP 上游。
- CLI 将路由数组渲染为容器的 `NGINX_ROUTES`,不在源码中保存应用专用端口。
- Nginx 配置使用 `NGINX_*`,日志收集和管理配置使用 `LOGGER_*`
- logger API key 只允许由 YAML `sourceRef``sourceKey``targetKey` 下发。
- API key 输出只披露 presence 与 fingerprint,禁止输出或嵌入受控 job 命令。
- 除健康检查外,logger 查询、tail、下载和清理接口均要求 `X-API-Key`
- JSONL 文件由 Nginx `access_log` 写入,验证器不得生成或补写日志。
- `LOGGER_MAX_BYTES` 与检查周期必须由 YAML 明确设置,避免日志无限增长。
- PK01 验证只发送四个串行请求,不执行压力测试。
- 两个验证后端必须是 PK01 host Python/systemd 服务,不能作为容器部署。
- 验证退出时必须停止并删除后端脚本和 unit;正式 Nginx 容器继续运行。