Add D601 platform-infra secret plane PoC
@@ -0,0 +1,65 @@
|
||||
version: 1
|
||||
kind: platform-infra-secret-plane
|
||||
metadata:
|
||||
id: hwlab-secret-plane
|
||||
owner: HWLAB
|
||||
spec: pikasTech/HWLAB#2233
|
||||
relatedIssues:
|
||||
- 2233
|
||||
defaults:
|
||||
targetId: D601
|
||||
targets:
|
||||
- id: D601
|
||||
route: D601:k3s
|
||||
namespace: platform-infra
|
||||
role: active
|
||||
enabled: true
|
||||
createNamespace: true
|
||||
eso:
|
||||
enabled: true
|
||||
version: v2.7.0
|
||||
manifestUrl: https://github.com/external-secrets/external-secrets/releases/download/v2.7.0/external-secrets.yaml
|
||||
releaseName: external-secrets
|
||||
controllerDeploymentName: external-secrets
|
||||
webhookDeploymentName: external-secrets-webhook
|
||||
certControllerDeploymentName: external-secrets-cert-controller
|
||||
crds:
|
||||
- secretstores.external-secrets.io
|
||||
- externalsecrets.external-secrets.io
|
||||
- clustersecretstores.external-secrets.io
|
||||
vault:
|
||||
mode: dev-kv-v2
|
||||
deploymentName: hwlab-secret-plane-vault
|
||||
serviceName: hwlab-secret-plane-vault
|
||||
tokenSecretName: hwlab-secret-plane-vault-token
|
||||
tokenSecretKey: token
|
||||
image:
|
||||
repository: hashicorp/vault
|
||||
tag: 1.20.3
|
||||
pullPolicy: IfNotPresent
|
||||
port: 8200
|
||||
bootstrap:
|
||||
tokenMode: generated-if-missing
|
||||
tokenLengthBytes: 32
|
||||
syncProbe:
|
||||
secretStoreName: hwlab-secret-plane-vault
|
||||
externalSecretName: hwlab-secret-plane-poc
|
||||
targetSecretName: hwlab-secret-plane-poc-sync
|
||||
refreshInterval: 15s
|
||||
vaultMountPath: secret
|
||||
remotePath: hwlab-secret-plane/poc
|
||||
remoteProperty: password
|
||||
expectedFingerprint: sha256:7b47b343642e442d94ae889778113b0137eb8db255d9c03cb42f2582adfa2f2f
|
||||
testValueSource:
|
||||
mode: repo-poc-static
|
||||
value: hwlab-secret-plane-poc-d601
|
||||
consumer:
|
||||
deploymentName: hwlab-secret-plane-consumer
|
||||
envName: POC_PASSWORD
|
||||
image:
|
||||
repository: busybox
|
||||
tag: 1.36.1
|
||||
pullPolicy: IfNotPresent
|
||||
validation:
|
||||
timeoutSeconds: 45
|
||||
pollSeconds: 3
|
||||
@@ -314,7 +314,7 @@ export interface ManagedResourceCleanupPlan {
|
||||
export function platformInfraHelp(): unknown {
|
||||
const target = sub2ApiHelpTargetSummary();
|
||||
return {
|
||||
command: "platform-infra sub2api|langbot|n8n|wechat-archive|observability ...",
|
||||
command: "platform-infra sub2api|langbot|n8n|wechat-archive|observability|secret-plane ...",
|
||||
output: "json",
|
||||
usage: [
|
||||
"bun scripts/cli.ts platform-infra sub2api plan [--target G14|D601]",
|
||||
@@ -360,8 +360,13 @@ export function platformInfraHelp(): unknown {
|
||||
"bun scripts/cli.ts platform-infra observability search --target D601 --grep 'no rollout found' [--lookback-minutes 360] [--candidate-limit 80] [--limit 20]",
|
||||
"bun scripts/cli.ts platform-infra observability diagnose-code-agent --target D601 --business-trace-id <trc_...> [--full|--raw]",
|
||||
"bun scripts/cli.ts platform-infra observability diagnose-code-agent --target D601 --run-id <run_...> [--command-id <cmd_...>] [--runner-job-id <rjob_...>]",
|
||||
"bun scripts/cli.ts platform-infra secret-plane plan --target D601",
|
||||
"bun scripts/cli.ts platform-infra secret-plane apply --target D601 --dry-run",
|
||||
"bun scripts/cli.ts platform-infra secret-plane apply --target D601 --confirm",
|
||||
"bun scripts/cli.ts platform-infra secret-plane status --target D601",
|
||||
"bun scripts/cli.ts platform-infra secret-plane validate --target D601",
|
||||
],
|
||||
description: "Operate YAML-controlled platform-infra services such as Sub2API, LangBot, n8n, WeChat archive workflows and OpenTelemetry tracing. Public services use PK01 Caddy+FRP rather than Kubernetes Ingress, NodePort, or LoadBalancer.",
|
||||
description: "Operate YAML-controlled platform-infra services such as Sub2API, LangBot, n8n, WeChat archive workflows, OpenTelemetry tracing and the independent D601 secret plane. Public services use PK01 Caddy+FRP rather than Kubernetes Ingress, NodePort, or LoadBalancer.",
|
||||
target,
|
||||
codexPool: {
|
||||
usage: [
|
||||
|
||||
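Review bot: The `command:` summary string and the new `usage` entries in `platformInfraHelp` now spell out the same service names that `runPlatformInfraCommand` matches one `if` at a time (the `secret-plane` branch in the `@@ -56,6 +56,10 @@` hunk), so the help text and the dispatcher can drift silently the next time a service is added. Deriving both from one list, e.g. `const PLATFORM_INFRA_TARGETS = ["sub2api", "langbot", "n8n", "wechat-archive", "observability", "secret-plane"] as const;` and building the summary with `` `platform-infra ${PLATFORM_INFRA_TARGETS.join("|")} ...` ``, would keep them in agreement and let the dispatcher narrow `target` against `typeof PLATFORM_INFRA_TARGETS[number]`. `platformInfraHelp` continues past the end of this hunk.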
@@ -56,6 +56,10 @@ export async function runPlatformInfraCommand(config: UniDeskConfig, args: strin
|
||||
const { runPlatformObservabilityCommand } = await import("../platform-infra-observability");
|
||||
return await runPlatformObservabilityCommand(config, args.slice(1));
|
||||
}
|
||||
if (target === "secret-plane") {
|
||||
const { runSecretPlaneCommand } = await import("../platform-infra-secret-plane");
|
||||
return await runSecretPlaneCommand(config, args.slice(1));
|
||||
}
|
||||
if (target !== "sub2api") return unsupported(args);
|
||||
if (action === "plan" || action === undefined) {
|
||||
const planArgs = args.slice(2);
|
||||
|
||||