Add D601 platform-infra secret plane PoC

This commit is contained in:
Codex
2026-06-27 08:59:35 +00:00
parent 9a5cc21393
commit a78fa346d0
4 changed files with 1328 additions and 2 deletions
+65
@@ -0,0 +1,65 @@
version: 1
kind: platform-infra-secret-plane
metadata:
id: hwlab-secret-plane
owner: HWLAB
spec: pikasTech/HWLAB#2233
relatedIssues:
- 2233
defaults:
targetId: D601
targets:
- id: D601
route: D601:k3s
namespace: platform-infra
role: active
enabled: true
createNamespace: true
eso:
enabled: true
version: v2.7.0
manifestUrl: https://github.com/external-secrets/external-secrets/releases/download/v2.7.0/external-secrets.yaml
releaseName: external-secrets
controllerDeploymentName: external-secrets
webhookDeploymentName: external-secrets-webhook
certControllerDeploymentName: external-secrets-cert-controller
crds:
- secretstores.external-secrets.io
- externalsecrets.external-secrets.io
- clustersecretstores.external-secrets.io
vault:
mode: dev-kv-v2
deploymentName: hwlab-secret-plane-vault
serviceName: hwlab-secret-plane-vault
tokenSecretName: hwlab-secret-plane-vault-token
tokenSecretKey: token
image:
repository: hashicorp/vault
tag: 1.20.3
pullPolicy: IfNotPresent
port: 8200
bootstrap:
tokenMode: generated-if-missing
tokenLengthBytes: 32
syncProbe:
secretStoreName: hwlab-secret-plane-vault
externalSecretName: hwlab-secret-plane-poc
targetSecretName: hwlab-secret-plane-poc-sync
refreshInterval: 15s
vaultMountPath: secret
remotePath: hwlab-secret-plane/poc
remoteProperty: password
expectedFingerprint: sha256:7b47b343642e442d94ae889778113b0137eb8db255d9c03cb42f2582adfa2f2f
testValueSource:
mode: repo-poc-static
value: hwlab-secret-plane-poc-d601
consumer:
deploymentName: hwlab-secret-plane-consumer
envName: POC_PASSWORD
image:
repository: busybox
tag: 1.36.1
pullPolicy: IfNotPresent
validation:
timeoutSeconds: 45
pollSeconds: 3
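Review bot: The PoC test value `value: hwlab-secret-plane-poc-d601` under `testValueSource` (`mode: repo-poc-static`) and the `expectedFingerprint` derived from it are committed in clear, and nothing in the file marks them as public fixtures, so a later reader may take `repo-poc-static` as an acceptable way to source real values. A comment above `testValueSource` such as `# PoC fixture only: this value is public by construction and must never hold a real secret; non-PoC targets need a source mode that does not live in the repo` would make that boundary explicit. The Vault block (`mode: dev-kv-v2`, `tokenMode: generated-if-missing`) deserves a similar note: if `dev-kv-v2` maps onto Vault's dev server, as the name suggests, storage is in-memory and the server runs unsealed, so synced data will not survive a pod restart and the `validate` flow should expect that rather than treat it as drift.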
+7 -2
@@ -314,7 +314,7 @@ export interface ManagedResourceCleanupPlan {
export function platformInfraHelp(): unknown {
const target = sub2ApiHelpTargetSummary();
return {
command: "platform-infra sub2api|langbot|n8n|wechat-archive|observability ...",
command: "platform-infra sub2api|langbot|n8n|wechat-archive|observability|secret-plane ...",
output: "json",
usage: [
"bun scripts/cli.ts platform-infra sub2api plan [--target G14|D601]",
@@ -360,8 +360,13 @@ export function platformInfraHelp(): unknown {
"bun scripts/cli.ts platform-infra observability search --target D601 --grep 'no rollout found' [--lookback-minutes 360] [--candidate-limit 80] [--limit 20]",
"bun scripts/cli.ts platform-infra observability diagnose-code-agent --target D601 --business-trace-id <trc_...> [--full|--raw]",
"bun scripts/cli.ts platform-infra observability diagnose-code-agent --target D601 --run-id <run_...> [--command-id <cmd_...>] [--runner-job-id <rjob_...>]",
"bun scripts/cli.ts platform-infra secret-plane plan --target D601",
"bun scripts/cli.ts platform-infra secret-plane apply --target D601 --dry-run",
"bun scripts/cli.ts platform-infra secret-plane apply --target D601 --confirm",
"bun scripts/cli.ts platform-infra secret-plane status --target D601",
"bun scripts/cli.ts platform-infra secret-plane validate --target D601",
],
description: "Operate YAML-controlled platform-infra services such as Sub2API, LangBot, n8n, WeChat archive workflows and OpenTelemetry tracing. Public services use PK01 Caddy+FRP rather than Kubernetes Ingress, NodePort, or LoadBalancer.",
description: "Operate YAML-controlled platform-infra services such as Sub2API, LangBot, n8n, WeChat archive workflows, OpenTelemetry tracing and the independent D601 secret plane. Public services use PK01 Caddy+FRP rather than Kubernetes Ingress, NodePort, or LoadBalancer.",
target,
codexPool: {
usage: [
+4
@@ -56,6 +56,10 @@ export async function runPlatformInfraCommand(config: UniDeskConfig, args: strin
const { runPlatformObservabilityCommand } = await import("../platform-infra-observability");
return await runPlatformObservabilityCommand(config, args.slice(1));
}
if (target === "secret-plane") {
const { runSecretPlaneCommand } = await import("../platform-infra-secret-plane");
return await runSecretPlaneCommand(config, args.slice(1));
}
if (target !== "sub2api") return unsupported(args);
if (action === "plan" || action === undefined) {
const planArgs = args.slice(2);
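Review bot: The new `secret-plane` branch forwards `args.slice(1)` to `runSecretPlaneCommand` without consulting `action`, so whether a bare `secret-plane` with no sub-command, or one outside plan/apply/status/validate, is rejected depends entirely on the imported module, which is not visible here. A one-line comment ahead of the branch, `// secret-plane parses its own action and owns the --confirm gate for apply`, would record where that responsibility lives, assuming that is indeed how the module behaves. Placing the branch before the `target !== "sub2api"` guard matches the observability branch directly above it. runPlatformInfraCommand begins and continues outside the hunk.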