feat(prod2): add publisher and Kafka

Author: wuhuizuo

apps/prod2/zot/policies.yaml …application-pods-run-on-arm64-nodes.yamlapps/prod2/zot/policies.yaml renamed to apps/prod2/cluster-policies/avoid-application-pods-run-on-arm64-nodes.yaml apps/prod2/zot/policies.yaml renamed to apps/prod2/cluster-policies/avoid-application-pods-run-on-arm64-nodes.yaml

@@ -1,14 +1,23 @@
 apiVersion: kyverno.io/v1
-kind: Policy
+kind: ClusterPolicy
 metadata:
-  name: restrict-to-amd64-nodes
+  name: avoid-application-pods-run-on-arm64-nodes
 spec:
   rules:
-    - name: restrict-to-amd64-nodes
+    - name: inject-node-affinity
       match:
         resources:
           kinds:
             - Pod
+          namespaces:
+            - brc
+            - buildbarn
+            - jenkins-beta
+            - kafka
+            - publisher
+            - tekton-operator
+            - tekton-pipelines
+            - zot
       mutate:
         patchStrategicMerge:
           spec:

apps/prod2/cluster-policies/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - avoid-application-pods-run-on-arm64-nodes.yaml

apps/prod2/kustomization.yaml

@@ -2,8 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../_base
-  - buildbarn # experiment
+  - cluster-policies
   - brc
+  - tekton
+  - publisher
   - zot # experiment
+  - buildbarn # experiment
   - jenkins/beta # experiment
-  - tekton

apps/prod2/publisher/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: publisher
+resources:
+  - namespace.yaml
+  - pre.yaml
+  - release-prod-mirror.yaml
+  - release-staging-mirror.yaml

apps/prod2/publisher/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: publisher

apps/prod2/publisher/pre.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: publisher-pre
+spec:
+  interval: 5m0s
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  path: ./apps/prod2/publisher/pre
+  prune: true

apps/prod2/publisher/pre/external-secrets/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - publisher-config-prod.yaml
+  - publisher-config-staging.yaml
+  - tiup-credentials-prod.yaml
+  - tiup-credentials-staging.yaml

apps/prod2/publisher/pre/external-secrets/publisher-config-prod.yaml

@@ -0,0 +1,51 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: publisher-config-prod
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: ee-gcp-sm
+  target:
+    name: publisher-config-prod
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      data:
+        service.yaml: |
+          event_source: "http://publisher-prod.apps.svc"
+          kafka:
+            brokers:
+              - cluster-cd-kafka-bootstrap.kafka.svc:9092
+            topic: cd-publishing-requests-prod
+            client_id: publisher-prod
+          redis:
+            addr: "redis-master.redis:6379"
+            db: 0
+            password: {{ .data.redis_password }}
+        worker.yaml: |
+          tiup:
+            kafka:
+              brokers:
+                - cluster-cd-kafka-bootstrap.kafka.svc:9092
+              topic: cd-publishing-requests-prod
+              consumer_group: publisher-prod-tiup
+
+            options:
+              mirror_url: {{ .data.tiup_mirror_url}}
+              lark_webhook_url: {{ .data.lark_webhook_url }}
+              nightly_interval: 12h
+            redis:
+              addr: "redis-master.redis:6379"
+              db: 0
+              password: {{ .data.redis_password }}
+  data:
+    - secretKey: redis_password
+      remoteRef:
+        key: prod2_publisher_redis_password
+    - secretKey: tiup-prod-mirror-url
+      remoteRef:
+        key: prod2_publisher_redis_password
+    - secretKey: lark_webhook_url
+      remoteRef:
+        key: prod2_publisher_failure_lark_webhook_url

apps/prod2/publisher/pre/external-secrets/publisher-config-staging.yaml

@@ -0,0 +1,76 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: publisher-config-staging
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: ee-gcp-sm
+  target:
+    name: publisher-config-staging
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      data:
+        service.yaml: |
+          event_source: "http://publisher-staging.apps.svc"
+          kafka:
+            brokers:
+              - cluster-cd-kafka-bootstrap.kafka.svc:9092
+            topic: cd-publishing-requests-staging
+            client_id: publisher-staging
+          redis:
+            addr: "redis-master.redis:6379"
+            db: 0
+            password: {{ .data.redis_password }}
+        worker.yaml: |
+          tiup:
+            kafka:
+              brokers:
+                - cluster-cd-kafka-bootstrap.kafka.svc:9092
+              topic: cd-publishing-requests-staging
+              consumer_group: publisher-staging-tiup
+
+            options:
+              mirror_url: {{ .data.tiup_mirror_url}}
+              lark_webhook_url: {{ .data.lark_webhook_url }}
+              nightly_interval: 12h
+            redis:
+              addr: "redis-master.redis:6379"
+              db: 0
+              password: {{ .data.redis_password }}
+
+          file_server:
+            kafka:
+              brokers:
+                - cluster-cd-kafka-bootstrap.kafka.svc:9092
+              topic: cd-publishing-requests-staging
+              consumer_group: publisher-staging-fs
+
+            redis:
+              addr: "redis-master.redis:6379"
+              db: 0
+              password: {{ .data.redis_password }}
+
+            options:
+              lark_webhook_url: {{ .data.lark_webhook_url }}
+              s3.endpoint: {{ .data.S3_REGION_ENDPOINT }}
+              s3.region: {{ .data.S3_REGION }}
+              s3.bucket_name: {{ .data.S3_BUCKET }}
+              s3.access_key: {{ .data.S3_ACCESS_KEY }}
+              s3.secret_key: {{ .data.S3_SECRET_KEY }}
+
+  data:
+    - secretKey: redis_password
+      remoteRef:
+        key: prod2_publisher_redis_password
+    - secretKey: tiup-prod-mirror-url
+      remoteRef:
+        key: prod2_publisher_redis_password
+    - secretKey: lark_webhook_url
+      remoteRef:
+        key: prod2_publisher_failure_lark_webhook_url
+  dataFrom:
+    - extract:
+        # json object contains keys: S3_*
+        key: prod2_publisher_fileserver_s3_json

apps/prod2/publisher/pre/external-secrets/tiup-credentials-prod.yaml

@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: tiup-credentials-prod
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: ee-gcp-sm
+  target:
+    name: tiup-credentials-prod
+    creationPolicy: Owner
+  data:
+    - secretKey: url
+      remoteRef:
+        key: tiup-prod-mirror-url
+    - secretKey: private.json
+      remoteRef:
+        key: tiup-prod-private-key-json