diff --git a/README.md b/README.md index 3992fec..6fa6974 100644 --- a/README.md +++ b/README.md 
@@ -1,27 +1,31 @@ -# ircs-prod-config +# ircs-prod-config -Independent GitOps repository for IRCS V3 production namespace `ircs-prod`. +独立 GitOps 仓库,负责 IRCS V3 生产 namespace `ircs-prod` 的 Kubernetes 运行配置。 -This repo intentionally separates production runtime state from the source repository: +代码仓库只负责构建和推送镜像;Argo CD 不再同步后端仓库中的生产清单。所有生产配置入口都在本仓库: -- source repo: `gitea-admin/ircs-project-v3`, builds and pushes service images. -- GitOps repo: `gitea-admin/ircs-prod-config`, declares Kubernetes runtime resources. +- Argo CD Application:`apps/` +- 生产 core 清单:`ircs-prod/core/` +- 生产 edge HTTPRoute:`ircs-prod/edge-cutover/` +- 数据库迁移 Job:`ircs-prod/migration/` -Secrets are not stored here. Run `scripts/prepare-prod-secrets.ps1` before syncing the core ArgoCD application. +当前 Argo CD repoURL: -Deployment order: +```text +http://gitea-http.gitea.svc.cluster.local:3000/admin/ircs-prod-config.git +``` -1. Prepare `ircs-prod` namespace and secrets. -2. Apply `apps/ircs-prod-core-application.yaml` to ArgoCD and sync it. -3. Let the V3 migrator initialize a clean database. Do not migrate legacy `ircs-system` data by default. -4. Verify portals and BFF through cluster endpoints. -5. Sync `apps/ircs-prod-edge-application.yaml` or apply `ircs-prod/edge-cutover`, then remove old `ircs-system` business routes. +## 发布链路 -Edge cutover is isolated from core to avoid hostname conflict while the old `ircs-system` routes still own production domains. +1. 后端或前端仓库的 Gitea Actions 构建 ARM64 镜像并推送到 `registry.mnnu.eu.org/ircs`。 +2. Actions clone 本仓库并更新 `ircs-prod/` 中对应镜像标签。 +3. Actions 将 tag 回写 commit push 到本仓库 `main`。 +4. Argo CD 同步本仓库中的 `ircs-prod-core` 和 `ircs-prod-edge`。 +5. `ircs-prod-migrator` 保留为手动同步对象,避免迁移 Job 被镜像标签变化反复触发。 -Current cutover state: +## 当前域名 -- `ircs-prod-core`: Synced/Healthy. -- `ircs-prod-edge`: Synced/Healthy. -- `ircs-system/huawai-route` and `ircs-system/ircs-route`: removed. -- `ircs-system/kibana-route`: retained. 
+- `huawai.mnnu.eu.org` -> `ircs-portal-frontend:3000` +- `admin.mnnu.eu.org` -> `ircs-admin-frontend:80` + +公网 TLS 由 Envoy Gateway 和基础设施处理,业务 Pod 内部不配置 TLS。 diff --git a/apps/ircs-prod-core-application.yaml b/apps/ircs-prod-core-application.yaml index eae6d04..ccf7b7c 100644 --- a/apps/ircs-prod-core-application.yaml +++ b/apps/ircs-prod-core-application.yaml @@ -9,7 +9,7 @@ metadata: spec: project: default source: - repoURL: https://gitea.mnnu.eu.org/gitea-admin/ircs-prod-config.git + repoURL: http://gitea-http.gitea.svc.cluster.local:3000/admin/ircs-prod-config.git targetRevision: main path: ircs-prod/core destination: diff --git a/apps/ircs-prod-edge-application.yaml b/apps/ircs-prod-edge-application.yaml index 913da4a..1d2f387 100644 --- a/apps/ircs-prod-edge-application.yaml +++ b/apps/ircs-prod-edge-application.yaml @@ -9,13 +9,16 @@ metadata: spec: project: default source: - repoURL: https://gitea.mnnu.eu.org/gitea-admin/ircs-prod-config.git + repoURL: http://gitea-http.gitea.svc.cluster.local:3000/admin/ircs-prod-config.git targetRevision: main path: ircs-prod/edge-cutover destination: server: https://kubernetes.default.svc namespace: ircs-prod syncPolicy: + automated: + prune: true + selfHeal: true syncOptions: - CreateNamespace=true - ServerSideApply=true diff --git a/apps/ircs-prod-migrator-application.yaml b/apps/ircs-prod-migrator-application.yaml index 12f82bb..59e70a1 100644 --- a/apps/ircs-prod-migrator-application.yaml +++ b/apps/ircs-prod-migrator-application.yaml @@ -9,7 +9,7 @@ metadata: spec: project: default source: - repoURL: https://gitea.mnnu.eu.org/gitea-admin/ircs-prod-config.git + repoURL: http://gitea-http.gitea.svc.cluster.local:3000/admin/ircs-prod-config.git targetRevision: main path: ircs-prod/migration destination: diff --git a/apps/kustomization.yaml b/apps/kustomization.yaml new file mode 100644 index 0000000..7bbb54e --- /dev/null +++ b/apps/kustomization.yaml 
@@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ircs-prod-core-application.yaml + - ircs-prod-edge-application.yaml + - ircs-prod-migrator-application.yaml diff --git a/docs/cutover-runbook.md b/docs/cutover-runbook.md index c0d9e15..58e00a3 100644 --- a/docs/cutover-runbook.md +++ b/docs/cutover-runbook.md @@ -1,22 +1,17 @@ -# HTTPRoute cutover runbook +# HTTPRoute cutover runbook -Current production domains are owned by `ircs-system` routes: +状态:历史记录 -- `huawai.sophia.fr.eu.org` -> `ircs-system/huawai-svc:80` -- `ircs.sophia.fr.eu.org` -> `ircs-system/ircs-frontend-svc:80` +当前 `mnnu.eu.org` 生产入口已由本仓库 `ircs-prod/edge-cutover/httproutes.yaml` 管理;本文只保留旧 `sophia` 域名切流思路,不再作为当前操作步骤。 -V3 production routes are declared under `ircs-prod/edge-cutover`: +当前生产域名: -- `huawai.sophia.fr.eu.org` -> `ircs-prod/ircs-frontend-gateway:80` -- `ircs.sophia.fr.eu.org` -> `ircs-prod/ircs-frontend-gateway:8080` +- `huawai.mnnu.eu.org` -> `ircs-prod/ircs-portal-frontend:3000` +- `admin.mnnu.eu.org` -> `ircs-prod/ircs-admin-frontend:80` -Cutover order: +当前 API 路由: -1. Confirm `ircs-prod` pods are Ready. -2. Confirm cluster-internal portal/admin smoke is healthy. -3. Disable automated sync on old `argocd/ircs-app` so it does not recreate old routes. -4. Apply edge routes and delete old `ircs-system` business routes. -5. Verify Envoy Gateway accepts the new routes. -6. Verify external domains through the NLB/Cloudflare path. +- `huawai.mnnu.eu.org/api/backend`、`/api/portal`、`/media` -> `ircs-prod/ircs-portal-bff:8080` +- `admin.mnnu.eu.org/api/v1`、`/media` -> `ircs-prod/ircs-admin-bff:8080` -Use `scripts/cutover-httproute.ps1 -Execute` from this repo root when ready. +切流或新增域名时,直接修改 `ircs-prod/edge-cutover/httproutes.yaml` 并提交本仓库,由 Argo CD 自动同步。 diff --git a/docs/data-migration-runbook.md b/docs/data-migration-runbook.md index 1f548d6..37d0f50 100644 --- a/docs/data-migration-runbook.md +++ b/docs/data-migration-runbook.md 
@@ -1,20 +1,15 @@ -# ircs-system to ircs-prod compatible data migration +# ircs-prod data migration runbook -Goal: migrate old `ircs-system` business data into V3 `ircs-prod` while allowing incompatible runtime tables to be discarded. +状态:历史记录 -Required order: +当前 `ircs-prod` 按新环境干净初始化,不迁移旧 `ircs-system` 业务数据。`ircs-prod-migrator` 仍保留在 `ircs-prod/migration/`,但由 Argo CD 手动同步,避免迁移 Job 自动反复执行。 -1. Back up old `ircs-system` PostgreSQL. -2. Prepare `ircs-prod` secrets with `scripts/prepare-prod-secrets.ps1`. -3. Sync `ircs-prod-core` and wait for PostgreSQL, RabbitMQ, Valkey, Elasticsearch, services, and migrator. -4. Run `scripts/migrate-compatible-data.ps1` once without `-Execute` to compare table presence. -5. Run `scripts/migrate-compatible-data.ps1 -Execute -TruncateTarget` only when `ircs-prod` has no valuable data. -6. Rebuild search/index derived state through V3 ops runners after migration. +如果未来确实需要导入旧数据,先新增一份独立迁移方案并明确: -Migration policy: +- 源库和目标库。 +- 需要复制的业务表。 +- 必须跳过的 runtime、audit、outbox、lock、Liquibase 表。 +- 回滚方式。 +- 迁移前后只读校验 SQL。 -- Copy compatible V1 business tables only. -- Do not copy `databasechangelog` or `databasechangeloglock`. -- Do not copy V3 derived audit/outbox/maintenance tables. -- If a table or column becomes incompatible, prefer explicit table-level skip plus a written note over silent lossy conversion. -- Existing R2 bucket remains `ircs` so historical media URLs stay valid. +不要直接复用旧 `ircs-system` 兼容迁移脚本作为生产操作入口。 diff --git a/ircs-prod/core/00-namespace.yaml b/ircs-prod/core/00-namespace.yaml index b469b7f..8a8c3fd 100644 --- a/ircs-prod/core/00-namespace.yaml +++ b/ircs-prod/core/00-namespace.yaml @@ -1,4 +1,4 @@ -apiVersion: v1 +apiVersion: v1 kind: Namespace metadata: name: ircs-prod diff --git a/ircs-prod/core/01-app-config.yaml b/ircs-prod/core/01-app-config.yaml index ee1db25..6ea08a8 100644 --- a/ircs-prod/core/01-app-config.yaml +++ b/ircs-prod/core/01-app-config.yaml 
@@ -1,4 +1,4 @@ -apiVersion: v1 +apiVersion: v1 kind: ConfigMap metadata: name: ircs-prod-app-config diff --git a/ircs-prod/core/02-resource-quota.yaml b/ircs-prod/core/02-resource-quota.yaml index 7e1bb92..80ce5a1 100644 --- a/ircs-prod/core/02-resource-quota.yaml +++ b/ircs-prod/core/02-resource-quota.yaml @@ -1,4 +1,4 @@ -apiVersion: v1 +apiVersion: v1 kind: ResourceQuota metadata: name: ircs-prod-quota diff --git a/ircs-prod/core/kustomization.yaml b/ircs-prod/core/kustomization.yaml index 13a93aa..f5c0870 100644 --- a/ircs-prod/core/kustomization.yaml +++ b/ircs-prod/core/kustomization.yaml @@ -1,4 +1,4 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 +apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - 00-namespace.yaml @@ -29,4 +29,3 @@ resources: - manifests/storage-service.yaml - manifests/task-service.yaml - manifests/valkey.yaml - diff --git a/ircs-prod/core/manifests/aggregation-worker.yaml b/ircs-prod/core/manifests/aggregation-worker.yaml index 0312a3a..e0613ac 100644 --- a/ircs-prod/core/manifests/aggregation-worker.yaml +++ b/ircs-prod/core/manifests/aggregation-worker.yaml @@ -24,10 +24,10 @@ spec: ircs.prodigalgal.com/no-public-route: "true" spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-aggregation-worker@sha256:659fd4e8e59dde4263b9710c5edd132e34d656aa9b58fe489ae1cac83fb28c14 + image: registry.mnnu.eu.org/ircs/ircs-aggregation-worker:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -99,4 +99,3 @@ spec: limits: cpu: 250m memory: 512Mi - diff --git a/ircs-prod/core/manifests/catalog-service.yaml b/ircs-prod/core/manifests/catalog-service.yaml index 7319db0..2486b0b 100644 --- a/ircs-prod/core/manifests/catalog-service.yaml +++ b/ircs-prod/core/manifests/catalog-service.yaml 
@@ -22,10 +22,10 @@ spec: environment: prod spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-catalog-service@sha256:c460196c3fba553431fb0642d22995f389577628dee445e1397dcd5e7e8b4dc0 + image: registry.mnnu.eu.org/ircs/ircs-catalog-service:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -99,4 +99,3 @@ spec: - name: http port: 8080 targetPort: http - diff --git a/ircs-prod/core/manifests/config-service.yaml b/ircs-prod/core/manifests/config-service.yaml index 6ee2be5..23547c4 100644 --- a/ircs-prod/core/manifests/config-service.yaml +++ b/ircs-prod/core/manifests/config-service.yaml @@ -22,10 +22,10 @@ spec: environment: prod spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-config-service@sha256:f09efcc3c57412ef4a5c879a93a67ce00aa022ef4178ba73ac757434b3f77a76 + image: registry.mnnu.eu.org/ircs/ircs-config-service:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -107,4 +107,3 @@ spec: - name: http port: 8080 targetPort: http - diff --git a/ircs-prod/core/manifests/content-service.yaml b/ircs-prod/core/manifests/content-service.yaml index 398c2df..0c51c57 100644 --- a/ircs-prod/core/manifests/content-service.yaml +++ b/ircs-prod/core/manifests/content-service.yaml @@ -22,10 +22,10 @@ spec: environment: prod spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-content-service@sha256:b0761d6b17f95b87528e494b23bc4c09e8fee5dc0917724809d1108223f32bf0 + image: registry.mnnu.eu.org/ircs/ircs-content-service:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -125,4 +125,3 @@ spec: - name: http port: 8080 targetPort: http - diff --git a/ircs-prod/core/manifests/credential-service.yaml b/ircs-prod/core/manifests/credential-service.yaml index 1f0488e..822766e 100644 
--- a/ircs-prod/core/manifests/credential-service.yaml +++ b/ircs-prod/core/manifests/credential-service.yaml @@ -22,10 +22,10 @@ spec: environment: prod spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-credential-service@sha256:749095ecaad722df22b593163bc1ed643861592a4160384b7365e6337a7741d8 + image: registry.mnnu.eu.org/ircs/ircs-credential-service:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -110,4 +110,3 @@ spec: - name: http port: 8080 targetPort: http - diff --git a/ircs-prod/core/manifests/elasticsearch.yaml b/ircs-prod/core/manifests/elasticsearch.yaml index 3fa3717..90f5fdd 100644 --- a/ircs-prod/core/manifests/elasticsearch.yaml +++ b/ircs-prod/core/manifests/elasticsearch.yaml @@ -1,4 +1,4 @@ -apiVersion: v1 +apiVersion: v1 kind: Service metadata: name: elasticsearch-svc @@ -40,7 +40,6 @@ spec: type: RollingUpdate rollingUpdate: partition: 0 - maxUnavailable: 1 selector: matchLabels: app: elasticsearch @@ -54,7 +53,9 @@ spec: dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - securityContext: {} + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch terminationGracePeriodSeconds: 30 initContainers: - name: install-plugins @@ -173,4 +174,3 @@ spec: resources: requests: storage: 5Gi - diff --git a/ircs-prod/core/manifests/frontend-bff.yaml b/ircs-prod/core/manifests/frontend-bff.yaml index 3ef0a12..0e97f96 100644 --- a/ircs-prod/core/manifests/frontend-bff.yaml +++ b/ircs-prod/core/manifests/frontend-bff.yaml 
@@ -27,10 +27,10 @@ spec: ircs.prodigalgal.com/config-version: "bff-prod-targets-20260614-1" spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-portal-bff@sha256:4d3f2b8115635b111ec14cf5ac501707eb29b207487ce2317db117032b939e56 + image: registry.mnnu.eu.org/ircs/ircs-portal-bff:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -140,10 +140,10 @@ spec: ircs.prodigalgal.com/config-version: "bff-prod-targets-20260614-1" spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-admin-bff@sha256:e043f6a537aea4e02572e93766212bf4dc4465359ed1dbd255ae5b365fc9ca23 + image: registry.mnnu.eu.org/ircs/ircs-admin-bff:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -232,4 +232,3 @@ spec: - name: http port: 8080 targetPort: http - diff --git a/ircs-prod/core/manifests/frontend-portal-admin.yaml b/ircs-prod/core/manifests/frontend-portal-admin.yaml index f033802..26fb1ee 100644 --- a/ircs-prod/core/manifests/frontend-portal-admin.yaml +++ b/ircs-prod/core/manifests/frontend-portal-admin.yaml @@ -1,4 +1,4 @@ -apiVersion: v1 +apiVersion: v1 kind: ConfigMap metadata: name: ircs-frontend-gateway-nginx @@ -308,10 +308,10 @@ spec: ircs.prodigalgal.com/config-version: "bff-20260606-1" spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: huawai - image: harbor.mnnu.eu.org/ircs/huawai@sha256:a411c3498cd2871093953b570616a6e89b3f0d1621308e175692dffd109b2751 + image: registry.mnnu.eu.org/ircs/ircs-huawai-frontend:sha-fbd4430f6682 imagePullPolicy: IfNotPresent ports: - name: http 
@@ -369,10 +369,10 @@ spec: ircs.prodigalgal.com/no-public-route: "true" spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: ircs-admin-frontend - image: harbor.mnnu.eu.org/ircs/ircs-frontend@sha256:132b7d3bb073734ab8072769521e94885b25f8e9e319253e7c1c433d87c91302 + image: registry.mnnu.eu.org/ircs/ircs-admin-frontend:sha-7a74ebb402ab imagePullPolicy: IfNotPresent ports: - name: http @@ -465,4 +465,3 @@ spec: - name: nginx-config configMap: name: ircs-frontend-gateway-nginx - diff --git a/ircs-prod/core/manifests/identity-service.yaml b/ircs-prod/core/manifests/identity-service.yaml index 81b46a7..0900eb4 100644 --- a/ircs-prod/core/manifests/identity-service.yaml +++ b/ircs-prod/core/manifests/identity-service.yaml @@ -24,10 +24,10 @@ spec: ircs.prodigalgal.com/no-public-route: "true" spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-identity-service@sha256:f055eeda67241fffde05adcd90904a9f92000910a182401c6f1f375f09db0777 + image: registry.mnnu.eu.org/ircs/ircs-identity-service:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -146,4 +146,3 @@ spec: - name: http port: 8080 targetPort: http - diff --git a/ircs-prod/core/manifests/ingestion-worker.yaml b/ircs-prod/core/manifests/ingestion-worker.yaml index b5fd9b4..7ab8f92 100644 --- a/ircs-prod/core/manifests/ingestion-worker.yaml +++ b/ircs-prod/core/manifests/ingestion-worker.yaml @@ -24,10 +24,10 @@ spec: ircs.prodigalgal.com/no-public-route: "true" spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-ingestion-worker@sha256:600b2f614b204a01d0dfd6565e87619f73bd5bc136f58ee92d12dee24c77ed8d + image: registry.mnnu.eu.org/ircs/ircs-ingestion-worker:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -93,4 +93,3 @@ spec: limits: cpu: 250m memory: 512Mi - 
diff --git a/ircs-prod/core/manifests/interaction-service.yaml b/ircs-prod/core/manifests/interaction-service.yaml index 3d69382..ecc3839 100644 --- a/ircs-prod/core/manifests/interaction-service.yaml +++ b/ircs-prod/core/manifests/interaction-service.yaml @@ -24,10 +24,10 @@ spec: ircs.prodigalgal.com/no-public-route: "true" spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-interaction-service@sha256:77477b1dd77eb41752d8971c5a961b3903c44d87d74b34017f682c07fd52b7a4 + image: registry.mnnu.eu.org/ircs/ircs-interaction-service:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -118,4 +118,3 @@ spec: - name: http port: 8080 targetPort: http - diff --git a/ircs-prod/core/manifests/magnet-service.yaml b/ircs-prod/core/manifests/magnet-service.yaml index af5f3e3..18b396a 100644 --- a/ircs-prod/core/manifests/magnet-service.yaml +++ b/ircs-prod/core/manifests/magnet-service.yaml @@ -24,10 +24,10 @@ spec: ircs.prodigalgal.com/no-public-route: "true" spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-magnet-service@sha256:88783970566a3f9aa2667fe6001af5f9ccc3882d965f425d715cf4b0f4146bb0 + image: registry.mnnu.eu.org/ircs/ircs-magnet-service:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -103,4 +103,3 @@ spec: - name: http port: 8080 targetPort: http - diff --git a/ircs-prod/core/manifests/metadata-worker.yaml b/ircs-prod/core/manifests/metadata-worker.yaml index d815fd4..620e169 100644 --- a/ircs-prod/core/manifests/metadata-worker.yaml +++ b/ircs-prod/core/manifests/metadata-worker.yaml 
@@ -22,10 +22,10 @@ spec: environment: prod spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-metadata-worker@sha256:c8389f1bd63d7d9b663ff434ed90bb87e2dfd6caa735148c6521b6eb44ea3189 + image: registry.mnnu.eu.org/ircs/ircs-metadata-worker:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -113,4 +113,3 @@ spec: limits: cpu: 250m memory: 512Mi - diff --git a/ircs-prod/core/manifests/migrator-job.yaml b/ircs-prod/core/manifests/migrator-job.yaml deleted file mode 100644 index c961a44..0000000 --- a/ircs-prod/core/manifests/migrator-job.yaml +++ /dev/null @@ -1,53 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: ircs-migrator - namespace: ircs-prod - labels: - app: ircs-migrator - app.kubernetes.io/part-of: ircs - environment: prod -spec: - backoffLimit: 0 - ttlSecondsAfterFinished: 300 - template: - metadata: - labels: - app: ircs-migrator - app.kubernetes.io/part-of: ircs - environment: prod - spec: - restartPolicy: Never - imagePullSecrets: - - name: harbor-secret - containers: - - name: migrator - image: harbor.mnnu.eu.org/ircs/ircs-migrator@sha256:64223fa99f7c2793b0145cc539bafa4b0c70fa3cc0af0e9059a2fed3bf7a2437 - imagePullPolicy: IfNotPresent - env: - - name: SPRING_DATASOURCE_URL - valueFrom: - configMapKeyRef: - name: ircs-prod-app-config - key: DB_URL - - name: SPRING_DATASOURCE_USERNAME - value: postgres - - name: SPRING_DATASOURCE_PASSWORD - valueFrom: - secretKeyRef: - name: ircs-prod-secrets - key: DB_PASSWORD - - name: SPRING_DATASOURCE_HIKARI_MAXIMUM_POOL_SIZE - value: "2" - - name: SPRING_DATASOURCE_HIKARI_MINIMUM_IDLE - value: "0" - - name: SPRING_DATASOURCE_HIKARI_IDLE_TIMEOUT - value: "30000" - resources: - requests: - cpu: 25m - memory: 128Mi - limits: - cpu: 250m - memory: 512Mi - diff --git a/ircs-prod/core/manifests/normalization-worker.yaml b/ircs-prod/core/manifests/normalization-worker.yaml index daface1..1ea8fd7 100644 
--- a/ircs-prod/core/manifests/normalization-worker.yaml +++ b/ircs-prod/core/manifests/normalization-worker.yaml @@ -24,10 +24,10 @@ spec: ircs.prodigalgal.com/no-public-route: "true" spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-normalization-worker@sha256:1f82b17374a8c3e2307bbdd406a106587b5bacc28db4a3e6386a435fbcd8d697 + image: registry.mnnu.eu.org/ircs/ircs-normalization-worker:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -124,4 +124,3 @@ spec: - name: http port: 8080 targetPort: http - diff --git a/ircs-prod/core/manifests/notification-worker.yaml b/ircs-prod/core/manifests/notification-worker.yaml index c3e48cb..f7ffb59 100644 --- a/ircs-prod/core/manifests/notification-worker.yaml +++ b/ircs-prod/core/manifests/notification-worker.yaml @@ -22,10 +22,10 @@ spec: environment: prod spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-notification-worker@sha256:46f41e02c0c76de3e1497ad1c1eaf554f72e0f6a47dfc3a56c798c5e6fc4cf82 + image: registry.mnnu.eu.org/ircs/ircs-notification-worker:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -135,4 +135,3 @@ spec: limits: cpu: 250m memory: 512Mi - diff --git a/ircs-prod/core/manifests/observability-monitoring.yaml b/ircs-prod/core/manifests/observability-monitoring.yaml index 2a1a5a4..bc3f091 100644 --- a/ircs-prod/core/manifests/observability-monitoring.yaml +++ b/ircs-prod/core/manifests/observability-monitoring.yaml @@ -1,4 +1,4 @@ -apiVersion: monitoring.coreos.com/v1 +apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: ircs-prod-service-monitor @@ -67,4 +67,3 @@ spec: interval: 30s scrapeTimeout: 10s honorLabels: true - diff --git a/ircs-prod/core/manifests/ops-service.yaml b/ircs-prod/core/manifests/ops-service.yaml index 9011438..36ffcd1 100644 
--- a/ircs-prod/core/manifests/ops-service.yaml +++ b/ircs-prod/core/manifests/ops-service.yaml @@ -24,10 +24,10 @@ spec: ircs.prodigalgal.com/no-public-route: "true" spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-ops-service@sha256:12bf1e9983f92145f318ad370370ef7ae27fdb68cd3f05c72b281cac94e761ce + image: registry.mnnu.eu.org/ircs/ircs-ops-service:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -138,4 +138,3 @@ spec: - name: http port: 8080 targetPort: http - diff --git a/ircs-prod/core/manifests/portal-service.yaml b/ircs-prod/core/manifests/portal-service.yaml index 1200ce4..10bc302 100644 --- a/ircs-prod/core/manifests/portal-service.yaml +++ b/ircs-prod/core/manifests/portal-service.yaml @@ -24,10 +24,10 @@ spec: ircs.prodigalgal.com/no-public-route: "true" spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-portal-service@sha256:c4270d97a20098164c5b68cec1fcad99a4e56f99f1493aa78683afd5395bb33e + image: registry.mnnu.eu.org/ircs/ircs-portal-service:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -116,4 +116,3 @@ spec: - name: http port: 8080 targetPort: http - diff --git a/ircs-prod/core/manifests/postgres.yaml b/ircs-prod/core/manifests/postgres.yaml index 8277bfa..d0980ca 100644 --- a/ircs-prod/core/manifests/postgres.yaml +++ b/ircs-prod/core/manifests/postgres.yaml @@ -1,4 +1,4 @@ -apiVersion: v1 +apiVersion: v1 kind: Service metadata: name: postgres-svc @@ -37,7 +37,6 @@ spec: type: RollingUpdate rollingUpdate: partition: 0 - maxUnavailable: 1 selector: matchLabels: app: postgres @@ -121,4 +120,3 @@ spec: resources: requests: storage: 2Gi - diff --git a/ircs-prod/core/manifests/rabbitmq.yaml b/ircs-prod/core/manifests/rabbitmq.yaml index f65cc49..0d9566c 100644 --- a/ircs-prod/core/manifests/rabbitmq.yaml 
+++ b/ircs-prod/core/manifests/rabbitmq.yaml @@ -1,4 +1,4 @@ -apiVersion: v1 +apiVersion: v1 kind: Service metadata: name: rabbitmq-svc @@ -40,7 +40,6 @@ spec: type: RollingUpdate rollingUpdate: partition: 0 - maxUnavailable: 1 selector: matchLabels: app: rabbitmq @@ -123,4 +122,3 @@ spec: resources: requests: storage: 1Gi - diff --git a/ircs-prod/core/manifests/scraper-service.yaml b/ircs-prod/core/manifests/scraper-service.yaml index 80e7053..55728bf 100644 --- a/ircs-prod/core/manifests/scraper-service.yaml +++ b/ircs-prod/core/manifests/scraper-service.yaml @@ -24,10 +24,10 @@ spec: ircs.prodigalgal.com/no-public-route: "true" spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-scraper-service@sha256:2a48db6d3df769248bf174129c534361be1303e1d7d7a87b973504ba29b82731 + image: registry.mnnu.eu.org/ircs/ircs-scraper-service:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -130,4 +130,3 @@ spec: - name: http port: 8080 targetPort: http - diff --git a/ircs-prod/core/manifests/search-service.yaml b/ircs-prod/core/manifests/search-service.yaml index a247e03..9918dea 100644 --- a/ircs-prod/core/manifests/search-service.yaml +++ b/ircs-prod/core/manifests/search-service.yaml @@ -22,10 +22,10 @@ spec: environment: prod spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-search-service@sha256:a7d4173655f20e7796b46bbc0cfe940c178d8f970d8b55f0b43e3f8b4e6fcfbf + image: registry.mnnu.eu.org/ircs/ircs-search-service:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -146,4 +146,3 @@ spec: - name: http port: 8080 targetPort: http - diff --git a/ircs-prod/core/manifests/storage-service.yaml b/ircs-prod/core/manifests/storage-service.yaml index 2c2c5b4..221b8f0 100644 --- a/ircs-prod/core/manifests/storage-service.yaml +++ b/ircs-prod/core/manifests/storage-service.yaml 
@@ -22,10 +22,10 @@ spec: environment: prod spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-storage-service@sha256:df6bfcdeb3a285e8b3842b0c0d99da2312b8f755c5fb1f49d35b0ccac8369749 + image: registry.mnnu.eu.org/ircs/ircs-storage-service:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -144,4 +144,3 @@ spec: - name: http port: 8080 targetPort: http - diff --git a/ircs-prod/core/manifests/task-service.yaml b/ircs-prod/core/manifests/task-service.yaml index 9e80dcd..afd2ef7 100644 --- a/ircs-prod/core/manifests/task-service.yaml +++ b/ircs-prod/core/manifests/task-service.yaml @@ -24,10 +24,10 @@ spec: ircs.prodigalgal.com/no-public-route: "true" spec: imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: app - image: harbor.mnnu.eu.org/ircs/ircs-task-service@sha256:b1897407cca7efa0223e0beceb0e03826940d7f694e2b5d7071f8b3ddba4ed5b + image: registry.mnnu.eu.org/ircs/ircs-task-service:sha-de9957f9ced5 imagePullPolicy: IfNotPresent ports: - name: http @@ -149,4 +149,3 @@ spec: - name: http port: 8080 targetPort: http - diff --git a/ircs-prod/core/manifests/valkey.yaml b/ircs-prod/core/manifests/valkey.yaml index 234f68b..2a1ad0b 100644 --- a/ircs-prod/core/manifests/valkey.yaml +++ b/ircs-prod/core/manifests/valkey.yaml @@ -1,4 +1,4 @@ -apiVersion: v1 +apiVersion: v1 kind: Service metadata: name: valkey-svc @@ -74,4 +74,3 @@ spec: limits: cpu: 250m memory: 256Mi - diff --git a/ircs-prod/edge-cutover/httproutes.yaml b/ircs-prod/edge-cutover/httproutes.yaml index e2088ed..34beb21 100644 --- a/ircs-prod/edge-cutover/httproutes.yaml +++ b/ircs-prod/edge-cutover/httproutes.yaml 
@@ -1,4 +1,32 @@ -apiVersion: gateway.networking.k8s.io/v1 +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: huawai-http-redirect + namespace: ircs-prod + labels: + app.kubernetes.io/part-of: ircs + environment: prod +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: mnnu-gateway + namespace: gateway-system + sectionName: http + hostnames: + - huawai.mnnu.eu.org + rules: + - matches: + - path: + type: PathPrefix + value: / + filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 +--- +apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: huawai-route @@ -7,14 +35,31 @@ metadata: app.kubernetes.io/part-of: ircs environment: prod spec: - hostnames: - - huawai.sophia.fr.eu.org parentRefs: - group: gateway.networking.k8s.io kind: Gateway - name: production-gateway - namespace: envoy-gateway-system + name: mnnu-gateway + namespace: gateway-system + sectionName: https + hostnames: + - huawai.mnnu.eu.org rules: + - matches: + - path: + type: PathPrefix + value: /api/backend + - path: + type: PathPrefix + value: /api/portal + - path: + type: PathPrefix + value: /media + backendRefs: + - group: "" + kind: Service + name: ircs-portal-bff + port: 8080 + weight: 1 - matches: - path: type: PathPrefix 
@@ -22,27 +67,69 @@ spec: backendRefs: - group: "" kind: Service - name: ircs-frontend-gateway - port: 80 + name: ircs-portal-frontend + port: 3000 weight: 1 --- apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: - name: ircs-route + name: admin-http-redirect namespace: ircs-prod labels: app.kubernetes.io/part-of: ircs environment: prod spec: - hostnames: - - ircs.sophia.fr.eu.org parentRefs: - group: gateway.networking.k8s.io kind: Gateway - name: production-gateway - namespace: envoy-gateway-system + name: mnnu-gateway + namespace: gateway-system + sectionName: http + hostnames: + - admin.mnnu.eu.org rules: + - matches: + - path: + type: PathPrefix + value: / + filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: admin-route + namespace: ircs-prod + labels: + app.kubernetes.io/part-of: ircs + environment: prod +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: mnnu-gateway + namespace: gateway-system + sectionName: https + hostnames: + - admin.mnnu.eu.org + rules: + - matches: + - path: + type: PathPrefix + value: /api/v1 + - path: + type: PathPrefix + value: /media + backendRefs: + - group: "" + kind: Service + name: ircs-admin-bff + port: 8080 + weight: 1 - matches: - path: type: PathPrefix @@ -50,6 +137,6 @@ spec: backendRefs: - group: "" kind: Service - name: ircs-frontend-gateway - port: 8080 + name: ircs-admin-frontend + port: 80 weight: 1 diff --git a/ircs-prod/edge-cutover/kustomization.yaml b/ircs-prod/edge-cutover/kustomization.yaml index 11613f8..85d5f44 100644 --- a/ircs-prod/edge-cutover/kustomization.yaml +++ b/ircs-prod/edge-cutover/kustomization.yaml @@ -1,5 +1,4 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 +apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - httproutes.yaml - 
diff --git a/ircs-prod/migration/migrator-job.yaml b/ircs-prod/migration/migrator-job.yaml index cc442d4..57cc592 100644 --- a/ircs-prod/migration/migrator-job.yaml +++ b/ircs-prod/migration/migrator-job.yaml @@ -9,7 +9,6 @@ metadata: environment: prod spec: backoffLimit: 0 - ttlSecondsAfterFinished: 300 template: metadata: labels: @@ -19,10 +18,10 @@ spec: spec: restartPolicy: Never imagePullSecrets: - - name: harbor-secret + - name: registry-secret containers: - name: migrator - image: harbor.mnnu.eu.org/ircs/ircs-migrator@sha256:64223fa99f7c2793b0145cc539bafa4b0c70fa3cc0af0e9059a2fed3bf7a2437 + image: registry.mnnu.eu.org/ircs/ircs-migrator:sha-de9957f9ced5 imagePullPolicy: IfNotPresent env: - name: SPRING_DATASOURCE_URL
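Review bot: The rewritten `README.md` drops the sentence "Secrets are not stored here. Run `scripts/prepare-prod-secrets.ps1` before syncing the core ArgoCD application." and puts nothing in its place, while the same patch renames the pull secret to `registry-secret` in every workload. Add a short section stating that secrets stay out of this repository and how `registry-secret` and `ircs-prod-secrets` are created before the first sync. Otherwise a fresh sync fails on image pull with no documented fix.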
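Review bot: In all three Application manifests under `apps/`, `repoURL` moves from `https://gitea.mnnu.eu.org/...` to plain `http://gitea-http.gitea.svc.cluster.local:3000/...`, so the manifests Argo CD applies to production are fetched with no server authentication and no transport integrity. If the in-cluster Gitea service cannot serve TLS, record in the README why cluster-network trust is considered sufficient, or require signed commits on the Argo CD project so a modified fetch is rejected. The owner segment also changes from `gitea-admin/` to `admin/`; please confirm that is the intended repository and not a second copy.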
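Review bot: `apps/ircs-prod-edge-application.yaml` gains `automated` sync with `prune: true` and `selfHeal: true`, and the new README release flow has Actions pushing commits straight to `main`. Together these mean that any commit reaching `main` can change or delete the public HTTPRoutes with no review step. Either require a reviewed merge for changes under `ircs-prod/edge-cutover/`, or leave `prune` off for the edge application until the CI push credential is scoped to this repository and documented.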
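Review bot: Every `image:` line in `ircs-prod/core/manifests/` and in `ircs-prod/migration/migrator-job.yaml` goes from an immutable `@sha256:` digest pin to a mutable `:sha-...` tag while `imagePullPolicy: IfNotPresent` stays. If a tag is ever re-pushed in `registry.mnnu.eu.org`, nodes with a cached copy and nodes pulling fresh will run different content under the same manifest, and the Git history no longer identifies exactly what ran. Have the CI write-back emit `name:sha-<commit>@sha256:<digest>` so the readable tag is kept and the digest still pins the content.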
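Review bot: In `ircs-prod/core/manifests/elasticsearch.yaml` the pod-level `securityContext` changes from `{}` to only `fsGroup: 1000` and `fsGroupChangePolicy: OnRootMismatch`, with no `runAsUser` or `runAsNonRoot` beside them in the hunk. If the container is expected to run as uid 1000, declare that at the same level so the volume group ownership and the process identity are stated together. The same hunk, and the `postgres.yaml` and `rabbitmq.yaml` hunks, remove `maxUnavailable: 1` from `rollingUpdate` without explanation; a one-line reason in the commit message would help later readers.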
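Review bot: The new `admin-route` in `ircs-prod/edge-cutover/httproutes.yaml` publishes `admin.mnnu.eu.org` to `ircs-admin-frontend` on port 80, but the context lines of the `frontend-portal-admin.yaml` hunk show the pod template for the `ircs-admin-frontend` container still marked `ircs.prodigalgal.com/no-public-route: "true"`. One of the two is wrong. If the admin portal is meant to be public, drop the marker in the same change. If the marker is enforced or audited anywhere, this route contradicts it and the admin host should be restricted at the gateway instead.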
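Review bot: Removing `ttlSecondsAfterFinished: 300` in `ircs-prod/migration/migrator-job.yaml` leaves the finished Job object in the namespace, and the same hunk switches `image:` to a tag that CI will rewrite. A Job's pod template is immutable, so unless a replace or force option is set somewhere outside this hunk, the next manual sync after a tag bump will be rejected instead of running the new migrator. Keep the TTL, or document that the previous `ircs-migrator` Job must be deleted before each manual sync.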