zhongwei/gh-anton-abyzov-specweave-plugins-specweave-kubernetes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-29 17:56:51 +08:00
commit b441ad1cf4
24 changed files with 6617 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

262
commands/cluster-setup.md Normal file
View File

@@ -0,0 +1,262 @@
# Kubernetes Cluster Setup
Set up a production-ready Kubernetes cluster with essential components.
## Task
You are a Kubernetes infrastructure expert. Guide users through setting up a production cluster.
### Steps:
1. **Ask for Platform**:
- Managed (EKS, GKE, AKS)
- Self-hosted (kubeadm, k3s, kind)
- Local dev (minikube, kind, k3d)
2. **Generate Cluster Configuration**:
#### EKS (AWS):
```bash
# eksctl config
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
name: production-cluster
region: us-east-1
version: "1.28"
managedNodeGroups:
- name: general-purpose
instanceType: t3.medium
minSize: 3
maxSize: 10
desiredCapacity: 3
volumeSize: 50
ssh:
allow: true
labels:
workload-type: general
tags:
nodegroup-role: general-purpose
iam:
withAddonPolicies:
autoScaler: true
certManager: true
externalDNS: true
ebs: true
efs: true
addons:
- name: vpc-cni
- name: coredns
- name: kube-proxy
- name: aws-ebs-csi-driver
```
#### GKE (Google Cloud):
```bash
gcloud container clusters create production-cluster \
--region us-central1 \
--num-nodes 3 \
--machine-type n1-standard-2 \
--disk-size 50 \
--enable-autoscaling \
--min-nodes 3 \
--max-nodes 10 \
--enable-autorepair \
--enable-autoupgrade \
--maintenance-window-start "2024-01-01T00:00:00Z" \
--maintenance-window-duration 4h \
--addons HorizontalPodAutoscaling,HttpLoadBalancing,GcePersistentDiskCsiDriver \
--workload-pool=production-cluster.svc.id.goog \
--enable-shielded-nodes \
--enable-ip-alias \
--network default \
--subnetwork default \
--cluster-version latest
```
#### AKS (Azure):
```bash
az aks create \
--resource-group production-rg \
--name production-cluster \
--location eastus \
--kubernetes-version 1.28.0 \
--node-count 3 \
--node-vm-size Standard_D2s_v3 \
--enable-cluster-autoscaler \
--min-count 3 \
--max-count 10 \
--network-plugin azure \
--enable-managed-identity \
--enable-pod-security-policy \
--enable-addons monitoring,azure-policy \
--generate-ssh-keys
```
3. **Install Essential Add-ons**:
#### Ingress Controller (NGINX):
```yaml
# Helm install
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
--namespace ingress-nginx \
--create-namespace \
--set controller.replicaCount=3 \
--set controller.service.type=LoadBalancer \
--set controller.metrics.enabled=true
```
#### Cert-Manager (TLS certificates):
```yaml
helm repo add jetstack https://charts.jetstack.io
helm upgrade --install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set installCRDs=true
# ClusterIssuer for Let's Encrypt
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: admin@example.com
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: nginx
```
#### Prometheus + Grafana (Monitoring):
```bash
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm upgrade --install kube-prometheus-stack prometheus-community/kube-prometheus-stack \
--namespace monitoring \
--create-namespace \
--set prometheus.prometheusSpec.retention=30d \
--set prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage=50Gi \
--set grafana.adminPassword=admin123
```
#### External DNS (auto DNS records):
```yaml
helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/
helm upgrade --install external-dns external-dns/external-dns \
--namespace kube-system \
--set provider=aws \ # or google, azure
--set txtOwnerId=production-cluster \
--set policy=sync
```
#### ArgoCD (GitOps):
```bash
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
# Access UI
kubectl port-forward svc/argocd-server -n argocd 8080:443
# Get admin password
kubectl -n argocd get secret argocd-initial-admin-secret \
-o jsonpath="{.data.password}" | base64 -d
```
4. **Security Setup**:
#### Network Policies:
```yaml
# Default deny all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
# Allow DNS
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dns
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
name: kube-system
ports:
- protocol: UDP
port: 53
```
#### Pod Security Standards:
```yaml
apiVersion: v1
kind: Namespace
metadata:
name: production
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restricted
```
5. **Storage Classes**:
```yaml
# Fast SSD storage
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: fast
provisioner: ebs.csi.aws.com # or pd.csi.storage.gke.io, disk.csi.azure.com
parameters:
type: gp3
iops: "3000"
throughput: "125"
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
reclaimPolicy: Delete
```
### Best Practices Included:
- Multi-AZ/region deployment
- Auto-scaling (cluster and pods)
- Monitoring and logging
- TLS certificate automation
- GitOps with ArgoCD
- Network policies
- Resource quotas
- RBAC configuration
### Example Usage:
```
User: "Set up production EKS cluster with monitoring"
Result: Complete EKS config + all essential add-ons
```

242
commands/deployment-generate.md Normal file
View File

@@ -0,0 +1,242 @@
# Kubernetes Deployment Generator
Generate production-ready Kubernetes deployment manifests.
## Task
You are a Kubernetes expert. Generate complete deployment manifests with best practices.
### Steps:
1. **Ask for Required Information**:
- Application name
- Docker image
- Port(s)
- Environment variables
- Resource requirements
- Replicas
2. **Generate Deployment Manifest**:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
labels:
app: myapp
version: v1.0.0
annotations:
kubernetes.io/change-cause: "Initial deployment"
spec:
replicas: 3
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
selector:
matchLabels:
app: myapp
template:
metadata:
labels:
app: myapp
version: v1.0.0
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8080"
prometheus.io/path: "/metrics"
spec:
# Security context
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 2000
# Init containers (if needed)
initContainers:
- name: init-db
image: busybox:1.36
command: ['sh', '-c', 'until nc -z postgres 5432; do echo waiting for db; sleep 2; done;']
containers:
- name: myapp
image: myapp:1.0.0
imagePullPolicy: IfNotPresent
# Ports
ports:
- name: http
containerPort: 8080
protocol: TCP
# Environment variables
env:
- name: NODE_ENV
value: "production"
- name: DB_HOST
valueFrom:
configMapKeyRef:
name: myapp-config
key: db-host
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: myapp-secrets
key: db-password
# Resource limits
resources:
requests:
memory: "256Mi"
cpu: "250m"
limits:
memory: "512Mi"
cpu: "500m"
# Health checks
livenessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
httpGet:
path: /ready
port: http
initialDelaySeconds: 10
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 3
# Volume mounts
volumeMounts:
- name: config
mountPath: /etc/config
readOnly: true
- name: cache
mountPath: /tmp/cache
# Volumes
volumes:
- name: config
configMap:
name: myapp-config
- name: cache
emptyDir: {}
# Affinity rules
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- myapp
topologyKey: kubernetes.io/hostname
```
3. **Generate Service Manifest**:
```yaml
apiVersion: v1
kind: Service
metadata:
name: myapp
labels:
app: myapp
spec:
type: ClusterIP
ports:
- port: 80
targetPort: http
protocol: TCP
name: http
selector:
app: myapp
```
4. **Generate ConfigMap**:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: myapp-config
data:
db-host: "postgres.default.svc.cluster.local"
log-level: "info"
config.json: |
{
"feature_flags": {
"new_feature": true
}
}
```
5. **Generate Secret** (base64 encoded):
```yaml
apiVersion: v1
kind: Secret
metadata:
name: myapp-secrets
type: Opaque
data:
db-password: cGFzc3dvcmQxMjM= # base64 encoded
```
6. **Generate HPA (Horizontal Pod Autoscaler)**:
```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: myapp-hpa
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: myapp
minReplicas: 3
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: 80
```
### Best Practices Included:
- Security context (non-root user)
- Resource requests and limits
- Liveness and readiness probes
- Rolling update strategy
- Pod anti-affinity
- ConfigMap and Secret separation
- Horizontal pod autoscaling
### Example Usage:
```
User: "Generate deployment for Node.js API on port 3000"
Result: Complete deployment + service + configmap + secret + HPA
```

333
commands/helm-scaffold.md Normal file
View File

@@ -0,0 +1,333 @@
# Helm Chart Scaffolding
Generate production-ready Helm charts with best practices.
## Task
You are a Helm expert. Generate complete Helm chart structure for applications.
### Steps:
1. **Ask for Information**:
- Chart name
- Application type (web app, API, worker, etc.)
- Dependencies (databases, caches, etc.)
2. **Generate Chart Structure**:
```
my-app/
├── Chart.yaml
├── values.yaml
├── values-dev.yaml
├── values-staging.yaml
├── values-prod.yaml
├── templates/
│ ├── NOTES.txt
│ ├── _helpers.tpl
│ ├── deployment.yaml
│ ├── service.yaml
│ ├── ingress.yaml
│ ├── configmap.yaml
│ ├── secret.yaml
│ ├── hpa.yaml
│ ├── serviceaccount.yaml
│ ├── networkpolicy.yaml
│ └── tests/
│ └── test-connection.yaml
├── charts/ # Subcharts
└── .helmignore
```
3. **Generate Chart.yaml**:
```yaml
apiVersion: v2
name: my-app
description: A Helm chart for my-app
type: application
version: 1.0.0 # Chart version
appVersion: "1.0.0" # Application version
keywords:
- application
- api
home: https://github.com/myorg/my-app
sources:
- https://github.com/myorg/my-app
maintainers:
- name: Your Name
email: you@example.com
url: https://example.com
dependencies:
- name: postgresql
version: "12.x.x"
repository: https://charts.bitnami.com/bitnami
condition: postgresql.enabled
- name: redis
version: "17.x.x"
repository: https://charts.bitnami.com/bitnami
condition: redis.enabled
```
4. **Generate values.yaml**:
```yaml
# Default values for my-app
# This is a YAML-formatted file
replicaCount: 3
image:
repository: myapp
pullPolicy: IfNotPresent
tag: "" # Overrides appVersion
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
create: true
annotations: {}
name: ""
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8080"
podSecurityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 2000
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
service:
type: ClusterIP
port: 80
targetPort: 8080
ingress:
enabled: true
className: "nginx"
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
hosts:
- host: myapp.example.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: myapp-tls
hosts:
- myapp.example.com
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 250m
memory: 256Mi
autoscaling:
enabled: true
minReplicas: 3
maxReplicas: 10
targetCPUUtilizationPercentage: 70
targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- my-app
topologyKey: kubernetes.io/hostname
# Application-specific configs
config:
logLevel: info
nodeEnv: production
# Dependencies
postgresql:
enabled: true
auth:
database: myapp
username: myapp
primary:
persistence:
enabled: true
size: 10Gi
redis:
enabled: true
architecture: standalone
auth:
enabled: true
```
5. **Generate deployment.yaml (templated)**:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "my-app.fullname" . }}
labels:
{{- include "my-app.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "my-app.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "my-app.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "my-app.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.service.targetPort }}
protocol: TCP
livenessProbe:
httpGet:
path: /health
port: http
readinessProbe:
httpGet:
path: /ready
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
env:
- name: NODE_ENV
value: {{ .Values.config.nodeEnv }}
- name: LOG_LEVEL
value: {{ .Values.config.logLevel }}
{{- if .Values.postgresql.enabled }}
- name: DB_HOST
value: {{ include "my-app.fullname" . }}-postgresql
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "my-app.fullname" . }}-postgresql
key: password
{{- end }}
```
6. **Generate _helpers.tpl**:
```yaml
{{/*
Expand the name of the chart.
*/}}
{{- define "my-app.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
*/}}
{{- define "my-app.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "my-app.labels" -}}
helm.sh/chart: {{ include "my-app.chart" . }}
{{ include "my-app.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "my-app.selectorLabels" -}}
app.kubernetes.io/name: {{ include "my-app.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
```
### Deployment Commands:
```bash
# Install chart
helm install my-app ./my-app -f values-dev.yaml
# Upgrade
helm upgrade my-app ./my-app -f values-prod.yaml
# Template (dry-run)
helm template my-app ./my-app -f values-prod.yaml
# Lint
helm lint ./my-app
# Package
helm package ./my-app
# Test
helm test my-app
```
### Example Usage:
```
User: "Create Helm chart for Node.js API with PostgreSQL"
Result: Complete Helm chart with all templates and values files
```