fix(k01): force glibc pthread rseq for mongo to bypass tcmalloc crash on kernel 6.19+

deploy/k01/.env.example

@@ -12,7 +12,7 @@ EMAIL_SMTP_PORT=587
 EMAIL_SMTP_USERNAME=
 EMAIL_SMTP_PASSWORD=
 EMAIL_FROM_ADDRESS=dev@juwan.xhttp.zip
-EMAIL_FROM_NAME=Juwan Team
+EMAIL_FROM_NAME="Juwan Team"
 EMAIL_REPLY_TO=
 
 S3_ENDPOINT=https://s3.juwan.xhttp.zip

deploy/k01/README.md

@@ -2,7 +2,7 @@
 
 该目录是 juwan-backend 所有 k3s 节点的初始化配置。公网入口由 center 的 Caddy 接管——`/wt/*` 走 UDP 直达 chat-api，其余路径反代到 envoy-gateway NodePort 30080。
 
-第一台机器按以下步骤初始化为 k3s server；后续加入的 k02、k03 只运行 `install-k3s.sh agent`，其他步骤（k8s Secret、CR、业务 yaml）在 server 上 apply 一次即可。
+第一台机器按以下步骤初始化为 k3s server；后续加入的 k02、k03 只运行 `install.sh agent`，其他步骤在 server 上执行一次即可。
 
 ## 前置条件
 
@@ -10,57 +10,41 @@
 - center 已部署，`registry.juwan.xhttp.zip` 可推可拉
 - 已从 Gitea 拉取仓库：`git clone https://git.juwan.xhttp.zip/juwan/juwan-backend.git`
 - `/root/registry-password` 文件存放 zot admin 密码（`chmod 600`）
+- `.env` 已按 `.env.example` 填好（zot admin 密码、Brevo SMTP、Garage S3 凭据）
+
+如果还没 `.env`：先 `cp .env.example .env && nano .env`，再跑 `secrets.sh`。
 
 ## k3s server 初始化
 
 ```bash
 cd /root/juwan-backend/deploy/k01
 
-# 装 k3s（禁用内置 traefik）+ Helm + 四个 Operator
+bash install.sh          # k3s + Helm + 四个 Operator
-bash install-k3s.sh
+bash secrets.sh          # 生成所有 k8s Secret
+bash apply-infra.sh      # 数据层 + envoy + ratelimit，分批等待 Ready
+bash apply-schema.sh     # 向 CNPG 写入 schema 与 fixture
+bash apply-services.sh   # 启动业务 Deployment
 
-# 准备 .env，填 zot Admin 密码 / Brevo SMTP / Garage S3 凭据
+# 可以用 `bash teardown.sh` 来卸载数据层和业务层
-cp .env.example .env
-nano .env
-
-# 应用 namespace + RBAC，生成全部 k8s Secret
-kubectl apply -f 00-base/
-bash secrets.sh
-
-# 应用基础设施（Operator CR）
-kubectl apply -f 01-infra/postgres.yaml
-kubectl apply -f 01-infra/redis.yaml
-kubectl apply -f 01-infra/mongo.yaml
-kubectl apply -f 01-infra/kafka.yaml
-kubectl apply -f 01-infra/ratelimit.yaml
-kubectl apply -f 01-infra/envoy.yaml
-
-# 等 PostgreSQL Cluster 全部 Ready 后再灌 schema
-bash 01-infra/load-schema.sh
-
-# 启动业务服务
-kubectl apply -f 02-service/
-
-kubectl -n juwan get pods -w
 ```
 
 ## 做什么
 
-四层结构。控制面是 k3s server，跑着 CNPG / Strimzi / Redis / MongoDB 四个 Operator 管理有状态服务。
+控制面是 k3s server，跑着 CNPG / Strimzi / Redis / MongoDB 四个 Operator 管理有状态服务。
 
-数据层 11 个 per-domain PostgreSQL Cluster + 12 个 RedisReplication + 1 个 MongoDBCommunity（chat）+ Strimzi KRaft Kafka（1 broker）。
+数据层 11 个 per-domain PostgreSQL Cluster + 12 个 RedisReplication + 1 个 MongoDBCommunity + Strimzi KRaft Kafka。
 
 业务层 27 个 Go 服务镜像指向 `registry.juwan.xhttp.zip/juwan/<name>:latest`，每个 domain 一套 rpc + api，外加 snowflake、authz-adapter、email-mq 和 frontend。所有 Deployment 带 `imagePullSecrets: registry-creds`，containerd 的 `registries.yaml` 配了 zot admin 凭据。
 
 email-api 跟 user-rpc 共用 user-redis 实例，因为注册和重置密码的验证码 key 跨服务读写。
 
-chat-api 的 WebTransport 走 UDP 8443 hostPort，center Caddy 的 PR 7669 fork 把这路流量终结后反代过来。
+chat-api 的 WebTransport 走 UDP 8443 hostPort，center Caddy 的 PR 7669 fork 在中心握手后反向代理 WebTransport 连接到 chat-api。
 
 ## 生成的 Secret
 
 `secrets.sh` 生成随机密码写入 `secrets/` 目录，同时 `kubectl create secret` 到 `juwan` namespace。需要手动填的是 `.env` 里的 zot admin 密码、Brevo SMTP key 和 Garage S3 access key。
 
-CNPG 每个 Cluster Ready 后自动生成 `<cluster>-app` Secret（username/password/dbname/host/port），业务 pod 的 env 直接从这些 Secret 取值。
+CNPG 每个 Cluster Ready 后自动生成 `<cluster>-app` Secret（username/password/dbname/host/port），业务 pod 的 env 由这些 Secret 提供。
 
 ## 加节点
 
@@ -76,7 +60,7 @@ cat /var/lib/rancher/k3s/server/node-token
 cd /root/juwan-backend/deploy/k01
 echo "<zot-admin-password>" > /root/registry-password && chmod 600 /root/registry-password
 
-K3S_URL=https://<server-ip>:6443 K3S_TOKEN=<token> bash install-k3s.sh agent
+K3S_URL=https://<server-ip>:6443 K3S_TOKEN=<token> bash install.sh agent
 ```
 
 ## 日常操作

deploy/k01/apply-infra.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+INFRA_DIR="$(cd "$(dirname "$0")/infra" && pwd)"
+export KUBECONFIG="${KUBECONFIG:-/etc/rancher/k3s/k3s.yaml}"
+
+apply_docs() {
+	local file="$1" kind="$2" wait_expr="$3" buf i
+	i=0
+	buf=""
+	while IFS= read -r line; do
+		if [[ "$line" == "---" ]]; then
+			printf '%s\n' "$buf" | kubectl apply -f -
+			i=$((i+1))
+			echo "  ($i) applied"
+			buf=""
+		else
+			[[ -n "$buf" ]] && buf+=$'\n'
+			buf+="$line"
+		fi
+	done < "$file"
+	printf '%s\n' "$buf" | kubectl apply -f -
+	i=$((i+1))
+	echo "  ($i) applied"
+
+	if [ -n "$kind" ]; then
+		kubectl -n juwan wait --for="$wait_expr" --timeout=900s "$kind" --all || true
+	fi
+}
+
+echo envoy + ratelimit
+kubectl apply -f "${INFRA_DIR}/envoy.yaml"
+kubectl apply -f "${INFRA_DIR}/ratelimit.yaml"
+kubectl -n juwan wait --for=condition=Ready pod -l app=envoy-gateway --timeout=120s || true
+kubectl -n juwan wait --for=condition=Ready pod -l "app in (ratelimit,rl-redis)" --timeout=120s || true
+
+echo redis
+apply_docs "${INFRA_DIR}/redis.yaml" "" ""
+kubectl -n juwan wait --for=condition=Ready pod -l redis_setup_type=replication --timeout=600s || true
+
+echo postgres
+apply_docs "${INFRA_DIR}/postgres.yaml" cluster.postgresql.cnpg.io "condition=Ready"
+
+echo mongo
+kubectl apply -f "${INFRA_DIR}/mongo.yaml"
+kubectl -n juwan wait --for=jsonpath='{.status.phase}'=Running mongodbcommunity/chat-mongodb --timeout=600s || true
+
+echo kafka
+kubectl apply -f "${INFRA_DIR}/kafka.yaml"
+kubectl -n kafka wait --for=condition=Ready kafka/juwan-kafka --timeout=900s || true
+
+kubectl get pods -A

deploy/k01/apply-schema.sh

@@ -8,19 +8,12 @@ FIXTURE_DIR="$REPO_ROOT/deploy/dev/fixture"
 
 export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
 
-declare -A SCHEMA_MAP=(
+domain_dir() {
-	[user-db]=users
+	case "$1" in
-	[player-db]=player
+		user) echo users ;;
-	[game-db]=game
+		*) echo "$1" ;;
-	[shop-db]=shop
+	esac
-	[order-db]=order
+}
-	[wallet-db]=wallet
-	[community-db]=community
-	[review-db]=review
-	[dispute-db]=dispute
-	[notification-db]=notification
-	[search-db]=search
-)
 
 psql_exec() {
 	local cluster="$1" sql="$2"
@@ -34,25 +27,27 @@ psql_file() {
 		-v ON_ERROR_STOP=1 -U app -d app < "$file"
 }
 
-for cluster in "${!SCHEMA_MAP[@]}"; do
+clusters=()
-	domain="${SCHEMA_MAP[$cluster]}"
+while IFS= read -r name; do
-	echo ">>> $cluster ($domain)"
+	clusters+=("$name")
+done < <(kubectl -n juwan get cluster -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n')
 
+for cluster in "${clusters[@]}"; do
+	domain="${cluster%-db}"
+	dir="$(domain_dir "$domain")"
+	echo "$cluster"
 	kubectl -n juwan wait --for=condition=Ready "cluster.postgresql.cnpg.io/${cluster}" --timeout=300s
-
 	psql_file "$cluster" "$SQL_DIR/common/update_updated_at_column.sql"
-
+	for f in "$SQL_DIR/$dir"/*.sql; do
-	for f in "$SQL_DIR/$domain"/*.sql; do
 		[ -f "$f" ] || continue
-		echo "    schema: $(basename "$f")"
+		echo "  $(basename "$f")"
 		psql_file "$cluster" "$f"
 	done
-
+	if [ -f "$FIXTURE_DIR/$dir.sql" ]; then
-	if [ -f "$FIXTURE_DIR/$domain.sql" ]; then
+		echo "  $dir.sql"
-		echo "    fixture: $domain.sql"
+		psql_file "$cluster" "$FIXTURE_DIR/$dir.sql"
-		psql_file "$cluster" "$FIXTURE_DIR/$domain.sql"
 	fi
 done
 
 echo
-echo "schema + fixture loaded into 11 CNPG clusters"
+echo "schema + fixture loaded, ${#clusters[@]} clusters"

deploy/k01/apply-services.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SVC_DIR="$(cd "$(dirname "$0")/services" && pwd)"
+export KUBECONFIG="${KUBECONFIG:-/etc/rancher/k3s/k3s.yaml}"
+
+apply_wait() {
+	for f in "$@"; do
+		echo "${f%.yaml}"
+		kubectl apply -f "${SVC_DIR}/${f}"
+	done
+	kubectl -n juwan wait --for=condition=Available deploy --all --timeout=600s || true
+}
+
+cd "$SVC_DIR"
+
+apply_wait snowflake.yaml authz-adapter.yaml
+
+domain_files=()
+for f in *.yaml; do
+	case "$f" in
+		snowflake.yaml|authz-adapter.yaml|chat.yaml|email.yaml|frontend.yaml) ;;
+		*) domain_files+=("$f") ;;
+	esac
+done
+apply_wait "${domain_files[@]}"
+
+apply_wait chat.yaml email.yaml frontend.yaml
+
+kubectl get pods -n juwan

deploy/k01/infra/envoy.yaml

@@ -1058,8 +1058,10 @@ spec:
             periodSeconds: 10
           resources:
             requests:
-              cpu: 100m
+              cpu: 50m
               memory: 128Mi
+            limits:
+              memory: 512Mi
       volumes:
         - name: config
           configMap:

deploy/k01/infra/kafka.yaml

@@ -1,4 +1,4 @@
-apiVersion: kafka.strimzi.io/v1beta2
+apiVersion: kafka.strimzi.io/v1
 kind: KafkaNodePool
 metadata:
   name: controller
@@ -13,9 +13,18 @@ spec:
     type: persistent-claim
     size: 1Gi
     deleteClaim: false
+  resources:
+    requests:
+      cpu: 30m
+      memory: 64Mi
+    limits:
+      memory: 768Mi
+  jvmOptions:
+    -Xms: "192M"
+    -Xmx: "384M"
 
 ---
-apiVersion: kafka.strimzi.io/v1beta2
+apiVersion: kafka.strimzi.io/v1
 kind: KafkaNodePool
 metadata:
   name: broker
@@ -30,9 +39,18 @@ spec:
     type: persistent-claim
     size: 5Gi
     deleteClaim: false
+  resources:
+    requests:
+      cpu: 50m
+      memory: 128Mi
+    limits:
+      memory: 1536Mi
+  jvmOptions:
+    -Xms: "256M"
+    -Xmx: "1024M"
 
 ---
-apiVersion: kafka.strimzi.io/v1beta2
+apiVersion: kafka.strimzi.io/v1
 kind: Kafka
 metadata:
   name: juwan-kafka
@@ -56,11 +74,23 @@ spec:
       default.replication.factor: 1
       min.insync.replicas: 1
   entityOperator:
-    topicOperator: {}
+    topicOperator:
-    userOperator: {}
+      resources:
+        requests:
+          cpu: 20m
+          memory: 80Mi
+        limits:
+          memory: 256Mi
+    userOperator:
+      resources:
+        requests:
+          cpu: 20m
+          memory: 80Mi
+        limits:
+          memory: 256Mi
 
 ---
-apiVersion: kafka.strimzi.io/v1beta2
+apiVersion: kafka.strimzi.io/v1
 kind: KafkaTopic
 metadata:
   name: email-task

deploy/k01/infra/mongo.yaml

@@ -6,7 +6,7 @@ metadata:
 spec:
   members: 1
   type: ReplicaSet
-  version: "8.2.6"
+  version: "8.3.1"
   security:
     authentication:
       modes:
@@ -24,6 +24,29 @@ spec:
     storage.wiredTiger.engineConfig.journalCompressor: zlib
   statefulSet:
     spec:
+      template:
+        spec:
+          containers:
+            - name: mongod
+              env:
+                - name: GLIBC_TUNABLES
+                  value: glibc.pthread.rseq=1
+              resources:
+                requests:
+                  cpu: 30m
+                  memory: 100Mi
+                limits:
+                  memory: 1Gi
+            - name: mongodb-agent
+              env:
+                - name: GLIBC_TUNABLES
+                  value: glibc.pthread.rseq=1
+              resources:
+                requests:
+                  cpu: 30m
+                  memory: 80Mi
+                limits:
+                  memory: 200Mi
       volumeClaimTemplates:
         - metadata:
             name: data-volume

deploy/k01/infra/postgres.yaml

@@ -13,6 +13,12 @@ spec:
       owner: app
   storage:
     size: 1Gi
+  resources:
+    requests:
+      cpu: 30m
+      memory: 30Mi
+    limits:
+      memory: 1Gi
 
 ---
 apiVersion: postgresql.cnpg.io/v1
@@ -30,6 +36,12 @@ spec:
       owner: app
   storage:
     size: 1Gi
+  resources:
+    requests:
+      cpu: 30m
+      memory: 30Mi
+    limits:
+      memory: 1Gi
 
 ---
 apiVersion: postgresql.cnpg.io/v1
@@ -47,6 +59,12 @@ spec:
       owner: app
   storage:
     size: 1Gi
+  resources:
+    requests:
+      cpu: 30m
+      memory: 30Mi
+    limits:
+      memory: 1Gi
 
 ---
 apiVersion: postgresql.cnpg.io/v1
@@ -64,6 +82,12 @@ spec:
       owner: app
   storage:
     size: 1Gi
+  resources:
+    requests:
+      cpu: 30m
+      memory: 30Mi
+    limits:
+      memory: 1Gi
 
 ---
 apiVersion: postgresql.cnpg.io/v1
@@ -81,6 +105,12 @@ spec:
       owner: app
   storage:
     size: 1Gi
+  resources:
+    requests:
+      cpu: 30m
+      memory: 30Mi
+    limits:
+      memory: 1Gi
 
 ---
 apiVersion: postgresql.cnpg.io/v1
@@ -98,6 +128,12 @@ spec:
       owner: app
   storage:
     size: 1Gi
+  resources:
+    requests:
+      cpu: 30m
+      memory: 30Mi
+    limits:
+      memory: 1Gi
 
 ---
 apiVersion: postgresql.cnpg.io/v1
@@ -115,6 +151,12 @@ spec:
       owner: app
   storage:
     size: 1Gi
+  resources:
+    requests:
+      cpu: 30m
+      memory: 30Mi
+    limits:
+      memory: 1Gi
 
 ---
 apiVersion: postgresql.cnpg.io/v1
@@ -132,6 +174,12 @@ spec:
       owner: app
   storage:
     size: 1Gi
+  resources:
+    requests:
+      cpu: 30m
+      memory: 30Mi
+    limits:
+      memory: 1Gi
 
 ---
 apiVersion: postgresql.cnpg.io/v1
@@ -149,6 +197,12 @@ spec:
       owner: app
   storage:
     size: 1Gi
+  resources:
+    requests:
+      cpu: 30m
+      memory: 30Mi
+    limits:
+      memory: 1Gi
 
 ---
 apiVersion: postgresql.cnpg.io/v1
@@ -166,6 +220,12 @@ spec:
       owner: app
   storage:
     size: 1Gi
+  resources:
+    requests:
+      cpu: 30m
+      memory: 30Mi
+    limits:
+      memory: 1Gi
 
 ---
 apiVersion: postgresql.cnpg.io/v1
@@ -183,3 +243,9 @@ spec:
       owner: app
   storage:
     size: 1Gi
+  resources:
+    requests:
+      cpu: 30m
+      memory: 30Mi
+    limits:
+      memory: 1Gi

deploy/k01/infra/ratelimit.yaml

@@ -56,13 +56,15 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:8.6.2-alpine
+          image: redis:8.6.3-alpine
           ports:
             - containerPort: 6379
           resources:
             requests:
               cpu: 20m
               memory: 32Mi
+            limits:
+              memory: 64Mi
 
 ---
 apiVersion: v1
@@ -95,6 +97,10 @@ spec:
       labels:
         app: ratelimit
     spec:
+      initContainers:
+        - name: wait-rl-redis
+          image: busybox:1.37
+          command: ["sh", "-c", "until nc -z rl-redis-svc 6379; do sleep 1; done"]
       containers:
         - name: ratelimit
           image: envoyproxy/ratelimit:fe26676d
@@ -124,8 +130,10 @@ spec:
               mountPath: /data/ratelimit/config
           resources:
             requests:
-              cpu: 50m
+              cpu: 20m
               memory: 64Mi
+            limits:
+              memory: 256Mi
       volumes:
         - name: config
           configMap:

deploy/k01/infra/redis.yaml

@@ -6,12 +6,14 @@ metadata:
 spec:
   clusterSize: 1
   kubernetesConfig:
-    image: quay.io/opstree/redis:v7.0.15
+    image: quay.io/opstree/redis:v8.6.2
     imagePullPolicy: IfNotPresent
     resources:
       requests:
-        cpu: 50m
+        cpu: 10m
-        memory: 64Mi
+        memory: 24Mi
+      limits:
+        memory: 1Gi
     redisSecret:
       name: user-redis
       key: password
@@ -35,12 +37,14 @@ metadata:
 spec:
   clusterSize: 1
   kubernetesConfig:
-    image: quay.io/opstree/redis:v7.0.15
+    image: quay.io/opstree/redis:v8.6.2
     imagePullPolicy: IfNotPresent
     resources:
       requests:
-        cpu: 50m
+        cpu: 10m
-        memory: 64Mi
+        memory: 24Mi
+      limits:
+        memory: 1Gi
     redisSecret:
       name: player-redis
       key: password
@@ -64,12 +68,14 @@ metadata:
 spec:
   clusterSize: 1
   kubernetesConfig:
-    image: quay.io/opstree/redis:v7.0.15
+    image: quay.io/opstree/redis:v8.6.2
     imagePullPolicy: IfNotPresent
     resources:
       requests:
-        cpu: 50m
+        cpu: 10m
-        memory: 64Mi
+        memory: 24Mi
+      limits:
+        memory: 1Gi
     redisSecret:
       name: game-redis
       key: password
@@ -93,12 +99,14 @@ metadata:
 spec:
   clusterSize: 1
   kubernetesConfig:
-    image: quay.io/opstree/redis:v7.0.15
+    image: quay.io/opstree/redis:v8.6.2
     imagePullPolicy: IfNotPresent
     resources:
       requests:
-        cpu: 50m
+        cpu: 10m
-        memory: 64Mi
+        memory: 24Mi
+      limits:
+        memory: 1Gi
     redisSecret:
       name: shop-redis
       key: password
@@ -122,12 +130,14 @@ metadata:
 spec:
   clusterSize: 1
   kubernetesConfig:
-    image: quay.io/opstree/redis:v7.0.15
+    image: quay.io/opstree/redis:v8.6.2
     imagePullPolicy: IfNotPresent
     resources:
       requests:
-        cpu: 50m
+        cpu: 10m
-        memory: 64Mi
+        memory: 24Mi
+      limits:
+        memory: 1Gi
     redisSecret:
       name: order-redis
       key: password
@@ -151,12 +161,14 @@ metadata:
 spec:
   clusterSize: 1
   kubernetesConfig:
-    image: quay.io/opstree/redis:v7.0.15
+    image: quay.io/opstree/redis:v8.6.2
     imagePullPolicy: IfNotPresent
     resources:
       requests:
-        cpu: 50m
+        cpu: 10m
-        memory: 64Mi
+        memory: 24Mi
+      limits:
+        memory: 1Gi
     redisSecret:
       name: wallet-redis
       key: password
@@ -180,12 +192,14 @@ metadata:
 spec:
   clusterSize: 1
   kubernetesConfig:
-    image: quay.io/opstree/redis:v7.0.15
+    image: quay.io/opstree/redis:v8.6.2
     imagePullPolicy: IfNotPresent
     resources:
       requests:
-        cpu: 50m
+        cpu: 10m
-        memory: 64Mi
+        memory: 24Mi
+      limits:
+        memory: 1Gi
     redisSecret:
       name: community-redis
       key: password
@@ -209,12 +223,14 @@ metadata:
 spec:
   clusterSize: 1
   kubernetesConfig:
-    image: quay.io/opstree/redis:v7.0.15
+    image: quay.io/opstree/redis:v8.6.2
     imagePullPolicy: IfNotPresent
     resources:
       requests:
-        cpu: 50m
+        cpu: 10m
-        memory: 64Mi
+        memory: 24Mi
+      limits:
+        memory: 1Gi
     redisSecret:
       name: review-redis
       key: password
@@ -238,12 +254,14 @@ metadata:
 spec:
   clusterSize: 1
   kubernetesConfig:
-    image: quay.io/opstree/redis:v7.0.15
+    image: quay.io/opstree/redis:v8.6.2
     imagePullPolicy: IfNotPresent
     resources:
       requests:
-        cpu: 50m
+        cpu: 10m
-        memory: 64Mi
+        memory: 24Mi
+      limits:
+        memory: 1Gi
     redisSecret:
       name: dispute-redis
       key: password
@@ -267,12 +285,14 @@ metadata:
 spec:
   clusterSize: 1
   kubernetesConfig:
-    image: quay.io/opstree/redis:v7.0.15
+    image: quay.io/opstree/redis:v8.6.2
     imagePullPolicy: IfNotPresent
     resources:
       requests:
-        cpu: 50m
+        cpu: 10m
-        memory: 64Mi
+        memory: 24Mi
+      limits:
+        memory: 1Gi
     redisSecret:
       name: notification-redis
       key: password
@@ -296,12 +316,14 @@ metadata:
 spec:
   clusterSize: 1
   kubernetesConfig:
-    image: quay.io/opstree/redis:v7.0.15
+    image: quay.io/opstree/redis:v8.6.2
     imagePullPolicy: IfNotPresent
     resources:
       requests:
-        cpu: 50m
+        cpu: 10m
-        memory: 64Mi
+        memory: 24Mi
+      limits:
+        memory: 1Gi
     redisSecret:
       name: search-redis
       key: password
@@ -325,12 +347,14 @@ metadata:
 spec:
   clusterSize: 1
   kubernetesConfig:
-    image: quay.io/opstree/redis:v7.0.15
+    image: quay.io/opstree/redis:v8.6.2
     imagePullPolicy: IfNotPresent
     resources:
       requests:
-        cpu: 50m
+        cpu: 10m
-        memory: 64Mi
+        memory: 24Mi
+      limits:
+        memory: 1Gi
     redisSecret:
       name: chat-redis
       key: password

deploy/k01/install.sh

@@ -19,6 +19,8 @@ if [ ! -f /root/registry-password ]; then
 	exit 1
 fi
 
+K01_DIR="$(cd "$(dirname "$0")" && pwd)"
+
 write_registries() {
 	mkdir -p /etc/rancher/k3s
 	cat > /etc/rancher/k3s/registries.yaml <<EOF
@@ -73,15 +75,19 @@ systemctl restart k3s
 export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
 until kubectl get nodes >/dev/null 2>&1; do sleep 2; done
 
-K01_DIR="$(cd "$(dirname "$0")" && pwd)"
+kubectl apply -f "${K01_DIR}/base/"
-kubectl apply -f "${K01_DIR}/00-base/"
 
-kubectl apply -f \
+kubectl apply --server-side --force-conflicts -f \
 	"https://github.com/cloudnative-pg/cloudnative-pg/releases/download/v${CNPG_VERSION}/cnpg-${CNPG_VERSION}.yaml"
+kubectl -n cnpg-system set resources deploy/cnpg-controller-manager \
+	--requests=cpu=50m,memory=64Mi --limits=cpu=200m,memory=256Mi
 
 kubectl create namespace kafka 2>/dev/null || true
-kubectl apply -n kafka \
+curl -sfL "https://github.com/strimzi/strimzi-kafka-operator/releases/download/${STRIMZI_VERSION}/strimzi-cluster-operator-${STRIMZI_VERSION}.yaml" \
-	-f "https://github.com/strimzi/strimzi-kafka-operator/releases/download/${STRIMZI_VERSION}/strimzi-cluster-operator-${STRIMZI_VERSION}.yaml"
+	| sed 's/namespace: .*/namespace: kafka/' \
+	| kubectl apply --server-side --force-conflicts -n kafka -f -
+kubectl -n kafka set resources deploy/strimzi-cluster-operator \
+	--requests=cpu=50m,memory=200Mi --limits=cpu=500m,memory=500Mi
 
 helm repo add ot-helm https://ot-container-kit.github.io/helm-charts/ 2>/dev/null || true
 helm repo add mongodb https://mongodb.github.io/helm-charts 2>/dev/null || true
@@ -89,12 +95,20 @@ helm repo update
 
 helm upgrade --install redis-operator ot-helm/redis-operator \
 	--version "${REDIS_OP_VERSION}" \
-	--namespace redis-operator --create-namespace
+	--namespace redis-operator --create-namespace \
+	--set resources.requests.cpu=50m \
+	--set resources.requests.memory=100Mi \
+	--set resources.limits.cpu=500m \
+	--set resources.limits.memory=500Mi
 
 helm upgrade --install mongodb-kubernetes mongodb/mongodb-kubernetes \
 	--version "${MONGODB_OP_VERSION}" \
 	--namespace mongodb-operator --create-namespace \
-	--set operator.watchNamespace=juwan
+	--set operator.watchNamespace=juwan \
+	--set operator.resources.requests.cpu=50m \
+	--set operator.resources.requests.memory=100Mi \
+	--set operator.resources.limits.cpu=500m \
+	--set operator.resources.limits.memory=300Mi
 
 kubectl -n cnpg-system rollout status deploy/cnpg-controller-manager --timeout=300s
 kubectl -n kafka rollout status deploy/strimzi-cluster-operator --timeout=300s

deploy/k01/secrets.sh

@@ -69,7 +69,11 @@ kubectl -n juwan create secret tls chat-wt-tls \
 	--key="${DEV_CERTS}/tls.key" \
 	--dry-run=client -o yaml | kubectl apply -f -
 
-DOMAINS=(user player game shop order wallet community review dispute notification search chat)
+DOMAINS=()
+while IFS= read -r name; do
+	DOMAINS+=("${name%-redis}")
+done < <(grep -E '^  name: [a-z-]+-redis$' "$K01_DIR/infra/redis.yaml" | awk '{print $2}')
+
 for d in "${DOMAINS[@]}"; do
 	pwd_val="$(openssl rand -hex 16)"
 	write_secret "redis-${d}-password" "$pwd_val"

deploy/k01/services/authz-adapter.yaml

@@ -30,8 +30,10 @@ spec:
             value: "user-rpc-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/services/chat.yaml

@@ -65,8 +65,10 @@ spec:
           readOnly: true
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
       volumes:
         - name: certs
           secret:

deploy/k01/services/community.yaml

@@ -60,8 +60,10 @@ spec:
             value: "snowflake-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1
@@ -115,8 +117,10 @@ spec:
             value: "user-rpc-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/services/dispute.yaml

@@ -60,8 +60,10 @@ spec:
             value: "snowflake-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1
@@ -117,8 +119,10 @@ spec:
             value: "player-rpc-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/services/email.yaml

@@ -39,8 +39,10 @@ spec:
             value: "juwan-kafka-kafka-bootstrap.kafka:9092"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1
@@ -125,8 +127,10 @@ spec:
                 key: reply-to
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/services/frontend.yaml

@@ -25,8 +25,10 @@ spec:
           containerPort: 3000
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/services/game.yaml

@@ -60,8 +60,10 @@ spec:
             value: "snowflake-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1
@@ -113,8 +115,10 @@ spec:
             value: "game-rpc-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/services/notification.yaml

@@ -60,8 +60,10 @@ spec:
             value: "snowflake-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1
@@ -113,8 +115,10 @@ spec:
             value: "notification-rpc-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/services/objectstory.yaml

@@ -53,8 +53,10 @@ spec:
                 key: region
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1
@@ -106,8 +108,10 @@ spec:
             value: "objectstory-rpc-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/services/order.yaml

@@ -60,8 +60,10 @@ spec:
             value: "snowflake-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1
@@ -117,8 +119,10 @@ spec:
             value: "shop-rpc-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/services/player.yaml

@@ -60,8 +60,10 @@ spec:
             value: "snowflake-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1
@@ -115,8 +117,10 @@ spec:
             value: "user-rpc-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/services/review.yaml

@@ -60,8 +60,10 @@ spec:
             value: "snowflake-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1
@@ -117,8 +119,10 @@ spec:
             value: "review-rpc-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/services/search.yaml

@@ -60,8 +60,10 @@ spec:
             value: "snowflake-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1
@@ -113,8 +115,10 @@ spec:
             value: "search-rpc-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/services/shop.yaml

@@ -62,8 +62,10 @@ spec:
             value: "user-rpc-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1
@@ -117,8 +119,10 @@ spec:
             value: "shop-rpc-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/services/snowflake.yaml

@@ -38,8 +38,10 @@ spec:
           containerPort: 8080
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/services/user-verifications.yaml

@@ -62,8 +62,10 @@ spec:
             value: "user-rpc-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/services/user.yaml

@@ -80,8 +80,10 @@ spec:
                 key: secret-key
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1
@@ -135,8 +137,10 @@ spec:
             value: "user-verifications-rpc-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/services/wallet.yaml

@@ -60,8 +60,10 @@ spec:
             value: "snowflake-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1
@@ -113,8 +115,10 @@ spec:
             value: "wallet-rpc-svc.juwan:8080"
         resources:
           requests:
-            cpu: 20m
+            cpu: 10m
             memory: 32Mi
+          limits:
+            memory: 512Mi
 
 ---
 apiVersion: v1

deploy/k01/teardown.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+K01_DIR="$(cd "$(dirname "$0")" && pwd)"
+export KUBECONFIG="${KUBECONFIG:-/etc/rancher/k3s/k3s.yaml}"
+
+echo services
+for f in "${K01_DIR}/services/"*.yaml; do
+	kubectl delete -f "$f" --ignore-not-found --wait=false
+done
+
+echo data crs
+kubectl -n juwan delete cluster.postgresql.cnpg.io --all --wait=false 2>/dev/null || true
+kubectl -n juwan delete redisreplication --all --wait=false 2>/dev/null || true
+kubectl -n juwan delete redissentinel --all --wait=false 2>/dev/null || true
+kubectl -n juwan delete mongodbcommunity --all --wait=false 2>/dev/null || true
+kubectl -n kafka delete kafkatopic --all --wait=false 2>/dev/null || true
+kubectl -n kafka delete kafka --all --wait=false 2>/dev/null || true
+kubectl -n kafka delete kafkanodepool --all --wait=false 2>/dev/null || true
+
+echo network
+kubectl delete -f "${K01_DIR}/infra/envoy.yaml" --ignore-not-found --wait=false
+kubectl delete -f "${K01_DIR}/infra/ratelimit.yaml" --ignore-not-found --wait=false
+
+sleep 30
+
+echo cleanup orphaned
+kubectl -n juwan delete pod --all --force --grace-period=0 2>/dev/null || true
+kubectl -n juwan delete pvc --all --wait=false 2>/dev/null || true
+kubectl -n kafka delete pod -l strimzi.io/cluster=juwan-kafka --force --grace-period=0 2>/dev/null || true
+kubectl -n kafka delete pvc -l strimzi.io/cluster=juwan-kafka --wait=false 2>/dev/null || true
+
+kubectl get pods,pvc -n juwan
+kubectl get pods,pvc -n kafka
+kubectl describe node | grep -A 6 Allocated