awoooi/docs/infrastructure/DEPLOYMENT_TOPOLOGY.md
Commit 496c569d51 docs: red-zone governance + deployment doc updates
- RED_ZONES.md: Tier 3/2 red-zone list
- setup-hooks.sh: Git hook installation script
- infrastructure docs: deployment topology update

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-26 09:55:58 +08:00

# AWOOOI Deployment Topology and Service Placement Definition
> **Version**: v1.0
> **Created**: 2026-03-20
> **Owner**: CIO
> **Enforcement level**: mandatory (absolute compliance)
---
## Overview
**Every service must explicitly define where it is deployed**
- **Host (installed directly on the host)**: services installed directly on the host operating system
- **Docker**: containers run with Docker / Docker Compose
- **K3s**: Pods deployed in the K3s cluster
---
## Four-Host Deployment Overview
```
┌─────────────────────────────────────────────────────────┐
│ AWOOOI deployment topology                              │
└─────────────────────────────────────────────────────────┘
┌──────────────────────────┐   ┌──────────────────────────┐
│ 192.168.0.110            │   │ 192.168.0.112            │
│ DevOps vault             │   │ Kali Security            │
├──────────────────────────┤   ├──────────────────────────┤
│ [Docker]                 │   │ [Docker]                 │
│  ├─ Harbor :5000         │   │  └─ Scanner API :8080    │
│  └─ GH Runner            │   │                          │
└──────────────────────────┘   └──────────────────────────┘
              │                              │
              └──────────────┬───────────────┘
                             │
┌─────────────────────────────────────────────────────────┐
│ 192.168.0.188                                           │
│ AI + Web hub (Gateway)                                  │
├─────────────────────────────────────────────────────────┤
│ [Host-installed]                                        │
│  ├─ Nginx (SSL Gateway) :443                            │
│  └─ PostgreSQL :5432                                    │
│                                                         │
│ [Docker]                                                │
│  ├─ Ollama :11434                                       │
│  ├─ OpenClaw :8089                                      │
│  ├─ OpenClaw Legacy :8088 (frozen)                      │
│  ├─ Redis Stack :6380                                   │
│  └─ SigNoz :3301                                        │
└─────────────────────────────────────────────────────────┘
                             │ Nginx proxy
┌─────────────────────────────────────────────────────────┐
│ K3s cluster (192.168.0.120 + 121)                       │
├─────────────────────────────────────────────────────────┤
│ [K3s - awoooi-prod namespace]                           │
│  ├─ awoooi-web (Frontend) → NodePort :32335             │
│  ├─ awoooi-api (Backend)  → NodePort :32334             │
│  └─ (future services)                                   │
│                                                         │
│ [K3s - wooo-aiops namespace] (frozen)                   │
│  ├─ Legacy Frontend → NodePort :31235                   │
│  └─ Legacy API      → NodePort :31234                   │
└─────────────────────────────────────────────────────────┘
```
---
## Service Placement Definitions
### 192.168.0.110 (DevOps Vault)
| Service | Deployment | Port | Notes |
|---------|------------|------|-------|
| **Harbor** | Docker | 5000 | Image registry; project: `awoooi/` |
| **GitHub Runner** | Docker | - | CI/CD runner; label: `awoooi-runner` |
```yaml
# docker-compose.yaml (110)
services:
  harbor:
    image: goharbor/harbor:v2.x
    ports:
      - "5000:5000"
    volumes:
      - /data/harbor:/data
  gh-runner:
    image: myoung34/github-runner:latest
    labels:
      - "awoooi-runner"
```
---
### 192.168.0.112 (Kali Security)
| Service | Deployment | Port | Notes |
|---------|------------|------|-------|
| **Scanner API** | Docker | 8080 | Security scanning API; required header: `X-Source: awoooi` |
```yaml
# docker-compose.yaml (112)
services:
  scanner-api:
    image: kali-scanner:latest
    ports:
      - "8080:8080"
    environment:
      - ALLOWED_SOURCES=awoooi,wooo-aiops
```
---
### 192.168.0.188 (AI + Web Hub)
| Service | Deployment | Port | Notes |
|---------|------------|------|-------|
| **Nginx** | **Host-installed** | 443 | SSL gateway; route splitting |
| **PostgreSQL** | **Host-installed** | 5432 | Primary database |
| **Ollama** | Docker | 11434 | Local LLM inference |
| **OpenClaw** | Docker | 8089 | AI brain (sole decision centre) |
| **OpenClaw Legacy** | Docker | 8088 | Frozen version |
| **Redis Stack** | Docker | 6380 | Cache + vector search |
| **SigNoz** | Docker | 3301 | APM / observability platform |
#### Nginx (host-installed)
```bash
# Installation
sudo apt install nginx
sudo systemctl enable nginx
# Config file location
/etc/nginx/conf.d/awoooi-prod.conf
```
#### PostgreSQL (host-installed)
```bash
# Installation
sudo apt install postgresql-15
sudo systemctl enable postgresql
# Databases
awoooi_prod   # AWOOOI only
wooo_aiops    # Legacy (frozen)
```
#### Docker services
```yaml
# docker-compose.yaml (188)
services:
  ollama:
    image: ollama/ollama:latest
    ports:
      - "11434:11434"
    volumes:
      - /data/ollama:/root/.ollama
    deploy:
      resources:
        reservations:
          devices:
            - capabilities: [gpu]
  openclaw:
    image: 192.168.0.110:5000/awoooi/openclaw:latest
    ports:
      - "8089:8089"
    environment:
      # Reach the sibling containers through the host's published ports:
      # inside a bridge-networked container "localhost" is the container itself.
      - OLLAMA_URL=http://192.168.0.188:11434
      - REDIS_URL=redis://192.168.0.188:6380/10
  openclaw-legacy:
    image: 192.168.0.110:5000/wooo-aiops/openclaw:frozen
    ports:
      - "8088:8088"
    # Frozen version, no longer updated
  redis-stack:
    image: redis/redis-stack:latest
    ports:
      - "6380:6379"
    volumes:
      - /data/redis:/data
  signoz:
    image: signoz/signoz:latest
    ports:
      - "3301:3301"
```
---
### 192.168.0.120 / 121 (K3s Cluster)
| Node | Role | Notes |
|------|------|-------|
| 192.168.0.120 | Master | K3s control plane + worker |
| 192.168.0.121 | Worker | HA standby node |
#### K3s Namespace Definitions
| Namespace | Purpose | Status |
|-----------|---------|--------|
| `awoooi-prod` | AWOOOI production | **Active** |
| `wooo-aiops` | Legacy system | **Frozen** |
#### AWOOOI Services (K3s)
| Service | Deployment | Service | NodePort |
|---------|------------|---------|----------|
| **Frontend** | awoooi-web | awoooi-web-svc | 32335 |
| **Backend** | awoooi-api | awoooi-api-svc | 32334 |
```yaml
# k8s/awoooi-prod/03-deployment.yaml
# ${IMAGE_TAG} is a template placeholder: substitute it (e.g. with envsubst)
# before kubectl apply, because kubectl does not expand shell variables.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: awoooi-web
  namespace: awoooi-prod
spec:
  replicas: 2
  selector:
    matchLabels:
      app: awoooi-web
  template:
    metadata:
      labels:
        app: awoooi-web
    spec:
      containers:
        - name: web
          image: 192.168.0.110:5000/awoooi/web:${IMAGE_TAG}
          ports:
            - containerPort: 3000
          resources:
            requests:
              cpu: "100m"
              memory: "256Mi"
            limits:
              cpu: "500m"
              memory: "512Mi"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: awoooi-api
  namespace: awoooi-prod
spec:
  replicas: 2
  selector:
    matchLabels:
      app: awoooi-api
  template:
    metadata:
      labels:
        app: awoooi-api
    spec:
      containers:
        - name: api
          image: 192.168.0.110:5000/awoooi/api:${IMAGE_TAG}
          ports:
            - containerPort: 8000
          env:
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: awoooi-secrets
                  key: DATABASE_URL
            - name: REDIS_URL
              value: "redis://192.168.0.188:6380/10"
            - name: OLLAMA_URL
              value: "http://192.168.0.188:11434"
            - name: OPENCLAW_URL
              # OpenClaw (8089), not the frozen legacy instance on 8088;
              # the prod-isolation-policy egress rules only allow 8089.
              value: "http://192.168.0.188:8089"
          resources:
            requests:
              cpu: "200m"
              memory: "512Mi"
            limits:
              cpu: "1"
              memory: "1Gi"
```
---
## Environment Matrix (final)
| Environment | Purpose | Domain | Location |
|-------------|---------|--------|----------|
| **Dev** | Local development | `localhost:3000` | Developer workstation |
| **Prod** | Production | `awoooi.wooo.work` | K3s (awoooi-prod) |
> ⚠️ **No UAT environment**: once acceptance testing is completed in Dev, deploy directly to Prod
---
## Network Traffic Flow
```
Users (Internet)
        │
        ▼
┌─────────────────────────────────────────────────────┐
│ Cloudflare (CDN + WAF)                              │
└─────────────────────────────────────────────────────┘
        │
        ▼ HTTPS :443
┌─────────────────────────────────────────────────────┐
│ 192.168.0.188 - Nginx (host-installed)              │
│ server_name: awoooi.wooo.work                       │
└─────────────────────────────────────────────────────┘
        │
        ├──────────────────────────────────┐
        │                                  │
        ▼ /api/* → :32334                  ▼ /* → :32335
┌──────────────────────┐       ┌──────────────────────┐
│ awoooi-api (K3s)     │       │ awoooi-web (K3s)     │
│ 120:32334, 121:32334 │       │ 120:32335, 121:32335 │
└──────────────────────┘       └──────────────────────┘
        │
        ├──────────────────┬───────────────────┐
        │                  │                   │
        ▼                  ▼                   ▼
┌──────────────┐   ┌──────────────┐   ┌──────────────┐
│ PostgreSQL   │   │ Redis        │   │ Ollama       │
│ 188:5432     │   │ 188:6380     │   │ 188:11434    │
│ (Host)       │   │ (Docker)     │   │ (Docker)     │
└──────────────┘   └──────────────┘   └──────────────┘
        │
        ▼
┌──────────────┐
│ OpenClaw     │
│ 188:8089     │
│ (Docker)     │
└──────────────┘
```
---
## Placement Decision Principles
| Service type | Recommended deployment | Reason |
|--------------|------------------------|--------|
| **Gateway (Nginx)** | Host-installed | SSL termination; performance-critical |
| **Database (PostgreSQL)** | Host-installed | Data persistence; backup strategy |
| **AI services (Ollama)** | Docker | GPU resource management; version switching |
| **Application services (Web/API)** | K3s | Horizontal scaling; rolling updates |
| **Cache (Redis)** | Docker | Simple to manage; data may be lost |
| **Monitoring (SigNoz)** | Docker | Runs independently; does not affect business workloads |
---
## K8s Resource Configuration
### Namespace Resource Quota
```yaml
# k8s/awoooi-prod/01-namespace-quota.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: awoooi-prod
  labels:
    environment: prod
    system: awoooi
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: awoooi-prod-quota
  namespace: awoooi-prod
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "20"
```
### Zero-Trust Network Policy
```yaml
# k8s/awoooi-prod/02-network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: prod-isolation-policy
  namespace: awoooi-prod
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only allow traffic from the Nginx gateway (188).
    # Note: with the default externalTrafficPolicy (Cluster), NodePort traffic
    # is SNATed to the node address, so the pod sees 192.168.0.120/121 rather
    # than 192.168.0.188 and this rule blocks the gateway. Set
    # externalTrafficPolicy: Local on the NodePort Services to preserve the
    # client address, or allow the node addresses here as well.
    - from:
        - ipBlock:
            cidr: 192.168.0.188/32
      ports:
        - protocol: TCP
          port: 3000
        - protocol: TCP
          port: 8000
  egress:
    # Allow access to the services on host 188
    - to:
        - ipBlock:
            cidr: 192.168.0.188/32
      ports:
        - protocol: TCP
          port: 5432   # PostgreSQL
        - protocol: TCP
          port: 6380   # Redis
        - protocol: TCP
          port: 11434  # Ollama
        - protocol: TCP
          port: 8089   # OpenClaw
    # Allow access to the security scanner on 112
    - to:
        - ipBlock:
            cidr: 192.168.0.112/32
      ports:
        - protocol: TCP
          port: 8080
    # Allow DNS
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
```
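The awoooi-api Deployment hard-codes the 192.168.0.188 service URLs while the NetworkPolicy above lists the exact ports its pods may reach; if the two drift apart, a dependency fails silently at runtime. As an added example (not part of this document or the project), the script below audits constructed env lines against the service table and the egress allow-list from this page; one constructed line deliberately points at the frozen legacy port 8088, which the policy does not permit.

```python
from urllib.parse import urlsplit

# Constructed from the tables in this document (not parsed from the YAML files):
# which service listens on each (host, port) that the cluster may talk to.
SERVICES = {
    ("192.168.0.188", 5432): "PostgreSQL",
    ("192.168.0.188", 6380): "Redis Stack",
    ("192.168.0.188", 11434): "Ollama",
    ("192.168.0.188", 8089): "OpenClaw",
    ("192.168.0.188", 8088): "OpenClaw Legacy (frozen)",
    ("192.168.0.112", 8080): "Scanner API",
}

# Egress rules of prod-isolation-policy, as (cidr host, port) pairs.
EGRESS_ALLOW = {
    ("192.168.0.188", 5432), ("192.168.0.188", 6380),
    ("192.168.0.188", 11434), ("192.168.0.188", 8089),
    ("192.168.0.112", 8080),
}

# Constructed env block in NAME=URL form; OPENCLAW_URL points at the legacy port.
API_ENV = """
REDIS_URL=redis://192.168.0.188:6380/10
OLLAMA_URL=http://192.168.0.188:11434
OPENCLAW_URL=http://192.168.0.188:8088
"""

def parse_targets(env_text):
    """Return {ENV_NAME: (host, port)} for every env entry whose value is a URL."""
    targets = {}
    for line in env_text.strip().splitlines():
        name, _, url = line.partition("=")
        parts = urlsplit(url.strip())
        if parts.hostname and parts.port:
            targets[name.strip()] = (parts.hostname, parts.port)
    return targets

def audit(env_text, allow=EGRESS_ALLOW, services=SERVICES):
    """Return a list of drift findings; an empty list means env and policy agree."""
    findings = []
    for name, (host, port) in parse_targets(env_text).items():
        if (host, port) not in services:
            findings.append(f"{name}: no service is defined on {host}:{port}")
        elif (host, port) not in allow:
            findings.append(f"{name}: {services[(host, port)]} on {host}:{port} "
                            "is not in the NetworkPolicy egress allow-list")
    for host, port in allow - set(services):   # stale rules are findings too
        findings.append(f"egress allows {host}:{port} but no service is defined there")
    return findings

if __name__ == "__main__":
    for finding in audit(API_ENV):
        print("DRIFT:", finding)
```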
---
## Nginx Production Routing
```nginx
# /etc/nginx/conf.d/awoooi-prod.conf
upstream awoooi_prod_api {
    server 192.168.0.120:32334;
    server 192.168.0.121:32334;
    keepalive 32;
}

upstream awoooi_prod_web {
    server 192.168.0.120:32335;
    server 192.168.0.121:32335;
    keepalive 16;
}

server {
    listen 443 ssl http2;
    server_name awoooi.wooo.work;
    ssl_certificate     /etc/nginx/ssl/awoooi.crt;
    ssl_certificate_key /etc/nginx/ssl/awoooi.key;

    # Shared headers. proxy_set_header is inherited by a location only when
    # that location defines no proxy_set_header of its own, so the locations
    # below that set Connection must repeat these or the upstream loses
    # Host / X-Forwarded-* entirely.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # System identifier
    proxy_set_header X-System "awoooi-prod";

    # SSE streaming tuning (critical!)
    location ~ ^/api/v1/(agent|dashboard)/stream {
        proxy_pass http://awoooi_prod_api;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        chunked_transfer_encoding on;
        proxy_set_header Connection '';
        proxy_set_header X-Accel-Buffering no;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-System "awoooi-prod";
    }

    # General API
    location /api/ {
        proxy_pass http://awoooi_prod_api;
        proxy_http_version 1.1;
        proxy_set_header Connection "keep-alive";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-System "awoooi-prod";
    }

    # Frontend (sets no proxy_set_header, so it inherits the server-level ones)
    location / {
        proxy_pass http://awoooi_prod_web;
        proxy_http_version 1.1;
    }
}
```
---
## Service Startup Order
```
1. 192.168.0.188 (host services)
   ├─ systemctl start nginx
   └─ systemctl start postgresql
2. 192.168.0.188 (Docker services)
   ├─ docker-compose up -d redis-stack
   ├─ docker-compose up -d ollama
   ├─ docker-compose up -d openclaw      # service name as defined in docker-compose.yaml (188)
   └─ docker-compose up -d signoz
3. 192.168.0.110 (DevOps)
   ├─ docker-compose up -d harbor
   └─ docker-compose up -d gh-runner
4. 192.168.0.112 (Security)
   └─ docker-compose up -d scanner-api
5. 192.168.0.120/121 (K3s)
   └─ kubectl apply -f k8s/awoooi-prod/
```
---
## Verification Checklist
```bash
# 1. Verify host services
systemctl status nginx
systemctl status postgresql
psql -U postgres -c "SELECT 1"
# 2. Verify Docker services (188)
docker ps | grep -E "(ollama|openclaw|redis|signoz)"
curl http://localhost:11434/api/tags
curl http://localhost:8089/health   # OpenClaw; 8088 is the frozen legacy instance
redis-cli -p 6380 PING
# 3. Verify K3s services
kubectl get pods -n awoooi-prod
kubectl get svc -n awoooi-prod
curl http://192.168.0.120:32334/health
curl http://192.168.0.120:32335
# 4. Verify Nginx routing
# -k skips certificate verification; drop it once a trusted certificate is installed
curl -k https://awoooi.wooo.work/api/health
curl -k https://awoooi.wooo.work/
```
---
## Change Log
| Date | Version | Change | Author |
|------|---------|--------|--------|
| 2026-03-20 | v1.0 | Initial version; deployment locations defined explicitly | CIO |
---
*This document is maintained by the CIO; all service deployments must follow this topology definition.*