docs: project docs, scripts, deployment configs, and evidence

2026-04-02 11:22:17 +08:00
parent 4718980ab5
commit bbeeb63dfa
396 changed files with 165018 additions and 0 deletions
--- a/docs/evidence/ops/2026-03-29/alerting/20260329-100125/ALERTMANAGER_LIVE_DELIVERY_DRILL.md
+++ b/docs/evidence/ops/2026-03-29/alerting/20260329-100125/ALERTMANAGER_LIVE_DELIVERY_DRILL.md
@@ -0,0 +1,29 @@
+# Alertmanager Live Delivery Drill
+
+- Generated at: 2026-03-29 10:01:25 +08:00
+- Template file: D:\project\deployment\\alertmanager\\alertmanager.yml
+- Env source: D:\project\deployment\alertmanager\alertmanager.env.example
+- Redacted rendered config: not-generated
+
+## Strict Preconditions
+
+- Required variables present: True
+- Placeholder/example-value findings: ALERTMANAGER_WARNING_TO still uses example domain; ALERTMANAGER_CRITICAL_TO still uses example domain; ALERTMANAGER_AUTH_USERNAME still uses example domain; ALERTMANAGER_SMARTHOST still uses example domain; ALERTMANAGER_DEFAULT_TO still uses example domain; ALERTMANAGER_AUTH_PASSWORD still uses placeholder secret; ALERTMANAGER_FROM still uses example domain
+- Render path succeeded: False
+
+## Delivery Attempt
+
+- SMTP host: unparsed
+- SMTP port: unparsed
+- TLS enabled: True
+- TCP connectivity succeeded: False
+- TCP connectivity error: not-run
+
+## Conclusion
+
+- Live external delivery closed: False
+- Failure reason: placeholder or example values detected
+- This drill fails closed on unresolved placeholders, example domains, and placeholder secrets.
+- The evidence intentionally stores only redacted config output and masked recipient information.
+- A successful run proves real secret injection plus SMTP server acceptance for the configured on-call routes; it does not by itself prove downstream human acknowledgment.
+
--- a/docs/evidence/ops/2026-03-29/alerting/20260329-100125/ALERTMANAGER_RENDER_DRILL.md
+++ b/docs/evidence/ops/2026-03-29/alerting/20260329-100125/ALERTMANAGER_RENDER_DRILL.md
@@ -0,0 +1,17 @@
+# Alertmanager Render Drill
+
+- Generated at: 2026-03-29 10:01:25 +08:00
+- Template file: D:\project\deployment\alertmanager\alertmanager.yml
+- Rendered file: D:\project\docs\evidence\ops\2026-03-29\alerting\20260329-100125\alertmanager.rendered.yaml
+- Synthetic secret values were injected through process environment variables for this drill only.
+- Result: template placeholders resolved successfully and the rendered config contains no unresolved `${ALERTMANAGER_*}` tokens.
+
+## Scope Note
+
+- This drill validates the config injection/rendering path only.
+- It does not prove real SMTP delivery, real contact routing, or production secret manager integration.
+
+## Evidence Files
+
+- alertmanager.rendered.yaml
+
--- a/docs/evidence/ops/2026-03-29/alerting/20260329-100125/alertmanager.rendered.yaml
+++ b/docs/evidence/ops/2026-03-29/alerting/20260329-100125/alertmanager.rendered.yaml
@@ -0,0 +1,85 @@
+global:
+  resolve_timeout: 5m
+
+# 注意：
+# 该文件为模板文件，生产环境必须先注入并渲染 `${ALERTMANAGER_*}` 变量，
+# 再将渲染结果交给 Alertmanager 使用。
+
+# 告警路由
+route:
+  group_by: ['alertname', 'service']
+  group_wait: 30s
+  group_interval: 5m
+  repeat_interval: 12h
+  receiver: 'default'
+
+  # 子路由，根据严重级别分发
+  routes:
+    # Critical 告警
+    - match:
+        severity: critical
+      receiver: 'critical-alerts'
+      group_wait: 10s
+      continue: true
+
+    # Warning 告警
+    - match:
+        severity: warning
+      receiver: 'warning-alerts'
+      continue: true
+
+# 告警接收者
+receivers:
+  # 默认接收者
+  - name: 'default'
+    email_configs:
+      - to: 'ops-team@example.org'
+        from: 'alertmanager@example.org'
+        smarthost: 'smtp.example.org:587'
+        auth_username: 'alertmanager@example.org'
+        auth_password: 'synthetic-secret-for-render-drill'
+        headers:
+          Subject: '[{{ .Status | toUpper }}] {{ .GroupLabels.alertname }}'
+
+  # Critical 告警接收者
+  - name: 'critical-alerts'
+    email_configs:
+      - to: 'critical-oncall@example.org'
+        from: 'alertmanager@example.org'
+        smarthost: 'smtp.example.org:587'
+        auth_username: 'alertmanager@example.org'
+        auth_password: 'synthetic-secret-for-render-drill'
+        headers:
+          Subject: '[CRITICAL] {{ .GroupLabels.alertname }}'
+
+  # Warning 告警接收者
+  - name: 'warning-alerts'
+    email_configs:
+      - to: 'warning-oncall@example.org'
+        from: 'alertmanager@example.org'
+        smarthost: 'smtp.example.org:587'
+        auth_username: 'alertmanager@example.org'
+        auth_password: 'synthetic-secret-for-render-drill'
+        headers:
+          Subject: '[WARNING] {{ .GroupLabels.alertname }}'
+
+# 告警抑制规则
+inhibit_rules:
+  # 如果有 critical 告警，抑制同一服务的 warning 告警
+  - source_match:
+      severity: 'critical'
+    target_match:
+      severity: 'warning'
+    equal: ['service']
+
+# 告警静默规则（按需配置）
+# silences:
+#   - matchers:
+#       - name: alertname
+#         value: LowOnlineUsers
+#       - name: severity
+#         value: info
+#     startsAt: "2026-03-12T00:00:00+08:00"
+#     endsAt: "2026-03-12T23:59:59+08:00"
+#     comment: "维护期间静默低在线用户告警"
+