feat(apps/prod): add tiup-publisher

[wuhuizuo]

This pull request adds a new service, tiup-publisher, to the production environment. The changes include updates to the kustomization files and the addition of HelmRelease configurations for both production and staging mirrors.

Additions to tiup-publisher service:

• apps/prod/kustomization.yaml: Added tiup-publisher to the list of resources.
• apps/prod/tiup-publisher/kustomization.yaml: Created a new kustomization file for tiup-publisher with references to release-prod-mirror.yaml and release-staging-mirror.yaml.

HelmRelease configurations:

• apps/prod/tiup-publisher/release-prod-mirror.yaml: Added HelmRelease configuration for the production mirror of tiup-publisher, including image tag, volumes, and node selector.
• apps/prod/tiup-publisher/release-staging-mirror.yaml: Added HelmRelease configuration for the staging mirror of tiup-publisher, including image tag, volumes, and node selector.

Signed-off-by: wuhuizuo [email protected]

[ti-chi-bot]

I have already done a preliminary review for you, and I hope to help you do a better job.

Based on the pull request, the main changes are:

• A new resource called tiup-publisher has been added to the prod application.
• tiup-publisher is a HelmRelease object that has two sub-resources: release-prod-mirror.yaml and release-staging-mirror.yaml.

It seems that the pull request is adding a new feature to the application, which is a good thing. However, there are some potential issues to consider:

• It is not clear from the pull request description what is the purpose of tiup-publisher and how it is related to the other resources in the application. A more detailed description would be helpful.
• The version of tiup-publisher is hardcoded in the HelmRelease objects. This could cause problems if the version becomes outdated or incompatible with other components in the application. It would be better to use a variable or a parameter to specify the version.
• The tiup-credentials secret is mounted as a volume in the tiup-publisher HelmRelease objects. This could pose a security risk, as the secret is not encrypted in transit. It would be better to use a more secure way of passing credentials, such as Kubernetes secrets or environment variables.

To fix these issues, I would suggest the following:

• Add a more detailed description of tiup-publisher and its purpose in the pull request description.
• Use a variable or a parameter to specify the version of tiup-publisher in the HelmRelease objects.
• Use Kubernetes secrets or environment variables to pass credentials to tiup-publisher, instead of mounting the tiup-credentials secret as a volume.

[wuhuizuo]

/approve

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wuhuizuo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• apps/prod/OWNERS [wuhuizuo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment