docker-to-sealos
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseDocker to Sealos Template Converter
Docker转Sealos模板转换器
Overview
概述
Convert Docker Compose files or installation docs into production-grade Sealos templates.
Execute end-to-end automatically (analysis, conversion, validation, output) without asking users for missing fields.
将Docker Compose文件或安装文档转换为生产级Sealos模板。
端到端自动执行(分析、转换、校验、输出),无需向用户询问缺失的字段。
Governance and Rule Priority
治理与规则优先级
Use the following precedence to prevent rule drift:
- MUST rules (this file)
SKILL.md - and
references/sealos-specs.mdreferences/database-templates.md - and
references/conversion-mappings.mdreferences/example-guide.md
If lower-priority references conflict with higher-priority MUST rules, update the lower-priority files.
Do not keep conflicting examples.
遵循以下优先级避免规则偏移:
- 中的必须规则(即本文档)
SKILL.md - 和
references/sealos-specs.mdreferences/database-templates.md - 和
references/conversion-mappings.mdreferences/example-guide.md
如果低优先级引用文件与高优先级必须规则冲突,请更新低优先级文件。不要保留存在冲突的示例。
Workflow
工作流程
Step 1: Analyze input
步骤1:分析输入
Extract from Docker Compose/docs:
- application services vs database services
- volumes/config mounts/object storage requirements
- ports, dependencies, service communication
- env vars and secret usage
- resource limits/requests and health checks
- if official Kubernetes installation docs/manifests are available, also extract app-runtime behavior from them (bootstrap admin fields, external endpoint/protocol assumptions, health probes, startup/init flow)
从Docker Compose/文档中提取以下内容:
- 应用服务与数据库服务
- 存储卷/配置挂载/对象存储需求
- 端口、依赖关系、服务通信规则
- 环境变量与密钥使用情况
- 资源限制/请求与健康检查配置
- 如果存在官方Kubernetes安装文档/清单,还需要从中提取应用运行时行为(启动管理员字段、外部端点/协议假设、健康探针、启动/初始化流程)
Step 2: Infer metadata
步骤2:推断元数据
Infer and normalize:
- app name, title, description, categories
- official URL, gitRepo, icon source
- locale/i18n metadata
推断并标准化以下内容:
- 应用名称、标题、描述、分类
- 官方URL、git仓库地址、图标来源
- 本地化/国际化元数据
Step 3: Plan resources in strict order
步骤3:严格按顺序规划资源
Generate resources in this order:
- Template CR
- ObjectStorageBucket (if needed)
- Database resources (ServiceAccount → Role → RoleBinding → Cluster → Job if needed)
- App workload resources (ConfigMap → Deployment/StatefulSet → Service → Ingress)
- App resource (last)
按以下顺序生成资源:
- 模板CR
- ObjectStorageBucket(如有需要)
- 数据库资源(ServiceAccount → Role → RoleBinding → Cluster → 按需生成Job)
- 应用工作负载资源(ConfigMap → Deployment/StatefulSet → Service → Ingress)
- App资源(最后生成)
Step 4: Apply conversion rules
步骤4:应用转换规则
Apply field-level mappings from , including:
references/conversion-mappings.md- image pinning and annotation mapping
- port/service/ingress conversion
- env var conversion and dependency ordering
- storage conversion and vn naming ()
scripts/path_converter.py - service-name to Kubernetes FQDN conversion
- for DB URL/DSN envs (for example ,
*_DATABASE_URL), when Kubeblocks*_DB_URLis host:port, injectendpoint/host/port/usernamevia approvedpasswordenvs and compose the final URL withsecretKeyRefexpansion$(VAR) - edge gateway normalization: when Compose includes Traefik-like edge proxy plus business services, skip the proxy workload and expose business services via Sealos Ingress directly
- TLS offload normalization for Sealos Ingress: when a business service exposes both 80 and 443, drop 443 from workload/service ports and remove in-container TLS certificate mounts (for example ,
/etc/nginx/ssl,/etc/ssl) unless official Kubernetes docs explicitly require HTTPS backend-to-service traffic/certs - prefer as deterministic conversion entrypoint (require
scripts/compose_to_template.py --kompose-mode alwaysfor reproducible workload shaping)kompose - when official Kubernetes installation docs/manifests exist, perform a dual-source merge: use Compose as baseline topology, then align app-runtime semantics with official Kubernetes guidance
应用中的字段级映射规则,包括:
references/conversion-mappings.md- 镜像版本固定与注解映射
- 端口/Service/Ingress转换
- 环境变量转换与依赖排序
- 存储转换与vn命名()
scripts/path_converter.py - 服务名到Kubernetes FQDN的转换
- 针对DB URL/DSN类环境变量(例如、
*_DATABASE_URL),当Kubeblocks的*_DB_URL为host:port格式时,通过已批准的endpoint环境变量注入secretKeyRef/host/port/username,并使用password变量扩展拼接最终URL$(VAR) - 边缘网关标准化:当Compose中包含类似Traefik的边缘代理和业务服务时,跳过代理工作负载,直接通过Sealos Ingress暴露业务服务
- Sealos Ingress的TLS卸载标准化:当业务服务同时暴露80和443端口时,从工作负载/Service端口中移除443端口,并删除容器内的TLS证书挂载(例如、
/etc/nginx/ssl、/etc/ssl),除非官方Kubernetes文档明确要求后端到服务的流量使用HTTPS/certs - 优先使用作为确定性转换入口(需要
scripts/compose_to_template.py --kompose-mode always保证工作负载生成可复现)kompose - 当存在官方Kubernetes安装文档/清单时,执行双源合并:以Compose作为基线拓扑,然后将应用运行时语义与官方Kubernetes指导对齐
Step 5: Apply database strategy
步骤5:应用数据库策略
- PostgreSQL must follow the pinned version and structure requirements.
- MySQL/MongoDB/Redis/Kafka must use templates and secret naming from .
references/database-templates.md - Add DB init Job/initContainer when application database bootstrap requires it.
- For PostgreSQL custom databases (non-), the init Job must wait for PostgreSQL readiness before execution and create the target database idempotently.
postgres
- PostgreSQL必须遵循指定的版本和结构要求。
- MySQL/MongoDB/Redis/Kafka必须使用中的模板和密钥命名规则。
references/database-templates.md - 当应用数据库引导需要时,添加DB初始化Job/initContainer。
- 针对PostgreSQL自定义数据库(非默认库),初始化Job必须等待PostgreSQL就绪后再执行,并以幂等方式创建目标数据库。
postgres
Step 6: Generate output files
步骤6:生成输出文件
Always produce:
template/<app-name>/index.yaml- when official icon is resolvable
template/<app-name>/logo.<ext>
始终输出以下内容:
template/<app-name>/index.yaml- 当可获取官方图标时输出
template/<app-name>/logo.<ext>
Step 7: Validate before output
步骤7:输出前校验
Run validator and self-tests before delivering template output.
If validation fails, fix template/rules/examples first.
在交付模板输出前运行校验器和自检。如果校验失败,请先修复模板/规则/示例。
MUST Rules (Condensed)
必须规则(精简版)
Naming and metadata
命名与元数据
- Template must be hardcoded lowercase; do not use
metadata.name.${{ defaults.app_name }} - Template CR folder name must match .
metadata.name - Template CR must include required metadata fields (,
title,url,gitRepo,author,description,icon,templateType,locale,i18n).categories - Template must be
spec.readme.https://raw.githubusercontent.com/labring-actions/templates/kb-0.9/template/<app-name>/README.md - Template must be
spec.i18n.zh.readme.https://raw.githubusercontent.com/labring-actions/templates/kb-0.9/template/<app-name>/README_zh.md - URL must point to template repo raw path for this app on
iconbranch.kb-0.9 - must be written in Simplified Chinese.
i18n.zh.description - Omit when it is identical to
i18n.zh.title.title - must only use predefined values (
categories,tool,ai,game,database,low-code,monitor,dev-ops,blog,storage,frontend).backend
- 模板必须硬编码为小写;不要使用
metadata.name。${{ defaults.app_name }} - 模板CR文件夹名称必须与一致。
metadata.name - 模板CR必须包含必填元数据字段(、
title、url、gitRepo、author、description、icon、templateType、locale、i18n)。categories - 模板必须为
spec.readme。https://raw.githubusercontent.com/labring-actions/templates/kb-0.9/template/<app-name>/README.md - 模板必须为
spec.i18n.zh.readme。https://raw.githubusercontent.com/labring-actions/templates/kb-0.9/template/<app-name>/README_zh.md - URL必须指向该应用在模板仓库
icon分支下的原始文件路径。kb-0.9 - 必须使用简体中文编写。
i18n.zh.description - 当与
i18n.zh.title相同时可省略。title - 只能使用预定义值(
categories、tool、ai、game、database、low-code、monitor、dev-ops、blog、storage、frontend)。backend
App resource
App资源
- App resource must use .
spec.data.url - App resource must be
spec.displayType.normal - App resource must be
spec.type.link - Never use in App resource.
spec.template - label value must equal resource
cloud.sealos.io/app-deploy-manager.metadata.name - label value must equal resource
metadata.labels.appfor managed app workloads.metadata.name - must equal workload
containers[*].namefor managed app workloads.metadata.name - Application resources must define
Serviceandmetadata.labels.app, and both labels must matchmetadata.labels.cloud.sealos.io/app-deploy-manager.spec.selector.app - Component-scoped resources must define
ConfigMapandmetadata.labels.app, and both labels must matchmetadata.labels.cloud.sealos.io/app-deploy-manager.metadata.name - Application resources must use the same component name across
Service,metadata.name,metadata.labels.app, andmetadata.labels.cloud.sealos.io/app-deploy-manager.spec.selector.app - Application resources must use the same component name across
Ingress,metadata.name, and backendmetadata.labels.cloud.sealos.io/app-deploy-manager.service.name - Service must be explicitly set (required for multi-port services).
spec.ports[*].name - HTTP Ingress must include required nginx annotations (,
kubernetes.io/ingress.class,nginx.ingress.kubernetes.io/proxy-body-size,nginx.ingress.kubernetes.io/server-snippet,nginx.ingress.kubernetes.io/ssl-redirect,nginx.ingress.kubernetes.io/backend-protocol,nginx.ingress.kubernetes.io/client-body-buffer-size,nginx.ingress.kubernetes.io/proxy-buffer-size,nginx.ingress.kubernetes.io/proxy-send-timeout,nginx.ingress.kubernetes.io/proxy-read-timeout) with expected defaults.nginx.ingress.kubernetes.io/configuration-snippet - When official application health checks are available, managed workloads must define ,
livenessProbe, and (for slow bootstrap apps)readinessProbe, aligned with official endpoints/commands.startupProbe
- App资源必须使用。
spec.data.url - App资源必须为
spec.displayType。normal - App资源必须为
spec.type。link - 不要在App资源中使用。
spec.template - 标签值必须等于资源
cloud.sealos.io/app-deploy-manager。metadata.name - 托管应用工作负载的标签值必须等于资源
metadata.labels.app。metadata.name - 托管应用工作负载的必须等于工作负载
containers[*].name。metadata.name - 应用资源必须定义
Service和metadata.labels.app,且两个标签都必须与metadata.labels.cloud.sealos.io/app-deploy-manager匹配。spec.selector.app - 组件级资源必须定义
ConfigMap和metadata.labels.app,且两个标签都必须与metadata.labels.cloud.sealos.io/app-deploy-manager匹配。metadata.name - 应用资源的
Service、metadata.name、metadata.labels.app和metadata.labels.cloud.sealos.io/app-deploy-manager必须使用相同的组件名称。spec.selector.app - 应用资源的
Ingress、metadata.name和后端metadata.labels.cloud.sealos.io/app-deploy-manager必须使用相同的组件名称。service.name - Service的必须显式设置(多端口服务必填)。
spec.ports[*].name - HTTP Ingress必须包含必填的nginx注解(、
kubernetes.io/ingress.class、nginx.ingress.kubernetes.io/proxy-body-size、nginx.ingress.kubernetes.io/server-snippet、nginx.ingress.kubernetes.io/ssl-redirect、nginx.ingress.kubernetes.io/backend-protocol、nginx.ingress.kubernetes.io/client-body-buffer-size、nginx.ingress.kubernetes.io/proxy-buffer-size、nginx.ingress.kubernetes.io/proxy-send-timeout、nginx.ingress.kubernetes.io/proxy-read-timeout)并使用预期的默认值。nginx.ingress.kubernetes.io/configuration-snippet - 当存在官方应用健康检查配置时,托管工作负载必须定义、
livenessProbe,以及(针对启动慢的应用)readinessProbe,与官方端点/命令对齐。startupProbe
Official Kubernetes alignment
官方Kubernetes对齐
- If official Kubernetes installation docs/manifests are available, conversion must reference them and align critical runtime settings before emitting template artifacts.
- When official Kubernetes docs/manifests and Compose differ, prefer official Kubernetes runtime semantics for app behavior (bootstrap admin fields, external endpoint/env/protocol, health probes), unless doing so violates higher-priority Sealos MUST/security constraints.
- 如果存在官方Kubernetes安装文档/清单,转换时必须参考这些内容,并在生成模板产物前对齐关键运行时配置。
- 当官方Kubernetes文档/清单与Compose存在差异时,优先采用官方Kubernetes的应用运行时语义(启动管理员字段、外部端点/环境变量/协议、健康探针),除非这样做违反更高优先级的Sealos必须规则/安全约束。
Images and pull policy
镜像与拉取策略
- Do not use .
:latest - Resolve versions with : prefer an explicit version tag (for example
crane), and fallback to digest pin only when a deterministic version tag is unavailable.v2.2.0 - Avoid floating tags (for example ,
:v2,:2.1); use an explicit version tag or digest.:stable - Managed workload image references must be concrete and must not contain Compose-style variable expressions (for example ,
${VAR}); resolve to explicit tag or digest before emitting template artifacts.${VAR:-default} - Application must match container image.
originImageName - All containers must explicitly set .
imagePullPolicy: IfNotPresent
- 不要使用标签。
:latest - 使用解析版本:优先使用明确的版本标签(例如
crane),仅当无确定版本标签时才回退到摘要固定。v2.2.0 - 避免使用浮动标签(例如、
:v2、:2.1);使用明确的版本标签或摘要。:stable - 托管工作负载的镜像引用必须是具体的,不得包含Compose风格的变量表达式(例如、
${VAR});在生成模板产物前解析为明确的标签或摘要。${VAR:-default} - 应用必须与容器镜像匹配。
originImageName - 所有容器必须显式设置。
imagePullPolicy: IfNotPresent
Storage
存储
- Do not use .
emptyDir - Use persistent storage patterns () where storage is needed.
volumeClaimTemplates - PVC request must be unless source spec explicitly requires less.
<= 1Gi - ConfigMap keys and volume names must follow vn naming ().
scripts/path_converter.py
- 不要使用。
emptyDir - 需要存储的场景使用持久化存储模式()。
volumeClaimTemplates - PVC请求容量必须,除非源规范明确要求更小的容量。
<= 1Gi - ConfigMap键名和存储卷名称必须遵循vn命名规则()。
scripts/path_converter.py
Env and secrets
环境变量与密钥
- Non-database sensitive values/inputs use direct .
env[].value - Business containers must source database connection fields (,
endpoint,host,port,username) from approved Kubeblocks database secrets viapassword.env[].valueFrom.secretKeyRef - Business containers must not use custom or
Secretexcept approved Kubeblocks database secrets and object storage secrets.secretKeyRef - Database connection/bootstrap may use Kubeblocks-provided secrets, and reserved Kubeblocks database secret names must not be redefined by custom resources.
Secret - Env vars must be declared before referenced (for example password before URL composition).
- Follow official app env var naming; do not invent prefixes.
- When the application requires its public URL configured via a file-based config system (e.g., node-config , PHP config files), create a ConfigMap containing the config file with the public URL set to
config/default.json, and mount it to the application's config directory. The ConfigMap must follow standard naming and label conventions.https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }} - For PostgreSQL custom databases (non-), include
postgresJob and implement startup-safe/idempotent creation logic (readiness wait + existence check before create).${{ defaults.app_name }}-pg-init
- 非数据库敏感值/输入直接使用。
env[].value - 业务容器必须通过从已批准的Kubeblocks数据库密钥中获取数据库连接字段(
env[].valueFrom.secretKeyRef、endpoint、host、port、username)。password - 除了已批准的Kubeblocks数据库密钥和对象存储密钥外,业务容器不得使用自定义或
Secret。secretKeyRef - 数据库连接/初始化可以使用Kubeblocks提供的密钥,预留的Kubeblocks数据库密钥名称不得被自定义资源重定义。
Secret - 环境变量必须在被引用前声明(例如密码要在URL拼接前声明)。
- 遵循官方应用的环境变量命名规则;不要自创前缀。
- 当应用需要通过基于文件的配置系统设置公共URL时(例如node-config的、PHP配置文件),创建包含配置文件的ConfigMap,将公共URL设置为
config/default.json,并将其挂载到应用的配置目录。该ConfigMap必须遵循标准命名和标签规范。https://${{ defaults.app_host }}.${{ SEALOS_CLOUD_DOMAIN }} - 针对PostgreSQL自定义数据库(非默认库),添加
postgresJob并实现启动安全/幂等创建逻辑(就绪等待 + 创建前存在性检查)。${{ defaults.app_name }}-pg-init
Database-specific constraints
数据库专属约束
- PostgreSQL version: .
postgresql-16.4.0 - PostgreSQL API: .
apps.kubeblocks.io/v1alpha1 - PostgreSQL RBAC unified naming: .
${{ defaults.app_name }}-pg - PostgreSQL RBAC requires and
app.kubernetes.io/instancelabels.app.kubernetes.io/managed-by - PostgreSQL role wildcard permission requirement remains as defined in current spec.
- PostgreSQL cluster must include required labels/fields (,
kb.io/database: postgresql-16.4.0,clusterdefinition.kubeblocks.io/name: postgresql,clusterversion.kubeblocks.io/name: postgresql-16.4.0,clusterVersionRef: postgresql-16.4.0,disableExporter: true,enabledLogs: [running],switchPolicy.type: Noop).serviceAccountName - MongoDB cluster must follow upgraded structure (,
componentDef: mongodb, labelsserviceVersion: 8.0.4andkb.io/database).app.kubernetes.io/instance - MySQL cluster must follow upgraded structure (,
kb.io/database: ac-mysql-8.0.30-1,clusterDefinitionRef: apecloud-mysql,clusterVersionRef: ac-mysql-8.0.30-1).tolerations: [] - Redis cluster must follow upgraded structure (,
componentDef: redis-7,componentDef: redis-sentinel-7, main data PVCserviceVersion: 7.2.7, topology1Gi).replication - Database cluster component resources must use and
limits(cpu=500m,memory=512Mi)unless source docs explicitly require otherwise.requests(cpu=50m,memory=51Mi) - Secret naming:
- MongoDB:
${{ defaults.app_name }}-mongodb-account-root - Redis:
${{ defaults.app_name }}-redis-redis-account-default - Kafka:
${{ defaults.app_name }}-broker-account-admin - Do not use legacy naming outside supported exceptions.
- MongoDB:
- PostgreSQL版本:。
postgresql-16.4.0 - PostgreSQL API:。
apps.kubeblocks.io/v1alpha1 - PostgreSQL RBAC统一命名:。
${{ defaults.app_name }}-pg - PostgreSQL RBAC需要和
app.kubernetes.io/instance标签。app.kubernetes.io/managed-by - PostgreSQL角色通配符权限要求保持当前规范中的定义。
- PostgreSQL集群必须包含必填标签/字段(、
kb.io/database: postgresql-16.4.0、clusterdefinition.kubeblocks.io/name: postgresql、clusterversion.kubeblocks.io/name: postgresql-16.4.0、clusterVersionRef: postgresql-16.4.0、disableExporter: true、enabledLogs: [running]、switchPolicy.type: Noop)。serviceAccountName - MongoDB集群必须遵循升级后的结构(、
componentDef: mongodb,标签serviceVersion: 8.0.4和kb.io/database)。app.kubernetes.io/instance - MySQL集群必须遵循升级后的结构(、
kb.io/database: ac-mysql-8.0.30-1、clusterDefinitionRef: apecloud-mysql、clusterVersionRef: ac-mysql-8.0.30-1)。tolerations: [] - Redis集群必须遵循升级后的结构(、
componentDef: redis-7、componentDef: redis-sentinel-7,主数据PVC容量serviceVersion: 7.2.7,拓扑模式1Gi)。replication - 数据库集群组件资源默认使用和
limits(cpu=500m,memory=512Mi),除非源文档明确要求其他配置。requests(cpu=50m,memory=51Mi) - 密钥命名规则:
- MongoDB:
${{ defaults.app_name }}-mongodb-account-root - Redis:
${{ defaults.app_name }}-redis-redis-account-default - Kafka:
${{ defaults.app_name }}-broker-account-admin - 除支持的例外情况外,不要使用旧版命名。
- MongoDB:
Baseline runtime defaults
基线运行时默认值
Unless source docs explicitly require otherwise, use:
- container limits: ,
cpu=200mmemory=256Mi - container requests: ,
cpu=20mmemory=25Mi revisionHistoryLimit: 1automountServiceAccountToken: false
除非源文档明确要求其他配置,否则使用以下默认值:
- 容器limits:、
cpu=200mmemory=256Mi - 容器requests:、
cpu=20mmemory=25Mi revisionHistoryLimit: 1automountServiceAccountToken: false
Defaults vs inputs
默认值与输入
- for generated values (
defaults,app_name, random passwords/keys).app_host - only for truly user-provided operational values (email/SMTP/external API keys, etc.).
inputs - must be in English.
inputs.description
- 用于生成值(
defaults、app_name、随机密码/密钥)。app_host - 仅用于真正由用户提供的运营值(邮箱/SMTP/外部API密钥等)。
inputs - 必须使用英文。
inputs.description
Validation Commands
校验命令
Run all checks before final response:
python scripts/path_converter.py --self-testpython scripts/test_check_consistency.pypython scripts/test_compose_to_template.pypython scripts/test_check_must_coverage.pypython scripts/check_consistency.py --skill SKILL.md --references references --rules-file references/rules-registry.yamlpython scripts/check_consistency.py --skill SKILL.md --references references --rules-file references/rules-registry.yaml --artifacts template/<app-name>/index.yamlpython scripts/check_must_coverage.py --skill SKILL.md --mapping references/must-rules-map.yaml --rules-file references/rules-registry.yaml- (CI / one-shot) (requires
python scripts/quality_gate.pyby default; settemplate/*/index.yamlonly for dev/debug without artifacts)DOCKER_TO_SEALOS_ALLOW_EMPTY_ARTIFACTS=1
check_consistency.pyreferences/rules-registry.yamlseverityscope.include_paths在最终响应前运行所有检查:
python scripts/path_converter.py --self-testpython scripts/test_check_consistency.pypython scripts/test_compose_to_template.pypython scripts/test_check_must_coverage.pypython scripts/check_consistency.py --skill SKILL.md --references references --rules-file references/rules-registry.yamlpython scripts/check_consistency.py --skill SKILL.md --references references --rules-file references/rules-registry.yaml --artifacts template/<app-name>/index.yamlpython scripts/check_must_coverage.py --skill SKILL.md --mapping references/must-rules-map.yaml --rules-file references/rules-registry.yaml- (CI/单次执行)(默认需要
python scripts/quality_gate.py;仅在无产物的开发/调试场景下设置template/*/index.yaml)DOCKER_TO_SEALOS_ALLOW_EMPTY_ARTIFACTS=1
check_consistency.pyreferences/rules-registry.yamlseverityscope.include_pathsOutput Contract
输出约定
When conversion is complete, provide:
- brief conversion summary
- target file path ()
template/<app-name>/index.yaml - complete template YAML
- key decisions only where ambiguity existed
转换完成后,提供以下内容:
- 简短的转换总结
- 目标文件路径()
template/<app-name>/index.yaml - 完整的模板YAML
- 仅在存在歧义的场景下说明关键决策
Reference Navigation (Progressive Loading)
参考文件导航(渐进式加载)
Load only needed references for current task:
references/sealos-specs.md- authoritative ordering, labels, App/Ingress/ConfigMap conventions
references/conversion-mappings.md- Docker→Sealos field-level mappings and edge conversions
references/database-templates.md- database templates, RBAC structures, secret naming patterns
references/example-guide.md- examples and pattern walkthroughs (non-authoritative)
references/rules-registry.yaml- machine-readable validation scope/rules list
references/must-rules-map.yaml- MUST bullet to enforcement mapping (or
rule) for drift controlmanual
- MUST bullet to enforcement mapping (
仅加载当前任务需要的参考文件:
references/sealos-specs.md- 权威排序、标签、App/Ingress/ConfigMap约定
references/conversion-mappings.md- Docker→Sealos字段级映射与边缘场景转换规则
references/database-templates.md- 数据库模板、RBAC结构、密钥命名模式
references/example-guide.md- 示例与模式演练(非权威)
references/rules-registry.yaml- 机器可读的校验范围/规则列表
references/must-rules-map.yaml- 必须条款与执行方式的映射(或
rule),用于偏移控制manual
- 必须条款与执行方式的映射(
Script Utilities
脚本工具
scripts/path_converter.py- convert paths to vn names
- self-test support for regression checks
scripts/compose_to_template.py- deterministic compose/docs-to-template generator entrypoint
- supports (
--kompose-mode auto|always|neveris default) to reusealwaysworkload shapeskompose convert - emits
template/<app-name>/index.yaml
scripts/test_compose_to_template.py- regression tests for compose conversion behavior
scripts/check_consistency.py- registry-driven consistency validator
scripts/test_check_consistency.py- regression tests for validator behavior
scripts/check_must_coverage.py- validate MUST bullet coverage mapping against registry rules
scripts/test_check_must_coverage.py- regression tests for MUST coverage validator
scripts/path_converter.py- 将路径转换为vn名称
- 支持自检用于回归检查
scripts/compose_to_template.py- 确定性的compose/文档转模板生成器入口
- 支持(默认
--kompose-mode auto|always|never)复用always生成的工作负载结构kompose convert - 输出
template/<app-name>/index.yaml
scripts/test_compose_to_template.py- Compose转换行为的回归测试
scripts/check_consistency.py- 注册驱动的一致性校验器
scripts/test_check_consistency.py- 校验器行为的回归测试
scripts/check_must_coverage.py- 校验必须条款在注册规则中的覆盖映射
scripts/test_check_must_coverage.py- 必须条款覆盖校验器的回归测试
Edge Policies
边缘场景策略
- Never ask users for missing fields; infer from compose/docs and platform conventions.
- Keep App resource in format; never use
spec.data.url.spec.template - Keep App resource and
spec.displayType: normal; do not infer alternative enum values.spec.type: link - Keep business-env, object storage, and DB-secret policy consistent with MUST rules.
- Prefer Sealos-managed ingress over bundled edge proxies: if a Traefik gateway is only acting as ingress/front-proxy and at least one business service exists, do not emit Traefik workload resources.
- Prefer gateway TLS termination in Sealos Ingress over in-container TLS: for dual-port HTTP/HTTPS workloads, keep HTTP service port and remove redundant HTTPS/certificate mounts unless official docs require HTTPS backend.
- Prefer fixing references/examples over adding exceptions when conflicts appear.
- If official Kubernetes installation docs/manifests exist for the target app, do not ignore them; use them to refine runtime semantics beyond Compose defaults.
- 永远不要向用户询问缺失字段;从compose/文档和平台约定中推断。
- 保持App资源使用格式;永远不要使用
spec.data.url。spec.template - 保持App资源和
spec.displayType: normal;不要推断其他枚举值。spec.type: link - 保持业务环境变量、对象存储和数据库密钥策略与必须规则一致。
- 优先使用Sealos托管的Ingress而非捆绑的边缘代理:如果Traefik网关仅作为Ingress/前端代理,且至少存在一个业务服务,则不要生成Traefik工作负载资源。
- 优先在Sealos Ingress中完成网关TLS终止而非容器内TLS:对于同时暴露HTTP/HTTPS端口的工作负载,保留HTTP服务端口,移除冗余的HTTPS/证书挂载,除非官方文档要求后端使用HTTPS。
- 出现冲突时,优先修复参考文件/示例而非添加例外。
- 如果目标应用存在官方Kubernetes安装文档/清单,不要忽略它们;使用这些内容优化Compose默认值之外的运行时语义。