From 1669365ea5edd70c6028a4f69494175e8fe65c87 Mon Sep 17 00:00:00 2001
From: rohow
Date: Thu, 28 May 2026 15:15:50 +0800
Subject: [PATCH] feat(infra-net): add new Secret for Infra Net credentials and configure HelmRelease dependencies
---
 .env.sample | 6 ++++++
 flux/apps/helmrelease-halo.yaml | 2 +-
 flux/clusters/dev-cm/infra-net.yaml | 1 -
 .../infra-gitops/helmrelease-gitea.yaml | 4 ++--
 .../infra-net/helmrelease-ingress-nginx.yaml | 21 ++++++++++++++-----
 flux/infrastructure/secrets/infra-net.yaml | 16 ++++++++++++++
 .../infrastructure/secrets/kustomization.yaml | 1 +
 flux/infrastructure/secrets/namespaces.yaml | 5 +++++
 8 files changed, 47 insertions(+), 9 deletions(-)
 create mode 100644 flux/infrastructure/secrets/infra-net.yaml
diff --git a/.env.sample b/.env.sample
index 5d7d411..3834f69 100644
--- a/.env.sample
+++ b/.env.sample
@@ -12,3 +12,9 @@ GITEA_ACTIONS_TOKEN=placeholder
 # Flux Operator Web OIDC 凭据(Gitea 启动后创建 OAuth2 应用获取,Redirect URI: https://cd.dev.cm/oauth2/callback)
 FLUX_WEB_OIDC_CLIENT_ID=placeholder
 FLUX_WEB_OIDC_CLIENT_SECRET=placeholder
+
+# Infra Net 凭据
+NET_MAXMIND_LICENSE_KEY=placeholder
+NET_CROWDSEC_BOUNCER_API_KEY=placeholder
+NET_TURNSTILE_SITE_KEY=placeholder
+NET_TURNSTILE_SECRET_KEY=placeholder
diff --git a/flux/apps/helmrelease-halo.yaml b/flux/apps/helmrelease-halo.yaml
index b03cd4c..41d9680 100644
--- a/flux/apps/helmrelease-halo.yaml
+++ b/flux/apps/helmrelease-halo.yaml
@@ -18,7 +18,7 @@ spec:
 values:
 image:
 repository: halohub/halo-pro
- tag: 2.24.0
+ tag: 2.24.2
 service:
 type: ClusterIP
 ingress:
diff --git a/flux/clusters/dev-cm/infra-net.yaml b/flux/clusters/dev-cm/infra-net.yaml
index 53e11db..f7b632e 100644
--- a/flux/clusters/dev-cm/infra-net.yaml
+++ b/flux/clusters/dev-cm/infra-net.yaml
@@ -26,7 +26,6 @@ spec:
 nameservers:
 - "169.254.20.10"
 - "10.43.0.10"
- maxmindLicenseKey: "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"
 defaultBackend:
 affinity:
 nodeAffinity:
diff --git a/flux/infrastructure/infra-gitops/helmrelease-gitea.yaml b/flux/infrastructure/infra-gitops/helmrelease-gitea.yaml
index bf510a5..106eab1 100644
--- a/flux/infrastructure/infra-gitops/helmrelease-gitea.yaml
+++ b/flux/infrastructure/infra-gitops/helmrelease-gitea.yaml
@@ -9,7 +9,7 @@ spec:
 chart:
 spec:
 chart: gitea
- version: 12.5.0
+ version: 12.6.0
 sourceRef:
 kind: HelmRepository
 name: gitea
@@ -21,7 +21,7 @@ spec:
 postgresql-ha:
 enabled: false
 image:
- tag: 1.25.5
+ tag: 1.26.2
 ingress:
 enabled: true
 className: nginx
diff --git a/flux/infrastructure/infra-net/helmrelease-ingress-nginx.yaml b/flux/infrastructure/infra-net/helmrelease-ingress-nginx.yaml
index 11e4d4c..bc4a485 100644
--- a/flux/infrastructure/infra-net/helmrelease-ingress-nginx.yaml
+++ b/flux/infrastructure/infra-net/helmrelease-ingress-nginx.yaml
@@ -15,6 +15,10 @@ spec:
 name: ingress-nginx
 namespace: infra-gitops
 interval: 12h
+ valuesFrom:
+ - kind: Secret
+ name: infra-net-env
+ valuesKey: ingress-nginx-values.yaml
 values:
 fullnameOverride: ingress-nginx
 controller:
@@ -125,8 +129,6 @@ spec:
 # crowdsec插件配置
 plugins: "crowdsec"
 lua-shared-dicts: "crowdsec_cache: 50m"
- # 启用geoip2模块
- maxmindLicenseKey: ""
 extraArgs:
 default-ssl-certificate: "infra-net/dev-cm-crt"
 # crowdsec插件配置
@@ -140,7 +142,10 @@ spec:
 - name: API_URL
 value: "http://crowdsec-service.infra-net.svc.cluster.local:8080"
 - name: API_KEY
- value: "ImxBThnyiNm224V5DHYPY63KPAcyJ+WF0rm18Gr4M80"
+ valueFrom:
+ secretKeyRef:
+ name: infra-net-env
+ key: NET_CROWDSEC_BOUNCER_API_KEY
 - name: BOUNCER_CONFIG
 value: "/crowdsec/crowdsec-bouncer.conf"
 - name: MODE
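Review bot: The `valuesFrom` entry added in the `@@ -15,6 +15,10 @@` hunk references Secret `infra-net-env`, which this patch creates under the separate `flux/infrastructure/secrets` kustomization, and a HelmRelease with a non-optional `valuesFrom` will not reconcile until that Secret exists; the commit title speaks of configuring HelmRelease dependencies, but no `dependsOn` is visible here, so confirm the Flux Kustomization applying this HelmRelease depends on the one applying the secrets directory. Failing closed is the right default — do not add `optional: true`, or a missing Secret would deploy ingress-nginx with no MaxMind key and no error. Flux merges `spec.values` on top of `valuesFrom`, so any `maxmindLicenseKey` left inline would override the Secret-provided one; the removal of `maxmindLicenseKey: ""` in the next hunk is what makes this work, and a comment on the new block, `# merged before spec.values — do not redefine maxmindLicenseKey inline`, would keep it from being reintroduced. The HelmRelease metadata (its namespace must equal the Secret's `infra-net`) is outside the hunk.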
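Review bot: The literal bouncer key removed in the `@@ -140,7 +142,10 @@` hunk (`ImxBThny…`) was committed and remains recoverable from git history, so moving it into a Secret does not contain the exposure by itself; the bouncer should be re-registered with a fresh key (`cscli bouncers delete` / `cscli bouncers add`) and the new value written to `flux-env`, and the same applies to the MaxMind license key and Turnstile secret key removed elsewhere in this patch. Until rotation, anyone with repository read access who can reach the in-cluster LAPI can read the decision list with the old key. A comment on the `API_KEY` entry, `# bouncer key — rotate via cscli if this file's history is ever exposed`, would record the expectation. The container spec this env block belongs to starts and ends outside the hunk.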
@@ -154,9 +159,15 @@ spec:
 - name: CAPTCHA_PROVIDER
 value: "turnstile"
 - name: SITE_KEY
- value: "0x4AAAAAAAxJ2RPNWzn2LCc-"
+ valueFrom:
+ secretKeyRef:
+ name: infra-net-env
+ key: NET_TURNSTILE_SITE_KEY
 - name: SECRET_KEY
- value: "0x4AAAAAAAxJ2dwFOaNg5ae3c6wYTmWH0bU"
+ valueFrom:
+ secretKeyRef:
+ name: infra-net-env
+ key: NET_TURNSTILE_SECRET_KEY
 - name: CAPTCHA_TEMPLATE_PATH
 value: /etc/nginx/static/captcha.html
 command: ['/bin/sh', '-c']
diff --git a/flux/infrastructure/secrets/infra-net.yaml b/flux/infrastructure/secrets/infra-net.yaml
new file mode 100644
index 0000000..4c8a4b4
--- /dev/null
+++ b/flux/infrastructure/secrets/infra-net.yaml
@@ -0,0 +1,16 @@
+# Infra Net 凭据
+# 变量来源: flux-env Secret (通过postBuild.substituteFrom注入)
+apiVersion: v1
+kind: Secret
+metadata:
+ name: infra-net-env
+ namespace: infra-net
+type: Opaque
+stringData:
+ NET_MAXMIND_LICENSE_KEY: "${NET_MAXMIND_LICENSE_KEY}"
+ NET_CROWDSEC_BOUNCER_API_KEY: "${NET_CROWDSEC_BOUNCER_API_KEY}"
+ NET_TURNSTILE_SITE_KEY: "${NET_TURNSTILE_SITE_KEY}"
+ NET_TURNSTILE_SECRET_KEY: "${NET_TURNSTILE_SECRET_KEY}"
+ ingress-nginx-values.yaml: |
+ controller:
+ maxmindLicenseKey: "${NET_MAXMIND_LICENSE_KEY}"
diff --git a/flux/infrastructure/secrets/kustomization.yaml b/flux/infrastructure/secrets/kustomization.yaml
index 61a591e..e789374 100644
--- a/flux/infrastructure/secrets/kustomization.yaml
+++ b/flux/infrastructure/secrets/kustomization.yaml
@@ -5,3 +5,4 @@ resources:
 - s3-devcm-hw.yaml
 - dnspod-secret.yaml
 - gitea-actions.yaml
+ - infra-net.yaml
diff --git a/flux/infrastructure/secrets/namespaces.yaml b/flux/infrastructure/secrets/namespaces.yaml
index cabd94d..23d8cf7 100644
--- a/flux/infrastructure/secrets/namespaces.yaml
+++ b/flux/infrastructure/secrets/namespaces.yaml
@@ -14,3 +14,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
 name: infra-gitops
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: infra-net
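Review bot: `SITE_KEY` is the Turnstile public site key that the widget delivers to every visitor's browser, so sourcing it from the same Secret as `SECRET_KEY` is harmless but blurs which of the two actually needs protecting; if it stays in the Secret for convenience, a comment such as `# public widget key, not sensitive — SECRET_KEY below is` on the `SITE_KEY` entry would make the boundary explicit. The removed `SECRET_KEY` literal (`0x4AAAAAAAxJ2dwFO…`) is still in git history and should be rotated in the Cloudflare Turnstile dashboard, then updated in `flux-env`. The container this env list belongs to begins outside the hunk.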
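Review bot: In the new `flux/infrastructure/secrets/infra-net.yaml`, `maxmindLicenseKey` inside `ingress-nginx-values.yaml` is, if I recall the ingress-nginx chart correctly, rendered into the controller Deployment as a `--maxmind-license-key=…` command-line flag, so the key leaves git but remains readable by anyone who can `get pods -o yaml` in `infra-net` or list processes on the node; if the chart version in use offers an env-from-secret path prefer it, otherwise note the limitation next to the key, `# rendered as a controller flag by the chart — visible in the pod spec`. The `${…}` placeholders sit inside double quotes, so a value containing `"` or `\` would break the rendered YAML — fine for these key formats, but worth a one-line comment stating the assumption. Unless strict post-build substitution is enabled on the `secrets` Kustomization, an unset variable in `flux-env` expands to an empty string and silently yields empty credentials instead of a reconciliation error, so confirm how that Kustomization is configured.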