feat(infra-net): add new Secret for Infra Net credentials and configure HelmRelease dependencies

flux/apps/helmrelease-halo.yaml

@@ -18,7 +18,7 @@ spec:
   values:
     image:
       repository: halohub/halo-pro
-      tag: 2.24.0
+      tag: 2.24.2
     service:
       type: ClusterIP
     ingress:

flux/clusters/dev-cm/infra-net.yaml

@@ -26,7 +26,6 @@ spec:
                 nameservers:
                   - "169.254.20.10"
                   - "10.43.0.10"
-              maxmindLicenseKey: "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"
             defaultBackend:
               affinity:
                 nodeAffinity:

flux/infrastructure/infra-gitops/helmrelease-gitea.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: gitea
-      version: 12.5.0
+      version: 12.6.0
       sourceRef:
         kind: HelmRepository
         name: gitea
@@ -21,7 +21,7 @@ spec:
     postgresql-ha:
       enabled: false
     image:
-      tag: 1.25.5
+      tag: 1.26.2
     ingress:
       enabled: true
       className: nginx

flux/infrastructure/infra-net/helmrelease-ingress-nginx.yaml

@@ -15,6 +15,10 @@ spec:
         name: ingress-nginx
         namespace: infra-gitops
       interval: 12h
+  valuesFrom:
+    - kind: Secret
+      name: infra-net-env
+      valuesKey: ingress-nginx-values.yaml
   values:
     fullnameOverride: ingress-nginx
     controller:
@@ -125,8 +129,6 @@ spec:
         # crowdsec插件配置
         plugins: "crowdsec"
         lua-shared-dicts: "crowdsec_cache: 50m"
-      # 启用geoip2模块
-      maxmindLicenseKey: ""
       extraArgs:
         default-ssl-certificate: "infra-net/dev-cm-crt"
       # crowdsec插件配置
@@ -140,7 +142,10 @@ spec:
             - name: API_URL
               value: "http://crowdsec-service.infra-net.svc.cluster.local:8080"
             - name: API_KEY
-              value: "ImxBThnyiNm224V5DHYPY63KPAcyJ+WF0rm18Gr4M80"
+              valueFrom:
+                secretKeyRef:
+                  name: infra-net-env
+                  key: NET_CROWDSEC_BOUNCER_API_KEY
             - name: BOUNCER_CONFIG
               value: "/crowdsec/crowdsec-bouncer.conf"
             - name: MODE
@@ -154,9 +159,15 @@ spec:
             - name: CAPTCHA_PROVIDER
               value: "turnstile"
             - name: SITE_KEY
-              value: "0x4AAAAAAAxJ2RPNWzn2LCc-"
+              valueFrom:
+                secretKeyRef:
+                  name: infra-net-env
+                  key: NET_TURNSTILE_SITE_KEY
             - name: SECRET_KEY
-              value: "0x4AAAAAAAxJ2dwFOaNg5ae3c6wYTmWH0bU"
+              valueFrom:
+                secretKeyRef:
+                  name: infra-net-env
+                  key: NET_TURNSTILE_SECRET_KEY
             - name: CAPTCHA_TEMPLATE_PATH
               value: /etc/nginx/static/captcha.html
           command: ['/bin/sh', '-c']

flux/infrastructure/secrets/infra-net.yaml

@@ -0,0 +1,16 @@
+# Infra Net 凭据
+# 变量来源: flux-env Secret (通过postBuild.substituteFrom注入)
+apiVersion: v1
+kind: Secret
+metadata:
+  name: infra-net-env
+  namespace: infra-net
+type: Opaque
+stringData:
+  NET_MAXMIND_LICENSE_KEY: "${NET_MAXMIND_LICENSE_KEY}"
+  NET_CROWDSEC_BOUNCER_API_KEY: "${NET_CROWDSEC_BOUNCER_API_KEY}"
+  NET_TURNSTILE_SITE_KEY: "${NET_TURNSTILE_SITE_KEY}"
+  NET_TURNSTILE_SECRET_KEY: "${NET_TURNSTILE_SECRET_KEY}"
+  ingress-nginx-values.yaml: |
+    controller:
+      maxmindLicenseKey: "${NET_MAXMIND_LICENSE_KEY}"

flux/infrastructure/secrets/kustomization.yaml

@@ -5,3 +5,4 @@ resources:
   - s3-devcm-hw.yaml
   - dnspod-secret.yaml
   - gitea-actions.yaml
+  - infra-net.yaml

flux/infrastructure/secrets/namespaces.yaml

@@ -14,3 +14,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: infra-gitops
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: infra-net