feat(flux): flux

.env.sample

@@ -0,0 +1,10 @@
+# 华为云OBS S3凭据 (velero备份 + CNPG WAL归档)
+S3_ACCESS_KEY_ID=placeholder
+S3_ACCESS_SECRET_KEY=placeholder
+
+# DNSPod API凭据 (cert-manager ACME DNS验证)
+DNSPOD_SECRET_ID=placeholder
+DNSPOD_SECRET_KEY=placeholder
+
+# Gitea Actions Runner Token
+GITEA_ACTIONS_TOKEN=placeholder

.gitignore

@@ -2,6 +2,9 @@
 logs
 *.log
 
+# Secrets
+.env
+
 # Editor directories and files
 .vscode/*
 !.vscode/extensions.json

flux/clusters/base/apps.yaml

@@ -12,6 +12,6 @@ spec:
   path: ./flux/apps
   prune: true
   dependsOn:
-    - name: infra-data
+    - name: infra-data-post
     - name: infra-net
     - name: infra-gitops

flux/clusters/base/infra-data.yaml

@@ -15,3 +15,22 @@ spec:
   wait: true
   dependsOn:
     - name: infra-devops
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra-data-post
+  namespace: infra-gitops
+spec:
+  interval: 30m
+  retryInterval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux
+  path: ./flux/infrastructure/infra-data/post
+  prune: true
+  force: true
+  wait: true
+  dependsOn:
+    - name: infra-data

flux/clusters/base/infra-devops.yaml

@@ -14,6 +14,7 @@ spec:
   wait: true
   dependsOn:
     - name: sources
+    - name: secrets
 
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1

flux/clusters/base/infra-gitops.yaml

@@ -13,5 +13,5 @@ spec:
   prune: true
   wait: true
   dependsOn:
-    - name: infra-data
+    - name: infra-data-post
     - name: infra-monitor

flux/clusters/base/infra-monitor.yaml

@@ -14,4 +14,4 @@ spec:
   force: true
   wait: true
   dependsOn:
-    - name: infra-data
+    - name: infra-data-post

flux/clusters/base/kustomization.yaml

@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - sources.yaml
+  - secrets.yaml
   - kube-system.yaml
   - infra-devops.yaml
   - infra-data.yaml

flux/clusters/base/secrets.yaml

@@ -0,0 +1,22 @@
+# 密钥管理层 - 通过postBuild从flux-env Secret注入变量
+# 所有环境流程一致: kubectl create secret generic flux-env -n infra-gitops --from-env-file=.env
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: secrets
+  namespace: infra-gitops
+spec:
+  interval: 30m
+  retryInterval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux
+  path: ./flux/infrastructure/secrets
+  prune: false
+  wait: true
+  dependsOn:
+    - name: sources
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: flux-env

flux/clusters/dev-cm/kustomization.yaml

@@ -11,6 +11,10 @@ patches:
       kind: Kustomization
       name: infra-data
     path: patches/infra-data.yaml
+  - target:
+      kind: Kustomization
+      name: infra-data-post
+    path: patches/infra-data-post.yaml
   - target:
       kind: Kustomization
       name: infra-net

flux/clusters/dev-cm/patches/infra-data-post.yaml

@@ -0,0 +1,58 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra-data-post
+spec:
+  patches:
+    - target:
+        kind: Cluster
+        name: cnpg17-cluster-hk
+      patch: |
+        apiVersion: postgresql.cnpg.io/v1
+        kind: Cluster
+        metadata:
+          name: cnpg17-cluster-hk
+        spec:
+          affinity:
+            nodeAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                nodeSelectorTerms:
+                  - matchExpressions:
+                      - key: topology.kubernetes.io/region
+                        operator: In
+                        values:
+                          - "cn-hk"
+              preferredDuringSchedulingIgnoredDuringExecution:
+                - weight: 1
+                  preference:
+                    matchExpressions:
+                      - key: kubernetes.io/hostname
+                        operator: In
+                        values:
+                          - clawhk
+    - target:
+        kind: Cluster
+        name: cnpg17-cluster-sh
+      patch: |
+        apiVersion: postgresql.cnpg.io/v1
+        kind: Cluster
+        metadata:
+          name: cnpg17-cluster-sh
+        spec:
+          affinity:
+            nodeAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                nodeSelectorTerms:
+                  - matchExpressions:
+                      - key: topology.kubernetes.io/region
+                        operator: In
+                        values:
+                          - "cn-sh"
+              preferredDuringSchedulingIgnoredDuringExecution:
+                - weight: 1
+                  preference:
+                    matchExpressions:
+                      - key: kubernetes.io/hostname
+                        operator: In
+                        values:
+                          - homea

flux/clusters/dev-cm/patches/infra-data.yaml

@@ -50,58 +50,6 @@ spec:
               - key: "node-role.kubernetes.io/control-plane"
                 operator: "Exists"
                 effect: "NoSchedule"
-    - target:
-        kind: Cluster
-        name: cnpg17-cluster-hk
-      patch: |
-        apiVersion: postgresql.cnpg.io/v1
-        kind: Cluster
-        metadata:
-          name: cnpg17-cluster-hk
-        spec:
-          affinity:
-            nodeAffinity:
-              requiredDuringSchedulingIgnoredDuringExecution:
-                nodeSelectorTerms:
-                  - matchExpressions:
-                      - key: topology.kubernetes.io/region
-                        operator: In
-                        values:
-                          - "cn-hk"
-              preferredDuringSchedulingIgnoredDuringExecution:
-                - weight: 1
-                  preference:
-                    matchExpressions:
-                      - key: kubernetes.io/hostname
-                        operator: In
-                        values:
-                          - clawhk
-    - target:
-        kind: Cluster
-        name: cnpg17-cluster-sh
-      patch: |
-        apiVersion: postgresql.cnpg.io/v1
-        kind: Cluster
-        metadata:
-          name: cnpg17-cluster-sh
-        spec:
-          affinity:
-            nodeAffinity:
-              requiredDuringSchedulingIgnoredDuringExecution:
-                nodeSelectorTerms:
-                  - matchExpressions:
-                      - key: topology.kubernetes.io/region
-                        operator: In
-                        values:
-                          - "cn-sh"
-              preferredDuringSchedulingIgnoredDuringExecution:
-                - weight: 1
-                  preference:
-                    matchExpressions:
-                      - key: kubernetes.io/hostname
-                        operator: In
-                        values:
-                          - homea
     - target:
         kind: HelmRelease
         name: valkey-cluster-sh

flux/clusters/local/kustomization.yaml

@@ -2,8 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../base
-patches:
-  - target:
-      kind: Kustomization
-      name: infra-devops
-    path: patches/infra-devops.yaml

flux/clusters/local/patches/infra-devops.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: infra-devops
-spec:
-  wait: false

flux/infrastructure/infra-data/kustomization.yaml

@@ -4,10 +4,4 @@ resources:
   - namespace.yaml
   - helmrelease-cloudnative-pg.yaml
   - helmrelease-barman-plugin.yaml
-  - cnpg17-objectstore-hw.yaml
-  - cnpg17-cluster-hk.yaml
-  - cnpg17-cluster-sh.yaml
-  - loadbalancer-hk.yaml
-  - loadbalancer-sh.yaml
   - helmrelease-valkey-cluster.yaml
-  - reflector-secret-annotations.yaml

flux/infrastructure/infra-data/post/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cnpg17-objectstore-hw.yaml
+  - cnpg17-cluster-hk.yaml
+  - cnpg17-cluster-sh.yaml
+  - loadbalancer-hk.yaml
+  - loadbalancer-sh.yaml
+  - reflector-secret-annotations.yaml

flux/infrastructure/secrets/dnspod-secret.yaml

@@ -0,0 +1,11 @@
+# cert-manager DNSPod webhook凭据
+# 变量来源: flux-env Secret (通过postBuild.substituteFrom注入)
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dnspod-secret
+  namespace: infra-devops
+type: Opaque
+stringData:
+  secretId: "${DNSPOD_SECRET_ID}"
+  secretKey: "${DNSPOD_SECRET_KEY}"

flux/infrastructure/secrets/gitea-actions.yaml

@@ -0,0 +1,10 @@
+# Gitea Actions Runner Token
+# 变量来源: flux-env Secret (通过postBuild.substituteFrom注入)
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-actions
+  namespace: infra-gitops
+type: Opaque
+stringData:
+  token: "${GITEA_ACTIONS_TOKEN}"

flux/infrastructure/secrets/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespaces.yaml
+  - s3-devcm-hw.yaml
+  - dnspod-secret.yaml
+  - gitea-actions.yaml

flux/infrastructure/secrets/namespaces.yaml

@@ -0,0 +1,16 @@
+# 确保密钥目标命名空间已存在
+# 与各infra层的namespace.yaml幂等
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: infra-devops
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: infra-data
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: infra-gitops

flux/infrastructure/secrets/s3-devcm-hw.yaml

@@ -0,0 +1,23 @@
+# S3凭据 (华为云OBS)
+# 用途: velero备份 + CNPG barman WAL归档
+# 变量来源: flux-env Secret (通过postBuild.substituteFrom注入)
+apiVersion: v1
+kind: Secret
+metadata:
+  name: s3-devcm-hw
+  namespace: infra-devops
+type: Opaque
+stringData:
+  ACCESS_KEY_ID: "${S3_ACCESS_KEY_ID}"
+  ACCESS_SECRET_KEY: "${S3_ACCESS_SECRET_KEY}"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: s3-devcm-hw
+  namespace: infra-data
+type: Opaque
+stringData:
+  ACCESS_KEY_ID: "${S3_ACCESS_KEY_ID}"
+  ACCESS_SECRET_KEY: "${S3_ACCESS_SECRET_KEY}"