From a9cb2eb48ad5b517fc3fd1c98ecd9fc83b7249b1 Mon Sep 17 00:00:00 2001
From: rohow
Date: Fri, 17 Apr 2026 14:39:38 +0800
Subject: [PATCH] feat(helmchart): optimize HelmChartConfig
---
.env.sample | 6 +-
flux/README.md | 72 +++++++++++++++++--
flux/clusters/base/infra-gitops.yaml | 24 +++++++
flux/clusters/base/infra-monitor.yaml | 20 ++++++
flux/clusters/dev-cm/kustomization.yaml | 4 ++
.../dev-cm/patches/infra-gitops-post.yaml | 19 +++++
.../clusters/dev-cm/patches/infra-gitops.yaml | 13 ----
flux/flux-instance.yaml | 2 +-
.../infra-data/post/databases.yaml | 43 +++++++++++
.../infra-data/post/kustomization.yaml | 1 +
.../infra-gitops/kustomization.yaml | 1 -
.../post/helmchartconfig-flux-web.yaml | 27 +++++++
.../{ => post}/helmrelease-gitea-actions.yaml | 0
.../infra-gitops/post/kustomization.yaml | 5 ++
.../infra-monitor/kustomization.yaml | 1 -
.../{ => post}/helmrelease-promtail.yaml | 0
.../infra-monitor/post/kustomization.yaml | 4 ++
helmcharts/helmchart-flux.yaml | 23 +----
18 files changed, 224 insertions(+), 41 deletions(-)
create mode 100644 flux/clusters/dev-cm/patches/infra-gitops-post.yaml
create mode 100644 flux/infrastructure/infra-data/post/databases.yaml
create mode 100644 flux/infrastructure/infra-gitops/post/helmchartconfig-flux-web.yaml
rename flux/infrastructure/infra-gitops/{ => post}/helmrelease-gitea-actions.yaml (100%)
create mode 100644 flux/infrastructure/infra-gitops/post/kustomization.yaml
rename flux/infrastructure/infra-monitor/{ => post}/helmrelease-promtail.yaml (100%)
create mode 100644 flux/infrastructure/infra-monitor/post/kustomization.yaml
diff --git a/.env.sample b/.env.sample
index 4c68895..a6e0ad4 100644
--- a/.env.sample
+++ b/.env.sample
@@ -6,5 +6,9 @@ S3_ACCESS_SECRET_KEY=placeholder
 DNSPOD_SECRET_ID=placeholder
 DNSPOD_SECRET_KEY=placeholder
-# Gitea Actions Runner Token
+# Gitea Actions Runner Token(Gitea 启动后在 admin → Runners 生成)
 GITEA_ACTIONS_TOKEN=placeholder
+
+# Flux Operator Web OIDC 凭据(Gitea 启动后创建 OAuth2 应用获取,Redirect URI: https://cd.dev.cm/oauth2/callback)
+FLUX_WEB_OIDC_CLIENT_ID=placeholder
+FLUX_WEB_OIDC_CLIENT_SECRET=placeholder
diff --git a/flux/README.md b/flux/README.md
index 014b930..72b6f29 100644
--- a/flux/README.md
+++ b/flux/README.md
@@ -11,9 +11,9 @@ flux/
 │ ├── kube-system.yaml # CoreDNS / NodeLocalDNS
 │ ├── infra-devops.yaml # cert-manager / reflector / velero
 │ ├── infra-data.yaml # CNPG / Valkey
-│ ├── infra-monitor.yaml # Loki / Prometheus
+│ ├── infra-monitor.yaml # Loki / Prometheus (+ post: Promtail)
 │ ├── infra-net.yaml # Nginx / CrowdSec / Tailscale
-│ ├── infra-gitops.yaml # Gitea
+│ ├── infra-gitops.yaml # Gitea (+ post: Gitea Actions / Flux Web)
 │ └── apps.yaml # Halo / RustDesk / Fillcode / SinceAI
 ├── infrastructure/
 │ ├── sources/ # 所有 HelmRepository 定义
@@ -21,7 +21,71 @@ flux/ │ ├── infra-devops/ # cert-manager, webhook-dnspod, reflector, velero │ ├── infra-data/ # CNPG operator, Barman, PG集群, Valkey │ ├── infra-net/ # ingress-nginx, CrowdSec, Tailscale DERP, 证书 -│ ├── infra-monitor/ # Loki, Promtail, Prometheus+Grafana -│ └── infra-gitops/ # Gitea, Gitea Actions +│ ├── infra-monitor/ # Loki, Prometheus+Grafana +│ │ └── post/ # Promtail(依赖 infra-net,打破循环) +│ └── infra-gitops/ # Gitea +│ └── post/ # Gitea Actions + flux-operator Web(OIDC/Ingress) └── apps/ # Halo, RustDesk, Whoami, 证书, Ingress ``` + +## 部署顺序 + +``` +sources → secrets → kube-system → infra-devops → infra-data → infra-data-post + → infra-monitor → infra-net → infra-devops-post + → infra-monitor-post (Promtail) + → infra-gitops + → apps + → infra-gitops-post (suspend=true,需手工凭据) +``` + +Kustomization 间通过 `dependsOn` + `wait: true` 串行等待,避免顺序错乱。 + +## 部署后手工步骤(infra-gitops-post) + +`infra-gitops-post` 默认 `suspend: true`,因为它依赖两类只能在 Gitea 启动后获取的凭据: + +1. **Flux Operator Web 的 OIDC 客户端** +2. **Gitea Actions Runner Token** + +步骤: + +1. 浏览器访问 `https://git.dev.cm`,首个注册账号自动成为 admin。 +2. **创建 OAuth2 应用**: + - Site Administration → Integrations → Applications → Create OAuth2 Application + - Redirect URI: `https://cd.dev.cm/oauth2/callback` + - 记录 Client ID 与 Client Secret。 +3. **生成 Runner Token**: + - Site Administration → Actions → Runners → Create new Runner → 复制 registration token。 +4. 更新 `k3s/.env`: + + ``` + FLUX_WEB_OIDC_CLIENT_ID= + FLUX_WEB_OIDC_CLIENT_SECRET= + GITEA_ACTIONS_TOKEN= + ``` + +5. 重新注入 `flux-env` Secret 并协调: + + ```bash + kubectl -n infra-gitops create secret generic flux-env \ + --from-env-file=k3s/.env \ + --dry-run=client -o yaml | kubectl apply -f - + + flux reconcile kustomization secrets -n infra-gitops + flux resume kustomization infra-gitops-post -n infra-gitops + flux reconcile kustomization infra-gitops-post -n infra-gitops --with-source + ``` + +6. 
验证:
+
+ ```bash
+ kubectl -n infra-gitops get helmrelease gitea-actions
+ kubectl -n infra-gitops get deploy flux-operator -o yaml | grep -A2 args # 看到 --web-*
+ curl -I https://cd.dev.cm # 走 Gitea OIDC
+ ```
+
+## 为何拆出 \*-post 层?
+
+- **`infra-monitor-post` (Promtail)**:Promtail 依赖至少一个带 `devcm-log-collecting/enabled` 标签的 Pod(ingress-nginx);而 `infra-net` 又依赖 `infra-monitor` 的 CRD。Promtail 放到 post 层并 `dependsOn: infra-net`,打破循环。
+- **`infra-gitops-post` (Gitea Actions + Flux Web)**:凭据必须在 Gitea 启动后手工创建;放在 post 层并默认 suspend,避免阻塞 bootstrap。
diff --git a/flux/clusters/base/infra-gitops.yaml b/flux/clusters/base/infra-gitops.yaml
index 52565b1..91ec4c8 100644
--- a/flux/clusters/base/infra-gitops.yaml
+++ b/flux/clusters/base/infra-gitops.yaml
@@ -15,3 +15,27 @@ spec:
 dependsOn:
 - name: infra-data-post
 - name: infra-monitor
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-gitops-post
+ namespace: infra-gitops
+spec:
+ interval: 30m
+ retryInterval: 1m
+ suspend: true
+ sourceRef:
+ kind: GitRepository
+ name: flux
+ path: ./flux/infrastructure/infra-gitops/post
+ prune: true
+ wait: true
+ dependsOn:
+ - name: infra-gitops
+ - name: infra-net
+ postBuild:
+ substituteFrom:
+ - kind: Secret
+ name: flux-env
diff --git a/flux/clusters/base/infra-monitor.yaml b/flux/clusters/base/infra-monitor.yaml
index da3fe66..99384b2 100644
--- a/flux/clusters/base/infra-monitor.yaml
+++ b/flux/clusters/base/infra-monitor.yaml
@@ -15,3 +15,23 @@ spec:
 wait: true
 dependsOn:
 - name: infra-data-post
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-monitor-post
+ namespace: infra-gitops
+spec:
+ interval: 30m
+ retryInterval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: flux
+ path: ./flux/infrastructure/infra-monitor/post
+ prune: true
+ force: true
+ wait: true
+ dependsOn:
+ - name: infra-monitor
+ - name: infra-net
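Review bot: `infra-monitor-post` sets `force: true` while the otherwise identical `infra-gitops-post` stanza in the preceding hunk does not, and neither file says why; `force` makes Flux delete and recreate objects whose immutable fields changed, which looks deliberate for the Promtail workload that layer now owns but deserves a comment such as `force: true  # recreate on immutable-field changes (Promtail workload)`. The `suspend: true` on `infra-gitops-post` is also only explained in the README; an operator reading the cluster file would benefit from `suspend: true  # intentional: needs OIDC/runner credentials created after Gitea is up, see flux/README.md`. Both Kustomizations substitute from the `flux-env` Secret, which (per the README steps) is built from the whole `k3s/.env`, so every key in that file is available to `${VAR}` substitution in these layers even though only two are referenced; worth noting in a comment so future templates do not pick up unrelated secrets by accident.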
diff --git a/flux/clusters/dev-cm/kustomization.yaml b/flux/clusters/dev-cm/kustomization.yaml
index f493dff..d00907c 100644
--- a/flux/clusters/dev-cm/kustomization.yaml
+++ b/flux/clusters/dev-cm/kustomization.yaml
@@ -27,6 +27,10 @@ patches:
 kind: Kustomization
 name: infra-gitops
 path: patches/infra-gitops.yaml
+ - target:
+ kind: Kustomization
+ name: infra-gitops-post
+ path: patches/infra-gitops-post.yaml
 - target:
 kind: Kustomization
 name: apps
diff --git a/flux/clusters/dev-cm/patches/infra-gitops-post.yaml b/flux/clusters/dev-cm/patches/infra-gitops-post.yaml
new file mode 100644
index 0000000..42090d1
--- /dev/null
+++ b/flux/clusters/dev-cm/patches/infra-gitops-post.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-gitops-post
+spec:
+ patches:
+ - target:
+ kind: HelmRelease
+ name: gitea-actions
+ patch: |
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: gitea-actions
+ spec:
+ values:
+ statefulset:
+ nodeSelector:
+ dev-cm-runner/enabled: "true"
diff --git a/flux/clusters/dev-cm/patches/infra-gitops.yaml b/flux/clusters/dev-cm/patches/infra-gitops.yaml
index 71f8b29..ef536f1 100644
--- a/flux/clusters/dev-cm/patches/infra-gitops.yaml
+++ b/flux/clusters/dev-cm/patches/infra-gitops.yaml
@@ -36,16 +36,3 @@ spec:
 operator: In
 values:
 - homea
- - target:
- kind: HelmRelease
- name: gitea-actions
- patch: |
- apiVersion: helm.toolkit.fluxcd.io/v2
- kind: HelmRelease
- metadata:
- name: gitea-actions
- spec:
- values:
- statefulset:
- nodeSelector:
- dev-cm-runner/enabled: "true"
diff --git a/flux/flux-instance.yaml b/flux/flux-instance.yaml
index 2fd945a..77d2775 100644
--- a/flux/flux-instance.yaml
+++ b/flux/flux-instance.yaml
@@ -46,4 +46,4 @@ spec:
 - key: kubernetes.io/hostname
 operator: In
 values:
- - homea
+ - clawjp
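Review bot: The `flux-instance.yaml` hunk changes the node-affinity hostname from `homea` to `clawjp`, which is unrelated to the HelmChartConfig refactor named in the subject and is mentioned nowhere in the commit message or README changes; a separate commit, or at least a line in the message, would keep the history reviewable. The `helmcharts/helmchart-flux.yaml` hunk in this same patch still shows `- homea` as a context value in what appears to be the flux-operator's own affinity block, so it is worth confirming that pinning the operator and the FluxInstance to different nodes is intended. The enclosing `affinity` block of `flux-instance.yaml` starts outside the hunk.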
diff --git a/flux/infrastructure/infra-data/post/databases.yaml b/flux/infrastructure/infra-data/post/databases.yaml
new file mode 100644
index 0000000..299885b
--- /dev/null
+++ b/flux/infrastructure/infra-data/post/databases.yaml
@@ -0,0 +1,43 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+ name: cnpg17-cluster-sh-gitea
+ namespace: infra-data
+spec:
+ name: gitea
+ owner: app
+ cluster:
+ name: cnpg17-cluster-sh
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+ name: cnpg17-cluster-sh-grafana
+ namespace: infra-data
+spec:
+ name: grafana
+ owner: app
+ cluster:
+ name: cnpg17-cluster-sh
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+ name: cnpg17-cluster-hk-halo
+ namespace: infra-data
+spec:
+ name: halo
+ owner: app
+ cluster:
+ name: cnpg17-cluster-hk
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+ name: cnpg17-cluster-hk-crowdsec
+ namespace: infra-data
+spec:
+ name: crowdsec
+ owner: app
+ cluster:
+ name: cnpg17-cluster-hk
diff --git a/flux/infrastructure/infra-data/post/kustomization.yaml b/flux/infrastructure/infra-data/post/kustomization.yaml
index 34d2a97..10ec5ec 100644
--- a/flux/infrastructure/infra-data/post/kustomization.yaml
+++ b/flux/infrastructure/infra-data/post/kustomization.yaml
@@ -4,6 +4,7 @@ resources:
 - cnpg17-objectstore-hw.yaml
 - cnpg17-cluster-hk.yaml
 - cnpg17-cluster-sh.yaml
+ - databases.yaml
 - loadbalancer-hk.yaml
 - loadbalancer-sh.yaml
 - reflector-secret-annotations.yaml
diff --git a/flux/infrastructure/infra-gitops/kustomization.yaml b/flux/infrastructure/infra-gitops/kustomization.yaml
index b2d1d1b..d8a88b0 100644
--- a/flux/infrastructure/infra-gitops/kustomization.yaml
+++ b/flux/infrastructure/infra-gitops/kustomization.yaml
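Review bot: All four `Database` objects in `databases.yaml` use `owner: app`, so one `app` role owns both `gitea` and `grafana` on `cnpg17-cluster-sh` and both `halo` and `crowdsec` on `cnpg17-cluster-hk`; any application holding that role's credential can read and modify the other application's database on the same cluster, which defeats the separation the per-database objects suggest. Consider a dedicated owner role per application (presumably definable through the Cluster's managed roles, with its own credential Secret) so a leaked CrowdSec or Grafana credential stays contained to its own data. The file also has no comments; a header such as `# Per-application databases on the shared CNPG clusters; applied in infra-data-post once the clusters are ready.` would document why they live in the post layer.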
@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - helmrelease-gitea.yaml
- - helmrelease-gitea-actions.yaml
 - configmap-templates.yaml
 - configmap-actions-dind.yaml
 - ingress-static-gitea.yaml
diff --git a/flux/infrastructure/infra-gitops/post/helmchartconfig-flux-web.yaml b/flux/infrastructure/infra-gitops/post/helmchartconfig-flux-web.yaml
new file mode 100644
index 0000000..91f5c82
--- /dev/null
+++ b/flux/infrastructure/infra-gitops/post/helmchartconfig-flux-web.yaml
@@ -0,0 +1,27 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+ name: flux-operator
+ namespace: infra-gitops
+spec:
+ valuesContent: |-
+ web:
+ config:
+ baseURL: https://cd.dev.cm
+ authentication:
+ type: OAuth2
+ oauth2:
+ provider: OIDC
+ issuerURL: https://git.dev.cm
+ clientID: "${FLUX_WEB_OIDC_CLIENT_ID}"
+ clientSecret: "${FLUX_WEB_OIDC_CLIENT_SECRET}"
+ networkPolicy:
+ create: false
+ ingress:
+ enabled: true
+ className: nginx
+ hosts:
+ - host: cd.dev.cm
+ paths:
+ - path: /
+ pathType: Prefix
diff --git a/flux/infrastructure/infra-gitops/helmrelease-gitea-actions.yaml b/flux/infrastructure/infra-gitops/post/helmrelease-gitea-actions.yaml
similarity index 100%
rename from flux/infrastructure/infra-gitops/helmrelease-gitea-actions.yaml
rename to flux/infrastructure/infra-gitops/post/helmrelease-gitea-actions.yaml
diff --git a/flux/infrastructure/infra-gitops/post/kustomization.yaml b/flux/infrastructure/infra-gitops/post/kustomization.yaml
new file mode 100644
index 0000000..5f16696
--- /dev/null
+++ b/flux/infrastructure/infra-gitops/post/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helmrelease-gitea-actions.yaml
+ - helmchartconfig-flux-web.yaml
diff --git a/flux/infrastructure/infra-monitor/kustomization.yaml b/flux/infrastructure/infra-monitor/kustomization.yaml
index 78fca96..9b6b49d 100644
--- a/flux/infrastructure/infra-monitor/kustomization.yaml
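Review bot: After Flux's postBuild substitution, `clientSecret: "${FLUX_WEB_OIDC_CLIENT_SECRET}"` in `helmchartconfig-flux-web.yaml` is stored in clear text inside the HelmChartConfig object's `valuesContent`, which is an ordinary custom resource rather than a Secret, so anyone who can `get` helmchartconfigs.helm.cattle.io in `infra-gitops` (or read the Kustomization's rendered inventory) obtains the OIDC client secret. If the flux-operator chart offers a way to reference an existing Secret for the OAuth2 client secret, prefer that; otherwise restrict read RBAC on that resource and record the exposure in a comment on the `clientSecret` line, e.g. `# substituted in clear text into this object; readable by anyone who can get HelmChartConfig in this namespace`. Substitution also fails the whole Kustomization if either key is missing from `flux-env`, which with `suspend: true` is fine at bootstrap but is worth a one-line comment so a later removal of the keys from `.env` is understood.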
+++ b/flux/infrastructure/infra-monitor/kustomization.yaml
@@ -3,6 +3,5 @@ kind: Kustomization
 resources:
 - namespace.yaml
 - helmrelease-loki.yaml
- - helmrelease-promtail.yaml
 - helmrelease-prometheus.yaml
 - ingress-static-grafana.yaml
diff --git a/flux/infrastructure/infra-monitor/helmrelease-promtail.yaml b/flux/infrastructure/infra-monitor/post/helmrelease-promtail.yaml
similarity index 100%
rename from flux/infrastructure/infra-monitor/helmrelease-promtail.yaml
rename to flux/infrastructure/infra-monitor/post/helmrelease-promtail.yaml
diff --git a/flux/infrastructure/infra-monitor/post/kustomization.yaml b/flux/infrastructure/infra-monitor/post/kustomization.yaml
new file mode 100644
index 0000000..c93f85e
--- /dev/null
+++ b/flux/infrastructure/infra-monitor/post/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helmrelease-promtail.yaml
diff --git a/helmcharts/helmchart-flux.yaml b/helmcharts/helmchart-flux.yaml
index e59d659..1ed8ce7 100644
--- a/helmcharts/helmchart-flux.yaml
+++ b/helmcharts/helmchart-flux.yaml
@@ -19,23 +19,6 @@ spec:
 values:
 - homea
 installCRDs: true
- web:
- config:
- baseURL: https://cd.dev.cm
- authentication:
- type: OAuth2
- oauth2:
- provider: OIDC
- issuerURL: https://git.dev.cm
- clientID: "94b1ec99-55c4-4621-89c3-f49d8b7d5603"
- clientSecret: "gto_5fmpkf6h7zohbpesnxfuvjvppinunayv7mfcyo2wmuzqtuj3ig2a"
- networkPolicy:
- create: false
- ingress:
- enabled: true
- className: nginx
- hosts:
- - host: cd.dev.cm
- paths:
- - path: /
- pathType: Prefix
+ # 注意:flux-operator 的 web 配置(OIDC + Ingress)依赖 Gitea 与 ingress-nginx,
+ # 由 Flux Kustomization `infra-gitops-post` 通过 k3s HelmChartConfig 在 Gitea 起来后叠加注入。
+ # 详见 flux/infrastructure/infra-gitops/post/helmchartconfig-flux-web.yaml
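Review bot: The removed lines in `helmcharts/helmchart-flux.yaml` carried a literal OIDC `clientID` and a `gto_…` `clientSecret`; deleting them from the working tree leaves them in git history and in every existing clone, so that OAuth2 application should be treated as exposed and its secret regenerated in Gitea (the new HelmChartConfig reads the value from the `flux-env` Secret, so rotation needs no further code change), with a history rewrite considered if this repository is shared. The added comment could say so explicitly, e.g. a fourth line `# 历史版本曾内联过该 OAuth2 凭据,已轮换;不要再把凭据写回本文件。` — or its English equivalent — so the next maintainer does not reintroduce inline values. The `spec.values`/affinity block these context lines belong to starts outside the hunk.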