feat(helmchart): optimize HelmChartConfig

这个提交包含在:
rohow
2026-04-17 14:39:38 +08:00
未验证
父节点 89f4a8b491
当前提交 a9cb2eb48a
修改 18 个文件,包含 224 行新增41 行删除
+68 -4
@@ -11,9 +11,9 @@ flux/
│ ├── kube-system.yaml # CoreDNS / NodeLocalDNS
│ ├── infra-devops.yaml # cert-manager / reflector / velero
│ ├── infra-data.yaml # CNPG / Valkey
│ ├── infra-monitor.yaml # Loki / Prometheus
│ ├── infra-monitor.yaml # Loki / Prometheus (+ post: Promtail)
│ ├── infra-net.yaml # Nginx / CrowdSec / Tailscale
│ ├── infra-gitops.yaml # Gitea
│ ├── infra-gitops.yaml # Gitea (+ post: Gitea Actions / Flux Web)
│ └── apps.yaml # Halo / RustDesk / Fillcode / SinceAI
├── infrastructure/
│ ├── sources/ # 所有 HelmRepository 定义
@@ -21,7 +21,71 @@ flux/
│ ├── infra-devops/ # cert-manager, webhook-dnspod, reflector, velero
│ ├── infra-data/ # CNPG operator, Barman, PG集群, Valkey
│ ├── infra-net/ # ingress-nginx, CrowdSec, Tailscale DERP, 证书
│ ├── infra-monitor/ # Loki, Promtail, Prometheus+Grafana
│ └── infra-gitops/ # Gitea, Gitea Actions
│ ├── infra-monitor/ # Loki, Prometheus+Grafana
│ └── post/ # Promtail(依赖 infra-net,打破循环)
│ └── infra-gitops/ # Gitea
│ └── post/ # Gitea Actions + flux-operator WebOIDC/Ingress
└── apps/ # Halo, RustDesk, Whoami, 证书, Ingress
```
## 部署顺序
```
sources → secrets → kube-system → infra-devops → infra-data → infra-data-post
→ infra-monitor → infra-net → infra-devops-post
→ infra-monitor-post (Promtail)
→ infra-gitops
→ apps
→ infra-gitops-post (suspend=true,需手工凭据)
```
Kustomization 间通过 `dependsOn` + `wait: true` 串行等待,避免顺序错乱。
## 部署后手工步骤(infra-gitops-post
`infra-gitops-post` 默认 `suspend: true`,因为它依赖两类只能在 Gitea 启动后获取的凭据:
1. **Flux Operator Web 的 OIDC 客户端**
2. **Gitea Actions Runner Token**
步骤:
1. 浏览器访问 `https://git.dev.cm`,首个注册账号自动成为 admin。
2. **创建 OAuth2 应用**
- Site Administration → Integrations → Applications → Create OAuth2 Application
- Redirect URI: `https://cd.dev.cm/oauth2/callback`
- 记录 Client ID 与 Client Secret。
3. **生成 Runner Token**
- Site Administration → Actions → Runners → Create new Runner → 复制 registration token。
4. 更新 `k3s/.env`
```
FLUX_WEB_OIDC_CLIENT_ID=<step 2 client id>
FLUX_WEB_OIDC_CLIENT_SECRET=<step 2 client secret>
GITEA_ACTIONS_TOKEN=<step 3 token>
```
5. 重新注入 `flux-env` Secret 并协调:
```bash
kubectl -n infra-gitops create secret generic flux-env \
--from-env-file=k3s/.env \
--dry-run=client -o yaml | kubectl apply -f -
flux reconcile kustomization secrets -n infra-gitops
flux resume kustomization infra-gitops-post -n infra-gitops
flux reconcile kustomization infra-gitops-post -n infra-gitops --with-source
```
6. 验证:
```bash
kubectl -n infra-gitops get helmrelease gitea-actions
kubectl -n infra-gitops get deploy flux-operator -o yaml | grep -A2 args # 看到 --web-*
curl -I https://cd.dev.cm # 走 Gitea OIDC
```
## 为何拆出 \*-post 层?
- **`infra-monitor-post` (Promtail)**Promtail 依赖至少一个带 `devcm-log-collecting/enabled` 标签的 Podingress-nginx);而 `infra-net` 又依赖 `infra-monitor` 的 CRD。Promtail 放到 post 层并 `dependsOn: infra-net`,打破循环。
- **`infra-gitops-post` (Gitea Actions + Flux Web)**:凭据必须在 Gitea 启动后手工创建;放在 post 层并默认 suspend,避免阻塞 bootstrap。
+24
@@ -15,3 +15,27 @@ spec:
dependsOn:
- name: infra-data-post
- name: infra-monitor
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-gitops-post
namespace: infra-gitops
spec:
interval: 30m
retryInterval: 1m
suspend: true
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-gitops/post
prune: true
wait: true
dependsOn:
- name: infra-gitops
- name: infra-net
postBuild:
substituteFrom:
- kind: Secret
name: flux-env
+20
@@ -15,3 +15,23 @@ spec:
wait: true
dependsOn:
- name: infra-data-post
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-monitor-post
namespace: infra-gitops
spec:
interval: 30m
retryInterval: 1m
sourceRef:
kind: GitRepository
name: flux
path: ./flux/infrastructure/infra-monitor/post
prune: true
force: true
wait: true
dependsOn:
- name: infra-monitor
- name: infra-net
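Review bot: `force: true` on the new `infra-monitor-post` Kustomization is set without explanation, while the sibling `infra-gitops-post` added in this same commit does not set it. With `force` Flux deletes and recreates any object it cannot patch in place (immutable-field conflicts), which for a log collector such as Promtail means a short window with no collection pod; if that is intended, a comment such as `# force: Promtail DaemonSet selector is immutable; recreate on change` above the field would record why, otherwise drop it for consistency with the other post-layer Kustomization.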
+4
@@ -27,6 +27,10 @@ patches:
kind: Kustomization
name: infra-gitops
path: patches/infra-gitops.yaml
- target:
kind: Kustomization
name: infra-gitops-post
path: patches/infra-gitops-post.yaml
- target:
kind: Kustomization
name: apps
@@ -0,0 +1,19 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infra-gitops-post
spec:
patches:
- target:
kind: HelmRelease
name: gitea-actions
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gitea-actions
spec:
values:
statefulset:
nodeSelector:
dev-cm-runner/enabled: "true"
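Review bot: The `nodeSelector` only decides where the gitea-actions StatefulSet lands; it does nothing to keep other workloads off the `dev-cm-runner/enabled` node. If that node is meant to be the isolation boundary for CI jobs (the `configmap-actions-dind.yaml` resource in the same tree suggests a DinD runner, which usually needs a privileged container), pair the label with a taint on the node and add a matching `tolerations:` entry under `statefulset:` in this patch so only the runner schedules there. A one-line comment above the patch stating that intent would also explain why it was split out of `patches/infra-gitops.yaml` into its own file.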
@@ -36,16 +36,3 @@ spec:
operator: In
values:
- homea
- target:
kind: HelmRelease
name: gitea-actions
patch: |
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gitea-actions
spec:
values:
statefulset:
nodeSelector:
dev-cm-runner/enabled: "true"
+1 -1
@@ -46,4 +46,4 @@ spec:
- key: kubernetes.io/hostname
operator: In
values:
- homea
- clawjp
@@ -0,0 +1,43 @@
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-sh-gitea
namespace: infra-data
spec:
name: gitea
owner: app
cluster:
name: cnpg17-cluster-sh
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-sh-grafana
namespace: infra-data
spec:
name: grafana
owner: app
cluster:
name: cnpg17-cluster-sh
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-hk-halo
namespace: infra-data
spec:
name: halo
owner: app
cluster:
name: cnpg17-cluster-hk
---
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
name: cnpg17-cluster-hk-crowdsec
namespace: infra-data
spec:
name: crowdsec
owner: app
cluster:
name: cnpg17-cluster-hk
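Review bot: All four `Database` objects use `owner: app`, so a single PostgreSQL role (and a single credential) owns gitea and grafana on `cnpg17-cluster-sh` and halo and crowdsec on `cnpg17-cluster-hk`; whoever obtains one application's DB credential (for example from the Gitea config) can read and write every other application's database on that cluster. Prefer one owner per application, e.g. `owner: gitea`, backed by a dedicated role and credential Secret (CNPG's managed roles can create it declaratively), and wire each app to its own role. If the installed CNPG version exposes `databaseReclaimPolicy`, it is also worth setting it to `retain` explicitly here so that pruning this file from Git cannot drop the databases.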
@@ -4,6 +4,7 @@ resources:
- cnpg17-objectstore-hw.yaml
- cnpg17-cluster-hk.yaml
- cnpg17-cluster-sh.yaml
- databases.yaml
- loadbalancer-hk.yaml
- loadbalancer-sh.yaml
- reflector-secret-annotations.yaml
@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helmrelease-gitea.yaml
- helmrelease-gitea-actions.yaml
- configmap-templates.yaml
- configmap-actions-dind.yaml
- ingress-static-gitea.yaml
@@ -0,0 +1,27 @@
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: flux-operator
namespace: infra-gitops
spec:
valuesContent: |-
web:
config:
baseURL: https://cd.dev.cm
authentication:
type: OAuth2
oauth2:
provider: OIDC
issuerURL: https://git.dev.cm
clientID: "${FLUX_WEB_OIDC_CLIENT_ID}"
clientSecret: "${FLUX_WEB_OIDC_CLIENT_SECRET}"
networkPolicy:
create: false
ingress:
enabled: true
className: nginx
hosts:
- host: cd.dev.cm
paths:
- path: /
pathType: Prefix
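Review bot: The OAuth2 client secret is substituted straight into `valuesContent`, so after Flux's postBuild step it sits in clear text in this HelmChartConfig object, which is an ordinary CR rather than a Secret; anyone with read access to helmchartconfigs in `infra-gitops` gets the credential for cd.dev.cm. If the flux-operator chart accepts a reference to an existing Secret for the web OAuth2 client, use that and keep `FLUX_WEB_OIDC_CLIENT_SECRET` out of the substituted values; otherwise RBAC on this CR needs to be as tight as on a Secret. The ingress has no `tls:` section, so unless a default certificate and a forced HTTPS redirect are configured on the nginx controller elsewhere, cd.dev.cm is also served over plain HTTP and the OAuth2 callback plus session cookie can cross the wire unencrypted — add a `tls:` entry for `cd.dev.cm` pointing at its certificate Secret. `networkPolicy.create: false` disables the chart's policy with no note on what replaces it; a comment such as `# NetworkPolicy handled outside the chart` (or the actual reason) would document the intent.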
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helmrelease-gitea-actions.yaml
- helmchartconfig-flux-web.yaml
@@ -3,6 +3,5 @@ kind: Kustomization
resources:
- namespace.yaml
- helmrelease-loki.yaml
- helmrelease-promtail.yaml
- helmrelease-prometheus.yaml
- ingress-static-grafana.yaml
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helmrelease-promtail.yaml