feat(helmchart): optimize HelmChartConfig

2026-04-17 14:39:38 +08:00
@@ -6,5 +6,9 @@ S3_ACCESS_SECRET_KEY=placeholder
 DNSPOD_SECRET_ID=placeholder
 DNSPOD_SECRET_KEY=placeholder
-# Gitea Actions Runner Token
+# Gitea Actions Runner Token（Gitea 启动后在 admin → Runners 生成）
 GITEA_ACTIONS_TOKEN=placeholder
 # Flux Operator Web OIDC 凭据（Gitea 启动后创建 OAuth2 应用获取，Redirect URI: https://cd.dev.cm/oauth2/callback）
 FLUX_WEB_OIDC_CLIENT_ID=placeholder
 FLUX_WEB_OIDC_CLIENT_SECRET=placeholder
@@ -11,9 +11,9 @@ flux/
 │       ├── kube-system.yaml             # CoreDNS / NodeLocalDNS
 │       ├── infra-devops.yaml            # cert-manager / reflector / velero
 │       ├── infra-data.yaml              # CNPG / Valkey
-│       ├── infra-monitor.yaml           # Loki / Prometheus
+│       ├── infra-monitor.yaml           # Loki / Prometheus (+ post: Promtail)
 │       ├── infra-net.yaml               # Nginx / CrowdSec / Tailscale
-│       ├── infra-gitops.yaml            # Gitea
+│       ├── infra-gitops.yaml            # Gitea (+ post: Gitea Actions / Flux Web)
 │       └── apps.yaml                    # Halo / RustDesk / Fillcode / SinceAI
 ├── infrastructure/
 │   ├── sources/                         # 所有 HelmRepository 定义
@@ -21,7 +21,71 @@ flux/
 │   ├── infra-devops/                    # cert-manager, webhook-dnspod, reflector, velero
 │   ├── infra-data/                      # CNPG operator, Barman, PG集群, Valkey
 │   ├── infra-net/                       # ingress-nginx, CrowdSec, Tailscale DERP, 证书
-│   ├── infra-monitor/                   # Loki, Promtail, Prometheus+Grafana
+│   ├── infra-monitor/                   # Loki, Prometheus+Grafana
-│   └── infra-gitops/                    # Gitea, Gitea Actions
+│   │   └── post/                        # Promtail（依赖 infra-net，打破循环）
 │   └── infra-gitops/                    # Gitea
 │       └── post/                        # Gitea Actions + flux-operator Web（OIDC/Ingress）
 └── apps/                                # Halo, RustDesk, Whoami, 证书, Ingress
 ```
 ## 部署顺序
 ```
 sources → secrets → kube-system → infra-devops → infra-data → infra-data-post
       → infra-monitor → infra-net → infra-devops-post
       → infra-monitor-post (Promtail)
       → infra-gitops
       → apps
       → infra-gitops-post (suspend=true，需手工凭据)
 ```
 Kustomization 间通过 `dependsOn` + `wait: true` 串行等待，避免顺序错乱。
 ## 部署后手工步骤（infra-gitops-post）
 `infra-gitops-post` 默认 `suspend: true`，因为它依赖两类只能在 Gitea 启动后获取的凭据：
 1. **Flux Operator Web 的 OIDC 客户端**
 2. **Gitea Actions Runner Token**
 步骤：
 1. 浏览器访问 `https://git.dev.cm`，首个注册账号自动成为 admin。
 2. **创建 OAuth2 应用**：
   - Site Administration → Integrations → Applications → Create OAuth2 Application
   - Redirect URI: `https://cd.dev.cm/oauth2/callback`
   - 记录 Client ID 与 Client Secret。
 3. **生成 Runner Token**：
   - Site Administration → Actions → Runners → Create new Runner → 复制 registration token。
 4. 更新 `k3s/.env`：
   ```
   FLUX_WEB_OIDC_CLIENT_ID=<step 2 client id>
   FLUX_WEB_OIDC_CLIENT_SECRET=<step 2 client secret>
   GITEA_ACTIONS_TOKEN=<step 3 token>
   ```
 5. 重新注入 `flux-env` Secret 并协调：
   ```bash
   kubectl -n infra-gitops create secret generic flux-env \
     --from-env-file=k3s/.env \
     --dry-run=client -o yaml | kubectl apply -f -
   flux reconcile kustomization secrets -n infra-gitops
   flux resume kustomization infra-gitops-post -n infra-gitops
   flux reconcile kustomization infra-gitops-post -n infra-gitops --with-source
   ```
 6. 验证：
   ```bash
   kubectl -n infra-gitops get helmrelease gitea-actions
   kubectl -n infra-gitops get deploy flux-operator -o yaml | grep -A2 args   # 看到 --web-*
   curl -I https://cd.dev.cm                                                    # 走 Gitea OIDC
   ```
 ## 为何拆出 \*-post 层？
 - **`infra-monitor-post` (Promtail)**：Promtail 依赖至少一个带 `devcm-log-collecting/enabled` 标签的 Pod（ingress-nginx）；而 `infra-net` 又依赖 `infra-monitor` 的 CRD。Promtail 放到 post 层并 `dependsOn: infra-net`，打破循环。
 - **`infra-gitops-post` (Gitea Actions + Flux Web)**：凭据必须在 Gitea 启动后手工创建；放在 post 层并默认 suspend，避免阻塞 bootstrap。
@@ -15,3 +15,27 @@ spec:
  dependsOn:
    - name: infra-data-post
    - name: infra-monitor
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: infra-gitops-post
  namespace: infra-gitops
 spec:
  interval: 30m
  retryInterval: 1m
  suspend: true
  sourceRef:
    kind: GitRepository
    name: flux
  path: ./flux/infrastructure/infra-gitops/post
  prune: true
  wait: true
  dependsOn:
    - name: infra-gitops
    - name: infra-net
  postBuild:
    substituteFrom:
      - kind: Secret
        name: flux-env
@@ -15,3 +15,23 @@ spec:
  wait: true
  dependsOn:
    - name: infra-data-post
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: infra-monitor-post
  namespace: infra-gitops
 spec:
  interval: 30m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
    name: flux
  path: ./flux/infrastructure/infra-monitor/post
  prune: true
  force: true
  wait: true
  dependsOn:
    - name: infra-monitor
    - name: infra-net
@@ -27,6 +27,10 @@ patches:
      kind: Kustomization
      name: infra-gitops
    path: patches/infra-gitops.yaml
  - target:
      kind: Kustomization
      name: infra-gitops-post
    path: patches/infra-gitops-post.yaml
  - target:
      kind: Kustomization
      name: apps
@@ -0,0 +1,19 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: infra-gitops-post
 spec:
  patches:
    - target:
        kind: HelmRelease
        name: gitea-actions
      patch: |
        apiVersion: helm.toolkit.fluxcd.io/v2
        kind: HelmRelease
        metadata:
          name: gitea-actions
        spec:
          values:
            statefulset:
              nodeSelector:
                dev-cm-runner/enabled: "true"
@@ -36,16 +36,3 @@ spec:
                          operator: In
                          values:
                            - homea
    - target:
        kind: HelmRelease
        name: gitea-actions
      patch: |
        apiVersion: helm.toolkit.fluxcd.io/v2
        kind: HelmRelease
        metadata:
          name: gitea-actions
        spec:
          values:
            statefulset:
              nodeSelector:
                dev-cm-runner/enabled: "true"
@@ -46,4 +46,4 @@ spec:
                        - key: kubernetes.io/hostname
                          operator: In
                          values:
-                            - homea
+                            - clawjp
@@ -0,0 +1,43 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Database
 metadata:
  name: cnpg17-cluster-sh-gitea
  namespace: infra-data
 spec:
  name: gitea
  owner: app
  cluster:
    name: cnpg17-cluster-sh
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: Database
 metadata:
  name: cnpg17-cluster-sh-grafana
  namespace: infra-data
 spec:
  name: grafana
  owner: app
  cluster:
    name: cnpg17-cluster-sh
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: Database
 metadata:
  name: cnpg17-cluster-hk-halo
  namespace: infra-data
 spec:
  name: halo
  owner: app
  cluster:
    name: cnpg17-cluster-hk
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: Database
 metadata:
  name: cnpg17-cluster-hk-crowdsec
  namespace: infra-data
 spec:
  name: crowdsec
  owner: app
  cluster:
    name: cnpg17-cluster-hk
@@ -4,6 +4,7 @@ resources:
  - cnpg17-objectstore-hw.yaml
  - cnpg17-cluster-hk.yaml
  - cnpg17-cluster-sh.yaml
  - databases.yaml
  - loadbalancer-hk.yaml
  - loadbalancer-sh.yaml
  - reflector-secret-annotations.yaml
@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - helmrelease-gitea.yaml
  - helmrelease-gitea-actions.yaml
  - configmap-templates.yaml
  - configmap-actions-dind.yaml
  - ingress-static-gitea.yaml
@@ -0,0 +1,27 @@
 apiVersion: helm.cattle.io/v1
 kind: HelmChartConfig
 metadata:
  name: flux-operator
  namespace: infra-gitops
 spec:
  valuesContent: |-
    web:
      config:
        baseURL: https://cd.dev.cm
        authentication:
          type: OAuth2
          oauth2:
            provider: OIDC
            issuerURL: https://git.dev.cm
            clientID: "${FLUX_WEB_OIDC_CLIENT_ID}"
            clientSecret: "${FLUX_WEB_OIDC_CLIENT_SECRET}"
      networkPolicy:
        create: false
      ingress:
        enabled: true
        className: nginx
        hosts:
          - host: cd.dev.cm
            paths:
              - path: /
                pathType: Prefix
@@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - helmrelease-gitea-actions.yaml
  - helmchartconfig-flux-web.yaml
@@ -3,6 +3,5 @@ kind: Kustomization
 resources:
  - namespace.yaml
  - helmrelease-loki.yaml
  - helmrelease-promtail.yaml
  - helmrelease-prometheus.yaml
  - ingress-static-grafana.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - helmrelease-promtail.yaml
@@ -19,23 +19,6 @@ spec:
                  values:
                    - homea  
    installCRDs: true
-    web:
+    # 注意：flux-operator 的 web 配置（OIDC + Ingress）依赖 Gitea 与 ingress-nginx，
-      config:
+    # 由 Flux Kustomization `infra-gitops-post` 通过 k3s HelmChartConfig 在 Gitea 起来后叠加注入。
-        baseURL: https://cd.dev.cm
+    # 详见 flux/infrastructure/infra-gitops/post/helmchartconfig-flux-web.yaml
        authentication:
          type: OAuth2
          oauth2:
            provider: OIDC
            issuerURL: https://git.dev.cm
            clientID: "94b1ec99-55c4-4621-89c3-f49d8b7d5603"
            clientSecret: "gto_5fmpkf6h7zohbpesnxfuvjvppinunayv7mfcyo2wmuzqtuj3ig2a"
      networkPolicy:
        create: false
      ingress:
        enabled: true
        className: nginx
        hosts:
          - host: cd.dev.cm
            paths:
              - path: /
                pathType: Prefix