From abe8eb43558f09da6566f62ff819e3c8c857dc2b Mon Sep 17 00:00:00 2001 From: rohow Date: Wed, 22 Apr 2026 18:50:08 +0800 Subject: [PATCH] feat(infra-gitops): add suspend logic for infra-gitops-post based on environment variables --- .env.sample | 4 ++++ flux/README.md | 7 ++++++- flux/clusters/base/infra-gitops.yaml | 5 +++++ .../helmrelease-cert-manager-webhook-dnspod.yaml | 11 +++++++++++ 4 files changed, 26 insertions(+), 1 deletion(-) diff --git a/.env.sample b/.env.sample index a6e0ad4..114babc 100644 --- a/.env.sample +++ b/.env.sample @@ -6,6 +6,10 @@ S3_ACCESS_SECRET_KEY=placeholder DNSPOD_SECRET_ID=placeholder DNSPOD_SECRET_KEY=placeholder +# Infra GitOps Post 阶段开关(参见 flux/README.md) +# 如果开启 需要完善 GITEA_ACTIONS_TOKEN / FLUX_WEB_OIDC_CLIENT_ID / FLUX_WEB_OIDC_CLIENT_SECRET 三个变量 +INFRA_GITOPS_POST_SUSPEND=true + # Gitea Actions Runner Token(Gitea 启动后在 admin → Runners 生成) GITEA_ACTIONS_TOKEN=placeholder diff --git a/flux/README.md b/flux/README.md index b943c95..ce891e1 100644 --- a/flux/README.md +++ b/flux/README.md @@ -48,11 +48,14 @@ Kustomization 间通过 `dependsOn` + `wait: true` 串行等待,避免顺序 ## 部署后手工步骤(infra-gitops-post) -`infra-gitops-post` 默认 `suspend: true`,因为它依赖两类只能在 Gitea 启动后获取的凭据: +`infra-gitops-post` 通过父级 Kustomization 的 `spec.suspend: ${INFRA_GITOPS_POST_SUSPEND:=true}` +默认暂停,因为它依赖两类只能在 Gitea 启动后获取的凭据: 1. **Flux Operator Web 的 OIDC 客户端** 2. **Gitea Actions Runner Token** +`flux-env` Secret 中设置 `INFRA_GITOPS_POST_SUSPEND=true|false`,从而决定 post 层是否自动放行。 + 步骤: 1. 浏览器访问 `https://git.dev.cm`,首个注册账号自动成为 admin。 @@ -68,6 +71,8 @@ Kustomization 间通过 `dependsOn` + `wait: true` 串行等待,避免顺序 FLUX_WEB_OIDC_CLIENT_ID= FLUX_WEB_OIDC_CLIENT_SECRET= GITEA_ACTIONS_TOKEN= + + INFRA_GITOPS_POST_SUSPEND=false ``` 5. 重新注入 `flux-env` Secret 并协调: diff --git a/flux/clusters/base/infra-gitops.yaml b/flux/clusters/base/infra-gitops.yaml index 039e16e..f79dd25 100644 --- a/flux/clusters/base/infra-gitops.yaml +++ b/flux/clusters/base/infra-gitops.yaml 
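Review bot: The new comment `# 如果开启 需要完善 ...` above `INFRA_GITOPS_POST_SUSPEND=true` is ambiguous, because the variable is a *suspend* switch: "开启" can be read as enabling the post stage (`=false`) or as enabling suspension (`=true`), and the README hunk in this patch tells the operator to flip it to `false` by hand after filling in the three credentials. Nothing in the patch checks that precondition, so an operator who sets `false` while `GITEA_ACTIONS_TOKEN` / `FLUX_WEB_OIDC_CLIENT_ID` / `FLUX_WEB_OIDC_CLIENT_SECRET` are still `placeholder` releases the post layer with placeholder credentials in the `flux-env` Secret. The infra-gitops.yaml hunk of the same patch says a build script derives this value from those three variables, which contradicts a hand-edited `.env` value; the comment should say which mechanism is authoritative. I would reword it to `# Set to false only once GITEA_ACTIONS_TOKEN / FLUX_WEB_OIDC_CLIENT_ID / FLUX_WEB_OIDC_CLIENT_SECRET hold real values (not placeholder); false releases infra-gitops-post, true keeps it suspended`.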
@@ -24,6 +24,11 @@ metadata:
 name: infra-gitops-post
 namespace: infra-gitops
 spec:
+ # drone/envsubst 不支持多变量逻辑或,因此聚合判断放在 .env → flux-env Secret 这一步:
+ # 构建脚本会在 GITEA_ACTIONS_TOKEN / FLUX_WEB_OIDC_CLIENT_ID / FLUX_WEB_OIDC_CLIENT_SECRET
+ # 任一为空时写入 INFRA_GITOPS_POST_SUSPEND=true,三者全部就绪时写入 false。
+ # 未设置该变量时(例如旧的 Secret 还没刷新),保守地保持暂停。
+ suspend: ${INFRA_GITOPS_POST_SUSPEND:=true}
 interval: 30m
 timeout: 15m
 retryInterval: 1m
diff --git a/flux/infrastructure/infra-devops/helmrelease-cert-manager-webhook-dnspod.yaml b/flux/infrastructure/infra-devops/helmrelease-cert-manager-webhook-dnspod.yaml
index 788f22c..756f9b7 100644
--- a/flux/infrastructure/infra-devops/helmrelease-cert-manager-webhook-dnspod.yaml
+++ b/flux/infrastructure/infra-devops/helmrelease-cert-manager-webhook-dnspod.yaml
@@ -18,6 +18,17 @@ spec:
 name: imroc
 namespace: infra-gitops
 interval: 12h
+ # 启用漂移检测,集群中资源被误删时 Flux 会自动重建
+ driftDetection:
+ mode: enabled
+ # 升级失败或资源被删除时,允许卸载后重装以恢复
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ remediation:
+ retries: 3
+ remediateLastFailure: true
 values:
 image:
 tag: "1.5.2"
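Review bot: The comment block above `suspend: ${INFRA_GITOPS_POST_SUSPEND:=true}` describes a build script that writes `true`/`false` depending on the three credentials, but the diffstat of this patch touches no script, and both the `.env.sample` and README hunks instruct the operator to set the value by hand; whichever mechanism is real, the comment should match it, otherwise a future reader trusts a guard that may not exist. The `:=true` fail-safe default is the right choice, but `suspend` is a boolean field and post-build substitution injects the Secret's bytes verbatim, so to my reading any value other than the bare literal `true` or `false` (quoted, capitalized, or carrying a trailing newline from a `--from-file` Secret) makes the parent Kustomization fail to apply instead of falling back to suspended — worth stating, e.g. `# value must be the bare literal true/false; anything else fails reconciliation rather than defaulting to suspended`. The enclosing Kustomization object starts and ends outside the hunk.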
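Review bot: The comment `# 启用漂移检测,集群中资源被误删时 Flux 会自动重建` understates what `driftDetection.mode: enabled` does: as I read the helm-controller API, it corrects any in-cluster divergence from the rendered chart for the release's resources, not only deletions, so a manual edit to the webhook Deployment (an emergency scale-down, a hand-patched image, a field owned by another controller) is reverted on the next reconcile, and any field that is legitimately mutated out-of-band needs a `driftDetection.ignore` entry or the release can loop. The second comment `# 升级失败或资源被删除时,允许卸载后重装以恢复` also does not match the new spec: `install.remediation` uninstalls on a failed install, but `upgrade.remediation` defaults to a rollback, not an uninstall/reinstall, unless `strategy: uninstall` is set. I would replace the two comments with `# driftDetection: revert any out-of-band change to the release's resources (not just deletions)` and `# install failure -> uninstall and retry; upgrade failure -> roll back to the last successful release (up to 3 times)`.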