From b51a3d3580e6cb22e1b89bf49dac2eb5b7348f44 Mon Sep 17 00:00:00 2001
From: rohow
Date: Mon, 20 Apr 2026 17:57:32 +0800
Subject: [PATCH] feat(k8s): update valkey-cluster references and add SSA annotations for secrets
---
 .../infra-data-post/reflector-secret-annotations.yaml | 3 +++
 flux/clusters/dev-cm/patches/infra-data.yaml | 5 +++--
 flux/clusters/dev-cm/patches/infra-gitops.yaml | 11 +++++++++++
 .../infra-data/helmrelease-valkey-cluster.yaml | 2 +-
 .../infra-data/post/reflector-secret-annotations.yaml | 6 ++++--
 .../infra-gitops/helmrelease-gitea.yaml | 8 ++++----
 6 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/flux/clusters/dev-cm/infra-data-post/reflector-secret-annotations.yaml b/flux/clusters/dev-cm/infra-data-post/reflector-secret-annotations.yaml
index b1f60b0..21be2ff 100644
--- a/flux/clusters/dev-cm/infra-data-post/reflector-secret-annotations.yaml
+++ b/flux/clusters/dev-cm/infra-data-post/reflector-secret-annotations.yaml
@@ -11,6 +11,7 @@ metadata:
 namespace: infra-data
 annotations:
 kustomize.toolkit.fluxcd.io/prune: disabled
+ kustomize.toolkit.fluxcd.io/ssa: Merge
 reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
 reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net"
 reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
@@ -23,6 +24,7 @@ metadata:
 namespace: infra-data
 annotations:
 kustomize.toolkit.fluxcd.io/prune: disabled
+ kustomize.toolkit.fluxcd.io/ssa: Merge
 reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
 reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor"
 reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
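Review bot: The added `kustomize.toolkit.fluxcd.io/ssa: Merge` annotation has no comment explaining why these Secrets need it, and it changes what Flux will correct on them. As I understand Flux's documented behaviour, fields set on the live object by other field managers are then preserved instead of overridden. For Secrets that Reflector copies into other namespaces, an out-of-band edit that is not declared in Git (for example an extra `reflector.v1.k8s.emberstack.com/*` annotation) would therefore survive reconciliation. I would state the intent next to the annotation, e.g. `# ssa: Merge so Flux only owns these annotations; the Secret data stays with the chart/operator`. The same applies to the third hunk of this file and to the two annotation hunks in flux/infrastructure/infra-data/post/reflector-secret-annotations.yaml; the Secret names sit outside these hunks.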
@@ -35,6 +37,7 @@ metadata:
 namespace: infra-data
 annotations:
 kustomize.toolkit.fluxcd.io/prune: disabled
+ kustomize.toolkit.fluxcd.io/ssa: Merge
 reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
 reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops"
 reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
diff --git a/flux/clusters/dev-cm/patches/infra-data.yaml b/flux/clusters/dev-cm/patches/infra-data.yaml
index b44719e..2b80bb6 100644
--- a/flux/clusters/dev-cm/patches/infra-data.yaml
+++ b/flux/clusters/dev-cm/patches/infra-data.yaml
@@ -52,14 +52,15 @@ spec:
 effect: "NoSchedule"
 - target:
 kind: HelmRelease
- name: valkey-cluster-sh
+ name: valkey-cluster
 patch: |
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
- name: valkey-cluster-sh
+ name: valkey-cluster
 spec:
 values:
+ fullnameOverride: valkey-cluster-sh
 valkey:
 nodeAffinityPreset:
 type: hard
diff --git a/flux/clusters/dev-cm/patches/infra-gitops.yaml b/flux/clusters/dev-cm/patches/infra-gitops.yaml
index 24b7431..88a0f20 100644
--- a/flux/clusters/dev-cm/patches/infra-gitops.yaml
+++ b/flux/clusters/dev-cm/patches/infra-gitops.yaml
@@ -24,6 +24,17 @@ spec:
 secretKeyRef:
 name: cnpg17-cluster-sh-app
 key: password
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: valkey-cluster-sh
+ key: valkey-password
+ - name: GITEA__SESSION__PROVIDER_CONFIG
+ value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
+ - name: GITEA__CACHE__HOST
+ value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
+ - name: GITEA__QUEUE__CONN_STR
+ value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
 affinity:
 podAffinity:
 preferredDuringSchedulingIgnoredDuringExecution:
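Review bot: The `fullnameOverride: valkey-cluster-sh` line added in patches/infra-data.yaml carries no comment saying that it pins the pre-rename object names, which the dev-cm Gitea patch still depends on (the `valkey-cluster-sh` Secret and the `valkey-cluster-sh-headless` host). I would add `# keep pre-rename resource names; dev-cm consumers still reference valkey-cluster-sh` above it. Renaming the HelmRelease may also change the Helm release name unless `spec.releaseName` is set outside this hunk, which would mean an uninstall and reinstall of the chart. If the chart generates `valkey-password`, confirm the credential is not regenerated while running Gitea pods keep the old value in their environment. The patch body continues past the end of the hunk.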
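Review bot: The three connection strings added in patches/infra-gitops.yaml splice `$(REDIS_PASSWORD)` straight into a `redis://` URL, and Kubernetes substitutes the value literally, so a password containing URL-reserved characters such as `@`, `/`, `?` or `#` would be mis-parsed or rejected. Either constrain the generated `valkey-password` to URL-safe characters or expose a percent-encoded copy in the Secret, and record that constraint in a comment above `REDIS_PASSWORD`. The scheme is also plain `redis://` from `infra-gitops` to `infra-data`, so the password and Gitea session data cross the cluster network unencrypted unless a service mesh or CNI-level encryption outside this diff covers it; `rediss://` is the TLS form if the Valkey side can serve it. The same strings appear in the hunk for flux/infrastructure/infra-gitops/helmrelease-gitea.yaml, and the enclosing env list starts before this hunk.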
diff --git a/flux/infrastructure/infra-data/helmrelease-valkey-cluster.yaml b/flux/infrastructure/infra-data/helmrelease-valkey-cluster.yaml
index d0654d5..b2bbcb9 100644
--- a/flux/infrastructure/infra-data/helmrelease-valkey-cluster.yaml
+++ b/flux/infrastructure/infra-data/helmrelease-valkey-cluster.yaml
@@ -1,7 +1,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
- name: valkey-cluster-sh
+ name: valkey-cluster
 namespace: infra-data
 spec:
 interval: 30m
diff --git a/flux/infrastructure/infra-data/post/reflector-secret-annotations.yaml b/flux/infrastructure/infra-data/post/reflector-secret-annotations.yaml
index 3c501eb..2d8c4e0 100644
--- a/flux/infrastructure/infra-data/post/reflector-secret-annotations.yaml
+++ b/flux/infrastructure/infra-data/post/reflector-secret-annotations.yaml
@@ -2,7 +2,7 @@
 # 通过SSA force合并注解到已有secrets 使其自动复制到消费方命名空间
 #
 # cnpg17-cluster-app → apps (halo), infra-net (crowdsec), infra-gitops (gitea), infra-monitor (grafana)
-# valkey-cluster-sh → infra-gitops (gitea)
+# valkey-cluster → infra-gitops (gitea)
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,6 +10,7 @@ metadata:
 namespace: infra-data
 annotations:
 kustomize.toolkit.fluxcd.io/prune: disabled
+ kustomize.toolkit.fluxcd.io/ssa: Merge
 reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
 reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net,infra-gitops,infra-monitor"
 reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
@@ -18,10 +19,11 @@ metadata:
 apiVersion: v1
 kind: Secret
 metadata:
- name: valkey-cluster-sh
+ name: valkey-cluster
 namespace: infra-data
 annotations:
 kustomize.toolkit.fluxcd.io/prune: disabled
+ kustomize.toolkit.fluxcd.io/ssa: Merge
 reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
 reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops"
 reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
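Review bot: In the third hunk of post/reflector-secret-annotations.yaml the annotated Secret is renamed to `valkey-cluster` while `kustomize.toolkit.fluxcd.io/prune: disabled` stays on it, so Flux will not clean up the old `valkey-cluster-sh` object or its Reflector annotations wherever that Secret still exists. In that case its mirrored copy in `infra-gitops` would presumably remain under the old name, so check for and remove stale reflected credentials after rollout. As far as the hunk shows, the document carries only metadata; if no chart-owned Secret named `valkey-cluster` exists when this is applied, Flux would presumably create an empty one, so confirm the ordering against the HelmRelease. The header comment still says the annotations are merged via "SSA force" although the annotation added is `ssa: Merge`; I would update the comment to match.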
diff --git a/flux/infrastructure/infra-gitops/helmrelease-gitea.yaml b/flux/infrastructure/infra-gitops/helmrelease-gitea.yaml
index 2863831..bf510a5 100644
--- a/flux/infrastructure/infra-gitops/helmrelease-gitea.yaml
+++ b/flux/infrastructure/infra-gitops/helmrelease-gitea.yaml
@@ -89,14 +89,14 @@ spec:
 - name: REDIS_PASSWORD
 valueFrom:
 secretKeyRef:
- name: valkey-cluster-sh
+ name: valkey-cluster
 key: valkey-password
 - name: GITEA__SESSION__PROVIDER_CONFIG
- value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
+ value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
 - name: GITEA__CACHE__HOST
- value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
+ value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
 - name: GITEA__QUEUE__CONN_STR
- value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
+ value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
 valkey-cluster:
 enabled: false
 extraVolumes: