feat(cert-manager): add ConfigMap for runtime values and update HelmRelease to use it

flux/README.md

@@ -19,6 +19,7 @@ flux/
 │   ├── sources/                         # 所有 HelmRepository 定义
 │   ├── kube-system/                     # CoreDNS 自定义 + NodeLocalDNS
 │   ├── infra-devops/                    # cert-manager, webhook-dnspod, reflector, velero
+│   │   └── post/                        # ClusterIssuer + cert-manager ServiceMonitor values
 │   ├── infra-data/                      # CNPG operator, Barman, Valkey
 │   │   ├── post-1/                      # PG Cluster / ObjectStore / databases / LB
 │   │   └── post-2/                      # Reflector secret annotations
@@ -91,5 +92,6 @@ Kustomization 间通过 `dependsOn` + `wait: true` 串行等待，避免顺序
 
 ## 为何拆出 \*-post 层？
 
+- **`infra-devops-post`**：cert-manager 首次安装时不能依赖 `ServiceMonitor` CRD；post 层只在监控栈就绪后下发 `ClusterIssuer` 与可选 values ConfigMap，避免多个 Kustomization 共同管理同一个 HelmRelease。
 - **`infra-monitor-post` (Promtail)**：Promtail 依赖至少一个带 `devcm-log-collecting/enabled` 标签的 Pod（ingress-nginx）；而 `infra-net` 又依赖 `infra-monitor` 的 CRD。Promtail 放到 post 层并 `dependsOn: infra-net`，打破循环。
 - **`infra-gitops-post` (Gitea Actions + Flux Web)**：凭据必须在 Gitea 启动后手工创建；放在 post 层并默认 suspend，避免阻塞 bootstrap。

flux/flux-instance.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: infra-gitops
 spec:
   distribution:
-    version: "2.x"
+    version: "2.8.5"
     registry: "ghcr.io/fluxcd"
     artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests"
   components:

flux/infrastructure/infra-devops/helmrelease-cert-manager.yaml

@@ -6,6 +6,11 @@ metadata:
 spec:
   interval: 30m
   timeout: 15m
+  valuesFrom:
+    - kind: ConfigMap
+      name: cert-manager-runtime-values
+      valuesKey: values.yaml
+      optional: true
   chart:
     spec:
       chart: cert-manager
@@ -19,8 +24,8 @@ spec:
     crds: CreateReplace
   upgrade:
     crds: CreateReplace
-  # 首次install时servicemonitor=false(CRD尚不存在)
+  # 首次 install 时 ServiceMonitor CRD 尚不存在，保持 chart 默认值 false。
-  # infra-monitor层部署后通过SSA patch开启
+  # infra-devops-post 在 CRD 就绪后通过可选 valuesFrom 开启 ServiceMonitor。
   values:
     crds:
       enabled: true
@@ -28,5 +33,3 @@ spec:
     enableCertificateOwnerRef: true
     prometheus:
       enabled: true
-      servicemonitor:
-        enabled: false

flux/infrastructure/infra-devops/post/configmap-cert-manager-runtime-values.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cert-manager-runtime-values
+  namespace: infra-devops
+  labels:
+    reconcile.fluxcd.io/watch: Enabled
+data:
+  values.yaml: |
+    prometheus:
+      servicemonitor:
+        enabled: true
+        interval: 300s
+        prometheusInstance: kube-prometheus

flux/infrastructure/infra-devops/post/helmrelease-cert-manager-patch.yaml

@@ -1,24 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: cert-manager
-  namespace: infra-devops
-  annotations:
-    kustomize.toolkit.fluxcd.io/prune: disabled
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: cert-manager
-      version: v1.19.3
-      sourceRef:
-        kind: HelmRepository
-        name: jetstack
-        namespace: infra-gitops
-      interval: 12h
-  values:
-    prometheus:
-      servicemonitor:
-        enabled: true
-        interval: 300s
-        prometheusInstance: kube-prometheus

flux/infrastructure/infra-devops/post/kustomization.yaml

@@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - clusterissuer-dnspod.yaml
-  - helmrelease-cert-manager-patch.yaml
+  - configmap-cert-manager-runtime-values.yaml