feat(infra-gitops): add custom template volume mounts for Gitea HelmRelease

fix(infra-gitops): update Gitea image tag to 1.26.2 and remove unused custom template volumes/configurations
fix(infra-gitops): downgrade Gitea image tag to 1.25.5 in HelmRelease configuration
2026-05-28 16:29:39 +08:00 · 2026-05-28 15:44:05 +08:00 · 2026-05-28 15:22:38 +08:00 · 2026-05-28 15:15:50 +08:00 · 2026-05-25 18:09:38 +08:00 · 2026-05-22 16:53:15 +08:00
@@ -6,9 +6,15 @@ S3_ACCESS_SECRET_KEY=placeholder
 DNSPOD_SECRET_ID=placeholder
 DNSPOD_SECRET_KEY=placeholder
-# Gitea Actions Runner Token（Gitea 启动后在 admin → Runners 生成）
+# Gitea Actions Runner Token（Gitea 启动后在 admin → Runners 生成，参见 flux/README.md “部署后手工步骤”）
 GITEA_ACTIONS_TOKEN=placeholder
 # Flux Operator Web OIDC 凭据（Gitea 启动后创建 OAuth2 应用获取，Redirect URI: https://cd.dev.cm/oauth2/callback）
 FLUX_WEB_OIDC_CLIENT_ID=placeholder
 FLUX_WEB_OIDC_CLIENT_SECRET=placeholder
 # Infra Net 凭据
 NET_MAXMIND_LICENSE_KEY=placeholder
 NET_CROWDSEC_BOUNCER_API_KEY=placeholder
 NET_TURNSTILE_SITE_KEY=placeholder
 NET_TURNSTILE_SECRET_KEY=placeholder
@@ -7,14 +7,3 @@
 #### 应用相关
 参见 [flux/README.md](flux/README.md)
 `
 ssh-keygen -t ed25519 -C "flux" -f ./flux-git-auth -N ""
 ssh-keyscan github.com > ./known_hosts
 kubectl -n infra-gitops create secret generic flux-git-auth \
 --from-file=identity=./flux-git-auth \
 --from-file=identity.pub=./flux-git-auth.pub \
 --from-file=known_hosts=./known_hosts
 `
@@ -5,30 +5,64 @@
 ```
 flux/
 ├── clusters/
-│   └── dev-cm/                          # 集群级别编排
+│   ├── base/                            # 基础集群编排，仅部署 infrastructure
-│       ├── kustomization.yaml           # 资源列表
+│   │   ├── kustomization.yaml           # infrastructure 资源列表
-│       ├── sources.yaml                 # HelmRepository 源
+│   │   ├── sources.yaml                 # infrastructure HelmRepository 源
-│       ├── kube-system.yaml             # CoreDNS / NodeLocalDNS
+│   │   ├── kube-system.yaml             # CoreDNS / NodeLocalDNS
-│       ├── infra-devops.yaml            # cert-manager / reflector / velero
+│   │   ├── infra-devops.yaml            # cert-manager / reflector / velero
-│       ├── infra-data.yaml              # CNPG / Valkey
+│   │   ├── infra-data.yaml              # CNPG / Valkey
-│       ├── infra-monitor.yaml           # Loki / Prometheus (+ post: Promtail)
+│   │   ├── infra-monitor.yaml           # Loki / Prometheus (+ post: Promtail)
-│       ├── infra-net.yaml               # Nginx / CrowdSec / Tailscale
+│   │   ├── infra-net.yaml               # Nginx / CrowdSec / Tailscale
-│       ├── infra-gitops.yaml            # Gitea (+ post: Gitea Actions / Flux Web)
+│   │   └── infra-gitops.yaml            # Gitea (+ post: Gitea Actions / Flux Web)
-│       └── apps.yaml                    # Halo / RustDesk / Fillcode / SinceAI
+│   └── dev-cm/                          # dev-cm 集群 overlay，额外部署 apps
 │       ├── kustomization.yaml           # 引入 base，并追加 apps / app 依赖层
 │       ├── apps-sources.yaml            # app HelmRepository 源
 │       ├── apps-secrets.yaml            # apps namespace 与 app 专属 Secret
 │       ├── apps.yaml                    # Halo / RustDesk / Fillcode / SinceAI
 │       └── apps-post.yaml               # CDN Ingress（依赖 apps）
 ├── infrastructure/
 │   ├── sources/                         # 所有 HelmRepository 定义
 │   ├── kube-system/                     # CoreDNS 自定义 + NodeLocalDNS
 │   ├── infra-devops/                    # cert-manager, webhook-dnspod, reflector, velero
 │   │   └── post/                        # ClusterIssuer + cert-manager ServiceMonitor values
 │   ├── infra-data/                      # CNPG operator, Barman, Valkey
 │   │   ├── post-1/                      # PG Cluster / ObjectStore / databases / LB
 │   │   └── post-2/                      # Reflector secret annotations
 │   ├── infra-net/                       # ingress-nginx, CrowdSec, Tailscale DERP, 证书
 │   │   └── post/                        # CDN Ingress（依赖 apps，打破循环）
 │   ├── infra-monitor/                   # Loki, Prometheus+Grafana
 │   │   └── post/                        # Promtail（依赖 infra-net，打破循环）
 │   └── infra-gitops/                    # Gitea
 │       └── post/                        # Gitea Actions + flux-operator Web（OIDC/Ingress）
-└── apps/                                # Halo, RustDesk, Whoami, 证书, Ingress
+└── apps/
    ├── sources/                         # app HelmRepository 定义
    ├── secrets/                         # apps namespace 与 app 专属 Secret
    ├── post/                            # CDN Ingress（依赖 apps，且引用部分 infra 服务）
    ├── helmrelease-halo.yaml            # Halo
    ├── helmrelease-rustdesk.yaml        # RustDesk
    └── ...                              # app 证书与 Ingress
 ```
 ## 前置准备
 需要提前生成git访问凭证
 ```shell
 ssh-keygen -t ed25519 -C "flux" -f ./flux-git-auth -N ""
 ssh-keyscan github.com > ./known_hosts
 kubectl -n infra-gitops create secret generic flux-git-auth \
 --from-file=identity=./flux-git-auth \
 --from-file=identity.pub=./flux-git-auth.pub \
 --from-file=known_hosts=./known_hosts
 ```
 然后将 `flux-git-auth.pub` 文件内容添加到远端仓库中
 应用flux实例 后续将自动开启部署流程
 ```shell
 kubectl apply -f flux/flux-instance.yaml
 ```
 ## 部署顺序
@@ -38,20 +72,31 @@ sources → secrets → kube-system → infra-devops → infra-data → infra-da
       → infra-monitor → infra-net → infra-devops-post
       → infra-monitor-post (Promtail)
       → infra-gitops
-       → apps
+       → apps-sources → apps-secrets → apps
-       → infra-net-post (CDN Ingress)
+       → apps-post (CDN Ingress)
       → infra-gitops-post (suspend=true，需手工凭据)
 ```
-Kustomization 间通过 `dependsOn` + `wait: true` 串行等待，避免顺序错乱。
+`clusters/base` 只包含到 `infra-gitops-post` 为止的 infrastructure 部署；`apps-sources`、`apps-secrets`、`apps`、`apps-post` 只在 `clusters/dev-cm` 中声明。Kustomization 间通过 `dependsOn` + `wait: true` 串行等待，避免顺序错乱。
 ## 部署后手工步骤（infra-gitops-post）
-`infra-gitops-post` 默认 `suspend: true`，因为它依赖两类只能在 Gitea 启动后获取的凭据：
+`infra-gitops-post` 在 base 层硬编码 `spec.suspend: true` 默认暂停，因为它依赖两类只能在 Gitea 启动后获取的凭据：
 1. **Flux Operator Web 的 OIDC 客户端**
 2. **Gitea Actions Runner Token**
 凭据就绪、`flux-env` Secret 重新注入后，可以先用 `flux resume kustomization infra-gitops-post -n infra-gitops` 手工放行。
 注意：**手工 `resume` 只会修改集群里的 live 对象，不会改 Git 中的期望状态。** 由于 base 层仍然声明了 `spec.suspend: true`，当上层 `Kustomization` 重新协调（如 30 分钟周期、Git 变更、手工 reconcile）时，它会再次把 `infra-gitops-post` 改回暂停。
 如果希望恢复后保持开启，需要把 Git 中的期望状态也改掉，例如在环境 overlay（如 `clusters/dev-cm/infra-gitops-post.yaml`）中覆盖：
 ```yaml
 spec:
  suspend: false
 ```
 步骤：
 1. 浏览器访问 `https://git.dev.cm`，首个注册账号自动成为 admin。
@@ -61,7 +106,7 @@ Kustomization 间通过 `dependsOn` + `wait: true` 串行等待，避免顺序
   - 记录 Client ID 与 Client Secret。
 3. **生成 Runner Token**：
   - Site Administration → Actions → Runners → Create new Runner → 复制 registration token。
-4. 更新 `k3s/.env`：
+4. 更新 `.env`：
   ```
   FLUX_WEB_OIDC_CLIENT_ID=<step 2 client id>
@@ -73,7 +118,7 @@ Kustomization 间通过 `dependsOn` + `wait: true` 串行等待，避免顺序
   ```bash
   kubectl -n infra-gitops create secret generic flux-env \
-     --from-env-file=k3s/.env \
+     --from-env-file=.env \
     --dry-run=client -o yaml | kubectl apply -f -
   flux reconcile kustomization secrets -n infra-gitops
@@ -91,5 +136,7 @@ Kustomization 间通过 `dependsOn` + `wait: true` 串行等待，避免顺序
 ## 为何拆出 \*-post 层？
 - **`infra-devops-post`**：cert-manager 首次安装时不能依赖 `ServiceMonitor` CRD；post 层只在监控栈就绪后下发 `ClusterIssuer` 与可选 values ConfigMap，避免多个 Kustomization 共同管理同一个 HelmRelease。
 - **`infra-monitor-post` (Promtail)**：Promtail 依赖至少一个带 `devcm-log-collecting/enabled` 标签的 Pod（ingress-nginx）；而 `infra-net` 又依赖 `infra-monitor` 的 CRD。Promtail 放到 post 层并 `dependsOn: infra-net`，打破循环。
 - **`apps-post` (CDN Ingress)**：CDN Ingress 会引用 `apps`、`infra-gitops`、`infra-monitor` 中的服务，因此不属于 base；只在 `dev-cm` 中声明，并依赖对应服务层。
 - **`infra-gitops-post` (Gitea Actions + Flux Web)**：凭据必须在 Gitea 启动后手工创建；放在 post 层并默认 suspend，避免阻塞 bootstrap。
@@ -18,14 +18,14 @@ spec:
  values:
    image:
      repository: halohub/halo-pro
-      tag: 2.24.0
+      tag: 2.24.2
    service:
      type: ClusterIP
    ingress:
      enabled: true
      ingressClassName: nginx
      annotations:
-        nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+        nginx.ingress.kubernetes.io/proxy-body-size: "100m"
        nginx.ingress.kubernetes.io/configuration-snippet: |
          proxy_set_header Accept-Encoding "";
          subs_filter_types text/html;
@@ -4,8 +4,8 @@ metadata:
  name: halo-static
  namespace: apps
  annotations:
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_cache cache;
      proxy_cache_valid 200 302 7d;
@@ -17,9 +17,6 @@ metadata:
      add_header X-Cache-Status $upstream_cache_status;
 spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - dev.cm
  rules:
    - host: dev.cm
      http:
@@ -31,3 +28,6 @@ spec:
                name: halo
                port:
                  number: 80
  tls:
    - hosts:
        - dev.cm
@@ -4,7 +4,6 @@ metadata:
  name: sinceai-shop
  namespace: apps
  annotations:
    # 302 跳转到https://sinceai.taobao.com/
    nginx.ingress.kubernetes.io/configuration-snippet: |
      rewrite ^/(.*)$ https://sinceai.taobao.com/$1? permanent;
 spec:
@@ -1,7 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - certificate-fillcode-com.yaml
  - certificate-sinceai-com.yaml
  - helmrelease-halo.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespaces.yaml
@@ -0,0 +1,21 @@
 # whoami
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: cowboysysop
  namespace: infra-gitops
 spec:
  interval: 168h
  timeout: 5m
  url: https://cowboysysop.github.io/charts/
 ---
 # halo
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: halo
  namespace: infra-gitops
 spec:
  interval: 168h
  timeout: 5m
  url: https://halo-sigs.github.io/charts/
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - helm-repositories.yaml
@@ -24,6 +24,9 @@ metadata:
  name: infra-gitops-post
  namespace: infra-gitops
 spec:
  # 默认暂停：post 层依赖 Gitea 启动后才能获取的 OIDC / Runner Token 凭据。
  # 凭据就绪并写入 flux-env Secret 后，使用 `flux resume kustomization infra-gitops-post -n infra-gitops` 放行。
  suspend: true
  interval: 30m
  timeout: 15m
  retryInterval: 1m
@@ -18,22 +18,3 @@ spec:
    - name: infra-devops
    - name: infra-devops-post
    - name: infra-monitor
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: infra-net-post
  namespace: infra-gitops
 spec:
  interval: 30m
  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
    name: flux
  path: ./flux/infrastructure/infra-net/post
  prune: true
  wait: true
  dependsOn:
    - name: apps
@@ -9,4 +9,3 @@ resources:
  - infra-net.yaml
  - infra-monitor.yaml
  - infra-gitops.yaml
  - apps.yaml
@@ -1,7 +1,7 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: apps
+  name: apps-post
  namespace: infra-gitops
 spec:
  interval: 30m
@@ -10,9 +10,11 @@ spec:
  sourceRef:
    kind: GitRepository
    name: flux
-  path: ./flux/apps
+  path: ./flux/apps/post
  prune: true
  wait: true
  dependsOn:
    - name: infra-data-post-2
    - name: infra-net
    - name: infra-gitops
    - name: infra-monitor
    - name: apps
@@ -0,0 +1,21 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: apps-secrets
  namespace: infra-gitops
 spec:
  interval: 30m
  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
    name: flux
  path: ./flux/apps/secrets
  prune: false
  wait: true
  dependsOn:
    - name: apps-sources
  postBuild:
    substituteFrom:
      - kind: Secret
        name: flux-env
@@ -0,0 +1,17 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: apps-sources
  namespace: infra-gitops
 spec:
  interval: 30m
  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
    name: flux
  path: ./flux/apps/sources
  prune: true
  wait: true
  dependsOn:
    - name: sources
@@ -2,7 +2,21 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: apps
  namespace: infra-gitops
 spec:
  interval: 30m
  timeout: 15m
  retryInterval: 1m
  sourceRef:
    kind: GitRepository
    name: flux
  path: ./flux/apps
  prune: true
  dependsOn:
    - name: apps-sources
    - name: apps-secrets
    - name: infra-data-post-2
    - name: infra-net
  patches:
    - target:
        kind: HelmRelease
@@ -23,7 +23,7 @@ spec:
      isWALArchiver: true
      parameters:
        barmanObjectName: cnpg17-objectstore-hw
-        serverName: cnpg17-cluster-hk-a
+        serverName: cnpg17-cluster-hk
 ---
 apiVersion: postgresql.cnpg.io/v1
@@ -23,7 +23,7 @@ spec:
      isWALArchiver: true
      parameters:
        barmanObjectName: cnpg17-objectstore-hw
-        serverName: cnpg17-cluster-sh-a
+        serverName: cnpg17-cluster-sh
 ---
 apiVersion: postgresql.cnpg.io/v1
@@ -0,0 +1,20 @@
 apiVersion: barmancloud.cnpg.io/v1
 kind: ObjectStore
 metadata:
  name: cnpg17-objectstore-hw
  namespace: infra-data
 spec:
  retentionPolicy: "7d"
  configuration:
    destinationPath: s3://devcm/cnpg/
    endpointURL: https://obs.cn-east-3.myhuaweicloud.com
    s3Credentials:
      accessKeyId:
        name: s3-devcm-hw
        key: ACCESS_KEY_ID
      secretAccessKey:
        name: s3-devcm-hw
        key: ACCESS_SECRET_KEY
    wal:
      compression: gzip
      maxParallel: 8
@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../../infrastructure/infra-data/post-1/cnpg17-objectstore-hw.yaml
+  - cnpg17-objectstore-hw.yaml
  - cnpg17-cluster-hk.yaml
  - cnpg17-cluster-sh.yaml
  - databases.yaml
@@ -3,7 +3,7 @@ kind: Kustomization
 metadata:
  name: infra-data-post-1
 spec:
-  path: ./flux/clusters/dev-cm/infra-data-post-1
+  path: ./flux/clusters/dev-cm/infra-data/post-1
  patches:
    - target:
        kind: Cluster
@@ -3,4 +3,4 @@ kind: Kustomization
 metadata:
  name: infra-data-post-2
 spec:
-  path: ./flux/clusters/dev-cm/infra-data-post-2
+  path: ./flux/clusters/dev-cm/infra-data/post-2
@@ -20,9 +20,9 @@ metadata:
    kustomize.toolkit.fluxcd.io/prune: disabled
    kustomize.toolkit.fluxcd.io/ssa: Merge
    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor"
+    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-gitops,infra-monitor"
    reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
-    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops,infra-monitor"
+    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-gitops,infra-monitor"
 ---
 apiVersion: v1
 kind: Secret
@@ -33,6 +33,6 @@ metadata:
    kustomize.toolkit.fluxcd.io/prune: disabled
    kustomize.toolkit.fluxcd.io/ssa: Merge
    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops"
+    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-gitops"
    reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
-    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops"
+    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-gitops"
@@ -3,6 +3,7 @@ kind: Kustomization
 metadata:
  name: infra-gitops-post
 spec:
  suspend: false
  patches:
    - target:
        kind: HelmRelease
@@ -26,7 +26,6 @@ spec:
                nameservers:
                  - "169.254.20.10"
                  - "10.43.0.10"
              maxmindLicenseKey: "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"
            defaultBackend:
              affinity:
                nodeAffinity:
@@ -2,15 +2,19 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ../base
  - apps-sources.yaml
  - apps-secrets.yaml
  - apps.yaml
  - apps-post.yaml
 patches:
  - target:
      kind: Kustomization
      name: kube-system
-    path: patches/kube-system.yaml
+    path: kube-system.yaml
  - target:
      kind: Kustomization
      name: infra-devops
-    path: patches/infra-devops.yaml
+    path: infra-devops.yaml
  - target:
      kind: Kustomization
      name: infra-data
@@ -18,32 +22,28 @@ patches:
  - target:
      kind: Kustomization
      name: infra-data-post-1
-    path: infra-data-post-1/patch.yaml
+    path: infra-data/post-1/patch.yaml
  - target:
      kind: Kustomization
      name: infra-data-post-2
-    path: infra-data-post-2/patch.yaml
+    path: infra-data/post-2/patch.yaml
  - target:
      kind: Kustomization
      name: infra-net
-    path: patches/infra-net.yaml
+    path: infra-net.yaml
  - target:
      kind: Kustomization
      name: infra-monitor
-    path: patches/infra-monitor.yaml
+    path: infra-monitor.yaml
  - target:
      kind: Kustomization
      name: infra-monitor-post
-    path: patches/infra-monitor-post.yaml
+    path: infra-monitor-post.yaml
  - target:
      kind: Kustomization
      name: infra-gitops
-    path: patches/infra-gitops.yaml
+    path: infra-gitops.yaml
  - target:
      kind: Kustomization
      name: infra-gitops-post
-    path: patches/infra-gitops-post.yaml
+    path: infra-gitops-post.yaml
  - target:
      kind: Kustomization
      name: apps
    path: patches/apps.yaml
@@ -5,7 +5,7 @@ metadata:
  namespace: infra-gitops
 spec:
  distribution:
-    version: "2.x"
+    version: "2.8.5"
    registry: "ghcr.io/fluxcd"
    artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests"
  components:
@@ -31,8 +31,26 @@ spec:
    name: flux
  kustomize:
    patches:
      # source-controller 需要良好的国际网络环境，优先调度到网络较好的节点上
      - target:
          kind: Deployment
          name: (source-controller)
        patch: |
          - op: add
            path: /spec/template/spec/affinity
            value:
              nodeAffinity:
                preferredDuringSchedulingIgnoredDuringExecution:
                  - weight: 100
                    preference:
                      matchExpressions:
                        - key: kubernetes.io/hostname
                          operator: In
                          values:
                            - clawjp
      - target:
          kind: Deployment
          name: (helm-controller|kustomize-controller|notification-controller)
        patch: |
          - op: add
            path: /spec/template/spec/affinity
@@ -7,9 +7,9 @@ metadata:
    kustomize.toolkit.fluxcd.io/prune: disabled
    kustomize.toolkit.fluxcd.io/ssa: Merge
    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net,infra-gitops,infra-monitor"
+    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-net,infra-gitops,infra-monitor"
    reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
-    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-net,infra-gitops,infra-monitor"
+    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-net,infra-gitops,infra-monitor"
 ---
 apiVersion: v1
 kind: Secret
@@ -18,6 +18,17 @@ spec:
        name: imroc
        namespace: infra-gitops
      interval: 12h
  # 启用漂移检测,集群中资源被误删时 Flux 会自动重建
  driftDetection:
    mode: enabled
  # 升级失败或资源被删除时,允许卸载后重装以恢复
  install:
    remediation:
      retries: 3
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
  values:
    image:
      tag: "1.5.2"
@@ -6,6 +6,11 @@ metadata:
 spec:
  interval: 30m
  timeout: 15m
  valuesFrom:
    - kind: ConfigMap
      name: cert-manager-runtime-values
      valuesKey: values.yaml
      optional: true
  chart:
    spec:
      chart: cert-manager
@@ -19,8 +24,8 @@ spec:
    crds: CreateReplace
  upgrade:
    crds: CreateReplace
-  # 首次install时servicemonitor=false(CRD尚不存在)
+  # 首次 install 时 ServiceMonitor CRD 尚不存在，保持 chart 默认值 false。
-  # infra-monitor层部署后通过SSA patch开启
+  # infra-devops-post 在 CRD 就绪后通过可选 valuesFrom 开启 ServiceMonitor。
  values:
    crds:
      enabled: true
@@ -28,5 +33,3 @@ spec:
    enableCertificateOwnerRef: true
    prometheus:
      enabled: true
      servicemonitor:
        enabled: false
@@ -0,0 +1,14 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: cert-manager-runtime-values
  namespace: infra-devops
  labels:
    reconcile.fluxcd.io/watch: Enabled
 data:
  values.yaml: |
    prometheus:
      servicemonitor:
        enabled: true
        interval: 300s
        prometheusInstance: kube-prometheus
@@ -1,24 +0,0 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: cert-manager
  namespace: infra-devops
  annotations:
    kustomize.toolkit.fluxcd.io/prune: disabled
 spec:
  interval: 30m
  chart:
    spec:
      chart: cert-manager
      version: v1.19.3
      sourceRef:
        kind: HelmRepository
        name: jetstack
        namespace: infra-gitops
      interval: 12h
  values:
    prometheus:
      servicemonitor:
        enabled: true
        interval: 300s
        prometheusInstance: kube-prometheus
@@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - clusterissuer-dnspod.yaml
-  - helmrelease-cert-manager-patch.yaml
+  - configmap-cert-manager-runtime-values.yaml
@@ -9,7 +9,7 @@ spec:
  chart:
    spec:
      chart: gitea
-      version: 12.5.0
+      version: 12.6.0
      sourceRef:
        kind: HelmRepository
        name: gitea
@@ -21,7 +21,7 @@ spec:
    postgresql-ha:
      enabled: false
    image:
-      tag: 1.25.5
+      tag: 1.26.2
    ingress:
      enabled: true
      className: nginx
@@ -15,6 +15,10 @@ spec:
        name: ingress-nginx
        namespace: infra-gitops
      interval: 12h
  valuesFrom:
    - kind: Secret
      name: infra-net-env
      valuesKey: ingress-nginx-values.yaml
  values:
    fullnameOverride: ingress-nginx
    controller:
@@ -125,8 +129,6 @@ spec:
        # crowdsec插件配置
        plugins: "crowdsec"
        lua-shared-dicts: "crowdsec_cache: 50m"
      # 启用geoip2模块
      maxmindLicenseKey: ""
      extraArgs:
        default-ssl-certificate: "infra-net/dev-cm-crt"
      # crowdsec插件配置
@@ -140,7 +142,10 @@ spec:
            - name: API_URL
              value: "http://crowdsec-service.infra-net.svc.cluster.local:8080"
            - name: API_KEY
-              value: "ImxBThnyiNm224V5DHYPY63KPAcyJ+WF0rm18Gr4M80"
+              valueFrom:
                secretKeyRef:
                  name: infra-net-env
                  key: NET_CROWDSEC_BOUNCER_API_KEY
            - name: BOUNCER_CONFIG
              value: "/crowdsec/crowdsec-bouncer.conf"
            - name: MODE
@@ -154,9 +159,15 @@ spec:
            - name: CAPTCHA_PROVIDER
              value: "turnstile"
            - name: SITE_KEY
-              value: "0x4AAAAAAAxJ2RPNWzn2LCc-"
+              valueFrom:
                secretKeyRef:
                  name: infra-net-env
                  key: NET_TURNSTILE_SITE_KEY
            - name: SECRET_KEY
-              value: "0x4AAAAAAAxJ2dwFOaNg5ae3c6wYTmWH0bU"
+              valueFrom:
                secretKeyRef:
                  name: infra-net-env
                  key: NET_TURNSTILE_SECRET_KEY
            - name: CAPTCHA_TEMPLATE_PATH
              value: /etc/nginx/static/captcha.html
          command: ['/bin/sh', '-c']
@@ -0,0 +1,16 @@
 # Infra Net 凭据
 # 变量来源: flux-env Secret (通过postBuild.substituteFrom注入)
 apiVersion: v1
 kind: Secret
 metadata:
  name: infra-net-env
  namespace: infra-net
 type: Opaque
 stringData:
  NET_MAXMIND_LICENSE_KEY: "${NET_MAXMIND_LICENSE_KEY}"
  NET_CROWDSEC_BOUNCER_API_KEY: "${NET_CROWDSEC_BOUNCER_API_KEY}"
  NET_TURNSTILE_SITE_KEY: "${NET_TURNSTILE_SITE_KEY}"
  NET_TURNSTILE_SECRET_KEY: "${NET_TURNSTILE_SECRET_KEY}"
  ingress-nginx-values.yaml: |
    controller:
      maxmindLicenseKey: "${NET_MAXMIND_LICENSE_KEY}"
@@ -5,3 +5,4 @@ resources:
  - s3-devcm-hw.yaml
  - dnspod-secret.yaml
  - gitea-actions.yaml
  - infra-net.yaml
@@ -14,3 +14,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: infra-gitops
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: infra-net
@@ -6,6 +6,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 168h
  timeout: 5m
  url: https://charts.jetstack.io
 ---
 # cert-manager-webhook-dnspod (OCI)
@@ -16,6 +17,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 168h
  timeout: 5m
  url: https://imroc.github.io/cert-manager-webhook-dnspod
 ---
 # reflector
@@ -26,6 +28,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 168h
  timeout: 5m
  url: https://emberstack.github.io/helm-charts
 ---
 # velero
@@ -36,6 +39,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 168h
  timeout: 5m
  url: https://vmware-tanzu.github.io/helm-charts
 ---
 # cloudnative-pg, plugin-barman-cloud
@@ -46,6 +50,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 168h
  timeout: 5m
  url: https://cloudnative-pg.github.io/charts
 ---
 # valkey-cluster (OCI)
@@ -56,6 +61,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 168h
  timeout: 5m
  type: oci
  url: oci://docker.m.daocloud.io/bitnamicharts
 ---
@@ -67,6 +73,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 168h
  timeout: 5m
  url: https://kubernetes.github.io/ingress-nginx
 ---
 # crowdsec
@@ -77,6 +84,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 168h
  timeout: 5m
  url: https://crowdsecurity.github.io/helm-charts
 ---
 # tailscale-derp, rustdesk-server
@@ -87,6 +95,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 168h
  timeout: 5m
  url: https://devcm-repo.github.io/helm-charts
 ---
 # loki, promtail
@@ -97,6 +106,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 168h
  timeout: 5m
  url: https://grafana.github.io/helm-charts
 ---
 # kube-prometheus-stack
@@ -107,6 +117,7 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 168h
  timeout: 5m
  url: https://prometheus-community.github.io/helm-charts
 ---
 # gitea, gitea-actions
@@ -117,24 +128,6 @@ metadata:
  namespace: infra-gitops
 spec:
  interval: 168h
  timeout: 5m
  url: https://dl.gitea.com/charts
 ---
 # whoami
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: cowboysysop
  namespace: infra-gitops
 spec:
  interval: 168h
  url: https://cowboysysop.github.io/charts/
 ---
 # halo
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: halo
  namespace: infra-gitops
 spec:
  interval: 168h
  url: https://halo-sigs.github.io/charts/
@@ -6,7 +6,7 @@ metadata:
 spec:
  chart: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator
  targetNamespace: infra-gitops
-  version: 0.46.0
+  version: 0.48.0
  valuesContent: |-
    affinity:
      nodeAffinity: