fix(infra-gitops): update Gitea image tag to 1.26.2 and remove unused custom template volumes/configurations

fix: add missing spec.interval to cert-manager SSA patch HelmRelease

.env.sample

@@ -6,5 +6,15 @@ S3_ACCESS_SECRET_KEY=placeholder
 DNSPOD_SECRET_ID=placeholder
 DNSPOD_SECRET_KEY=placeholder
 
-# Gitea Actions Runner Token
+# Gitea Actions Runner Token（Gitea 启动后在 admin → Runners 生成，参见 flux/README.md “部署后手工步骤”）
 GITEA_ACTIONS_TOKEN=placeholder
+
+# Flux Operator Web OIDC 凭据（Gitea 启动后创建 OAuth2 应用获取，Redirect URI: https://cd.dev.cm/oauth2/callback）
+FLUX_WEB_OIDC_CLIENT_ID=placeholder
+FLUX_WEB_OIDC_CLIENT_SECRET=placeholder
+
+# Infra Net 凭据
+NET_MAXMIND_LICENSE_KEY=placeholder
+NET_CROWDSEC_BOUNCER_API_KEY=placeholder
+NET_TURNSTILE_SITE_KEY=placeholder
+NET_TURNSTILE_SECRET_KEY=placeholder

.gitignore

@@ -4,6 +4,9 @@ logs
 
 # Secrets
 .env
+flux-git-auth
+flux-git-auth.pub
+known_hosts
 
 # Editor directories and files
 .vscode/*

README.md

@@ -4,6 +4,6 @@
 
 参见 [ansible/README.md](ansible/README.md)
 
-#### apps 相关应用
+#### 应用相关
 
-参见 [apps/README.md](apps/README.md)
+参见 [flux/README.md](flux/README.md)

ansible/inventory/group_vars/all.yml

@@ -13,6 +13,7 @@ ha_server_url: "{{ lookup('env', 'HA_SERVER_URL') | default('', true) }}"
 # K3s Server URL (优先使用 HA_SERVER_URL，否则动态使用 init 节点地址)
 k3s_server_url: "{{ ha_server_url if (ha_server_url | length > 0) else '' }}"
 k3s_version: "v1.34.2+k3s1"
+tailscale_version: "1.96.4"
 
 # ETCD 配置
 etcd_snapshot_retention: 1
@@ -44,4 +45,3 @@ registry_mirrors:
     - "k8s.m.daocloud.io"
   quay.io:
     - "quay.m.daocloud.io"
-

ansible/playbooks/site.yml

@@ -167,3 +167,37 @@
           {{ nodes.stdout }}
           ══════════════════════════════════════════════════════════════
       when: cluster_init | default(false)
+
+# ============================================
+# K3s 卸载 (需显式指定: --tags uninstall)
+# ============================================
+- name: Uninstall K3s agents
+  hosts: agents
+  gather_facts: false
+  tags: [uninstall, never]
+  tasks:
+    - name: Check agent uninstall script
+      ansible.builtin.stat:
+        path: /usr/local/bin/k3s-agent-uninstall.sh
+      register: agent_uninstall_script
+
+    - name: Run k3s-agent-uninstall.sh
+      ansible.builtin.command: /usr/local/bin/k3s-agent-uninstall.sh
+      when: agent_uninstall_script.stat.exists
+      changed_when: true
+
+- name: Uninstall K3s masters
+  hosts: masters
+  gather_facts: false
+  serial: 1
+  tags: [uninstall, never]
+  tasks:
+    - name: Check server uninstall script
+      ansible.builtin.stat:
+        path: /usr/local/bin/k3s-uninstall.sh
+      register: server_uninstall_script
+
+    - name: Run k3s-uninstall.sh
+      ansible.builtin.command: /usr/local/bin/k3s-uninstall.sh
+      when: server_uninstall_script.stat.exists
+      changed_when: true

ansible/roles/common/tasks/main.yml

@@ -37,6 +37,20 @@
   failed_when: false
   changed_when: false
 
+- name: Check current Tailscale version
+  ansible.builtin.shell: tailscale version | head -1
+  register: common_tailscale_version
+  failed_when: false
+  changed_when: false
+  when: common_tailscale_check.rc == 0
+
+- name: Set Tailscale install flag
+  ansible.builtin.set_fact:
+    tailscale_needs_install: "{{
+      common_tailscale_check.rc != 0 or
+      (common_tailscale_version.stdout | default('') is not search(tailscale_version))
+    }}"
+
 - name: Download Tailscale install script
   ansible.builtin.get_url:
     url: https://tailscale.com/install.sh
@@ -44,11 +58,20 @@
     mode: "0755"
   when: common_tailscale_check.rc != 0
 
-- name: Install Tailscale
+- name: Install Tailscale via install script
   ansible.builtin.command: /tmp/tailscale-install.sh
   when: common_tailscale_check.rc != 0
   changed_when: true
 
+- name: Install specific Tailscale version
+  ansible.builtin.apt:
+    name:
+      - "tailscale={{ tailscale_version }}"
+      - "tailscaled={{ tailscale_version }}"
+    state: present
+    allow_downgrade: true
+  when: tailscale_needs_install
+
 - name: Remove Tailscale install script
   ansible.builtin.file:
     path: /tmp/tailscale-install.sh

ansible/roles/k3s/tasks/main.yml

@@ -110,7 +110,7 @@
 - name: Wait for K3s server ready
   ansible.builtin.wait_for:
     path: /var/lib/rancher/k3s/server/node-token
-    timeout: 120
+    timeout: 300
   when: "'masters' in group_names"
 
 # 保存 kubeconfig (仅 cluster-init)

flux/README.md

@@ -1,230 +1,142 @@
-# Flux GitOps 迁移指南
+# Flux GitOps
-
-补充一份面向本地演练和远端平滑切换的执行清单，见 [TEST_MIGRATION_PLAN.md](TEST_MIGRATION_PLAN.md)。
 
 ## 目录结构
 
 ```
 flux/
 ├── clusters/
-│   └── dev-cm/                          # 集群级别编排
+│   ├── base/                            # 基础集群编排，仅部署 infrastructure
-│       ├── kustomization.yaml           # 资源列表
+│   │   ├── kustomization.yaml           # infrastructure 资源列表
-│       ├── sources.yaml                 # HelmRepository 源
+│   │   ├── sources.yaml                 # infrastructure HelmRepository 源
-│       ├── kube-system.yaml             # CoreDNS / NodeLocalDNS
+│   │   ├── kube-system.yaml             # CoreDNS / NodeLocalDNS
-│       ├── infra-devops.yaml            # cert-manager / reflector / velero
+│   │   ├── infra-devops.yaml            # cert-manager / reflector / velero
-│       ├── infra-data.yaml              # CNPG / Valkey
+│   │   ├── infra-data.yaml              # CNPG / Valkey
-│       ├── infra-monitor.yaml           # Loki / Prometheus
+│   │   ├── infra-monitor.yaml           # Loki / Prometheus (+ post: Promtail)
-│       ├── infra-net.yaml               # Nginx / CrowdSec / Tailscale
+│   │   ├── infra-net.yaml               # Nginx / CrowdSec / Tailscale
-│       ├── infra-gitops.yaml            # Gitea
+│   │   └── infra-gitops.yaml            # Gitea (+ post: Gitea Actions / Flux Web)
-│       └── apps.yaml                    # Halo / RustDesk / Fillcode / SinceAI
+│   └── dev-cm/                          # dev-cm 集群 overlay，额外部署 apps
+│       ├── kustomization.yaml           # 引入 base，并追加 apps / app 依赖层
+│       ├── apps-sources.yaml            # app HelmRepository 源
+│       ├── apps-secrets.yaml            # apps namespace 与 app 专属 Secret
+│       ├── apps.yaml                    # Halo / RustDesk / Fillcode / SinceAI
+│       └── apps-post.yaml               # CDN Ingress（依赖 apps）
 ├── infrastructure/
 │   ├── sources/                         # 所有 HelmRepository 定义
 │   ├── kube-system/                     # CoreDNS 自定义 + NodeLocalDNS
 │   ├── infra-devops/                    # cert-manager, webhook-dnspod, reflector, velero
-│   ├── infra-data/                      # CNPG operator, Barman, PG集群, Valkey
+│   │   └── post/                        # ClusterIssuer + cert-manager ServiceMonitor values
+│   ├── infra-data/                      # CNPG operator, Barman, Valkey
+│   │   ├── post-1/                      # PG Cluster / ObjectStore / databases / LB
+│   │   └── post-2/                      # Reflector secret annotations
 │   ├── infra-net/                       # ingress-nginx, CrowdSec, Tailscale DERP, 证书
-│   ├── infra-monitor/                   # Loki, Promtail, Prometheus+Grafana
+│   ├── infra-monitor/                   # Loki, Prometheus+Grafana
-│   └── infra-gitops/                    # Gitea, Gitea Actions
+│   │   └── post/                        # Promtail（依赖 infra-net，打破循环）
-└── apps/                                # Halo, RustDesk, Whoami, 证书, Ingress
+│   └── infra-gitops/                    # Gitea
+│       └── post/                        # Gitea Actions + flux-operator Web（OIDC/Ingress）
+└── apps/
+    ├── sources/                         # app HelmRepository 定义
+    ├── secrets/                         # apps namespace 与 app 专属 Secret
+    ├── post/                            # CDN Ingress（依赖 apps，且引用部分 infra 服务）
+    ├── helmrelease-halo.yaml            # Halo
+    ├── helmrelease-rustdesk.yaml        # RustDesk
+    └── ...                              # app 证书与 Ingress
 ```
 
-## 依赖顺序
+## 前置准备
 
-```
+需要提前生成git访问凭证
-sources (HelmRepository)
-    │
-    ├── kube-system (无依赖)
-    │
-    └── infra-devops (cert-manager → webhook-dnspod → ClusterIssuer, reflector, velero)
-            │
-            ├── infra-data (CNPG operator → Barman plugin → PG集群 + ObjectStore, Valkey)
-            │       │
-            │       ├── infra-monitor (Loki → Promtail, Prometheus+Grafana→PG)
-            │       │       │
-            │       │       ├── infra-net (Nginx, 证书, CrowdSec→Loki+PG, Tailscale)
-            │       │       │
-            │       │       └── infra-gitops (Gitea→PG+Valkey, Gitea Actions→Gitea)
-            │       │
-            │       └───────┴── apps (Halo→PG, RustDesk, Whoami, 证书, Ingress)
-```
 
-## K3s 保留项
+```shell
+ssh-keygen -t ed25519 -C "flux" -f ./flux-git-auth -N ""
 
-以下资源**继续由 K3s HelmChart 管理**，不迁移到 Flux：
+ssh-keyscan github.com > ./known_hosts
 
-- `k3s/apps/infra/gitops/namespaces.yaml` — infra-gitops 命名空间
-- `k3s/apps/infra/gitops/flux/helmchart.yaml` — flux-operator HelmChart
-- `k3s/apps/infra/gitops/flux/flux-instance.yaml` — FluxInstance (含 sync 配置)
-- `k3s/apps/infra/gitops/flux/networkpolicy.yaml` — flux-operator NetworkPolicy
-- `k3s/apps/infra/gitops/flux/clusterrolebinding.yaml` — flux-web RBAC
-
-## 迁移步骤
-
-### 1. 创建 Git 认证 Secret
-
-Flux 需要 HTTPS 凭据来访问 Gitea 仓库。在集群中创建 Secret：
-
-```bash
 kubectl -n infra-gitops create secret generic flux-git-auth \
-    --from-literal=username=<GITEA_USERNAME> \
+ --from-file=identity=./flux-git-auth \
-    --from-literal=password=<GITEA_ACCESS_TOKEN>
+ --from-file=identity.pub=./flux-git-auth.pub \
+ --from-file=known_hosts=./known_hosts
 ```
 
-### 2. 确认仓库 URL
+然后将 `flux-git-auth.pub` 文件内容添加到远端仓库中
 
-检查 `k3s/apps/infra/gitops/flux/flux-instance.yaml` 中的 `sync.url` 字段，确保指向正确的 deploy 仓库地址。当前设置为：
+应用flux实例 后续将自动开启部署流程
+
+```shell
+kubectl apply -f flux/flux-instance.yaml
+```
+
+## 部署顺序
+
+```
+sources → secrets → kube-system → infra-devops → infra-data → infra-data-post-1 → infra-data-post-2
+       → infra-monitor → infra-net → infra-devops-post
+       → infra-monitor-post (Promtail)
+       → infra-gitops
+       → apps-sources → apps-secrets → apps
+       → apps-post (CDN Ingress)
+       → infra-gitops-post (suspend=true，需手工凭据)
+```
+
+`clusters/base` 只包含到 `infra-gitops-post` 为止的 infrastructure 部署；`apps-sources`、`apps-secrets`、`apps`、`apps-post` 只在 `clusters/dev-cm` 中声明。Kustomization 间通过 `dependsOn` + `wait: true` 串行等待，避免顺序错乱。
+
+## 部署后手工步骤（infra-gitops-post）
+
+`infra-gitops-post` 在 base 层硬编码 `spec.suspend: true` 默认暂停，因为它依赖两类只能在 Gitea 启动后获取的凭据：
+
+1. **Flux Operator Web 的 OIDC 客户端**
+2. **Gitea Actions Runner Token**
+
+凭据就绪、`flux-env` Secret 重新注入后，可以先用 `flux resume kustomization infra-gitops-post -n infra-gitops` 手工放行。
+
+注意：**手工 `resume` 只会修改集群里的 live 对象，不会改 Git 中的期望状态。** 由于 base 层仍然声明了 `spec.suspend: true`，当上层 `Kustomization` 重新协调（如 30 分钟周期、Git 变更、手工 reconcile）时，它会再次把 `infra-gitops-post` 改回暂停。
+
+如果希望恢复后保持开启，需要把 Git 中的期望状态也改掉，例如在环境 overlay（如 `clusters/dev-cm/infra-gitops-post.yaml`）中覆盖：
 
 ```yaml
-sync:
+spec:
-  url: https://git.dev.cm/devcm/deploy.git
+  suspend: false
 ```
 
-如果组织名或仓库名不同，请修改。
+步骤：
 
-### 3. 提交并推送 Flux 清单
+1. 浏览器访问 `https://git.dev.cm`，首个注册账号自动成为 admin。
+2. **创建 OAuth2 应用**：
+   - Site Administration → Integrations → Applications → Create OAuth2 Application
+   - Redirect URI: `https://cd.dev.cm/oauth2/callback`
+   - 记录 Client ID 与 Client Secret。
+3. **生成 Runner Token**：
+   - Site Administration → Actions → Runners → Create new Runner → 复制 registration token。
+4. 更新 `.env`：
 
-```bash
+   ```
-git add flux/
+   FLUX_WEB_OIDC_CLIENT_ID=<step 2 client id>
-git add k3s/apps/infra/gitops/flux/flux-instance.yaml
+   FLUX_WEB_OIDC_CLIENT_SECRET=<step 2 client secret>
-git commit -m "feat: 迁移到 Flux GitOps 管理"
+   GITEA_ACTIONS_TOKEN=<step 3 token>
-git push origin main
+   ```
-```
 
-### 4. 应用更新后的 FluxInstance
+5. 重新注入 `flux-env` Secret 并协调：
 
-FluxInstance 的 sync 配置更新后，K3s 会自动检测变更并重新应用。也可以手动触发：
+   ```bash
+   kubectl -n infra-gitops create secret generic flux-env \
+     --from-env-file=.env \
+     --dry-run=client -o yaml | kubectl apply -f -
 
-```bash
+   flux reconcile kustomization secrets -n infra-gitops
-kubectl apply -f k3s/apps/infra/gitops/flux/flux-instance.yaml
+   flux resume kustomization infra-gitops-post -n infra-gitops
-```
+   flux reconcile kustomization infra-gitops-post -n infra-gitops --with-source
+   ```
 
-这会让 flux-operator 创建：
+6. 验证：
 
-- `GitRepository/flux` — 监听 deploy 仓库
+   ```bash
-- `Kustomization/flux` — 应用 `flux/clusters/dev-cm/` 路径下的所有资源
+   kubectl -n infra-gitops get helmrelease gitea-actions
+   kubectl -n infra-gitops get deploy flux-operator -o yaml | grep -A2 args   # 看到 --web-*
+   curl -I https://cd.dev.cm                                                    # 走 Gitea OIDC
+   ```
 
-### 5. 等待 Flux 完成同步
+## 为何拆出 \*-post 层？
 
-```bash
+- **`infra-devops-post`**：cert-manager 首次安装时不能依赖 `ServiceMonitor` CRD；post 层只在监控栈就绪后下发 `ClusterIssuer` 与可选 values ConfigMap，避免多个 Kustomization 共同管理同一个 HelmRelease。
-# 查看 GitRepository 状态
+- **`infra-monitor-post` (Promtail)**：Promtail 依赖至少一个带 `devcm-log-collecting/enabled` 标签的 Pod（ingress-nginx）；而 `infra-net` 又依赖 `infra-monitor` 的 CRD。Promtail 放到 post 层并 `dependsOn: infra-net`，打破循环。
-kubectl -n infra-gitops get gitrepository flux
+- **`apps-post` (CDN Ingress)**：CDN Ingress 会引用 `apps`、`infra-gitops`、`infra-monitor` 中的服务，因此不属于 base；只在 `dev-cm` 中声明，并依赖对应服务层。
-
+- **`infra-gitops-post` (Gitea Actions + Flux Web)**：凭据必须在 Gitea 启动后手工创建；放在 post 层并默认 suspend，避免阻塞 bootstrap。
-# 查看所有 Kustomization 状态
-kubectl -n infra-gitops get kustomization
-
-# 查看所有 HelmRelease 状态
-kubectl get helmrelease -A
-
-# 实时查看 Flux 事件
-kubectl -n infra-gitops get events --sort-by='.lastTimestamp' --watch
-```
-
-等待所有 Kustomization 和 HelmRelease 状态变为 `Ready`。
-
-### 6. 验证资源被 Flux 接管
-
-对于每个已有的 Helm Release，Flux 会检测到已存在的资源并进行接管（adopt）。验证：
-
-```bash
-# 检查所有 HelmRelease 是否就绪
-kubectl get helmrelease -A -o wide
-
-# 检查某个具体的 release
-kubectl -n infra-devops describe helmrelease cert-manager
-```
-
-### 7. 清理旧的 K3s HelmChart 资源
-
-确认 Flux 已成功接管所有资源后，删除旧的 K3s HelmChart CR（不会影响已部署的应用）：
-
-```bash
-# 列出所有 K3s HelmChart
-kubectl get helmchart -A
-
-# 逐个删除（保留 flux-operator）
-kubectl delete helmchart -n infra-devops cert-manager
-kubectl delete helmchart -n infra-devops cert-manager-webhook-dnspod
-kubectl delete helmchart -n infra-devops reflector
-kubectl delete helmchart -n infra-devops velero
-kubectl delete helmchart -n infra-data cloudnative-pg
-kubectl delete helmchart -n infra-data cloudnative-pg-plugin-barman
-kubectl delete helmchart -n infra-data valkey-cluster-sh
-kubectl delete helmchart -n infra-net ingress-nginx
-kubectl delete helmchart -n infra-net crowdsec
-kubectl delete helmchart -n infra-net tailscale-derp-hk
-kubectl delete helmchart -n infra-monitor loki
-kubectl delete helmchart -n infra-monitor loki-promtail
-kubectl delete helmchart -n infra-monitor prometheus
-kubectl delete helmchart -n infra-gitops gitea
-kubectl delete helmchart -n infra-gitops gitea-actions
-kubectl delete helmchart -n apps fillcode-whoami
-kubectl delete helmchart -n apps halo
-kubectl delete helmchart -n apps rustdesk
-```
-
-> **注意**: K3s HelmChart 使用 `helm.cattle.io/v1` API。删除 HelmChart CR 默认**不会**卸载已部署的 Helm release。Flux 的 HelmRelease 会接管这些 release 的后续管理。
-
-### 8. 清理旧的 K3s 清单文件
-
-确认一切正常后，可以移除 `k3s/apps/` 中已迁移到 Flux 的文件（保留 flux 相关的）：
-
-```bash
-# 保留以下文件（K3s 继续管理）:
-# k3s/apps/infra/gitops/namespaces.yaml
-# k3s/apps/infra/gitops/flux/
-
-# 其余文件可以删除或归档
-```
-
-## 资源映射表
-
-| 原 K3s HelmChart             | Flux HelmRelease             | 命名空间      |
-| ---------------------------- | ---------------------------- | ------------- |
-| cert-manager                 | cert-manager                 | infra-devops  |
-| cert-manager-webhook-dnspod  | cert-manager-webhook-dnspod  | infra-devops  |
-| reflector                    | reflector                    | infra-devops  |
-| velero                       | velero                       | infra-devops  |
-| cloudnative-pg               | cloudnative-pg               | infra-data    |
-| cloudnative-pg-plugin-barman | cloudnative-pg-plugin-barman | infra-data    |
-| valkey-cluster-sh            | valkey-cluster-sh            | infra-data    |
-| ingress-nginx                | ingress-nginx                | infra-net     |
-| crowdsec                     | crowdsec                     | infra-net     |
-| tailscale-derp-hk            | tailscale-derp-hk            | infra-net     |
-| loki                         | loki                         | infra-monitor |
-| loki-promtail                | loki-promtail                | infra-monitor |
-| prometheus                   | prometheus                   | infra-monitor |
-| gitea                        | gitea                        | infra-gitops  |
-| gitea-actions                | gitea-actions                | infra-gitops  |
-| fillcode-whoami              | fillcode-whoami              | apps          |
-| halo                         | halo                         | apps          |
-| rustdesk                     | rustdesk                     | apps          |
-
-## HelmRelease 内依赖关系
-
-| HelmRelease                  | dependsOn                      |
-| ---------------------------- | ------------------------------ |
-| cert-manager-webhook-dnspod  | cert-manager                   |
-| cloudnative-pg-plugin-barman | cloudnative-pg                 |
-| loki-promtail                | loki                           |
-| crowdsec                     | ingress-nginx, loki (cross-ns) |
-| gitea-actions                | gitea                          |
-
-## 注意事项
-
-1. **Helm Release 接管**: Flux 默认会检测与 HelmRelease 同名的已存在 Helm release。如果名称不匹配，需要在 `spec.releaseName` 中指定原始名称。
-
-2. **CRD 管理**: cert-manager 和 kube-prometheus-stack 的 HelmRelease 配置了 `install.crds: CreateReplace` 和 `upgrade.crds: CreateReplace` 以确保 CRD 被正确管理。
-
-3. **跨命名空间引用**: 所有 HelmRepository 位于 `infra-gitops` 命名空间。HelmRelease 通过 `sourceRef.namespace: infra-gitops` 跨命名空间引用。FluxInstance 配置为单租户模式 (`multitenant: false`)，允许此行为。
-
-4. **kube-system 资源**: `prune: false` 用于 kube-system Kustomization，防止 Flux 意外删除系统资源。
-
-5. **Velero CRD**: Velero HelmRelease 保持 `upgradeCRDs: false`，与原始配置一致。
-
-6. **敏感信息**: 以下 Secret 需要手动维护（不在 Git 中管理）：
-   - `flux-git-auth` (Gitea 访问令牌)
-   - `dnspod-secret` (DNSPod API 凭据)
-   - `s3-devcm-hw` (华为云 OBS 凭据)
-   - `cnpg17-cluster-*-app` (PostgreSQL 密码, 由 CNPG 自动管理)
-   - `valkey-cluster-sh` (Valkey 密码)
-   - `gitea-actions` (Gitea Actions runner token)

flux/apps/helmrelease-halo.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: apps
 spec:
   interval: 30m
+  timeout: 15m
   chart:
     spec:
       chart: halo
@@ -17,14 +18,14 @@ spec:
   values:
     image:
       repository: halohub/halo-pro
-      tag: 2.23.1
+      tag: 2.24.2
     service:
       type: ClusterIP
     ingress:
       enabled: true
       ingressClassName: nginx
       annotations:
-        nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+        nginx.ingress.kubernetes.io/proxy-body-size: "100m"
         nginx.ingress.kubernetes.io/configuration-snippet: |
           proxy_set_header Accept-Encoding "";
           subs_filter_types text/html;
@@ -47,11 +48,11 @@ spec:
       enabled: false
     externalDatabase:
       platform: postgresql
-      host: cnpg17-cluster-hk-rw.infra-data
+      host: cnpg17-cluster-rw.infra-data
       port: 5432
       user: app
       password: from-secret
       database: halo
-      existingSecret: cnpg17-cluster-hk-app
+      existingSecret: cnpg17-cluster-app
     haloUsername: rohow
     haloExternalUrl: https://dev.cm

flux/apps/helmrelease-rustdesk.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: apps
 spec:
   interval: 30m
+  timeout: 15m
   chart:
     spec:
       chart: rustdesk-server

flux/apps/helmrelease-whoami.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: apps
 spec:
   interval: 30m
+  timeout: 15m
   chart:
     spec:
       chart: whoami

flux/apps/ingress-halo-static.yaml

@@ -4,8 +4,8 @@ metadata:
   name: halo-static
   namespace: apps
   annotations:
-    nginx.ingress.kubernetes.io/use-regex: "true"
     nginx.ingress.kubernetes.io/proxy-buffering: "on"
+    nginx.ingress.kubernetes.io/use-regex: "true"
     nginx.ingress.kubernetes.io/configuration-snippet: |
       proxy_cache cache;
       proxy_cache_valid 200 302 7d;
@@ -28,3 +28,6 @@ spec:
                 name: halo
                 port:
                   number: 80
+  tls:
+    - hosts:
+        - dev.cm

flux/apps/ingress-halo-www.yaml

@@ -9,6 +9,9 @@ metadata:
       rewrite ^/(.*)$ https://dev.cm/$1 permanent;
 spec:
   ingressClassName: nginx
+  tls:
+    - hosts:
+        - www.dev.cm
   rules:
     - host: www.dev.cm
       http:

flux/apps/ingress-sinceai-shop.yaml

@@ -4,7 +4,6 @@ metadata:
   name: sinceai-shop
   namespace: apps
   annotations:
-    # 302 跳转到https://sinceai.taobao.com/
     nginx.ingress.kubernetes.io/configuration-snippet: |
       rewrite ^/(.*)$ https://sinceai.taobao.com/$1? permanent;
 spec:

flux/apps/kustomization.yaml

@@ -1,7 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - namespace.yaml
   - certificate-fillcode-com.yaml
   - certificate-sinceai-com.yaml
   - helmrelease-halo.yaml

flux/apps/post/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ingress-cdn.yaml

flux/apps/secrets/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../base
+  - namespaces.yaml

flux/apps/sources/helm-repositories.yaml

@@ -0,0 +1,21 @@
+# whoami
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cowboysysop
+  namespace: infra-gitops
+spec:
+  interval: 168h
+  timeout: 5m
+  url: https://cowboysysop.github.io/charts/
+---
+# halo
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: halo
+  namespace: infra-gitops
+spec:
+  interval: 168h
+  timeout: 5m
+  url: https://halo-sigs.github.io/charts/

flux/apps/sources/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm-repositories.yaml

flux/clusters/base/infra-data.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-gitops
 spec:
   interval: 30m
+  timeout: 15m
   retryInterval: 1m
   sourceRef:
     kind: GitRepository
@@ -20,17 +21,38 @@ spec:
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: infra-data-post
+  name: infra-data-post-1
   namespace: infra-gitops
 spec:
   interval: 30m
+  timeout: 15m
   retryInterval: 1m
   sourceRef:
     kind: GitRepository
     name: flux
-  path: ./flux/infrastructure/infra-data/post
+  path: ./flux/infrastructure/infra-data/post-1
   prune: true
   force: true
   wait: true
   dependsOn:
     - name: infra-data
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra-data-post-2
+  namespace: infra-gitops
+spec:
+  interval: 30m
+  timeout: 15m
+  retryInterval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux
+  path: ./flux/infrastructure/infra-data/post-2
+  prune: true
+  force: true
+  wait: true
+  dependsOn:
+    - name: infra-data-post-1

flux/clusters/base/infra-devops.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-gitops
 spec:
   interval: 30m
+  timeout: 15m
   retryInterval: 1m
   sourceRef:
     kind: GitRepository
@@ -24,6 +25,7 @@ metadata:
   namespace: infra-gitops
 spec:
   interval: 30m
+  timeout: 15m
   retryInterval: 1m
   sourceRef:
     kind: GitRepository

flux/clusters/base/infra-gitops.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-gitops
 spec:
   interval: 30m
+  timeout: 15m
   retryInterval: 1m
   sourceRef:
     kind: GitRepository
@@ -13,5 +14,32 @@ spec:
   prune: true
   wait: true
   dependsOn:
-    - name: infra-data-post
+    - name: infra-data-post-2
     - name: infra-monitor
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra-gitops-post
+  namespace: infra-gitops
+spec:
+  # 默认暂停：post 层依赖 Gitea 启动后才能获取的 OIDC / Runner Token 凭据。
+  # 凭据就绪并写入 flux-env Secret 后，使用 `flux resume kustomization infra-gitops-post -n infra-gitops` 放行。
+  suspend: true
+  interval: 30m
+  timeout: 15m
+  retryInterval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux
+  path: ./flux/infrastructure/infra-gitops/post
+  prune: true
+  wait: true
+  dependsOn:
+    - name: infra-gitops
+    - name: infra-net
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: flux-env

flux/clusters/base/infra-monitor.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-gitops
 spec:
   interval: 30m
+  timeout: 15m
   retryInterval: 1m
   sourceRef:
     kind: GitRepository
@@ -14,4 +15,25 @@ spec:
   force: true
   wait: true
   dependsOn:
-    - name: infra-data-post
+    - name: infra-data-post-2
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra-monitor-post
+  namespace: infra-gitops
+spec:
+  interval: 30m
+  timeout: 15m
+  retryInterval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux
+  path: ./flux/infrastructure/infra-monitor/post
+  prune: true
+  force: true
+  wait: true
+  dependsOn:
+    - name: infra-monitor
+    - name: infra-net

flux/clusters/base/infra-net.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-gitops
 spec:
   interval: 30m
+  timeout: 15m
   retryInterval: 1m
   sourceRef:
     kind: GitRepository

flux/clusters/base/kube-system.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-gitops
 spec:
   interval: 30m
+  timeout: 15m
   retryInterval: 1m
   sourceRef:
     kind: GitRepository

flux/clusters/base/kustomization.yaml

@@ -9,4 +9,3 @@ resources:
   - infra-net.yaml
   - infra-monitor.yaml
   - infra-gitops.yaml
-  - apps.yaml

flux/clusters/base/secrets.yaml

@@ -7,6 +7,7 @@ metadata:
   namespace: infra-gitops
 spec:
   interval: 30m
+  timeout: 15m
   retryInterval: 1m
   sourceRef:
     kind: GitRepository

flux/clusters/base/sources.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-gitops
 spec:
   interval: 30m
+  timeout: 15m
   retryInterval: 1m
   sourceRef:
     kind: GitRepository

flux/clusters/dev-cm/apps-post.yaml

@@ -1,17 +1,20 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: apps
+  name: apps-post
   namespace: infra-gitops
 spec:
   interval: 30m
+  timeout: 15m
   retryInterval: 1m
   sourceRef:
     kind: GitRepository
     name: flux
-  path: ./flux/apps
+  path: ./flux/apps/post
   prune: true
+  wait: true
   dependsOn:
-    - name: infra-data-post
     - name: infra-net
     - name: infra-gitops
+    - name: infra-monitor
+    - name: apps

flux/clusters/dev-cm/apps-secrets.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: apps-secrets
+  namespace: infra-gitops
+spec:
+  interval: 30m
+  timeout: 15m
+  retryInterval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux
+  path: ./flux/apps/secrets
+  prune: false
+  wait: true
+  dependsOn:
+    - name: apps-sources
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: flux-env

flux/clusters/dev-cm/apps-sources.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: apps-sources
+  namespace: infra-gitops
+spec:
+  interval: 30m
+  timeout: 15m
+  retryInterval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux
+  path: ./flux/apps/sources
+  prune: true
+  wait: true
+  dependsOn:
+    - name: sources

flux/clusters/dev-cm/apps.yaml

@@ -2,7 +2,21 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: apps
+  namespace: infra-gitops
 spec:
+  interval: 30m
+  timeout: 15m
+  retryInterval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux
+  path: ./flux/apps
+  prune: true
+  dependsOn:
+    - name: apps-sources
+    - name: apps-secrets
+    - name: infra-data-post-2
+    - name: infra-net
   patches:
     - target:
         kind: HelmRelease
@@ -14,6 +28,9 @@ spec:
           name: halo
         spec:
           values:
+            externalDatabase:
+              host: cnpg17-cluster-hk-rw.infra-data
+              existingSecret: cnpg17-cluster-hk-app
             affinity:
               podAffinity:
                 preferredDuringSchedulingIgnoredDuringExecution:

flux/clusters/dev-cm/infra-data/patch.yaml

@@ -52,14 +52,15 @@ spec:
                 effect: "NoSchedule"
     - target:
         kind: HelmRelease
-        name: valkey-cluster-sh
+        name: valkey-cluster
       patch: |
         apiVersion: helm.toolkit.fluxcd.io/v2
         kind: HelmRelease
         metadata:
-          name: valkey-cluster-sh
+          name: valkey-cluster
         spec:
           values:
+            fullnameOverride: valkey-cluster-sh
             valkey:
               nodeAffinityPreset:
                 type: hard

flux/clusters/dev-cm/infra-data/post-1/databases.yaml

@@ -0,0 +1,43 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: cnpg17-cluster-sh-gitea
+  namespace: infra-data
+spec:
+  name: gitea
+  owner: app
+  cluster:
+    name: cnpg17-cluster-sh
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: cnpg17-cluster-sh-grafana
+  namespace: infra-data
+spec:
+  name: grafana
+  owner: app
+  cluster:
+    name: cnpg17-cluster-sh
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: cnpg17-cluster-hk-halo
+  namespace: infra-data
+spec:
+  name: halo
+  owner: app
+  cluster:
+    name: cnpg17-cluster-hk
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: cnpg17-cluster-hk-crowdsec
+  namespace: infra-data
+spec:
+  name: crowdsec
+  owner: app
+  cluster:
+    name: cnpg17-cluster-hk

flux/clusters/dev-cm/infra-data/post-1/kustomization.yaml

@@ -4,6 +4,6 @@ resources:
   - cnpg17-objectstore-hw.yaml
   - cnpg17-cluster-hk.yaml
   - cnpg17-cluster-sh.yaml
+  - databases.yaml
   - loadbalancer-hk.yaml
   - loadbalancer-sh.yaml
-  - reflector-secret-annotations.yaml

flux/clusters/dev-cm/infra-data/post-1/patch.yaml

@@ -1,8 +1,9 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: infra-data-post
+  name: infra-data-post-1
 spec:
+  path: ./flux/clusters/dev-cm/infra-data/post-1
   patches:
     - target:
         kind: Cluster

flux/clusters/dev-cm/infra-data/post-2/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - reflector-secret-annotations.yaml

flux/clusters/dev-cm/infra-data/post-2/patch.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra-data-post-2
+spec:
+  path: ./flux/clusters/dev-cm/infra-data/post-2

flux/clusters/dev-cm/infra-data/post-2/reflector-secret-annotations.yaml

@@ -1,9 +1,3 @@
-# 给CNPG和Valkey自动生成的secrets添加Reflector注解
-# 通过SSA force合并注解到已有secrets 使其自动复制到消费方命名空间
-#
-# cnpg17-cluster-hk-app → apps (halo), infra-net (crowdsec)
-# cnpg17-cluster-sh-app → infra-gitops (gitea), infra-monitor (grafana)
-# valkey-cluster-sh → infra-gitops (gitea)
 apiVersion: v1
 kind: Secret
 metadata:
@@ -11,6 +5,7 @@ metadata:
   namespace: infra-data
   annotations:
     kustomize.toolkit.fluxcd.io/prune: disabled
+    kustomize.toolkit.fluxcd.io/ssa: Merge
     reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
     reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-net"
     reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
@@ -23,10 +18,11 @@ metadata:
   namespace: infra-data
   annotations:
     kustomize.toolkit.fluxcd.io/prune: disabled
+    kustomize.toolkit.fluxcd.io/ssa: Merge
     reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops,infra-monitor"
+    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-gitops,infra-monitor"
     reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
-    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops,infra-monitor"
+    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-gitops,infra-monitor"
 ---
 apiVersion: v1
 kind: Secret
@@ -35,7 +31,8 @@ metadata:
   namespace: infra-data
   annotations:
     kustomize.toolkit.fluxcd.io/prune: disabled
+    kustomize.toolkit.fluxcd.io/ssa: Merge
     reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops"
+    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apps,infra-gitops"
     reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
-    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops"
+    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apps,infra-gitops"

flux/clusters/dev-cm/infra-gitops-post.yaml

@@ -0,0 +1,20 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra-gitops-post
+spec:
+  suspend: false
+  patches:
+    - target:
+        kind: HelmRelease
+        name: gitea-actions
+      patch: |
+        apiVersion: helm.toolkit.fluxcd.io/v2
+        kind: HelmRelease
+        metadata:
+          name: gitea-actions
+        spec:
+          values:
+            statefulset:
+              nodeSelector:
+                dev-cm-runner/enabled: "true"

flux/clusters/dev-cm/infra-gitops.yaml

@@ -14,6 +14,27 @@ spec:
           name: gitea
         spec:
           values:
+            gitea:
+              config:
+                database:
+                  HOST: cnpg17-cluster-sh-rw.infra-data:5432
+              additionalConfigFromEnvs:
+                - name: GITEA__DATABASE__PASSWD
+                  valueFrom:
+                    secretKeyRef:
+                      name: cnpg17-cluster-sh-app
+                      key: password
+                - name: REDIS_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: valkey-cluster-sh
+                      key: valkey-password
+                - name: GITEA__SESSION__PROVIDER_CONFIG
+                  value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
+                - name: GITEA__CACHE__HOST
+                  value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
+                - name: GITEA__QUEUE__CONN_STR
+                  value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
             affinity:
               podAffinity:
                 preferredDuringSchedulingIgnoredDuringExecution:
@@ -36,16 +57,3 @@ spec:
                           operator: In
                           values:
                             - homea
-    - target:
-        kind: HelmRelease
-        name: gitea-actions
-      patch: |
-        apiVersion: helm.toolkit.fluxcd.io/v2
-        kind: HelmRelease
-        metadata:
-          name: gitea-actions
-        spec:
-          values:
-            statefulset:
-              nodeSelector:
-                dev-cm-runner/enabled: "true"

flux/clusters/dev-cm/infra-monitor-post.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra-monitor-post
+spec:
+  patches:
+    - target:
+        kind: HelmRelease
+        name: loki-promtail
+      patch: |
+        apiVersion: helm.toolkit.fluxcd.io/v2
+        kind: HelmRelease
+        metadata:
+          name: loki-promtail
+        spec:
+          values:
+            nodeSelector:
+              svccontroller.k3s.cattle.io/enablelb: "true"

flux/clusters/dev-cm/infra-monitor.yaml

@@ -55,6 +55,14 @@ spec:
               nodeSelector:
                 kubernetes.io/hostname: hwa
             grafana:
+              envValueFrom:
+                GF_DATABASE_PASSWORD:
+                  secretKeyRef:
+                    name: cnpg17-cluster-sh-app
+                    key: password
+              grafana.ini:
+                database:
+                  host: cnpg17-cluster-sh-rw.infra-data:5432
               affinity:
                 podAffinity:
                   preferredDuringSchedulingIgnoredDuringExecution:

flux/clusters/dev-cm/infra-net.yaml

@@ -26,7 +26,6 @@ spec:
                 nameservers:
                   - "169.254.20.10"
                   - "10.43.0.10"
-              maxmindLicenseKey: "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"
             defaultBackend:
               affinity:
                 nodeAffinity:
@@ -48,6 +47,43 @@ spec:
           name: crowdsec
         spec:
           values:
+            lapi:
+              env:
+                - name: DB_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: cnpg17-cluster-hk-app
+                      key: password
+              affinity:
+                nodeAffinity:
+                  preferredDuringSchedulingIgnoredDuringExecution:
+                    - weight: 1
+                      preference:
+                        matchExpressions:
+                          - key: topology.kubernetes.io/region
+                            operator: In
+                            values:
+                              - cn-hk
+            config:
+              config.yaml.local: |
+                db_config:
+                  type: postgresql
+                  host: cnpg17-cluster-hk-rw.infra-data
+                  port: 5432
+                  db_name: crowdsec
+                  user: app
+                  password: ${DB_PASSWORD}
+                  sslmode: require
+                api:
+                  server:
+                    auto_registration:
+                      enabled: true
+                      token: "${REGISTRATION_TOKEN}"
+                      allowed_ranges:
+                        - "127.0.0.1/32"
+                        - "192.168.0.0/16"
+                        - "172.16.0.0/12"
+                        - "10.0.0.0/8"
             agent:
               affinity:
                 podAffinity:
@@ -70,17 +106,6 @@ spec:
                             operator: In
                             values:
                               - cn-hk
-            lapi:
-              affinity:
-                nodeAffinity:
-                  preferredDuringSchedulingIgnoredDuringExecution:
-                    - weight: 1
-                      preference:
-                        matchExpressions:
-                          - key: topology.kubernetes.io/region
-                            operator: In
-                            values:
-                              - cn-hk
     - target:
         kind: HelmRelease
         name: tailscale-derp-hk

flux/clusters/dev-cm/kube-system.yaml

@@ -0,0 +1,30 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: kube-system
+spec:
+  patches:
+    - target:
+        kind: Deployment
+        name: "(coredns|local-path-provisioner|metrics-server)"
+      patch: |
+        apiVersion: apps/v1
+        kind: Deployment
+        metadata:
+          name: placeholder
+        spec:
+          template:
+            spec:
+              affinity:
+                nodeAffinity:
+                  requiredDuringSchedulingIgnoredDuringExecution:
+                    nodeSelectorTerms:
+                      - matchExpressions:
+                          - key: node-role.kubernetes.io/control-plane
+                            operator: In
+                            values:
+                              - "true"
+              tolerations:
+                - key: node-role.kubernetes.io/control-plane
+                  operator: Exists
+                  effect: NoSchedule

flux/clusters/dev-cm/kustomization.yaml

@@ -2,32 +2,48 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../base
+  - apps-sources.yaml
+  - apps-secrets.yaml
+  - apps.yaml
+  - apps-post.yaml
 patches:
+  - target:
+      kind: Kustomization
+      name: kube-system
+    path: kube-system.yaml
   - target:
       kind: Kustomization
       name: infra-devops
-    path: patches/infra-devops.yaml
+    path: infra-devops.yaml
   - target:
       kind: Kustomization
       name: infra-data
-    path: patches/infra-data.yaml
+    path: infra-data/patch.yaml
   - target:
       kind: Kustomization
-      name: infra-data-post
+      name: infra-data-post-1
-    path: patches/infra-data-post.yaml
+    path: infra-data/post-1/patch.yaml
+  - target:
+      kind: Kustomization
+      name: infra-data-post-2
+    path: infra-data/post-2/patch.yaml
   - target:
       kind: Kustomization
       name: infra-net
-    path: patches/infra-net.yaml
+    path: infra-net.yaml
   - target:
       kind: Kustomization
       name: infra-monitor
-    path: patches/infra-monitor.yaml
+    path: infra-monitor.yaml
+  - target:
+      kind: Kustomization
+      name: infra-monitor-post
+    path: infra-monitor-post.yaml
   - target:
       kind: Kustomization
       name: infra-gitops
-    path: patches/infra-gitops.yaml
+    path: infra-gitops.yaml
   - target:
       kind: Kustomization
-      name: apps
+      name: infra-gitops-post
-    path: patches/apps.yaml
+    path: infra-gitops-post.yaml

flux/flux-instance.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: infra-gitops
 spec:
   distribution:
-    version: "2.x"
+    version: "2.8.5"
     registry: "ghcr.io/fluxcd"
     artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests"
   components:
@@ -22,17 +22,35 @@ spec:
   storage:
     class: "local-path"
     size: "10Gi"
-  # Git 仓库同步配置 - 请将 url 替换为实际的 deploy 仓库地址
   sync:
     kind: GitRepository
-    url: https://git.dev.cm/devcm/deploy.git
+    url: ssh://git@github.com/devcm-repo/k3s.git
     ref: refs/heads/main
     path: flux/clusters/dev-cm
     pullSecret: flux-git-auth
+    name: flux
   kustomize:
     patches:
+      # source-controller 需要良好的国际网络环境，优先调度到网络较好的节点上
       - target:
           kind: Deployment
+          name: (source-controller)
+        patch: |
+          - op: add
+            path: /spec/template/spec/affinity
+            value:
+              nodeAffinity:
+                preferredDuringSchedulingIgnoredDuringExecution:
+                  - weight: 100
+                    preference:
+                      matchExpressions:
+                        - key: kubernetes.io/hostname
+                          operator: In
+                          values:
+                            - clawjp
+      - target:
+          kind: Deployment
+          name: (helm-controller|kustomize-controller|notification-controller)
         patch: |
           - op: add
             path: /spec/template/spec/affinity

flux/infrastructure/infra-data/helmrelease-barman-plugin.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-data
 spec:
   interval: 30m
+  timeout: 15m
   dependsOn:
     - name: cloudnative-pg
   chart:

flux/infrastructure/infra-data/helmrelease-cloudnative-pg.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-data
 spec:
   interval: 30m
+  timeout: 15m
   chart:
     spec:
       chart: cloudnative-pg

flux/infrastructure/infra-data/helmrelease-valkey-cluster.yaml

@@ -1,10 +1,11 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: valkey-cluster-sh
+  name: valkey-cluster
   namespace: infra-data
 spec:
   interval: 30m
+  timeout: 15m
   chart:
     spec:
       chart: valkey-cluster

flux/infrastructure/infra-data/post-1/cnpg17-cluster.yaml

@@ -0,0 +1,42 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: cnpg17-cluster
+  namespace: infra-data
+spec:
+  imageName: ghcr.io/cloudnative-pg/postgresql:17.4
+  enableSuperuserAccess: true
+  enablePDB: false
+  instances: 1
+  storage:
+    size: 10Gi
+  postgresql:
+    parameters:
+      archive_timeout: 30min
+  env:
+    - name: AWS_REQUEST_CHECKSUM_CALCULATION
+      value: when_required
+    - name: AWS_RESPONSE_CHECKSUM_VALIDATION
+      value: when_required
+  plugins:
+    - name: barman-cloud.cloudnative-pg.io
+      isWALArchiver: true
+      parameters:
+        barmanObjectName: cnpg17-objectstore-hw
+        serverName: cnpg17-cluster
+
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: cnpg17-cluster-backups
+  namespace: infra-data
+spec:
+  schedule: "0 0 0 * * *"
+  immediate: true
+  backupOwnerReference: self
+  method: plugin
+  pluginConfiguration:
+    name: barman-cloud.cloudnative-pg.io
+  cluster:
+    name: cnpg17-cluster

flux/infrastructure/infra-data/post-1/cnpg17-objectstore-hw.yaml

@@ -0,0 +1,20 @@
+apiVersion: barmancloud.cnpg.io/v1
+kind: ObjectStore
+metadata:
+  name: cnpg17-objectstore-hw
+  namespace: infra-data
+spec:
+  retentionPolicy: "7d"
+  configuration:
+    destinationPath: s3://devcm/cnpg/
+    endpointURL: https://obs.cn-east-3.myhuaweicloud.com
+    s3Credentials:
+      accessKeyId:
+        name: s3-devcm-hw
+        key: ACCESS_KEY_ID
+      secretAccessKey:
+        name: s3-devcm-hw
+        key: ACCESS_SECRET_KEY
+    wal:
+      compression: gzip
+      maxParallel: 8

flux/infrastructure/infra-data/post-1/databases.yaml

@@ -0,0 +1,43 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: cnpg17-cluster-gitea
+  namespace: infra-data
+spec:
+  name: gitea
+  owner: app
+  cluster:
+    name: cnpg17-cluster
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: cnpg17-cluster-grafana
+  namespace: infra-data
+spec:
+  name: grafana
+  owner: app
+  cluster:
+    name: cnpg17-cluster
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: cnpg17-cluster-halo
+  namespace: infra-data
+spec:
+  name: halo
+  owner: app
+  cluster:
+    name: cnpg17-cluster
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: cnpg17-cluster-crowdsec
+  namespace: infra-data
+spec:
+  name: crowdsec
+  owner: app
+  cluster:
+    name: cnpg17-cluster

flux/infrastructure/infra-data/post-1/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cnpg17-objectstore-hw.yaml
+  - cnpg17-cluster.yaml
+  - databases.yaml
+  - loadbalancer.yaml

flux/infrastructure/infra-data/post-1/loadbalancer.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: cnpg17-cluster-lb
+  namespace: infra-data
+spec:
+  selector:
+    cnpg.io/cluster: cnpg17-cluster
+    role: primary
+  ports:
+    - protocol: TCP
+      port: 5432
+      targetPort: 5432
+  type: LoadBalancer

flux/infrastructure/infra-data/post-2/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - reflector-secret-annotations.yaml

flux/infrastructure/infra-data/post-2/reflector-secret-annotations.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cnpg17-cluster-app
+  namespace: infra-data
+  annotations:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+    kustomize.toolkit.fluxcd.io/ssa: Merge
+    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-net,infra-gitops,infra-monitor"
+    reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-net,infra-gitops,infra-monitor"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: valkey-cluster
+  namespace: infra-data
+  annotations:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+    kustomize.toolkit.fluxcd.io/ssa: Merge
+    reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+    reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "infra-gitops"
+    reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+    reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "infra-gitops"

flux/infrastructure/infra-devops/helmrelease-cert-manager-webhook-dnspod.yaml

@@ -6,17 +6,29 @@ metadata:
   namespace: infra-devops
 spec:
   interval: 30m
+  timeout: 15m
   dependsOn:
     - name: cert-manager
   chart:
     spec:
       chart: cert-manager-webhook-dnspod
-      version: 1.4.5
+      version: 1.5.2
       sourceRef:
         kind: HelmRepository
         name: imroc
         namespace: infra-gitops
       interval: 12h
+  # 启用漂移检测,集群中资源被误删时 Flux 会自动重建
+  driftDetection:
+    mode: enabled
+  # 升级失败或资源被删除时,允许卸载后重装以恢复
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+      remediateLastFailure: true
   values:
     image:
       tag: "1.5.2"

flux/infrastructure/infra-devops/helmrelease-cert-manager.yaml

@@ -5,6 +5,12 @@ metadata:
   namespace: infra-devops
 spec:
   interval: 30m
+  timeout: 15m
+  valuesFrom:
+    - kind: ConfigMap
+      name: cert-manager-runtime-values
+      valuesKey: values.yaml
+      optional: true
   chart:
     spec:
       chart: cert-manager
@@ -18,8 +24,8 @@ spec:
     crds: CreateReplace
   upgrade:
     crds: CreateReplace
-  # 首次install时servicemonitor=false(CRD尚不存在)
+  # 首次 install 时 ServiceMonitor CRD 尚不存在，保持 chart 默认值 false。
-  # infra-monitor层部署后通过SSA patch开启
+  # infra-devops-post 在 CRD 就绪后通过可选 valuesFrom 开启 ServiceMonitor。
   values:
     crds:
       enabled: true
@@ -27,5 +33,3 @@ spec:
     enableCertificateOwnerRef: true
     prometheus:
       enabled: true
-      servicemonitor:
-        enabled: false

flux/infrastructure/infra-devops/helmrelease-reflector.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-devops
 spec:
   interval: 30m
+  timeout: 15m
   chart:
     spec:
       chart: reflector

flux/infrastructure/infra-devops/helmrelease-velero.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-devops
 spec:
   interval: 30m
+  timeout: 15m
   chart:
     spec:
       chart: velero
@@ -57,4 +58,4 @@ spec:
           - mountPath: /target
             name: plugins
     nodeAgent:
-      # 控制面板不启用 lb节点不启用
+      enabled: true

flux/infrastructure/infra-devops/post/configmap-cert-manager-runtime-values.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cert-manager-runtime-values
+  namespace: infra-devops
+  labels:
+    reconcile.fluxcd.io/watch: Enabled
+data:
+  values.yaml: |
+    prometheus:
+      servicemonitor:
+        enabled: true
+        interval: 300s
+        prometheusInstance: kube-prometheus

flux/infrastructure/infra-devops/post/helmrelease-cert-manager-patch.yaml

@@ -1,17 +0,0 @@
-# 在prometheus-stack部署后 通过SSA patch cert-manager开启ServiceMonitor
-# cert-manager初始安装时servicemonitor.enabled=false(CRD尚不存在)
-# infra-monitor层部署时CRD已就绪 此patch合并到已有HelmRelease
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: cert-manager
-  namespace: infra-devops
-  annotations:
-    kustomize.toolkit.fluxcd.io/prune: disabled
-spec:
-  values:
-    prometheus:
-      servicemonitor:
-        enabled: true
-        interval: 300s
-        prometheusInstance: kube-prometheus

flux/infrastructure/infra-devops/post/kustomization.yaml

@@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - clusterissuer-dnspod.yaml
-  - helmrelease-cert-manager-patch.yaml
+  - configmap-cert-manager-runtime-values.yaml

flux/infrastructure/infra-gitops/helmrelease-gitea.yaml

@@ -5,10 +5,11 @@ metadata:
   namespace: infra-gitops
 spec:
   interval: 30m
+  timeout: 15m
   chart:
     spec:
       chart: gitea
-      version: 12.5.0
+      version: 12.6.0
       sourceRef:
         kind: HelmRepository
         name: gitea
@@ -20,7 +21,7 @@ spec:
     postgresql-ha:
       enabled: false
     image:
-      tag: 1.25.5
+      tag: 1.26.2
     ingress:
       enabled: true
       className: nginx
@@ -48,7 +49,7 @@ spec:
           ROOT_URL: https://git.dev.cm/
         database:
           DB_TYPE: postgres
-          HOST: cnpg17-cluster-sh-rw.infra-data:5432
+          HOST: cnpg17-cluster-rw.infra-data:5432
           NAME: gitea
           USER: app
           SSL_MODE: disable
@@ -83,29 +84,18 @@ spec:
         - name: GITEA__DATABASE__PASSWD
           valueFrom:
             secretKeyRef:
-              name: cnpg17-cluster-sh-app
+              name: cnpg17-cluster-app
               key: password
         - name: REDIS_PASSWORD
           valueFrom:
             secretKeyRef:
-              name: valkey-cluster-sh
+              name: valkey-cluster
               key: valkey-password
         - name: GITEA__SESSION__PROVIDER_CONFIG
-          value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
+          value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
         - name: GITEA__CACHE__HOST
-          value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
+          value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
         - name: GITEA__QUEUE__CONN_STR
-          value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-sh-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
+          value: "redis://:$(REDIS_PASSWORD)@valkey-cluster-headless.infra-data:6379/0?pool_size=100&idle_timeout=180s"
     valkey-cluster:
       enabled: false
-    extraVolumes:
-      - name: gitea-custom-templates-volume
-        configMap:
-          name: gitea-custom-templates
-    extraContainerVolumeMounts:
-      - name: gitea-custom-templates-volume
-        subPath: home.tmpl
-        mountPath: /data/gitea/templates/home.tmpl
-      - name: gitea-custom-templates-volume
-        subPath: extra_links.tmpl
-        mountPath: /data/gitea/templates/custom/extra_links.tmpl

flux/infrastructure/infra-gitops/kustomization.yaml

@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - helmrelease-gitea.yaml
-  - helmrelease-gitea-actions.yaml
   - configmap-templates.yaml
   - configmap-actions-dind.yaml
   - ingress-static-gitea.yaml

flux/infrastructure/infra-gitops/post/helmchartconfig-flux-web.yaml

@@ -0,0 +1,27 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+  name: flux-operator
+  namespace: infra-gitops
+spec:
+  valuesContent: |-
+    web:
+      config:
+        baseURL: https://cd.dev.cm
+        authentication:
+          type: OAuth2
+          oauth2:
+            provider: OIDC
+            issuerURL: https://git.dev.cm
+            clientID: "${FLUX_WEB_OIDC_CLIENT_ID}"
+            clientSecret: "${FLUX_WEB_OIDC_CLIENT_SECRET}"
+      networkPolicy:
+        create: false
+      ingress:
+        enabled: true
+        className: nginx
+        hosts:
+          - host: cd.dev.cm
+            paths:
+              - path: /
+                pathType: Prefix

flux/infrastructure/infra-gitops/post/helmrelease-gitea-actions.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-gitops
 spec:
   interval: 30m
+  timeout: 15m
   dependsOn:
     - name: gitea
   chart:

flux/infrastructure/infra-gitops/post/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helmrelease-gitea-actions.yaml
+  - helmchartconfig-flux-web.yaml

flux/infrastructure/infra-monitor/helmrelease-loki.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-monitor
 spec:
   interval: 30m
+  timeout: 15m
   chart:
     spec:
       chart: loki

flux/infrastructure/infra-monitor/helmrelease-prometheus.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-monitor
 spec:
   interval: 30m
+  timeout: 15m
   chart:
     spec:
       chart: kube-prometheus-stack
@@ -52,7 +53,7 @@ spec:
       envValueFrom:
         GF_DATABASE_PASSWORD:
           secretKeyRef:
-            name: cnpg17-cluster-sh-app
+            name: cnpg17-cluster-app
             key: password
       grafana.ini:
         server:
@@ -65,7 +66,7 @@ spec:
           news_feed_enabled: false
         database:
           type: postgres
-          host: cnpg17-cluster-sh-rw.infra-data:5432
+          host: cnpg17-cluster-rw.infra-data:5432
           name: grafana
           user: app
           password: $__env{GF_DATABASE_PASSWORD}

flux/infrastructure/infra-monitor/kustomization.yaml

@@ -3,6 +3,5 @@ kind: Kustomization
 resources:
   - namespace.yaml
   - helmrelease-loki.yaml
-  - helmrelease-promtail.yaml
   - helmrelease-prometheus.yaml
   - ingress-static-grafana.yaml

flux/infrastructure/infra-monitor/post/helmrelease-promtail.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-monitor
 spec:
   interval: 30m
+  timeout: 15m
   dependsOn:
     - name: loki
   chart:

flux/infrastructure/infra-monitor/post/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helmrelease-promtail.yaml

flux/infrastructure/infra-net/helmrelease-crowdsec.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-net
 spec:
   interval: 30m
+  timeout: 15m
   dependsOn:
     - name: ingress-nginx
     - name: loki
@@ -77,14 +78,14 @@ spec:
         - name: DB_PASSWORD
           valueFrom:
             secretKeyRef:
-              name: cnpg17-cluster-hk-app
+              name: cnpg17-cluster-app
               key: password
     config:
       # api config.yaml配置
       config.yaml.local: |
         db_config:
           type: postgresql
-          host: cnpg17-cluster-hk-rw.infra-data
+          host: cnpg17-cluster-rw.infra-data
           port: 5432
           db_name: crowdsec
           user: app

flux/infrastructure/infra-net/helmrelease-ingress-nginx.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-net
 spec:
   interval: 30m
+  timeout: 15m
   chart:
     spec:
       chart: ingress-nginx
@@ -14,6 +15,10 @@ spec:
         name: ingress-nginx
         namespace: infra-gitops
       interval: 12h
+  valuesFrom:
+    - kind: Secret
+      name: infra-net-env
+      valuesKey: ingress-nginx-values.yaml
   values:
     fullnameOverride: ingress-nginx
     controller:
@@ -124,8 +129,6 @@ spec:
         # crowdsec插件配置
         plugins: "crowdsec"
         lua-shared-dicts: "crowdsec_cache: 50m"
-      # 启用geoip2模块
-      maxmindLicenseKey: ""
       extraArgs:
         default-ssl-certificate: "infra-net/dev-cm-crt"
       # crowdsec插件配置
@@ -139,7 +142,10 @@ spec:
             - name: API_URL
               value: "http://crowdsec-service.infra-net.svc.cluster.local:8080"
             - name: API_KEY
-              value: "ImxBThnyiNm224V5DHYPY63KPAcyJ+WF0rm18Gr4M80"
+              valueFrom:
+                secretKeyRef:
+                  name: infra-net-env
+                  key: NET_CROWDSEC_BOUNCER_API_KEY
             - name: BOUNCER_CONFIG
               value: "/crowdsec/crowdsec-bouncer.conf"
             - name: MODE
@@ -153,9 +159,15 @@ spec:
             - name: CAPTCHA_PROVIDER
               value: "turnstile"
             - name: SITE_KEY
-              value: "0x4AAAAAAAxJ2RPNWzn2LCc-"
+              valueFrom:
+                secretKeyRef:
+                  name: infra-net-env
+                  key: NET_TURNSTILE_SITE_KEY
             - name: SECRET_KEY
-              value: "0x4AAAAAAAxJ2dwFOaNg5ae3c6wYTmWH0bU"
+              valueFrom:
+                secretKeyRef:
+                  name: infra-net-env
+                  key: NET_TURNSTILE_SECRET_KEY
             - name: CAPTCHA_TEMPLATE_PATH
               value: /etc/nginx/static/captcha.html
           command: ['/bin/sh', '-c']

flux/infrastructure/infra-net/helmrelease-tailscale-derp.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: infra-net
 spec:
   interval: 30m
+  timeout: 15m
   chart:
     spec:
       chart: tailscale-derp

flux/infrastructure/infra-net/kustomization.yaml

@@ -5,6 +5,5 @@ resources:
   - helmrelease-ingress-nginx.yaml
   - configmap-static.yaml
   - certificate-dev-cm.yaml
-  - ingress-cdn.yaml
   - helmrelease-crowdsec.yaml
   - helmrelease-tailscale-derp.yaml

flux/infrastructure/secrets/infra-net.yaml

@@ -0,0 +1,16 @@
+# Infra Net 凭据
+# 变量来源: flux-env Secret (通过postBuild.substituteFrom注入)
+apiVersion: v1
+kind: Secret
+metadata:
+  name: infra-net-env
+  namespace: infra-net
+type: Opaque
+stringData:
+  NET_MAXMIND_LICENSE_KEY: "${NET_MAXMIND_LICENSE_KEY}"
+  NET_CROWDSEC_BOUNCER_API_KEY: "${NET_CROWDSEC_BOUNCER_API_KEY}"
+  NET_TURNSTILE_SITE_KEY: "${NET_TURNSTILE_SITE_KEY}"
+  NET_TURNSTILE_SECRET_KEY: "${NET_TURNSTILE_SECRET_KEY}"
+  ingress-nginx-values.yaml: |
+    controller:
+      maxmindLicenseKey: "${NET_MAXMIND_LICENSE_KEY}"

flux/infrastructure/secrets/kustomization.yaml

@@ -5,3 +5,4 @@ resources:
   - s3-devcm-hw.yaml
   - dnspod-secret.yaml
   - gitea-actions.yaml
+  - infra-net.yaml

flux/infrastructure/secrets/namespaces.yaml

@@ -14,3 +14,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: infra-gitops
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: infra-net

flux/infrastructure/sources/helm-repositories.yaml

@@ -5,7 +5,8 @@ metadata:
   name: jetstack
   namespace: infra-gitops
 spec:
-  interval: 24h
+  interval: 168h
+  timeout: 5m
   url: https://charts.jetstack.io
 ---
 # cert-manager-webhook-dnspod (OCI)
@@ -15,9 +16,9 @@ metadata:
   name: imroc
   namespace: infra-gitops
 spec:
-  interval: 24h
+  interval: 168h
-  type: oci
+  timeout: 5m
-  url: oci://registry-1.docker.io/imroc
+  url: https://imroc.github.io/cert-manager-webhook-dnspod
 ---
 # reflector
 apiVersion: source.toolkit.fluxcd.io/v1
@@ -26,7 +27,8 @@ metadata:
   name: emberstack
   namespace: infra-gitops
 spec:
-  interval: 24h
+  interval: 168h
+  timeout: 5m
   url: https://emberstack.github.io/helm-charts
 ---
 # velero
@@ -36,7 +38,8 @@ metadata:
   name: vmware-tanzu
   namespace: infra-gitops
 spec:
-  interval: 24h
+  interval: 168h
+  timeout: 5m
   url: https://vmware-tanzu.github.io/helm-charts
 ---
 # cloudnative-pg, plugin-barman-cloud
@@ -46,7 +49,8 @@ metadata:
   name: cloudnative-pg
   namespace: infra-gitops
 spec:
-  interval: 24h
+  interval: 168h
+  timeout: 5m
   url: https://cloudnative-pg.github.io/charts
 ---
 # valkey-cluster (OCI)
@@ -56,9 +60,10 @@ metadata:
   name: bitnami
   namespace: infra-gitops
 spec:
-  interval: 24h
+  interval: 168h
+  timeout: 5m
   type: oci
-  url: oci://registry-1.docker.io/bitnamicharts
+  url: oci://docker.m.daocloud.io/bitnamicharts
 ---
 # ingress-nginx
 apiVersion: source.toolkit.fluxcd.io/v1
@@ -67,7 +72,8 @@ metadata:
   name: ingress-nginx
   namespace: infra-gitops
 spec:
-  interval: 24h
+  interval: 168h
+  timeout: 5m
   url: https://kubernetes.github.io/ingress-nginx
 ---
 # crowdsec
@@ -77,7 +83,8 @@ metadata:
   name: crowdsec
   namespace: infra-gitops
 spec:
-  interval: 24h
+  interval: 168h
+  timeout: 5m
   url: https://crowdsecurity.github.io/helm-charts
 ---
 # tailscale-derp, rustdesk-server
@@ -87,7 +94,8 @@ metadata:
   name: devcm-repo
   namespace: infra-gitops
 spec:
-  interval: 24h
+  interval: 168h
+  timeout: 5m
   url: https://devcm-repo.github.io/helm-charts
 ---
 # loki, promtail
@@ -97,7 +105,8 @@ metadata:
   name: grafana
   namespace: infra-gitops
 spec:
-  interval: 24h
+  interval: 168h
+  timeout: 5m
   url: https://grafana.github.io/helm-charts
 ---
 # kube-prometheus-stack
@@ -107,7 +116,8 @@ metadata:
   name: prometheus-community
   namespace: infra-gitops
 spec:
-  interval: 24h
+  interval: 168h
+  timeout: 5m
   url: https://prometheus-community.github.io/helm-charts
 ---
 # gitea, gitea-actions
@@ -117,25 +127,7 @@ metadata:
   name: gitea
   namespace: infra-gitops
 spec:
-  interval: 24h
+  interval: 168h
+  timeout: 5m
   url: https://dl.gitea.com/charts
 ---
-# whoami
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: cowboysysop
-  namespace: infra-gitops
-spec:
-  interval: 24h
-  url: https://cowboysysop.github.io/charts/
----
-# halo
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: halo
-  namespace: infra-gitops
-spec:
-  interval: 24h
-  url: https://halo-sigs.github.io/charts/

helmcharts/helmchart-flux.yaml

@@ -6,7 +6,7 @@ metadata:
 spec:
   chart: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator
   targetNamespace: infra-gitops
-  version: 0.40.0
+  version: 0.48.0
   valuesContent: |-
     affinity:
       nodeAffinity:
@@ -19,26 +19,6 @@ spec:
                   values:
                     - homea  
     installCRDs: true
-    web:
+    # 注意：flux-operator 的 web 配置（OIDC + Ingress）依赖 Gitea 与 ingress-nginx，
-      config:
+    # 由 Flux Kustomization `infra-gitops-post` 通过 k3s HelmChartConfig 在 Gitea 起来后叠加注入。
-        baseURL: https://cd.dev.cm
+    # 详见 flux/infrastructure/infra-gitops/post/helmchartconfig-flux-web.yaml
-        authentication:
-          type: OAuth2
-          oauth2:
-            provider: OIDC
-            issuerURL: https://git.dev.cm
-            clientID: "94b1ec99-55c4-4621-89c3-f49d8b7d5603"
-            clientSecret: "gto_5fmpkf6h7zohbpesnxfuvjvppinunayv7mfcyo2wmuzqtuj3ig2a"
-      networkPolicy:
-        create: false
-      ingress:
-        enabled: true
-        className: nginx
-        hosts:
-          - host: cd.dev.cm
-            paths:
-              - path: /
-                pathType: Prefix
-
-
-

helmcharts/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: infra-gitops