Flux GitOps
Directory structure
flux/
├── clusters/
│   └── dev-cm/                 # cluster-level orchestration
│       ├── kustomization.yaml  # resource list
│       ├── sources.yaml        # HelmRepository sources
│       ├── kube-system.yaml    # CoreDNS / NodeLocalDNS
│       ├── infra-devops.yaml   # cert-manager / reflector / velero
│       ├── infra-data.yaml     # CNPG / Valkey
│       ├── infra-monitor.yaml  # Loki / Prometheus (+ post: Promtail)
│       ├── infra-net.yaml      # Nginx / CrowdSec / Tailscale
│       ├── infra-gitops.yaml   # Gitea (+ post: Gitea Actions / Flux Web)
│       └── apps.yaml           # Halo / RustDesk / Fillcode / SinceAI
├── infrastructure/
│   ├── sources/                # all HelmRepository definitions
│   ├── kube-system/            # CoreDNS customisation + NodeLocalDNS
│   ├── infra-devops/           # cert-manager, webhook-dnspod, reflector, velero
│   │   └── post/               # ClusterIssuer + cert-manager ServiceMonitor values
│   ├── infra-data/             # CNPG operator, Barman, Valkey
│   │   ├── post-1/             # PG Cluster / ObjectStore / databases / LB
│   │   └── post-2/             # Reflector secret annotations
│   ├── infra-net/              # ingress-nginx, CrowdSec, Tailscale DERP, certificates
│   │   └── post/               # CDN Ingress (depends on apps; breaks the cycle)
│   ├── infra-monitor/          # Loki, Prometheus+Grafana
│   │   └── post/               # Promtail (depends on infra-net; breaks the cycle)
│   └── infra-gitops/           # Gitea
│       └── post/               # Gitea Actions + flux-operator Web (OIDC/Ingress)
└── apps/                       # Halo, RustDesk, Whoami, certificates, Ingress
Deployment order
sources → secrets → kube-system → infra-devops → infra-data → infra-data-post-1 → infra-data-post-2
→ infra-monitor → infra-net → infra-devops-post
→ infra-monitor-post (Promtail)
→ infra-gitops
→ apps
→ infra-net-post (CDN Ingress)
→ infra-gitops-post (suspend=true, manually supplied credentials required)
Kustomizations are chained with dependsOn + wait: true, so each one waits for its predecessor to become Ready before applying; this prevents out-of-order application.
Post-deployment manual steps (infra-gitops-post)
infra-gitops-post is suspend: true by default, because it depends on two kinds of credentials that can only be obtained after Gitea is running:
- the OIDC client for Flux Operator Web
- the Gitea Actions Runner token
Steps:
1. Open https://git.dev.cm in a browser; the first registered account automatically becomes admin.
2. Create an OAuth2 application:
   - Site Administration → Integrations → Applications → Create OAuth2 Application
   - Redirect URI: https://cd.dev.cm/oauth2/callback
   - Record the Client ID and Client Secret.
3. Generate a Runner token:
   - Site Administration → Actions → Runners → Create new Runner → copy the registration token.
4. Update k3s/.env:
   FLUX_WEB_OIDC_CLIENT_ID=<step 2 client id>
   FLUX_WEB_OIDC_CLIENT_SECRET=<step 2 client secret>
   GITEA_ACTIONS_TOKEN=<step 3 token>
5. Re-inject the flux-env Secret and reconcile:
   kubectl -n infra-gitops create secret generic flux-env \
     --from-env-file=k3s/.env \
     --dry-run=client -o yaml | kubectl apply -f -
   flux reconcile kustomization secrets -n infra-gitops
   flux resume kustomization infra-gitops-post -n infra-gitops
   flux reconcile kustomization infra-gitops-post -n infra-gitops --with-source
6. Verify:
   kubectl -n infra-gitops get helmrelease gitea-actions
   kubectl -n infra-gitops get deploy flux-operator -o yaml | grep -A2 args   # should show --web-* flags
   curl -I https://cd.dev.cm   # served behind Gitea OIDC
Why split out the *-post layers?
infra-devops-post: on its first install cert-manager cannot depend on the ServiceMonitor CRD. The post layer delivers the ClusterIssuer and the optional values ConfigMap only once the monitoring stack is ready, which also avoids several Kustomizations managing the same HelmRelease.
infra-monitor-post (Promtail): Promtail depends on at least one Pod carrying the devcm-log-collecting/enabled label (ingress-nginx), while infra-net in turn depends on the CRDs from infra-monitor. Moving Promtail into the post layer with dependsOn: infra-net breaks that cycle.
infra-gitops-post (Gitea Actions + Flux Web): the credentials must be created by hand after Gitea is up, so this layer is split out and suspended by default to avoid blocking the bootstrap.
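As an added illustration of the dependsOn + wait: true chaining and the cycle-breaking post layers described above (example manifests, not the repository's own files), here are the two post Kustomizations as Flux objects. The GitRepository name flux-system, the namespaces of the dependency Kustomizations, the intervals and timeouts are assumptions; the paths follow the directory layout above.

```yaml
# Added example, not the repository's own manifests. Assumed: the Git source is a
# GitRepository named flux-system in namespace flux-system, and the Kustomizations
# referenced in dependsOn live in the namespaces shown here.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infra-monitor-post          # Promtail
  namespace: infra-monitor
spec:
  interval: 10m
  path: ./flux/infrastructure/infra-monitor/post
  prune: true
  wait: true                        # dependants are held until every resource here is Ready
  timeout: 5m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  dependsOn:
    # Promtail needs the labelled ingress-nginx Pod, so it waits on infra-net rather
    # than on infra-monitor alone; this is what breaks the infra-monitor <-> infra-net cycle.
    - name: infra-net
      namespace: infra-net
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infra-gitops-post           # Gitea Actions + flux-operator Web
  namespace: infra-gitops
spec:
  suspend: true                     # stays paused until the manual credential steps are done
  interval: 10m
  path: ./flux/infrastructure/infra-gitops/post
  prune: true
  wait: true
  timeout: 5m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  dependsOn:
    # Last link of the deployment order above; the namespace is assumed.
    - name: infra-net-post
      namespace: infra-net
```

With suspend: true in Git, a `flux resume` is only temporary: the next reconciliation of the parent Kustomization restores the suspended state unless the field is also changed in the repository.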