fix(deploy): hardcode PVC name as shared-data in templates, remove pvcName Helm value

PVC name is now immutable — hardcoded in all 4 deployment templates instead
of being a configurable Helm value. Removed pvcName from values.yaml and
--set pvcName from deploy.sh. This ensures the PVC can never be renamed or
deleted by Helm operations, only manually via kubectl.
ZhenYi 2026-05-12 16:36:13 +08:00
parent dc193a061a
commit 8be15cb81e
7 changed files with 48 additions and 50 deletions

@ -65,7 +65,6 @@ if ! helm upgrade --install "$RELEASE" "$CHART_DIR" \
--set imageRegistry="$REGISTRY" \
--set imageTag="$TAG" \
--set configMapName="$CONFIG_MAP" \
--set pvcName="$PVC_NAME" \
--timeout 5m; then
echo ""
err "Deployment FAILED — release preserved for debugging.
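
Review bot: With `--set pvcName="$PVC_NAME"` dropped from the `helm upgrade --install` call, check whether `PVC_NAME` is still assigned or accepted as an environment override earlier in the script. If it is, it is now a silent no-op, and an operator who exports it will believe the release mounts a different claim. Remove the variable as well, or have the script exit with an error when it is set to anything other than `shared-data`.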

@ -4,18 +4,19 @@ Monolithic Helm chart for all backend services.
## Services
| Service | Port(s) | Replicas | HPA | Purpose |
|---|---|---|---|---|
| `app` | 3000 (HTTP) | 2 | 210 | Main API server |
| `gitserver` | 8021 (HTTP), 2222 (SSH) | 1 | 15 | Git HTTP + SSH server |
| `email_worker` | 8084 (HTTP) | 1 | disabled | Email queue consumer (single instance only) |
| `git_hook` | 8083 (HTTP) | 1 | 15 | Git hook worker pool |
| `metrics_aggregator` | 9090 (HTTP) | 1 | 15 | Prometheus scrape + Loki push |
| `static_server` | 8081 (HTTP) | 1 | 15 | Static file server (avatars, blobs, media) |
| Service | Port(s) | Replicas | HPA | Purpose |
|----------------------|-------------------------|----------|----------|---------------------------------------------|
| `app` | 3000 (HTTP) | 2 | 210 | Main API server |
| `gitserver` | 8021 (HTTP), 2222 (SSH) | 1 | 15 | Git HTTP + SSH server |
| `email_worker` | 8084 (HTTP) | 1 | disabled | Email queue consumer (single instance only) |
| `git_hook` | 8083 (HTTP) | 1 | 15 | Git hook worker pool |
| `metrics_aggregator` | 9090 (HTTP) | 1 | 15 | Prometheus scrape + Loki push |
| `static_server` | 8081 (HTTP) | 1 | 15 | Static file server (avatars, blobs, media) |
## Prerequisites
The following resources must exist in the cluster **before** installing the Helm chart. They are not managed by Helm — install, upgrade, and uninstall of the chart will not touch them.
The following resources must exist in the cluster **before** installing the Helm chart. They are not managed by Helm —
install, upgrade, and uninstall of the chart will not touch them.
### 1. Namespace
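
Review bot: The Services table re-alignment and the re-wrapped Prerequisites paragraph are whitespace-only and unrelated to the PVC change, which makes the storage-relevant edits in this file harder to find in review; split the formatting into its own commit. If the rows are rewritten anyway, the HPA column values `210` and `15` would be clearer written as explicit minimum and maximum replica bounds.
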
@ -23,7 +24,7 @@ The following resources must exist in the cluster **before** installing the Helm
kubectl create namespace app
```
### 2. PVC (aliyun-nfs, 200Ti, ReadWriteMany)
### 2. PVC (aliyun-nfs-app, 200Ti, ReadWriteMany)
```bash
kubectl apply -f - <<'EOF'
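
Review bot: The heading changes the storage class from `aliyun-nfs` to `aliyun-nfs-app`, and the commit message only talks about the PVC name. A claim that already exists keeps the storage class it was created with, so clusters set up from the previous README will not match this text. Either move the storage class rename to a separate commit with its own explanation, or add a line here saying which class existing installations are expected to have.
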
@ -38,11 +39,12 @@ spec:
resources:
requests:
storage: 200Ti
storageClassName: aliyun-nfs
storageClassName: aliyun-nfs-app
EOF
```
> The chart references this PVC by name. If you use a different name, pass `--set pvcName=your-pvc-name` to Helm.
> The chart references this PVC by hardcoded name `shared-data`. This name is immutable — it cannot be changed via Helm
> values.
### 3. ConfigMap
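
Review bot: The replacement note at the end of this hunk states that the name is fixed but not what an operator with a differently named claim has to do. The removed line advertised `--set pvcName=your-pvc-name`, so this is a breaking change for anyone who used it. Add a sentence saying that a PVC named `shared-data` must already exist in the release namespace before install, and that deployments using another claim name have to recreate the claim under that name before upgrading.
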
@ -71,23 +73,23 @@ data:
EOF
```
| Variable | Default / Example | Required |
|---|---|---|
| `APP_REPOS_ROOT` | `/data/repos` | Yes |
| `APP_AVATAR_PATH` | `/data/avatars` | Yes |
| `STORAGE_PATH` | `/data/files` | Yes |
| `STATIC_ROOT` | `/data` | Yes |
| `APP_LOG_LEVEL` | `info` | No |
| `APP_COOKIE_SECURE` | `false` | No |
| `APP_DOMAIN_URL` | `https://your-domain.com` | Yes |
| `APP_DATABASE_URL` | `postgres://...` | **Yes** |
| `APP_REDIS_URL` | `redis://...` | **Yes** |
| `APP_AI_BASIC_URL` | `https://api.openai.com/v1` | **Yes** |
| `APP_AI_API_KEY` | `sk-...` | **Yes** |
| `APP_SMTP_PASSWORD` | `...` | **Yes** |
| `APP_SESSION_SECRET` | min 32 bytes | **Yes** |
| `APP_SSH_SERVER_PRIVATE_KEY` | hex-encoded PEM | **Yes** |
| `APP_SSH_PORT` | `2222` | Yes (k8s) |
| Variable | Default / Example | Required |
|------------------------------|-----------------------------|-----------|
| `APP_REPOS_ROOT` | `/data/repos` | Yes |
| `APP_AVATAR_PATH` | `/data/avatars` | Yes |
| `STORAGE_PATH` | `/data/files` | Yes |
| `STATIC_ROOT` | `/data` | Yes |
| `APP_LOG_LEVEL` | `info` | No |
| `APP_COOKIE_SECURE` | `false` | No |
| `APP_DOMAIN_URL` | `https://your-domain.com` | Yes |
| `APP_DATABASE_URL` | `postgres://...` | **Yes** |
| `APP_REDIS_URL` | `redis://...` | **Yes** |
| `APP_AI_BASIC_URL` | `https://api.openai.com/v1` | **Yes** |
| `APP_AI_API_KEY` | `sk-...` | **Yes** |
| `APP_SMTP_PASSWORD` | `...` | **Yes** |
| `APP_SESSION_SECRET` | min 32 bytes | **Yes** |
| `APP_SSH_SERVER_PRIVATE_KEY` | hex-encoded PEM | **Yes** |
| `APP_SSH_PORT` | `2222` | Yes (k8s) |
> **SSH host key**: `APP_SSH_SERVER_PRIVATE_KEY` must be the hex-encoded Ed25519 private key PEM bytes.
> ```bash
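
Review bot: The re-aligned variable table still documents `APP_DATABASE_URL`, `APP_AI_API_KEY`, `APP_SMTP_PASSWORD`, `APP_SESSION_SECRET` and `APP_SSH_SERVER_PRIVATE_KEY` as entries of the ConfigMap from section 3. ConfigMap data is stored and displayed in plain text and is usually readable by far more principals than Secrets are. Since these rows are being rewritten, move the credential rows to a Kubernetes Secret and document that instead. The `APP_COOKIE_SECURE` example of `false` next to an `https://` `APP_DOMAIN_URL` also deserves a note that production should set it to `true`.
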
@ -127,16 +129,17 @@ helm upgrade --install deploy ./deploy \
All services share a single PVC (`shared-data`) via `subPath` mounts:
| SubPath | Mount | Used By |
|---|---|---|
| `repos` | `/data/repos` | app, gitserver, git-hook |
| `avatars` | `/data/avatars` | app |
| `files` | `/data/files` | app |
| `static` | `/data` | static-server |
| SubPath | Mount | Used By |
|-----------|-----------------|--------------------------|
| `repos` | `/data/repos` | app, gitserver, git-hook |
| `avatars` | `/data/avatars` | app |
| `files` | `/data/files` | app |
| `static` | `/data` | static-server |
## Autoscaling
All services except `email_worker` have HPA enabled by default. The email worker is fixed at 1 replica and must not be scaled.
All services except `email_worker` have HPA enabled by default. The email worker is fixed at 1 replica and must not be
scaled.
To adjust HPA bounds per service:
@ -175,10 +178,10 @@ All services require these to be reachable from the cluster:
Optional dependencies with graceful degradation:
| Dependency | Variable | Fallback |
|---|---|---|
| NATS JetStream | `NATS_URL` + `NATS_TOKEN` | Redis queue |
| Loki | `LOKI_URL` | Logs discarded |
| Dependency | Variable | Fallback |
|----------------|-------------------------------|------------------|
| NATS JetStream | `NATS_URL` + `NATS_TOKEN` | Redis queue |
| Loki | `LOKI_URL` | Logs discarded |
| OTEL Collector | `OTEL_EXPORTER_OTLP_ENDPOINT` | Tracing disabled |
## Production Example
@ -193,6 +196,5 @@ helm upgrade --install deploy ./deploy \
--set ingress.enabled=true \
--set ingress.className=nginx \
--set ingress.hosts[0].host=your-domain.com \
--set configMapName=app-env \
--set pvcName=shared-data
--set configMapName=app-env
```

@ -74,7 +74,7 @@ spec:
volumes:
- name: shared-data
persistentVolumeClaim:
claimName: {{ .Values.pvcName }}
claimName: shared-data
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
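
Review bot: Hardcoding `claimName: shared-data` means a stale `--set pvcName=...` from an older script or CI job is accepted by Helm and silently ignored, so the release mounts `shared-data` while the caller expects another claim. Add a guard that aborts rendering when `.Values.pvcName` is set (Helm's `fail` function), or a `values.schema.json` that rejects unknown top-level keys, so the mismatch is reported at deploy time.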

@ -63,7 +63,7 @@ spec:
volumes:
- name: shared-data
persistentVolumeClaim:
claimName: {{ .Values.pvcName }}
claimName: shared-data
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}

@ -73,7 +73,7 @@ spec:
volumes:
- name: shared-data
persistentVolumeClaim:
claimName: {{ .Values.pvcName }}
claimName: shared-data
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}

@ -63,7 +63,7 @@ spec:
volumes:
- name: shared-data
persistentVolumeClaim:
claimName: {{ .Values.pvcName }}
claimName: shared-data
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
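
Review bot: The literal `shared-data` at `claimName:` is now repeated in four templates, so a later change has to touch all of them and a missed one leaves a single service on a different claim. Define the name once as a named template in the chart's helpers file and include it at each `claimName:`. That keeps it out of user-settable values while giving the chart one source of truth.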

@ -153,9 +153,6 @@ gingress:
cpu: 500m
memory: 512Mi
# External PVC (managed outside Helm — not deleted on uninstall)
pvcName: "shared-data"
# Ingress — handled by gingress controller
ingress:
enabled: true
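
Review bot: Removing `pvcName` also removes the comment `# External PVC (managed outside Helm — not deleted on uninstall)`, which was the only statement in values.yaml that the chart depends on a pre-existing claim. Keep a comment in its place saying that the templates expect a PVC named `shared-data` created outside the chart. Note also that the protection from `helm uninstall` comes from the claim not being a chart resource, which was already the case before this change; the commit message attributes it to the hardcoding.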