fix(deploy): hardcode PVC name as shared-data in templates, remove pvcName Helm value

PVC name is now immutable — hardcoded in all 4 deployment templates instead of being a configurable Helm value. Removed pvcName from values.yaml and --set pvcName from deploy.sh. This ensures the PVC can never be renamed or deleted by Helm operations, only manually via kubectl.
2026-05-12 16:36:13 +08:00 · 2026-05-12 16:36:13 +08:00 · 8be15cb81e
commit 8be15cb81e
parent dc193a061a
7 changed files with 48 additions and 50 deletions
--- a/deploy.sh
+++ b/deploy.sh
@ -65,7 +65,6 @@ if ! helm upgrade --install "$RELEASE" "$CHART_DIR" \
    --set imageRegistry="$REGISTRY" \
    --set imageTag="$TAG" \
    --set configMapName="$CONFIG_MAP" \
    --set pvcName="$PVC_NAME" \
    --timeout 5m; then
    echo ""
    err "Deployment FAILED — release preserved for debugging.
--- a/deploy/README.md
+++ b/deploy/README.md
@ -4,18 +4,19 @@ Monolithic Helm chart for all backend services.
 ## Services
-| Service | Port(s) | Replicas | HPA | Purpose |
+| Service              | Port(s)                 | Replicas | HPA      | Purpose                                     |
-|---|---|---|---|---|
+|----------------------|-------------------------|----------|----------|---------------------------------------------|
-| `app` | 3000 (HTTP) | 2 | 2–10 | Main API server |
+| `app`                | 3000 (HTTP)             | 2        | 2–10     | Main API server                             |
-| `gitserver` | 8021 (HTTP), 2222 (SSH) | 1 | 1–5 | Git HTTP + SSH server |
+| `gitserver`          | 8021 (HTTP), 2222 (SSH) | 1        | 1–5      | Git HTTP + SSH server                       |
-| `email_worker` | 8084 (HTTP) | 1 | disabled | Email queue consumer (single instance only) |
+| `email_worker`       | 8084 (HTTP)             | 1        | disabled | Email queue consumer (single instance only) |
-| `git_hook` | 8083 (HTTP) | 1 | 1–5 | Git hook worker pool |
+| `git_hook`           | 8083 (HTTP)             | 1        | 1–5      | Git hook worker pool                        |
-| `metrics_aggregator` | 9090 (HTTP) | 1 | 1–5 | Prometheus scrape + Loki push |
+| `metrics_aggregator` | 9090 (HTTP)             | 1        | 1–5      | Prometheus scrape + Loki push               |
-| `static_server` | 8081 (HTTP) | 1 | 1–5 | Static file server (avatars, blobs, media) |
+| `static_server`      | 8081 (HTTP)             | 1        | 1–5      | Static file server (avatars, blobs, media)  |
 ## Prerequisites
-The following resources must exist in the cluster **before** installing the Helm chart. They are not managed by Helm — install, upgrade, and uninstall of the chart will not touch them.
+The following resources must exist in the cluster **before** installing the Helm chart. They are not managed by Helm —
 install, upgrade, and uninstall of the chart will not touch them.
 ### 1. Namespace
@ -23,7 +24,7 @@ The following resources must exist in the cluster **before** installing the Helm
 kubectl create namespace app
 ```
-### 2. PVC (aliyun-nfs, 200Ti, ReadWriteMany)
+### 2. PVC (aliyun-nfs-app, 200Ti, ReadWriteMany)
 ```bash
 kubectl apply -f - <<'EOF'
@ -38,11 +39,12 @@ spec:
  resources:
    requests:
      storage: 200Ti
-  storageClassName: aliyun-nfs
+  storageClassName: aliyun-nfs-app
 EOF
 ```
-> The chart references this PVC by name. If you use a different name, pass `--set pvcName=your-pvc-name` to Helm.
+> The chart references this PVC by hardcoded name `shared-data`. This name is immutable — it cannot be changed via Helm
 > values.
 ### 3. ConfigMap
@ -71,23 +73,23 @@ data:
 EOF
 ```
-| Variable | Default / Example | Required |
+| Variable                     | Default / Example           | Required  |
-|---|---|---|
+|------------------------------|-----------------------------|-----------|
-| `APP_REPOS_ROOT` | `/data/repos` | Yes |
+| `APP_REPOS_ROOT`             | `/data/repos`               | Yes       |
-| `APP_AVATAR_PATH` | `/data/avatars` | Yes |
+| `APP_AVATAR_PATH`            | `/data/avatars`             | Yes       |
-| `STORAGE_PATH` | `/data/files` | Yes |
+| `STORAGE_PATH`               | `/data/files`               | Yes       |
-| `STATIC_ROOT` | `/data` | Yes |
+| `STATIC_ROOT`                | `/data`                     | Yes       |
-| `APP_LOG_LEVEL` | `info` | No |
+| `APP_LOG_LEVEL`              | `info`                      | No        |
-| `APP_COOKIE_SECURE` | `false` | No |
+| `APP_COOKIE_SECURE`          | `false`                     | No        |
-| `APP_DOMAIN_URL` | `https://your-domain.com` | Yes |
+| `APP_DOMAIN_URL`             | `https://your-domain.com`   | Yes       |
-| `APP_DATABASE_URL` | `postgres://...` | **Yes** |
+| `APP_DATABASE_URL`           | `postgres://...`            | **Yes**   |
-| `APP_REDIS_URL` | `redis://...` | **Yes** |
+| `APP_REDIS_URL`              | `redis://...`               | **Yes**   |
-| `APP_AI_BASIC_URL` | `https://api.openai.com/v1` | **Yes** |
+| `APP_AI_BASIC_URL`           | `https://api.openai.com/v1` | **Yes**   |
-| `APP_AI_API_KEY` | `sk-...` | **Yes** |
+| `APP_AI_API_KEY`             | `sk-...`                    | **Yes**   |
-| `APP_SMTP_PASSWORD` | `...` | **Yes** |
+| `APP_SMTP_PASSWORD`          | `...`                       | **Yes**   |
-| `APP_SESSION_SECRET` | min 32 bytes | **Yes** |
+| `APP_SESSION_SECRET`         | min 32 bytes                | **Yes**   |
-| `APP_SSH_SERVER_PRIVATE_KEY` | hex-encoded PEM | **Yes** |
+| `APP_SSH_SERVER_PRIVATE_KEY` | hex-encoded PEM             | **Yes**   |
-| `APP_SSH_PORT` | `2222` | Yes (k8s) |
+| `APP_SSH_PORT`               | `2222`                      | Yes (k8s) |
 > **SSH host key**: `APP_SSH_SERVER_PRIVATE_KEY` must be the hex-encoded Ed25519 private key PEM bytes.
 > ```bash
@ -127,16 +129,17 @@ helm upgrade --install deploy ./deploy \
 All services share a single PVC (`shared-data`) via `subPath` mounts:
-| SubPath | Mount | Used By |
+| SubPath   | Mount           | Used By                  |
-|---|---|---|
+|-----------|-----------------|--------------------------|
-| `repos` | `/data/repos` | app, gitserver, git-hook |
+| `repos`   | `/data/repos`   | app, gitserver, git-hook |
-| `avatars` | `/data/avatars` | app |
+| `avatars` | `/data/avatars` | app                      |
-| `files` | `/data/files` | app |
+| `files`   | `/data/files`   | app                      |
-| `static` | `/data` | static-server |
+| `static`  | `/data`         | static-server            |
 ## Autoscaling
-All services except `email_worker` have HPA enabled by default. The email worker is fixed at 1 replica and must not be scaled.
+All services except `email_worker` have HPA enabled by default. The email worker is fixed at 1 replica and must not be
 scaled.
 To adjust HPA bounds per service:
@ -175,10 +178,10 @@ All services require these to be reachable from the cluster:
 Optional dependencies with graceful degradation:
-| Dependency | Variable | Fallback |
+| Dependency     | Variable                      | Fallback         |
-|---|---|---|
+|----------------|-------------------------------|------------------|
-| NATS JetStream | `NATS_URL` + `NATS_TOKEN` | Redis queue |
+| NATS JetStream | `NATS_URL` + `NATS_TOKEN`     | Redis queue      |
-| Loki | `LOKI_URL` | Logs discarded |
+| Loki           | `LOKI_URL`                    | Logs discarded   |
 | OTEL Collector | `OTEL_EXPORTER_OTLP_ENDPOINT` | Tracing disabled |
 ## Production Example
@ -193,6 +196,5 @@ helm upgrade --install deploy ./deploy \
  --set ingress.enabled=true \
  --set ingress.className=nginx \
  --set ingress.hosts[0].host=your-domain.com \
-  --set configMapName=app-env \
+  --set configMapName=app-env
  --set pvcName=shared-data
 ```
--- a/deploy/templates/app/deployment.yaml
+++ b/deploy/templates/app/deployment.yaml
@ -74,7 +74,7 @@ spec:
      volumes:
        - name: shared-data
          persistentVolumeClaim:
-            claimName: {{ .Values.pvcName }}
+            claimName: shared-data
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
--- a/deploy/templates/git_hook/deployment.yaml
+++ b/deploy/templates/git_hook/deployment.yaml
@ -63,7 +63,7 @@ spec:
      volumes:
        - name: shared-data
          persistentVolumeClaim:
-            claimName: {{ .Values.pvcName }}
+            claimName: shared-data
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
--- a/deploy/templates/gitserver/deployment.yaml
+++ b/deploy/templates/gitserver/deployment.yaml
@ -73,7 +73,7 @@ spec:
      volumes:
        - name: shared-data
          persistentVolumeClaim:
-            claimName: {{ .Values.pvcName }}
+            claimName: shared-data
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
--- a/deploy/templates/static_server/deployment.yaml
+++ b/deploy/templates/static_server/deployment.yaml
@ -63,7 +63,7 @@ spec:
      volumes:
        - name: shared-data
          persistentVolumeClaim:
-            claimName: {{ .Values.pvcName }}
+            claimName: shared-data
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
--- a/deploy/values.yaml
+++ b/deploy/values.yaml
@ -153,9 +153,6 @@ gingress:
      cpu: 500m
      memory: 512Mi
 # External PVC (managed outside Helm — not deleted on uninstall)
 pvcName: "shared-data"
 # Ingress — handled by gingress controller
 ingress:
  enabled: true