refactor: replace master.key file with ENCRYPTION_KEY env var and fix k8s deployment

- Replace file-based master key (data/master.key) with ENCRYPTION_KEY env var (hex-encoded) - App now requires ENCRYPTION_KEY to start, removing MASTER_KEY_PATH entirely - Fix k8s: add missing gitea-assistant-data volume, replace PVC with hostPath for single-node - Fix k8s: change qdrant from StatefulSet+PVC to Deployment+hostPath - Add K8s Secret for ENCRYPTION_KEY injection - Update all tests, .env.example, and documentation
2026-03-27 10:05:50 +00:00 · 2026-03-05 15:24:08 +08:00
parent 9b063afba0
commit 0bc147cbc5
12 changed files with 129 additions and 167 deletions
--- a/k8s/gitea-assistant.yaml
+++ b/k8s/gitea-assistant.yaml
@@ -1,3 +1,18 @@
+---
+# Secret: sensitive configuration (create before deploying)
+# Generate a 64-char hex key: openssl rand -hex 32
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-assistant-secret
+  namespace: gitea-assistant
+  labels:
+    app.kubernetes.io/name: gitea-assistant
+    app.kubernetes.io/part-of: gitea-assistant
+type: Opaque
+stringData:
+  ENCRYPTION_KEY: "" # REQUIRED: run `openssl rand -hex 32` and paste here
+
 ---
 # ConfigMap: only infrastructure-level env vars that must be known before DB init
 apiVersion: v1
@@ -43,6 +58,8 @@ spec:
          envFrom:
            - configMapRef:
                name: gitea-assistant-config
+            - secretRef:
+                name: gitea-assistant-secret
          resources:
            limits:
              memory: "512Mi"
@@ -70,8 +87,10 @@ spec:
            failureThreshold: 3
      volumes:
        - name: data
-          persistentVolumeClaim:
-            claimName: gitea-assistant-data
+          hostPath:
+            # Customize this path to match your node's storage layout
+            path: /opt/gitea-assistant/data
+            type: DirectoryOrCreate

 ---
 apiVersion: v1
--- a/k8s/qdrant.yaml
+++ b/k8s/qdrant.yaml
@@ -1,22 +1,6 @@
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: qdrant-data
-  namespace: gitea-assistant
-  labels:
-    app.kubernetes.io/name: qdrant
-    app.kubernetes.io/part-of: gitea-assistant
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 10Gi
-
 ---
 apiVersion: apps/v1
-kind: StatefulSet
+kind: Deployment
 metadata:
  name: qdrant
  namespace: gitea-assistant
@@ -24,7 +8,6 @@ metadata:
    app.kubernetes.io/name: qdrant
    app.kubernetes.io/part-of: gitea-assistant
 spec:
-  serviceName: qdrant
  replicas: 1
  selector:
    matchLabels:
@@ -72,8 +55,10 @@ spec:
            failureThreshold: 3
      volumes:
        - name: qdrant-storage
-          persistentVolumeClaim:
-            claimName: qdrant-data
+          hostPath:
+            # Customize this path to match your node's storage layout
+            path: /opt/gitea-assistant/qdrant
+            type: DirectoryOrCreate

 ---
 apiVersion: v1