fix(k8s): extract Secret to separate file to fix kustomize apply

- Move ENCRYPTION_KEY Secret from gitea-assistant.yaml to k8s/secret.yaml
- Add secret.yaml to kustomization.yaml resources
- Update deployment docs with secret creation step

README.md

@@ -185,20 +185,27 @@ docker-compose up -d
 
 Kubernetes manifests are located in the `k8s/` directory.
 
-**1. Configure**
-
-The only env var in the ConfigMap is `PORT`. All other settings (Gitea connection, webhook secret, admin password, review engine, Feishu, etc.) are configured through the **Admin Dashboard Web UI** after deployment — they are auto-seeded with secure defaults on first boot.
-
-Ensure persistent storage is configured for the `/app/data` directory to retain the SQLite database and encryption key.
-
-**2. Deploy**
-**3. Deploy**
+**1. Create the encryption secret**
 
 ```bash
-# Using Kustomize (recommended)
-kubectl apply -k k8s/
+# Generate a key and create the secret
+kubectl apply -f k8s/namespace.yaml
+ENCRYPTION_KEY=$(openssl rand -hex 32)
+kubectl -n gitea-assistant create secret generic gitea-assistant-secret \
+  --from-literal=ENCRYPTION_KEY=$ENCRYPTION_KEY
+# Save this key! You'll need it if you ever redeploy.
+echo "Your ENCRYPTION_KEY: $ENCRYPTION_KEY"
+```
 
-# Or apply individually
+**2. Deploy**
+
+```bash
+kubectl apply -k k8s/
+```
+
+Or apply individually:
+
+```bash
 kubectl apply -f k8s/namespace.yaml
 kubectl apply -f k8s/qdrant.yaml
 kubectl apply -f k8s/gitea-assistant.yaml

docs/README.zh-CN.md

@@ -185,20 +185,27 @@ docker-compose up -d
 
 Kubernetes 部署清单位于 `k8s/` 目录。
 
-**1. 配置**
-
-ConfigMap 中唯一的环境变量是 `PORT`。所有其他设置（Gitea 连接、Webhook 密钥、管理员密码、审查引擎、飞书等）均在部署后通过 **Web 管理后台** 配置，首次启动时自动以安全默认值初始化。
-
-请确保为 `/app/data` 目录配置持久化存储，以保留 SQLite 数据库和加密密钥。
-
-**2. 部署**
-**3. 部署**
+**1. 创建加密密钥**
 
 ```bash
-# 使用 Kustomize（推荐）
-kubectl apply -k k8s/
+# 生成密钥并创建 Secret
+kubectl apply -f k8s/namespace.yaml
+ENCRYPTION_KEY=$(openssl rand -hex 32)
+kubectl -n gitea-assistant create secret generic gitea-assistant-secret \
+  --from-literal=ENCRYPTION_KEY=$ENCRYPTION_KEY
+# 请保存此密钥！重新部署时需要使用。
+echo "你的 ENCRYPTION_KEY: $ENCRYPTION_KEY"
+```
 
-# 或逐个应用
+**2. 部署**
+
+```bash
+kubectl apply -k k8s/
+```
+
+或逐个应用：
+
+```bash
 kubectl apply -f k8s/namespace.yaml
 kubectl apply -f k8s/qdrant.yaml
 kubectl apply -f k8s/gitea-assistant.yaml

k8s/gitea-assistant.yaml

@@ -1,18 +1,3 @@
----
-# Secret: sensitive configuration (create before deploying)
-# Generate a 64-char hex key: openssl rand -hex 32
-apiVersion: v1
-kind: Secret
-metadata:
-  name: gitea-assistant-secret
-  namespace: gitea-assistant
-  labels:
-    app.kubernetes.io/name: gitea-assistant
-    app.kubernetes.io/part-of: gitea-assistant
-type: Opaque
-stringData:
-  ENCRYPTION_KEY: "" # REQUIRED: run `openssl rand -hex 32` and paste here
-
 ---
 # ConfigMap: only infrastructure-level env vars that must be known before DB init
 apiVersion: v1

k8s/kustomization.yaml

@@ -5,5 +5,6 @@ namespace: gitea-assistant
 
 resources:
   - namespace.yaml
+  - secret.yaml
   - qdrant.yaml
   - gitea-assistant.yaml

k8s/secret.yaml

@@ -0,0 +1,13 @@
+# IMPORTANT: Fill in ENCRYPTION_KEY before running kubectl apply -k k8s/
+# Generate a key:  openssl rand -hex 32
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-assistant-secret
+  namespace: gitea-assistant
+  labels:
+    app.kubernetes.io/name: gitea-assistant
+    app.kubernetes.io/part-of: gitea-assistant
+type: Opaque
+stringData:
+  ENCRYPTION_KEY: "" # REQUIRED: paste your key here