diff --git a/README.md b/README.md index dfbd7a9..48204db 100644 --- a/README.md +++ b/README.md @@ -185,20 +185,27 @@ docker-compose up -d Kubernetes manifests are located in the `k8s/` directory. -**1. Configure** - -The only env var in the ConfigMap is `PORT`. All other settings (Gitea connection, webhook secret, admin password, review engine, Feishu, etc.) are configured through the **Admin Dashboard Web UI** after deployment — they are auto-seeded with secure defaults on first boot. - -Ensure persistent storage is configured for the `/app/data` directory to retain the SQLite database and encryption key. - -**2. Deploy** -**3. Deploy** +**1. Create the encryption secret** ```bash -# Using Kustomize (recommended) -kubectl apply -k k8s/ +# Generate a key and create the secret +kubectl apply -f k8s/namespace.yaml +ENCRYPTION_KEY=$(openssl rand -hex 32) +kubectl -n gitea-assistant create secret generic gitea-assistant-secret \ + --from-literal=ENCRYPTION_KEY=$ENCRYPTION_KEY +# Save this key! You'll need it if you ever redeploy. +echo "Your ENCRYPTION_KEY: $ENCRYPTION_KEY" +``` -# Or apply individually +**2. Deploy** + +```bash +kubectl apply -k k8s/ +``` + +Or apply individually: + +```bash kubectl apply -f k8s/namespace.yaml kubectl apply -f k8s/qdrant.yaml kubectl apply -f k8s/gitea-assistant.yaml diff --git a/docs/README.zh-CN.md b/docs/README.zh-CN.md index 0c4ea94..c606208 100644 --- a/docs/README.zh-CN.md +++ b/docs/README.zh-CN.md 
@@ -185,20 +185,27 @@ docker-compose up -d Kubernetes 部署清单位于 `k8s/` 目录。 -**1. 配置** - -ConfigMap 中唯一的环境变量是 `PORT`。所有其他设置(Gitea 连接、Webhook 密钥、管理员密码、审查引擎、飞书等)均在部署后通过 **Web 管理后台** 配置,首次启动时自动以安全默认值初始化。 - -请确保为 `/app/data` 目录配置持久化存储,以保留 SQLite 数据库和加密密钥。 - -**2. 部署** -**3. 部署** +**1. 创建加密密钥** ```bash -# 使用 Kustomize(推荐) -kubectl apply -k k8s/ +# 生成密钥并创建 Secret +kubectl apply -f k8s/namespace.yaml +ENCRYPTION_KEY=$(openssl rand -hex 32) +kubectl -n gitea-assistant create secret generic gitea-assistant-secret \ + --from-literal=ENCRYPTION_KEY=$ENCRYPTION_KEY +# 请保存此密钥!重新部署时需要使用。 +echo "你的 ENCRYPTION_KEY: $ENCRYPTION_KEY" +``` -# 或逐个应用 +**2. 部署** + +```bash +kubectl apply -k k8s/ +``` + +或逐个应用: + +```bash kubectl apply -f k8s/namespace.yaml kubectl apply -f k8s/qdrant.yaml kubectl apply -f k8s/gitea-assistant.yaml diff --git a/k8s/gitea-assistant.yaml b/k8s/gitea-assistant.yaml index afacb52..68ccc06 100644 --- a/k8s/gitea-assistant.yaml +++ b/k8s/gitea-assistant.yaml @@ -1,18 +1,3 @@ ---- -# Secret: sensitive configuration (create before deploying) -# Generate a 64-char hex key: openssl rand -hex 32 -apiVersion: v1 -kind: Secret -metadata: - name: gitea-assistant-secret - namespace: gitea-assistant - labels: - app.kubernetes.io/name: gitea-assistant - app.kubernetes.io/part-of: gitea-assistant -type: Opaque -stringData: - ENCRYPTION_KEY: "" # REQUIRED: run `openssl rand -hex 32` and paste here - --- # ConfigMap: only infrastructure-level env vars that must be known before DB init apiVersion: v1 diff --git a/k8s/kustomization.yaml b/k8s/kustomization.yaml index 8a088a3..50bfd61 100644 --- a/k8s/kustomization.yaml +++ b/k8s/kustomization.yaml @@ -5,5 +5,6 @@ namespace: gitea-assistant resources: - namespace.yaml + - secret.yaml - qdrant.yaml - gitea-assistant.yaml diff --git a/k8s/secret.yaml b/k8s/secret.yaml new file mode 100644 index 0000000..9b66f21 --- /dev/null +++ b/k8s/secret.yaml 
@@ -0,0 +1,13 @@ +# IMPORTANT: Fill in ENCRYPTION_KEY before running kubectl apply -k k8s/ +# Generate a key: openssl rand -hex 32 +apiVersion: v1 +kind: Secret +metadata: + name: gitea-assistant-secret + namespace: gitea-assistant + labels: + app.kubernetes.io/name: gitea-assistant + app.kubernetes.io/part-of: gitea-assistant +type: Opaque +stringData: + ENCRYPTION_KEY: "" # REQUIRED: paste your key here
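Review bot: In the README.md hunk, step 2 (`kubectl apply -k k8s/`) undoes step 1: the same patch adds `secret.yaml` to `kustomization.yaml` with `ENCRYPTION_KEY: ""`, so the apply overwrites the key that `kubectl -n gitea-assistant create secret generic gitea-assistant-secret` just created. Either keep the secret out of the kustomization resources and leave step 1 as the only way it is created, or make step 1 write the generated key into the file that kustomize applies. Two smaller points in the same hunk: the removed paragraph "Ensure persistent storage is configured for the `/app/data` directory to retain the SQLite database and encryption key" has no replacement, and that requirement still holds for the SQLite database, so please keep a storage sentence in the new step list; and `echo "Your ENCRYPTION_KEY: $ENCRYPTION_KEY"` prints the key into the terminal scrollback and any CI log, so prefer telling the user to back up the Secret (for example with `kubectl get secret ... -o yaml`) rather than echoing the raw value.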
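Review bot: The docs/README.zh-CN.md hunk mirrors the English steps exactly, including the step 1 / step 2 ordering problem where `kubectl apply -k k8s/` re-applies the empty placeholder Secret; whatever fix lands in README.md needs the same change here so the two guides stay consistent. The removed line about persistent storage for `/app/data` (SQLite database) should likewise be restored in this file.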
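Review bot: Removing the Secret from k8s/gitea-assistant.yaml is fine only if the Deployment later in this file still reads `gitea-assistant-secret` / `ENCRYPTION_KEY` through a `secretKeyRef` with the same name; that consumer is not visible in this hunk, so please confirm it, and note that the removed comment "create before deploying" was the only place that told a reader the Secret must exist before the pod starts, so that ordering note should move to wherever the secret now lives.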
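Review bot: Adding `- secret.yaml` to `resources:` in k8s/kustomization.yaml means a tracked manifest is expected to hold the real key, and every `kubectl apply -k` re-applies whatever is in that file (the committed placeholder, or a pasted key that is then one `git add` away from the repository). A kustomize `secretGenerator` that reads an untracked env file avoids both, e.g. `secretGenerator:` / `  - name: gitea-assistant-secret` / `    envs: [secret.env]` together with `generatorOptions: { disableNameSuffixHash: true }` so the Deployment's fixed secret name keeps resolving, and `secret.env` listed in `.gitignore`.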
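Review bot: In the new k8s/secret.yaml, `ENCRYPTION_KEY: ""` is applied as-is when the user forgets to edit the file, so `kubectl apply -k k8s/` silently creates a Secret with an empty key instead of failing; the header comment "Fill in ENCRYPTION_KEY before running kubectl apply -k k8s/" also contradicts README step 1 in this same patch, which creates the Secret with `kubectl create secret generic` and never mentions editing this file. If the file is kept, ship it as `secret.yaml.example` (not listed in kustomization) with the real `secret.yaml` gitignored, and have the README say which of the two paths is the supported one.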