From e5a87cc65f8e285bb4f61faebdeb57c95bfa1938 Mon Sep 17 00:00:00 2001
From: Fam Zheng <fam@euphon.net>
Date: Sun, 17 May 2026 22:28:19 +0100
Subject: [PATCH] =?UTF-8?q?notes(feishu):=20lark-cli=20config=20=E4=BB=8E?=
 =?UTF-8?q?=20secret=20cp=20=E5=88=B0=20PVC=20=E5=AD=90=E7=9B=AE=E5=BD=95?=
 =?UTF-8?q?=EF=BC=8C=E5=8F=AF=E8=AF=BB=E5=8F=AF=E5=86=99=20+=20=E9=87=8D?=
 =?UTF-8?q?=E5=90=AF=E4=BF=9D=E7=95=99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

initContainer cp /secrets/lark-cli/config.json → /data/lark-cli/config.json
（已存在不覆盖，保留运行时 refresh 过的 token）；feishu sidecar 主容器
subPath mount data PVC 的 lark-cli/ 到 /root/.lark-cli，lark-cli 写 cache、
refresh 都落 PVC。
---
 apps/notes/k8s/all.yaml | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/apps/notes/k8s/all.yaml b/apps/notes/k8s/all.yaml
index c7dfa5d..be75619 100644
--- a/apps/notes/k8s/all.yaml
+++ b/apps/notes/k8s/all.yaml
@@ -36,6 +36,30 @@ spec:
     spec:
       imagePullSecrets:
         - name: registry-creds
+      initContainers:
+        # secret volume 是只读的，但 lark-cli 跑时要写 cache / refresh token。
+        # 启动时把 secret 里的 config.json 复制到 PVC 子目录 lark-cli/，主容器再挂这个子目录到 ~/.lark-cli。
+        # 已存在不覆盖（保留运行时刷新过的 token）。
+        - name: lark-config-init
+          image: busybox:1.36
+          command:
+            - sh
+            - -c
+            - |
+              mkdir -p /data/lark-cli
+              if [ ! -f /data/lark-cli/config.json ]; then
+                cp /secrets/lark-cli/config.json /data/lark-cli/config.json
+                chmod 600 /data/lark-cli/config.json
+                echo "seeded lark-cli config from secret"
+              else
+                echo "lark-cli config already present in PVC, leaving alone"
+              fi
+          volumeMounts:
+            - name: lark-cli-secret
+              mountPath: /secrets/lark-cli
+              readOnly: true
+            - name: data
+              mountPath: /data
       containers:
         - name: notes
           image: registry.famzheng.me/mochi/notes:latest
@@ -105,14 +129,14 @@ spec:
           volumeMounts:
             - name: data
               mountPath: /data
-            - name: lark-cli-config
+            - name: data
               mountPath: /root/.lark-cli
-              readOnly: false
+              subPath: lark-cli
       volumes:
         - name: data
           persistentVolumeClaim:
             claimName: notes-data
-        - name: lark-cli-config
+        - name: lark-cli-secret
           secret:
             secretName: lark-cli-creds
             items: