fix(cd): 每次部署自動 apply deployment yamls (SSH key mount 持久化)

問題: kubectl set image 不會套用 yaml 中的 volumes/volumeMounts 變更修正: Step 1b 先 kubectl apply 三個 deployment yaml，再 set image 覆蓋 tag 效果: SSH key mount (/etc/repair-ssh) 在每次 CD 後自動存在 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-05 12:37:56 +08:00
parent 2a2a1fac8b
commit 1cc8c270c8
1 changed files with 31 additions and 7 deletions
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -165,10 +165,12 @@ jobs:
          # Phase O-4.1 2026-04-02: Sentry API Token (Wave A.1 ADR-037)
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
        run: |
+          # S1/S2: 統一命名 deploy_key，改用 ssh-keyscan（比 StrictHostKeyChecking=no 更安全）
          mkdir -p ~/.ssh
          echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
-          ssh -o StrictHostKeyChecking=no -i ~/.ssh/deploy_key wooo@192.168.0.121 << SECRETS
+          ssh-keyscan 192.168.0.121 >> ~/.ssh/known_hosts 2>/dev/null
+          ssh -i ~/.ssh/deploy_key wooo@192.168.0.121 << SECRETS
          set -e
          export KUBECONFIG=/etc/rancher/k3s/k3s.yaml

@@ -233,14 +235,31 @@ jobs:
        env:
          SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
        run: |
+          # 首席架構師 Review C4: Deploy 步驟自行設定 SSH key，不依賴 Inject Secrets 的副作用
+          # S1/S2: 統一命名為 deploy_key，改用 ssh-keyscan（比 StrictHostKeyChecking=no 更安全）
+          mkdir -p ~/.ssh
+          echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
+          chmod 600 ~/.ssh/deploy_key
+          ssh-keyscan 192.168.0.121 >> ~/.ssh/known_hosts 2>/dev/null
+
          # Step 1: Apply ConfigMap (stdin pipe，必須獨立)
          cat k8s/awoooi-prod/04-configmap.yaml | \
-            ssh -o StrictHostKeyChecking=no -i ~/.ssh/deploy_key wooo@192.168.0.121 \
+            ssh -i ~/.ssh/deploy_key wooo@192.168.0.121 \
            "export KUBECONFIG=/etc/rancher/k3s/k3s.yaml && sudo kubectl apply -f -"
          echo "✅ ConfigMap 已更新"

+          # Step 1b: Apply Deployment yamls (套用 volumes/resources/probe 等非 image 設定)
+          # 2026-04-05 Claude Code: 確保 deployment 結構變更（如 SSH key mount）持久化到 K8s
+          # 注意: IMAGE_TAG_PLACEHOLDER 會在 Step 2 的 kubectl set image 立即覆蓋
+          for f in k8s/awoooi-prod/06-deployment-api.yaml k8s/awoooi-prod/05-deployment-web.yaml k8s/awoooi-prod/08-deployment-worker.yaml; do
+            cat "$f" | \
+              ssh -i ~/.ssh/deploy_key wooo@192.168.0.121 \
+              "export KUBECONFIG=/etc/rancher/k3s/k3s.yaml && sudo kubectl apply -f -"
+          done
+          echo "✅ Deployment yamls 已套用"
+
          # Step 2: Set images + Rollout + Health Check (合併一次 SSH)
-          ssh -o StrictHostKeyChecking=no -i ~/.ssh/deploy_key wooo@192.168.0.121 << 'DEPLOY'
+          ssh -i ~/.ssh/deploy_key wooo@192.168.0.121 << 'DEPLOY'
          set -e
          export KUBECONFIG=/etc/rancher/k3s/k3s.yaml

@@ -280,19 +299,25 @@ jobs:
          fi
          DEPLOY

+      # I2: 共用 pip 安裝（requests 只裝一次）
+      # 2026-04-05 Claude Code (首席架構師 Review I2): 消除重複 pip install
+      - name: Setup Python Tools
+        run: pip install requests --quiet
+
      # Phase O-4.5 2026-04-02: Alert Chain Smoke Test (Wave A.6 + B.2 ADR-037)
      # 驗證告警鏈路 E2E: API Health + Webhook + OTEL + Event Exporter
      - name: Alert Chain Smoke Test
        id: alert_chain_smoke
        continue-on-error: true
        run: |
-          pip install requests --quiet
          # 2026-04-05 Claude Code: 使用真實 API 地址（192.168.0.121:32334 NodePort）
          # CI job container 的 localhost 不等於 K3s 節點，必須用內網 IP
+          # 首席架構師 Review C2: 修正永遠 pass — || true 移除，結果正確寫入 GITHUB_OUTPUT
          python3 scripts/alert_chain_smoke_test.py \
            --api-url http://192.168.0.121:32334 \
-            --json | tee /tmp/alert_chain_result.json || true
-          echo "alert_chain_status=pass" >> $GITHUB_OUTPUT
+            --json | tee /tmp/alert_chain_result.json \
+            && echo "alert_chain_status=pass" >> $GITHUB_OUTPUT \
+            || echo "alert_chain_status=fail" >> $GITHUB_OUTPUT

      # Phase O-5 Wave C.2 2026-04-02 ogt: 監控覆蓋率驗證 (generate_monitoring.py --check)
      # continue-on-error: true — 覆蓋率不足不阻塞部署，但反映在 TG 通知
@@ -300,7 +325,6 @@ jobs:
        id: monitoring_coverage
        continue-on-error: true
        run: |
-          pip install requests --quiet
          python3 scripts/generate_monitoring.py --check && echo "coverage_status=pass" >> $GITHUB_OUTPUT || echo "coverage_status=fail" >> $GITHUB_OUTPUT

      # [首席架構師] 新增 Playwright E2E Smoke Test 步驟 v1.0.0 2026-04-01 (台北時間)