From 634dadac70191e6a028692a694a67a7cd368e3c8 Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 15 Jun 2026 02:44:01 +0800 Subject: [PATCH] =?UTF-8?q?docs(iwooos):=20=E8=A8=98=E9=8C=84=20k8s=20gito?= =?UTF-8?q?ps=20=E9=A9=97=E8=AD=89=20[skip=20ci]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/LOGBOOK.md | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index cdaae1a2..5526a6ba 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md 
@@ -1,3 +1,46 @@ +## 2026-06-15|K8s / ArgoCD GitOps 變更證據驗收正式部署與 production 驗證完成 + +**背景**:110 冷啟動事件中曾出現 ArgoCD `Synced / Degraded`、drift-scanner pod pending、部分服務依賴啟動順序不穩等訊號。既有高價值配置控管已把 K8s / ArgoCD GitOps 列為 C0,但仍缺少專門針對 manifest diff、ArgoCD readback、sync revision、rollout evidence、NetworkPolicy / Secret / RBAC / NodePort 影響與 rollback owner 的只讀驗收帳本。若缺少此層,後續容易把「UI 看得到 GitOps 風險」誤判成 `argocd sync`、`kubectl apply`、Helm upgrade 或 live patch 已獲授權。 + +**完成項目**: +- 新增 `scripts/security/k8s-argocd-change-evidence-acceptance.py`,從 `k8s/` production GitOps manifest 產生 metadata-only change evidence acceptance ledger。 +- 新增 `docs/security/k8s-argocd-change-evidence-acceptance.snapshot.json`,固定 `change_evidence_candidate_count=4`、`c0_change_evidence_candidate_count=3`、`write_capable_candidate_count=4`、`required_evidence_field_count=18`、`reviewer_check_count=18`、`outcome_lane_count=8`、`blocked_action_count=28`。 +- 新增 `docs/security/K8S-ARGOCD-CHANGE-EVIDENCE-ACCEPTANCE.md`,明確要求 source manifest diff、rendered manifest diff、ArgoCD application readback、sync revision、rollout evidence、route smoke、metrics / alert evidence、maintenance window、rollback owner 與 runtime approval package。 +- `high-value-config-control-coverage.snapshot.json` 已同步 K8s production GitOps maturity `62% -> 64%`;高價值配置平均只讀成熟度維持 `68%`,IwoooS headline 維持 `64%`。 +- `/zh-TW/iwooos` 前端 evidence marker 已同步 `k8s_argocd_change_evidence_acceptance_candidate_count=4`、`k8s_production_gitops_coverage_percent=64`、`argocd_api_read_authorized=false`、`kubectl_action_authorized=false` 與 `64% / sync 0`。 +- `security-mirror-progress-guard.py` 已鎖住新 snapshot schema、summary、candidate ids、reviewer checks、outcome lanes、blocked actions、false flags、coverage 64%、posture source paths 與前端 marker。 + +**本地驗證**: +- 產生器 smoke:`K8S_ARGOCD_CHANGE_EVIDENCE_ACCEPTANCE_OK candidates=4 c0=3 write_capable=4 checks=18 lanes=8 accepted=0 runtime_gate=0`。 +- high-value config coverage 重產:`HIGH_VALUE_CONFIG_CONTROL_COVERAGE_OK categories=14 c0=8 avg=68 
runtime_gate=0`。 +- `python3 -m py_compile scripts/security/k8s-argocd-change-evidence-acceptance.py scripts/security/high-value-config-control-coverage.py scripts/security/security-mirror-progress-guard.py` 通過。 +- JSON parse:K8s / ArgoCD acceptance snapshot、high-value coverage snapshot、IwoooS posture projection snapshot、`apps/web/messages/zh-TW.json`、`apps/web/messages/en.json` 通過。 +- `python3 scripts/security/security-mirror-progress-guard.py --root .` → `SECURITY_MIRROR_PROGRESS_GUARD_OK`。 +- `python3 scripts/security/source-control-owner-response-guard.py --root .` → `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`。 +- `python3 scripts/ops/doc-secrets-sanity-check.py docs .gitea` → `DOC_SECRET_SANITY_OK scanned_files=854`。 +- `git diff --check` 通過。 +- `pnpm --dir apps/web typecheck` 通過。 +- `NEXT_PUBLIC_API_URL=https://awoooi.wooo.work SENTRY_SUPPRESS_GLOBAL_ERROR_HANDLER_FILE_WARNING=1 pnpm --dir apps/web build` 通過,92/92 static pages generated。 +- local build artifact scan:`/iwooos` bundle 可見 `k8s_argocd_change_evidence_acceptance_candidate_count=4`、K8s `64% / sync 0`、DNS / TLS `78% / probe 0`、`runtime_execution_authorized=false`;raw owner namespace、外部 raw namespace 與內部工作片語均未命中。 + +**Gitea / CD**: +- Code commit:`f055a973 fix(iwooos): 新增 k8s gitops 變更證據驗收`,已正常 push 到 `gitea/main`,無 force push。 +- Code Review:Gitea Actions run `2994` / `ai-code-review` Success。 +- CD:Gitea Actions run `2993` 已產生 deploy marker `0976f466 chore(cd): deploy f055a97 [skip ci]`,`gitea/main` 已快轉到該 marker。 + +**Production 只讀驗證(deploy marker `0976f466`)**: +- In-app browser desktop `1440x900`:`/zh-TW/iwooos?_v=f055a973-k8s-gitops-prod-desktop` 可見 K8s / ArgoCD change evidence acceptance marker、K8s `64% / sync 0`、DNS / TLS `78% / probe 0`、runtime gate `0`、`argocd_api_read_authorized=false` 與 `kubectl_action_authorized=false`;`innerWidth=1440`、`scrollWidth=1434`、`horizontalOverflow=false`;raw owner namespace 與工作視窗片語均為 `false`。 +- In-app browser mobile 
`390x844`:`/zh-TW/iwooos?_v=f055a973-k8s-gitops-prod-mobile` 可見 K8s / ArgoCD change evidence acceptance marker、K8s `64% / sync 0`、DNS / TLS `78% / probe 0`、runtime gate `0`、`argocd_api_read_authorized=false` 與 `kubectl_action_authorized=false`;`innerWidth=390`、`scrollWidth=384`、`horizontalOverflow=false`;raw owner namespace 與工作視窗片語均為 `false`。 +- In-app browser mobile `390x844`:`/zh-TW/awooop/tenants?_v=f055a973-k8s-gitops-tenants-mobile` 可見脫敏範圍代號與 redaction boundary;`innerWidth=390`、`scrollWidth=384`、`horizontalOverflow=false`;raw owner namespace、raw repo 範例與工作視窗片語均為 `false`。 + +**完成度與邊界**: +- K8s / ArgoCD change evidence acceptance artifact:`100%`。 +- K8s production GitOps 只讀治理成熟度:`62% -> 64%`。 +- 高價值配置平均只讀成熟度:維持 `68%`。 +- IwoooS headline:維持 `64%`;active runtime gate:維持 `0`。 +- source manifest diff、rendered manifest diff、ArgoCD application readback、sync revision、rollout evidence、route smoke、metrics / alert evidence、runtime approval package、owner response accepted 全部維持 `0 / false`。 +- `argocd sync`、ArgoCD API read、`kubectl apply`、live patch、Helm upgrade、Kustomize build、NetworkPolicy apply、NodePort change、RBAC change、Secret change、runtime gate、action button 全部維持 `0 / false`。 + ## 2026-06-15|端口 / 防火牆變更證據驗收正式部署與 production 驗證完成 **背景**:110 端口關閉事件已造成 Ollama、ArgoCD、drift-scanner 與相關 route 異常,且使用者明確要求「所有重要配置都要被管控」。既有 SSH / network owner response acceptance 只能描述存取路徑與 owner response gate,仍缺少專門針對端口開關、防火牆規則、服務影響、跨專案同步、維護窗口、rollback owner 與 post-check evidence 的只讀驗收帳本;若缺少此層,未來很容易把「看得到端口異常」誤判成「已授權關閉 / 開啟 / 修復」。
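Review bot: the 本地驗證 list only records the guard's passing run (`python3 scripts/security/security-mirror-progress-guard.py --root .` → `SECURITY_MIRROR_PROGRESS_GUARD_OK`), while the 完成項目 list claims the guard now locks the new snapshot schema, candidate ids, reviewer checks, outcome lanes, blocked actions, false flags, coverage 64% and the `/zh-TW/iwooos` marker. A green run on the committed tree does not evidence enforcement; add one negative check to the same list, for example temporarily change `change_evidence_candidate_count=4` to `5` in `docs/security/k8s-argocd-change-evidence-acceptance.snapshot.json` (or flip `kubectl_action_authorized=false` in the marker) and record that the guard exits non-zero before reverting. Otherwise a later edit that drifts one of the "locked" values will pass this logbook's own acceptance bar. Secondary: `python3 scripts/ops/doc-secrets-sanity-check.py docs .gitea` covers the new snapshot and acceptance document under `docs/security/` but not `scripts/security/k8s-argocd-change-evidence-acceptance.py`, the one new file that reads the `k8s/` production manifests; the local build artifact scan applies to the `/iwooos` bundle, not to that script, so either extend the scan path to `scripts` or state explicitly that the generator's metadata-only output is the only raw-namespace control on it.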