From 77f2da9264122b0a6747ab51b2ff47c77aafd647 Mon Sep 17 00:00:00 2001
From: OG T
Date: Thu, 9 Apr 2026 14:50:49 +0800
Subject: [PATCH] =?UTF-8?q?fix(k8s):=20Bug=20#11+#12=20=E2=80=94=20SSH=20e?= =?UTF-8?q?gress=20=E7=99=BD=E5=90=8D=E5=96=AE=20+=20repair-ssh-key=20?= =?UTF-8?q?=E8=AE=80=E5=8F=96=E6=AC=8A=E9=99=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug #11 (NetworkPolicy): allow-required-egress 缺少 192.168.0.110:22
- K8s Pod 到 110 的 SSH port 22 被 default-deny-all 封鎖
- 自動修復的 SSH_COMMAND Playbook 必然 Connection refused
- 修正: 加入 port 22 到 110 的 egress 白名單

Bug #12 (Deployment): repair-ssh-key Secret defaultMode=0400 (root-only)
- Pod 以 appuser(UID 1000) 跑,無法讀取 root-owned 的 SSH key
- ssh 報錯: "Load key: Permission denied"
- 修正: 加入 securityContext.fsGroup=1000,讓 appuser 透過 group read 存取
- 已驗證: Pod 內 ssh → repair-bot-110 → REPAIR_OK:sentry ✅

Co-Authored-By: Claude Sonnet 4.6
---
 k8s/awoooi-prod/02-network-policy.yaml | 7 ++++++-
 k8s/awoooi-prod/06-deployment-api.yaml | 5 +++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/k8s/awoooi-prod/02-network-policy.yaml b/k8s/awoooi-prod/02-network-policy.yaml
index 3a2c2071..d2f85a8c 100644
--- a/k8s/awoooi-prod/02-network-policy.yaml
+++ b/k8s/awoooi-prod/02-network-policy.yaml
@@ -121,9 +121,10 @@ spec:
 - protocol: TCP
 port: 11434
- # 允許訪問 192.168.0.110 DevOps 金庫 (Harbor + Sentry + Langfuse)
+ # 允許訪問 192.168.0.110 DevOps 金庫 (Harbor + Sentry + Langfuse + SSH Repair)
 # 2026-03-24 新增: Sentry Self-Hosted
 # 2026-03-26 新增: Langfuse LLMOps (Phase 15.1)
+ # 2026-04-09 新增: SSH port 22 — repair-bot-110.sh 自動修復 (Bug #11 修正)
 - to:
 - ipBlock:
 cidr: 192.168.0.110/32
@@ -137,6 +138,10 @@ spec:
 # Langfuse LLMOps (Phase 15.1)
 - protocol: TCP
 port: 3100
+ # SSH — repair-bot-110.sh 自動修復執行路徑
+ # ADR-062: SSH_COMMAND Playbook 需要 K8s Pod → 110:22 的 egress
+ - protocol: TCP
+ port: 22
 # 允許訪問 192.168.0.112 安全掃描服務
 - to:
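Review bot: The added `- protocol: TCP` / `port: 22` entry grants SSH egress to 192.168.0.110 to every pod this policy selects, while the commit message only needs it for the pod that runs the SSH_COMMAND playbook; the policy's `podSelector` is outside this hunk, so if `allow-required-egress` is applied to more workloads than the api Deployment, consider carrying port 22 in a separate NetworkPolicy whose podSelector matches only the executor pods and keeping the Harbor/Sentry/Langfuse ports in the shared rule. SSH is a management channel rather than a service dependency, so the narrower selection limits lateral movement if any other pod in the namespace is compromised, and pairs naturally with an `authorized_keys` `command=` restriction and login auditing on the 110 side. The enclosing `- to:` rule for `cidr: 192.168.0.110/32` begins in the previous hunk, whose own changes are comment-only.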
diff --git a/k8s/awoooi-prod/06-deployment-api.yaml b/k8s/awoooi-prod/06-deployment-api.yaml
index 4a2fae5b..b7c1b3ef 100644
--- a/k8s/awoooi-prod/06-deployment-api.yaml
+++ b/k8s/awoooi-prod/06-deployment-api.yaml
@@ -36,6 +36,11 @@ spec:
 # Phase 7: 使用 RBAC ServiceAccount (最小權限)
 serviceAccountName: awoooi-executor
 automountServiceAccountToken: true
+ # 2026-04-09 Claude Sonnet 4.6 Asia/Taipei: Bug #12 修正
+ # fsGroup=1000 讓 appuser(1000) 可讀取 defaultMode=0400 的 repair-ssh-key Secret
+ # SSH 要求 key 必須是 owner-only (0400/0600),0444 會被拒絕
+ securityContext:
+ fsGroup: 1000
 containers:
 - name: api
 # 映像標籤由 CI/CD 動態注入 (格式: {sha}-{run_id})
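Review bot: The new pod-level `securityContext` sets only `fsGroup`, so the comment's premise that the process runs as appuser (1000) rests on the image's USER directive rather than on the manifest; adding `runAsUser: 1000` and `runAsNonRoot: true` next to `fsGroup: 1000` enforces the assumption the group-read fix depends on and matches the least-privilege intent noted above `serviceAccountName`. Because `fsGroup` applies to every volume mounted in the pod, not just repair-ssh-key, any other Secret or projected volume becomes group-readable by GID 1000 as well, and a future sidecar container would inherit that access — worth one line in the comment. The third comment line's claim that 0444 would be rejected may be worth rechecking: as far as I recall, OpenSSH applies its too-open permission check only when the key file is owned by the calling user, which would also be why a root-owned 0400 key with group read is accepted here. If that holds, the comment should say that group read via fsGroup, not the 0400 mode itself, is what makes the key loadable.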