fix(cd): 改用 sudoers NOPASSWD (完全移除密碼)
2026-03-30 ogt: 更安全的方案 - 已在 192.168.0.121 設定 sudoers NOPASSWD - /etc/sudoers.d/kubectl-deploy - 完全移除 SUDO_PASSWORD 環境變數 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -87,7 +87,6 @@ jobs:
|
||||
- name: Deploy to K8s
|
||||
env:
|
||||
SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
|
||||
SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
|
||||
run: |
|
||||
mkdir -p ~/.ssh
|
||||
echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
|
||||
@@ -96,22 +95,22 @@ jobs:
|
||||
set -e
|
||||
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
|
||||
|
||||
# 2026-03-30 ogt: P0 安全修復 - 使用 secret 而非明文密碼
|
||||
echo "$SUDO_PASSWORD" | sudo -S kubectl set image deployment/awoooi-api \
|
||||
# 2026-03-30 ogt: sudoers NOPASSWD 已設定,無需密碼
|
||||
sudo kubectl set image deployment/awoooi-api \
|
||||
api=192.168.0.110:5000/awoooi/api:${{ github.sha }} \
|
||||
-n awoooi-prod
|
||||
|
||||
echo "$SUDO_PASSWORD" | sudo -S kubectl set image deployment/awoooi-web \
|
||||
sudo kubectl set image deployment/awoooi-web \
|
||||
web=192.168.0.110:5000/awoooi/web:${{ github.sha }} \
|
||||
-n awoooi-prod
|
||||
|
||||
echo "$SUDO_PASSWORD" | sudo -S kubectl set image deployment/awoooi-worker \
|
||||
sudo kubectl set image deployment/awoooi-worker \
|
||||
worker=192.168.0.110:5000/awoooi/api:${{ github.sha }} \
|
||||
-n awoooi-prod
|
||||
|
||||
echo "$SUDO_PASSWORD" | sudo -S kubectl rollout status deployment/awoooi-api -n awoooi-prod --timeout=120s
|
||||
echo "$SUDO_PASSWORD" | sudo -S kubectl rollout status deployment/awoooi-web -n awoooi-prod --timeout=120s
|
||||
echo "$SUDO_PASSWORD" | sudo -S kubectl rollout status deployment/awoooi-worker -n awoooi-prod --timeout=120s
|
||||
sudo kubectl rollout status deployment/awoooi-api -n awoooi-prod --timeout=120s
|
||||
sudo kubectl rollout status deployment/awoooi-web -n awoooi-prod --timeout=120s
|
||||
sudo kubectl rollout status deployment/awoooi-worker -n awoooi-prod --timeout=120s
|
||||
echo "✅ 部署完成"
|
||||
DEPLOY
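Review bot: The comment on line 45 records that NOPASSWD is configured but not the scope that was granted, and an unrestricted `sudo kubectl` rule makes whoever holds DEPLOY_SSH_KEY effectively root on the host, since kubectl can apply arbitrary manifests and exec into pods. The workflow should state the expected sudoers scope so the rule in `/etc/sudoers.d/kubectl-deploy` can be audited against it, e.g. extend the comment to `# Requires /etc/sudoers.d/kubectl-deploy to grant NOPASSWD only for <kubectl-path> to the deploy user (no ALL), so this key can run nothing else as root`. Separately, the `export KUBECONFIG=...` on line 34 is presumably dropped by sudo's env_reset unless env_keep allows it, so the three `sudo kubectl` invocations likely rely on k3s's default config path rather than the export; either note that or drop the export so the script does not imply it takes effect. The ssh invocation that feeds this heredoc starts outside the hunk, and the run block of the first hunk continues past line 25.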
|
||||
|
||||
|
||||