fix(cd): switch to sudoers NOPASSWD (remove the password entirely)
All checks were successful
CD Pipeline / build-and-deploy (push) Successful in 3m39s
E2E Health Check / e2e-health (push) Successful in 15s

2026-03-30 ogt: a more secure approach

- Configured sudoers NOPASSWD on 192.168.0.121
- /etc/sudoers.d/kubectl-deploy
- Removed the SUDO_PASSWORD environment variable entirely

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
OG T
2026-03-30 01:34:02 +08:00
parent 4f06115497
commit 7ac654390c


@@ -87,7 +87,6 @@ jobs:
- name: Deploy to K8s
env:
SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
run: |
mkdir -p ~/.ssh
echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
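Review bot: dropping `SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}` from the step's `env` removes it from the job, but not from the repository secret store or from the account on 192.168.0.121; since the old step fed that value through `echo "$SUDO_PASSWORD" | sudo -S`, delete the `SUDO_PASSWORD` secret and rotate the account password as part of this change rather than leaving a now-unused secret in place. Also worth confirming in the context after `echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key` that the key file is given `chmod 600`, since `ssh` refuses group/world-readable private keys.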
@@ -96,22 +95,22 @@ jobs:
set -e
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
# 2026-03-30 ogt: P0 安全修復 - 使用 secret 而非明文密碼
echo "$SUDO_PASSWORD" | sudo -S kubectl set image deployment/awoooi-api \
# 2026-03-30 ogt: sudoers NOPASSWD 已設定,無需密碼
sudo kubectl set image deployment/awoooi-api \
api=192.168.0.110:5000/awoooi/api:${{ github.sha }} \
-n awoooi-prod
echo "$SUDO_PASSWORD" | sudo -S kubectl set image deployment/awoooi-web \
sudo kubectl set image deployment/awoooi-web \
web=192.168.0.110:5000/awoooi/web:${{ github.sha }} \
-n awoooi-prod
echo "$SUDO_PASSWORD" | sudo -S kubectl set image deployment/awoooi-worker \
sudo kubectl set image deployment/awoooi-worker \
worker=192.168.0.110:5000/awoooi/api:${{ github.sha }} \
-n awoooi-prod
echo "$SUDO_PASSWORD" | sudo -S kubectl rollout status deployment/awoooi-api -n awoooi-prod --timeout=120s
echo "$SUDO_PASSWORD" | sudo -S kubectl rollout status deployment/awoooi-web -n awoooi-prod --timeout=120s
echo "$SUDO_PASSWORD" | sudo -S kubectl rollout status deployment/awoooi-worker -n awoooi-prod --timeout=120s
sudo kubectl rollout status deployment/awoooi-api -n awoooi-prod --timeout=120s
sudo kubectl rollout status deployment/awoooi-web -n awoooi-prod --timeout=120s
sudo kubectl rollout status deployment/awoooi-worker -n awoooi-prod --timeout=120s
echo "✅ 部署完成"
DEPLOY
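Review bot: the comment `sudoers NOPASSWD 已設定,無需密碼` is the only record of the new trust boundary, and the rule in `/etc/sudoers.d/kubectl-deploy` is not in this commit; an unrestricted NOPASSWD entry (`ALL`) would turn the deploy user into a passwordless root account on the node, whereas the visible lines only need `kubectl set image` and `kubectl rollout status` against namespace `awoooi-prod`. Suggest scoping the rule to the full path of the `kubectl` binary and those two subcommands, and recording the rule text (or a link to the host config) in the workflow comment so a later reviewer can verify it. Minor: `export KUBECONFIG=/etc/rancher/k3s/k3s.yaml` is set in the deploy user's shell but `sudo` resets the environment by default, so it only works because the k3s-bundled `kubectl` falls back to that same path when run as root; either drop the export or pass `--kubeconfig` explicitly so the intent is clear.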