From 7ac654390cd0809dc81ed930f6f09cc61fae1ace Mon Sep 17 00:00:00 2001
From: OG T
Date: Mon, 30 Mar 2026 01:34:02 +0800
Subject: [PATCH] =?UTF-8?q?fix(cd):=20=E6=94=B9=E7=94=A8=20sudoers=20NOPAS?=
 =?UTF-8?q?SWD=20(=E5=AE=8C=E5=85=A8=E7=A7=BB=E9=99=A4=E5=AF=86=E7=A2=BC)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

2026-03-30 ogt: 更安全的方案
- 已在 192.168.0.121 設定 sudoers NOPASSWD
- /etc/sudoers.d/kubectl-deploy
- 完全移除 SUDO_PASSWORD 環境變數

Co-Authored-By: Claude Opus 4.5
---
 .gitea/workflows/cd.yaml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index 518020e2..e68e6307 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -87,7 +87,6 @@ jobs:
 - name: Deploy to K8s
 env:
 SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
- SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
 run: |
 mkdir -p ~/.ssh
 echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
@@ -96,22 +95,22 @@ jobs:
 set -e
 export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
- # 2026-03-30 ogt: P0 安全修復 - 使用 secret 而非明文密碼
- echo "$SUDO_PASSWORD" | sudo -S kubectl set image deployment/awoooi-api \
+ # 2026-03-30 ogt: sudoers NOPASSWD 已設定,無需密碼
+ sudo kubectl set image deployment/awoooi-api \
 api=192.168.0.110:5000/awoooi/api:${{ github.sha }} \
 -n awoooi-prod
- echo "$SUDO_PASSWORD" | sudo -S kubectl set image deployment/awoooi-web \
+ sudo kubectl set image deployment/awoooi-web \
 web=192.168.0.110:5000/awoooi/web:${{ github.sha }} \
 -n awoooi-prod
- echo "$SUDO_PASSWORD" | sudo -S kubectl set image deployment/awoooi-worker \
+ sudo kubectl set image deployment/awoooi-worker \
 worker=192.168.0.110:5000/awoooi/api:${{ github.sha }} \
 -n awoooi-prod
- echo "$SUDO_PASSWORD" | sudo -S kubectl rollout status deployment/awoooi-api -n awoooi-prod --timeout=120s
- echo "$SUDO_PASSWORD" | sudo -S kubectl rollout status deployment/awoooi-web -n awoooi-prod --timeout=120s
- echo "$SUDO_PASSWORD" | sudo -S kubectl rollout status deployment/awoooi-worker -n awoooi-prod --timeout=120s
+ sudo kubectl rollout status deployment/awoooi-api -n awoooi-prod --timeout=120s
+ sudo kubectl rollout status deployment/awoooi-web -n awoooi-prod --timeout=120s
+ sudo kubectl rollout status deployment/awoooi-worker -n awoooi-prod --timeout=120s
 echo "✅ 部署完成"
 DEPLOY
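Review bot: The new `sudo kubectl …` lines depend entirely on the scope of the out-of-band `/etc/sudoers.d/kubectl-deploy` rule named in the commit message, and neither the workflow nor the replacement comment records what that rule permits. If it grants `kubectl` with arbitrary arguments, whoever holds `DEPLOY_SSH_KEY` gets passwordless cluster-admin through `/etc/rancher/k3s/k3s.yaml`, a wider blast radius than the password it replaces; the rule should be pinned to the exact `kubectl set image deployment/awoooi-… -n awoooi-prod` and `kubectl rollout status … -n awoooi-prod` forms used here, or sudo dropped altogether in favour of a kubeconfig for a ServiceAccount limited to get/patch on deployments in `awoooi-prod`. It is also worth confirming that the `export KUBECONFIG=…` context line still reaches kubectl, since sudo's default `env_reset` strips it; that presumably already held for `sudo -S`, so kubectl is likely resolving the k3s config another way on that host. I would replace the added comment with `# sudo is passwordless via /etc/sudoers.d/kubectl-deploy on the deploy host; keep that rule restricted to these kubectl invocations in namespace awoooi-prod`. The heredoc and the enclosing `run:` step begin outside the hunk.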