k8s(secret): 加入 repair SSH key 建立說明 template

實際私鑰透過 kubectl create secret 手動建立，不上 Git 主機 110 (wooo) / 188 (ollama) 已設定 command= 受限 authorized_keys SSH health check 驗證: REPAIR_BOT_HEALTHY:110 / REPAIR_BOT_HEALTHY:188 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-05 11:17:57 +08:00
parent f51bf5a6a8
commit 892c5d53a7
3 changed files with 41 additions and 2 deletions
--- a/k8s/awoooi-prod/04-repair-ssh-key-template.yaml
+++ b/k8s/awoooi-prod/04-repair-ssh-key-template.yaml
@@ -0,0 +1,39 @@
+# k8s/awoooi-prod/04-repair-ssh-secret.yaml
+# SSH Secret Template — 不含實際私鑰 (存於 K8s，不上 Git)
+# 2026-04-05 Claude Code: Sprint 3 Host Auto-Repair
+#
+# 建立方式:
+#   ssh-keygen -t ed25519 -C "awoooi-repair-bot-2026" -f /tmp/awoooi_repair_bot -N ""
+#   kubectl create secret generic awoooi-repair-ssh-key \
+#     -n awoooi-prod \
+#     --from-file=id_ed25519=/tmp/awoooi_repair_bot \
+#     --from-file=id_ed25519.pub=/tmp/awoooi_repair_bot.pub
+#
+# 主機配置 (已完成 2026-04-05):
+#   110 ~/.ssh/authorized_keys: command="/home/wooo/bin/repair-bot-110.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding <pubkey>
+#   188 ~/.ssh/authorized_keys: command="/home/ollama/bin/repair-bot-188.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding <pubkey>
+#
+# 安全設計:
+#   - SSH key 在 K8s Secret，掛載到 API pod /etc/repair-ssh/
+#   - command= 限制：SSH 連線只能執行白名單修復腳本，不能執行任意命令
+#   - repair-bot-110.sh / repair-bot-188.sh 只允許 docker compose up -d 或 systemctl restart
+#
+# 驗證方式:
+#   ssh -i /tmp/awoooi_repair_bot -o StrictHostKeyChecking=no wooo@192.168.0.110 health
+#   → 預期: REPAIR_BOT_HEALTHY:110
+#   ssh -i /tmp/awoooi_repair_bot -o StrictHostKeyChecking=no ollama@192.168.0.188 health
+#   → 預期: REPAIR_BOT_HEALTHY:188
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: awoooi-repair-ssh-key
+  namespace: awoooi-prod
+  annotations:
+    # 此 template 不含實際私鑰，需手動 kubectl create secret 建立
+    awoooi.io/secret-type: "ssh-repair-bot"
+    awoooi.io/created: "2026-04-05"
+    awoooi.io/key-comment: "awoooi-repair-bot-2026"
+type: Opaque
+# data: 不在版控中 — 使用上方 kubectl create secret 指令建立
+# 實際 secret 已存在於 K8s cluster (awoooi-prod namespace)
--- a/scripts/repair-bot/repair-bot-110.sh
+++ b/scripts/repair-bot/repair-bot-110.sh
@@ -12,7 +12,7 @@
 # 部署位置: /home/wooo/bin/repair-bot-110.sh (on 192.168.0.110)
 # 使用者: wooo

-LOG="/var/log/awoooi-repair-bot.log"
+LOG="${HOME}/.repair-bot.log"
 log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG"; }

 # 白名單: component → compose dir
--- a/scripts/repair-bot/repair-bot-188.sh
+++ b/scripts/repair-bot/repair-bot-188.sh
@@ -11,7 +11,7 @@
 # 部署位置: /home/ollama/bin/repair-bot-188.sh (on 192.168.0.188)
 # 使用者: ollama

-LOG="/var/log/awoooi-repair-bot.log"
+LOG="${HOME}/.repair-bot.log"
 log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG"; }

 # 白名單: component → 修復方式