diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index 1847e5f9..d45de202 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -45,13 +45,13 @@ env:
   OTEL_SERVICE_NAME: awoooi-cd
   OTEL_RESOURCE_ATTRIBUTES: service.version=${{ github.sha }},deployment.environment=production
   CI_IMAGE: 192.168.0.110:5000/awoooi/ci-runner:act-22.04
-  # 2026-05-06 Codex: deploy through the 120 control-plane node. After dirty
-  # reboots, 121 host-key prompts can block the non-interactive host runner.
-  # Both nodes support the sudo kubectl path, but 120 removes the extra hop.
-  K8S_SSH_HOST: 192.168.0.120
-  K8S_API_SERVER: https://192.168.0.120:6443
+  # 2026-05-24 Codex: deploy through the currently Ready control-plane node.
+  # 120 is NotReady/SchedulingDisabled and its SSH/API endpoints are currently
+  # unreachable; pinning CD to it blocks secret injection before GitOps deploy.
+  K8S_SSH_HOST: 192.168.0.121
+  K8S_API_SERVER: https://192.168.0.121:6443
   # 2026-05-05 Codex: health/smoke probes use the keepalived VIP instead of a
-  # fixed node. Kubectl still tunnels through K8S_SSH_HOST with --server=120.
+  # fixed node. Kubectl still tunnels through K8S_SSH_HOST.
   API_HEALTH_URL: http://192.168.0.125:32334/api/v1/health
   ALERT_CHAIN_API_URL: http://192.168.0.125:32334