From b1c1091787bc7d8a22fecedd4f2f873195f151ab Mon Sep 17 00:00:00 2001
From: OG T <ogt@WOOOMacMiniM4.local>
Date: Sat, 11 Apr 2026 09:35:52 +0800
Subject: [PATCH] =?UTF-8?q?feat(mcp):=20MCP=20Phase=202a=20=E2=80=94=20SSH?=
 =?UTF-8?q?=20MCP=20key=20volume=20+=20SSH/ArgoCD/Sentry=20MCP=20=E5=95=9F?=
 =?UTF-8?q?=E7=94=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 06-deployment-api.yaml: ssh-mcp-key volume 定義（optional: true, 0400）
- 04-configmap.yaml: SSH_MCP_ENABLED/KNOWN_HOSTS_FILE + ARGOCD_MCP_ENABLED + SENTRY_MCP_ENABLED

MCP Phase 1-4 全部實作完成，10 providers 全部已啟用（ArgoCD/Sentry/SSH 需人工 Secret）

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 k8s/awoooi-prod/04-configmap.yaml      | 10 ++++++++++
 k8s/awoooi-prod/06-deployment-api.yaml | 11 +++++++++++
 2 files changed, 21 insertions(+)

diff --git a/k8s/awoooi-prod/04-configmap.yaml b/k8s/awoooi-prod/04-configmap.yaml
index 2153728e..4b251ec4 100644
--- a/k8s/awoooi-prod/04-configmap.yaml
+++ b/k8s/awoooi-prod/04-configmap.yaml
@@ -102,3 +102,13 @@ data:
   # in-cluster config 讀到 10.43.0.1，但 iptables/kube-proxy 沒把流量導到實際 API server
   # 用此 URL 覆蓋 host，讓 executor 直接打 K3s API server node IP
   K8S_API_SERVER_URL: "https://192.168.0.120:6443"
+
+  # MCP Phase 2a (2026-04-11 Claude Sonnet 4.6): SSH MCP 啟用
+  # SSH_MCP_ENABLED=true 需確認 ssh-mcp-key Secret 已建立且 188 已加 authorized_keys
+  SSH_MCP_ENABLED: "true"
+  SSH_MCP_KNOWN_HOSTS_FILE: "/etc/ssh-mcp/known_hosts"
+  # MCP Phase 3 (2026-04-11 Claude Sonnet 4.6): ArgoCD + Sentry MCP 啟用
+  # ARGOCD_API_TOKEN 在 Secrets 中配置
+  ARGOCD_MCP_ENABLED: "true"
+  ARGOCD_URL: "https://192.168.0.125:30443"
+  SENTRY_MCP_ENABLED: "true"
diff --git a/k8s/awoooi-prod/06-deployment-api.yaml b/k8s/awoooi-prod/06-deployment-api.yaml
index b7c1b3ef..e9a22c0c 100644
--- a/k8s/awoooi-prod/06-deployment-api.yaml
+++ b/k8s/awoooi-prod/06-deployment-api.yaml
@@ -71,6 +71,10 @@ spec:
               mountPath: /app/ops/config/service-registry.yaml
               subPath: service-registry.yaml
               readOnly: true
+            # MCP Phase 2a (2026-04-11 Claude Sonnet 4.6): SSH MCP key
+            - name: ssh-mcp-key
+              mountPath: /etc/ssh-mcp
+              readOnly: true
           resources:
             requests:
               cpu: "200m"
@@ -129,6 +133,13 @@ spec:
         - name: service-registry
           configMap:
             name: service-registry
+        # MCP Phase 2a (2026-04-11 Claude Sonnet 4.6): SSH MCP key
+        # optional: true — SSH MCP 預設關閉，Secret 不存在時 Pod 不阻塞
+        - name: ssh-mcp-key
+          secret:
+            secretName: ssh-mcp-key
+            defaultMode: 0400
+            optional: true
 
 ---
 apiVersion: v1