wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 4 Packages Projects Releases Wiki Activity

fix(cd): avoid host-key prompt during deploy
All checks were successful
Code Review / ai-code-review (push) Successful in 10s
Details

Browse Source
This commit is contained in:
Your Name
2026-05-06 07:27:57 +08:00
parent 09256be62c
commit d2aebdd477
2 changed files with 24 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
.gitea/workflows/cd.yaml
View File

@@ -42,10 +42,10 @@ env:
OTEL_SERVICE_NAME: awoooi-cd OTEL_SERVICE_NAME: awoooi-cd
OTEL_RESOURCE_ATTRIBUTES: service.version=${{ github.sha }},deployment.environment=production OTEL_RESOURCE_ATTRIBUTES: service.version=${{ github.sha }},deployment.environment=production
CI_IMAGE: 192.168.0.110:5000/awoooi/ci-runner:act-22.04 CI_IMAGE: 192.168.0.110:5000/awoooi/ci-runner:act-22.04
# CD SSH still lands on 121 because that host has the deploy sudo path. # 2026-05-06 Codex: deploy through the 120 control-plane node. After dirty
# Its kubeconfig points to 127.0.0.1, so the deploy scripts rewrite a temp # reboots, 121 host-key prompts can block the non-interactive host runner.
# kubeconfig to the 120 control-plane API server before running kubectl. # Both nodes support the sudo kubectl path, but 120 removes the extra hop.
K8S_SSH_HOST: 192.168.0.121 K8S_SSH_HOST: 192.168.0.120
K8S_API_SERVER: https://192.168.0.120:6443 K8S_API_SERVER: https://192.168.0.120:6443
# 2026-05-05 Codex: health/smoke probes use the keepalived VIP instead of a # 2026-05-05 Codex: health/smoke probes use the keepalived VIP instead of a
# fixed node. Kubectl still tunnels through K8S_SSH_HOST with --server=120. # fixed node. Kubectl still tunnels through K8S_SSH_HOST with --server=120.
@@ -446,8 +446,9 @@ jobs:
mkdir -p ~/.ssh mkdir -p ~/.ssh
echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
chmod 600 ~/.ssh/deploy_key chmod 600 ~/.ssh/deploy_key
ssh-keyscan "${{ env.K8S_SSH_HOST }}" >> ~/.ssh/known_hosts 2>/dev/null ssh-keyscan -T 5 "${{ env.K8S_SSH_HOST }}" > ~/.ssh/known_hosts 2>/dev/null
ssh -i ~/.ssh/deploy_key "wooo@${{ env.K8S_SSH_HOST }}" << SECRETS SSH_OPTS="-i ~/.ssh/deploy_key -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=${HOME}/.ssh/known_hosts -o ConnectTimeout=10"
ssh $SSH_OPTS "wooo@${{ env.K8S_SSH_HOST }}" << SECRETS
set -e set -e
K8S_API_SERVER="${{ env.K8S_API_SERVER }}" K8S_API_SERVER="${{ env.K8S_API_SERVER }}"
KUBECTL="sudo kubectl --kubeconfig=/etc/rancher/k3s/k3s.yaml --server=\${K8S_API_SERVER}" KUBECTL="sudo kubectl --kubeconfig=/etc/rancher/k3s/k3s.yaml --server=\${K8S_API_SERVER}"
@@ -676,19 +677,20 @@ jobs:
mkdir -p ~/.ssh mkdir -p ~/.ssh
echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
chmod 600 ~/.ssh/deploy_key chmod 600 ~/.ssh/deploy_key
ssh-keyscan "${{ env.K8S_SSH_HOST }}" >> ~/.ssh/known_hosts 2>/dev/null ssh-keyscan -T 5 "${{ env.K8S_SSH_HOST }}" > ~/.ssh/known_hosts 2>/dev/null
SSH_OPTS="-i ~/.ssh/deploy_key -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=${HOME}/.ssh/known_hosts -o ConnectTimeout=10"
IMAGE_TAG="${{ github.sha }}" IMAGE_TAG="${{ github.sha }}"
HARBOR=192.168.0.110:5000 HARBOR=192.168.0.110:5000
# ─── Step 1: Apply ConfigMap + ServiceRegistry (ArgoCD 管的是 DeploymentConfigMap 仍直接 apply) ─── # ─── Step 1: Apply ConfigMap + ServiceRegistry (ArgoCD 管的是 DeploymentConfigMap 仍直接 apply) ───
cat k8s/awoooi-prod/04-configmap.yaml | \ cat k8s/awoooi-prod/04-configmap.yaml | \
ssh -i ~/.ssh/deploy_key "wooo@${{ env.K8S_SSH_HOST }}" \ ssh $SSH_OPTS "wooo@${{ env.K8S_SSH_HOST }}" \
"KUBECTL='sudo kubectl --kubeconfig=/etc/rancher/k3s/k3s.yaml --server=${{ env.K8S_API_SERVER }}'; \$KUBECTL apply -f -" "KUBECTL='sudo kubectl --kubeconfig=/etc/rancher/k3s/k3s.yaml --server=${{ env.K8S_API_SERVER }}'; \$KUBECTL apply -f -"
echo "✅ ConfigMap 已更新" echo "✅ ConfigMap 已更新"
cat k8s/awoooi-prod/15-service-registry-configmap.yaml | \ cat k8s/awoooi-prod/15-service-registry-configmap.yaml | \
ssh -i ~/.ssh/deploy_key "wooo@${{ env.K8S_SSH_HOST }}" \ ssh $SSH_OPTS "wooo@${{ env.K8S_SSH_HOST }}" \
"KUBECTL='sudo kubectl --kubeconfig=/etc/rancher/k3s/k3s.yaml --server=${{ env.K8S_API_SERVER }}'; \$KUBECTL apply -f -" "KUBECTL='sudo kubectl --kubeconfig=/etc/rancher/k3s/k3s.yaml --server=${{ env.K8S_API_SERVER }}'; \$KUBECTL apply -f -"
echo "✅ Service Registry ConfigMap 已更新" echo "✅ Service Registry ConfigMap 已更新"
@@ -730,7 +732,7 @@ jobs:
} }
# ─── Step 4: 等待 ArgoCD sync + rollout ─── # ─── Step 4: 等待 ArgoCD sync + rollout ───
ssh -i ~/.ssh/deploy_key "wooo@${{ env.K8S_SSH_HOST }}" \ ssh $SSH_OPTS "wooo@${{ env.K8S_SSH_HOST }}" \
"EXPECTED_REVISION='${DEPLOY_REVISION}' bash -s" << 'ARGOCD_WAIT' "EXPECTED_REVISION='${DEPLOY_REVISION}' bash -s" << 'ARGOCD_WAIT'
set -e set -e
K8S_API_SERVER="${{ env.K8S_API_SERVER }}" K8S_API_SERVER="${{ env.K8S_API_SERVER }}"

12
docs/LOGBOOK.md
View File

@@ -1,3 +1,15 @@
## 2026-05-06 | CD host-key prompt unblock for AwoooP Ollama rollout
**背景**`09256be6` 已推到 Gitea main但 CD `build-and-deploy` 卡在 SSH 到 `192.168.0.121` 的 host-key authenticity promptrunner 無互動輸入,導致新 image tag 尚未注入 `kustomization.yaml`
**本次修補**
- `.gitea/workflows/cd.yaml` 的 K8s deploy SSH 目標改為已驗證可用的 `192.168.0.120` 控制面。
- `Inject K8s Secrets``Deploy to K8s` 兩段 SSH 加上 `BatchMode=yes``StrictHostKeyChecking=yes`、固定 `UserKnownHostsFile``ConnectTimeout=10`
- 目的:重開機或 known_hosts 清空時CD 要明確成功或失敗,不能再卡住整條部署鏈。
**驗證**
- 本機已驗證 `wooo@192.168.0.120` 可用 `sudo -n kubectl --server=https://192.168.0.120:6443` 查詢 `awoooi-prod` namespace。
# LOGBOOK - AWOOOI 進度軌跡 # LOGBOOK - AWOOOI 進度軌跡
> **用途**: AI 代理進度追蹤,防止 Session 斷層 > **用途**: AI 代理進度追蹤,防止 Session 斷層