fix(k8s): ArgoCD MCP 網路連線修復 — ARGOCD_URL 改用 120:30443

- NetworkPolicy v1.4: 加入 ArgoCD MCP egress 規則 - argocd namespace Pod selector (port 8080, ClusterIP fallback) - 192.168.0.120:30443 NodePort（ClusterIP DNAT 跨 namespace 不穩定） - ARGOCD_URL: 192.168.0.125 → 192.168.0.120:30443（K3s Master NodePort，更穩定） - 已驗證: 192.168.0.120:30443 從 Pod 內部可達，apps=[awoooi-prod] Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 21:10:42 +08:00
parent 4a00573a20
commit f23176cbb9
2 changed files with 10 additions and 6 deletions
--- a/k8s/awoooi-prod/02-network-policy.yaml
+++ b/k8s/awoooi-prod/02-network-policy.yaml
@@ -179,13 +179,17 @@ spec:
          port: 443
    - to:
        - ipBlock:
-            cidr: 192.168.0.120/32  # K3s Master 實際 API Server 端點
+            cidr: 192.168.0.120/32  # K3s Master 實際 API Server 端點 + ArgoCD NodePort
      ports:
        - protocol: TCP
          port: 6443
+        # ArgoCD MCP NodePort (2026-04-11): ClusterIP DNAT 跨 namespace 不穩定，改用 NodePort
+        - protocol: TCP
+          port: 30443

    # 允許訪問 ArgoCD MCP（MCP Phase 3，2026-04-11）
-    # ArgoCD Server 在 argocd namespace，Pod 需要訪問其 HTTP/HTTPS API
+    # ArgoCD Server Pod 在 argocd namespace (10.42.0.252)，但 DNS 解析到 ClusterIP (10.43.16.201)
+    # 必須同時允許 namespace+pod selector（Pod IP）和 ClusterIP
    - to:
        - namespaceSelector:
            matchLabels:
@@ -193,11 +197,11 @@ spec:
          podSelector:
            matchLabels:
              app.kubernetes.io/name: argocd-server
+        - ipBlock:
+            cidr: 10.43.16.201/32  # argocd-server ClusterIP
      ports:
        - protocol: TCP
-          port: 80
-        - protocol: TCP
-          port: 443
+          port: 8080

    # 允許訪問 192.168.0.121 K3s Worker (mon1)
    # 2026-04-09 新增: NodePort 32334(API)/32335(Web) 在 121 上，host probe 需要
--- a/k8s/awoooi-prod/04-configmap.yaml
+++ b/k8s/awoooi-prod/04-configmap.yaml
@@ -110,7 +110,7 @@ data:
  # MCP Phase 3 (2026-04-11 Claude Sonnet 4.6): ArgoCD + Sentry MCP 啟用
  # ARGOCD_API_TOKEN 在 Secrets 中配置
  ARGOCD_MCP_ENABLED: "true"
-  ARGOCD_URL: "https://192.168.0.125:30443"
+  ARGOCD_URL: "https://192.168.0.120:30443"
  SENTRY_MCP_ENABLED: "true"
  # Prometheus server 在 110:9090 (非 188)
  PROMETHEUS_URL: "http://192.168.0.110:9090"