From f23176cbb9fd6b10674103e0bb781c1310cfe221 Mon Sep 17 00:00:00 2001
From: OG T <ogt@WOOOMacMiniM4.local>
Date: Sat, 11 Apr 2026 21:10:42 +0800
Subject: [PATCH] =?UTF-8?q?fix(k8s):=20ArgoCD=20MCP=20=E7=B6=B2=E8=B7=AF?=
 =?UTF-8?q?=E9=80=A3=E7=B7=9A=E4=BF=AE=E5=BE=A9=20=E2=80=94=20ARGOCD=5FURL?=
 =?UTF-8?q?=20=E6=94=B9=E7=94=A8=20120:30443?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- NetworkPolicy v1.4: 加入 ArgoCD MCP egress 規則
  - argocd namespace Pod selector (port 8080, ClusterIP fallback)
  - 192.168.0.120:30443 NodePort（ClusterIP DNAT 跨 namespace 不穩定）
- ARGOCD_URL: 192.168.0.125 → 192.168.0.120:30443（K3s Master NodePort，更穩定）
- 已驗證: 192.168.0.120:30443 從 Pod 內部可達，apps=[awoooi-prod]

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 k8s/awoooi-prod/02-network-policy.yaml | 14 +++++++++-----
 k8s/awoooi-prod/04-configmap.yaml      |  2 +-
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/k8s/awoooi-prod/02-network-policy.yaml b/k8s/awoooi-prod/02-network-policy.yaml
index a9924f3c..91fab952 100644
--- a/k8s/awoooi-prod/02-network-policy.yaml
+++ b/k8s/awoooi-prod/02-network-policy.yaml
@@ -179,13 +179,17 @@ spec:
           port: 443
     - to:
         - ipBlock:
-            cidr: 192.168.0.120/32  # K3s Master 實際 API Server 端點
+            cidr: 192.168.0.120/32  # K3s Master 實際 API Server 端點 + ArgoCD NodePort
       ports:
         - protocol: TCP
           port: 6443
+        # ArgoCD MCP NodePort (2026-04-11): ClusterIP DNAT 跨 namespace 不穩定，改用 NodePort
+        - protocol: TCP
+          port: 30443
 
     # 允許訪問 ArgoCD MCP（MCP Phase 3，2026-04-11）
-    # ArgoCD Server 在 argocd namespace，Pod 需要訪問其 HTTP/HTTPS API
+    # ArgoCD Server Pod 在 argocd namespace (10.42.0.252)，但 DNS 解析到 ClusterIP (10.43.16.201)
+    # 必須同時允許 namespace+pod selector（Pod IP）和 ClusterIP
     - to:
         - namespaceSelector:
             matchLabels:
@@ -193,11 +197,11 @@ spec:
           podSelector:
             matchLabels:
               app.kubernetes.io/name: argocd-server
+        - ipBlock:
+            cidr: 10.43.16.201/32  # argocd-server ClusterIP
       ports:
         - protocol: TCP
-          port: 80
-        - protocol: TCP
-          port: 443
+          port: 8080
 
     # 允許訪問 192.168.0.121 K3s Worker (mon1)
     # 2026-04-09 新增: NodePort 32334(API)/32335(Web) 在 121 上，host probe 需要
diff --git a/k8s/awoooi-prod/04-configmap.yaml b/k8s/awoooi-prod/04-configmap.yaml
index 22220310..dd8962e8 100644
--- a/k8s/awoooi-prod/04-configmap.yaml
+++ b/k8s/awoooi-prod/04-configmap.yaml
@@ -110,7 +110,7 @@ data:
   # MCP Phase 3 (2026-04-11 Claude Sonnet 4.6): ArgoCD + Sentry MCP 啟用
   # ARGOCD_API_TOKEN 在 Secrets 中配置
   ARGOCD_MCP_ENABLED: "true"
-  ARGOCD_URL: "https://192.168.0.125:30443"
+  ARGOCD_URL: "https://192.168.0.120:30443"
   SENTRY_MCP_ENABLED: "true"
   # Prometheus server 在 110:9090 (非 188)
   PROMETHEUS_URL: "http://192.168.0.110:9090"