awoooi/k8s/awoooi-prod/03-secrets.example.yaml
OG T c696b99ccf
fix(awooop): authenticate approval decisions
2026-05-06 13:05:51 +08:00

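# AWOOOI production environment Secrets template
# ================================
# Owner: CIO / CISO
# Version: v1.1
# Date: 2026-03-22
#
# ⚠️ Usage:
# 1. Copy this file to 03-secrets.yaml
# 2. Replace every CHANGE_ME with the actual value
# 3. 03-secrets.yaml is listed in .gitignore; committing it is forbidden
# 4. In production, values are injected through CI/CD Secrets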
apiVersion: v1
kind: Secret
metadata:
  name: awoooi-secrets
  namespace: awoooi-prod
type: Opaque
stringData:
  # ============================================================================
  # Database (192.168.0.188 PostgreSQL)
  # ============================================================================
  DATABASE_URL: "postgresql+asyncpg://awoooi:CHANGE_ME@192.168.0.188:5432/awoooi_prod"
  # ============================================================================
  # Redis (192.168.0.188:6380, DB 0 - shared with OpenClaw)
  # ============================================================================
  REDIS_URL: "redis://192.168.0.188:6380/0"
  # ============================================================================
  # AI service API keys (ADR-006 fallback order: Ollama → Gemini → Claude)
  # ============================================================================
  GEMINI_API_KEY: "CHANGE_ME"
  CLAUDE_API_KEY: "CHANGE_ME"
  # ============================================================================
  # Phase 9: Agent Teams (ADR-009)
  # The Claude Agent SDK requires ANTHROPIC_API_KEY
  # ============================================================================
  ANTHROPIC_API_KEY: "CHANGE_ME"
  # ============================================================================
  # Phase 5.5: Telegram Gateway (OpenClaw notifications)
  # ============================================================================
  OPENCLAW_TG_BOT_TOKEN: "CHANGE_ME"
  OPENCLAW_TG_CHAT_ID: "CHANGE_ME"
  OPENCLAW_TG_USER_WHITELIST: "CHANGE_ME" # comma-separated User IDs
  SRE_GROUP_CHAT_ID: "CHANGE_ME" # ADR-073 P2-4 (2026-04-12 ogt): SRE group Chat ID, the destination for HeartbeatReport
  # ============================================================================
  # Webhook security (CISO requirement: HMAC-SHA256 signature)
  # ============================================================================
  WEBHOOK_HMAC_SECRET: "CHANGE_ME_TO_RANDOM_64_CHARS"
  # ============================================================================
  # AwoooP Operator Console mutation API
  # ============================================================================
  AWOOOP_OPERATOR_API_KEY: "CHANGE_ME_TO_RANDOM_64_CHARS"
  # ============================================================================
  # JWT authentication (future extension)
  # ============================================================================
  JWT_SECRET: "CHANGE_ME_TO_RANDOM_STRING"
  JWT_ALGORITHM: "HS256"
  # ============================================================================
  # Phase 15.1: Langfuse LLMOps (192.168.0.110:3100)
  # ============================================================================
  LANGFUSE_PUBLIC_KEY: "CHANGE_ME"
  LANGFUSE_SECRET_KEY: "CHANGE_ME"
  # ============================================================================
  # Phase 10: Sentry Self-Hosted (sentry.wooo.work)
  # 2026-03-27: chief architect review - filled in missing configuration
  # 2026-03-29: Wave A.1 added SENTRY_AUTH_TOKEN (ADR-037)
  # 2026-04-11: ADR-069 Sprint A - updated to the public HTTPS domain (sentry.wooo.work)
  # How to obtain:
  #   1. SSH wooo@192.168.0.110
  #   2. docker exec sentry-self-hosted-web-1 sentry django shell -c "
  #      from sentry.models import Project, ProjectKey
  #      p = Project.objects.get(name='awoooi-api')
  #      print(ProjectKey.objects.filter(project=p).first().get_dsn())"
  # ============================================================================
  # API DSN (Project ID: 3) - format: https://<key>@sentry.wooo.work/3
  SENTRY_DSN: "https://8c4a210fd52909bbbdab642a166ff66e@sentry.wooo.work/3"
  # Auth token for API Comment/Issues operations (Settings → Developer Settings → Internal Integrations)
  SENTRY_AUTH_TOKEN: "CHANGE_ME"
  # Web DSN (Project ID: 2) - must be configured in the Web ConfigMap
  # NEXT_PUBLIC_SENTRY_DSN: "https://da02d4e5d6542e4d1ed6b2dd6542efeb@sentry.wooo.work/2"
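
A pre-apply check for step 2 of the usage notes, as an added example that is not part of the repository: it flags any value that still contains CHANGE_ME and either of the two keys the template marks CHANGE_ME_TO_RANDOM_64_CHARS when the value is shorter than 64 characters. The function name `check_secrets` and the flat `KEY: "value"` line layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the repository): pre-apply check for a filled-in
# copy of the template. Assumes flat `KEY: "value"` lines, as in this file.

# check_secrets FILE: print one finding per line, return 1 if any were found.
check_secrets() {
    awk '
        # Skip comment-only and blank lines (this also skips commented-out keys).
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        # Only env-style KEY: "value" lines are inspected.
        match($0, /^[ \t]*[A-Z][A-Z0-9_]*:[ \t]*"/) {
            key = $0; sub(/^[ \t]*/, "", key); sub(/:.*/, "", key)
            val = substr($0, RLENGTH + 1); sub(/".*/, "", val)
            if (val ~ /CHANGE_ME/) {
                print key ": placeholder not replaced"; bad = 1
            } else if ((key == "WEBHOOK_HMAC_SECRET" ||
                        key == "AWOOOP_OPERATOR_API_KEY") && length(val) < 64) {
                print key ": shorter than 64 characters"; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample (not real credentials): one leftover placeholder, one short key.
sample=$(mktemp)
cat > "$sample" <<'EOF'
stringData:
  DATABASE_URL: "postgresql+asyncpg://awoooi:CHANGE_ME@192.168.0.188:5432/awoooi_prod"
  REDIS_URL: "redis://192.168.0.188:6380/0"
  WEBHOOK_HMAC_SECRET: "constructed-short-value"
EOF
check_secrets "$sample" || echo "findings above: do not apply this manifest"
rm -f "$sample"
```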