From f331ae87c27f42ecc96d3cd4e86f30499b5fbfba Mon Sep 17 00:00:00 2001 From: AWOOOI CD Date: Wed, 15 Jul 2026 02:04:56 +0800 Subject: [PATCH 1/2] chore(cd): deploy 31de3a7 [skip ci] --- k8s/awoooi-prod/06-deployment-api.yaml | 4 ++-- k8s/awoooi-prod/08-deployment-ansible-executor-broker.yaml | 2 +- k8s/awoooi-prod/08-deployment-worker.yaml | 2 +- k8s/awoooi-prod/kustomization.yaml | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/k8s/awoooi-prod/06-deployment-api.yaml b/k8s/awoooi-prod/06-deployment-api.yaml index b529c6e5e..21a5ad4a7 100644 --- a/k8s/awoooi-prod/06-deployment-api.yaml +++ b/k8s/awoooi-prod/06-deployment-api.yaml @@ -160,12 +160,12 @@ spec: - name: AWOOOI_BUILD_COMMIT_SHA # 2026-06-29 Codex: CD rewrites this to the deployed image tag so # production deploy readback does not rely on a stale static snapshot. - value: "72bcbd7882f02990bfca6eaf67ea68cfa233c334" + value: "31de3a709815f33a11ba6de6e78b771b7160a245" - name: AWOOOI_DESIRED_API_IMAGE_TAG # 2026-06-30 Codex: CD rewrites this alongside AWOOOI_BUILD_COMMIT_SHA. # Production readback compares runtime image truth against this # GitOps desired tag instead of doing a slow Gitea raw fetch. - value: "72bcbd7882f02990bfca6eaf67ea68cfa233c334" + value: "31de3a709815f33a11ba6de6e78b771b7160a245" - name: DATABASE_POOL_SIZE # 2026-07-01 Codex: production role `awoooi` currently has a low # connection limit. Keep API pool conservative until DB role diff --git a/k8s/awoooi-prod/08-deployment-ansible-executor-broker.yaml b/k8s/awoooi-prod/08-deployment-ansible-executor-broker.yaml index b26fc8b96..1d35cc038 100644 --- a/k8s/awoooi-prod/08-deployment-ansible-executor-broker.yaml +++ b/k8s/awoooi-prod/08-deployment-ansible-executor-broker.yaml @@ -66,7 +66,7 @@ spec: - name: DATABASE_NULL_POOL value: "true" - name: AWOOOI_BUILD_COMMIT_SHA - value: "72bcbd7882f02990bfca6eaf67ea68cfa233c334" + value: "31de3a709815f33a11ba6de6e78b771b7160a245" - name: ENABLE_AWOOOP_ANSIBLE_CANDIDATE_BACKFILL_WORKER value: "false" - name: ENABLE_AWOOOP_ANSIBLE_CHECK_MODE_WORKER diff --git a/k8s/awoooi-prod/08-deployment-worker.yaml b/k8s/awoooi-prod/08-deployment-worker.yaml index 9bcacfe99..df3125539 100644 --- a/k8s/awoooi-prod/08-deployment-worker.yaml +++ b/k8s/awoooi-prod/08-deployment-worker.yaml @@ -173,7 +173,7 @@ spec: - name: DATABASE_BOOTSTRAP_DDL_ENABLED value: "false" - name: AWOOOI_BUILD_COMMIT_SHA - value: "72bcbd7882f02990bfca6eaf67ea68cfa233c334" + value: "31de3a709815f33a11ba6de6e78b771b7160a245" - name: ENABLE_AWOOOP_ANSIBLE_CANDIDATE_BACKFILL_WORKER value: "true" - name: ENABLE_SECURITY_CONTROL_PLANE_MAINTENANCE_WORKER diff --git a/k8s/awoooi-prod/kustomization.yaml b/k8s/awoooi-prod/kustomization.yaml index 30b7db0af..14fabb734 100644 --- a/k8s/awoooi-prod/kustomization.yaml +++ b/k8s/awoooi-prod/kustomization.yaml @@ -40,9 +40,9 @@ resources: # ⚠️ 重要: name 必須與 deployment YAML 中的 image 完全匹配 (含 tag) # newName + newTag 由 CI 透過 kustomize edit set image 注入 images: -- digest: sha256:0f371518701b3fb115f67b16b9a6993adc98e0277c344a074a869ed5db28ee58 +- digest: sha256:a99b3b276def966c03be56f7e8e15feb69d5e2029c8d4ec11dd4b839709351b8 name: 192.168.0.110:5000/library/api:IMAGE_TAG_PLACEHOLDER newName: 192.168.0.110:5000/awoooi/api -- digest: sha256:18d791008184d6582e7f9f3ead8ed9b8d41c5e704f626d5e3686fd3b9e2b4a6c +- digest: sha256:9f3d1caa5808b2c690f37bd41c1776f9b881215b6211eb64b46bec2d5daf3474 name: 192.168.0.110:5000/library/web:IMAGE_TAG_PLACEHOLDER newName: 192.168.0.110:5000/awoooi/web From 58b3d2178c100163aadd5b16379e5dfafd58b127 Mon Sep 17 00:00:00 2001 From: ogt Date: Wed, 15 Jul 2026 01:51:15 +0800 Subject: [PATCH 2/2] feat(security): mirror Argo CD Redis init --- .../security/runtime-image-mirror-policy.json | 15 +++++++++++ .../test_runtime_image_mirror_controller.py | 27 +++++++++++++++++-- 2 files changed, 40 insertions(+), 2 deletions(-) diff --git a/config/security/runtime-image-mirror-policy.json b/config/security/runtime-image-mirror-policy.json index 4c3ee3a50..e386d21a1 100644 --- a/config/security/runtime-image-mirror-policy.json +++ b/config/security/runtime-image-mirror-policy.json @@ -129,6 +129,21 @@ "container": "argocd-application-controller" } }, + { + "asset_id": "runtime-image:argocd-redis-secret-init", + "source_index_digest": "sha256:16b92ba472fbb9287459cc52e0ecff07288dff461209955098edb56ce866fe49", + "platform_digest": "sha256:2f25a42949ea69c0dd33f4ce1918c6a01039d6c14a7ecc1d19088504a9d3e94f", + "target_registry_digest": "sha256:8b7e25d7e6036d6750c5bda8920cbd80d8902c25771666f6767dc97bd7fab8fc", + "push_ref": "registry.wooo.work/awoooi/runtime-mirror/argocd:v3.3.6-linux-amd64", + "runtime_ref": "192.168.0.110:5000/awoooi/runtime-mirror/argocd@sha256:8b7e25d7e6036d6750c5bda8920cbd80d8902c25771666f6767dc97bd7fab8fc", + "workload": { + "kind": "deployment", + "namespace": "argocd", + "name": "argocd-redis", + "container": "secret-init", + "container_kind": "init_container" + } + }, { "asset_id": "runtime-image:kured", "source_index_digest": "sha256:2c5d73bb4517a269def38a6cd54d34d82be81793bea9ff1bb35c6533515ad209", diff --git a/scripts/security/tests/test_runtime_image_mirror_controller.py b/scripts/security/tests/test_runtime_image_mirror_controller.py index 8bd472241..4cfe9bf69 100644 --- a/scripts/security/tests/test_runtime_image_mirror_controller.py +++ b/scripts/security/tests/test_runtime_image_mirror_controller.py @@ -47,7 +47,7 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase): self.assertEqual(policy.work_item_id, "AIA-P0-006-02A") self.assertEqual(policy.risk_level, "high") - self.assertEqual(len(policy.images), 12) + self.assertEqual(len(policy.images), 13) self.assertNotIn("github.com", raw) self.assertNotIn("ghcr.io", raw) self.assertIn('"external_pull_allowed": false', raw) @@ -73,7 +73,7 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase): ) container_kinds = [image.workload.container_kind for image in policy.images] self.assertEqual(container_kinds.count("container"), 10) - self.assertEqual(container_kinds.count("init_container"), 2) + self.assertEqual(container_kinds.count("init_container"), 3) def test_policy_loads_and_validates_init_container_kind(self) -> None: image = self._image_with_container_kind("init_container") @@ -304,6 +304,29 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase): image.runtime_ref.endswith("@" + image.target_registry_digest) ) + def test_argocd_redis_init_reuses_verified_staging_artifact(self) -> None: + policy = controller.load_policy(POLICY_PATH) + staging = controller.load_staging_policy(STAGING_POLICY_PATH).images[0] + image = next( + image + for image in policy.images + if image.asset_id == "runtime-image:argocd-redis-secret-init" + ) + + self.assertEqual(image.source_index_digest, staging.source_index_digest) + self.assertEqual(image.platform_digest, staging.platform_digest) + self.assertEqual(image.push_ref, staging.push_ref) + self.assertEqual(image.workload.kind, "deployment") + self.assertEqual(image.workload.namespace, "argocd") + self.assertEqual(image.workload.name, "argocd-redis") + self.assertEqual(image.workload.container, "secret-init") + self.assertEqual(image.workload.container_kind, "init_container") + self.assertEqual( + image.target_registry_digest, + "sha256:8b7e25d7e6036d6750c5bda8920cbd80d8902c25771666f6767dc97bd7fab8fc", + ) + self.assertTrue(image.runtime_ref.endswith("@" + image.target_registry_digest)) + def test_policy_rejects_external_pull_and_mutable_runtime_ref(self) -> None: payload = json.loads(POLICY_PATH.read_text(encoding="utf-8")) with tempfile.TemporaryDirectory() as temp: