From cc8cfe60cf2d3f0e2c39eaa65fa8ec9acd1251f6 Mon Sep 17 00:00:00 2001
From: zyc <1439655764@qq.com>
Date: Thu, 19 Mar 2026 14:57:01 +0800
Subject: [PATCH] Switch deployment from kubectl to SSH for EC certificate compatibility

K3s uses EC certificates which CI kubectl cannot parse. Deploy via SSH to server where local kubectl works natively.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .gitea/workflows/deploy.yaml | 66 +++++++++++++++++++-----------------
 1 file changed, 34 insertions(+), 32 deletions(-)

diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 916593c..7ae6030 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -47,46 +47,48 @@ jobs: --tag ${{ secrets.SWR_SERVER }}/${{ secrets.SWR_ORG }}/video-web:latest \ ./web 2>&1 | tee -a /tmp/build.log - - name: Setup Kubectl + - name: Setup SSH run: | - curl -LO "https://dl.k8s.io/release/v1.34.1/bin/linux/amd64/kubectl" || \ - curl -LO "https://cdn.dl.k8s.io/release/v1.34.1/bin/linux/amd64/kubectl" - chmod +x kubectl - mv kubectl /usr/local/bin/ + mkdir -p ~/.ssh + echo "${{ secrets.K3S_SSH_KEY }}" > ~/.ssh/id_rsa + chmod 600 ~/.ssh/id_rsa + ssh-keyscan -H ${{ secrets.K3S_HOST }} >> ~/.ssh/known_hosts 2>/dev/null - - name: Deploy to K3s - run: | - mkdir -p ~/.kube - echo "${{ secrets.KUBE_CONFIG_K3S }}" > ~/.kube/config - - - name: Create or Update Secrets - run: | - kubectl create secret generic video-backend-secrets \ - --from-literal=ARK_API_KEY=${{ secrets.ARK_API_KEY }} \ - --from-literal=TOS_ACCESS_KEY=${{ secrets.TOS_ACCESS_KEY }} \ - --from-literal=TOS_SECRET_KEY=${{ secrets.TOS_SECRET_KEY }} \ - --from-literal=DJANGO_SECRET_KEY=${{ secrets.DJANGO_SECRET_KEY }} \ - --from-literal=DB_HOST=${{ secrets.DB_HOST }} \ - --from-literal=DB_USER=${{ secrets.DB_USER }} \ - --from-literal=DB_PASSWORD=${{ secrets.DB_PASSWORD }} \ - --dry-run=client -o yaml | kubectl apply -f - - - - name: Apply K8s Manifests + - name: Deploy to K3s via SSH id: deploy run: | - # Replace image placeholders - sed -i "s|\${CI_REGISTRY_IMAGE}/video-backend:latest|${{ secrets.SWR_SERVER }}/${{ secrets.SWR_ORG }}/video-backend:latest|g" k8s/backend-deployment.yaml - sed -i "s|\${CI_REGISTRY_IMAGE}/video-web:latest|${{ secrets.SWR_SERVER }}/${{ secrets.SWR_ORG }}/video-web:latest|g" k8s/web-deployment.yaml + SWR_IMAGE="${{ secrets.SWR_SERVER }}/${{ secrets.SWR_ORG }}" - # Apply all manifests (cert-manager & issuer already installed on cluster) + # Replace image placeholders in yaml files + sed -i "s|\${CI_REGISTRY_IMAGE}/video-backend:latest|${SWR_IMAGE}/video-backend:latest|g" k8s/backend-deployment.yaml + sed -i 
"s|\${CI_REGISTRY_IMAGE}/video-web:latest|${SWR_IMAGE}/video-web:latest|g" k8s/web-deployment.yaml
+
+ # Copy k8s manifests to server
+ scp -o StrictHostKeyChecking=no k8s/backend-deployment.yaml k8s/web-deployment.yaml k8s/ingress.yaml root@${{ secrets.K3S_HOST }}:/tmp/
+
+ # Create/update secrets and apply manifests on server
 set -o pipefail
- {
- kubectl apply -f k8s/backend-deployment.yaml
- kubectl apply -f k8s/web-deployment.yaml
- kubectl apply -f k8s/ingress.yaml
+ ssh -o StrictHostKeyChecking=no root@${{ secrets.K3S_HOST }} << ENDSSH
+ export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+
+ kubectl create secret generic video-backend-secrets \
+ --from-literal=ARK_API_KEY='${{ secrets.ARK_API_KEY }}' \
+ --from-literal=TOS_ACCESS_KEY='${{ secrets.TOS_ACCESS_KEY }}' \
+ --from-literal=TOS_SECRET_KEY='${{ secrets.TOS_SECRET_KEY }}' \
+ --from-literal=DJANGO_SECRET_KEY='${{ secrets.DJANGO_SECRET_KEY }}' \
+ --from-literal=DB_HOST='${{ secrets.DB_HOST }}' \
+ --from-literal=DB_USER='${{ secrets.DB_USER }}' \
+ --from-literal=DB_PASSWORD='${{ secrets.DB_PASSWORD }}' \
+ --dry-run=client -o yaml | kubectl apply -f -
+
+ kubectl apply -f /tmp/backend-deployment.yaml
+ kubectl apply -f /tmp/web-deployment.yaml
+ kubectl apply -f /tmp/ingress.yaml
 kubectl rollout restart deployment/video-backend
 kubectl rollout restart deployment/video-web
- } 2>&1 | tee /tmp/deploy.log
+
+ rm -f /tmp/backend-deployment.yaml /tmp/web-deployment.yaml /tmp/ingress.yaml
+ ENDSSH
 # ===== Log Center: failure reporting =====
 - name: Report failure to Log Center
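Review bot: Host-key verification of `K3S_HOST` is effectively disabled in the new steps: the entry written to `known_hosts` comes from `ssh-keyscan` run at job time (trust-on-first-use against whoever answers), and `-o StrictHostKeyChecking=no` on the `scp` and `ssh` lines tolerates a mismatch anyway, so anyone who can impersonate or divert the host receives the entire heredoc — every `--from-literal` value — plus a root login attempt with the deploy key. Pin the key instead: replace the keyscan line with `echo "${{ secrets.K3S_HOST_KEY }}" >> ~/.ssh/known_hosts` (a new secret holding the server's public host key, captured once with `ssh-keyscan` from a trusted machine) and drop `-o StrictHostKeyChecking=no` from both commands. On the server the secrets also become `kubectl` command-line arguments in a root shell, visible in process listings, and a `'` in any value breaks the single quoting; passing them as a `--from-env-file` written with `umask 077` (or streamed over stdin) avoids both. The manifests land at predictable names under world-writable `/tmp` and are applied as root, so copying into a `mktemp -d` directory on the server is the cheaper fix than reasoning about what else may pre-create those paths. The enclosing job starts above this hunk, so the `permissions`/runner context these steps run under is not visible here.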