ci+docs(vault): read LLM keys from kv/openclaw, SSH/infra/cloudflare from kv/CICD

DEEPSEEK/NVIDIA/OLLAMA_API_KEY live in kv/data/openclaw (not CICD); vault-action
reads them from that path in the same step. Policy grants read on both
kv/data/CICD and kv/data/openclaw.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Haitao Pan 2026-06-24 15:35:25 +08:00
parent dba85dad04
commit 607c995a9a
2 changed files with 30 additions and 25 deletions

View File

@ -17,14 +17,14 @@ name: Deploy AI Workspace (IaC + Ansible + Cloudflare)
# 密钥管理:不使用 GitHub Actions Secrets统一从 HashiCorp Vault
# (https://vault.svc.plus) KV 安全获取,认证走 GitHub OIDCJWT无静态 token
# - Vault 角色: github-actions-xworkspace-console (jwt auth, audience=vault)
# - KV 路径: kv/data/CICD共享 CICD 机密,复用既有键名
# - KV 路径: kv/data/CICD共享 CICD 机密 + kv/data/openclawLLM keys
# - 用到的键(详见 docs/operations/vault-github-actions.md
# VULTR_API_KEY → TF_VAR_vultr_api_key
# CODEX_GITHUB_PERSONAL_ACCESS_TOKEN → checkout ai-workspace-infra
# SSH_PRIVATE_DEPLOY_KEY[_B64] → 连主机 SSH 私钥B64 优先)
# CLOUDFLARE_DNS_API_TOKEN → Cloudflare DNS 编辑
# DEEPSEEK_API_KEY / NVIDIA_API_KEY / OLLAMA_API_KEY → LLM provider keys(需补写)
# 可选远端 TF stateTF_STATE_ENDPOINT/BUCKET/ACCESS_KEY/SECRET_KEY/REGION
# [kv/CICD] VULTR_API_KEY → TF_VAR_vultr_api_key
# [kv/CICD] CODEX_GITHUB_PERSONAL_ACCESS_TOKEN → checkout ai-workspace-infra
# [kv/CICD] SSH_PRIVATE_DEPLOY_KEY[_B64] → 连主机 SSH 私钥B64 优先)
# [kv/CICD] CLOUDFLARE_DNS_API_TOKEN → Cloudflare DNS 编辑
# [kv/openclaw] DEEPSEEK_API_KEY / NVIDIA_API_KEY / OLLAMA_API_KEY → LLM provider keys
# [kv/CICD] 可选远端 TF stateTF_STATE_ENDPOINT/BUCKET/ACCESS_KEY/SECRET_KEY/REGION
# =============================================================================
on:
@ -66,6 +66,8 @@ env:
VAULT_ROLE: github-actions-xworkspace-console
# 共享 CICD 机密路径KV v2 读路径含 data/)。键名见 docs/operations/vault-github-actions.md
VAULT_KV: kv/data/CICD
# LLM provider keys 放在 openclaw 路径
VAULT_KV_OPENCLAW: kv/data/openclaw
INFRA_REPO: ${{ github.repository_owner }}/ai-workspace-infra
# vultr-vps 根(共享 scripts/ templates/ config/ENV_DIR 为 terraform 运行目录(workdir)
VPS_ROOT: infra/iac_modules/terraform-hcl-standard/vultr-vps
@ -221,9 +223,9 @@ jobs:
secrets: |
${{ env.VAULT_KV }} SSH_PRIVATE_DEPLOY_KEY | ANSIBLE_SSH_KEY ;
${{ env.VAULT_KV }} SSH_PRIVATE_DEPLOY_KEY_B64 | ANSIBLE_SSH_KEY_B64 ;
${{ env.VAULT_KV }} DEEPSEEK_API_KEY | DEEPSEEK_API_KEY ;
${{ env.VAULT_KV }} NVIDIA_API_KEY | NVIDIA_API_KEY ;
${{ env.VAULT_KV }} OLLAMA_API_KEY | OLLAMA_API_KEY
${{ env.VAULT_KV_OPENCLAW }} DEEPSEEK_API_KEY | DEEPSEEK_API_KEY ;
${{ env.VAULT_KV_OPENCLAW }} NVIDIA_API_KEY | NVIDIA_API_KEY ;
${{ env.VAULT_KV_OPENCLAW }} OLLAMA_API_KEY | OLLAMA_API_KEY
- name: Download CMDB (host IP source)
uses: actions/download-artifact@v4
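Review bot: The three `${{ env.VAULT_KV_OPENCLAW }}` lines make this step depend on the role's policy already granting read on `kv/data/openclaw`. That grant is only added by the policy change documented in the second file of this commit. If the workflow lands before the updated policy is written to Vault, the read on the new path is denied and the whole secrets step fails, including the SSH key reads that worked before. Apply the policy first, or call out the ordering in the commit message and the operations doc.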

View File

@ -25,6 +25,13 @@ path "kv/data/CICD" {
path "kv/metadata/CICD" {
capabilities = ["read", "list"]
}
# LLM provider keys 在 openclaw 路径
path "kv/data/openclaw" {
capabilities = ["read"]
}
path "kv/metadata/openclaw" {
capabilities = ["read", "list"]
}
EOF
# 2.2 role仅绑定本仓库的 GitHub OIDC 身份
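Review bot: The new `path "kv/data/openclaw"` block grants read on every key stored at that path, not only the three LLM keys the workflow maps, so anything else kept under `openclaw` becomes readable by this CI role. If that path is shared with other consumers, consider a dedicated path holding only `DEEPSEEK_API_KEY`, `NVIDIA_API_KEY` and `OLLAMA_API_KEY`. The `kv/metadata/openclaw` block with `["read", "list"]` is also not needed for the workflow to read values from `kv/data/openclaw`; it mirrors the existing CICD grant, but dropping it here keeps the added surface to the single read the change requires.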
@ -43,24 +50,20 @@ vault write auth/jwt/role/github-actions-xworkspace-console \
> 共享 KV 仅授予 read。如需仅限分支`sub` 收窄为
> `repo:ai-workspace-lab/xworkspace-console:ref:refs/heads/main`
## 3. KV 字段(`kv/data/CICD`复用既有共享键)
## 3. KV 字段(复用既有共享键,跨两条路径
| Vault 键 | 映射到 workflow 输出 | 用途 | 状态 |
| Vault 路径 | 键 | 映射到输出 | 用途 |
| --- | --- | --- | --- |
| `VULTR_API_KEY` | `VULTR_API_KEY` | provision`TF_VAR_vultr_api_key` | 已有 |
| `CODEX_GITHUB_PERSONAL_ACCESS_TOKEN` | `INFRA_REPO_TOKEN` | checkout 私有 `ai-workspace-infra` | 已有 |
| `CLOUDFLARE_DNS_API_TOKEN` | `CLOUDFLARE_DNS_API_TOKEN` | dnsCloudflare DNS 编辑 | 已有 |
| `SSH_PRIVATE_DEPLOY_KEY_B64` | `ANSIBLE_SSH_KEY_B64` | 连主机 SSH 私钥(**优先**,单行 base64 | 已有 |
| `SSH_PRIVATE_DEPLOY_KEY` | `ANSIBLE_SSH_KEY` | 同上原始多行(回退) | 已有 |
| `DEEPSEEK_API_KEY` / `NVIDIA_API_KEY` / `OLLAMA_API_KEY` | 同名 | deploy注入主机的 LLM provider keys | **需补写** |
| `TF_STATE_ENDPOINT/BUCKET/ACCESS_KEY/SECRET_KEY/REGION` | 同名 | 可选远端 TF state不配则本地 state | 可选 |
| `kv/data/CICD` | `VULTR_API_KEY` | `VULTR_API_KEY` | provision`TF_VAR_vultr_api_key` |
| `kv/data/CICD` | `CODEX_GITHUB_PERSONAL_ACCESS_TOKEN` | `INFRA_REPO_TOKEN` | checkout 私有 `ai-workspace-infra` |
| `kv/data/CICD` | `CLOUDFLARE_DNS_API_TOKEN` | `CLOUDFLARE_DNS_API_TOKEN` | dnsCloudflare DNS 编辑 |
| `kv/data/CICD` | `SSH_PRIVATE_DEPLOY_KEY_B64` | `ANSIBLE_SSH_KEY_B64` | 连主机 SSH 私钥(**优先**,单行 base64 |
| `kv/data/CICD` | `SSH_PRIVATE_DEPLOY_KEY` | `ANSIBLE_SSH_KEY` | 同上原始多行(回退) |
| `kv/data/openclaw` | `DEEPSEEK_API_KEY` / `NVIDIA_API_KEY` / `OLLAMA_API_KEY` | 同名 | deploy注入主机的 LLM provider keys |
| `kv/data/CICD` | `TF_STATE_ENDPOINT/BUCKET/ACCESS_KEY/SECRET_KEY/REGION` | 同名 | 可选远端 TF state不配则本地 state |
需补写三个 LLM key其余键已存在
```bash
vault kv patch kv/CICD \
DEEPSEEK_API_KEY=... NVIDIA_API_KEY=... OLLAMA_API_KEY=...
```
> 所有键均已存在LLM key 在 `kv/openclaw`,其余共享键在 `kv/CICD`)。
> vault-action 一个步骤可跨多路径读,每行自带路径。
> 主机登录用 `SSH_PRIVATE_DEPLOY_KEY`,其公钥 `SSH_PUBLIC_DEPLOY_KEY` 须写入
> `ai-workspace-infra``vultr-vps/config/resources/ai-workspace-hosts.yaml`
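
Review bot: The new table names the paths as `kv/data/CICD` and `kv/data/openclaw`, while the note right below it says `kv/openclaw` and `kv/CICD`. Both forms are valid in different contexts (policy and vault-action use the KV v2 path with `data/`, the `vault kv` CLI uses the mount path without it), but the doc no longer says so now that the `vault kv patch kv/CICD` example is removed. Add one sentence stating which form applies where. Since the note asserts that all keys already exist, consider also keeping a short write or rotate command for the LLM keys at the new path, so the doc still covers how they get there.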