bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

maintenance: inject metis SSH keys directly from Vault

Browse Source
This commit is contained in:
Brad Stein 2026-04-05 10:31:20 -03:00
parent e84399d0b1
commit 0828f0cf9e
3 changed files with 18 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
services/maintenance/metis-deployment.yaml
View File

@ -18,7 +18,17 @@ spec:
prometheus.io/scrape: "true"
prometheus.io/port: "8080"
prometheus.io/path: "/metrics"
metis.bstein.dev/config-rev: "2026-04-05-01"
metis.bstein.dev/config-rev: "2026-04-05-02"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "maintenance"
vault.hashicorp.com/agent-inject-secret-metis-ssh-env.sh: "kv/data/atlas/maintenance/metis-ssh-keys"
vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh: |
{{ with secret "kv/data/atlas/maintenance/metis-ssh-keys" }}
export METIS_SSH_KEY_BASTION="{{ .Data.data.bastion_pub }}"
export METIS_SSH_KEY_BRAD="{{ .Data.data.brad_pub }}"
export METIS_SSH_KEY_HECATE_TETHYS="{{ .Data.data.hecate_tethys_pub }}"
{{ end }}
spec:
serviceAccountName: metis
terminationGracePeriodSeconds: 30
@ -30,6 +40,12 @@ spec:
- name: metis
image: registry.bstein.dev/bstein/metis:0.1.0-21-amd64
imagePullPolicy: Always
command: ["/bin/sh", "-c"]
args:
- |
set -e
. /vault/secrets/metis-ssh-env.sh
exec metis serve
envFrom:
- configMapRef:
name: metis
@ -42,24 +58,6 @@ spec:
name: metis-runtime
key: k3s_token
optional: true
- name: METIS_SSH_KEY_BRAD
valueFrom:
secretKeyRef:
name: metis-ssh-keys
key: brad_pub
optional: true
- name: METIS_SSH_KEY_BASTION
valueFrom:
secretKeyRef:
name: metis-ssh-keys
key: bastion_pub
optional: true
- name: METIS_SSH_KEY_HECATE_TETHYS
valueFrom:
secretKeyRef:
name: metis-ssh-keys
key: hecate_tethys_pub
optional: true
ports:
- name: http
containerPort: 8080

18
services/maintenance/secretproviderclass.yaml
View File

@ -16,15 +16,6 @@ spec:
- objectName: "harbor-core__harbor_admin_password"
secretPath: "kv/data/atlas/harbor/harbor-core"
secretKey: "harbor_admin_password"
- objectName: "metis-ssh-keys__bastion_pub"
secretPath: "kv/data/atlas/maintenance/metis-ssh-keys"
secretKey: "bastion_pub"
- objectName: "metis-ssh-keys__brad_pub"
secretPath: "kv/data/atlas/maintenance/metis-ssh-keys"
secretKey: "brad_pub"
- objectName: "metis-ssh-keys__hecate_tethys_pub"
secretPath: "kv/data/atlas/maintenance/metis-ssh-keys"
secretKey: "hecate_tethys_pub"
secretObjects:
- secretName: harbor-regcred
type: kubernetes.io/dockerconfigjson
@ -36,12 +27,3 @@ spec:
data:
- objectName: harbor-core__harbor_admin_password
key: METIS_HARBOR_PASSWORD
- secretName: metis-ssh-keys
type: Opaque
data:
- objectName: metis-ssh-keys__bastion_pub
key: bastion_pub
- objectName: metis-ssh-keys__brad_pub
key: brad_pub
- objectName: metis-ssh-keys__hecate_tethys_pub
key: hecate_tethys_pub

2
services/vault/scripts/vault_k8s_auth_configure.sh
View File

@ -230,7 +230,7 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
"crypto/* shared/harbor-pull" ""
write_policy_and_role "health" "health" "health-vault-sync" \
"health/*" ""
write_policy_and_role "maintenance" "maintenance" "ariadne,maintenance-vault-sync" \
write_policy_and_role "maintenance" "maintenance" "ariadne,maintenance-vault-sync,metis" \
"maintenance/ariadne-db maintenance/metis-oidc maintenance/metis-ssh-keys portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull harbor/harbor-core" ""
write_policy_and_role "finance" "finance" "finance-vault" \
"finance/* shared/postmark-relay" ""