maintenance/metis: migrate ssh key vars to ananke

Brad Stein 2026-04-06 19:28:44 -03:00
parent a5f405432b
commit 25ea022c2e


@ -18,27 +18,23 @@ spec:
prometheus.io/scrape: "true"
prometheus.io/port: "8080"
prometheus.io/path: "/metrics"
metis.bstein.dev/config-rev: "2026-04-05-03"
metis.bstein.dev/config-rev: "2026-04-06-01"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "maintenance"
vault.hashicorp.com/agent-inject-secret-metis-ssh-env.sh: "kv/data/atlas/maintenance/metis-ssh-keys"
vault.hashicorp.com/agent-inject-secret-metis-runtime-env.sh: "kv/data/atlas/maintenance/metis-runtime"
vault.hashicorp.com/agent-inject-secret-metis-harbor-env.sh: "kv/data/atlas/harbor/harbor-core"
vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh: |
{{ with secret "kv/data/atlas/maintenance/metis-ssh-keys" }}
export METIS_SSH_KEY_BASTION="{{ .Data.data.bastion_pub }}"
export METIS_SSH_KEY_BRAD="{{ .Data.data.brad_pub }}"
export METIS_SSH_KEY_HECATE_TETHYS="{{ .Data.data.hecate_tethys_pub }}"
export METIS_SSH_KEY_HECATE_DB="{{ .Data.data.hecate_db_pub }}"
{{ end }}
vault.hashicorp.com/agent-inject-template-metis-runtime-env.sh: |
{{ with secret "kv/data/atlas/maintenance/metis-runtime" }}
export METIS_K3S_TOKEN="{{ .Data.data.k3s_token }}"
{{ end }}
vault.hashicorp.com/agent-inject-template-metis-harbor-env.sh: |
{{ with secret "kv/data/atlas/harbor/harbor-core" }}
export METIS_HARBOR_PASSWORD="{{ .Data.data.harbor_admin_password }}"
vault.hashicorp.com/agent-inject-secret-metis-ssh-env.sh: "kv/data/atlas/maintenance/metis-ssh-keys"
vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh: |
{{ with secret "kv/data/atlas/maintenance/metis-ssh-keys" }}
export METIS_SSH_KEY_BRAD="{{ .Data.data.brad_pub }}"
export METIS_SSH_KEY_ANANKE_TETHYS="{{ or .Data.data.ananke_tethys_pub .Data.data.hecate_tethys_pub }}"
export METIS_SSH_KEY_ANANKE_DB="{{ or .Data.data.ananke_db_pub .Data.data.hecate_db_pub }}"
export METIS_SSH_KEY_HECATE_TETHYS="${METIS_SSH_KEY_ANANKE_TETHYS}"
export METIS_SSH_KEY_HECATE_DB="${METIS_SSH_KEY_ANANKE_DB}"
{{ end }}
spec:
serviceAccountName: metis
@ -49,16 +45,14 @@ spec:
node-role.kubernetes.io/accelerator: "true"
containers:
- name: metis
image: registry.bstein.dev/bstein/metis:0.1.0-9-amd64
image: registry.bstein.dev/bstein/metis:latest
imagePullPolicy: Always
command: ["/bin/sh", "-c"]
args:
- |
set -e
- >-
. /vault/secrets/metis-runtime-env.sh
. /vault/secrets/metis-harbor-env.sh
. /vault/secrets/metis-ssh-env.sh
exec metis serve
&& . /vault/secrets/metis-ssh-env.sh
&& exec metis serve
envFrom:
- configMapRef:
name: metis
@ -82,14 +76,34 @@ spec:
volumeMounts:
- name: metis-data
mountPath: /var/lib/metis
- name: host-dev
mountPath: /dev
- name: host-sys
mountPath: /sys
readOnly: true
- name: host-udev
mountPath: /run/udev
readOnly: true
resources:
requests:
cpu: 250m
memory: 512Mi
cpu: 150m
memory: 256Mi
limits:
cpu: "2"
memory: 4Gi
cpu: "1"
memory: 1Gi
securityContext:
privileged: true
runAsUser: 0
volumes:
- name: metis-data
persistentVolumeClaim:
claimName: metis-data
- name: host-dev
hostPath:
path: /dev
- name: host-sys
hostPath:
path: /sys
- name: host-udev
hostPath:
path: /run/udev
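Review bot: The securityContext added at the end of the last hunk (`privileged: true`, `runAsUser: 0`) combined with the new read-write hostPath mount of `/dev` gives this pod full host device access, while the second hunk moves the image from the pinned `0.1.0-9-amd64` tag to `:latest` with `imagePullPolicy: Always`, so whatever is pushed to that tag next runs as root with host-level privileges on the accelerator node. Pinning the image again (a version tag, or a digest such as `image: registry.bstein.dev/bstein/metis@sha256:<digest>`) keeps the privilege grant tied to a reviewed build. Nothing in the diff explains why `privileged` is needed on top of the hostPath mounts; a comment on the securityContext such as `# privileged + /dev required for <reason> — confirm whether specific capabilities or a device plugin would suffice` would let a later reviewer drop it if the udev/sysfs mounts alone are enough. `/sys` and `/run/udev` are mounted read-only but `/dev` is not, so if the workload only enumerates device nodes, `readOnly: true` on that mount too would narrow the blast radius. The container spec starts before the second hunk, so the remaining pod security settings are not visible here.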