diff --git a/services/maintenance/metis-deployment.yaml b/services/maintenance/metis-deployment.yaml index 78c29395..b2316c4f 100644 --- a/services/maintenance/metis-deployment.yaml +++ b/services/maintenance/metis-deployment.yaml @@ -18,27 +18,23 @@ spec: prometheus.io/scrape: "true" prometheus.io/port: "8080" prometheus.io/path: "/metrics" - metis.bstein.dev/config-rev: "2026-04-05-03" + metis.bstein.dev/config-rev: "2026-04-06-01" vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "maintenance" - vault.hashicorp.com/agent-inject-secret-metis-ssh-env.sh: "kv/data/atlas/maintenance/metis-ssh-keys" vault.hashicorp.com/agent-inject-secret-metis-runtime-env.sh: "kv/data/atlas/maintenance/metis-runtime" - vault.hashicorp.com/agent-inject-secret-metis-harbor-env.sh: "kv/data/atlas/harbor/harbor-core" - vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh: | - {{ with secret "kv/data/atlas/maintenance/metis-ssh-keys" }} - export METIS_SSH_KEY_BASTION="{{ .Data.data.bastion_pub }}" - export METIS_SSH_KEY_BRAD="{{ .Data.data.brad_pub }}" - export METIS_SSH_KEY_HECATE_TETHYS="{{ .Data.data.hecate_tethys_pub }}" - export METIS_SSH_KEY_HECATE_DB="{{ .Data.data.hecate_db_pub }}" - {{ end }} vault.hashicorp.com/agent-inject-template-metis-runtime-env.sh: | {{ with secret "kv/data/atlas/maintenance/metis-runtime" }} export METIS_K3S_TOKEN="{{ .Data.data.k3s_token }}" {{ end }} - vault.hashicorp.com/agent-inject-template-metis-harbor-env.sh: | - {{ with secret "kv/data/atlas/harbor/harbor-core" }} - export METIS_HARBOR_PASSWORD="{{ .Data.data.harbor_admin_password }}" + vault.hashicorp.com/agent-inject-secret-metis-ssh-env.sh: "kv/data/atlas/maintenance/metis-ssh-keys" + vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh: | + {{ with secret "kv/data/atlas/maintenance/metis-ssh-keys" }} + export METIS_SSH_KEY_BRAD="{{ .Data.data.brad_pub }}" + export METIS_SSH_KEY_ANANKE_TETHYS="{{ or .Data.data.ananke_tethys_pub .Data.data.hecate_tethys_pub }}" + export METIS_SSH_KEY_ANANKE_DB="{{ or .Data.data.ananke_db_pub .Data.data.hecate_db_pub }}" + export METIS_SSH_KEY_HECATE_TETHYS="${METIS_SSH_KEY_ANANKE_TETHYS}" + export METIS_SSH_KEY_HECATE_DB="${METIS_SSH_KEY_ANANKE_DB}" {{ end }} spec: serviceAccountName: metis @@ -49,16 +45,14 @@ spec: node-role.kubernetes.io/accelerator: "true" containers: - name: metis - image: registry.bstein.dev/bstein/metis:0.1.0-9-amd64 + image: registry.bstein.dev/bstein/metis:latest imagePullPolicy: Always command: ["/bin/sh", "-c"] args: - - | - set -e + - >- . /vault/secrets/metis-runtime-env.sh - . /vault/secrets/metis-harbor-env.sh - . /vault/secrets/metis-ssh-env.sh - exec metis serve + && . /vault/secrets/metis-ssh-env.sh + && exec metis serve envFrom: - configMapRef: name: metis @@ -82,14 +76,34 @@ spec: volumeMounts: - name: metis-data mountPath: /var/lib/metis + - name: host-dev + mountPath: /dev + - name: host-sys + mountPath: /sys + readOnly: true + - name: host-udev + mountPath: /run/udev + readOnly: true resources: requests: - cpu: 250m - memory: 512Mi + cpu: 150m + memory: 256Mi limits: - cpu: "2" - memory: 4Gi + cpu: "1" + memory: 1Gi + securityContext: + privileged: true + runAsUser: 0 volumes: - name: metis-data persistentVolumeClaim: claimName: metis-data + - name: host-dev + hostPath: + path: /dev + - name: host-sys + hostPath: + path: /sys + - name: host-udev + hostPath: + path: /run/udev