maintenance/metis: migrate ssh key vars to ananke

This commit is contained in:
Brad Stein 2026-04-06 19:28:44 -03:00
parent a5f405432b
commit 25ea022c2e


@ -18,27 +18,23 @@ spec:
prometheus.io/scrape: "true" prometheus.io/scrape: "true"
prometheus.io/port: "8080" prometheus.io/port: "8080"
prometheus.io/path: "/metrics" prometheus.io/path: "/metrics"
metis.bstein.dev/config-rev: "2026-04-05-03" metis.bstein.dev/config-rev: "2026-04-06-01"
vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "maintenance" vault.hashicorp.com/role: "maintenance"
vault.hashicorp.com/agent-inject-secret-metis-ssh-env.sh: "kv/data/atlas/maintenance/metis-ssh-keys"
vault.hashicorp.com/agent-inject-secret-metis-runtime-env.sh: "kv/data/atlas/maintenance/metis-runtime" vault.hashicorp.com/agent-inject-secret-metis-runtime-env.sh: "kv/data/atlas/maintenance/metis-runtime"
vault.hashicorp.com/agent-inject-secret-metis-harbor-env.sh: "kv/data/atlas/harbor/harbor-core"
vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh: |
{{ with secret "kv/data/atlas/maintenance/metis-ssh-keys" }}
export METIS_SSH_KEY_BASTION="{{ .Data.data.bastion_pub }}"
export METIS_SSH_KEY_BRAD="{{ .Data.data.brad_pub }}"
export METIS_SSH_KEY_HECATE_TETHYS="{{ .Data.data.hecate_tethys_pub }}"
export METIS_SSH_KEY_HECATE_DB="{{ .Data.data.hecate_db_pub }}"
{{ end }}
vault.hashicorp.com/agent-inject-template-metis-runtime-env.sh: | vault.hashicorp.com/agent-inject-template-metis-runtime-env.sh: |
{{ with secret "kv/data/atlas/maintenance/metis-runtime" }} {{ with secret "kv/data/atlas/maintenance/metis-runtime" }}
export METIS_K3S_TOKEN="{{ .Data.data.k3s_token }}" export METIS_K3S_TOKEN="{{ .Data.data.k3s_token }}"
{{ end }} {{ end }}
vault.hashicorp.com/agent-inject-template-metis-harbor-env.sh: | vault.hashicorp.com/agent-inject-secret-metis-ssh-env.sh: "kv/data/atlas/maintenance/metis-ssh-keys"
{{ with secret "kv/data/atlas/harbor/harbor-core" }} vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh: |
export METIS_HARBOR_PASSWORD="{{ .Data.data.harbor_admin_password }}" {{ with secret "kv/data/atlas/maintenance/metis-ssh-keys" }}
export METIS_SSH_KEY_BRAD="{{ .Data.data.brad_pub }}"
export METIS_SSH_KEY_ANANKE_TETHYS="{{ or .Data.data.ananke_tethys_pub .Data.data.hecate_tethys_pub }}"
export METIS_SSH_KEY_ANANKE_DB="{{ or .Data.data.ananke_db_pub .Data.data.hecate_db_pub }}"
export METIS_SSH_KEY_HECATE_TETHYS="${METIS_SSH_KEY_ANANKE_TETHYS}"
export METIS_SSH_KEY_HECATE_DB="${METIS_SSH_KEY_ANANKE_DB}"
{{ end }} {{ end }}
spec: spec:
serviceAccountName: metis serviceAccountName: metis
@ -49,16 +45,14 @@ spec:
node-role.kubernetes.io/accelerator: "true" node-role.kubernetes.io/accelerator: "true"
containers: containers:
- name: metis - name: metis
image: registry.bstein.dev/bstein/metis:0.1.0-9-amd64 image: registry.bstein.dev/bstein/metis:latest
imagePullPolicy: Always imagePullPolicy: Always
command: ["/bin/sh", "-c"] command: ["/bin/sh", "-c"]
args: args:
- | - >-
set -e
. /vault/secrets/metis-runtime-env.sh . /vault/secrets/metis-runtime-env.sh
. /vault/secrets/metis-harbor-env.sh && . /vault/secrets/metis-ssh-env.sh
. /vault/secrets/metis-ssh-env.sh && exec metis serve
exec metis serve
envFrom: envFrom:
- configMapRef: - configMapRef:
name: metis name: metis
@ -82,14 +76,34 @@ spec:
volumeMounts: volumeMounts:
- name: metis-data - name: metis-data
mountPath: /var/lib/metis mountPath: /var/lib/metis
- name: host-dev
mountPath: /dev
- name: host-sys
mountPath: /sys
readOnly: true
- name: host-udev
mountPath: /run/udev
readOnly: true
resources: resources:
requests: requests:
cpu: 250m cpu: 150m
memory: 512Mi memory: 256Mi
limits: limits:
cpu: "2" cpu: "1"
memory: 4Gi memory: 1Gi
securityContext:
privileged: true
runAsUser: 0
volumes: volumes:
- name: metis-data - name: metis-data
persistentVolumeClaim: persistentVolumeClaim:
claimName: metis-data claimName: metis-data
- name: host-dev
hostPath:
path: /dev
- name: host-sys
hostPath:
path: /sys
- name: host-udev
hostPath:
path: /run/udev
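Review bot: The new `securityContext` on the metis container (`privileged: true`, `runAsUser: 0`) combined with the read-write hostPath mount of `/dev` gives this pod effectively full control of the node, which is unrelated to the ssh-key migration in the commit title and is not explained anywhere in the hunk. If the device access is for the accelerator node this pod is pinned to, a device plugin resource request would expose only the needed devices and let `privileged` be dropped; at minimum a comment above `securityContext:` should state which device or capability requires it, e.g. `# privileged + hostPath /dev required for <DEVICE PLACEHOLDER> — TODO replace with device plugin`. The same hunk mounts `/sys` and `/run/udev` with `readOnly: true`, so `/dev` being writable deserves the same justification. Separately, `image: registry.bstein.dev/bstein/metis:latest` with `imagePullPolicy: Always` replaces the pinned `0.1.0-9-amd64` tag, making every restart pull whatever `latest` currently points at; pinning to a tag or digest keeps the deployed image reproducible and auditable.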