From 30c677e6ed1b2d0e4e77f42b7d27b9a47c1ddb1b Mon Sep 17 00:00:00 2001 From: Brad Stein Date: Tue, 31 Mar 2026 14:07:17 -0300 Subject: [PATCH] maintenance: add Metis service and sentinel manifests --- services/maintenance/image.yaml | 46 +++++++++++++ services/maintenance/kustomization.yaml | 9 +++ services/maintenance/metis-configmap.yaml | 12 ++++ services/maintenance/metis-deployment.yaml | 61 ++++++++++++++++++ .../maintenance/metis-sentinel-daemonset.yaml | 64 +++++++++++++++++++ services/maintenance/metis-service.yaml | 18 ++++++ .../maintenance/metis-serviceaccount.yaml | 6 ++ 7 files changed, 216 insertions(+) create mode 100644 services/maintenance/metis-configmap.yaml create mode 100644 services/maintenance/metis-deployment.yaml create mode 100644 services/maintenance/metis-sentinel-daemonset.yaml create mode 100644 services/maintenance/metis-service.yaml create mode 100644 services/maintenance/metis-serviceaccount.yaml
diff --git a/services/maintenance/image.yaml b/services/maintenance/image.yaml
index 77fee7a7..01b652f3 100644
--- a/services/maintenance/image.yaml
+++ b/services/maintenance/image.yaml
@@ -24,6 +24,52 @@ spec:
 ---
 apiVersion: image.toolkit.fluxcd.io/v1beta2
 kind: ImageRepository
+metadata:
+ name: metis
+ namespace: maintenance
+spec:
+ image: registry.bstein.dev/bstein/metis
+ interval: 1m0s
+ secretRef:
+ name: harbor-regcred
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImagePolicy
+metadata:
+ name: metis
+ namespace: maintenance
+spec:
+ imageRepositoryRef:
+ name: metis
+ policy:
+ semver:
+ range: ">=0.1.0-0"
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImageRepository
+metadata:
+ name: metis-sentinel
+ namespace: maintenance
+spec:
+ image: registry.bstein.dev/bstein/metis-sentinel
+ interval: 1m0s
+ secretRef:
+ name: harbor-regcred
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImagePolicy
+metadata:
+ name: metis-sentinel
+ namespace: maintenance
+spec:
+ imageRepositoryRef:
+ name: metis-sentinel
+ policy:
+ semver:
+ range: ">=0.1.0-0"
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImageRepository
 metadata:
 name: soteria
 namespace: maintenance
diff --git a/services/maintenance/kustomization.yaml b/services/maintenance/kustomization.yaml
index 90510140..2aa08489 100644
--- a/services/maintenance/kustomization.yaml
+++ b/services/maintenance/kustomization.yaml
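Review bot: Both new ImagePolicy objects use `range: ">=0.1.0-0"`, which matches every tag from 0.1.0 upward including any prerelease, so together with the `$imagepolicy` markers in kustomization.yaml any tag pushed to `registry.bstein.dev/bstein/metis` or `metis-sentinel` is rolled out automatically, and nothing in this hunk pins a digest or verifies a signature. This mirrors the existing soteria entry, so it may be a deliberate repository convention, but the sentinel image lands on every worker with the host filesystem mounted, which raises the cost of a bad or hijacked push. At minimum bound the range to the current minor line, `range: ">=0.1.0-0 <0.2.0-0"`, and consider signature verification at admission for these two repositories.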
@@ -6,32 +6,41 @@ resources:
 - image.yaml
 - secretproviderclass.yaml
 - soteria-configmap.yaml
+ - metis-configmap.yaml
 - vault-serviceaccount.yaml
 - vault-sync-deployment.yaml
 - ariadne-serviceaccount.yaml
 - ariadne-rbac.yaml
 - disable-k3s-traefik-serviceaccount.yaml
 - k3s-traefik-cleanup-rbac.yaml
+ - metis-serviceaccount.yaml
 - node-nofile-serviceaccount.yaml
 - pod-cleaner-rbac.yaml
 - soteria-serviceaccount.yaml
 - soteria-rbac.yaml
 - ariadne-deployment.yaml
+ - metis-deployment.yaml
 - oneoffs/ariadne-migrate-job.yaml
 - ariadne-service.yaml
 - soteria-deployment.yaml
 - disable-k3s-traefik-daemonset.yaml
 - oneoffs/k3s-traefik-cleanup-job.yaml
 - node-nofile-daemonset.yaml
+ - metis-sentinel-daemonset.yaml
 - k3s-agent-restart-daemonset.yaml
 - pod-cleaner-cronjob.yaml
 - node-image-sweeper-serviceaccount.yaml
 - node-image-sweeper-daemonset.yaml
 - image-sweeper-cronjob.yaml
+ - metis-service.yaml
 - soteria-service.yaml
 images:
 - name: registry.bstein.dev/bstein/ariadne
 newTag: 0.1.0-22 # {"$imagepolicy": "maintenance:ariadne:tag"}
+ - name: registry.bstein.dev/bstein/metis
+ newTag: 0.1.0-0 # {"$imagepolicy": "maintenance:metis:tag"}
+ - name: registry.bstein.dev/bstein/metis-sentinel
+ newTag: 0.1.0-0 # {"$imagepolicy": "maintenance:metis-sentinel:tag"}
 - name: registry.bstein.dev/bstein/soteria
 newTag: 0.1.0-11 # {"$imagepolicy": "maintenance:soteria:tag"}
 configMapGenerator:
diff --git a/services/maintenance/metis-configmap.yaml b/services/maintenance/metis-configmap.yaml
new file mode 100644
index 00000000..ba45d881
--- /dev/null
+++ b/services/maintenance/metis-configmap.yaml
@@ -0,0 +1,12 @@
+# services/maintenance/metis-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: metis
+ namespace: maintenance
+data:
+ METIS_DEFAULT_FLASH_NODE: titan-22
+ METIS_METRICS_PORT: "8080"
+ METIS_METRICS_PATH: /metrics
+ METIS_SENTINEL_OUT: /var/run/metis-sentinel
+ METIS_SENTINEL_INTERVAL_SEC: "300"
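Review bot: The `metis` ConfigMap is consumed via `envFrom` by both the Deployment and the sentinel DaemonSet, so every key here lands in both workloads and nothing in the file says which process reads which key or what `METIS_DEFAULT_FLASH_NODE: titan-22` is used for. A one-line comment per key would let the next maintainer change `titan-22` or `METIS_SENTINEL_OUT` safely; for example above the last two keys, `# sentinel only: output directory (emptyDir in the DaemonSet) and scan period in seconds`, and above the first, `# consumed by the metis Deployment; keep in sync with its nodeAffinity preference`. The `METIS_SENTINEL_OUT` path must match the `mountPath` in metis-sentinel-daemonset.yaml, which is worth stating next to the value.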
diff --git a/services/maintenance/metis-deployment.yaml b/services/maintenance/metis-deployment.yaml
new file mode 100644
index 00000000..87b2db78
--- /dev/null
+++ b/services/maintenance/metis-deployment.yaml
@@ -0,0 +1,61 @@
+# services/maintenance/metis-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: metis
+ namespace: maintenance
+spec:
+ replicas: 1
+ revisionHistoryLimit: 3
+ selector:
+ matchLabels:
+ app: metis
+ template:
+ metadata:
+ labels:
+ app: metis
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "8080"
+ prometheus.io/path: "/metrics"
+ spec:
+ serviceAccountName: metis
+ nodeSelector:
+ kubernetes.io/arch: amd64
+ node-role.kubernetes.io/worker: "true"
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values: ["titan-22"]
+ - weight: 25
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values: ["titan-24"]
+ containers:
+ - name: metis
+ image: registry.bstein.dev/bstein/metis:latest
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: metis
+ ports:
+ - name: http
+ containerPort: 8080
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
diff --git a/services/maintenance/metis-sentinel-daemonset.yaml b/services/maintenance/metis-sentinel-daemonset.yaml
new file mode 100644
index 00000000..44236904
--- /dev/null
+++ b/services/maintenance/metis-sentinel-daemonset.yaml
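Review bot: The container `securityContext` at the end of the hunk drops all capabilities and blocks privilege escalation but sets no `runAsNonRoot`, no seccomp profile and no read-only root filesystem, so the pod runs as whatever user the image defaults to (not visible here) under the unconfined default seccomp profile. The pod also mounts the `metis` service-account token by default while this patch binds no RBAC to that account (kustomization.yaml adds no metis-rbac.yaml, unlike soteria and ariadne), so add `automountServiceAccountToken: false` under the pod `spec:` unless the app really calls the API server. The `image: ...metis:latest` with `imagePullPolicy: Always` is rewritten by the kustomization `images:` transform to the pinned `newTag`, so that is fine as long as the transform stays in place. Suggested hardening of the securityContext:

```yaml
      # … unchanged: resources …
      securityContext:
        allowPrivilegeEscalation: false
        runAsNonRoot: true  # confirm the image declares a non-root USER first
        readOnlyRootFilesystem: true  # confirm the app writes only to mounted volumes
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop: ["ALL"]
```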
@@ -0,0 +1,64 @@
+# services/maintenance/metis-sentinel-daemonset.yaml
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: metis-sentinel
+ namespace: maintenance
+spec:
+ selector:
+ matchLabels:
+ app: metis-sentinel
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: metis-sentinel
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "8080"
+ prometheus.io/path: "/metrics"
+ spec:
+ serviceAccountName: metis
+ nodeSelector:
+ kubernetes.io/os: linux
+ node-role.kubernetes.io/worker: "true"
+ containers:
+ - name: metis-sentinel
+ image: registry.bstein.dev/bstein/metis-sentinel:latest
+ imagePullPolicy: Always
+ envFrom:
+ - configMapRef:
+ name: metis
+ env:
+ - name: METIS_SENTINEL_NODE
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ ports:
+ - name: http
+ containerPort: 8080
+ volumeMounts:
+ - name: host-root
+ mountPath: /host
+ readOnly: true
+ - name: sentinel-output
+ mountPath: /var/run/metis-sentinel
+ resources:
+ requests:
+ cpu: 25m
+ memory: 64Mi
+ limits:
+ cpu: 250m
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: 0
+ capabilities:
+ drop: ["ALL"]
+ volumes:
+ - name: host-root
+ hostPath:
+ path: /
+ - name: sentinel-output
+ emptyDir: {}
diff --git a/services/maintenance/metis-service.yaml b/services/maintenance/metis-service.yaml
new file mode 100644
index 00000000..5e45c3c2
--- /dev/null
+++ b/services/maintenance/metis-service.yaml
@@ -0,0 +1,18 @@
+# services/maintenance/metis-service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: metis
+ namespace: maintenance
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "80"
+ prometheus.io/path: "/metrics"
+spec:
+ type: ClusterIP
+ selector:
+ app: metis
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
diff --git a/services/maintenance/metis-serviceaccount.yaml b/services/maintenance/metis-serviceaccount.yaml
new file mode 100644
index 00000000..fe5d72d8
--- /dev/null
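Review bot: The sentinel mounts the whole host filesystem (`hostPath: path: /` at `/host`, `readOnly: true`) while running with `runAsUser: 0`; the read-only flag stops writes to that mount, but as uid 0 the process is the owner of every root-owned file on the node, so it can read k3s node tokens, kubelet client certificates and anything under /etc or /var/lib without any capability, and `drop: ["ALL"]` does not change that. A compromise of this container, which exposes port 8080 on every worker with no NetworkPolicy in this patch, therefore hands over each worker's on-disk credentials. Note also that `readOnly: true` on a bind mount is not recursive on older kubelets, so filesystems mounted beneath `/` on the host may remain writable inside the container unless `recursiveReadOnly: Enabled` is supported and set. Narrow `path: /` to the specific directories the sentinel inspects (not visible from here); if whole-root access is genuinely required, add a comment above the `host-root` volume stating why and what it reads, set `seccompProfile: type: RuntimeDefault` next to `runAsUser: 0`, and consider a non-root uid with a dedicated group if the inspected paths permit it.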
+++ b/services/maintenance/metis-serviceaccount.yaml
@@ -0,0 +1,6 @@
+# services/maintenance/metis-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: metis
+ namespace: maintenance
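Review bot: The new `metis` ServiceAccount is shared by the Deployment and the sentinel DaemonSet, yet this patch binds no Role or ClusterRole to it (kustomization.yaml gains no metis-rbac.yaml, whereas soteria and ariadne each ship one), so the token projected into every sentinel pod grants the workload nothing but remains a valid credential an attacker on a worker can exfiltrate and use to enumerate the API. Unless a follow-up adds RBAC, disable the projection at the account level by adding `automountServiceAccountToken: false` after `namespace: maintenance`; a pod spec can re-enable it later if API access turns out to be needed.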