longhorn: use harbor mirrors and vault pull secret

2026-01-16 17:31:29 -03:00 · 2026-01-16 17:31:29 -03:00 · 401df4d68c
commit 401df4d68c
parent 4406724da5
6 changed files with 111 additions and 2 deletions
--- a/infrastructure/longhorn/core/helmrelease.yaml
+++ b/infrastructure/longhorn/core/helmrelease.yaml
@ -30,3 +30,48 @@ spec:
      ui:
        type: NodePort
        nodePort: 30824
+    privateRegistry:
+      createSecret: false
+      registrySecret: longhorn-registry
+    image:
+      longhorn:
+        engine:
+          repository: registry.bstein.dev/bstein/longhorn-engine
+          tag: v1.8.2
+        manager:
+          repository: registry.bstein.dev/bstein/longhorn-manager
+          tag: v1.8.2
+        ui:
+          repository: registry.bstein.dev/bstein/longhorn-ui
+          tag: v1.8.2
+        instanceManager:
+          repository: registry.bstein.dev/bstein/longhorn-instance-manager
+          tag: v1.8.2
+        shareManager:
+          repository: registry.bstein.dev/bstein/longhorn-share-manager
+          tag: v1.8.2
+        backingImageManager:
+          repository: registry.bstein.dev/bstein/longhorn-backing-image-manager
+          tag: v1.8.2
+        supportBundleKit:
+          repository: registry.bstein.dev/bstein/longhorn-support-bundle-kit
+          tag: v0.0.56
+      csi:
+        attacher:
+          repository: registry.bstein.dev/bstein/longhorn-csi-attacher
+          tag: v4.9.0
+        provisioner:
+          repository: registry.bstein.dev/bstein/longhorn-csi-provisioner
+          tag: v5.3.0
+        nodeDriverRegistrar:
+          repository: registry.bstein.dev/bstein/longhorn-csi-node-driver-registrar
+          tag: v2.14.0
+        resizer:
+          repository: registry.bstein.dev/bstein/longhorn-csi-resizer
+          tag: v1.13.2
+        snapshotter:
+          repository: registry.bstein.dev/bstein/longhorn-csi-snapshotter
+          tag: v8.2.0
+        livenessProbe:
+          repository: registry.bstein.dev/bstein/longhorn-livenessprobe
+          tag: v2.16.0
--- a/infrastructure/longhorn/core/kustomization.yaml
+++ b/infrastructure/longhorn/core/kustomization.yaml
@ -3,4 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
+  - vault-serviceaccount.yaml
+  - secretproviderclass.yaml
+  - vault-sync-deployment.yaml
  - helmrelease.yaml
--- a/infrastructure/longhorn/core/secretproviderclass.yaml
+++ b/infrastructure/longhorn/core/secretproviderclass.yaml
@ -0,0 +1,21 @@
+# infrastructure/longhorn/core/secretproviderclass.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: longhorn-vault
+  namespace: longhorn-system
+spec:
+  provider: vault
+  parameters:
+    vaultAddress: "http://vault.vault.svc.cluster.local:8200"
+    roleName: "longhorn"
+    objects: |
+      - objectName: "harbor-pull__dockerconfigjson"
+        secretPath: "kv/data/atlas/harbor-pull/longhorn"
+        secretKey: "dockerconfigjson"
+  secretObjects:
+    - secretName: longhorn-registry
+      type: kubernetes.io/dockerconfigjson
+      data:
+        - objectName: harbor-pull__dockerconfigjson
+          key: .dockerconfigjson
--- a/infrastructure/longhorn/core/vault-serviceaccount.yaml
+++ b/infrastructure/longhorn/core/vault-serviceaccount.yaml
@ -0,0 +1,6 @@
+# infrastructure/longhorn/core/vault-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: longhorn-vault-sync
+  namespace: longhorn-system
--- a/infrastructure/longhorn/core/vault-sync-deployment.yaml
+++ b/infrastructure/longhorn/core/vault-sync-deployment.yaml
@ -0,0 +1,34 @@
+# infrastructure/longhorn/core/vault-sync-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: longhorn-vault-sync
+  namespace: longhorn-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: longhorn-vault-sync
+  template:
+    metadata:
+      labels:
+        app: longhorn-vault-sync
+    spec:
+      serviceAccountName: longhorn-vault-sync
+      containers:
+        - name: sync
+          image: alpine:3.20
+          command: ["/bin/sh", "-c"]
+          args:
+            - "sleep infinity"
+          volumeMounts:
+            - name: vault-secrets
+              mountPath: /vault/secrets
+              readOnly: true
+      volumes:
+        - name: vault-secrets
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: longhorn-vault
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@ -214,8 +214,8 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
  "crypto/* harbor-pull/crypto" ""
 write_policy_and_role "health" "health" "health-vault-sync" \
  "health/*" ""
-write_policy_and_role "longhorn" "longhorn-system" "longhorn-vault" \
-  "longhorn/*" ""
+write_policy_and_role "longhorn" "longhorn-system" "longhorn-vault,longhorn-vault-sync" \
+  "longhorn/* harbor-pull/longhorn" ""
 write_policy_and_role "postgres" "postgres" "postgres-vault" \
  "postgres/postgres-db" ""
 write_policy_and_role "vault" "vault" "vault" \