From 401df4d68c24d0fb8a2b14ac560699e97772f279 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Fri, 16 Jan 2026 17:31:29 -0300
Subject: [PATCH] longhorn: use harbor mirrors and vault pull secret
---
infrastructure/longhorn/core/helmrelease.yaml | 45 +++++++++++++++++++
.../longhorn/core/kustomization.yaml | 3 ++
.../longhorn/core/secretproviderclass.yaml | 21 +++++++++
.../longhorn/core/vault-serviceaccount.yaml | 6 +++
.../longhorn/core/vault-sync-deployment.yaml | 34 ++++++++++++++
.../vault/scripts/vault_k8s_auth_configure.sh | 4 +-
6 files changed, 111 insertions(+), 2 deletions(-)
create mode 100644 infrastructure/longhorn/core/secretproviderclass.yaml
create mode 100644 infrastructure/longhorn/core/vault-serviceaccount.yaml
create mode 100644 infrastructure/longhorn/core/vault-sync-deployment.yaml
diff --git a/infrastructure/longhorn/core/helmrelease.yaml b/infrastructure/longhorn/core/helmrelease.yaml
index 521df04..a5d44ad 100644
--- a/infrastructure/longhorn/core/helmrelease.yaml
+++ b/infrastructure/longhorn/core/helmrelease.yaml
@@ -30,3 +30,48 @@ spec:
 ui:
 type: NodePort
 nodePort: 30824
+ privateRegistry:
+ createSecret: false
+ registrySecret: longhorn-registry
+ image:
+ longhorn:
+ engine:
+ repository: registry.bstein.dev/bstein/longhorn-engine
+ tag: v1.8.2
+ manager:
+ repository: registry.bstein.dev/bstein/longhorn-manager
+ tag: v1.8.2
+ ui:
+ repository: registry.bstein.dev/bstein/longhorn-ui
+ tag: v1.8.2
+ instanceManager:
+ repository: registry.bstein.dev/bstein/longhorn-instance-manager
+ tag: v1.8.2
+ shareManager:
+ repository: registry.bstein.dev/bstein/longhorn-share-manager
+ tag: v1.8.2
+ backingImageManager:
+ repository: registry.bstein.dev/bstein/longhorn-backing-image-manager
+ tag: v1.8.2
+ supportBundleKit:
+ repository: registry.bstein.dev/bstein/longhorn-support-bundle-kit
+ tag: v0.0.56
+ csi:
+ attacher:
+ repository: registry.bstein.dev/bstein/longhorn-csi-attacher
+ tag: v4.9.0
+ provisioner:
+ repository: registry.bstein.dev/bstein/longhorn-csi-provisioner
+ tag: v5.3.0
+ nodeDriverRegistrar:
+ repository: registry.bstein.dev/bstein/longhorn-csi-node-driver-registrar
+ tag: v2.14.0
+ resizer:
+ repository: registry.bstein.dev/bstein/longhorn-csi-resizer
+ tag: v1.13.2
+ snapshotter:
+ repository: registry.bstein.dev/bstein/longhorn-csi-snapshotter
+ tag: v8.2.0
+ livenessProbe:
+ repository: registry.bstein.dev/bstein/longhorn-livenessprobe
+ tag: v2.16.0
diff --git a/infrastructure/longhorn/core/kustomization.yaml b/infrastructure/longhorn/core/kustomization.yaml
index 47153c7..e8320c7 100644
--- a/infrastructure/longhorn/core/kustomization.yaml
+++ b/infrastructure/longhorn/core/kustomization.yaml
@@ -3,4 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - namespace.yaml
+ - vault-serviceaccount.yaml
+ - secretproviderclass.yaml
+ - vault-sync-deployment.yaml
 - helmrelease.yaml
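Review bot: Every mirrored image under `image.longhorn.*` and `image.csi.*` is pinned by a mutable tag only (`tag: v1.8.2`, `v4.9.0`, …), so the Harbor mirror becomes the trust anchor for the whole storage layer and a re-pushed tag silently changes what every Longhorn node runs. The chart's `repository`/`tag` split leaves no obvious place for a `@sha256:` digest, so the practical control sits on the registry side — a tag-immutability rule on the `bstein/longhorn-*` repositories (and signature verification on pull if the mirror supports it); record that expectation next to `privateRegistry:`, e.g. `# images are pinned by tag only; Harbor immutability rules on bstein/longhorn-* are what keep these pins stable`. Note also that `createSecret: false` makes the chart depend on `longhorn-registry` already existing in the namespace; that Secret is produced by a Secrets Store CSI sync in another file, so if it is missing at reconcile time the HelmRelease still succeeds and every Longhorn pod sits in ImagePullBackOff instead. The enclosing `spec:` mapping starts before this hunk.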
diff --git a/infrastructure/longhorn/core/secretproviderclass.yaml b/infrastructure/longhorn/core/secretproviderclass.yaml
new file mode 100644
index 0000000..031d1d8
--- /dev/null
+++ b/infrastructure/longhorn/core/secretproviderclass.yaml
@@ -0,0 +1,21 @@
+# infrastructure/longhorn/core/secretproviderclass.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: longhorn-vault
+ namespace: longhorn-system
+spec:
+ provider: vault
+ parameters:
+ vaultAddress: "http://vault.vault.svc.cluster.local:8200"
+ roleName: "longhorn"
+ objects: |
+ - objectName: "harbor-pull__dockerconfigjson"
+ secretPath: "kv/data/atlas/harbor-pull/longhorn"
+ secretKey: "dockerconfigjson"
+ secretObjects:
+ - secretName: longhorn-registry
+ type: kubernetes.io/dockerconfigjson
+ data:
+ - objectName: harbor-pull__dockerconfigjson
+ key: .dockerconfigjson
diff --git a/infrastructure/longhorn/core/vault-serviceaccount.yaml b/infrastructure/longhorn/core/vault-serviceaccount.yaml
new file mode 100644
index 0000000..17ccef8
--- /dev/null
+++ b/infrastructure/longhorn/core/vault-serviceaccount.yaml
@@ -0,0 +1,6 @@
+# infrastructure/longhorn/core/vault-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: longhorn-vault-sync
+ namespace: longhorn-system
diff --git a/infrastructure/longhorn/core/vault-sync-deployment.yaml b/infrastructure/longhorn/core/vault-sync-deployment.yaml
new file mode 100644
index 0000000..cb04c39
--- /dev/null
+++ b/infrastructure/longhorn/core/vault-sync-deployment.yaml
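Review bot: `vaultAddress: "http://vault.vault.svc.cluster.local:8200"` sends the pod's service-account JWT to Vault and receives the Harbor `dockerconfigjson` back over plaintext HTTP, so anyone who can observe or redirect pod traffic on the path to the `vault` namespace obtains both a Vault login credential and the registry credential. Unless a service mesh is terminating TLS in a way this file does not show, change it to `https://` and pin the CA with the provider's `vaultCACertPath` (or `vaultCACert`) parameter. Separately, the synced `longhorn-registry` Secret only exists while some pod mounts this SecretProviderClass and is removed by the driver when the last mount goes away; say so on `secretObjects:`, e.g. `# created/removed by the CSI driver as pods mount this class; the longhorn-vault-sync Deployment exists only to keep it mounted`, so nobody treats the sleeper pod as disposable.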
@@ -0,0 +1,34 @@
+# infrastructure/longhorn/core/vault-sync-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: longhorn-vault-sync
+ namespace: longhorn-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: longhorn-vault-sync
+ template:
+ metadata:
+ labels:
+ app: longhorn-vault-sync
+ spec:
+ serviceAccountName: longhorn-vault-sync
+ containers:
+ - name: sync
+ image: alpine:3.20
+ command: ["/bin/sh", "-c"]
+ args:
+ - "sleep infinity"
+ volumeMounts:
+ - name: vault-secrets
+ mountPath: /vault/secrets
+ readOnly: true
+ volumes:
+ - name: vault-secrets
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: longhorn-vault
diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index 0b2dca6..2d2d4ba 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@@ -214,8 +214,8 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
 "crypto/* harbor-pull/crypto" ""
 write_policy_and_role "health" "health" "health-vault-sync" \
 "health/*" ""
-write_policy_and_role "longhorn" "longhorn-system" "longhorn-vault" \
- "longhorn/*" ""
+write_policy_and_role "longhorn" "longhorn-system" "longhorn-vault,longhorn-vault-sync" \
+ "longhorn/* harbor-pull/longhorn" ""
 write_policy_and_role "postgres" "postgres" "postgres-vault" \
 "postgres/postgres-db" ""
 write_policy_and_role "vault" "vault" "vault" \
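Review bot: The `sync` container runs `alpine:3.20` with no `securityContext` (so as root, privilege escalation allowed, full capability set, writable root filesystem) and no resource requests, although its only job is `sleep infinity` to hold the CSI mount open so the driver keeps the `longhorn-registry` Secret alive. Because the driver removes that Secret when the last mounting pod goes away, scaling this Deployment to 0 or losing its single replica silently breaks image pulls for every Longhorn component; put that at the top, e.g. `# keep-alive pod: the Secrets Store CSI driver only syncs longhorn-registry while this volume is mounted — do not scale to 0`. It is also the one pod in this change that still pulls from Docker Hub by mutable tag, which is unavoidable as a bootstrap (it cannot use the pull secret it creates) but deserves a comment and a digest pin on the `image:` line. Hardening below; whether `automountServiceAccountToken: false` is also safe depends on the CSIDriver being configured with `tokenRequests`, which this diff does not show, so it is left out.
```yaml
    spec:
      serviceAccountName: longhorn-vault-sync
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: sync
          image: alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - "sleep infinity"
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          resources:
            requests:
              cpu: 10m
              memory: 16Mi
            limits:
              memory: 32Mi
          # … unchanged: volumeMounts …
      # … unchanged: volumes …
```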
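Review bot: The single `longhorn` role now binds two service accounts to the union of two scopes, so `longhorn-vault` (previously limited to `longhorn/*`) can also read the Harbor pull credential, and the keep-alive `longhorn-vault-sync` SA can read every secret under `longhorn/*` although it only needs `harbor-pull/longhorn`. Every other entry in view binds one SA per role, so the least-privilege shape is two calls (below), with the SecretProviderClass in `infrastructure/longhorn/core/secretproviderclass.yaml` switched to `roleName: "longhorn-pull"`. Whether the comma-separated SA list is honoured at all depends on `write_policy_and_role`, whose definition is outside this hunk.
```shell
write_policy_and_role "longhorn" "longhorn-system" "longhorn-vault" \
  "longhorn/*" ""
write_policy_and_role "longhorn-pull" "longhorn-system" "longhorn-vault-sync" \
  "harbor-pull/longhorn" ""
```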