longhorn: use harbor mirrors and vault pull secret
This commit is contained in:
parent
4406724da5
commit
401df4d68c
@ -30,3 +30,48 @@ spec:
|
|||||||
ui:
|
ui:
|
||||||
type: NodePort
|
type: NodePort
|
||||||
nodePort: 30824
|
nodePort: 30824
|
||||||
|
privateRegistry:
|
||||||
|
createSecret: false
|
||||||
|
registrySecret: longhorn-registry
|
||||||
|
image:
|
||||||
|
longhorn:
|
||||||
|
engine:
|
||||||
|
repository: registry.bstein.dev/bstein/longhorn-engine
|
||||||
|
tag: v1.8.2
|
||||||
|
manager:
|
||||||
|
repository: registry.bstein.dev/bstein/longhorn-manager
|
||||||
|
tag: v1.8.2
|
||||||
|
ui:
|
||||||
|
repository: registry.bstein.dev/bstein/longhorn-ui
|
||||||
|
tag: v1.8.2
|
||||||
|
instanceManager:
|
||||||
|
repository: registry.bstein.dev/bstein/longhorn-instance-manager
|
||||||
|
tag: v1.8.2
|
||||||
|
shareManager:
|
||||||
|
repository: registry.bstein.dev/bstein/longhorn-share-manager
|
||||||
|
tag: v1.8.2
|
||||||
|
backingImageManager:
|
||||||
|
repository: registry.bstein.dev/bstein/longhorn-backing-image-manager
|
||||||
|
tag: v1.8.2
|
||||||
|
supportBundleKit:
|
||||||
|
repository: registry.bstein.dev/bstein/longhorn-support-bundle-kit
|
||||||
|
tag: v0.0.56
|
||||||
|
csi:
|
||||||
|
attacher:
|
||||||
|
repository: registry.bstein.dev/bstein/longhorn-csi-attacher
|
||||||
|
tag: v4.9.0
|
||||||
|
provisioner:
|
||||||
|
repository: registry.bstein.dev/bstein/longhorn-csi-provisioner
|
||||||
|
tag: v5.3.0
|
||||||
|
nodeDriverRegistrar:
|
||||||
|
repository: registry.bstein.dev/bstein/longhorn-csi-node-driver-registrar
|
||||||
|
tag: v2.14.0
|
||||||
|
resizer:
|
||||||
|
repository: registry.bstein.dev/bstein/longhorn-csi-resizer
|
||||||
|
tag: v1.13.2
|
||||||
|
snapshotter:
|
||||||
|
repository: registry.bstein.dev/bstein/longhorn-csi-snapshotter
|
||||||
|
tag: v8.2.0
|
||||||
|
livenessProbe:
|
||||||
|
repository: registry.bstein.dev/bstein/longhorn-livenessprobe
|
||||||
|
tag: v2.16.0
|
||||||
|
|||||||
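Review bot: With `createSecret: false`, every Longhorn component's image pull now depends on a Secret named `longhorn-registry` that this chart does not create, and nothing in the hunk records where it comes from. As far as I can tell it is materialized by the Secrets Store CSI driver's `secretObjects` sync, which only keeps the Secret alive while a pod mounting the `longhorn-vault` SecretProviderClass is running, so if that pod is evicted or its node drained, Longhorn pods scheduled in the meantime will sit in ImagePullBackOff; a comment next to `registrySecret` would save the next reader that investigation: `# created by secrets-store CSI from SecretProviderClass longhorn-vault; exists only while the longhorn-vault-sync pod is running`. The mirrored images are pinned by tag only; since `registry.bstein.dev` is under your control, consider pinning by digest or enabling tag immutability on the Harbor project so a re-push cannot silently change what the cluster runs. The enclosing `spec:` values block starts outside the hunk.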
@ -3,4 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
|||||||
kind: Kustomization
|
kind: Kustomization
|
||||||
resources:
|
resources:
|
||||||
- namespace.yaml
|
- namespace.yaml
|
||||||
|
- vault-serviceaccount.yaml
|
||||||
|
- secretproviderclass.yaml
|
||||||
|
- vault-sync-deployment.yaml
|
||||||
- helmrelease.yaml
|
- helmrelease.yaml
|
||||||
|
|||||||
21
infrastructure/longhorn/core/secretproviderclass.yaml
Normal file
21
infrastructure/longhorn/core/secretproviderclass.yaml
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
# infrastructure/longhorn/core/secretproviderclass.yaml
|
||||||
|
apiVersion: secrets-store.csi.x-k8s.io/v1
|
||||||
|
kind: SecretProviderClass
|
||||||
|
metadata:
|
||||||
|
name: longhorn-vault
|
||||||
|
namespace: longhorn-system
|
||||||
|
spec:
|
||||||
|
provider: vault
|
||||||
|
parameters:
|
||||||
|
vaultAddress: "http://vault.vault.svc.cluster.local:8200"
|
||||||
|
roleName: "longhorn"
|
||||||
|
objects: |
|
||||||
|
- objectName: "harbor-pull__dockerconfigjson"
|
||||||
|
secretPath: "kv/data/atlas/harbor-pull/longhorn"
|
||||||
|
secretKey: "dockerconfigjson"
|
||||||
|
secretObjects:
|
||||||
|
- secretName: longhorn-registry
|
||||||
|
type: kubernetes.io/dockerconfigjson
|
||||||
|
data:
|
||||||
|
- objectName: harbor-pull__dockerconfigjson
|
||||||
|
key: .dockerconfigjson
|
||||||
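Review bot: `vaultAddress` uses plain `http://`, so the service-account JWT the provider logs in with and the returned `.dockerconfigjson` cross the cluster network unencrypted; unless Vault is fronted by a mesh this should be `https://` with the CA supplied (the Vault CSI provider accepts `vaultCACertPath` and `vaultTLSServerName` parameters for that, if I recall the field names correctly). Indentation is lost in this rendering, so I cannot confirm that inside the `objects:` block scalar `secretPath` and `secretKey` nest under the `- objectName` item; a mis-indented entry there fails only at mount time, so check the raw file. The `secretObjects` mapping to type `kubernetes.io/dockerconfigjson` with key `.dockerconfigjson` looks right. A header comment recording that the credential at `kv/data/atlas/harbor-pull/longhorn` is expected to be a pull-only robot account scoped to the `bstein` project would help, since anyone who can read Secrets in `longhorn-system` obtains it.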
6
infrastructure/longhorn/core/vault-serviceaccount.yaml
Normal file
6
infrastructure/longhorn/core/vault-serviceaccount.yaml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
# infrastructure/longhorn/core/vault-serviceaccount.yaml
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: longhorn-vault-sync
|
||||||
|
namespace: longhorn-system
|
||||||
34
infrastructure/longhorn/core/vault-sync-deployment.yaml
Normal file
34
infrastructure/longhorn/core/vault-sync-deployment.yaml
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
# infrastructure/longhorn/core/vault-sync-deployment.yaml
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: longhorn-vault-sync
|
||||||
|
namespace: longhorn-system
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: longhorn-vault-sync
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: longhorn-vault-sync
|
||||||
|
spec:
|
||||||
|
serviceAccountName: longhorn-vault-sync
|
||||||
|
containers:
|
||||||
|
- name: sync
|
||||||
|
image: alpine:3.20
|
||||||
|
command: ["/bin/sh", "-c"]
|
||||||
|
args:
|
||||||
|
- "sleep infinity"
|
||||||
|
volumeMounts:
|
||||||
|
- name: vault-secrets
|
||||||
|
mountPath: /vault/secrets
|
||||||
|
readOnly: true
|
||||||
|
volumes:
|
||||||
|
- name: vault-secrets
|
||||||
|
csi:
|
||||||
|
driver: secrets-store.csi.k8s.io
|
||||||
|
readOnly: true
|
||||||
|
volumeAttributes:
|
||||||
|
secretProviderClass: longhorn-vault
|
||||||
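Review bot: The container whose only job is to keep the CSI volume mounted runs with no `securityContext` and no `resources`, and `alpine:3.20` is pulled by mutable tag from Docker Hub (unless the nodes' runtime rewrites `docker.io` to the mirror) while the rest of the commit moves Longhorn onto `registry.bstein.dev`; presumably this image should go through the mirror too, pinned by digest. Because the synced `longhorn-registry` Secret is, as far as I know, created on mount and removed once the last pod mounting `longhorn-vault` is gone, `replicas: 1` with no PodDisruptionBudget means a node drain deletes the pull secret until the pod is rescheduled; a comment on `replicas` explaining that dependency, or a second replica, would help. The process needs nothing from the filesystem, so it can run non-root and read-only with all capabilities dropped, and `automountServiceAccountToken: false` on the pod spec is worth trying if the CSI driver obtains the service-account token itself via `tokenRequests`, since otherwise a Vault-capable token sits inside a `sleep infinity` container. Suggested hardening below.
```yaml
      containers:
        - name: sync
          image: alpine:3.20  # TODO: pull via registry.bstein.dev like the Longhorn images, pinned by digest
          command: ["/bin/sh", "-c"]
          args:
            - "sleep infinity"
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 10m
              memory: 16Mi
            limits:
              memory: 32Mi
          # … unchanged: volumeMounts …
```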
@ -214,8 +214,8 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
|
|||||||
"crypto/* harbor-pull/crypto" ""
|
"crypto/* harbor-pull/crypto" ""
|
||||||
write_policy_and_role "health" "health" "health-vault-sync" \
|
write_policy_and_role "health" "health" "health-vault-sync" \
|
||||||
"health/*" ""
|
"health/*" ""
|
||||||
write_policy_and_role "longhorn" "longhorn-system" "longhorn-vault" \
|
write_policy_and_role "longhorn" "longhorn-system" "longhorn-vault,longhorn-vault-sync" \
|
||||||
"longhorn/*" ""
|
"longhorn/* harbor-pull/longhorn" ""
|
||||||
write_policy_and_role "postgres" "postgres" "postgres-vault" \
|
write_policy_and_role "postgres" "postgres" "postgres-vault" \
|
||||||
"postgres/postgres-db" ""
|
"postgres/postgres-db" ""
|
||||||
write_policy_and_role "vault" "vault" "vault" \
|
write_policy_and_role "vault" "vault" "vault" \
|
||||||
|
|||||||
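Review bot: The edited call widens the single `longhorn` role to both `longhorn-vault` and `longhorn-vault-sync` service accounts and to `longhorn/*` plus `harbor-pull/longhorn`, so the pod that only needs the pull secret can now read everything under `longhorn/*`; the `crypto-vault-sync` entry above follows the same shape, but a narrower split keeps least privilege: leave the original `write_policy_and_role "longhorn" "longhorn-system" "longhorn-vault" \` / `"longhorn/*" ""` call as it was and add `write_policy_and_role "longhorn-pull" "longhorn-system" "longhorn-vault-sync" \` / `"harbor-pull/longhorn" ""`, with the SecretProviderClass `roleName` pointing at `longhorn-pull`. I am inferring the argument order (role, namespace, service accounts, paths) from the surrounding calls; `write_policy_and_role` itself is defined outside the hunk, so confirm it handles the comma-separated service-account list the way the new line assumes. Either way, a comment above the call naming which workload each service account belongs to would make the grant auditable.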