maintenance: remoteize metis build and flash

2026-03-31 20:42:35 -03:00 · 2026-03-31 20:42:35 -03:00 · 5ae6c5d4fb
commit 5ae6c5d4fb
parent b9fb577cfc
6 changed files with 56 additions and 23 deletions
--- a/services/maintenance/kustomization.yaml
+++ b/services/maintenance/kustomization.yaml
@ -42,7 +42,7 @@ images:
  - name: registry.bstein.dev/bstein/ariadne
    newTag: 0.1.0-22 # {"$imagepolicy": "maintenance:ariadne:tag"}
  - name: registry.bstein.dev/bstein/metis
-    newTag: 0.1.0-6-amd64
+    newTag: 0.1.0-7-amd64
 configMapGenerator:
  - name: disable-k3s-traefik-script
    namespace: maintenance
--- a/services/maintenance/metis-configmap.yaml
+++ b/services/maintenance/metis-configmap.yaml
@ -13,6 +13,14 @@ data:
  METIS_LOCAL_HOST: titan-22
  METIS_ALLOWED_GROUPS: admin,maintenance,maintainer
  METIS_MAX_DEVICE_BYTES: "300000000000"
+  METIS_NAMESPACE: maintenance
+  METIS_RUNNER_IMAGE_AMD64: registry.bstein.dev/bstein/metis:0.1.0-7-amd64
+  METIS_RUNNER_IMAGE_ARM64: registry.bstein.dev/bstein/metis:0.1.0-7-arm64
+  METIS_HARBOR_REGISTRY: registry.bstein.dev
+  METIS_HARBOR_PROJECT: metis
+  METIS_HARBOR_API_BASE: https://registry.bstein.dev/api/v2.0
+  METIS_HARBOR_USERNAME: admin
+  METIS_HOST_TMP_DIR: /tmp/metis-flash-test
  METIS_SENTINEL_PUSH_URL: http://metis.maintenance.svc.cluster.local/internal/sentinel/snapshot
  METIS_SENTINEL_INTERVAL_SEC: "1800"
  METIS_SENTINEL_NSENTER: "1"
--- a/services/maintenance/metis-deployment.yaml
+++ b/services/maintenance/metis-deployment.yaml
@ -27,11 +27,13 @@ spec:
        node-role.kubernetes.io/accelerator: "true"
      containers:
        - name: metis
-          image: registry.bstein.dev/bstein/metis:0.1.0-6-amd64
+          image: registry.bstein.dev/bstein/metis:0.1.0-7-amd64
          imagePullPolicy: Always
          envFrom:
            - configMapRef:
                name: metis
+            - secretRef:
+                name: metis-harbor
          env:
            - name: METIS_K3S_TOKEN
              valueFrom:
@ -59,14 +61,6 @@ spec:
          volumeMounts:
            - name: metis-data
              mountPath: /var/lib/metis
-            - name: host-dev
-              mountPath: /dev
-            - name: host-sys
-              mountPath: /sys
-              readOnly: true
-            - name: host-udev
-              mountPath: /run/udev
-              readOnly: true
          resources:
            requests:
              cpu: 250m
@ -74,19 +68,7 @@ spec:
            limits:
              cpu: "2"
              memory: 4Gi
-          securityContext:
-            privileged: true
-            runAsUser: 0
      volumes:
        - name: metis-data
          persistentVolumeClaim:
            claimName: metis-data
-        - name: host-dev
-          hostPath:
-            path: /dev
-        - name: host-sys
-          hostPath:
-            path: /sys
-        - name: host-udev
-          hostPath:
-            path: /run/udev
--- a/services/maintenance/metis-rbac.yaml
+++ b/services/maintenance/metis-rbac.yaml
@ -14,6 +14,27 @@ rules:
      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: metis-runner
+  namespace: maintenance
+rules:
+  - apiGroups: [""]
+    resources:
+      - pods
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - watch
+  - apiGroups: [""]
+    resources:
+      - pods/log
+    verbs:
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: metis-node-manager
@ -25,3 +46,17 @@ roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metis-node-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: metis-runner
+  namespace: maintenance
+subjects:
+  - kind: ServiceAccount
+    name: metis
+    namespace: maintenance
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: metis-runner
--- a/services/maintenance/secretproviderclass.yaml
+++ b/services/maintenance/secretproviderclass.yaml
@ -13,9 +13,17 @@ spec:
      - objectName: "harbor-pull__dockerconfigjson"
        secretPath: "kv/data/atlas/shared/harbor-pull"
        secretKey: "dockerconfigjson"
+      - objectName: "harbor-core__harbor_admin_password"
+        secretPath: "kv/data/atlas/harbor/harbor-core"
+        secretKey: "harbor_admin_password"
  secretObjects:
    - secretName: harbor-regcred
      type: kubernetes.io/dockerconfigjson
      data:
        - objectName: harbor-pull__dockerconfigjson
          key: .dockerconfigjson
+    - secretName: metis-harbor
+      type: Opaque
+      data:
+        - objectName: harbor-core__harbor_admin_password
+          key: METIS_HARBOR_PASSWORD
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@ -231,7 +231,7 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
 write_policy_and_role "health" "health" "health-vault-sync" \
  "health/*" ""
 write_policy_and_role "maintenance" "maintenance" "ariadne,maintenance-vault-sync" \
-  "maintenance/ariadne-db maintenance/metis-oidc portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull" ""
+  "maintenance/ariadne-db maintenance/metis-oidc portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull harbor/harbor-core" ""
 write_policy_and_role "finance" "finance" "finance-vault" \
  "finance/* shared/postmark-relay" ""
 write_policy_and_role "finance-secrets" "finance" "finance-secrets-ensure" \