diff --git a/services/maintenance/kustomization.yaml b/services/maintenance/kustomization.yaml
index 59ebc845..9766f4b5 100644
--- a/services/maintenance/kustomization.yaml
+++ b/services/maintenance/kustomization.yaml
@@ -42,7 +42,7 @@ images:
- name: registry.bstein.dev/bstein/ariadne
newTag: 0.1.0-22 # {"$imagepolicy": "maintenance:ariadne:tag"}
- name: registry.bstein.dev/bstein/metis
- newTag: 0.1.0-6-amd64
+ newTag: 0.1.0-7-amd64
configMapGenerator:
- name: disable-k3s-traefik-script
namespace: maintenance
diff --git a/services/maintenance/metis-configmap.yaml b/services/maintenance/metis-configmap.yaml
index 0b0e6444..decc3f64 100644
--- a/services/maintenance/metis-configmap.yaml
+++ b/services/maintenance/metis-configmap.yaml
@@ -13,6 +13,14 @@ data:
METIS_LOCAL_HOST: titan-22
METIS_ALLOWED_GROUPS: admin,maintenance,maintainer
METIS_MAX_DEVICE_BYTES: "300000000000"
+ METIS_NAMESPACE: maintenance
+ METIS_RUNNER_IMAGE_AMD64: registry.bstein.dev/bstein/metis:0.1.0-7-amd64
+ METIS_RUNNER_IMAGE_ARM64: registry.bstein.dev/bstein/metis:0.1.0-7-arm64
+ METIS_HARBOR_REGISTRY: registry.bstein.dev
+ METIS_HARBOR_PROJECT: metis
+ METIS_HARBOR_API_BASE: https://registry.bstein.dev/api/v2.0
+ METIS_HARBOR_USERNAME: admin
+ METIS_HOST_TMP_DIR: /tmp/metis-flash-test
METIS_SENTINEL_PUSH_URL: http://metis.maintenance.svc.cluster.local/internal/sentinel/snapshot
METIS_SENTINEL_INTERVAL_SEC: "1800"
METIS_SENTINEL_NSENTER: "1"
diff --git a/services/maintenance/metis-deployment.yaml b/services/maintenance/metis-deployment.yaml
index 0642b247..6e53f89c 100644
--- a/services/maintenance/metis-deployment.yaml
+++ b/services/maintenance/metis-deployment.yaml
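Review bot: `METIS_RUNNER_IMAGE_AMD64` and `METIS_RUNNER_IMAGE_ARM64` hard-code the `0.1.0-7` tag a second time, independently of the `newTag` that the kustomization `images:` transformer manages, so the next bump (or the `$imagepolicy`-style automation visible on the ariadne entry in the same list) will advance the deployment image and silently leave the spawned runner pods on the previous build. Prefer a single source for both — generate these values from the same kustomize image field, or pin the runner images by digest (`registry.bstein.dev/bstein/metis@sha256:…`) so a mutable tag cannot be repointed between the control-plane pod and the pods it launches. `METIS_HARBOR_USERNAME: admin` also deserves a comment such as `# TODO: replace with a robot account scoped to the metis project` explaining why the registry-wide admin account is needed here, since that account can push to every project in the registry.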
@@ -27,11 +27,13 @@ spec:
node-role.kubernetes.io/accelerator: "true"
containers:
- name: metis
- image: registry.bstein.dev/bstein/metis:0.1.0-6-amd64
+ image: registry.bstein.dev/bstein/metis:0.1.0-7-amd64
imagePullPolicy: Always
envFrom:
- configMapRef:
name: metis
+ - secretRef:
+ name: metis-harbor
env:
- name: METIS_K3S_TOKEN
valueFrom:
@@ -59,14 +61,6 @@ spec:
volumeMounts:
- name: metis-data
mountPath: /var/lib/metis
- - name: host-dev
- mountPath: /dev
- - name: host-sys
- mountPath: /sys
- readOnly: true
- - name: host-udev
- mountPath: /run/udev
- readOnly: true
resources:
requests:
cpu: 250m
@@ -74,19 +68,7 @@ spec:
limits:
cpu: "2"
memory: 4Gi
- securityContext:
- privileged: true
- runAsUser: 0
volumes:
- name: metis-data
persistentVolumeClaim:
claimName: metis-data
- - name: host-dev
- hostPath:
- path: /dev
- - name: host-sys
- hostPath:
- path: /sys
- - name: host-udev
- hostPath:
- path: /run/udev
diff --git a/services/maintenance/metis-rbac.yaml b/services/maintenance/metis-rbac.yaml
index 8b922514..18411645 100644
--- a/services/maintenance/metis-rbac.yaml
+++ b/services/maintenance/metis-rbac.yaml
@@ -14,6 +14,27 @@ rules:
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: metis-runner
+ namespace: maintenance
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - watch
+ - apiGroups: [""]
+ resources:
+ - pods/log
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: metis-node-manager
@@ -25,3 +46,17 @@ roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: metis-node-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: metis-runner
+ namespace: maintenance
+subjects:
+ - kind: ServiceAccount
+ name: metis
+ namespace: maintenance
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: metis-runner
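Review bot: Removing `privileged: true` and `runAsUser: 0` leaves the metis container with no `securityContext` at all, so it runs with the image's default user and the runtime's default capability set instead of a hardened baseline; the deletion should be replaced by an explicit restrictive context rather than nothing. The block below is the usual shape, with `runAsUser` set to the image's non-root UID if the image does not already declare one. The ConfigMap still carries `METIS_SENTINEL_NSENTER: "1"`, which, if the sentinel still nsenters into host namespaces from this pod, will no longer work without privileges and host PID — presumably that work now happens in the runner pods, but it is worth confirming before merge. The enclosing container spec starts before this hunk.
```yaml
          # … unchanged: resources block …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
```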
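Review bot: The new `metis-runner` Role gives the `metis` ServiceAccount unconstrained `create` on `pods` in `maintenance`, which re-acquires everything the deployment change takes away: the SA can launch privileged pods with hostPath mounts, mount any Secret in the namespace (`harbor-regcred`, the new `metis-harbor`), or run a pod under another ServiceAccount in the namespace — from the Vault binding elsewhere in this change that appears to include `ariadne` and `maintenance-vault-sync` — and use that token. RBAC cannot narrow pod-create by pod content, so contain it at the namespace boundary instead: launch runner pods in a dedicated namespace (for example `metis-runners`), bind this Role there, set `METIS_NAMESPACE` to match, and apply a Pod Security Admission level or admission policy on that namespace that allows only the specific privileges a flash runner needs. Add a comment above the Role, e.g. `# pod create/delete here is equivalent to namespace-level root; keep this namespace free of unrelated secrets and service accounts`, so the grant is not later read as low-risk.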
diff --git a/services/maintenance/secretproviderclass.yaml b/services/maintenance/secretproviderclass.yaml
index 85df2af5..fae83c78 100644
--- a/services/maintenance/secretproviderclass.yaml
+++ b/services/maintenance/secretproviderclass.yaml
@@ -13,9 +13,17 @@ spec:
- objectName: "harbor-pull__dockerconfigjson"
secretPath: "kv/data/atlas/shared/harbor-pull"
secretKey: "dockerconfigjson"
+ - objectName: "harbor-core__harbor_admin_password"
+ secretPath: "kv/data/atlas/harbor/harbor-core"
+ secretKey: "harbor_admin_password"
secretObjects:
- secretName: harbor-regcred
type: kubernetes.io/dockerconfigjson
data:
- objectName: harbor-pull__dockerconfigjson
key: .dockerconfigjson
+ - secretName: metis-harbor
+ type: Opaque
+ data:
+ - objectName: harbor-core__harbor_admin_password
+ key: METIS_HARBOR_PASSWORD
diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index 01cd6325..84b2625a 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
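Review bot: Syncing `harbor_admin_password` out of `kv/data/atlas/harbor/harbor-core` into a plain `Opaque` Secret named `metis-harbor` places the registry's global admin credential in the `maintenance` namespace as a Kubernetes Secret, readable by anything with secret get or pod create there, so a compromise of metis becomes write access to every image in the registry. A Harbor robot account scoped to the `metis` project with only the permissions the runner needs (push/pull plus whatever the `METIS_HARBOR_API_BASE` calls require) bounds that blast radius; store it under its own KV path so the `secretPath` here references a metis-specific credential rather than the harbor-core install secret. If the admin account is genuinely required, say why in a comment on the `harbor-core__harbor_admin_password` entry and rotate it as part of the metis release process.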
@@ -231,7 +231,7 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
write_policy_and_role "health" "health" "health-vault-sync" \
"health/*" ""
write_policy_and_role "maintenance" "maintenance" "ariadne,maintenance-vault-sync" \
- "maintenance/ariadne-db maintenance/metis-oidc portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull" ""
+ "maintenance/ariadne-db maintenance/metis-oidc portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull harbor/harbor-core" ""
write_policy_and_role "finance" "finance" "finance-vault" \
"finance/* shared/postmark-relay" ""
write_policy_and_role "finance-secrets" "finance" "finance-secrets-ensure" \
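Review bot: Adding `harbor/harbor-core` to the `maintenance` role's path list grants read on the entire harbor-core KV entry — every key it holds, not only `harbor_admin_password` — to every ServiceAccount bound to that role, which from the third argument appears to be `ariadne` and `maintenance-vault-sync`, not just the metis workload. A dedicated entry holding only the credential metis needs, listed here in place of the install secret, keeps the harbor-core installation material out of the shared role's reach: `... vault/vault-oidc-config shared/harbor-pull harbor/metis-harbor" ""`. The `write_policy_and_role` definition is outside this hunk, so how the path list is turned into a policy is inferred from the call shape.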