diff --git a/services/jellyfin/deployment.yaml b/services/jellyfin/deployment.yaml
index 1177a06..4747417 100644
--- a/services/jellyfin/deployment.yaml
+++ b/services/jellyfin/deployment.yaml
@@ -20,7 +20,16 @@ spec: metadata: labels: app: jellyfin + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "pegasus" + vault.hashicorp.com/agent-inject-secret-ldap-config.xml: "kv/data/atlas/pegasus/jellyfin-ldap-config" + vault.hashicorp.com/agent-inject-template-ldap-config.xml: | + {{ with secret "kv/data/atlas/pegasus/jellyfin-ldap-config" }} + {{ index .Data.data "ldap-config.xml" }} + {{ end }} spec: + serviceAccountName: pegasus-vault-sync # Clean up any lingering OIDC artifacts and strip the injected script tag initContainers: - name: strip-oidc
@@ -90,6 +99,10 @@ spec: - name: jellyfin image: docker.io/jellyfin/jellyfin:10.11.5 imagePullPolicy: IfNotPresent + command: + - /entrypoint.sh + args: + - /jellyfin/jellyfin ports: - name: http containerPort: 8096
@@ -104,6 +117,8 @@ spec: value: "65532" - name: UMASK value: "002" + - name: VAULT_COPY_FILES + value: /vault/secrets/ldap-config.xml:/config/plugins/configurations/LDAP-Auth.xml resources: limits: nvidia.com/gpu.shared: 1
@@ -114,12 +129,11 @@ spec: cpu: "500m" memory: 1Gi volumeMounts: + - name: jellyfin-vault-entrypoint + mountPath: /entrypoint.sh + subPath: vault-entrypoint.sh - name: config mountPath: /config - # Override LDAP plugin configuration from a secret to avoid embedding credentials in the PVC. - - name: ldap-config - mountPath: /config/plugins/configurations/LDAP-Auth.xml - subPath: ldap-config.xml - name: cache mountPath: /cache - name: media
@@ -143,6 +157,10 @@ spec: allowPrivilegeEscalation: false readOnlyRootFilesystem: false volumes: + - name: jellyfin-vault-entrypoint + configMap: + name: jellyfin-vault-entrypoint + defaultMode: 493 - name: web-root emptyDir: {} - name: config
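Review bot: The agent sidecar these annotations enable stays resident for the pod's lifetime, yet nothing consumes its re-rendered output: the new entrypoint copies `/vault/secrets/ldap-config.xml` once and then `exec`s Jellyfin, so a rotated secret only takes effect on pod restart while the sidecar keeps a live Vault token in the pod for no benefit. Adding `vault.hashicorp.com/agent-pre-populate-only: "true"` renders the file from an init container only and drops the long-running sidecar. The KV path is repeated in the `agent-inject-secret-…` and template annotations, and the `pegasus` role is presumably bound to the `pegasus-vault-sync` service account for this namespace; a comment above `annotations:` recording both would spare the next reader a trip to Vault, e.g. `# Vault role "pegasus" is bound to SA pegasus-vault-sync in this namespace; the KV path must match in both annotations below.` If that service account also carries RBAC for other duties (its name suggests a sync job), the Jellyfin pod now holds that token too, and a dedicated service account would limit the blast radius.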
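Review bot: In the `@@ -90,6 +99,10 @@` hunk, `command: [/entrypoint.sh]` replaces the image's ENTRYPOINT and `args` now names only the binary; the official `jellyfin/jellyfin` image's entrypoint also passes `--datadir /config --cachedir /cache --ffmpeg …` (verify against the 10.11.5 image), so unless those are supplied elsewhere (e.g. `JELLYFIN_DATA_DIR`/`JELLYFIN_CACHE_DIR`/`JELLYFIN_FFMPEG` env entries not visible in this diff) Jellyfin starts with its built-in defaults rather than the mounted `/config` and `/cache`. Carry the image's flags through, e.g. `args: [/jellyfin/jellyfin, --datadir, /config, --cachedir, /cache, --ffmpeg, /usr/lib/jellyfin-ffmpeg/ffmpeg]`, or add a comment above `command:` explaining why the defaults are acceptable. The container definition continues outside the hunk.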
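Review bot: In the `@@ -104,6 +117,8 @@` hunk, the copy destination `/config/plugins/configurations/LDAP-Auth.xml` lies on the `config` volume, so the LDAP bind credentials are now written to persistent storage — exactly what the comment removed in the volumeMounts hunk (`# Override LDAP plugin configuration from a secret to avoid embedding credentials in the PVC.`) was there to prevent; they will survive pod restarts and travel with any snapshot or backup of that volume. If the goal was only to move the source from a Kubernetes Secret to Vault, the previous `subPath` mount can be kept and pointed at the agent's rendered file instead of copying (the injector's volume is named `vault-secrets` by default — verify for this injector version), or the entrypoint's `cp` could be replaced with a symlink into `/vault/secrets`. At minimum the new env entry deserves the comment the old mount had, e.g. `# Copied into place by vault-entrypoint.sh; the file carries LDAP bind credentials and lands on the config volume.`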
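Review bot: In the `@@ -143,6 +157,10 @@` hunk, `defaultMode: 493` is 0755 written in decimal, which every reader has to convert; Kubernetes' YAML decoder accepts the octal form, so `defaultMode: 0755` (or keeping the decimal with a trailing `# 0755` comment) states the same thing legibly. 0755 is the right shape for an entrypoint script that holds no secrets, and since ConfigMap mounts are read-only the narrower `0555` would also work.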
@@ -154,9 +172,3 @@ spec: - name: media persistentVolumeClaim: claimName: jellyfin-media-asteria-new - - name: ldap-config - secret: - secretName: jellyfin-ldap-config - items: - - key: ldap-config.xml - path: ldap-config.xml
diff --git a/services/jellyfin/kustomization.yaml b/services/jellyfin/kustomization.yaml
index 51566b8..041b27c 100644
--- a/services/jellyfin/kustomization.yaml
+++ b/services/jellyfin/kustomization.yaml
@@ -7,3 +7,9 @@ resources: - service.yaml - deployment.yaml - ingress.yaml
+generatorOptions:
+ disableNameSuffixHash: true
+configMapGenerator:
+ - name: jellyfin-vault-entrypoint
+ files:
+ - vault-entrypoint.sh=scripts/vault-entrypoint.sh
diff --git a/services/jellyfin/scripts/vault-entrypoint.sh b/services/jellyfin/scripts/vault-entrypoint.sh
new file mode 100644
index 0000000..fa3b791
--- /dev/null
+++ b/services/jellyfin/scripts/vault-entrypoint.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+set -eu
+
+if [ -n "${VAULT_ENV_FILE:-}" ]; then
+ if [ -f "${VAULT_ENV_FILE}" ]; then
+ # shellcheck disable=SC1090
+ . "${VAULT_ENV_FILE}"
+ else
+ echo "Vault env file not found: ${VAULT_ENV_FILE}" >&2
+ exit 1
+ fi
+fi
+
+if [ -n "${VAULT_COPY_FILES:-}" ]; then
+ old_ifs="$IFS"
+ IFS=','
+ for pair in ${VAULT_COPY_FILES}; do
+ src="${pair%%:*}"
+ dest="${pair#*:}"
+ if [ -z "${src}" ] || [ -z "${dest}" ]; then
+ echo "Vault copy entry malformed: ${pair}" >&2
+ exit 1
+ fi
+ if [ ! -f "${src}" ]; then
+ echo "Vault file not found: ${src}" >&2
+ exit 1
+ fi
+ mkdir -p "$(dirname "${dest}")"
+ cp "${src}" "${dest}"
+ done
+ IFS="$old_ifs"
+fi
+
+exec "$@"
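Review bot: In the kustomization.yaml hunk, `disableNameSuffixHash: true` removes the content hash that would otherwise rename `jellyfin-vault-entrypoint` on every script change and so roll the Deployment; combined with the `subPath` mount of `/entrypoint.sh` in deployment.yaml (which never receives ConfigMap updates), an edit to `scripts/vault-entrypoint.sh` will not reach running pods until something else restarts them. Kustomize rewrites the `volumes[].configMap.name` reference in `deployment.yaml` to the hashed name automatically, so the `generatorOptions` block can simply be dropped unless something outside this kustomization refers to the ConfigMap by its fixed name, in which case a comment saying so would justify the setting.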
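Review bot: In the vault-entrypoint.sh hunk, the copied file keeps whatever mode `cp` produces under the shell's umask — typically 0644 — so the LDAP credentials it carries land on the config volume readable by any UID that can reach that volume; narrowing it right after the copy with `chmod 600 "${dest}"` costs nothing, since only the process started by `exec "$@"` (same UID) needs to read it. The `for pair in ${VAULT_COPY_FILES}` expansion is left unquoted on purpose for IFS splitting, but that also enables pathname expansion, so a `*` or `?` in an entry would be glob-expanded; `set -f` before the loop and `set +f` after it closes that. A header comment stating the contract, e.g. `# VAULT_COPY_FILES: comma-separated src:dest pairs copied before exec; VAULT_ENV_FILE: optional file sourced into the environment`, would help since the only documentation today is the variable names.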