jenkins: sync harbor pull secret from vault

Brad Stein 2026-01-22 04:45:24 -03:00
parent ba2b9acbcc
commit 94953ab0fe
5 changed files with 65 additions and 1 deletions


@ -5,11 +5,14 @@ namespace: jenkins
resources: resources:
- namespace.yaml - namespace.yaml
- serviceaccount.yaml - serviceaccount.yaml
- vault-serviceaccount.yaml
- pvc.yaml - pvc.yaml
- cache-pvc.yaml - cache-pvc.yaml
- plugins-pvc.yaml - plugins-pvc.yaml
- configmap-jcasc.yaml - configmap-jcasc.yaml
- configmap-plugins.yaml - configmap-plugins.yaml
- secretproviderclass.yaml
- vault-sync-deployment.yaml
- deployment.yaml - deployment.yaml
- service.yaml - service.yaml
- ingress.yaml - ingress.yaml


@ -0,0 +1,21 @@
# services/jenkins/secretproviderclass.yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: jenkins-vault
namespace: jenkins
spec:
provider: vault
parameters:
vaultAddress: "http://vault.vault.svc.cluster.local:8200"
roleName: "jenkins"
objects: |
- objectName: "harbor-pull__dockerconfigjson"
secretPath: "kv/data/atlas/shared/harbor-pull"
secretKey: "dockerconfigjson"
secretObjects:
- secretName: harbor-bstein-robot
type: kubernetes.io/dockerconfigjson
data:
- objectName: harbor-pull__dockerconfigjson
key: .dockerconfigjson
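Review bot: The `vaultAddress: "http://vault.vault.svc.cluster.local:8200"` line means both the service-account JWT presented for Vault login and the Harbor robot credentials returned for `harbor-pull__dockerconfigjson` travel as cleartext in-cluster traffic. If the Vault listener serves TLS, change it to `vaultAddress: "https://vault.vault.svc.cluster.local:8200"` and point `vaultCACertPath` at the cluster CA (or set `vaultTLSServerName` when the SAN differs) rather than reaching for `vaultSkipTLSVerify`; if it does not, that is the gap to close before this pattern is reused. Separately, the `secretObjects` block only materialises the `harbor-bstein-robot` Secret while some pod mounts this SecretProviderClass, which appears to be the reason the sleep deployment in this commit exists, so a comment above `secretObjects` such as `# Synced only while a pod mounts this class — see vault-sync-deployment.yaml` would stop the next reader from removing that deployment as dead weight.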


@ -0,0 +1,6 @@
# services/jenkins/vault-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: jenkins-vault-sync
namespace: jenkins


@ -0,0 +1,34 @@
# services/jenkins/vault-sync-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: jenkins-vault-sync
namespace: jenkins
spec:
replicas: 1
selector:
matchLabels:
app: jenkins-vault-sync
template:
metadata:
labels:
app: jenkins-vault-sync
spec:
serviceAccountName: jenkins-vault-sync
containers:
- name: sync
image: alpine:3.20
command: ["/bin/sh", "-c"]
args:
- "sleep infinity"
volumeMounts:
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
volumes:
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: jenkins-vault
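Review bot: The `sync` container has no `securityContext` and no `resources`, yet it is the one pod that holds the Harbor registry credentials at `/vault/secrets` and whose service account is bound to the `jenkins` Vault role, so anyone who can `kubectl exec` into it reads those credentials. Because the container only runs `sleep infinity`, it can be locked down without affecting function: run as non-root, read-only root filesystem, no privilege escalation, all capabilities dropped, and a small memory limit so a namespace quota does not block scheduling. `image: alpine:3.20` is tag-pinned only; pinning by digest keeps the keep-alive image from silently changing under you. A comment above `containers` stating the pod's purpose — it exists only so the Secrets Store CSI driver keeps the synced `harbor-bstein-robot` Secret present; nothing in this pod reads the mount — would document intent that is otherwise invisible.

```yaml
      # Keep-alive only: mounting the CSI volume is what makes the driver
      # materialise the synced Secret. Nothing here reads /vault/secrets.
      containers:
        - name: sync
          image: alpine:3.20  # TODO pin by digest: alpine:3.20@sha256:<digest>
          command: ["/bin/sh", "-c"]
          args:
            - "sleep infinity"
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 10m
              memory: 16Mi
            limits:
              memory: 32Mi
          # … unchanged: volumeMounts …
      # … unchanged: volumes …
```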


@ -218,7 +218,7 @@ write_policy_and_role "nextcloud" "nextcloud" "nextcloud-vault" \
"nextcloud/* shared/keycloak-admin shared/postmark-relay" "" "nextcloud/* shared/keycloak-admin shared/postmark-relay" ""
write_policy_and_role "comms" "comms" "comms-vault,atlasbot" \ write_policy_and_role "comms" "comms" "comms-vault,atlasbot" \
"comms/* shared/chat-ai-keys-runtime shared/harbor-pull" "" "comms/* shared/chat-ai-keys-runtime shared/harbor-pull" ""
write_policy_and_role "jenkins" "jenkins" "jenkins" \ write_policy_and_role "jenkins" "jenkins" "jenkins,jenkins-vault-sync" \
"jenkins/* shared/harbor-pull" "" "jenkins/* shared/harbor-pull" ""
write_policy_and_role "monitoring" "monitoring" "monitoring-vault-sync" \ write_policy_and_role "monitoring" "monitoring" "monitoring-vault-sync" \
"monitoring/* shared/postmark-relay shared/harbor-pull" "" "monitoring/* shared/postmark-relay shared/harbor-pull" ""
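Review bot: Adding `jenkins-vault-sync` to the third argument of the `write_policy_and_role "jenkins" ...` call grants the keep-alive pod's service account the full `jenkins/* shared/harbor-pull` policy, while the only path its SecretProviderClass reads is `shared/harbor-pull`. Assuming `write_policy_and_role` creates one policy and one role per call (its definition is outside this hunk), a separate call such as `write_policy_and_role "jenkins-vault-sync" "jenkins" "jenkins-vault-sync" "shared/harbor-pull" ""` with the SecretProviderClass switched to `roleName: "jenkins-vault-sync"` keeps the sync pod from being able to read the rest of `jenkins/*` if it is compromised. The surrounding sequence of calls continues outside the hunk.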