From a9351bc737c893fbde1a45b20766c291fa0029ec Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Sat, 17 Jan 2026 01:02:58 -0300
Subject: [PATCH] jobs: drop apk installs and prefer arm64
---
 .../longhorn/core/longhorn-settings-ensure-job.yaml | 4 ++--
 .../longhorn/core/scripts/longhorn_settings_ensure.sh | 1 -
 services/keycloak/actual-oidc-secret-ensure-job.yaml | 4 ++--
 services/keycloak/harbor-oidc-secret-ensure-job.yaml | 6 +++---
 services/keycloak/logs-oidc-secret-ensure-job.yaml | 6 ++----
 services/keycloak/mas-secrets-ensure-job.yaml | 10 ++++++----
 services/keycloak/scripts/actual_oidc_secret_ensure.sh | 2 --
 services/keycloak/scripts/harbor_oidc_secret_ensure.sh | 2 --
 services/keycloak/scripts/vault_oidc_secret_ensure.sh | 2 --
 services/keycloak/synapse-oidc-secret-ensure-job.yaml | 8 +++-----
 services/keycloak/vault-oidc-secret-ensure-job.yaml | 6 +++---
 services/maintenance/image-sweeper-cronjob.yaml | 2 ++
 services/maintenance/pod-cleaner-cronjob.yaml | 3 +++
 13 files changed, 26 insertions(+), 30 deletions(-)
diff --git a/infrastructure/longhorn/core/longhorn-settings-ensure-job.yaml b/infrastructure/longhorn/core/longhorn-settings-ensure-job.yaml
index f8e56cb..932c056 100644
--- a/infrastructure/longhorn/core/longhorn-settings-ensure-job.yaml
+++ b/infrastructure/longhorn/core/longhorn-settings-ensure-job.yaml
@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
- name: longhorn-settings-ensure-3
+ name: longhorn-settings-ensure-4
 namespace: longhorn-system
 spec:
 backoffLimit: 0
@@ -28,7 +28,7 @@ spec:
 operator: Exists
 containers:
 - name: apply
- image: docker.io/alpine:3.20
+ image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
 command: ["/scripts/longhorn_settings_ensure.sh"]
 volumeMounts:
 - name: longhorn-settings-ensure-script
diff --git a/infrastructure/longhorn/core/scripts/longhorn_settings_ensure.sh b/infrastructure/longhorn/core/scripts/longhorn_settings_ensure.sh
index f73a0cc..f13e87a 100644
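Review bot: The new `image: bitnami/kubectl@sha256:…` line in the second hunk removes the only thing that guaranteed `curl` for `/scripts/longhorn_settings_ensure.sh` (the `apk add --no-cache curl` dropped in the next file), and nothing in the patch shows the pinned image shipping it; the same assumption is made for the actual, harbor, logs, mas, synapse and vault jobs, whose removed install lines named `curl`, `jq`, `openssl` and, for harbor and vault, `kubectl` — only the last is implied by the image name. If any of those tools is absent the Job now fails at its first call instead of at an install step, so a comment above the image line recording the expectation, e.g. `# script needs curl; confirm the pinned kubectl image provides it`, keeps the dependency visible. The reference also lost its registry prefix (`docker.io/alpine:3.20` → `bitnami/kubectl@…`); `image: docker.io/bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131` keeps the manifest independent of the runtime's default-registry resolution, and the digest pin itself is the right choice for a job that acts on cluster state.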
--- a/infrastructure/longhorn/core/scripts/longhorn_settings_ensure.sh
+++ b/infrastructure/longhorn/core/scripts/longhorn_settings_ensure.sh
@@ -2,7 +2,6 @@ set -eu
 # Longhorn blocks direct CR patches for some settings; use the internal API instead.
-apk add --no-cache curl >/dev/null
 api_base="http://longhorn-backend.longhorn-system.svc:9500/v1/settings"
diff --git a/services/keycloak/actual-oidc-secret-ensure-job.yaml b/services/keycloak/actual-oidc-secret-ensure-job.yaml
index 0cb8aa8..22ba34f 100644
--- a/services/keycloak/actual-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/actual-oidc-secret-ensure-job.yaml
@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
- name: actual-oidc-secret-ensure-1
+ name: actual-oidc-secret-ensure-2
 namespace: sso
 spec:
 backoffLimit: 0
@@ -40,7 +40,7 @@ spec:
 operator: Exists
 containers:
 - name: apply
- image: alpine:3.20
+ image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
 command: ["/scripts/actual_oidc_secret_ensure.sh"]
 volumeMounts:
 - name: actual-oidc-secret-ensure-script
diff --git a/services/keycloak/harbor-oidc-secret-ensure-job.yaml b/services/keycloak/harbor-oidc-secret-ensure-job.yaml
index 82c8097..8eac50d 100644
--- a/services/keycloak/harbor-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/harbor-oidc-secret-ensure-job.yaml
@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
- name: harbor-oidc-secret-ensure-8
+ name: harbor-oidc-secret-ensure-9
 namespace: sso
 spec:
 backoffLimit: 0
@@ -40,9 +40,9 @@ spec:
 operator: Exists
 containers:
 - name: apply
- image: alpine:3.20
+ image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
 command: ["/scripts/harbor_oidc_secret_ensure.sh"]
 volumeMounts:
 - name: harbor-oidc-secret-ensure-script
 mountPath: /scripts
- readOnly: true
\ No newline at end of file
+ readOnly: true
diff --git a/services/keycloak/logs-oidc-secret-ensure-job.yaml b/services/keycloak/logs-oidc-secret-ensure-job.yaml
index 43177ff..df89fa0 100644
--- a/services/keycloak/logs-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/logs-oidc-secret-ensure-job.yaml
@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
- name: logs-oidc-secret-ensure-8
+ name: logs-oidc-secret-ensure-9
 namespace: sso
 spec:
 backoffLimit: 0
@@ -25,14 +25,12 @@ spec:
 restartPolicy: Never
 containers:
 - name: apply
- image: alpine:3.20
+ image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
 command: ["/bin/sh", "-c"]
 args:
 - |
 set -euo pipefail
 . /vault/secrets/keycloak-admin-env.sh
- apk add --no-cache curl jq openssl >/dev/null
-
 KC_URL="http://keycloak.sso.svc.cluster.local"
 ACCESS_TOKEN=""
 for attempt in 1 2 3 4 5; do
diff --git a/services/keycloak/mas-secrets-ensure-job.yaml b/services/keycloak/mas-secrets-ensure-job.yaml
index 88e8177..9d97f72 100644
--- a/services/keycloak/mas-secrets-ensure-job.yaml
+++ b/services/keycloak/mas-secrets-ensure-job.yaml
@@ -10,7 +10,7 @@ imagePullSecrets:
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: mas-secrets-ensure-18
+ name: mas-secrets-ensure-19
 namespace: sso
 spec:
 backoffLimit: 0
@@ -32,19 +32,21 @@ spec:
 spec:
 serviceAccountName: mas-secrets-ensure
 restartPolicy: Never
+ nodeSelector:
+ kubernetes.io/arch: arm64
+ node-role.kubernetes.io/worker: "true"
 volumes:
 - name: work
 emptyDir: {}
 initContainers:
 - name: generate
- image: alpine:3.20
+ image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
 command: ["/bin/sh", "-c"]
 args:
 - |
 set -euo pipefail
 . /vault/secrets/keycloak-admin-env.sh
 umask 077
- apk add --no-cache curl openssl jq >/dev/null
 KC_URL="http://keycloak.sso.svc.cluster.local"
 ACCESS_TOKEN=""
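Review bot: The inline script in the logs-oidc hunk still runs via `command: ["/bin/sh", "-c"]` and opens with `set -euo pipefail`, which Alpine's BusyBox `/bin/sh` accepted; if `/bin/sh` in the new `bitnami/kubectl` image is a shell without a `pipefail` option (presumably dash on a Debian-derived base), `set` fails as a special builtin and the script exits before its first Keycloak request, which a one-off Job with `backoffLimit: 0` surfaces only as a single failed pod. Worth confirming against the pinned image and, if unsupported, either invoking a shell that has the option or dropping `-o pipefail` in favour of checking each pipeline's status explicitly. The same applies to the mas-secrets initContainer in the next hunk, to the synapse job, and to the four script-driven jobs whose scripts start with `#!/usr/bin/env sh` followed by `set -euo pipefail` (the longhorn script uses `set -eu` and is unaffected).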
@@ -124,4 +126,4 @@ spec:
 -d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/mas-secrets-runtime" >/dev/null
 volumeMounts:
 - name: work
- mountPath: /work
\ No newline at end of file
+ mountPath: /work
diff --git a/services/keycloak/scripts/actual_oidc_secret_ensure.sh b/services/keycloak/scripts/actual_oidc_secret_ensure.sh
index c686c24..3ed6e6a 100644
--- a/services/keycloak/scripts/actual_oidc_secret_ensure.sh
+++ b/services/keycloak/scripts/actual_oidc_secret_ensure.sh
@@ -1,8 +1,6 @@
 #!/usr/bin/env sh
 set -euo pipefail
-apk add --no-cache curl jq >/dev/null
-
 . /vault/secrets/keycloak-admin-env.sh
 KC_URL="http://keycloak.sso.svc.cluster.local"
diff --git a/services/keycloak/scripts/harbor_oidc_secret_ensure.sh b/services/keycloak/scripts/harbor_oidc_secret_ensure.sh
index beef591..7187d34 100755
--- a/services/keycloak/scripts/harbor_oidc_secret_ensure.sh
+++ b/services/keycloak/scripts/harbor_oidc_secret_ensure.sh
@@ -1,8 +1,6 @@
 #!/usr/bin/env sh
 set -euo pipefail
-apk add --no-cache curl jq kubectl >/dev/null
-
 . /vault/secrets/keycloak-admin-env.sh
 KC_URL="http://keycloak.sso.svc.cluster.local"
diff --git a/services/keycloak/scripts/vault_oidc_secret_ensure.sh b/services/keycloak/scripts/vault_oidc_secret_ensure.sh
index 3c7d4a5..e8cfe5b 100755
--- a/services/keycloak/scripts/vault_oidc_secret_ensure.sh
+++ b/services/keycloak/scripts/vault_oidc_secret_ensure.sh
@@ -1,8 +1,6 @@
 #!/usr/bin/env sh
 set -euo pipefail
-apk add --no-cache curl jq kubectl >/dev/null
-
 . /vault/secrets/keycloak-admin-env.sh
 KC_URL="http://keycloak.sso.svc.cluster.local"
diff --git a/services/keycloak/synapse-oidc-secret-ensure-job.yaml b/services/keycloak/synapse-oidc-secret-ensure-job.yaml
index 2368404..07d1378 100644
--- a/services/keycloak/synapse-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/synapse-oidc-secret-ensure-job.yaml
@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
- name: synapse-oidc-secret-ensure-8
+ name: synapse-oidc-secret-ensure-9
 namespace: sso
 spec:
 backoffLimit: 0
@@ -25,14 +25,12 @@ spec:
 restartPolicy: Never
 containers:
 - name: apply
- image: alpine:3.20
+ image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
 command: ["/bin/sh", "-c"]
 args:
 - |
 set -euo pipefail
 . /vault/secrets/keycloak-admin-env.sh
- apk add --no-cache curl jq >/dev/null
-
 KC_URL="http://keycloak.sso.svc.cluster.local"
 ACCESS_TOKEN=""
 for attempt in 1 2 3 4 5; do
@@ -82,4 +80,4 @@ spec:
 curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
 -d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/synapse-oidc" >/dev/null
 volumeMounts:
- volumes:
\ No newline at end of file
+ volumes:
diff --git a/services/keycloak/vault-oidc-secret-ensure-job.yaml b/services/keycloak/vault-oidc-secret-ensure-job.yaml
index 13c2571..e7e3b54 100644
--- a/services/keycloak/vault-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/vault-oidc-secret-ensure-job.yaml
@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
- name: vault-oidc-secret-ensure-5
+ name: vault-oidc-secret-ensure-6
 namespace: sso
 spec:
 backoffLimit: 0
@@ -40,9 +40,9 @@ spec:
 operator: Exists
 containers:
 - name: apply
- image: alpine:3.20
+ image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
 command: ["/scripts/vault_oidc_secret_ensure.sh"]
 volumeMounts:
 - name: vault-oidc-secret-ensure-script
 mountPath: /scripts
- readOnly: true
\ No newline at end of file
+ readOnly: true
diff --git a/services/maintenance/image-sweeper-cronjob.yaml b/services/maintenance/image-sweeper-cronjob.yaml
index 08127bc..c94fcca 100644
--- a/services/maintenance/image-sweeper-cronjob.yaml
+++ b/services/maintenance/image-sweeper-cronjob.yaml
@@ -17,6 +17,8 @@ spec:
 restartPolicy: OnFailure
 nodeSelector:
 kubernetes.io/os: linux
+ kubernetes.io/arch: arm64
+ node-role.kubernetes.io/worker: "true"
 tolerations:
 - key: node-role.kubernetes.io/control-plane
 operator: Exists
diff --git a/services/maintenance/pod-cleaner-cronjob.yaml b/services/maintenance/pod-cleaner-cronjob.yaml
index ffca7dd..e083c85 100644
--- a/services/maintenance/pod-cleaner-cronjob.yaml
+++ b/services/maintenance/pod-cleaner-cronjob.yaml
@@ -16,6 +16,9 @@ spec:
 spec:
 serviceAccountName: pod-cleaner
 restartPolicy: Never
+ nodeSelector:
+ kubernetes.io/arch: arm64
+ node-role.kubernetes.io/worker: "true"
 containers:
 - name: cleaner
 image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
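Review bot: The added `nodeSelector` keys in the image-sweeper hunk make `kubernetes.io/arch: arm64` and `node-role.kubernetes.io/worker: "true"` hard scheduling requirements, whereas the subject line says "prefer arm64"; when no matching node is schedulable the CronJob's pods stay Pending rather than falling back to another node, and the same block is added verbatim in the pod-cleaner hunk below and in the mas-secrets Job. If a preference is what is meant, `affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution` with a `kubernetes.io/arch In [arm64]` term expresses it while the existing `kubernetes.io/os: linux` selector stays the hard constraint. The `node-role.kubernetes.io/control-plane` toleration kept in this hunk is now moot unless a node carries both role labels, so either drop it or add a comment saying why it stays. Quoting `"true"` is correct here: unquoted, the value would parse as a boolean and not validate as a label-selector string.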