bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

jobs: drop apk installs and prefer arm64

Browse Source
This commit is contained in:
Brad Stein 2026-01-17 01:02:58 -03:00
parent f4c6827c8c
commit a9351bc737
13 changed files with 26 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
infrastructure/longhorn/core/longhorn-settings-ensure-job.yaml
View File

@ -2,7 +2,7 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: longhorn-settings-ensure-3 name: longhorn-settings-ensure-4
namespace: longhorn-system namespace: longhorn-system
spec: spec:
backoffLimit: 0 backoffLimit: 0
@ -28,7 +28,7 @@ spec:
operator: Exists operator: Exists
containers: containers:
- name: apply - name: apply
image: docker.io/alpine:3.20 image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
command: ["/scripts/longhorn_settings_ensure.sh"] command: ["/scripts/longhorn_settings_ensure.sh"]
volumeMounts: volumeMounts:
- name: longhorn-settings-ensure-script - name: longhorn-settings-ensure-script

1
infrastructure/longhorn/core/scripts/longhorn_settings_ensure.sh
View File

@ -2,7 +2,6 @@
set -eu set -eu
# Longhorn blocks direct CR patches for some settings; use the internal API instead. # Longhorn blocks direct CR patches for some settings; use the internal API instead.
apk add --no-cache curl >/dev/null
api_base="http://longhorn-backend.longhorn-system.svc:9500/v1/settings" api_base="http://longhorn-backend.longhorn-system.svc:9500/v1/settings"

4
services/keycloak/actual-oidc-secret-ensure-job.yaml
View File

@ -2,7 +2,7 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: actual-oidc-secret-ensure-1 name: actual-oidc-secret-ensure-2
namespace: sso namespace: sso
spec: spec:
backoffLimit: 0 backoffLimit: 0
@ -40,7 +40,7 @@ spec:
operator: Exists operator: Exists
containers: containers:
- name: apply - name: apply
image: alpine:3.20 image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
command: ["/scripts/actual_oidc_secret_ensure.sh"] command: ["/scripts/actual_oidc_secret_ensure.sh"]
volumeMounts: volumeMounts:
- name: actual-oidc-secret-ensure-script - name: actual-oidc-secret-ensure-script

6
services/keycloak/harbor-oidc-secret-ensure-job.yaml
View File

@ -2,7 +2,7 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: harbor-oidc-secret-ensure-8 name: harbor-oidc-secret-ensure-9
namespace: sso namespace: sso
spec: spec:
backoffLimit: 0 backoffLimit: 0
@ -40,9 +40,9 @@ spec:
operator: Exists operator: Exists
containers: containers:
- name: apply - name: apply
image: alpine:3.20 image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
command: ["/scripts/harbor_oidc_secret_ensure.sh"] command: ["/scripts/harbor_oidc_secret_ensure.sh"]
volumeMounts: volumeMounts:
- name: harbor-oidc-secret-ensure-script - name: harbor-oidc-secret-ensure-script
mountPath: /scripts mountPath: /scripts
readOnly: true readOnly: true

6
services/keycloak/logs-oidc-secret-ensure-job.yaml
View File

@ -2,7 +2,7 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: logs-oidc-secret-ensure-8 name: logs-oidc-secret-ensure-9
namespace: sso namespace: sso
spec: spec:
backoffLimit: 0 backoffLimit: 0
@ -25,14 +25,12 @@ spec:
restartPolicy: Never restartPolicy: Never
containers: containers:
- name: apply - name: apply
image: alpine:3.20 image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
command: ["/bin/sh", "-c"] command: ["/bin/sh", "-c"]
args: args:
- | - |
set -euo pipefail set -euo pipefail
. /vault/secrets/keycloak-admin-env.sh . /vault/secrets/keycloak-admin-env.sh
apk add --no-cache curl jq openssl >/dev/null
KC_URL="http://keycloak.sso.svc.cluster.local" KC_URL="http://keycloak.sso.svc.cluster.local"
ACCESS_TOKEN="" ACCESS_TOKEN=""
for attempt in 1 2 3 4 5; do for attempt in 1 2 3 4 5; do

10
services/keycloak/mas-secrets-ensure-job.yaml
View File

@ -10,7 +10,7 @@ imagePullSecrets:
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: mas-secrets-ensure-18 name: mas-secrets-ensure-19
namespace: sso namespace: sso
spec: spec:
backoffLimit: 0 backoffLimit: 0
@ -32,19 +32,21 @@ spec:
spec: spec:
serviceAccountName: mas-secrets-ensure serviceAccountName: mas-secrets-ensure
restartPolicy: Never restartPolicy: Never
nodeSelector:
kubernetes.io/arch: arm64
node-role.kubernetes.io/worker: "true"
volumes: volumes:
- name: work - name: work
emptyDir: {} emptyDir: {}
initContainers: initContainers:
- name: generate - name: generate
image: alpine:3.20 image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
command: ["/bin/sh", "-c"] command: ["/bin/sh", "-c"]
args: args:
- | - |
set -euo pipefail set -euo pipefail
. /vault/secrets/keycloak-admin-env.sh . /vault/secrets/keycloak-admin-env.sh
umask 077 umask 077
apk add --no-cache curl openssl jq >/dev/null
KC_URL="http://keycloak.sso.svc.cluster.local" KC_URL="http://keycloak.sso.svc.cluster.local"
ACCESS_TOKEN="" ACCESS_TOKEN=""
@ -124,4 +126,4 @@ spec:
-d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/mas-secrets-runtime" >/dev/null -d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/mas-secrets-runtime" >/dev/null
volumeMounts: volumeMounts:
- name: work - name: work
mountPath: /work mountPath: /work

2
services/keycloak/scripts/actual_oidc_secret_ensure.sh
View File

@ -1,8 +1,6 @@
#!/usr/bin/env sh #!/usr/bin/env sh
set -euo pipefail set -euo pipefail
apk add --no-cache curl jq >/dev/null
. /vault/secrets/keycloak-admin-env.sh . /vault/secrets/keycloak-admin-env.sh
KC_URL="http://keycloak.sso.svc.cluster.local" KC_URL="http://keycloak.sso.svc.cluster.local"

2
services/keycloak/scripts/harbor_oidc_secret_ensure.sh
View File

@ -1,8 +1,6 @@
#!/usr/bin/env sh #!/usr/bin/env sh
set -euo pipefail set -euo pipefail
apk add --no-cache curl jq kubectl >/dev/null
. /vault/secrets/keycloak-admin-env.sh . /vault/secrets/keycloak-admin-env.sh
KC_URL="http://keycloak.sso.svc.cluster.local" KC_URL="http://keycloak.sso.svc.cluster.local"

2
services/keycloak/scripts/vault_oidc_secret_ensure.sh
View File

@ -1,8 +1,6 @@
#!/usr/bin/env sh #!/usr/bin/env sh
set -euo pipefail set -euo pipefail
apk add --no-cache curl jq kubectl >/dev/null
. /vault/secrets/keycloak-admin-env.sh . /vault/secrets/keycloak-admin-env.sh
KC_URL="http://keycloak.sso.svc.cluster.local" KC_URL="http://keycloak.sso.svc.cluster.local"

8
services/keycloak/synapse-oidc-secret-ensure-job.yaml
View File

@ -2,7 +2,7 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: synapse-oidc-secret-ensure-8 name: synapse-oidc-secret-ensure-9
namespace: sso namespace: sso
spec: spec:
backoffLimit: 0 backoffLimit: 0
@ -25,14 +25,12 @@ spec:
restartPolicy: Never restartPolicy: Never
containers: containers:
- name: apply - name: apply
image: alpine:3.20 image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
command: ["/bin/sh", "-c"] command: ["/bin/sh", "-c"]
args: args:
- | - |
set -euo pipefail set -euo pipefail
. /vault/secrets/keycloak-admin-env.sh . /vault/secrets/keycloak-admin-env.sh
apk add --no-cache curl jq >/dev/null
KC_URL="http://keycloak.sso.svc.cluster.local" KC_URL="http://keycloak.sso.svc.cluster.local"
ACCESS_TOKEN="" ACCESS_TOKEN=""
for attempt in 1 2 3 4 5; do for attempt in 1 2 3 4 5; do
@ -82,4 +80,4 @@ spec:
curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \ curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
-d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/synapse-oidc" >/dev/null -d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/synapse-oidc" >/dev/null
volumeMounts: volumeMounts:
volumes: volumes:

6
services/keycloak/vault-oidc-secret-ensure-job.yaml
View File

@ -2,7 +2,7 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: vault-oidc-secret-ensure-5 name: vault-oidc-secret-ensure-6
namespace: sso namespace: sso
spec: spec:
backoffLimit: 0 backoffLimit: 0
@ -40,9 +40,9 @@ spec:
operator: Exists operator: Exists
containers: containers:
- name: apply - name: apply
image: alpine:3.20 image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
command: ["/scripts/vault_oidc_secret_ensure.sh"] command: ["/scripts/vault_oidc_secret_ensure.sh"]
volumeMounts: volumeMounts:
- name: vault-oidc-secret-ensure-script - name: vault-oidc-secret-ensure-script
mountPath: /scripts mountPath: /scripts
readOnly: true readOnly: true

2
services/maintenance/image-sweeper-cronjob.yaml
View File

@ -17,6 +17,8 @@ spec:
restartPolicy: OnFailure restartPolicy: OnFailure
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux
kubernetes.io/arch: arm64
node-role.kubernetes.io/worker: "true"
tolerations: tolerations:
- key: node-role.kubernetes.io/control-plane - key: node-role.kubernetes.io/control-plane
operator: Exists operator: Exists

3
services/maintenance/pod-cleaner-cronjob.yaml
View File

@ -16,6 +16,9 @@ spec:
spec: spec:
serviceAccountName: pod-cleaner serviceAccountName: pod-cleaner
restartPolicy: Never restartPolicy: Never
nodeSelector:
kubernetes.io/arch: arm64
node-role.kubernetes.io/worker: "true"
containers: containers:
- name: cleaner - name: cleaner
image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131 image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131