From c3ef14c2698a66e3022dce71e77524f2d6c433d5 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Sun, 12 Apr 2026 15:23:08 -0300
Subject: [PATCH] typhon: add AC Infinity telemetry service and Flux wiring
---
 .../applications/kustomization.yaml | 1 +
 .../applications/typhon/kustomization.yaml | 29 +++++
 services/typhon/deployment.yaml | 105 ++++++++++++++++++
 services/typhon/kustomization.yaml | 12 ++
 services/typhon/namespace.yaml | 5 +
 services/typhon/networkpolicy.yaml | 46 ++++++++
 services/typhon/secretproviderclass.yaml | 21 ++++
 services/typhon/service.yaml | 18 +++
 services/typhon/serviceaccount.yaml | 6 +
 services/typhon/vault-sync-deployment.yaml | 34 ++++++
 10 files changed, 277 insertions(+)
 create mode 100644 clusters/atlas/flux-system/applications/typhon/kustomization.yaml
 create mode 100644 services/typhon/deployment.yaml
 create mode 100644 services/typhon/kustomization.yaml
 create mode 100644 services/typhon/namespace.yaml
 create mode 100644 services/typhon/networkpolicy.yaml
 create mode 100644 services/typhon/secretproviderclass.yaml
 create mode 100644 services/typhon/service.yaml
 create mode 100644 services/typhon/serviceaccount.yaml
 create mode 100644 services/typhon/vault-sync-deployment.yaml
diff --git a/clusters/atlas/flux-system/applications/kustomization.yaml b/clusters/atlas/flux-system/applications/kustomization.yaml
index 10c203d8..c2494381 100644
--- a/clusters/atlas/flux-system/applications/kustomization.yaml
+++ b/clusters/atlas/flux-system/applications/kustomization.yaml
@@ -25,6 +25,7 @@ resources:
 - mailu/kustomization.yaml
 - jenkins/kustomization.yaml
 - ai-llm/kustomization.yaml
+ - typhon/kustomization.yaml
 - nextcloud/kustomization.yaml
 - nextcloud-mail-sync/kustomization.yaml
 - outline/kustomization.yaml
diff --git a/clusters/atlas/flux-system/applications/typhon/kustomization.yaml b/clusters/atlas/flux-system/applications/typhon/kustomization.yaml
new file mode 100644
index 00000000..a4b857b1
--- /dev/null
+++ b/clusters/atlas/flux-system/applications/typhon/kustomization.yaml
@@ -0,0 +1,29 @@
+# clusters/atlas/flux-system/applications/typhon/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: typhon
+ namespace: flux-system
+spec:
+ interval: 10m
+ path: ./services/typhon
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ targetNamespace: climate
+ dependsOn:
+ - name: vault
+ - name: vault-csi
+ - name: monitoring
+ healthChecks:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: typhon
+ namespace: climate
+ - apiVersion: v1
+ kind: Service
+ name: typhon
+ namespace: climate
+ wait: false
+ timeout: 20m
diff --git a/services/typhon/deployment.yaml b/services/typhon/deployment.yaml
new file mode 100644
index 00000000..67d7e000
--- /dev/null
+++ b/services/typhon/deployment.yaml
@@ -0,0 +1,105 @@
+# services/typhon/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: typhon
+ namespace: climate
+ labels:
+ app: typhon
+spec:
+ replicas: 1
+ revisionHistoryLimit: 3
+ selector:
+ matchLabels:
+ app: typhon
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+ template:
+ metadata:
+ labels:
+ app: typhon
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9108"
+ prometheus.io/path: "/metrics"
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "typhon"
+ vault.hashicorp.com/agent-inject-secret-aci-env.sh: "kv/data/atlas/climate/typhon/ac-infinity"
+ vault.hashicorp.com/agent-inject-template-aci-env.sh: |
+ {{- with secret "kv/data/atlas/climate/typhon/ac-infinity" -}}
+ export ACI_EMAIL="{{ .Data.data.ACI_EMAIL }}"
+ export ACI_PASSWORD="{{ .Data.data.ACI_PASSWORD }}"
+ {{- if index .Data.data "ACI_HOST" }}
+ export ACI_HOST="{{ index .Data.data "ACI_HOST" }}"
+ {{- end }}
+ {{- end -}}
+ typhon.bstein.dev/restart-rev: "2"
+ spec:
+ serviceAccountName: typhon
+ imagePullSecrets:
+ - name: harbor-regcred
+ nodeSelector:
+ kubernetes.io/arch: amd64
+ kubernetes.io/hostname: titan-22
+ containers:
+ - name: typhon
+ image: registry.bstein.dev/bstein/typhon:main
+ imagePullPolicy: Always
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ set -eu
+ . 
/vault/secrets/aci-env.sh
+ exec node dist/index.js
+ env:
+ - name: POLL_INTERVAL_SECONDS
+ value: "30"
+ - name: REQUEST_TIMEOUT_MS
+ value: "10000"
+ - name: LISTEN_PORT
+ value: "9108"
+ - name: LOG_LEVEL
+ value: "info"
+ ports:
+ - name: metrics
+ containerPort: 9108
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: metrics
+ initialDelaySeconds: 20
+ periodSeconds: 20
+ timeoutSeconds: 3
+ failureThreshold: 3
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: metrics
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 3
+ failureThreshold: 3
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ volumes:
+ - name: tmp
+ emptyDir: {}
diff --git a/services/typhon/kustomization.yaml b/services/typhon/kustomization.yaml
new file mode 100644
index 00000000..3021a54a
--- /dev/null
+++ b/services/typhon/kustomization.yaml
@@ -0,0 +1,12 @@
+# services/typhon/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: climate
+resources:
+ - namespace.yaml
+ - serviceaccount.yaml
+ - secretproviderclass.yaml
+ - vault-sync-deployment.yaml
+ - deployment.yaml
+ - service.yaml
+ - networkpolicy.yaml
diff --git a/services/typhon/namespace.yaml b/services/typhon/namespace.yaml
new file mode 100644
index 00000000..8fd583b5
--- /dev/null
+++ b/services/typhon/namespace.yaml
@@ -0,0 +1,5 @@
+# services/typhon/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: climate
diff --git a/services/typhon/networkpolicy.yaml b/services/typhon/networkpolicy.yaml
new file mode 100644
index 00000000..a8ca7f0e
--- /dev/null
+++ b/services/typhon/networkpolicy.yaml
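Review bot: The `agent-inject-template-aci-env.sh` annotation interpolates the Vault values into double-quoted shell strings, so a credential containing `$`, a backtick, `"` or `\` is expanded or mangled by `sh` when the entrypoint sources `/vault/secrets/aci-env.sh`, and under `set -eu` an unset `$NAME` expansion would abort the container instead of failing loudly at the Vault read. Single-quote the values and escape embedded quotes in the template with consul-template's `replaceAll`, e.g. `export ACI_PASSWORD='{{ .Data.data.ACI_PASSWORD | replaceAll "'" "'\\''" }}'`, and apply the same form to `ACI_EMAIL` and `ACI_HOST`. Two smaller points in the same hunk: `image: registry.bstein.dev/bstein/typhon:main` with `imagePullPolicy: Always` rolls out whatever the mutable tag currently points at, so pinning a digest (`registry.bstein.dev/bstein/typhon@sha256:<DIGEST>`) would make each rollout reproducible and reviewable. The container `securityContext` also lacks `seccompProfile: {type: RuntimeDefault}`, which the restricted Pod Security Standard expects alongside the `drop: ["ALL"]` already present.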
@@ -0,0 +1,46 @@
+# services/typhon/networkpolicy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: typhon
+ namespace: climate
+spec:
+ podSelector:
+ matchLabels:
+ app: typhon
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ ports:
+ - protocol: TCP
+ port: 9108
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ ports:
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 53
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: vault
+ ports:
+ - protocol: TCP
+ port: 8200
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 443
diff --git a/services/typhon/secretproviderclass.yaml b/services/typhon/secretproviderclass.yaml
new file mode 100644
index 00000000..76399fa3
--- /dev/null
+++ b/services/typhon/secretproviderclass.yaml
@@ -0,0 +1,21 @@
+# services/typhon/secretproviderclass.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: typhon-vault
+ namespace: climate
+spec:
+ provider: vault
+ parameters:
+ vaultAddress: "http://vault.vault.svc.cluster.local:8200"
+ roleName: "typhon"
+ objects: |
+ - objectName: "harbor-pull__dockerconfigjson"
+ secretPath: "kv/data/atlas/shared/harbor-pull"
+ secretKey: "dockerconfigjson"
+ secretObjects:
+ - secretName: harbor-regcred
+ type: kubernetes.io/dockerconfigjson
+ data:
+ - objectName: harbor-pull__dockerconfigjson
+ key: .dockerconfigjson
diff --git a/services/typhon/service.yaml b/services/typhon/service.yaml
new file mode 100644
index 00000000..d7af6b85
--- /dev/null
+++ b/services/typhon/service.yaml
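Review bot: The final egress rule's `ipBlock` with `cidr: 0.0.0.0/0` on ports 80/443 is wider than "reach the AC Infinity cloud API": with most CNIs it also permits TCP 80/443 to every cluster service, pod and node address and to link-local endpoints, which undoes the narrow per-namespace rules above it. Add an `except:` list under that `ipBlock` covering the cluster's pod and service ranges and the private/link-local blocks, e.g. `except: ["<POD_CIDR>", "<SERVICE_CIDR>", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]`, and a comment naming the external host the rule exists for so the next reader can tighten it further. Note also that `podSelector` matches only `app: typhon`; the `typhon-vault-sync` pod added in `vault-sync-deployment.yaml` carries a different label and is therefore not governed by this policy unless a namespace-wide default-deny exists elsewhere.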
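Review bot: `vaultAddress` is plain `http://`, so the CSI provider's Vault login and the Harbor pull credential it fetches cross the cluster network unencrypted; if this Vault listener can serve TLS, use `vaultAddress: "https://vault.vault.svc.cluster.local:8200"` and supply the CA through the provider's `vaultCACertPath` parameter (plus `vaultTLSServerName` if the certificate SAN differs from the service name). If Vault is intentionally HTTP-only on this cluster, a one-line comment above `vaultAddress` saying so would stop the next reviewer from raising the same question. Separately, `roleName: "typhon"` here reads `kv/data/atlas/shared/harbor-pull` while the deployment's agent-inject annotation uses the same role for `kv/data/atlas/climate/typhon/ac-infinity`; the Vault policy bound to that role is not in this patch, so it is worth confirming it grants exactly those two paths and nothing broader under `kv/data/atlas/shared/`.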
@@ -0,0 +1,18 @@
+# services/typhon/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: typhon
+ namespace: climate
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9108"
+ prometheus.io/path: "/metrics"
+spec:
+ type: ClusterIP
+ selector:
+ app: typhon
+ ports:
+ - name: metrics
+ port: 9108
+ targetPort: metrics
diff --git a/services/typhon/serviceaccount.yaml b/services/typhon/serviceaccount.yaml
new file mode 100644
index 00000000..87491320
--- /dev/null
+++ b/services/typhon/serviceaccount.yaml
@@ -0,0 +1,6 @@
+# services/typhon/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: typhon
+ namespace: climate
diff --git a/services/typhon/vault-sync-deployment.yaml b/services/typhon/vault-sync-deployment.yaml
new file mode 100644
index 00000000..e1679e18
--- /dev/null
+++ b/services/typhon/vault-sync-deployment.yaml
@@ -0,0 +1,34 @@
+# services/typhon/vault-sync-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: typhon-vault-sync
+ namespace: climate
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: typhon-vault-sync
+ template:
+ metadata:
+ labels:
+ app: typhon-vault-sync
+ spec:
+ serviceAccountName: typhon
+ containers:
+ - name: sync
+ image: alpine:3.20
+ command: ["/bin/sh", "-c"]
+ args:
+ - "sleep infinity"
+ volumeMounts:
+ - name: vault-secrets
+ mountPath: /vault/secrets
+ readOnly: true
+ volumes:
+ - name: vault-secrets
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: typhon-vault
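Review bot: The `sync` container in `vault-sync-deployment.yaml`, whose only role appears to be keeping the CSI-synced `harbor-regcred` secret alive, has no `securityContext` and no `resources`, unlike the hardened `typhon` container in `deployment.yaml` — so the one pod that holds the registry credential on its filesystem runs as root with full capabilities and no limits. Give it the same non-root, read-only, drop-all settings plus a `seccompProfile`, and a small resource block (the values below are constructed examples; a `sleep` needs almost nothing), and consider pinning `alpine:3.20` by digest since that tag moves. A comment above `metadata.name` stating why this Deployment exists (secretObjects sync requires a pod mounting the volume) would also save future readers from deleting it as dead weight.
```yaml
containers:
  - name: sync
    # … unchanged: image, command, args …
    securityContext:
      runAsNonRoot: true
      runAsUser: 65532
      runAsGroup: 65532
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
    resources:  # constructed example values
      requests:
        cpu: 10m
        memory: 16Mi
      limits:
        cpu: 50m
        memory: 32Mi
    # … unchanged: volumeMounts …
```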