typhon: add AC Infinity telemetry service and Flux wiring

clusters/atlas/flux-system/applications/kustomization.yaml

@@ -25,6 +25,7 @@ resources:
   - mailu/kustomization.yaml
   - jenkins/kustomization.yaml
   - ai-llm/kustomization.yaml
+  - typhon/kustomization.yaml
   - nextcloud/kustomization.yaml
   - nextcloud-mail-sync/kustomization.yaml
   - outline/kustomization.yaml

clusters/atlas/flux-system/applications/typhon/kustomization.yaml

@@ -0,0 +1,29 @@
+# clusters/atlas/flux-system/applications/typhon/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: typhon
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ./services/typhon
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  targetNamespace: climate
+  dependsOn:
+    - name: vault
+    - name: vault-csi
+    - name: monitoring
+  healthChecks:
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: typhon
+      namespace: climate
+    - apiVersion: v1
+      kind: Service
+      name: typhon
+      namespace: climate
+  wait: false
+  timeout: 20m

services/typhon/deployment.yaml

@@ -0,0 +1,105 @@
+# services/typhon/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: typhon
+  namespace: climate
+  labels:
+    app: typhon
+spec:
+  replicas: 1
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: typhon
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+  template:
+    metadata:
+      labels:
+        app: typhon
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9108"
+        prometheus.io/path: "/metrics"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "typhon"
+        vault.hashicorp.com/agent-inject-secret-aci-env.sh: "kv/data/atlas/climate/typhon/ac-infinity"
+        vault.hashicorp.com/agent-inject-template-aci-env.sh: |
+          {{- with secret "kv/data/atlas/climate/typhon/ac-infinity" -}}
+          export ACI_EMAIL="{{ .Data.data.ACI_EMAIL }}"
+          export ACI_PASSWORD="{{ .Data.data.ACI_PASSWORD }}"
+          {{- if index .Data.data "ACI_HOST" }}
+          export ACI_HOST="{{ index .Data.data "ACI_HOST" }}"
+          {{- end }}
+          {{- end -}}
+        typhon.bstein.dev/restart-rev: "2"
+    spec:
+      serviceAccountName: typhon
+      imagePullSecrets:
+        - name: harbor-regcred
+      nodeSelector:
+        kubernetes.io/arch: amd64
+        kubernetes.io/hostname: titan-22
+      containers:
+        - name: typhon
+          image: registry.bstein.dev/bstein/typhon:main
+          imagePullPolicy: Always
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -eu
+              . /vault/secrets/aci-env.sh
+              exec node dist/index.js
+          env:
+            - name: POLL_INTERVAL_SECONDS
+              value: "30"
+            - name: REQUEST_TIMEOUT_MS
+              value: "10000"
+            - name: LISTEN_PORT
+              value: "9108"
+            - name: LOG_LEVEL
+              value: "info"
+          ports:
+            - name: metrics
+              containerPort: 9108
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: metrics
+            initialDelaySeconds: 20
+            periodSeconds: 20
+            timeoutSeconds: 3
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: metrics
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 3
+            failureThreshold: 3
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 65532
+            runAsGroup: 65532
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: ["ALL"]
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: 500m
+              memory: 512Mi
+      volumes:
+        - name: tmp
+          emptyDir: {}

services/typhon/kustomization.yaml

@@ -0,0 +1,12 @@
+# services/typhon/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: climate
+resources:
+  - namespace.yaml
+  - serviceaccount.yaml
+  - secretproviderclass.yaml
+  - vault-sync-deployment.yaml
+  - deployment.yaml
+  - service.yaml
+  - networkpolicy.yaml

services/typhon/namespace.yaml

@@ -0,0 +1,5 @@
+# services/typhon/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: climate

services/typhon/networkpolicy.yaml

@@ -0,0 +1,46 @@
+# services/typhon/networkpolicy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: typhon
+  namespace: climate
+spec:
+  podSelector:
+    matchLabels:
+      app: typhon
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+      ports:
+        - protocol: TCP
+          port: 9108
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: vault
+      ports:
+        - protocol: TCP
+          port: 8200
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+      ports:
+        - protocol: TCP
+          port: 80
+        - protocol: TCP
+          port: 443

services/typhon/secretproviderclass.yaml

@@ -0,0 +1,21 @@
+# services/typhon/secretproviderclass.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: typhon-vault
+  namespace: climate
+spec:
+  provider: vault
+  parameters:
+    vaultAddress: "http://vault.vault.svc.cluster.local:8200"
+    roleName: "typhon"
+    objects: |
+      - objectName: "harbor-pull__dockerconfigjson"
+        secretPath: "kv/data/atlas/shared/harbor-pull"
+        secretKey: "dockerconfigjson"
+  secretObjects:
+    - secretName: harbor-regcred
+      type: kubernetes.io/dockerconfigjson
+      data:
+        - objectName: harbor-pull__dockerconfigjson
+          key: .dockerconfigjson

services/typhon/service.yaml

@@ -0,0 +1,18 @@
+# services/typhon/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: typhon
+  namespace: climate
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/port: "9108"
+    prometheus.io/path: "/metrics"
+spec:
+  type: ClusterIP
+  selector:
+    app: typhon
+  ports:
+    - name: metrics
+      port: 9108
+      targetPort: metrics

services/typhon/serviceaccount.yaml

@@ -0,0 +1,6 @@
+# services/typhon/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: typhon
+  namespace: climate

services/typhon/vault-sync-deployment.yaml

@@ -0,0 +1,34 @@
+# services/typhon/vault-sync-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: typhon-vault-sync
+  namespace: climate
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: typhon-vault-sync
+  template:
+    metadata:
+      labels:
+        app: typhon-vault-sync
+    spec:
+      serviceAccountName: typhon
+      containers:
+        - name: sync
+          image: alpine:3.20
+          command: ["/bin/sh", "-c"]
+          args:
+            - "sleep infinity"
+          volumeMounts:
+            - name: vault-secrets
+              mountPath: /vault/secrets
+              readOnly: true
+      volumes:
+        - name: vault-secrets
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: typhon-vault