From deb52c424b8766ce4b26a11e48f0c9c7cbb99c8c Mon Sep 17 00:00:00 2001 From: Brad Stein Date: Sun, 5 Apr 2026 11:31:05 -0300 Subject: [PATCH] maintenance/vault: move Metis runtime secrets to Vault --- services/maintenance/kustomization.yaml | 3 +- services/maintenance/metis-configmap.yaml | 4 +-- services/maintenance/metis-deployment.yaml | 25 +++++++++------- .../metis-k3s-token-sync-cronjob.yaml | 16 ++++++---- .../maintenance/metis-token-sync-rbac.yaml | 30 ------------------- services/maintenance/secretproviderclass.yaml | 8 ----- services/vault/k8s-auth-config-cronjob.yaml | 5 ---- .../vault/scripts/vault_k8s_auth_configure.sh | 5 +++- 8 files changed, 32 insertions(+), 64 deletions(-) delete mode 100644 services/maintenance/metis-token-sync-rbac.yaml diff --git a/services/maintenance/kustomization.yaml b/services/maintenance/kustomization.yaml index 0633fe21..597e97c6 100644 --- a/services/maintenance/kustomization.yaml +++ b/services/maintenance/kustomization.yaml @@ -16,7 +16,6 @@ resources: - metis-serviceaccount.yaml - metis-rbac.yaml - metis-token-sync-serviceaccount.yaml - - metis-token-sync-rbac.yaml - node-nofile-serviceaccount.yaml - pod-cleaner-rbac.yaml - ariadne-deployment.yaml @@ -42,7 +41,7 @@ images: - name: registry.bstein.dev/bstein/ariadne newTag: 0.1.0-22 # {"$imagepolicy": "maintenance:ariadne:tag"} - name: registry.bstein.dev/bstein/metis - newTag: 0.1.0-21-amd64 + newTag: 0.1.0-22-amd64 configMapGenerator: - name: disable-k3s-traefik-script namespace: maintenance diff --git a/services/maintenance/metis-configmap.yaml b/services/maintenance/metis-configmap.yaml index 64c1603e..2c1c5155 100644 --- a/services/maintenance/metis-configmap.yaml +++ b/services/maintenance/metis-configmap.yaml 
@@ -14,8 +14,8 @@ data: METIS_ALLOWED_GROUPS: admin,maintenance METIS_MAX_DEVICE_BYTES: "1000000000000" METIS_NAMESPACE: maintenance - METIS_RUNNER_IMAGE_AMD64: registry.bstein.dev/bstein/metis:0.1.0-21-amd64 - METIS_RUNNER_IMAGE_ARM64: registry.bstein.dev/bstein/metis:0.1.0-21-arm64 + METIS_RUNNER_IMAGE_AMD64: registry.bstein.dev/bstein/metis:0.1.0-22-amd64 + METIS_RUNNER_IMAGE_ARM64: registry.bstein.dev/bstein/metis:0.1.0-22-arm64 METIS_HARBOR_REGISTRY: registry.bstein.dev METIS_HARBOR_PROJECT: metis METIS_HARBOR_API_BASE: https://registry.bstein.dev/api/v2.0 diff --git a/services/maintenance/metis-deployment.yaml b/services/maintenance/metis-deployment.yaml index 50b5128a..6f190612 100644 --- a/services/maintenance/metis-deployment.yaml +++ b/services/maintenance/metis-deployment.yaml 
@@ -18,17 +18,27 @@ spec: prometheus.io/scrape: "true" prometheus.io/port: "8080" prometheus.io/path: "/metrics" - metis.bstein.dev/config-rev: "2026-04-05-02" + metis.bstein.dev/config-rev: "2026-04-05-03" vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/agent-pre-populate-only: "true" vault.hashicorp.com/role: "maintenance" vault.hashicorp.com/agent-inject-secret-metis-ssh-env.sh: "kv/data/atlas/maintenance/metis-ssh-keys" + vault.hashicorp.com/agent-inject-secret-metis-runtime-env.sh: "kv/data/atlas/maintenance/metis-runtime" + vault.hashicorp.com/agent-inject-secret-metis-harbor-env.sh: "kv/data/atlas/harbor/harbor-core" vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh: | {{ with secret "kv/data/atlas/maintenance/metis-ssh-keys" }} export METIS_SSH_KEY_BASTION="{{ .Data.data.bastion_pub }}" export METIS_SSH_KEY_BRAD="{{ .Data.data.brad_pub }}" export METIS_SSH_KEY_HECATE_TETHYS="{{ .Data.data.hecate_tethys_pub }}" {{ end }} + vault.hashicorp.com/agent-inject-template-metis-runtime-env.sh: | + {{ with secret "kv/data/atlas/maintenance/metis-runtime" }} + export METIS_K3S_TOKEN="{{ .Data.data.k3s_token }}" + {{ end }} + vault.hashicorp.com/agent-inject-template-metis-harbor-env.sh: | + {{ with secret "kv/data/atlas/harbor/harbor-core" }} + export METIS_HARBOR_PASSWORD="{{ .Data.data.harbor_admin_password }}" + {{ end }} spec: serviceAccountName: metis terminationGracePeriodSeconds: 30 
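Review bot: The two new templates interpolate `{{ .Data.data.k3s_token }}` and `{{ .Data.data.harbor_admin_password }}` into a double-quoted shell string, so a value containing a double quote, a dollar sign, a backtick or a backslash is altered by, or breaks, the `.`-sourced file at container start; the Harbor admin password is the likelier of the two to contain such characters. The existing ssh-env template has the same shape, but these two values previously reached the container through `secretKeyRef`/`secretRef` without ever passing through a shell parser, so the exposure is new for them. Single-quote the value and escape embedded single quotes, e.g. `export METIS_HARBOR_PASSWORD='{{ .Data.data.harbor_admin_password | replaceAll "'" "'\\''" }}'`, or keep the value out of the shell entirely by rendering it to a file the application reads directly. The Pod template's annotation block continues outside the hunk.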
@@ -38,26 +48,19 @@ spec: node-role.kubernetes.io/accelerator: "true" containers: - name: metis - image: registry.bstein.dev/bstein/metis:0.1.0-21-amd64 + image: registry.bstein.dev/bstein/metis:0.1.0-22-amd64 imagePullPolicy: Always command: ["/bin/sh", "-c"] args: - | set -e + . /vault/secrets/metis-runtime-env.sh + . /vault/secrets/metis-harbor-env.sh . /vault/secrets/metis-ssh-env.sh exec metis serve envFrom: - configMapRef: name: metis - - secretRef: - name: metis-harbor - env: - - name: METIS_K3S_TOKEN - valueFrom: - secretKeyRef: - name: metis-runtime - key: k3s_token - optional: true ports: - name: http containerPort: 8080 diff --git a/services/maintenance/metis-k3s-token-sync-cronjob.yaml b/services/maintenance/metis-k3s-token-sync-cronjob.yaml index 0e248e86..7ef49087 100644 --- a/services/maintenance/metis-k3s-token-sync-cronjob.yaml +++ b/services/maintenance/metis-k3s-token-sync-cronjob.yaml @@ -25,18 +25,24 @@ spec: effect: NoSchedule containers: - name: sync - image: registry.bstein.dev/bstein/kubectl:1.35.0 + image: hashicorp/vault:1.17.6 imagePullPolicy: IfNotPresent command: - /bin/sh - -c args: - | - set -euo pipefail + set -eu token="$(tr -d '\n' < /host/var/lib/rancher/k3s/server/token)" - kubectl -n maintenance create secret generic metis-runtime \ - --from-literal=k3s_token="${token}" \ - --dry-run=client -o yaml | kubectl apply -f - + jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" + VAULT_TOKEN="$(vault write -field=token auth/kubernetes/login role="${VAULT_K8S_ROLE}" jwt="${jwt}")" + export VAULT_TOKEN + vault kv put kv/atlas/maintenance/metis-runtime k3s_token="${token}" + env: + - name: VAULT_ADDR + value: http://vault.vault.svc.cluster.local:8200 + - name: VAULT_K8S_ROLE + value: maintenance-metis-token-sync securityContext: runAsUser: 0 volumeMounts: diff --git a/services/maintenance/metis-token-sync-rbac.yaml b/services/maintenance/metis-token-sync-rbac.yaml deleted file mode 100644 index 86da52b4..00000000 
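Review bot: Dropping `optional: true` on METIS_K3S_TOKEN changes the bootstrap contract: the token now comes from `/vault/secrets/metis-runtime-env.sh`, rendered from `kv/data/atlas/maintenance/metis-runtime`, and that path is only written by the metis-k3s-token-sync CronJob, so on a fresh cluster the first rollout of this Deployment happens before the secret exists. Whether Vault Agent then holds the pod in the init phase or renders an empty file (leaving the variable unset, as the old optional env did) depends on the agent's handling of a missing KV path and is not visible here; either way the ordering should be stated, e.g. a comment above the `args:` block: `# metis-runtime is populated by the metis-k3s-token-sync CronJob; the first rollout on a fresh cluster precedes that write`. The container spec continues outside the hunk.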
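Review bot: Both secrets are handed to `vault` as command-line arguments (`jwt="${jwt}"`, `k3s_token="${token}"`), which exposes the service-account JWT and the k3s server token in the process table for the duration of each call; the `vault` CLI reads `key=@path` from a file, so the login can become `vault write -field=token auth/kubernetes/login role="${VAULT_K8S_ROLE}" jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token` and the `jwt="$(cat …)"` line can go. The login token is also never revoked, so it stays valid for its full TTL after the job has finished; `trap 'vault token revoke -self >/dev/null 2>&1 || true' EXIT` placed right after `export VAULT_TOKEN` closes that window. `hashicorp/vault:1.17.6` is the only image in this patch pulled from Docker Hub by tag rather than from `registry.bstein.dev`; pinning it by digest or mirroring it keeps the job inside the project's supply chain. `VAULT_ADDR` is plain `http://`, matching the existing vault CronJob, so if the Vault listener offers TLS the https form would stop both tokens from crossing the cluster network in clear. The container spec continues outside the hunk.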
--- a/services/maintenance/metis-token-sync-rbac.yaml +++ /dev/null @@ -1,30 +0,0 @@ -# services/maintenance/metis-token-sync-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: metis-token-sync - namespace: maintenance -rules: - - apiGroups: [""] - resources: - - secrets - verbs: - - get - - list - - create - - update - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: metis-token-sync - namespace: maintenance -subjects: - - kind: ServiceAccount - name: metis-token-sync - namespace: maintenance -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: metis-token-sync diff --git a/services/maintenance/secretproviderclass.yaml b/services/maintenance/secretproviderclass.yaml index fae83c78..85df2af5 100644 --- a/services/maintenance/secretproviderclass.yaml +++ b/services/maintenance/secretproviderclass.yaml @@ -13,17 +13,9 @@ spec: - objectName: "harbor-pull__dockerconfigjson" secretPath: "kv/data/atlas/shared/harbor-pull" secretKey: "dockerconfigjson" - - objectName: "harbor-core__harbor_admin_password" - secretPath: "kv/data/atlas/harbor/harbor-core" - secretKey: "harbor_admin_password" secretObjects: - secretName: harbor-regcred type: kubernetes.io/dockerconfigjson data: - objectName: harbor-pull__dockerconfigjson key: .dockerconfigjson - - secretName: metis-harbor - type: Opaque - data: - - objectName: harbor-core__harbor_admin_password - key: METIS_HARBOR_PASSWORD diff --git a/services/vault/k8s-auth-config-cronjob.yaml b/services/vault/k8s-auth-config-cronjob.yaml index 5a2d6829..43da16b4 100644 --- a/services/vault/k8s-auth-config-cronjob.yaml +++ b/services/vault/k8s-auth-config-cronjob.yaml 
@@ -34,11 +34,6 @@ spec: value: http://10.43.57.249:8200 - name: VAULT_K8S_ROLE value: vault-admin - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-init - key: root_token - name: VAULT_K8S_TOKEN_REVIEWER_JWT_FILE value: /var/run/secrets/vault-token-reviewer/token - name: VAULT_K8S_ROLE_TTL diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh index 3d198d00..0f5b8d24 100644 --- a/services/vault/scripts/vault_k8s_auth_configure.sh +++ b/services/vault/scripts/vault_k8s_auth_configure.sh 
@@ -231,7 +231,10 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \ write_policy_and_role "health" "health" "health-vault-sync" \ "health/*" "" write_policy_and_role "maintenance" "maintenance" "ariadne,maintenance-vault-sync,metis" \ - "maintenance/ariadne-db maintenance/metis-oidc maintenance/metis-ssh-keys portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull harbor/harbor-core" "" + "maintenance/ariadne-db maintenance/metis-oidc maintenance/metis-ssh-keys maintenance/metis-runtime portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull harbor/harbor-core" "" +write_policy_and_role "maintenance-metis-token-sync" "maintenance" "metis-token-sync" \ + "" \ + "maintenance/metis-runtime" write_policy_and_role "finance" "finance" "finance-vault" \ "finance/* shared/postmark-relay" "" write_policy_and_role "finance-secrets" "finance" "finance-secrets-ensure" \
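Review bot: The new `write_policy_and_role "maintenance-metis-token-sync" "maintenance" "metis-token-sync" …` call depends on positional arguments whose meaning is not visible in the hunk — from the other calls the fourth looks like the read-path list and the fifth the write-path list, so the sync role would be write-only to `maintenance/metis-runtime` — but `write_policy_and_role` is defined outside the hunk, so this is inferred. Because an empty fourth argument reads like an omission, add a comment above the call: `# token-sync SA: no read paths; write-only to maintenance/metis-runtime, which the metis deployment reads via the maintenance role`. Worth confirming that the capabilities the function grants for the write list are limited to create/update (no read or delete) and that the KV path it derives matches the `kv/atlas/maintenance/metis-runtime` path the CronJob writes. The run of role definitions continues outside the hunk.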