bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

maintenance/vault: move Metis runtime secrets to Vault

Browse Source
This commit is contained in:
Brad Stein 2026-04-05 11:31:05 -03:00
parent 0828f0cf9e
commit deb52c424b
8 changed files with 32 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
services/maintenance/kustomization.yaml
View File

@ -16,7 +16,6 @@ resources:
- metis-serviceaccount.yaml
- metis-rbac.yaml
- metis-token-sync-serviceaccount.yaml
- metis-token-sync-rbac.yaml
- node-nofile-serviceaccount.yaml
- pod-cleaner-rbac.yaml
- ariadne-deployment.yaml
@ -42,7 +41,7 @@ images:
- name: registry.bstein.dev/bstein/ariadne
newTag: 0.1.0-22 # {"$imagepolicy": "maintenance:ariadne:tag"}
- name: registry.bstein.dev/bstein/metis
newTag: 0.1.0-21-amd64
newTag: 0.1.0-22-amd64
configMapGenerator:
- name: disable-k3s-traefik-script
namespace: maintenance

4
services/maintenance/metis-configmap.yaml
View File

@ -14,8 +14,8 @@ data:
METIS_ALLOWED_GROUPS: admin,maintenance
METIS_MAX_DEVICE_BYTES: "1000000000000"
METIS_NAMESPACE: maintenance
METIS_RUNNER_IMAGE_AMD64: registry.bstein.dev/bstein/metis:0.1.0-21-amd64
METIS_RUNNER_IMAGE_ARM64: registry.bstein.dev/bstein/metis:0.1.0-21-arm64
METIS_RUNNER_IMAGE_AMD64: registry.bstein.dev/bstein/metis:0.1.0-22-amd64
METIS_RUNNER_IMAGE_ARM64: registry.bstein.dev/bstein/metis:0.1.0-22-arm64
METIS_HARBOR_REGISTRY: registry.bstein.dev
METIS_HARBOR_PROJECT: metis
METIS_HARBOR_API_BASE: https://registry.bstein.dev/api/v2.0

25
services/maintenance/metis-deployment.yaml
View File

@ -18,17 +18,27 @@ spec:
prometheus.io/scrape: "true"
prometheus.io/port: "8080"
prometheus.io/path: "/metrics"
metis.bstein.dev/config-rev: "2026-04-05-02"
metis.bstein.dev/config-rev: "2026-04-05-03"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "maintenance"
vault.hashicorp.com/agent-inject-secret-metis-ssh-env.sh: "kv/data/atlas/maintenance/metis-ssh-keys"
vault.hashicorp.com/agent-inject-secret-metis-runtime-env.sh: "kv/data/atlas/maintenance/metis-runtime"
vault.hashicorp.com/agent-inject-secret-metis-harbor-env.sh: "kv/data/atlas/harbor/harbor-core"
vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh: |
{{ with secret "kv/data/atlas/maintenance/metis-ssh-keys" }}
export METIS_SSH_KEY_BASTION="{{ .Data.data.bastion_pub }}"
export METIS_SSH_KEY_BRAD="{{ .Data.data.brad_pub }}"
export METIS_SSH_KEY_HECATE_TETHYS="{{ .Data.data.hecate_tethys_pub }}"
{{ end }}
vault.hashicorp.com/agent-inject-template-metis-runtime-env.sh: |
{{ with secret "kv/data/atlas/maintenance/metis-runtime" }}
export METIS_K3S_TOKEN="{{ .Data.data.k3s_token }}"
{{ end }}
vault.hashicorp.com/agent-inject-template-metis-harbor-env.sh: |
{{ with secret "kv/data/atlas/harbor/harbor-core" }}
export METIS_HARBOR_PASSWORD="{{ .Data.data.harbor_admin_password }}"
{{ end }}
spec:
serviceAccountName: metis
terminationGracePeriodSeconds: 30
@ -38,26 +48,19 @@ spec:
node-role.kubernetes.io/accelerator: "true"
containers:
- name: metis
image: registry.bstein.dev/bstein/metis:0.1.0-21-amd64
image: registry.bstein.dev/bstein/metis:0.1.0-22-amd64
imagePullPolicy: Always
command: ["/bin/sh", "-c"]
args:
- |
set -e
. /vault/secrets/metis-runtime-env.sh
. /vault/secrets/metis-harbor-env.sh
. /vault/secrets/metis-ssh-env.sh
exec metis serve
envFrom:
- configMapRef:
name: metis
- secretRef:
name: metis-harbor
env:
- name: METIS_K3S_TOKEN
valueFrom:
secretKeyRef:
name: metis-runtime
key: k3s_token
optional: true
ports:
- name: http
containerPort: 8080

16
services/maintenance/metis-k3s-token-sync-cronjob.yaml
View File

@ -25,18 +25,24 @@ spec:
effect: NoSchedule
containers:
- name: sync
image: registry.bstein.dev/bstein/kubectl:1.35.0
image: hashicorp/vault:1.17.6
imagePullPolicy: IfNotPresent
command:
- /bin/sh
- -c
args:
- |
set -euo pipefail
set -eu
token="$(tr -d '\n' < /host/var/lib/rancher/k3s/server/token)"
kubectl -n maintenance create secret generic metis-runtime \
--from-literal=k3s_token="${token}" \
--dry-run=client -o yaml | kubectl apply -f -
jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
VAULT_TOKEN="$(vault write -field=token auth/kubernetes/login role="${VAULT_K8S_ROLE}" jwt="${jwt}")"
export VAULT_TOKEN
vault kv put kv/atlas/maintenance/metis-runtime k3s_token="${token}"
env:
- name: VAULT_ADDR
value: http://vault.vault.svc.cluster.local:8200
- name: VAULT_K8S_ROLE
value: maintenance-metis-token-sync
securityContext:
runAsUser: 0
volumeMounts:

30
services/maintenance/metis-token-sync-rbac.yaml
View File

@ -1,30 +0,0 @@
# services/maintenance/metis-token-sync-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: metis-token-sync
namespace: maintenance
rules:
- apiGroups: [""]
resources:
- secrets
verbs:
- get
- list
- create
- update
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: metis-token-sync
namespace: maintenance
subjects:
- kind: ServiceAccount
name: metis-token-sync
namespace: maintenance
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: metis-token-sync

8
services/maintenance/secretproviderclass.yaml
View File

@ -13,17 +13,9 @@ spec:
- objectName: "harbor-pull__dockerconfigjson"
secretPath: "kv/data/atlas/shared/harbor-pull"
secretKey: "dockerconfigjson"
- objectName: "harbor-core__harbor_admin_password"
secretPath: "kv/data/atlas/harbor/harbor-core"
secretKey: "harbor_admin_password"
secretObjects:
- secretName: harbor-regcred
type: kubernetes.io/dockerconfigjson
data:
- objectName: harbor-pull__dockerconfigjson
key: .dockerconfigjson
- secretName: metis-harbor
type: Opaque
data:
- objectName: harbor-core__harbor_admin_password
key: METIS_HARBOR_PASSWORD

5
services/vault/k8s-auth-config-cronjob.yaml
View File

@ -34,11 +34,6 @@ spec:
value: http://10.43.57.249:8200
- name: VAULT_K8S_ROLE
value: vault-admin
- name: VAULT_TOKEN
valueFrom:
secretKeyRef:
name: vault-init
key: root_token
- name: VAULT_K8S_TOKEN_REVIEWER_JWT_FILE
value: /var/run/secrets/vault-token-reviewer/token
- name: VAULT_K8S_ROLE_TTL

5
services/vault/scripts/vault_k8s_auth_configure.sh
View File

@ -231,7 +231,10 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
write_policy_and_role "health" "health" "health-vault-sync" \
"health/*" ""
write_policy_and_role "maintenance" "maintenance" "ariadne,maintenance-vault-sync,metis" \
"maintenance/ariadne-db maintenance/metis-oidc maintenance/metis-ssh-keys portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull harbor/harbor-core" ""
"maintenance/ariadne-db maintenance/metis-oidc maintenance/metis-ssh-keys maintenance/metis-runtime portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull harbor/harbor-core" ""
write_policy_and_role "maintenance-metis-token-sync" "maintenance" "metis-token-sync" \
"" \
"maintenance/metis-runtime"
write_policy_and_role "finance" "finance" "finance-vault" \
"finance/* shared/postmark-relay" ""
write_policy_and_role "finance-secrets" "finance" "finance-secrets-ensure" \