diff --git a/services/harbor/helmrelease.yaml b/services/harbor/helmrelease.yaml
index 95025f2..45ca1d8 100644
--- a/services/harbor/helmrelease.yaml
+++ b/services/harbor/helmrelease.yaml
@@ -112,7 +112,7 @@ spec: existingSecretSecretKey: harbor-core core: image: - repository: registry.bstein.dev/infra/harbor-core-vault + repository: registry.bstein.dev/infra/harbor-core tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-core:tag"} nodeSelector: kubernetes.io/hostname: titan-05
@@ -175,7 +175,7 @@ spec: values: ["rpi4"] jobservice: image: - repository: registry.bstein.dev/infra/harbor-jobservice-vault + repository: registry.bstein.dev/infra/harbor-jobservice tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-jobservice:tag"} nodeSelector: kubernetes.io/hostname: titan-05
@@ -245,11 +245,11 @@ spec: registry: registry: image: - repository: registry.bstein.dev/infra/harbor-registry-vault + repository: registry.bstein.dev/infra/harbor-registry tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-registry:tag"} controller: image: - repository: registry.bstein.dev/infra/harbor-registryctl-vault + repository: registry.bstein.dev/infra/harbor-registryctl tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-registryctl:tag"} serviceAccountName: harbor-vault-sync automountServiceAccountToken: true
@@ -354,6 +354,10 @@ spec: spec: containers: - name: core + command: + - /entrypoint.sh + args: + - /harbor/entrypoint.sh env: - $patch: replace - name: VAULT_ENV_FILE
@@ -365,6 +369,9 @@ spec: - configMapRef: name: harbor-core volumeMounts: + - name: harbor-vault-entrypoint + mountPath: /entrypoint.sh + subPath: vault-entrypoint.sh - name: secret-key $patch: delete - name: token-service-private-key
@@ -372,6 +379,10 @@ spec: - name: core-writable mountPath: /etc/core volumes: + - name: harbor-vault-entrypoint + configMap: + name: harbor-vault-entrypoint + defaultMode: 493 - name: secret-key $patch: delete - name: token-service-private-key
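Review bot: `defaultMode: 493` on the new harbor-vault-entrypoint volume is the decimal spelling of 0755 and is easy to misread as an arbitrary number; annotate it, `defaultMode: 493  # 0755`. The same volume and its `subPath: vault-entrypoint.sh` mount recur in the @@ -399, @@ -434 and @@ -492 hunks. Because the script is mounted with `subPath`, a running pod never sees later ConfigMap updates, so an edited vault-entrypoint.sh only takes effect once the patched pods are recreated.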
@@ -391,6 +402,10 @@ spec: spec: containers: - name: jobservice + command: + - /entrypoint.sh + args: + - /harbor/entrypoint.sh env: - $patch: replace - name: VAULT_ENV_FILE
@@ -399,6 +414,15 @@ spec: - $patch: replace - configMapRef: name: harbor-jobservice-env + volumeMounts: + - name: harbor-vault-entrypoint + mountPath: /entrypoint.sh + subPath: vault-entrypoint.sh + volumes: + - name: harbor-vault-entrypoint + configMap: + name: harbor-vault-entrypoint + defaultMode: 493 - target: kind: Deployment name: harbor-registry
@@ -412,6 +436,10 @@ spec: spec: containers: - name: registry + command: + - /entrypoint.sh + args: + - /home/harbor/entrypoint.sh env: - $patch: replace - name: VAULT_ENV_FILE
@@ -421,11 +449,18 @@ spec: envFrom: - $patch: replace volumeMounts: + - name: harbor-vault-entrypoint + mountPath: /entrypoint.sh + subPath: vault-entrypoint.sh - name: registry-htpasswd $patch: delete - name: registry-writable mountPath: /etc/registry - name: registryctl + command: + - /entrypoint.sh + args: + - /home/harbor/start.sh env: - $patch: replace - name: VAULT_ENV_FILE
@@ -434,7 +469,15 @@ spec: - $patch: replace - configMapRef: name: harbor-registryctl + volumeMounts: + - name: harbor-vault-entrypoint + mountPath: /entrypoint.sh + subPath: vault-entrypoint.sh volumes: + - name: harbor-vault-entrypoint + configMap: + name: harbor-vault-entrypoint + defaultMode: 493 - name: registry-htpasswd $patch: delete - name: registry-writable
@@ -484,6 +527,11 @@ spec: automountServiceAccountToken: true containers: - name: core-job + command: + - /entrypoint.sh + args: + - /harbor/harbor_core + - -mode=migrate env: - $patch: replace - name: VAULT_ENV_FILE
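Review bot: `- -mode=migrate` in the core-job args parses as the string `-mode=migrate`, but a plain scalar that starts with a dash reads like a nested sequence item; quote it, `- "-mode=migrate"`, so the intent is unmistakable. The rest of the migration Job patch, including its volumeMounts, sits outside this hunk.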
@@ -492,6 +540,15 @@ spec: - $patch: replace - configMapRef: name: harbor-core + volumeMounts: + - name: harbor-vault-entrypoint + mountPath: /entrypoint.sh + subPath: vault-entrypoint.sh + volumes: + - name: harbor-vault-entrypoint + configMap: + name: harbor-vault-entrypoint + defaultMode: 493 - target: kind: Secret name: harbor-core
diff --git a/services/harbor/image.yaml b/services/harbor/image.yaml
index 850926a..2b25875 100644
--- a/services/harbor/image.yaml
+++ b/services/harbor/image.yaml
@@ -5,7 +5,7 @@ metadata: name: harbor-core namespace: harbor spec: - image: registry.bstein.dev/infra/harbor-core-vault + image: registry.bstein.dev/infra/harbor-core interval: 5m0s --- apiVersion: image.toolkit.fluxcd.io/v1beta2
@@ -29,7 +29,7 @@ metadata: name: harbor-jobservice namespace: harbor spec: - image: registry.bstein.dev/infra/harbor-jobservice-vault + image: registry.bstein.dev/infra/harbor-jobservice interval: 5m0s --- apiVersion: image.toolkit.fluxcd.io/v1beta2
@@ -77,7 +77,7 @@ metadata: name: harbor-registry namespace: harbor spec: - image: registry.bstein.dev/infra/harbor-registry-vault + image: registry.bstein.dev/infra/harbor-registry interval: 5m0s --- apiVersion: image.toolkit.fluxcd.io/v1beta2
@@ -101,7 +101,7 @@ metadata: name: harbor-registryctl namespace: harbor spec: - image: registry.bstein.dev/infra/harbor-registryctl-vault + image: registry.bstein.dev/infra/harbor-registryctl interval: 5m0s --- apiVersion: image.toolkit.fluxcd.io/v1beta2
diff --git a/services/harbor/kustomization.yaml b/services/harbor/kustomization.yaml
index 2a9cb9e..3018b3c 100644
--- a/services/harbor/kustomization.yaml
+++ b/services/harbor/kustomization.yaml
@@ -2,6 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: harbor +generatorOptions: + disableNameSuffixHash: true resources: - namespace.yaml - serviceaccount.yaml
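Review bot: `disableNameSuffixHash: true` under `generatorOptions` applies to every generator in this Kustomization, not only to the harbor-vault-entrypoint ConfigMap, and it drops the content hash that would otherwise rename the ConfigMap and roll the Deployments that mount it. With a fixed name, a later change to the script updates the ConfigMap in place and the patched Harbor pods keep the previous script until they are restarted. The fixed name is presumably required so the HelmRelease post-render patches can reference `harbor-vault-entrypoint` by name; record that trade-off above the option, `# fixed name: referenced by the HelmRelease post-render patches; script changes need a pod restart`.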
@@ -11,3 +13,7 @@ resources: - helmrelease.yaml - vault-sync-deployment.yaml - image.yaml
+configMapGenerator:
+ - name: harbor-vault-entrypoint
+ files:
+ - scripts/vault-entrypoint.sh
diff --git a/services/harbor/scripts/vault-entrypoint.sh b/services/harbor/scripts/vault-entrypoint.sh
new file mode 100644
index 0000000..8d6ea78
--- /dev/null
+++ b/services/harbor/scripts/vault-entrypoint.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+set -eu
+
+if [ -n "${VAULT_ENV_FILE:-}" ]; then
+ if [ -f "${VAULT_ENV_FILE}" ]; then
+ # shellcheck disable=SC1090
+ . "${VAULT_ENV_FILE}"
+ else
+ echo "Vault env file not found: ${VAULT_ENV_FILE}" >&2
+ exit 1
+ fi
+fi
+
+if [ -n "${VAULT_COPY_FILES:-}" ]; then
+ old_ifs="$IFS"
+ IFS=','
+ set -- ${VAULT_COPY_FILES}
+ IFS="$old_ifs"
+ for pair in "$@"; do
+ src="${pair%%:*}"
+ dest="${pair#*:}"
+ if [ -z "${src}" ] || [ -z "${dest}" ]; then
+ echo "Vault copy entry malformed: ${pair}" >&2
+ exit 1
+ fi
+ if [ ! -f "${src}" ]; then
+ echo "Vault file not found: ${src}" >&2
+ exit 1
+ fi
+ mkdir -p "$(dirname "${dest}")"
+ cp "${src}" "${dest}"
+ done
+fi
+
+exec "$@"
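Review bot: `set -- ${VAULT_COPY_FILES}` overwrites the positional parameters, so whenever that variable is set the final `exec "$@"` runs the first `src:dest` pair instead of the command passed in the container's `args`, and the container fails to start. Iterate over the split value directly and restore `IFS` after the loop instead; a pair without a `:` also slips past the malformed check today, because `src` and `dest` then both equal the whole entry. The unquoted expansion is still subject to pathname expansion, so wrapping the split in `set -f`/`set +f` keeps a `*` in an entry from globbing. Sourcing the env file with `.` executes it as shell, which is only safe if whatever writes it (presumably the vault-sync side) emits properly quoted assignments; worth a comment at that line.
```shell
if [ -n "${VAULT_COPY_FILES:-}" ]; then
  old_ifs="$IFS"
  IFS=','
  set -f
  for pair in ${VAULT_COPY_FILES}; do
    case "${pair}" in
      *:*) ;;
      *) echo "Vault copy entry malformed: ${pair}" >&2; exit 1 ;;
    esac
    src="${pair%%:*}"
    dest="${pair#*:}"
    # … unchanged: empty-field check, existence check, mkdir -p, cp …
  done
  set +f
  IFS="$old_ifs"
fi

exec "$@"
```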