harbor: mount vault entrypoint script

Brad Stein 2026-01-14 21:02:50 -03:00
parent 713fedfe73
commit eeeb69fb7a
4 changed files with 106 additions and 8 deletions


@ -112,7 +112,7 @@ spec:
existingSecretSecretKey: harbor-core existingSecretSecretKey: harbor-core
core: core:
image: image:
repository: registry.bstein.dev/infra/harbor-core-vault repository: registry.bstein.dev/infra/harbor-core
tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-core:tag"} tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-core:tag"}
nodeSelector: nodeSelector:
kubernetes.io/hostname: titan-05 kubernetes.io/hostname: titan-05
@ -175,7 +175,7 @@ spec:
values: ["rpi4"] values: ["rpi4"]
jobservice: jobservice:
image: image:
repository: registry.bstein.dev/infra/harbor-jobservice-vault repository: registry.bstein.dev/infra/harbor-jobservice
tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-jobservice:tag"} tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-jobservice:tag"}
nodeSelector: nodeSelector:
kubernetes.io/hostname: titan-05 kubernetes.io/hostname: titan-05
@ -245,11 +245,11 @@ spec:
registry: registry:
registry: registry:
image: image:
repository: registry.bstein.dev/infra/harbor-registry-vault repository: registry.bstein.dev/infra/harbor-registry
tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-registry:tag"} tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-registry:tag"}
controller: controller:
image: image:
repository: registry.bstein.dev/infra/harbor-registryctl-vault repository: registry.bstein.dev/infra/harbor-registryctl
tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-registryctl:tag"} tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-registryctl:tag"}
serviceAccountName: harbor-vault-sync serviceAccountName: harbor-vault-sync
automountServiceAccountToken: true automountServiceAccountToken: true
@ -354,6 +354,10 @@ spec:
spec: spec:
containers: containers:
- name: core - name: core
command:
- /entrypoint.sh
args:
- /harbor/entrypoint.sh
env: env:
- $patch: replace - $patch: replace
- name: VAULT_ENV_FILE - name: VAULT_ENV_FILE
@ -365,6 +369,9 @@ spec:
- configMapRef: - configMapRef:
name: harbor-core name: harbor-core
volumeMounts: volumeMounts:
- name: harbor-vault-entrypoint
mountPath: /entrypoint.sh
subPath: vault-entrypoint.sh
- name: secret-key - name: secret-key
$patch: delete $patch: delete
- name: token-service-private-key - name: token-service-private-key
@ -372,6 +379,10 @@ spec:
- name: core-writable - name: core-writable
mountPath: /etc/core mountPath: /etc/core
volumes: volumes:
- name: harbor-vault-entrypoint
configMap:
name: harbor-vault-entrypoint
defaultMode: 493
- name: secret-key - name: secret-key
$patch: delete $patch: delete
- name: token-service-private-key - name: token-service-private-key
@ -391,6 +402,10 @@ spec:
spec: spec:
containers: containers:
- name: jobservice - name: jobservice
command:
- /entrypoint.sh
args:
- /harbor/entrypoint.sh
env: env:
- $patch: replace - $patch: replace
- name: VAULT_ENV_FILE - name: VAULT_ENV_FILE
@ -399,6 +414,15 @@ spec:
- $patch: replace - $patch: replace
- configMapRef: - configMapRef:
name: harbor-jobservice-env name: harbor-jobservice-env
volumeMounts:
- name: harbor-vault-entrypoint
mountPath: /entrypoint.sh
subPath: vault-entrypoint.sh
volumes:
- name: harbor-vault-entrypoint
configMap:
name: harbor-vault-entrypoint
defaultMode: 493
- target: - target:
kind: Deployment kind: Deployment
name: harbor-registry name: harbor-registry
@ -412,6 +436,10 @@ spec:
spec: spec:
containers: containers:
- name: registry - name: registry
command:
- /entrypoint.sh
args:
- /home/harbor/entrypoint.sh
env: env:
- $patch: replace - $patch: replace
- name: VAULT_ENV_FILE - name: VAULT_ENV_FILE
@ -421,11 +449,18 @@ spec:
envFrom: envFrom:
- $patch: replace - $patch: replace
volumeMounts: volumeMounts:
- name: harbor-vault-entrypoint
mountPath: /entrypoint.sh
subPath: vault-entrypoint.sh
- name: registry-htpasswd - name: registry-htpasswd
$patch: delete $patch: delete
- name: registry-writable - name: registry-writable
mountPath: /etc/registry mountPath: /etc/registry
- name: registryctl - name: registryctl
command:
- /entrypoint.sh
args:
- /home/harbor/start.sh
env: env:
- $patch: replace - $patch: replace
- name: VAULT_ENV_FILE - name: VAULT_ENV_FILE
@ -434,7 +469,15 @@ spec:
- $patch: replace - $patch: replace
- configMapRef: - configMapRef:
name: harbor-registryctl name: harbor-registryctl
volumeMounts:
- name: harbor-vault-entrypoint
mountPath: /entrypoint.sh
subPath: vault-entrypoint.sh
volumes: volumes:
- name: harbor-vault-entrypoint
configMap:
name: harbor-vault-entrypoint
defaultMode: 493
- name: registry-htpasswd - name: registry-htpasswd
$patch: delete $patch: delete
- name: registry-writable - name: registry-writable
@ -484,6 +527,11 @@ spec:
automountServiceAccountToken: true automountServiceAccountToken: true
containers: containers:
- name: core-job - name: core-job
command:
- /entrypoint.sh
args:
- /harbor/harbor_core
- -mode=migrate
env: env:
- $patch: replace - $patch: replace
- name: VAULT_ENV_FILE - name: VAULT_ENV_FILE
@ -492,6 +540,15 @@ spec:
- $patch: replace - $patch: replace
- configMapRef: - configMapRef:
name: harbor-core name: harbor-core
volumeMounts:
- name: harbor-vault-entrypoint
mountPath: /entrypoint.sh
subPath: vault-entrypoint.sh
volumes:
- name: harbor-vault-entrypoint
configMap:
name: harbor-vault-entrypoint
defaultMode: 493
- target: - target:
kind: Secret kind: Secret
name: harbor-core name: harbor-core
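Review bot: Every new `harbor-vault-entrypoint` mount uses `subPath: vault-entrypoint.sh`, and Kubernetes does not propagate ConfigMap updates into subPath mounts; combined with `disableNameSuffixHash: true` in the kustomization hunk (L214–L215) the generated ConfigMap keeps the same name, so editing `scripts/vault-entrypoint.sh` changes neither the file inside running pods nor the Deployment spec, and no rollout happens until something else restarts the pods. If that is not intended, mount the ConfigMap as a directory instead (`mountPath: /vault-entrypoint` with `command: ["/vault-entrypoint/vault-entrypoint.sh"]`) so updates reach the container, or keep the hash suffix so a changed script rolls the Deployments — which of the two fits the HelmRelease patch flow is something I could not verify from this page. A smaller readability point: `defaultMode: 493` is decimal for 0755; an inline `# 0755` comment, or the `0o755`/`"0755"`-style spelling the surrounding files use, would save the next reader a conversion.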


@ -5,7 +5,7 @@ metadata:
name: harbor-core name: harbor-core
namespace: harbor namespace: harbor
spec: spec:
image: registry.bstein.dev/infra/harbor-core-vault image: registry.bstein.dev/infra/harbor-core
interval: 5m0s interval: 5m0s
--- ---
apiVersion: image.toolkit.fluxcd.io/v1beta2 apiVersion: image.toolkit.fluxcd.io/v1beta2
@ -29,7 +29,7 @@ metadata:
name: harbor-jobservice name: harbor-jobservice
namespace: harbor namespace: harbor
spec: spec:
image: registry.bstein.dev/infra/harbor-jobservice-vault image: registry.bstein.dev/infra/harbor-jobservice
interval: 5m0s interval: 5m0s
--- ---
apiVersion: image.toolkit.fluxcd.io/v1beta2 apiVersion: image.toolkit.fluxcd.io/v1beta2
@ -77,7 +77,7 @@ metadata:
name: harbor-registry name: harbor-registry
namespace: harbor namespace: harbor
spec: spec:
image: registry.bstein.dev/infra/harbor-registry-vault image: registry.bstein.dev/infra/harbor-registry
interval: 5m0s interval: 5m0s
--- ---
apiVersion: image.toolkit.fluxcd.io/v1beta2 apiVersion: image.toolkit.fluxcd.io/v1beta2
@ -101,7 +101,7 @@ metadata:
name: harbor-registryctl name: harbor-registryctl
namespace: harbor namespace: harbor
spec: spec:
image: registry.bstein.dev/infra/harbor-registryctl-vault image: registry.bstein.dev/infra/harbor-registryctl
interval: 5m0s interval: 5m0s
--- ---
apiVersion: image.toolkit.fluxcd.io/v1beta2 apiVersion: image.toolkit.fluxcd.io/v1beta2


@ -2,6 +2,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: harbor namespace: harbor
generatorOptions:
disableNameSuffixHash: true
resources: resources:
- namespace.yaml - namespace.yaml
- serviceaccount.yaml - serviceaccount.yaml
@ -11,3 +13,7 @@ resources:
- helmrelease.yaml - helmrelease.yaml
- vault-sync-deployment.yaml - vault-sync-deployment.yaml
- image.yaml - image.yaml
configMapGenerator:
- name: harbor-vault-entrypoint
files:
- scripts/vault-entrypoint.sh


@ -0,0 +1,35 @@
#!/bin/sh
set -eu
if [ -n "${VAULT_ENV_FILE:-}" ]; then
if [ -f "${VAULT_ENV_FILE}" ]; then
# shellcheck disable=SC1090
. "${VAULT_ENV_FILE}"
else
echo "Vault env file not found: ${VAULT_ENV_FILE}" >&2
exit 1
fi
fi
if [ -n "${VAULT_COPY_FILES:-}" ]; then
old_ifs="$IFS"
IFS=','
set -- ${VAULT_COPY_FILES}
IFS="$old_ifs"
for pair in "$@"; do
src="${pair%%:*}"
dest="${pair#*:}"
if [ -z "${src}" ] || [ -z "${dest}" ]; then
echo "Vault copy entry malformed: ${pair}" >&2
exit 1
fi
if [ ! -f "${src}" ]; then
echo "Vault file not found: ${src}" >&2
exit 1
fi
mkdir -p "$(dirname "${dest}")"
cp "${src}" "${dest}"
done
fi
exec "$@"
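Review bot: `set -- ${VAULT_COPY_FILES}` (L245) replaces the script's positional parameters, so when `VAULT_COPY_FILES` is non-empty the final `exec "$@"` (L262) tries to exec the `src:dest` pairs instead of the container command passed in `args` (`/harbor/entrypoint.sh` and friends); only the case where the variable is unset currently reaches the real entrypoint. Moving the split-and-copy logic into a shell function keeps the caller's `"$@"` intact, since `set --` inside a function only rebinds that function's parameters in POSIX sh. While there, wrap the unquoted expansion in `set -f`/`set +f` so a `*` or `?` in a path is not glob-expanded, and note in a header comment that `. "${VAULT_ENV_FILE}"` executes the env file as shell, so whatever writes it must emit properly quoted `KEY='value'` lines — a value containing `$`, backticks or spaces would otherwise be interpreted rather than assigned.
```shell
# … unchanged: VAULT_ENV_FILE sourcing …
copy_vault_files() {
  old_ifs="$IFS"
  IFS=','
  set -f
  # `set --` here rebinds only this function's positional parameters,
  # leaving the container command in the caller's "$@" untouched.
  set -- ${VAULT_COPY_FILES}
  set +f
  IFS="$old_ifs"
  for pair in "$@"; do
    # … unchanged: src/dest validation, mkdir -p, cp …
  done
}
if [ -n "${VAULT_COPY_FILES:-}" ]; then
  copy_vault_files
fi
exec "$@"
```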