maintenance(titan-24): install Docker for Wolf

services/maintenance/kustomization.yaml

@@ -21,6 +21,7 @@ resources:
   - metis-rbac.yaml
   - metis-token-sync-serviceaccount.yaml
   - node-nofile-serviceaccount.yaml
+  - titan-24-docker-serviceaccount.yaml
   - pod-cleaner-rbac.yaml
   - ariadne-deployment.yaml
   - metis-deployment.yaml
@@ -36,6 +37,7 @@ resources:
   - metis-sentinel-amd64-daemonset.yaml
   - metis-sentinel-arm64-daemonset.yaml
   - k3s-agent-restart-daemonset.yaml
+  - titan-24-docker-daemonset.yaml
   - node-image-sweeper-serviceaccount.yaml
   - node-image-sweeper-daemonset.yaml
   - metis-service.yaml
@@ -85,6 +87,12 @@ configMapGenerator:
       - node_image_sweeper.sh=scripts/node_image_sweeper.sh
     options:
       disableNameSuffixHash: true
+  - name: titan-24-docker-script
+    namespace: maintenance
+    files:
+      - titan_24_docker.sh=scripts/titan_24_docker.sh
+    options:
+      disableNameSuffixHash: true
   - name: rpi-resource-reservation-script
     namespace: maintenance
     files:

services/maintenance/scripts/titan_24_docker.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+marker="/host/var/lib/atlas-maintenance/titan-24-docker.ready"
+host_sh() {
+  chroot /host /bin/sh -c "$*"
+}
+
+install_docker() {
+  host_sh "apt-get update"
+  host_sh "DEBIAN_FRONTEND=noninteractive apt-get install -y ca-certificates curl gnupg"
+  host_sh "install -m 0755 -d /etc/apt/keyrings"
+  host_sh "curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc"
+  host_sh "chmod a+r /etc/apt/keyrings/docker.asc"
+  host_sh '. /etc/os-release; codename="${VERSION_CODENAME:-trixie}"; echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian ${codename} stable" > /etc/apt/sources.list.d/docker.list'
+  host_sh "apt-get update"
+  host_sh "DEBIAN_FRONTEND=noninteractive apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin"
+}
+
+configure_docker() {
+  mkdir -p /host/etc/docker
+  if [ ! -f /host/etc/docker/daemon.json ]; then
+    cat >/host/etc/docker/daemon.json <<'JSON'
+{
+  "log-driver": "local",
+  "log-opts": {
+    "max-size": "50m",
+    "max-file": "3"
+  }
+}
+JSON
+  fi
+  host_sh "systemctl daemon-reload"
+  host_sh "systemctl enable --now docker"
+}
+
+if [ ! -x /host/usr/bin/docker ] || ! host_sh "docker version >/dev/null 2>&1"; then
+  install_docker
+fi
+
+configure_docker
+
+mkdir -p "$(dirname "${marker}")"
+date -Is >"${marker}"
+
+while true; do
+  if [ ! -S /host/var/run/docker.sock ]; then
+    configure_docker
+  fi
+  sleep 300
+done

services/maintenance/titan-24-docker-daemonset.yaml

@@ -0,0 +1,57 @@
+# services/maintenance/titan-24-docker-daemonset.yaml
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: titan-24-docker
+  namespace: maintenance
+  labels:
+    app: titan-24-docker
+spec:
+  selector:
+    matchLabels:
+      app: titan-24-docker
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: titan-24-docker
+    spec:
+      serviceAccountName: titan-24-docker
+      nodeSelector:
+        kubernetes.io/hostname: titan-24
+      tolerations:
+        - operator: Exists
+        - key: node-role.kubernetes.io/accelerator
+          operator: Exists
+          effect: NoSchedule
+      containers:
+        - name: installer
+          image: debian:13-slim
+          imagePullPolicy: IfNotPresent
+          command: ["/usr/bin/env", "bash"]
+          args: ["/scripts/titan_24_docker.sh"]
+          securityContext:
+            privileged: true
+            runAsUser: 0
+          resources:
+            requests:
+              cpu: 25m
+              memory: 64Mi
+            limits:
+              cpu: 500m
+              memory: 512Mi
+          volumeMounts:
+            - name: host-root
+              mountPath: /host
+            - name: script
+              mountPath: /scripts
+              readOnly: true
+      volumes:
+        - name: host-root
+          hostPath:
+            path: /
+        - name: script
+          configMap:
+            name: titan-24-docker-script
+            defaultMode: 0555

services/maintenance/titan-24-docker-serviceaccount.yaml

@@ -0,0 +1,6 @@
+# services/maintenance/titan-24-docker-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: titan-24-docker
+  namespace: maintenance