From ff3ed195ac8cb1333a4c8d660085139bd7503010 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Mon, 19 Jan 2026 19:02:14 -0300
Subject: [PATCH] chore: centralize harbor pull credentials

---
 .../longhorn/core/secretproviderclass.yaml | 2 +-
 .../bstein-dev-home/secretproviderclass.yaml | 2 +-
 services/comms/secretproviderclass.yaml | 2 +-
 .../crypto/xmr-miner/secretproviderclass.yaml | 2 +-
 services/harbor/secretproviderclass.yaml | 2 +-
 services/keycloak/secretproviderclass.yaml | 2 +-
 services/logging/secretproviderclass.yaml | 2 +-
 services/mailu/secretproviderclass.yaml | 2 +-
 services/maintenance/ariadne-deployment.yaml | 2 +-
 services/maintenance/image.yaml | 21 ++++++++++++++++++
 services/maintenance/kustomization.yaml | 5 +++++
 services/maintenance/secretproviderclass.yaml | 2 +-
 services/monitoring/secretproviderclass.yaml | 2 +-
 services/pegasus/secretproviderclass.yaml | 2 +-
 .../vault/scripts/vault_k8s_auth_configure.sh | 22 +++++++++----------
 15 files changed, 49 insertions(+), 23 deletions(-)
 create mode 100644 services/maintenance/image.yaml

diff --git a/infrastructure/longhorn/core/secretproviderclass.yaml b/infrastructure/longhorn/core/secretproviderclass.yaml
index 031d1d8..e292b86 100644
--- a/infrastructure/longhorn/core/secretproviderclass.yaml
+++ b/infrastructure/longhorn/core/secretproviderclass.yaml
@@ -11,7 +11,7 @@ spec:
 roleName: "longhorn"
 objects: |
 - objectName: "harbor-pull__dockerconfigjson"
- secretPath: "kv/data/atlas/harbor-pull/longhorn"
+ secretPath: "kv/data/atlas/shared/harbor-pull"
 secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: longhorn-registry
diff --git a/services/bstein-dev-home/secretproviderclass.yaml b/services/bstein-dev-home/secretproviderclass.yaml
index f330fe6..2fa714a 100644
--- a/services/bstein-dev-home/secretproviderclass.yaml
+++ b/services/bstein-dev-home/secretproviderclass.yaml
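Review bot: Pointing this SecretProviderClass at the single `kv/data/atlas/shared/harbor-pull` object replaces a per-service pull credential with one cluster-wide credential, and the same `secretPath` line changes in the bstein-dev-home, comms, xmr-miner, harbor, keycloak, logging, mailu, maintenance, monitoring and pegasus hunks, while the vault_k8s_auth_configure.sh hunk grants `shared/harbor-pull` to every corresponding Vault role. If that object holds a Harbor robot account, its permissions presumably have to cover the union of what all of these namespaces pull, a disclosure from any one namespace exposes pull access for all of them, and rotation becomes an all-at-once event rather than a per-service one. None of that is wrong, but the new path gives no hint of it; a comment above the `secretPath` line such as `# shared, cluster-wide pull credential (pull-only robot account); rotating it affects every namespace that mounts it` would record the trade-off, and it is worth confirming the account really is pull-only before the per-service entries are retired.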
@@ -11,7 +11,7 @@ spec:
 roleName: "bstein-dev-home"
 objects: |
 - objectName: "harbor-pull__dockerconfigjson"
- secretPath: "kv/data/atlas/harbor-pull/bstein-dev-home"
+ secretPath: "kv/data/atlas/shared/harbor-pull"
 secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: harbor-regcred
diff --git a/services/comms/secretproviderclass.yaml b/services/comms/secretproviderclass.yaml
index 69d4b2b..0a89552 100644
--- a/services/comms/secretproviderclass.yaml
+++ b/services/comms/secretproviderclass.yaml
@@ -11,7 +11,7 @@ spec:
 roleName: "comms"
 objects: |
 - objectName: "harbor-pull__dockerconfigjson"
- secretPath: "kv/data/atlas/harbor-pull/comms"
+ secretPath: "kv/data/atlas/shared/harbor-pull"
 secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: harbor-regcred
diff --git a/services/crypto/xmr-miner/secretproviderclass.yaml b/services/crypto/xmr-miner/secretproviderclass.yaml
index a72097f..12e4ba1 100644
--- a/services/crypto/xmr-miner/secretproviderclass.yaml
+++ b/services/crypto/xmr-miner/secretproviderclass.yaml
@@ -11,7 +11,7 @@ spec:
 roleName: "crypto"
 objects: |
 - objectName: "harbor-pull__dockerconfigjson"
- secretPath: "kv/data/atlas/harbor-pull/crypto"
+ secretPath: "kv/data/atlas/shared/harbor-pull"
 secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: harbor-regcred
diff --git a/services/harbor/secretproviderclass.yaml b/services/harbor/secretproviderclass.yaml
index 03fef95..636f6fa 100644
--- a/services/harbor/secretproviderclass.yaml
+++ b/services/harbor/secretproviderclass.yaml
@@ -11,7 +11,7 @@ spec:
 roleName: "harbor"
 objects: |
 - objectName: "harbor-pull__dockerconfigjson"
- secretPath: "kv/data/atlas/harbor-pull/harbor"
+ secretPath: "kv/data/atlas/shared/harbor-pull"
 secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: harbor-regcred
diff --git a/services/keycloak/secretproviderclass.yaml b/services/keycloak/secretproviderclass.yaml
index 86cebd2..d4c094f 100644
--- a/services/keycloak/secretproviderclass.yaml
+++ b/services/keycloak/secretproviderclass.yaml
@@ -11,7 +11,7 @@ spec:
 roleName: "sso"
 objects: |
 - objectName: "harbor-pull__dockerconfigjson"
- secretPath: "kv/data/atlas/harbor-pull/sso"
+ secretPath: "kv/data/atlas/shared/harbor-pull"
 secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: harbor-regcred
diff --git a/services/logging/secretproviderclass.yaml b/services/logging/secretproviderclass.yaml
index f5db15e..6ff642d 100644
--- a/services/logging/secretproviderclass.yaml
+++ b/services/logging/secretproviderclass.yaml
@@ -11,7 +11,7 @@ spec:
 roleName: "logging"
 objects: |
 - objectName: "harbor-pull__dockerconfigjson"
- secretPath: "kv/data/atlas/harbor-pull/logging"
+ secretPath: "kv/data/atlas/shared/harbor-pull"
 secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: harbor-regcred
diff --git a/services/mailu/secretproviderclass.yaml b/services/mailu/secretproviderclass.yaml
index f58c69b..f9e281e 100644
--- a/services/mailu/secretproviderclass.yaml
+++ b/services/mailu/secretproviderclass.yaml
@@ -11,7 +11,7 @@ spec:
 roleName: "mailu-mailserver"
 objects: |
 - objectName: "harbor-pull__dockerconfigjson"
- secretPath: "kv/data/atlas/harbor-pull/mailu-mailserver"
+ secretPath: "kv/data/atlas/shared/harbor-pull"
 secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: harbor-regcred
diff --git a/services/maintenance/ariadne-deployment.yaml b/services/maintenance/ariadne-deployment.yaml
index fd2fb79..ee4884d 100644
--- a/services/maintenance/ariadne-deployment.yaml
+++ b/services/maintenance/ariadne-deployment.yaml
@@ -49,7 +49,7 @@ spec:
 node-role.kubernetes.io/worker: "true"
 containers:
 - name: ariadne
- image: registry.bstein.dev/bstein/ariadne:0.1.0
+ image: registry.bstein.dev/bstein/ariadne:0.1.0-0
 imagePullPolicy: Always
 command: ["/bin/sh", "-c"]
 args:
diff --git a/services/maintenance/image.yaml b/services/maintenance/image.yaml
new file mode 100644
index 0000000..95acbd0
--- /dev/null
+++ b/services/maintenance/image.yaml
@@ -0,0 +1,21 @@
+# services/maintenance/image.yaml
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImageRepository
+metadata:
+ name: ariadne
+ namespace: maintenance
+spec:
+ image: registry.bstein.dev/bstein/ariadne
+ interval: 1m0s
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImagePolicy
+metadata:
+ name: ariadne
+ namespace: maintenance
+spec:
+ imageRepositoryRef:
+ name: ariadne
+ policy:
+ semver:
+ range: ">=0.1.0-0"
diff --git a/services/maintenance/kustomization.yaml b/services/maintenance/kustomization.yaml
index f0f3de5..5e199a9 100644
--- a/services/maintenance/kustomization.yaml
+++ b/services/maintenance/kustomization.yaml
@@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - namespace.yaml
+ - image.yaml
 - secretproviderclass.yaml
 - vault-serviceaccount.yaml
 - vault-sync-deployment.yaml
@@ -22,6 +23,10 @@ resources:
 - node-image-sweeper-daemonset.yaml
 - image-sweeper-cronjob.yaml
+images:
+ - name: registry.bstein.dev/bstein/ariadne
+ newTag: 0.1.0-0 # {"$imagepolicy": "maintenance:ariadne"}
+
 configMapGenerator:
 - name: disable-k3s-traefik-script
 namespace: maintenance
diff --git a/services/maintenance/secretproviderclass.yaml b/services/maintenance/secretproviderclass.yaml
index dd95948..85df2af 100644
--- a/services/maintenance/secretproviderclass.yaml
+++ b/services/maintenance/secretproviderclass.yaml
@@ -11,7 +11,7 @@ spec:
 roleName: "maintenance"
 objects: |
 - objectName: "harbor-pull__dockerconfigjson"
- secretPath: "kv/data/atlas/harbor-pull/maintenance"
+ secretPath: "kv/data/atlas/shared/harbor-pull"
 secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: harbor-regcred
diff --git a/services/monitoring/secretproviderclass.yaml b/services/monitoring/secretproviderclass.yaml
index 8a6c5fb..350d6aa 100644
--- a/services/monitoring/secretproviderclass.yaml
+++ b/services/monitoring/secretproviderclass.yaml
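Review bot: The ImagePolicy range `">=0.1.0-0"` admits prerelease tags, so combined with the `# {"$imagepolicy": "maintenance:ariadne"}` marker added to `newTag` in the kustomization.yaml hunk, any tag pushed to `registry.bstein.dev/bstein/ariadne` that satisfies the range is promoted into the maintenance namespace without a human step, and the ariadne deployment already uses `imagePullPolicy: Always`. The maintenance role's Vault policy in the vault_k8s_auth_configure.sh hunk covers `portal/atlas-portal-db`, `portal/bstein-dev-home-keycloak-admin` and `mailu/mailu-db-secret`, so the set of people and pipelines allowed to push matching tags is effectively the set allowed to deploy against those secrets. If auto-rolling prereleases is intended, say so next to the range, e.g. `# -0 suffix deliberately includes prerelease tags (0.1.0-0, ...); promoted via the $imagepolicy marker in kustomization.yaml`; if only stable releases should roll, `range: ">=0.1.0"` does that. This Flux wiring and the tag bump are also unrelated to the commit subject ("centralize harbor pull credentials") and would be easier to audit as their own commit.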
@@ -11,7 +11,7 @@ spec:
 roleName: "monitoring"
 objects: |
 - objectName: "harbor-pull__dockerconfigjson"
- secretPath: "kv/data/atlas/harbor-pull/monitoring"
+ secretPath: "kv/data/atlas/shared/harbor-pull"
 secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: harbor-regcred
diff --git a/services/pegasus/secretproviderclass.yaml b/services/pegasus/secretproviderclass.yaml
index b4621a5..b8d1df9 100644
--- a/services/pegasus/secretproviderclass.yaml
+++ b/services/pegasus/secretproviderclass.yaml
@@ -11,7 +11,7 @@ spec:
 roleName: "pegasus"
 objects: |
 - objectName: "harbor-pull__dockerconfigjson"
- secretPath: "kv/data/atlas/harbor-pull/jellyfin"
+ secretPath: "kv/data/atlas/shared/harbor-pull"
 secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: harbor-regcred
diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index ca94ac6..c7eaf85 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@@ -203,42 +203,42 @@ write_policy_and_role "outline" "outline" "outline-vault" \
 write_policy_and_role "planka" "planka" "planka-vault" \
 "planka/* shared/postmark-relay" ""
 write_policy_and_role "bstein-dev-home" "bstein-dev-home" "bstein-dev-home,bstein-dev-home-vault-sync" \
- "portal/* shared/chat-ai-keys-runtime shared/portal-e2e-client shared/postmark-relay mailu/mailu-initial-account-secret harbor-pull/bstein-dev-home" ""
+ "portal/* shared/chat-ai-keys-runtime shared/portal-e2e-client shared/postmark-relay mailu/mailu-initial-account-secret shared/harbor-pull" ""
 write_policy_and_role "gitea" "gitea" "gitea-vault" \
 "gitea/*" ""
 write_policy_and_role "vaultwarden" "vaultwarden" "vaultwarden-vault" \
 "vaultwarden/* mailu/mailu-initial-account-secret" ""
 write_policy_and_role "sso" "sso" "sso-vault,sso-vault-sync,mas-secrets-ensure" \
- "sso/* portal/bstein-dev-home-keycloak-admin shared/keycloak-admin shared/portal-e2e-client shared/postmark-relay harbor-pull/sso" ""
+ "sso/* portal/bstein-dev-home-keycloak-admin shared/keycloak-admin shared/portal-e2e-client shared/postmark-relay shared/harbor-pull" ""
 write_policy_and_role "mailu-mailserver" "mailu-mailserver" "mailu-vault-sync" \
- "mailu/* shared/postmark-relay harbor-pull/mailu-mailserver" ""
+ "mailu/* shared/postmark-relay shared/harbor-pull" ""
 write_policy_and_role "harbor" "harbor" "harbor-vault-sync" \
- "harbor/* harbor-pull/harbor" ""
+ "harbor/* shared/harbor-pull" ""
 write_policy_and_role "nextcloud" "nextcloud" "nextcloud-vault" \
 "nextcloud/* shared/keycloak-admin shared/postmark-relay" ""
 write_policy_and_role "comms" "comms" "comms-vault,atlasbot" \
- "comms/* shared/chat-ai-keys-runtime harbor-pull/comms" ""
+ "comms/* shared/chat-ai-keys-runtime shared/harbor-pull" ""
 write_policy_and_role "jenkins" "jenkins" "jenkins" \
 "jenkins/*" ""
 write_policy_and_role "monitoring" "monitoring" "monitoring-vault-sync" \
- "monitoring/* shared/postmark-relay harbor-pull/monitoring" ""
+ "monitoring/* shared/postmark-relay shared/harbor-pull" ""
 write_policy_and_role "logging" "logging" "logging-vault-sync" \
- "logging/* harbor-pull/logging" ""
+ "logging/* shared/harbor-pull" ""
 write_policy_and_role "pegasus" "jellyfin" "pegasus-vault-sync" \
- "pegasus/* harbor-pull/jellyfin" ""
+ "pegasus/* shared/harbor-pull" ""
 write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
- "crypto/* harbor-pull/crypto" ""
+ "crypto/* shared/harbor-pull" ""
 write_policy_and_role "health" "health" "health-vault-sync" \
 "health/*" ""
 write_policy_and_role "maintenance" "maintenance" "ariadne" \
- "portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret harbor-pull/maintenance" ""
+ "portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret shared/harbor-pull" ""
 write_policy_and_role "finance" "finance" "finance-vault" \
 "finance/* shared/postmark-relay" ""
 write_policy_and_role "finance-secrets" "finance" "finance-secrets-ensure" \
 "" \
 "finance/*"
 write_policy_and_role "longhorn" "longhorn-system" "longhorn-vault,longhorn-vault-sync" \
- "longhorn/* harbor-pull/longhorn" ""
+ "longhorn/* shared/harbor-pull" ""
 write_policy_and_role "postgres" "postgres" "postgres-vault" \
 "postgres/postgres-db" ""
 write_policy_and_role "vault" "vault" "vault" \
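Review bot: Every `harbor-pull/<service>` path is removed from the policies in this hunk, but nothing in the patch removes the corresponding KV entries themselves, so if `harbor-pull/bstein-dev-home`, `harbor-pull/sso`, `harbor-pull/jellyfin` and the rest were ever written they now sit in Vault as unreferenced copies of registry credentials that no role can read but that still count as live secrets until deleted or revoked in Harbor. Since this script is the place where the policy set is defined, it is the natural place to record that the old entries are retired, for example a comment above the first changed call: `# Pull credentials are centralized in shared/harbor-pull; the former per-service harbor-pull/<svc> entries are unused and should be deleted from KV (and the robot accounts disabled in Harbor).` The `write_policy_and_role` helper these calls invoke is defined outside the hunk, so whether it also prunes stale paths cannot be seen here.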