chore: centralize harbor pull credentials

2026-01-19 19:02:14 -03:00 · 2026-01-19 19:02:14 -03:00 · ff3ed195ac
commit ff3ed195ac
parent bb41c219f6
15 changed files with 49 additions and 23 deletions
--- a/infrastructure/longhorn/core/secretproviderclass.yaml
+++ b/infrastructure/longhorn/core/secretproviderclass.yaml
@ -11,7 +11,7 @@ spec:
    roleName: "longhorn"
    objects: |
      - objectName: "harbor-pull__dockerconfigjson"
-        secretPath: "kv/data/atlas/harbor-pull/longhorn"
+        secretPath: "kv/data/atlas/shared/harbor-pull"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: longhorn-registry
--- a/services/bstein-dev-home/secretproviderclass.yaml
+++ b/services/bstein-dev-home/secretproviderclass.yaml
@ -11,7 +11,7 @@ spec:
    roleName: "bstein-dev-home"
    objects: |
      - objectName: "harbor-pull__dockerconfigjson"
-        secretPath: "kv/data/atlas/harbor-pull/bstein-dev-home"
+        secretPath: "kv/data/atlas/shared/harbor-pull"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: harbor-regcred
--- a/services/comms/secretproviderclass.yaml
+++ b/services/comms/secretproviderclass.yaml
@ -11,7 +11,7 @@ spec:
    roleName: "comms"
    objects: |
      - objectName: "harbor-pull__dockerconfigjson"
-        secretPath: "kv/data/atlas/harbor-pull/comms"
+        secretPath: "kv/data/atlas/shared/harbor-pull"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: harbor-regcred
--- a/services/crypto/xmr-miner/secretproviderclass.yaml
+++ b/services/crypto/xmr-miner/secretproviderclass.yaml
@ -11,7 +11,7 @@ spec:
    roleName: "crypto"
    objects: |
      - objectName: "harbor-pull__dockerconfigjson"
-        secretPath: "kv/data/atlas/harbor-pull/crypto"
+        secretPath: "kv/data/atlas/shared/harbor-pull"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: harbor-regcred
--- a/services/harbor/secretproviderclass.yaml
+++ b/services/harbor/secretproviderclass.yaml
@ -11,7 +11,7 @@ spec:
    roleName: "harbor"
    objects: |
      - objectName: "harbor-pull__dockerconfigjson"
-        secretPath: "kv/data/atlas/harbor-pull/harbor"
+        secretPath: "kv/data/atlas/shared/harbor-pull"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: harbor-regcred
--- a/services/keycloak/secretproviderclass.yaml
+++ b/services/keycloak/secretproviderclass.yaml
@ -11,7 +11,7 @@ spec:
    roleName: "sso"
    objects: |
      - objectName: "harbor-pull__dockerconfigjson"
-        secretPath: "kv/data/atlas/harbor-pull/sso"
+        secretPath: "kv/data/atlas/shared/harbor-pull"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: harbor-regcred
--- a/services/logging/secretproviderclass.yaml
+++ b/services/logging/secretproviderclass.yaml
@ -11,7 +11,7 @@ spec:
    roleName: "logging"
    objects: |
      - objectName: "harbor-pull__dockerconfigjson"
-        secretPath: "kv/data/atlas/harbor-pull/logging"
+        secretPath: "kv/data/atlas/shared/harbor-pull"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: harbor-regcred
--- a/services/mailu/secretproviderclass.yaml
+++ b/services/mailu/secretproviderclass.yaml
@ -11,7 +11,7 @@ spec:
    roleName: "mailu-mailserver"
    objects: |
      - objectName: "harbor-pull__dockerconfigjson"
-        secretPath: "kv/data/atlas/harbor-pull/mailu-mailserver"
+        secretPath: "kv/data/atlas/shared/harbor-pull"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: harbor-regcred
--- a/services/maintenance/ariadne-deployment.yaml
+++ b/services/maintenance/ariadne-deployment.yaml
@ -49,7 +49,7 @@ spec:
        node-role.kubernetes.io/worker: "true"
      containers:
        - name: ariadne
-          image: registry.bstein.dev/bstein/ariadne:0.1.0
+          image: registry.bstein.dev/bstein/ariadne:0.1.0-0
          imagePullPolicy: Always
          command: ["/bin/sh", "-c"]
          args:
--- a/services/maintenance/image.yaml
+++ b/services/maintenance/image.yaml
@ -0,0 +1,21 @@
 # services/maintenance/image.yaml
 apiVersion: image.toolkit.fluxcd.io/v1beta2
 kind: ImageRepository
 metadata:
  name: ariadne
  namespace: maintenance
 spec:
  image: registry.bstein.dev/bstein/ariadne
  interval: 1m0s
 ---
 apiVersion: image.toolkit.fluxcd.io/v1beta2
 kind: ImagePolicy
 metadata:
  name: ariadne
  namespace: maintenance
 spec:
  imageRepositoryRef:
    name: ariadne
  policy:
    semver:
      range: ">=0.1.0-0"
--- a/services/maintenance/kustomization.yaml
+++ b/services/maintenance/kustomization.yaml
@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - image.yaml
  - secretproviderclass.yaml
  - vault-serviceaccount.yaml
  - vault-sync-deployment.yaml
@ -22,6 +23,10 @@ resources:
  - node-image-sweeper-daemonset.yaml
  - image-sweeper-cronjob.yaml
 images:
  - name: registry.bstein.dev/bstein/ariadne
    newTag: 0.1.0-0 # {"$imagepolicy": "maintenance:ariadne"}
 configMapGenerator:
  - name: disable-k3s-traefik-script
    namespace: maintenance
--- a/services/maintenance/secretproviderclass.yaml
+++ b/services/maintenance/secretproviderclass.yaml
@ -11,7 +11,7 @@ spec:
    roleName: "maintenance"
    objects: |
      - objectName: "harbor-pull__dockerconfigjson"
-        secretPath: "kv/data/atlas/harbor-pull/maintenance"
+        secretPath: "kv/data/atlas/shared/harbor-pull"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: harbor-regcred
--- a/services/monitoring/secretproviderclass.yaml
+++ b/services/monitoring/secretproviderclass.yaml
@ -11,7 +11,7 @@ spec:
    roleName: "monitoring"
    objects: |
      - objectName: "harbor-pull__dockerconfigjson"
-        secretPath: "kv/data/atlas/harbor-pull/monitoring"
+        secretPath: "kv/data/atlas/shared/harbor-pull"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: harbor-regcred
--- a/services/pegasus/secretproviderclass.yaml
+++ b/services/pegasus/secretproviderclass.yaml
@ -11,7 +11,7 @@ spec:
    roleName: "pegasus"
    objects: |
      - objectName: "harbor-pull__dockerconfigjson"
-        secretPath: "kv/data/atlas/harbor-pull/jellyfin"
+        secretPath: "kv/data/atlas/shared/harbor-pull"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: harbor-regcred
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@ -203,42 +203,42 @@ write_policy_and_role "outline" "outline" "outline-vault" \
 write_policy_and_role "planka" "planka" "planka-vault" \
  "planka/* shared/postmark-relay" ""
 write_policy_and_role "bstein-dev-home" "bstein-dev-home" "bstein-dev-home,bstein-dev-home-vault-sync" \
-  "portal/* shared/chat-ai-keys-runtime shared/portal-e2e-client shared/postmark-relay mailu/mailu-initial-account-secret harbor-pull/bstein-dev-home" ""
+  "portal/* shared/chat-ai-keys-runtime shared/portal-e2e-client shared/postmark-relay mailu/mailu-initial-account-secret shared/harbor-pull" ""
 write_policy_and_role "gitea" "gitea" "gitea-vault" \
  "gitea/*" ""
 write_policy_and_role "vaultwarden" "vaultwarden" "vaultwarden-vault" \
  "vaultwarden/* mailu/mailu-initial-account-secret" ""
 write_policy_and_role "sso" "sso" "sso-vault,sso-vault-sync,mas-secrets-ensure" \
-  "sso/* portal/bstein-dev-home-keycloak-admin shared/keycloak-admin shared/portal-e2e-client shared/postmark-relay harbor-pull/sso" ""
+  "sso/* portal/bstein-dev-home-keycloak-admin shared/keycloak-admin shared/portal-e2e-client shared/postmark-relay shared/harbor-pull" ""
 write_policy_and_role "mailu-mailserver" "mailu-mailserver" "mailu-vault-sync" \
-  "mailu/* shared/postmark-relay harbor-pull/mailu-mailserver" ""
+  "mailu/* shared/postmark-relay shared/harbor-pull" ""
 write_policy_and_role "harbor" "harbor" "harbor-vault-sync" \
-  "harbor/* harbor-pull/harbor" ""
+  "harbor/* shared/harbor-pull" ""
 write_policy_and_role "nextcloud" "nextcloud" "nextcloud-vault" \
  "nextcloud/* shared/keycloak-admin shared/postmark-relay" ""
 write_policy_and_role "comms" "comms" "comms-vault,atlasbot" \
-  "comms/* shared/chat-ai-keys-runtime harbor-pull/comms" ""
+  "comms/* shared/chat-ai-keys-runtime shared/harbor-pull" ""
 write_policy_and_role "jenkins" "jenkins" "jenkins" \
  "jenkins/*" ""
 write_policy_and_role "monitoring" "monitoring" "monitoring-vault-sync" \
-  "monitoring/* shared/postmark-relay harbor-pull/monitoring" ""
+  "monitoring/* shared/postmark-relay shared/harbor-pull" ""
 write_policy_and_role "logging" "logging" "logging-vault-sync" \
-  "logging/* harbor-pull/logging" ""
+  "logging/* shared/harbor-pull" ""
 write_policy_and_role "pegasus" "jellyfin" "pegasus-vault-sync" \
-  "pegasus/* harbor-pull/jellyfin" ""
+  "pegasus/* shared/harbor-pull" ""
 write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
-  "crypto/* harbor-pull/crypto" ""
+  "crypto/* shared/harbor-pull" ""
 write_policy_and_role "health" "health" "health-vault-sync" \
  "health/*" ""
 write_policy_and_role "maintenance" "maintenance" "ariadne" \
-  "portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret harbor-pull/maintenance" ""
+  "portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret shared/harbor-pull" ""
 write_policy_and_role "finance" "finance" "finance-vault" \
  "finance/* shared/postmark-relay" ""
 write_policy_and_role "finance-secrets" "finance" "finance-secrets-ensure" \
  "" \
  "finance/*"
 write_policy_and_role "longhorn" "longhorn-system" "longhorn-vault,longhorn-vault-sync" \
-  "longhorn/* harbor-pull/longhorn" ""
+  "longhorn/* shared/harbor-pull" ""
 write_policy_and_role "postgres" "postgres" "postgres-vault" \
  "postgres/postgres-db" ""
 write_policy_and_role "vault" "vault" "vault" \