The `xactfetch` script now uses a helper tool, `secretsocket`, to handle looking up secrets. This tool supports various secret source types, including files, environment variables, and external commands. Separating this functionality out of the main script makes it a lot more flexible and pluggable. Its main purpose, though, was actually to allow `xactfetch` to run in a container while communicating with `rbw` outside that container, specifically for development purposes. The `secretsocket` tool reads its configuration from a TOML document. This document defines the secrets the tool handles, and how to look them up. Note that the `xactfetch` container image no longer defines the `XDG_CONFIG_HOME` environment variable, as it uses Chromium instead of Firefox now, and Chromium does not work with a read-only config directory. As such, we have to mount the `rbw` configuration in the default location.
# CronJob running xactfetch for the "commerce" target (the argument passed to
# the main container).  The second document in this file is the same job for
# "chase"; keep the two in step when editing.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: xactfetch-commerce
  labels:
    app.kubernetes.io/name: xactfetch-commerce
    app.kubernetes.io/component: xactfetch
    app.kubernetes.io/part-of: xactfetch
spec:
  # Daily at 09:04 America/Chicago; the `wait` init container adds random
  # start jitter on top of this.
  schedule: '4 9 * * *'
  timeZone: America/Chicago
  # Forbid only prevents overlapping runs of *this* CronJob.  The
  # xactfetch-chase CronJob in this file has the same schedule and mounts the
  # same claim (`xactfetch`), so the two can still run at the same time unless
  # the jitter happens to separate them.  NOTE(review): confirm the PVC access
  # mode and that rbw tolerates concurrent use of the shared data directory.
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            app.kubernetes.io/name: xactfetch-commerce
            app.kubernetes.io/component: xactfetch
            app.kubernetes.io/part-of: xactfetch
        spec:
          restartPolicy: Never
          imagePullSecrets:
            - name: imagepull-gitea
          initContainers:
            # Sleep 0-3599 s unless the pod name contains "-manual-",
            # presumably so that manually created jobs start right away.
            - name: wait
              image: registry.fedoraproject.org/fedora-minimal
              command:
                - sh
                - -c
                - 'case ${HOSTNAME} in *-manual-*);; *)sleep $((RANDOM % 3600));; esac'
              securityContext:
                readOnlyRootFilesystem: true
                runAsGroup: 999
                runAsUser: 999
            # Run `rbw sync` before the main container.  It shares the
            # writable data volume and the read-only rbw config with it, but
            # does not get the secretsocket config (secrets.toml).
            - name: sync
              image: git.pyrocufflink.net/packages/xactfetch
              command:
                - rbw
                - sync
              envFrom:
                - configMapRef:
                    name: xactfetch
              securityContext:
                # Only the mounted volumes below are writable.
                readOnlyRootFilesystem: true
              volumeMounts:
                - name: xactfetch-secrets
                  mountPath: /run/secrets/xactfetch
                  readOnly: true
                - name: tmp
                  mountPath: /tmp
                  subPath: tmp
                - name: xactfetch-data
                  mountPath: /var/lib/xactfetch
                  subPath: data
                - name: xactfetch-rbw
                  mountPath: /var/lib/xactfetch/.config/rbw
                  readOnly: true
          containers:
            - name: xactfetch
              image: git.pyrocufflink.net/packages/xactfetch
              args:
                - commerce
              envFrom:
                - configMapRef:
                    name: xactfetch
              securityContext:
                # Only the mounted volumes below are writable.
                readOnlyRootFilesystem: true
              volumeMounts:
                # Secret material is exposed as files, not environment
                # variables; secretsocket is expected to read it from here.
                - name: xactfetch-secrets
                  mountPath: /run/secrets/xactfetch
                  readOnly: true
                - name: tmp
                  mountPath: /tmp
                  subPath: tmp
                - name: xactfetch-data
                  mountPath: /var/lib/xactfetch
                  subPath: data
                # rbw config in its default location, since the image no
                # longer sets XDG_CONFIG_HOME.
                - name: xactfetch-rbw
                  mountPath: /var/lib/xactfetch/.config/rbw
                  readOnly: true
                # secretsocket lookup configuration (a single file from the
                # ConfigMap, projected via subPath).
                - name: xactfetch-secrets-config
                  mountPath: /var/lib/xactfetch/secrets.toml
                  subPath: secrets.toml
                  readOnly: true
          nodeSelector:
            kubernetes.io/arch: amd64
          # Pod-wide: volumes that support it become group-accessible to GID
          # 2468, and every container must run as a non-root UID.  The sync
          # and xactfetch containers set no runAsUser, so their UID comes from
          # the image.  NOTE(review): allowPrivilegeEscalation, capabilities
          # and seccompProfile are left unset; confirm the Chromium sandbox in
          # the image tolerates tightening them before adding any.
          securityContext:
            fsGroup: 2468
            runAsNonRoot: true
          volumes:
            # Scratch space in RAM, mounted at /tmp via subPath.
            - name: tmp
              emptyDir:
                medium: Memory
            # Persistent working state under /var/lib/xactfetch
            # (subPath "data" of the claim), shared with xactfetch-chase.
            - name: xactfetch-data
              persistentVolumeClaim:
                claimName: xactfetch
            # rbw configuration (non-secret), mounted read-only above.
            - name: xactfetch-rbw
              configMap:
                name: xactfetch-rbw
            # secretsocket TOML config: which secrets exist and how to look
            # them up.  It lives in a ConfigMap, so it must describe lookups
            # only; the secret values themselves belong in the Secret below.
            - name: xactfetch-secrets-config
              configMap:
                name: xactfetch-secrets
            # Secret `xactfetch`, exposed under /run/secrets/xactfetch.  Note
            # the naming: this volume is backed by the Secret, while the
            # ConfigMap called xactfetch-secrets backs the volume above.
            - name: xactfetch-secrets
              secret:
                secretName: xactfetch

---
# CronJob running xactfetch for the "chase" target (the argument passed to
# the main container).  The first document in this file is the same job for
# "commerce"; keep the two in step when editing.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: xactfetch-chase
  labels:
    app.kubernetes.io/name: xactfetch-chase
    app.kubernetes.io/component: xactfetch
    app.kubernetes.io/part-of: xactfetch
spec:
  # Daily at 09:04 America/Chicago; the `wait` init container adds random
  # start jitter on top of this.
  schedule: '4 9 * * *'
  timeZone: America/Chicago
  # Forbid only prevents overlapping runs of *this* CronJob.  The
  # xactfetch-commerce CronJob in this file has the same schedule and mounts
  # the same claim (`xactfetch`), so the two can still run at the same time
  # unless the jitter happens to separate them.  NOTE(review): confirm the PVC
  # access mode and that rbw tolerates concurrent use of the shared data
  # directory.
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            app.kubernetes.io/name: xactfetch-chase
            app.kubernetes.io/component: xactfetch
            app.kubernetes.io/part-of: xactfetch
        spec:
          restartPolicy: Never
          imagePullSecrets:
            - name: imagepull-gitea
          initContainers:
            # Sleep 0-3599 s unless the pod name contains "-manual-",
            # presumably so that manually created jobs start right away.
            - name: wait
              image: registry.fedoraproject.org/fedora-minimal
              command:
                - sh
                - -c
                - 'case ${HOSTNAME} in *-manual-*);; *)sleep $((RANDOM % 3600));; esac'
              securityContext:
                readOnlyRootFilesystem: true
                runAsGroup: 999
                runAsUser: 999
            # Run `rbw sync` before the main container.  It shares the
            # writable data volume and the read-only rbw config with it, but
            # does not get the secretsocket config (secrets.toml).
            - name: sync
              image: git.pyrocufflink.net/packages/xactfetch
              command:
                - rbw
                - sync
              envFrom:
                - configMapRef:
                    name: xactfetch
              securityContext:
                # Only the mounted volumes below are writable.
                readOnlyRootFilesystem: true
              volumeMounts:
                - name: xactfetch-secrets
                  mountPath: /run/secrets/xactfetch
                  readOnly: true
                - name: tmp
                  mountPath: /tmp
                  subPath: tmp
                - name: xactfetch-data
                  mountPath: /var/lib/xactfetch
                  subPath: data
                - name: xactfetch-rbw
                  mountPath: /var/lib/xactfetch/.config/rbw
                  readOnly: true
          containers:
            - name: xactfetch
              image: git.pyrocufflink.net/packages/xactfetch
              args:
                - chase
              envFrom:
                - configMapRef:
                    name: xactfetch
              securityContext:
                # Only the mounted volumes below are writable.
                readOnlyRootFilesystem: true
              volumeMounts:
                # Secret material is exposed as files, not environment
                # variables; secretsocket is expected to read it from here.
                - name: xactfetch-secrets
                  mountPath: /run/secrets/xactfetch
                  readOnly: true
                - name: tmp
                  mountPath: /tmp
                  subPath: tmp
                - name: xactfetch-data
                  mountPath: /var/lib/xactfetch
                  subPath: data
                # rbw config in its default location, since the image no
                # longer sets XDG_CONFIG_HOME.
                - name: xactfetch-rbw
                  mountPath: /var/lib/xactfetch/.config/rbw
                  readOnly: true
                # secretsocket lookup configuration (a single file from the
                # ConfigMap, projected via subPath).
                - name: xactfetch-secrets-config
                  mountPath: /var/lib/xactfetch/secrets.toml
                  subPath: secrets.toml
                  readOnly: true
          nodeSelector:
            kubernetes.io/arch: amd64
          # Pod-wide: volumes that support it become group-accessible to GID
          # 2468, and every container must run as a non-root UID.  The sync
          # and xactfetch containers set no runAsUser, so their UID comes from
          # the image.  NOTE(review): allowPrivilegeEscalation, capabilities
          # and seccompProfile are left unset; confirm the Chromium sandbox in
          # the image tolerates tightening them before adding any.
          securityContext:
            fsGroup: 2468
            runAsNonRoot: true
          volumes:
            # Scratch space in RAM, mounted at /tmp via subPath.
            - name: tmp
              emptyDir:
                medium: Memory
            # Persistent working state under /var/lib/xactfetch
            # (subPath "data" of the claim), shared with xactfetch-commerce.
            - name: xactfetch-data
              persistentVolumeClaim:
                claimName: xactfetch
            # rbw configuration (non-secret), mounted read-only above.
            - name: xactfetch-rbw
              configMap:
                name: xactfetch-rbw
            # secretsocket TOML config: which secrets exist and how to look
            # them up.  It lives in a ConfigMap, so it must describe lookups
            # only; the secret values themselves belong in the Secret below.
            - name: xactfetch-secrets-config
              configMap:
                name: xactfetch-secrets
            # Secret `xactfetch`, exposed under /run/secrets/xactfetch.  Note
            # the naming: this volume is backed by the Secret, while the
            # ConfigMap called xactfetch-secrets backs the volume above.
            - name: xactfetch-secrets
              secret:
                secretName: xactfetch