use hermes stock image for platform engineer

2026-06-27 20:40:42 +02:00
parent 3f3467cb13
commit 54579df4b3
2 changed files with 35 additions and 48 deletions
--- a/platform-engineer/deployment.yaml
+++ b/platform-engineer/deployment.yaml
@@ -18,8 +18,7 @@ spec:
        app: hermes
    spec:
      serviceAccountName: platform-engineer
-      imagePullSecrets:
-      - name: gitea-registry
+      # No imagePullSecrets — using the public stock Hermes image from Docker Hub.

      # Pin to the powerful amd64 node (image is linux/amd64; the NUC has 24 GiB).
      nodeSelector:
@@ -43,6 +42,28 @@ spec:
              topologyKey: kubernetes.io/hostname

      initContainers:
+      # Download kubectl + helm into a shared emptyDir so the stock Hermes image
+      # (which doesn't ship kubectl) can still drive the cluster. Avoids building
+      # and pushing a custom image through a slow / size-capped registry.
+      - name: install-tools
+        image: curlimages/curl:8.12.1
+        command: ["sh", "-c"]
+        args:
+        - |
+          set -e
+          echo "Downloading kubectl v1.35.0..."
+          curl -fsSL -o /tools/kubectl \
+            https://dl.k8s.io/release/v1.35.0/bin/linux/amd64/kubectl
+          chmod +x /tools/kubectl
+          echo "Downloading helm v3.16.3..."
+          curl -fsSL https://get.helm.sh/helm-v3.16.3-linux-amd64.tar.gz \
+            | tar -xz -C /tools --strip-components=1 linux-amd64/helm
+          chmod +x /tools/helm
+          echo "Tools installed:"; ls -la /tools
+        volumeMounts:
+        - name: tools
+          mountPath: /tools
+
      # Seed /opt/data with config.yaml + SOUL.md on first boot only.
      # ArgoCD owns the manifests; the PVC is runtime state and is NOT reconciled.
      - name: seed-data
@@ -68,8 +89,8 @@ spec:

      containers:
      - name: hermes
-        image: registry.rogi.casa/roger/hermes-agent:v1.35-1
-        imagePullPolicy: IfNotPresent   # falls back to local image if present
+        image: nousresearch/hermes-agent:latest
+        imagePullPolicy: Always
        command: ["gateway", "run"]
        ports:
        - name: gateway
@@ -80,14 +101,21 @@ spec:
        - secretRef:
            name: hermes-env
        env:
-        # k3s injects these automatically; kubectl inside the pod uses the SA token.
+        # k3s injects KUBERNETES_SERVICE_HOST/PORT + the SA token automatically;
+        # kubectl inside the pod authenticates as the platform-engineer SA.
        - name: HERMES_HOME
          value: /opt/data
+        # Put the initContainer-installed kubectl/helm on PATH for the hermes user.
+        - name: PATH
+          value: /opt/hermes/bin:/opt/hermes/.venv/bin:/tools:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
        volumeMounts:
        - name: data
          mountPath: /opt/data
        - name: workspace
          mountPath: /workspace
+        - name: tools
+          mountPath: /tools
+          readOnly: true
        resources:
          requests:
            memory: "512Mi"
@@ -104,7 +132,6 @@ spec:
          failureThreshold: 3
        securityContext:
          allowPrivilegeEscalation: false
-          runAsNonRoot: false   # official image runs as root for s6 init then drops to hermes

      volumes:
      - name: data
@@ -112,6 +139,8 @@ spec:
          claimName: hermes-data
      - name: workspace
        emptyDir: {}
+      - name: tools
+        emptyDir: {}
      - name: seed
        configMap:
          name: hermes-seed