From 0efc1ed6c41e301ab7e679fb02d03611cb1eae30 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Wed, 21 Jan 2026 03:39:17 -0300
Subject: [PATCH] ariadne: split portal and ariadne db secrets
---
 services/maintenance/ariadne-deployment.yaml | 4 +++-
 services/vault/scripts/vault_k8s_auth_configure.sh | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/services/maintenance/ariadne-deployment.yaml b/services/maintenance/ariadne-deployment.yaml
index 57862ab..bb9766f 100644
--- a/services/maintenance/ariadne-deployment.yaml
+++ b/services/maintenance/ariadne-deployment.yaml
@@ -24,7 +24,9 @@ spec:
 vault.hashicorp.com/agent-inject-template-ariadne-env.sh: |
 {{ with secret "kv/data/atlas/maintenance/ariadne-db" }}
 export ARIADNE_DATABASE_URL="{{ .Data.data.database_url }}"
- export PORTAL_DATABASE_URL="{{ .Data.data.database_url }}"
+ {{ end }}
+ {{ with secret "kv/data/atlas/portal/atlas-portal-db" }}
+ export PORTAL_DATABASE_URL="{{ .Data.data.PORTAL_DATABASE_URL }}"
 {{ end }}
 {{ with secret "kv/data/atlas/portal/bstein-dev-home-keycloak-admin" }}
 export KEYCLOAK_ADMIN_CLIENT_SECRET="{{ .Data.data.client_secret }}"
diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index 2fce3f4..bc03cf4 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
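Review bot: In ariadne-deployment.yaml the new `PORTAL_DATABASE_URL` export reads a differently-cased field (`.Data.data.PORTAL_DATABASE_URL`, next to `.Data.data.database_url` two lines above), and nothing in the template fails if that field is absent from `portal/atlas-portal-db`. A Go template normally renders a missing map key as `<no value>`, so the pod would come up with a bogus URL instead of failing visibly. Consider adding `vault.hashicorp.com/error-on-missing-key-ariadne-env.sh: "true"` to the annotations, after confirming the deployed injector version supports it. Separately, the value is placed inside double quotes in a file whose name suggests it is sourced by a shell, so `$`, backticks or `"` in the secret would be expanded or break the export; with this change writers of the portal secret also control that text in the ariadne pod, so single-quoting with escaping is worth considering. The annotation block starts above this hunk, so existing settings are not visible here.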
@@ -231,7 +231,7 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
 write_policy_and_role "health" "health" "health-vault-sync" \
 "health/*" ""
 write_policy_and_role "maintenance" "maintenance" "ariadne,maintenance-vault-sync" \
- "maintenance/ariadne-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db vault/vault-oidc-config shared/harbor-pull" ""
+ "maintenance/ariadne-db portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db vault/vault-oidc-config shared/harbor-pull" ""
 write_policy_and_role "finance" "finance" "finance-vault" \
 "finance/* shared/postmark-relay" ""
 write_policy_and_role "finance-secrets" "finance" "finance-secrets-ensure" \
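Review bot: The `maintenance` call now grants `portal/atlas-portal-db` to the whole role, and its third argument `"ariadne,maintenance-vault-sync"` looks like the list of bound service accounts, so `maintenance-vault-sync` would also gain read access to the portal database credentials even though only the ariadne template in this commit consumes them. Vault KV policies apply per path, so every field stored under that secret becomes readable, not just `PORTAL_DATABASE_URL`. `write_policy_and_role` is defined outside this hunk, so confirm how it expands these arguments; if it does bind both accounts, a separate role for ariadne would keep the grant narrow. At minimum record the reason above the call, e.g. `# portal/atlas-portal-db: read by ariadne for PORTAL_DATABASE_URL (ariadne-deployment.yaml)`, and consider listing the paths one per line so a new grant is visible in review rather than buried in a single long string.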