vault: sync harbor pulls

2026-01-14 10:07:31 -03:00 · 2026-01-14 10:07:31 -03:00 · b1f9df4d83
commit b1f9df4d83
parent b8e50bb0a6
46 changed files with 254 additions and 141 deletions
--- a/services/bstein-dev-home/backend-deployment.yaml
+++ b/services/bstein-dev-home/backend-deployment.yaml
@ -21,7 +21,7 @@ spec:
        kubernetes.io/arch: arm64
        node-role.kubernetes.io/worker: "true"
      imagePullSecrets:
-        - name: harbor-bstein-robot
+        - name: harbor-regcred
      containers:
        - name: backend
          image: registry.bstein.dev/bstein/bstein-dev-home-backend:0.1.1-92 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend"}
--- a/services/bstein-dev-home/frontend-deployment.yaml
+++ b/services/bstein-dev-home/frontend-deployment.yaml
@ -19,7 +19,7 @@ spec:
        kubernetes.io/arch: arm64
        node-role.kubernetes.io/worker: "true"
      imagePullSecrets:
-        - name: harbor-bstein-robot
+        - name: harbor-regcred
      containers:
        - name: frontend
          image: registry.bstein.dev/bstein/bstein-dev-home-frontend:0.1.1-92 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-frontend"}
--- a/services/bstein-dev-home/kustomization.yaml
+++ b/services/bstein-dev-home/kustomization.yaml
@ -6,7 +6,9 @@ resources:
  - namespace.yaml
  - image.yaml
  - rbac.yaml
  - vault-serviceaccount.yaml
  - secretproviderclass.yaml
  - vault-sync-deployment.yaml
  - chat-ai-gateway-deployment.yaml
  - chat-ai-gateway-service.yaml
  - frontend-deployment.yaml
--- a/services/bstein-dev-home/secretproviderclass.yaml
+++ b/services/bstein-dev-home/secretproviderclass.yaml
@ -11,16 +11,16 @@ spec:
    roleName: "bstein-dev-home"
    objects: |
      - objectName: "atlas-portal-db__PORTAL_DATABASE_URL"
-        secretPath: "kv/data/atlas/bstein-dev-home/atlas-portal-db"
+        secretPath: "kv/data/atlas/portal/atlas-portal-db"
        secretKey: "PORTAL_DATABASE_URL"
      - objectName: "bstein-dev-home-keycloak-admin__client_secret"
-        secretPath: "kv/data/atlas/bstein-dev-home/bstein-dev-home-keycloak-admin"
+        secretPath: "kv/data/atlas/portal/bstein-dev-home-keycloak-admin"
        secretKey: "client_secret"
      - objectName: "chat-ai-keys__homepage"
-        secretPath: "kv/data/atlas/bstein-dev-home/chat-ai-keys"
+        secretPath: "kv/data/atlas/portal/chat-ai-keys"
        secretKey: "homepage"
      - objectName: "chat-ai-keys__matrix"
-        secretPath: "kv/data/atlas/bstein-dev-home/chat-ai-keys"
+        secretPath: "kv/data/atlas/portal/chat-ai-keys"
        secretKey: "matrix"
      - objectName: "chat-ai-keys-runtime__homepage"
        secretPath: "kv/data/atlas/shared/chat-ai-keys-runtime"
@ -34,3 +34,12 @@ spec:
      - objectName: "portal-e2e-client__client_secret"
        secretPath: "kv/data/atlas/shared/portal-e2e-client"
        secretKey: "client_secret"
      - objectName: "harbor-pull__dockerconfigjson"
        secretPath: "kv/data/atlas/harbor-pull/bstein-dev-home"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: harbor-regcred
      type: kubernetes.io/dockerconfigjson
      data:
        - objectName: harbor-pull__dockerconfigjson
          key: .dockerconfigjson
--- a/services/bstein-dev-home/vault-serviceaccount.yaml
+++ b/services/bstein-dev-home/vault-serviceaccount.yaml
@ -0,0 +1,6 @@
 # services/bstein-dev-home/vault-serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: bstein-dev-home-vault-sync
  namespace: bstein-dev-home
--- a/services/bstein-dev-home/vault-sync-deployment.yaml
+++ b/services/bstein-dev-home/vault-sync-deployment.yaml
@ -0,0 +1,34 @@
 # services/bstein-dev-home/vault-sync-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: bstein-dev-home-vault-sync
  namespace: bstein-dev-home
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: bstein-dev-home-vault-sync
  template:
    metadata:
      labels:
        app: bstein-dev-home-vault-sync
    spec:
      serviceAccountName: bstein-dev-home-vault-sync
      containers:
        - name: sync
          image: alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - "sleep infinity"
          volumeMounts:
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
      volumes:
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: bstein-dev-home-vault
--- a/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml
+++ b/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml
@ -20,7 +20,7 @@ spec:
            kubernetes.io/arch: arm64
            node-role.kubernetes.io/worker: "true"
          imagePullSecrets:
-            - name: harbor-bstein-robot
+            - name: harbor-regcred
          containers:
            - name: sync
              image: registry.bstein.dev/bstein/bstein-dev-home-backend:0.1.1-92 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend"}
--- a/services/comms/comms-secrets-ensure-rbac.yaml
+++ b/services/comms/comms-secrets-ensure-rbac.yaml
@ -4,6 +4,8 @@ kind: ServiceAccount
 metadata:
  name: comms-secrets-ensure
  namespace: comms
 imagePullSecrets:
  - name: harbor-regcred
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/services/comms/mas-admin-client-secret-ensure-job.yaml
+++ b/services/comms/mas-admin-client-secret-ensure-job.yaml
@ -4,6 +4,8 @@ kind: ServiceAccount
 metadata:
  name: mas-admin-client-secret-writer
  namespace: comms
 imagePullSecrets:
  - name: harbor-regcred
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
--- a/services/comms/mas-db-ensure-rbac.yaml
+++ b/services/comms/mas-db-ensure-rbac.yaml
@ -4,6 +4,8 @@ kind: ServiceAccount
 metadata:
  name: mas-db-ensure
  namespace: comms
 imagePullSecrets:
  - name: harbor-regcred
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/services/comms/secretproviderclass.yaml
+++ b/services/comms/secretproviderclass.yaml
@ -61,6 +61,9 @@ spec:
      - objectName: "synapse-oidc__client-secret"
        secretPath: "kv/data/atlas/comms/synapse-oidc"
        secretKey: "client-secret"
      - objectName: "harbor-pull__dockerconfigjson"
        secretPath: "kv/data/atlas/harbor-pull/comms"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: turn-shared-secret
      type: Opaque
@ -132,3 +135,8 @@ spec:
      data:
        - objectName: synapse-oidc__client-secret
          key: client-secret
    - secretName: harbor-regcred
      type: kubernetes.io/dockerconfigjson
      data:
        - objectName: harbor-pull__dockerconfigjson
          key: .dockerconfigjson
--- a/services/comms/synapse-signingkey-ensure-rbac.yaml
+++ b/services/comms/synapse-signingkey-ensure-rbac.yaml
@ -4,6 +4,8 @@ kind: ServiceAccount
 metadata:
  name: othrys-synapse-signingkey-job
  namespace: comms
 imagePullSecrets:
  - name: harbor-regcred
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
--- a/services/crypto/monerod/deployment.yaml
+++ b/services/crypto/monerod/deployment.yaml
@ -18,6 +18,8 @@ spec:
        fsGroupChangePolicy: OnRootMismatch
      nodeSelector:
        node-role.kubernetes.io/worker: "true"
      imagePullSecrets:
        - name: harbor-regcred
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
--- a/services/crypto/xmr-miner/secretproviderclass.yaml
+++ b/services/crypto/xmr-miner/secretproviderclass.yaml
@ -13,9 +13,17 @@ spec:
      - objectName: "xmr-payout__address"
        secretPath: "kv/data/atlas/crypto/xmr-payout"
        secretKey: "address"
      - objectName: "harbor-pull__dockerconfigjson"
        secretPath: "kv/data/atlas/harbor-pull/crypto"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: xmr-payout
      type: Opaque
      data:
        - objectName: xmr-payout__address
          key: address
    - secretName: harbor-regcred
      type: kubernetes.io/dockerconfigjson
      data:
        - objectName: harbor-pull__dockerconfigjson
          key: .dockerconfigjson
--- a/services/harbor/helmrelease.yaml
+++ b/services/harbor/helmrelease.yaml
@ -29,6 +29,8 @@ spec:
  values:
    externalURL: https://registry.bstein.dev
    imagePullPolicy: IfNotPresent
    imagePullSecrets:
      - name: harbor-regcred
    expose:
      type: ingress
      tls:
--- a/services/harbor/secretproviderclass.yaml
+++ b/services/harbor/secretproviderclass.yaml
@ -49,6 +49,9 @@ spec:
      - objectName: "harbor-oidc__CONFIG_OVERWRITE_JSON"
        secretPath: "kv/data/atlas/harbor/harbor-oidc"
        secretKey: "CONFIG_OVERWRITE_JSON"
      - objectName: "harbor-pull__dockerconfigjson"
        secretPath: "kv/data/atlas/harbor-pull/harbor"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: harbor-core
      type: Opaque
@ -85,3 +88,8 @@ spec:
      data:
        - objectName: harbor-oidc__CONFIG_OVERWRITE_JSON
          key: CONFIG_OVERWRITE_JSON
    - secretName: harbor-regcred
      type: kubernetes.io/dockerconfigjson
      data:
        - objectName: harbor-pull__dockerconfigjson
          key: .dockerconfigjson
--- a/services/keycloak/kustomization.yaml
+++ b/services/keycloak/kustomization.yaml
@ -6,7 +6,9 @@ resources:
  - namespace.yaml
  - pvc.yaml
  - serviceaccount.yaml
  - vault-serviceaccount.yaml
  - secretproviderclass.yaml
  - vault-sync-deployment.yaml
  - deployment.yaml
  - realm-settings-job.yaml
  - portal-e2e-client-job.yaml
@ -33,9 +35,6 @@ configMapGenerator:
    files:
      - test_portal_token_exchange.py=scripts/tests/test_portal_token_exchange.py
      - test_keycloak_execute_actions_email.py=scripts/tests/test_keycloak_execute_actions_email.py
  - name: portal-e2e-client-secret-sync-script
    files:
      - sso_portal_e2e_client_secret_sync.sh=scripts/sso_portal_e2e_client_secret_sync.sh
  - name: harbor-oidc-secret-ensure-script
    files:
      - harbor_oidc_secret_ensure.sh=scripts/harbor_oidc_secret_ensure.sh
--- a/services/keycloak/mas-secrets-ensure-job.yaml
+++ b/services/keycloak/mas-secrets-ensure-job.yaml
@ -4,6 +4,8 @@ kind: ServiceAccount
 metadata:
  name: mas-secrets-ensure
  namespace: sso
 imagePullSecrets:
  - name: harbor-regcred
 ---
 apiVersion: batch/v1
 kind: Job
--- a/services/keycloak/portal-e2e-client-secret-sync-cronjob.yaml
+++ b/services/keycloak/portal-e2e-client-secret-sync-cronjob.yaml
@ -1,32 +0,0 @@
 # services/keycloak/portal-e2e-client-secret-sync-cronjob.yaml
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: portal-e2e-client-secret-sync
  namespace: sso
 spec:
  schedule: "*/10 * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        spec:
          serviceAccountName: portal-e2e-client-secret-sync
          restartPolicy: Never
          containers:
            - name: sync
              image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
              command: ["/usr/bin/env", "bash"]
              args: ["/scripts/sso_portal_e2e_client_secret_sync.sh"]
              volumeMounts:
                - name: script
                  mountPath: /scripts
                  readOnly: true
          volumes:
            - name: script
              configMap:
                name: portal-e2e-client-secret-sync-script
                defaultMode: 0555
--- a/services/keycloak/portal-e2e-client-secret-sync-rbac.yaml
+++ b/services/keycloak/portal-e2e-client-secret-sync-rbac.yaml
@ -1,31 +0,0 @@
 # services/keycloak/portal-e2e-client-secret-sync-rbac.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: portal-e2e-client-secret-sync
  namespace: sso
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: portal-e2e-client-secret-sync-source
  namespace: sso
 rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["portal-e2e-client"]
    verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: portal-e2e-client-secret-sync-source
  namespace: sso
 subjects:
  - kind: ServiceAccount
    name: portal-e2e-client-secret-sync
    namespace: sso
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: portal-e2e-client-secret-sync-source
--- a/services/keycloak/realm-settings-job.yaml
+++ b/services/keycloak/realm-settings-job.yaml
@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: keycloak-realm-settings-17
+  name: keycloak-realm-settings-18
  namespace: sso
 spec:
  backoffLimit: 0
@ -29,15 +29,15 @@ spec:
            - name: KEYCLOAK_REALM
              value: atlas
            - name: KEYCLOAK_SMTP_HOST
-              value: mailu-front.mailu-mailserver.svc.cluster.local
+              value: smtp.postmarkapp.com
            - name: KEYCLOAK_SMTP_PORT
-              value: "25"
+              value: "587"
            - name: KEYCLOAK_SMTP_FROM
-              value: no-reply@bstein.dev
+              value: no-reply-sso@bstein.dev
            - name: KEYCLOAK_SMTP_FROM_NAME
              value: Atlas SSO
            - name: KEYCLOAK_SMTP_REPLY_TO
-              value: no-reply@bstein.dev
+              value: no-reply-sso@bstein.dev
            - name: KEYCLOAK_SMTP_REPLY_TO_NAME
              value: Atlas SSO
          command: ["/bin/sh", "-c"]
@ -118,8 +118,10 @@ spec:
                      "fromDisplayName": os.environ["KEYCLOAK_SMTP_FROM_NAME"],
                      "replyTo": os.environ["KEYCLOAK_SMTP_REPLY_TO"],
                      "replyToDisplayName": os.environ["KEYCLOAK_SMTP_REPLY_TO_NAME"],
-                      "auth": "false",
+                      "user": os.environ["KEYCLOAK_SMTP_USER"],
-                      "starttls": "false",
+                      "password": os.environ["KEYCLOAK_SMTP_PASSWORD"],
                      "auth": "true",
                      "starttls": "true",
                      "ssl": "false",
                  }
              )
--- a/services/keycloak/scripts/keycloak_vault_env.sh
+++ b/services/keycloak/scripts/keycloak_vault_env.sh
@ -24,3 +24,6 @@ export PORTAL_E2E_CLIENT_SECRET="$(read_secret portal-e2e-client__client_secret)
 export LDAP_ADMIN_PASSWORD="$(read_secret openldap-admin__LDAP_ADMIN_PASSWORD)"
 export LDAP_CONFIG_PASSWORD="$(read_secret openldap-admin__LDAP_CONFIG_PASSWORD)"
 export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
 export KEYCLOAK_SMTP_USER="$(read_secret postmark-relay__relay-username)"
 export KEYCLOAK_SMTP_PASSWORD="$(read_secret postmark-relay__relay-password)"
--- a/services/keycloak/scripts/sso_portal_e2e_client_secret_sync.sh
+++ b/services/keycloak/scripts/sso_portal_e2e_client_secret_sync.sh
@ -1,20 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 SOURCE_NAMESPACE="${SOURCE_NAMESPACE:-sso}"
 DEST_NAMESPACE="${DEST_NAMESPACE:-bstein-dev-home}"
 SECRET_NAME="${SECRET_NAME:-portal-e2e-client}"
 client_id="$(kubectl -n "${SOURCE_NAMESPACE}" get secret "${SECRET_NAME}" -o jsonpath='{.data.client_id}')"
 client_secret="$(kubectl -n "${SOURCE_NAMESPACE}" get secret "${SECRET_NAME}" -o jsonpath='{.data.client_secret}')"
 cat <<EOF | kubectl -n "${DEST_NAMESPACE}" apply -f - >/dev/null
 apiVersion: v1
 kind: Secret
 metadata:
  name: ${SECRET_NAME}
 type: Opaque
 data:
  client_id: ${client_id}
  client_secret: ${client_secret}
 EOF
--- a/services/keycloak/secretproviderclass.yaml
+++ b/services/keycloak/secretproviderclass.yaml
@ -46,6 +46,15 @@ spec:
      - objectName: "oauth2-proxy-oidc__cookie_secret"
        secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc"
        secretKey: "cookie_secret"
      - objectName: "postmark-relay__relay-username"
        secretPath: "kv/data/atlas/shared/postmark-relay"
        secretKey: "relay-username"
      - objectName: "postmark-relay__relay-password"
        secretPath: "kv/data/atlas/shared/postmark-relay"
        secretKey: "relay-password"
      - objectName: "harbor-pull__dockerconfigjson"
        secretPath: "kv/data/atlas/harbor-pull/sso"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: openldap-admin
      type: Opaque
@ -63,3 +72,8 @@ spec:
          key: client_secret
        - objectName: oauth2-proxy-oidc__cookie_secret
          key: cookie_secret
    - secretName: harbor-regcred
      type: kubernetes.io/dockerconfigjson
      data:
        - objectName: harbor-pull__dockerconfigjson
          key: .dockerconfigjson
--- a/services/keycloak/serviceaccount.yaml
+++ b/services/keycloak/serviceaccount.yaml
@ -4,3 +4,5 @@ kind: ServiceAccount
 metadata:
  name: sso-vault
  namespace: sso
 imagePullSecrets:
  - name: harbor-regcred
--- a/services/keycloak/vault-serviceaccount.yaml
+++ b/services/keycloak/vault-serviceaccount.yaml
@ -0,0 +1,6 @@
 # services/keycloak/vault-serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: sso-vault-sync
  namespace: sso
--- a/services/keycloak/vault-sync-deployment.yaml
+++ b/services/keycloak/vault-sync-deployment.yaml
@ -0,0 +1,34 @@
 # services/keycloak/vault-sync-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: sso-vault-sync
  namespace: sso
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: sso-vault-sync
  template:
    metadata:
      labels:
        app: sso-vault-sync
    spec:
      serviceAccountName: sso-vault-sync
      containers:
        - name: sync
          image: alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - "sleep infinity"
          volumeMounts:
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
      volumes:
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: sso-vault
--- a/services/logging/data-prepper-helmrelease.yaml
+++ b/services/logging/data-prepper-helmrelease.yaml
@ -22,7 +22,7 @@ spec:
      repository: registry.bstein.dev/streaming/data-prepper
      tag: "2.8.0"
    imagePullSecrets:
-      - name: harbor-robot-pipeline
+      - name: harbor-regcred
    config:
      data-prepper-config.yaml: |
        ssl: false
--- a/services/logging/secretproviderclass.yaml
+++ b/services/logging/secretproviderclass.yaml
@ -19,6 +19,9 @@ spec:
      - objectName: "oauth2-proxy-logs-oidc__cookie_secret"
        secretPath: "kv/data/atlas/logging/oauth2-proxy-logs-oidc"
        secretKey: "cookie_secret"
      - objectName: "harbor-pull__dockerconfigjson"
        secretPath: "kv/data/atlas/harbor-pull/logging"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: oauth2-proxy-logs-oidc
      type: Opaque
@ -29,3 +32,8 @@ spec:
          key: client_secret
        - objectName: oauth2-proxy-logs-oidc__cookie_secret
          key: cookie_secret
    - secretName: harbor-regcred
      type: kubernetes.io/dockerconfigjson
      data:
        - objectName: harbor-pull__dockerconfigjson
          key: .dockerconfigjson
--- a/services/mailu/secretproviderclass.yaml
+++ b/services/mailu/secretproviderclass.yaml
@ -40,6 +40,9 @@ spec:
      - objectName: "mailu-sync-credentials__client-secret"
        secretPath: "kv/data/atlas/mailu/mailu-sync-credentials"
        secretKey: "client-secret"
      - objectName: "harbor-pull__dockerconfigjson"
        secretPath: "kv/data/atlas/harbor-pull/mailu-mailserver"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: mailu-secret
      type: Opaque
@ -76,3 +79,8 @@ spec:
          key: client-id
        - objectName: mailu-sync-credentials__client-secret
          key: client-secret
    - secretName: harbor-regcred
      type: kubernetes.io/dockerconfigjson
      data:
        - objectName: harbor-pull__dockerconfigjson
          key: .dockerconfigjson
--- a/services/mailu/vip-controller.yaml
+++ b/services/mailu/vip-controller.yaml
@ -5,6 +5,8 @@ kind: ServiceAccount
 metadata:
  name: vip-controller
  namespace: mailu-mailserver
 imagePullSecrets:
  - name: harbor-regcred
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
--- a/services/monitoring/dcgm-exporter.yaml
+++ b/services/monitoring/dcgm-exporter.yaml
@ -22,6 +22,8 @@ spec:
        prometheus.io/port: "9400"
    spec:
      serviceAccountName: default
      imagePullSecrets:
        - name: harbor-regcred
      runtimeClassName: nvidia
      affinity:
        nodeAffinity:
--- a/services/monitoring/helmrelease.yaml
+++ b/services/monitoring/helmrelease.yaml
@ -275,8 +275,8 @@ spec:
      GF_AUTH_ANONYMOUS_ORG_ROLE: "Viewer"
      GF_SMTP_ENABLED: "true"
      GF_SMTP_HOST: "smtp.postmarkapp.com:587"
-      GF_SMTP_FROM: "alerts@bstein.dev"
+      GF_SMTP_FROM: "no-reply-grafana@bstein.dev"
-      GF_SMTP_FROM_NAME: "Atlas Alerts"
+      GF_SMTP_FROM_NAME: "Atlas Grafana"
      GRAFANA_ALERT_EMAILS: "alerts@bstein.dev"
      GF_SECURITY_ALLOW_EMBEDDING: "true"
      GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
--- a/services/monitoring/secretproviderclass.yaml
+++ b/services/monitoring/secretproviderclass.yaml
@ -31,6 +31,9 @@ spec:
      - objectName: "postmark-relay__relay-password"
        secretPath: "kv/data/atlas/shared/postmark-relay"
        secretKey: "relay-password"
      - objectName: "harbor-pull__dockerconfigjson"
        secretPath: "kv/data/atlas/harbor-pull/monitoring"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: grafana-admin
      type: Opaque
@ -55,3 +58,8 @@ spec:
          key: username
        - objectName: postmark-relay__relay-password
          key: password
    - secretName: harbor-regcred
      type: kubernetes.io/dockerconfigjson
      data:
        - objectName: harbor-pull__dockerconfigjson
          key: .dockerconfigjson
--- a/services/nextcloud/configmap.yaml
+++ b/services/nextcloud/configmap.yaml
@ -18,13 +18,13 @@ data:
      'default_phone_region' => 'US',
      'mail_smtpmode' => 'smtp',
      'mail_sendmailmode' => 'smtp',
-      'mail_smtphost' => 'mail.bstein.dev',
+      'mail_smtphost' => 'smtp.postmarkapp.com',
      'mail_smtpport' => '587',
      'mail_smtpsecure' => 'tls',
      'mail_smtpauth' => true,
      'mail_smtpauthtype' => 'LOGIN',
      'mail_domain' => 'bstein.dev',
-      'mail_from_address' => 'no-reply',
+      'mail_from_address' => 'no-reply-nextcloud',
      'datadirectory' => '/var/www/html/data',
      'apps_paths' =>
      array (
--- a/services/nextcloud/deployment.yaml
+++ b/services/nextcloud/deployment.yaml
@ -194,13 +194,13 @@ spec:
              value: https://cloud.bstein.dev
            # SMTP (external secret: nextcloud-smtp with keys username, password)
            - name: SMTP_HOST
-              value: mail.bstein.dev
+              value: smtp.postmarkapp.com
            - name: SMTP_PORT
              value: "587"
            - name: SMTP_SECURE
              value: tls
            - name: MAIL_FROM_ADDRESS
-              value: no-reply
+              value: no-reply-nextcloud
            - name: MAIL_DOMAIN
              value: bstein.dev
            # OIDC (external secret: nextcloud-oidc with keys client-id, client-secret)
--- a/services/nextcloud/secretproviderclass.yaml
+++ b/services/nextcloud/secretproviderclass.yaml
@ -32,11 +32,11 @@ spec:
        secretPath: "kv/data/atlas/nextcloud/nextcloud-oidc"
        secretKey: "client-secret"
      - objectName: "nextcloud-smtp__smtp-username"
-        secretPath: "kv/data/atlas/nextcloud/nextcloud-smtp"
+        secretPath: "kv/data/atlas/shared/postmark-relay"
-        secretKey: "smtp-username"
+        secretKey: "relay-username"
      - objectName: "nextcloud-smtp__smtp-password"
-        secretPath: "kv/data/atlas/nextcloud/nextcloud-smtp"
+        secretPath: "kv/data/atlas/shared/postmark-relay"
-        secretKey: "smtp-password"
+        secretKey: "relay-password"
      - objectName: "keycloak-admin__username"
        secretPath: "kv/data/atlas/shared/keycloak-admin"
        secretKey: "username"
--- a/services/outline/deployment.yaml
+++ b/services/outline/deployment.yaml
@ -71,7 +71,7 @@ spec:
            - name: SMTP_SECURE
              value: "false"
            - name: SMTP_PORT
-              value: "25"
+              value: "587"
          volumeMounts:
            - name: user-data
              mountPath: /var/lib/outline/data
--- a/services/outline/secretproviderclass.yaml
+++ b/services/outline/secretproviderclass.yaml
@ -44,11 +44,11 @@ spec:
        secretPath: "kv/data/atlas/outline/outline-smtp"
        secretKey: "SMTP_HOST"
      - objectName: "SMTP_PASSWORD"
-        secretPath: "kv/data/atlas/outline/outline-smtp"
+        secretPath: "kv/data/atlas/shared/postmark-relay"
-        secretKey: "SMTP_PASSWORD"
+        secretKey: "relay-password"
      - objectName: "SMTP_USERNAME"
-        secretPath: "kv/data/atlas/outline/outline-smtp"
+        secretPath: "kv/data/atlas/shared/postmark-relay"
-        secretKey: "SMTP_USERNAME"
+        secretKey: "relay-username"
      - objectName: "AWS_ACCESS_KEY_ID"
        secretPath: "kv/data/atlas/outline/outline-s3"
        secretKey: "AWS_ACCESS_KEY_ID"
--- a/services/pegasus/deployment.yaml
+++ b/services/pegasus/deployment.yaml
@ -19,6 +19,8 @@ spec:
      nodeSelector:
        kubernetes.io/arch: arm64
        node-role.kubernetes.io/worker: "true"
      imagePullSecrets:
        - name: harbor-regcred
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
--- a/services/pegasus/secretproviderclass.yaml
+++ b/services/pegasus/secretproviderclass.yaml
@ -19,6 +19,9 @@ spec:
      - objectName: "pegasus-secrets__JELLYFIN_API_KEY"
        secretPath: "kv/data/atlas/pegasus/pegasus-secrets"
        secretKey: "JELLYFIN_API_KEY"
      - objectName: "harbor-pull__dockerconfigjson"
        secretPath: "kv/data/atlas/harbor-pull/jellyfin"
        secretKey: "dockerconfigjson"
  secretObjects:
    - secretName: pegasus-secrets
      type: Opaque
@ -29,3 +32,8 @@ spec:
          key: JELLYFIN_URL
        - objectName: pegasus-secrets__JELLYFIN_API_KEY
          key: JELLYFIN_API_KEY
    - secretName: harbor-regcred
      type: kubernetes.io/dockerconfigjson
      data:
        - objectName: harbor-pull__dockerconfigjson
          key: .dockerconfigjson
--- a/services/planka/secretproviderclass.yaml
+++ b/services/planka/secretproviderclass.yaml
@ -44,8 +44,8 @@ spec:
        secretPath: "kv/data/atlas/planka/planka-smtp"
        secretKey: "SMTP_HOST"
      - objectName: "SMTP_PASSWORD"
-        secretPath: "kv/data/atlas/planka/planka-smtp"
+        secretPath: "kv/data/atlas/shared/postmark-relay"
-        secretKey: "SMTP_PASSWORD"
+        secretKey: "relay-password"
      - objectName: "SMTP_PORT"
        secretPath: "kv/data/atlas/planka/planka-smtp"
        secretKey: "SMTP_PORT"
@ -56,5 +56,5 @@ spec:
        secretPath: "kv/data/atlas/planka/planka-smtp"
        secretKey: "SMTP_TLS_REJECT_UNAUTHORIZED"
      - objectName: "SMTP_USER"
-        secretPath: "kv/data/atlas/planka/planka-smtp"
+        secretPath: "kv/data/atlas/shared/postmark-relay"
-        secretKey: "SMTP_USER"
+        secretKey: "relay-username"
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@ -76,35 +76,35 @@ path \"kv/metadata/atlas/${path}\" {
 }
 write_policy_and_role "outline" "outline" "outline-vault" \
-  "outline/*" ""
+  "outline/* shared/postmark-relay" ""
 write_policy_and_role "planka" "planka" "planka-vault" \
-  "planka/*" ""
+  "planka/* shared/postmark-relay" ""
-write_policy_and_role "bstein-dev-home" "bstein-dev-home" "bstein-dev-home" \
+write_policy_and_role "bstein-dev-home" "bstein-dev-home" "bstein-dev-home,bstein-dev-home-vault-sync" \
-  "bstein-dev-home/* shared/chat-ai-keys-runtime shared/portal-e2e-client" ""
+  "portal/* shared/chat-ai-keys-runtime shared/portal-e2e-client harbor-pull/bstein-dev-home" ""
 write_policy_and_role "gitea" "gitea" "gitea-vault" \
  "gitea/*" ""
 write_policy_and_role "vaultwarden" "vaultwarden" "vaultwarden-vault" \
-  "vaultwarden/*" ""
+  "vaultwarden/* shared/postmark-relay" ""
-write_policy_and_role "sso" "sso" "sso-vault,mas-secrets-ensure" \
+write_policy_and_role "sso" "sso" "sso-vault,sso-vault-sync,mas-secrets-ensure" \
-  "sso/* shared/keycloak-admin shared/portal-e2e-client" ""
+  "sso/* shared/keycloak-admin shared/portal-e2e-client shared/postmark-relay harbor-pull/sso" ""
 write_policy_and_role "mailu-mailserver" "mailu-mailserver" "mailu-vault-sync" \
-  "mailu/* shared/postmark-relay" ""
+  "mailu/* shared/postmark-relay harbor-pull/mailu-mailserver" ""
 write_policy_and_role "harbor" "harbor" "harbor-vault-sync" \
-  "harbor/*" ""
+  "harbor/* harbor-pull/harbor" ""
 write_policy_and_role "nextcloud" "nextcloud" "nextcloud-vault" \
-  "nextcloud/* shared/keycloak-admin" ""
+  "nextcloud/* shared/keycloak-admin shared/postmark-relay" ""
 write_policy_and_role "comms" "comms" "comms-vault,atlasbot" \
-  "comms/* shared/chat-ai-keys-runtime" ""
+  "comms/* shared/chat-ai-keys-runtime harbor-pull/comms" ""
 write_policy_and_role "jenkins" "jenkins" "jenkins-vault-sync" \
  "jenkins/*" ""
 write_policy_and_role "monitoring" "monitoring" "monitoring-vault-sync" \
-  "monitoring/* shared/postmark-relay" ""
+  "monitoring/* shared/postmark-relay harbor-pull/monitoring" ""
 write_policy_and_role "logging" "logging" "logging-vault-sync" \
-  "logging/*" ""
+  "logging/* harbor-pull/logging" ""
 write_policy_and_role "pegasus" "jellyfin" "pegasus-vault-sync" \
-  "pegasus/*" ""
+  "pegasus/* harbor-pull/jellyfin" ""
 write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
-  "crypto/*" ""
+  "crypto/* harbor-pull/crypto" ""
 write_policy_and_role "sso-secrets" "sso" "mas-secrets-ensure" \
  "shared/keycloak-admin" \
--- a/services/vaultwarden/deployment.yaml
+++ b/services/vaultwarden/deployment.yaml
@ -36,19 +36,19 @@ spec:
            - name: DOMAIN
              value: "https://vault.bstein.dev"
            - name: SMTP_HOST
-              value: "mailu-front.mailu-mailserver.svc.cluster.local"
+              value: "smtp.postmarkapp.com"
            - name: SMTP_PORT
-              value: "25"
+              value: "587"
            - name: SMTP_SECURITY
              value: "starttls"
            - name: SMTP_ACCEPT_INVALID_HOSTNAMES
-              value: "true"
+              value: "false"
            - name: SMTP_ACCEPT_INVALID_CERTS
-              value: "true"
+              value: "false"
            - name: SMTP_FROM
-              value: "postmaster@bstein.dev"
+              value: "no-reply-vaultwarden@bstein.dev"
            - name: SMTP_FROM_NAME
-              value: "Atlas Vaultwarden"
+              value: "Vaultwarden"
          ports:
            - name: http
              containerPort: 80
--- a/services/vaultwarden/scripts/vaultwarden_vault_env.sh
+++ b/services/vaultwarden/scripts/vaultwarden_vault_env.sh
@ -9,3 +9,6 @@ read_secret() {
 export DATABASE_URL="$(read_secret vaultwarden-db-url__DATABASE_URL)"
 export ADMIN_TOKEN="$(read_secret vaultwarden-admin__ADMIN_TOKEN)"
 export SMTP_USERNAME="$(read_secret postmark-relay__relay-username)"
 export SMTP_PASSWORD="$(read_secret postmark-relay__relay-password)"
--- a/services/vaultwarden/secretproviderclass.yaml
+++ b/services/vaultwarden/secretproviderclass.yaml
@ -16,3 +16,9 @@ spec:
      - objectName: "vaultwarden-admin__ADMIN_TOKEN"
        secretPath: "kv/data/atlas/vaultwarden/vaultwarden-admin"
        secretKey: "ADMIN_TOKEN"
      - objectName: "postmark-relay__relay-username"
        secretPath: "kv/data/atlas/shared/postmark-relay"
        secretKey: "relay-username"
      - objectName: "postmark-relay__relay-password"
        secretPath: "kv/data/atlas/shared/postmark-relay"
        secretKey: "relay-password"