From b8e50bb0a6e5faebe9b88ed3e68c062fbb95d944 Mon Sep 17 00:00:00 2001 From: Brad Stein Date: Wed, 14 Jan 2026 06:41:34 -0300 Subject: [PATCH] monitoring: move grafana smtp to vault --- scripts/dashboards_render_atlas.py | 2 +- .../monitoring/dashboards/atlas-storage.json | 2 +- .../monitoring/grafana-alerting-config.yaml | 2 +- .../monitoring/grafana-dashboard-storage.yaml | 2 +- .../monitoring/grafana-smtp-sync-cronjob.yaml | 44 ----------------- .../monitoring/grafana-smtp-sync-rbac.yaml | 49 ------------------- .../grafana-smtp-sync-serviceaccount.yaml | 6 --- services/monitoring/kustomization.yaml | 9 ---- .../monitoring/scripts/grafana_smtp_sync.sh | 31 ------------ services/monitoring/secretproviderclass.yaml | 13 +++++ .../vault/scripts/vault_k8s_auth_configure.sh | 2 +- 11 files changed, 18 insertions(+), 144 deletions(-) delete mode 100644 services/monitoring/grafana-smtp-sync-cronjob.yaml delete mode 100644 services/monitoring/grafana-smtp-sync-rbac.yaml delete mode 100644 services/monitoring/grafana-smtp-sync-serviceaccount.yaml delete mode 100644 services/monitoring/scripts/grafana_smtp_sync.sh diff --git a/scripts/dashboards_render_atlas.py b/scripts/dashboards_render_atlas.py index 01fe9c7..a5abfe8 100644 --- a/scripts/dashboards_render_atlas.py +++ b/scripts/dashboards_render_atlas.py @@ -1727,7 +1727,7 @@ def build_storage_dashboard(): stat_panel( 31, "Maintenance Cron Freshness (s)", - 'time() - max by (cronjob) (kube_cronjob_status_last_successful_time{namespace="maintenance",cronjob=~"image-sweeper|grafana-smtp-sync"})', + 'time() - max by (cronjob) (kube_cronjob_status_last_successful_time{namespace="maintenance",cronjob="image-sweeper"})', {"h": 4, "w": 12, "x": 12, "y": 44}, unit="s", thresholds={ diff --git a/services/monitoring/dashboards/atlas-storage.json b/services/monitoring/dashboards/atlas-storage.json index d93a941..0eca11c 100644 --- a/services/monitoring/dashboards/atlas-storage.json 
+++ b/services/monitoring/dashboards/atlas-storage.json @@ -494,7 +494,7 @@ }, "targets": [ { - "expr": "time() - max by (cronjob) (kube_cronjob_status_last_successful_time{namespace=\"maintenance\",cronjob=~\"image-sweeper|grafana-smtp-sync\"})", + "expr": "time() - max by (cronjob) (kube_cronjob_status_last_successful_time{namespace=\"maintenance\",cronjob=\"image-sweeper\"})", "refId": "A" } ], diff --git a/services/monitoring/grafana-alerting-config.yaml b/services/monitoring/grafana-alerting-config.yaml index c679bff..daa1e29 100644 --- a/services/monitoring/grafana-alerting-config.yaml +++ b/services/monitoring/grafana-alerting-config.yaml @@ -244,7 +244,7 @@ data: to: 0 datasourceUid: atlas-vm model: - expr: time() - max by (cronjob) (kube_cronjob_status_last_successful_time{namespace="maintenance",cronjob=~"image-sweeper|grafana-smtp-sync"}) + expr: time() - max by (cronjob) (kube_cronjob_status_last_successful_time{namespace="maintenance",cronjob="image-sweeper"}) intervalMs: 60000 maxDataPoints: 43200 legendFormat: '{{cronjob}}' diff --git a/services/monitoring/grafana-dashboard-storage.yaml b/services/monitoring/grafana-dashboard-storage.yaml index 5ce4186..d25e922 100644 --- a/services/monitoring/grafana-dashboard-storage.yaml +++ b/services/monitoring/grafana-dashboard-storage.yaml @@ -503,7 +503,7 @@ data: }, "targets": [ { - "expr": "time() - max by (cronjob) (kube_cronjob_status_last_successful_time{namespace=\"maintenance\",cronjob=~\"image-sweeper|grafana-smtp-sync\"})", + "expr": "time() - max by (cronjob) (kube_cronjob_status_last_successful_time{namespace=\"maintenance\",cronjob=\"image-sweeper\"})", "refId": "A" } ], diff --git a/services/monitoring/grafana-smtp-sync-cronjob.yaml b/services/monitoring/grafana-smtp-sync-cronjob.yaml deleted file mode 100644 index 3b92d4c..0000000 --- a/services/monitoring/grafana-smtp-sync-cronjob.yaml +++ /dev/null 
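Review bot: The freshness rule in `model.expr` of grafana-alerting-config.yaml now selects only `cronjob="image-sweeper"`, which leaves delivery of Grafana's SMTP credentials without any visible health signal. Judging by the subject line and the diffstat, the credentials now come from Vault via secretproviderclass.yaml, which is outside this part of the patch, so a failed mount would only show up as alert e-mail silently not arriving. The removed matcher was also scoped to `namespace="maintenance"` while the deleted CronJob manifest declares `namespace: monitoring`, so the old rule apparently never covered that job either. I would record the gap beside the rule with a comment such as `# grafana SMTP credentials come from Vault (secretproviderclass.yaml); this rule does not cover them`, and follow up with a rule on failed notification delivery. The rule continues outside the hunk; the same expression change in scripts/dashboards_render_atlas.py and the two dashboard files needs no separate note.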
@@ -1,44 +0,0 @@
-# services/monitoring/grafana-smtp-sync-cronjob.yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: grafana-smtp-sync
- namespace: monitoring
-spec:
- schedule: "15 3 * * *"
- concurrencyPolicy: Forbid
- jobTemplate:
- spec:
- template:
- spec:
- serviceAccountName: grafana-smtp-sync
- restartPolicy: OnFailure
- containers:
- - name: sync
- image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
- command: ["/bin/sh", "-c"]
- args:
- - |
- set -euo pipefail
- if ! command -v jq >/dev/null 2>&1; then
- apt-get update >/dev/null && apt-get install -y jq >/dev/null
- fi
- exec /scripts/sync.sh
- env:
- - name: SOURCE_NS
- value: mailu-mailserver
- - name: SOURCE_SECRET
- value: mailu-postmark-relay
- - name: TARGET_NS
- value: monitoring
- - name: TARGET_SECRET
- value: grafana-smtp
- volumeMounts:
- - name: script
- mountPath: /scripts
- readOnly: true
- volumes:
- - name: script
- configMap:
- name: grafana-smtp-sync-script
- defaultMode: 0555
diff --git a/services/monitoring/grafana-smtp-sync-rbac.yaml b/services/monitoring/grafana-smtp-sync-rbac.yaml
deleted file mode 100644
index 532d622..0000000
--- a/services/monitoring/grafana-smtp-sync-rbac.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-# services/monitoring/grafana-smtp-sync-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: grafana-smtp-sync
-rules:
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get"]
- resourceNames:
- - mailu-postmark-relay
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: grafana-smtp-sync
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: grafana-smtp-sync
-subjects:
- - kind: ServiceAccount
- name: grafana-smtp-sync
- namespace: monitoring
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: grafana-smtp-sync
- namespace: monitoring
-rules:
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "create", "update", "patch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: grafana-smtp-sync
- namespace: monitoring
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: grafana-smtp-sync
-subjects:
- - kind: ServiceAccount
- name: grafana-smtp-sync
- namespace: monitoring
diff --git a/services/monitoring/grafana-smtp-sync-serviceaccount.yaml b/services/monitoring/grafana-smtp-sync-serviceaccount.yaml
deleted file mode 100644
index 6ad0e18..0000000
--- a/services/monitoring/grafana-smtp-sync-serviceaccount.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-# services/monitoring/grafana-smtp-sync-serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: grafana-smtp-sync
- namespace: monitoring
diff --git a/services/monitoring/kustomization.yaml b/services/monitoring/kustomization.yaml
index 66065cb..6596a36 100644
--- a/services/monitoring/kustomization.yaml
+++ b/services/monitoring/kustomization.yaml
@@ -20,9 +20,6 @@ resources: - postmark-exporter-deployment.yaml - vault-sync-deployment.yaml - grafana-alerting-config.yaml - - grafana-smtp-sync-serviceaccount.yaml - - grafana-smtp-sync-rbac.yaml - - grafana-smtp-sync-cronjob.yaml - grafana-folders.yaml - helmrelease.yaml - grafana-org-bootstrap.yaml @@ -34,12 +31,6 @@ configMapGenerator: - monitoring_postmark_exporter.py=scripts/postmark_exporter.py options: disableNameSuffixHash: true - - name: grafana-smtp-sync-script - namespace: monitoring - files: - - sync.sh=scripts/grafana_smtp_sync.sh - options: - disableNameSuffixHash: true - name: jetson-tegrastats-exporter-script namespace: monitoring files: diff --git a/services/monitoring/scripts/grafana_smtp_sync.sh b/services/monitoring/scripts/grafana_smtp_sync.sh deleted file mode 100644 index c8207ad..0000000 --- a/services/monitoring/scripts/grafana_smtp_sync.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/sh -set -euo pipefail - -SOURCE_NS=${SOURCE_NS:-mailu-mailserver} -SOURCE_SECRET=${SOURCE_SECRET:-mailu-postmark-relay} -TARGET_NS=${TARGET_NS:-monitoring} -TARGET_SECRET=${TARGET_SECRET:-grafana-smtp} - -tmp=$(mktemp) -cleanup() { rm -f "$tmp"; } -trap cleanup EXIT - -kubectl -n "$SOURCE_NS" get secret "$SOURCE_SECRET" -o json > "$tmp" - -pass=$(jq -r '.data["relay-password"]' "$tmp") -user=$pass - -if [ -z "$user" ] || [ -z "$pass" ] || [ "$user" = "null" ] || [ "$pass" = "null" ]; then - echo "missing credentials from $SOURCE_NS/$SOURCE_SECRET" >&2 - exit 1 -fi - -cat <