feat: add Ariadne service and glue scheduling

2026-01-19 16:58:02 -03:00 · 2026-01-19 16:58:02 -03:00 · bb41c219f6
commit bb41c219f6
parent 791108723e
21 changed files with 685 additions and 1 deletions
--- a/scripts/dashboards_render_atlas.py
+++ b/scripts/dashboards_render_atlas.py
@ -336,6 +336,10 @@ GLUE_MISSING_ACTIVE = f"({GLUE_MISSING} unless on(namespace,cronjob) {GLUE_SUSPE
 GLUE_STALE_COUNT = f"(sum({GLUE_STALE_ACTIVE}) + count({GLUE_MISSING_ACTIVE}))"
 GLUE_MISSING_COUNT = f"count({GLUE_MISSING_ACTIVE})"
 GLUE_SUSPENDED_COUNT = f"sum({GLUE_SUSPENDED})"
+ARIADNE_TASK_ERRORS_24H = 'sum by (task) (increase(ariadne_task_runs_total{status="error"}[24h]))'
+ARIADNE_TASK_SUCCESS_24H = 'sum by (task) (increase(ariadne_task_runs_total{status="ok"}[24h]))'
+ARIADNE_SCHEDULE_LAST_SUCCESS_HOURS = "(time() - ariadne_schedule_last_success_timestamp_seconds) / 3600"
+ARIADNE_ACCESS_REQUESTS = "ariadne_access_requests_total"
 GPU_NODES = ["titan-20", "titan-21", "titan-22", "titan-24"]
 GPU_NODE_REGEX = "|".join(GPU_NODES)
 TRAEFIK_ROUTER_EXPR = "sum by (router) (rate(traefik_router_requests_total[5m]))"
@ -2230,6 +2234,39 @@ def build_testing_dashboard():
            instant=True,
        )
    )
+    panels.append(
+        table_panel(
+            7,
+            "Ariadne Task Errors (24h)",
+            ARIADNE_TASK_ERRORS_24H,
+            {"h": 6, "w": 12, "x": 0, "y": 12},
+            unit="none",
+            transformations=sort_desc,
+            instant=True,
+        )
+    )
+    panels.append(
+        table_panel(
+            8,
+            "Ariadne Schedule Last Success (hours ago)",
+            ARIADNE_SCHEDULE_LAST_SUCCESS_HOURS,
+            {"h": 6, "w": 12, "x": 12, "y": 12},
+            unit="h",
+            transformations=sort_desc,
+            instant=True,
+        )
+    )
+    panels.append(
+        table_panel(
+            9,
+            "Ariadne Access Requests",
+            ARIADNE_ACCESS_REQUESTS,
+            {"h": 4, "w": 24, "x": 0, "y": 18},
+            unit="none",
+            transformations=sort_desc,
+            instant=True,
+        )
+    )

    return {
        "uid": "atlas-testing",
--- a/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml
+++ b/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml
@ -8,6 +8,7 @@ metadata:
    atlas.bstein.dev/glue: "true"
 spec:
  schedule: "*/15 * * * *"
+  suspend: true
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
--- a/services/finance/portal-rbac.yaml
+++ b/services/finance/portal-rbac.yaml
@ -29,3 +29,17 @@ subjects:
  - kind: ServiceAccount
    name: bstein-dev-home
    namespace: bstein-dev-home
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ariadne-firefly-user-sync
+  namespace: finance
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: bstein-dev-home-firefly-user-sync
+subjects:
+  - kind: ServiceAccount
+    name: ariadne
+    namespace: maintenance
--- a/services/health/portal-rbac.yaml
+++ b/services/health/portal-rbac.yaml
@ -8,7 +8,7 @@ rules:
  - apiGroups: ["batch"]
    resources: ["cronjobs"]
    verbs: ["get"]
-    resourceNames: ["wger-user-sync"]
+    resourceNames: ["wger-user-sync", "wger-admin-ensure"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["create", "get", "list", "watch"]
@ -29,3 +29,17 @@ subjects:
  - kind: ServiceAccount
    name: bstein-dev-home
    namespace: bstein-dev-home
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ariadne-wger-user-sync
+  namespace: health
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: bstein-dev-home-wger-user-sync
+subjects:
+  - kind: ServiceAccount
+    name: ariadne
+    namespace: maintenance
--- a/services/health/wger-admin-ensure-cronjob.yaml
+++ b/services/health/wger-admin-ensure-cronjob.yaml
@ -8,6 +8,7 @@ metadata:
    atlas.bstein.dev/glue: "true"
 spec:
  schedule: "15 3 * * *"
+  suspend: true
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
--- a/services/keycloak/realm-settings-job.yaml
+++ b/services/keycloak/realm-settings-job.yaml
@ -331,6 +331,8 @@ spec:
              # Ensure basic realm groups exist for provisioning.
              ensure_group("dev")
              ensure_group("admin")
+              ensure_group("demo")
+              ensure_group("test")
              planka_group = ensure_group("planka-users")

              if planka_group and planka_group.get("id"):
--- a/services/mailu/mailu-sync-cronjob.yaml
+++ b/services/mailu/mailu-sync-cronjob.yaml
@ -8,6 +8,7 @@ metadata:
    atlas.bstein.dev/glue: "true"
 spec:
  schedule: "30 4 * * *"
+  suspend: true
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
--- a/services/maintenance/ariadne-deployment.yaml
+++ b/services/maintenance/ariadne-deployment.yaml
@ -0,0 +1,181 @@
+# services/maintenance/ariadne-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ariadne
+  namespace: maintenance
+spec:
+  replicas: 1
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: ariadne
+  template:
+    metadata:
+      labels:
+        app: ariadne
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "8080"
+        prometheus.io/path: "/metrics"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "maintenance"
+        vault.hashicorp.com/agent-inject-secret-ariadne-env.sh: "kv/data/atlas/portal/atlas-portal-db"
+        vault.hashicorp.com/agent-inject-template-ariadne-env.sh: |
+          {{ with secret "kv/data/atlas/portal/atlas-portal-db" }}
+          export PORTAL_DATABASE_URL="{{ .Data.data.PORTAL_DATABASE_URL }}"
+          {{ end }}
+          {{ with secret "kv/data/atlas/portal/bstein-dev-home-keycloak-admin" }}
+          export KEYCLOAK_ADMIN_CLIENT_SECRET="{{ .Data.data.client_secret }}"
+          {{ end }}
+          {{ with secret "kv/data/atlas/mailu/mailu-db-secret" }}
+          export MAILU_DB_NAME="{{ .Data.data.database }}"
+          export MAILU_DB_USER="{{ .Data.data.username }}"
+          export MAILU_DB_PASSWORD="{{ .Data.data.password }}"
+          {{ end }}
+          {{ with secret "kv/data/atlas/mailu/mailu-initial-account-secret" }}
+          export SMTP_HOST="mailu-front.mailu-mailserver.svc.cluster.local"
+          export SMTP_PORT="587"
+          export SMTP_STARTTLS="true"
+          export SMTP_USE_TLS="false"
+          export SMTP_USERNAME="no-reply-portal@bstein.dev"
+          export SMTP_PASSWORD="{{ .Data.data.password }}"
+          export SMTP_FROM="no-reply-portal@bstein.dev"
+          {{ end }}
+    spec:
+      serviceAccountName: ariadne
+      nodeSelector:
+        kubernetes.io/arch: arm64
+        node-role.kubernetes.io/worker: "true"
+      containers:
+        - name: ariadne
+          image: registry.bstein.dev/bstein/ariadne:0.1.0
+          imagePullPolicy: Always
+          command: ["/bin/sh", "-c"]
+          args:
+            - >-
+              . /vault/secrets/ariadne-env.sh
+              && exec uvicorn ariadne.app:app --host 0.0.0.0 --port 8080
+          ports:
+            - name: http
+              containerPort: 8080
+          env:
+            - name: KEYCLOAK_URL
+              value: https://sso.bstein.dev
+            - name: KEYCLOAK_REALM
+              value: atlas
+            - name: KEYCLOAK_CLIENT_ID
+              value: bstein-dev-home
+            - name: KEYCLOAK_ISSUER
+              value: https://sso.bstein.dev/realms/atlas
+            - name: KEYCLOAK_JWKS_URL
+              value: http://keycloak.sso.svc.cluster.local/realms/atlas/protocol/openid-connect/certs
+            - name: KEYCLOAK_ADMIN_URL
+              value: http://keycloak.sso.svc.cluster.local
+            - name: KEYCLOAK_ADMIN_REALM
+              value: atlas
+            - name: KEYCLOAK_ADMIN_CLIENT_ID
+              value: bstein-dev-home-admin
+            - name: PORTAL_PUBLIC_BASE_URL
+              value: https://bstein.dev
+            - name: PORTAL_ADMIN_USERS
+              value: bstein
+            - name: PORTAL_ADMIN_GROUPS
+              value: admin
+            - name: ACCOUNT_ALLOWED_GROUPS
+              value: dev,admin
+            - name: ALLOWED_FLAG_GROUPS
+              value: demo,test
+            - name: DEFAULT_USER_GROUPS
+              value: dev
+            - name: MAILU_DOMAIN
+              value: bstein.dev
+            - name: MAILU_SYNC_URL
+              value: http://mailu-sync-listener.mailu-mailserver.svc.cluster.local:8080/events
+            - name: MAILU_MAILBOX_WAIT_TIMEOUT_SEC
+              value: "60"
+            - name: MAILU_DB_HOST
+              value: postgres-service.postgres.svc.cluster.local
+            - name: MAILU_DB_PORT
+              value: "5432"
+            - name: NEXTCLOUD_NAMESPACE
+              value: nextcloud
+            - name: NEXTCLOUD_MAIL_SYNC_CRONJOB
+              value: nextcloud-mail-sync
+            - name: NEXTCLOUD_MAIL_SYNC_WAIT_TIMEOUT_SEC
+              value: "90"
+            - name: NEXTCLOUD_MAIL_SYNC_JOB_TTL_SEC
+              value: "3600"
+            - name: WGER_NAMESPACE
+              value: health
+            - name: WGER_USER_SYNC_CRONJOB
+              value: wger-user-sync
+            - name: WGER_ADMIN_CRONJOB
+              value: wger-admin-ensure
+            - name: WGER_USER_SYNC_WAIT_TIMEOUT_SEC
+              value: "90"
+            - name: FIREFLY_NAMESPACE
+              value: finance
+            - name: FIREFLY_USER_SYNC_CRONJOB
+              value: firefly-user-sync
+            - name: FIREFLY_USER_SYNC_WAIT_TIMEOUT_SEC
+              value: "90"
+            - name: VAULTWARDEN_NAMESPACE
+              value: vaultwarden
+            - name: VAULTWARDEN_POD_LABEL
+              value: app=vaultwarden
+            - name: VAULTWARDEN_POD_PORT
+              value: "80"
+            - name: VAULTWARDEN_SERVICE_HOST
+              value: vaultwarden-service.vaultwarden.svc.cluster.local
+            - name: VAULTWARDEN_ADMIN_SECRET_NAME
+              value: vaultwarden-admin
+            - name: VAULTWARDEN_ADMIN_SECRET_KEY
+              value: ADMIN_TOKEN
+            - name: VAULTWARDEN_ADMIN_SESSION_TTL_SEC
+              value: "900"
+            - name: VAULTWARDEN_ADMIN_RATE_LIMIT_BACKOFF_SEC
+              value: "600"
+            - name: VAULTWARDEN_RETRY_COOLDOWN_SEC
+              value: "1800"
+            - name: VAULTWARDEN_FAILURE_BAILOUT
+              value: "2"
+            - name: ARIADNE_PROVISION_POLL_INTERVAL_SEC
+              value: "5"
+            - name: ARIADNE_PROVISION_RETRY_COOLDOWN_SEC
+              value: "30"
+            - name: ARIADNE_SCHEDULE_TICK_SEC
+              value: "5"
+            - name: ARIADNE_SCHEDULE_MAILU_SYNC
+              value: "30 4 * * *"
+            - name: ARIADNE_SCHEDULE_NEXTCLOUD_SYNC
+              value: "0 5 * * *"
+            - name: ARIADNE_SCHEDULE_VAULTWARDEN_SYNC
+              value: "*/15 * * * *"
+            - name: ARIADNE_SCHEDULE_WGER_ADMIN
+              value: "15 3 * * *"
+            - name: WELCOME_EMAIL_ENABLED
+              value: "true"
+            - name: K8S_API_TIMEOUT_SEC
+              value: "5"
+            - name: METRICS_PATH
+              value: "/metrics"
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: 500m
+              memory: 512Mi
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
--- a/services/maintenance/ariadne-service.yaml
+++ b/services/maintenance/ariadne-service.yaml
@ -0,0 +1,13 @@
+# services/maintenance/ariadne-service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: ariadne
+  namespace: maintenance
+spec:
+  selector:
+    app: ariadne
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
--- a/services/maintenance/ariadne-serviceaccount.yaml
+++ b/services/maintenance/ariadne-serviceaccount.yaml
@ -0,0 +1,8 @@
+# services/maintenance/ariadne-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ariadne
+  namespace: maintenance
+imagePullSecrets:
+  - name: harbor-regcred
--- a/services/maintenance/kustomization.yaml
+++ b/services/maintenance/kustomization.yaml
@ -3,10 +3,16 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
+  - secretproviderclass.yaml
+  - vault-serviceaccount.yaml
+  - vault-sync-deployment.yaml
+  - ariadne-serviceaccount.yaml
  - disable-k3s-traefik-serviceaccount.yaml
  - k3s-traefik-cleanup-rbac.yaml
  - node-nofile-serviceaccount.yaml
  - pod-cleaner-rbac.yaml
+  - ariadne-deployment.yaml
+  - ariadne-service.yaml
  - disable-k3s-traefik-daemonset.yaml
  - k3s-traefik-cleanup-job.yaml
  - node-nofile-daemonset.yaml
--- a/services/maintenance/secretproviderclass.yaml
+++ b/services/maintenance/secretproviderclass.yaml
@ -0,0 +1,21 @@
+# services/maintenance/secretproviderclass.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: maintenance-vault
+  namespace: maintenance
+spec:
+  provider: vault
+  parameters:
+    vaultAddress: "http://vault.vault.svc.cluster.local:8200"
+    roleName: "maintenance"
+    objects: |
+      - objectName: "harbor-pull__dockerconfigjson"
+        secretPath: "kv/data/atlas/harbor-pull/maintenance"
+        secretKey: "dockerconfigjson"
+  secretObjects:
+    - secretName: harbor-regcred
+      type: kubernetes.io/dockerconfigjson
+      data:
+        - objectName: harbor-pull__dockerconfigjson
+          key: .dockerconfigjson
--- a/services/maintenance/vault-serviceaccount.yaml
+++ b/services/maintenance/vault-serviceaccount.yaml
@ -0,0 +1,6 @@
+# services/maintenance/vault-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: maintenance-vault-sync
+  namespace: maintenance
--- a/services/maintenance/vault-sync-deployment.yaml
+++ b/services/maintenance/vault-sync-deployment.yaml
@ -0,0 +1,34 @@
+# services/maintenance/vault-sync-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: maintenance-vault-sync
+  namespace: maintenance
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: maintenance-vault-sync
+  template:
+    metadata:
+      labels:
+        app: maintenance-vault-sync
+    spec:
+      serviceAccountName: maintenance-vault-sync
+      containers:
+        - name: sync
+          image: alpine:3.20
+          command: ["/bin/sh", "-c"]
+          args:
+            - "sleep infinity"
+          volumeMounts:
+            - name: vault-secrets
+              mountPath: /vault/secrets
+              readOnly: true
+      volumes:
+        - name: vault-secrets
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: maintenance-vault
--- a/services/monitoring/dashboards/atlas-testing.json
+++ b/services/monitoring/dashboards/atlas-testing.json
@ -321,6 +321,156 @@
          }
        }
      ]
+    },
+    {
+      "id": 7,
+      "type": "table",
+      "title": "Ariadne Task Errors (24h)",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "atlas-vm"
+      },
+      "gridPos": {
+        "h": 6,
+        "w": 12,
+        "x": 0,
+        "y": 12
+      },
+      "targets": [
+        {
+          "expr": "sum by (task) (increase(ariadne_task_runs_total{status=\"error\"}[24h]))",
+          "refId": "A",
+          "instant": true
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "unit": "none",
+          "custom": {
+            "filterable": true
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "showHeader": true,
+        "columnFilters": false
+      },
+      "transformations": [
+        {
+          "id": "labelsToFields",
+          "options": {}
+        },
+        {
+          "id": "sortBy",
+          "options": {
+            "fields": [
+              "Value"
+            ],
+            "order": "desc"
+          }
+        }
+      ]
+    },
+    {
+      "id": 8,
+      "type": "table",
+      "title": "Ariadne Schedule Last Success (hours ago)",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "atlas-vm"
+      },
+      "gridPos": {
+        "h": 6,
+        "w": 12,
+        "x": 12,
+        "y": 12
+      },
+      "targets": [
+        {
+          "expr": "(time() - ariadne_schedule_last_success_timestamp_seconds) / 3600",
+          "refId": "A",
+          "instant": true
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "unit": "h",
+          "custom": {
+            "filterable": true
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "showHeader": true,
+        "columnFilters": false
+      },
+      "transformations": [
+        {
+          "id": "labelsToFields",
+          "options": {}
+        },
+        {
+          "id": "sortBy",
+          "options": {
+            "fields": [
+              "Value"
+            ],
+            "order": "desc"
+          }
+        }
+      ]
+    },
+    {
+      "id": 9,
+      "type": "table",
+      "title": "Ariadne Access Requests",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "atlas-vm"
+      },
+      "gridPos": {
+        "h": 4,
+        "w": 24,
+        "x": 0,
+        "y": 18
+      },
+      "targets": [
+        {
+          "expr": "ariadne_access_requests_total",
+          "refId": "A",
+          "instant": true
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "unit": "none",
+          "custom": {
+            "filterable": true
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "showHeader": true,
+        "columnFilters": false
+      },
+      "transformations": [
+        {
+          "id": "labelsToFields",
+          "options": {}
+        },
+        {
+          "id": "sortBy",
+          "options": {
+            "fields": [
+              "Value"
+            ],
+            "order": "desc"
+          }
+        }
+      ]
    }
  ],
  "time": {
--- a/services/monitoring/grafana-dashboard-testing.yaml
+++ b/services/monitoring/grafana-dashboard-testing.yaml
@ -330,6 +330,156 @@ data:
              }
            }
          ]
+        },
+        {
+          "id": 7,
+          "type": "table",
+          "title": "Ariadne Task Errors (24h)",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "atlas-vm"
+          },
+          "gridPos": {
+            "h": 6,
+            "w": 12,
+            "x": 0,
+            "y": 12
+          },
+          "targets": [
+            {
+              "expr": "sum by (task) (increase(ariadne_task_runs_total{status=\"error\"}[24h]))",
+              "refId": "A",
+              "instant": true
+            }
+          ],
+          "fieldConfig": {
+            "defaults": {
+              "unit": "none",
+              "custom": {
+                "filterable": true
+              }
+            },
+            "overrides": []
+          },
+          "options": {
+            "showHeader": true,
+            "columnFilters": false
+          },
+          "transformations": [
+            {
+              "id": "labelsToFields",
+              "options": {}
+            },
+            {
+              "id": "sortBy",
+              "options": {
+                "fields": [
+                  "Value"
+                ],
+                "order": "desc"
+              }
+            }
+          ]
+        },
+        {
+          "id": 8,
+          "type": "table",
+          "title": "Ariadne Schedule Last Success (hours ago)",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "atlas-vm"
+          },
+          "gridPos": {
+            "h": 6,
+            "w": 12,
+            "x": 12,
+            "y": 12
+          },
+          "targets": [
+            {
+              "expr": "(time() - ariadne_schedule_last_success_timestamp_seconds) / 3600",
+              "refId": "A",
+              "instant": true
+            }
+          ],
+          "fieldConfig": {
+            "defaults": {
+              "unit": "h",
+              "custom": {
+                "filterable": true
+              }
+            },
+            "overrides": []
+          },
+          "options": {
+            "showHeader": true,
+            "columnFilters": false
+          },
+          "transformations": [
+            {
+              "id": "labelsToFields",
+              "options": {}
+            },
+            {
+              "id": "sortBy",
+              "options": {
+                "fields": [
+                  "Value"
+                ],
+                "order": "desc"
+              }
+            }
+          ]
+        },
+        {
+          "id": 9,
+          "type": "table",
+          "title": "Ariadne Access Requests",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "atlas-vm"
+          },
+          "gridPos": {
+            "h": 4,
+            "w": 24,
+            "x": 0,
+            "y": 18
+          },
+          "targets": [
+            {
+              "expr": "ariadne_access_requests_total",
+              "refId": "A",
+              "instant": true
+            }
+          ],
+          "fieldConfig": {
+            "defaults": {
+              "unit": "none",
+              "custom": {
+                "filterable": true
+              }
+            },
+            "overrides": []
+          },
+          "options": {
+            "showHeader": true,
+            "columnFilters": false
+          },
+          "transformations": [
+            {
+              "id": "labelsToFields",
+              "options": {}
+            },
+            {
+              "id": "sortBy",
+              "options": {
+                "fields": [
+                  "Value"
+                ],
+                "order": "desc"
+              }
+            }
+          ]
        }
      ],
      "time": {
--- a/services/nextcloud-mail-sync/cronjob.yaml
+++ b/services/nextcloud-mail-sync/cronjob.yaml
@ -8,6 +8,7 @@ metadata:
    atlas.bstein.dev/glue: "true"
 spec:
  schedule: "0 5 * * *"
+  suspend: true
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 1
--- a/services/nextcloud-mail-sync/portal-rbac.yaml
+++ b/services/nextcloud-mail-sync/portal-rbac.yaml
@ -27,3 +27,16 @@ subjects:
  - kind: ServiceAccount
    name: bstein-dev-home
    namespace: bstein-dev-home
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ariadne-nextcloud-mail-sync
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: bstein-dev-home-nextcloud-mail-sync
+subjects:
+  - kind: ServiceAccount
+    name: ariadne
+    namespace: maintenance
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@ -230,6 +230,8 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
  "crypto/* harbor-pull/crypto" ""
 write_policy_and_role "health" "health" "health-vault-sync" \
  "health/*" ""
+write_policy_and_role "maintenance" "maintenance" "ariadne" \
+  "portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret harbor-pull/maintenance" ""
 write_policy_and_role "finance" "finance" "finance-vault" \
  "finance/* shared/postmark-relay" ""
 write_policy_and_role "finance-secrets" "finance" "finance-secrets-ensure" \
--- a/services/vaultwarden/ariadne-rbac.yaml
+++ b/services/vaultwarden/ariadne-rbac.yaml
@ -0,0 +1,28 @@
+# services/vaultwarden/ariadne-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ariadne-vaultwarden-admin-reader
+  namespace: vaultwarden
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]
+    resourceNames: ["vaultwarden-admin"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ariadne-vaultwarden-admin-reader
+  namespace: vaultwarden
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ariadne-vaultwarden-admin-reader
+subjects:
+  - kind: ServiceAccount
+    name: ariadne
+    namespace: maintenance
--- a/services/vaultwarden/kustomization.yaml
+++ b/services/vaultwarden/kustomization.yaml
@ -5,6 +5,7 @@ namespace: vaultwarden
 resources:
  - namespace.yaml
  - serviceaccount.yaml
+  - ariadne-rbac.yaml
  - pvc.yaml
  - deployment.yaml
  - service.yaml