maintenance: extend Ariadne schedules and RBAC

Brad Stein 2026-01-20 03:01:59 -03:00
parent 95a7ac235f
commit e2e7e58f32
6 changed files with 67 additions and 1 deletions


@ -8,7 +8,7 @@ metadata:
atlas.bstein.dev/glue: "true"
spec:
schedule: "*/1 * * * *"
suspend: false
suspend: true
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
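Review bot: Reading `suspend: true` as the new value, the CronJob controller no longer starts Jobs here, so the `concurrencyPolicy: Forbid` on the next line stops protecting against overlapping runs; that policy only governs Jobs the controller itself creates. If Ariadne now creates Jobs from this template on its own `*/1` schedule (inferred from the commit title; the scheduler code is not on this page), overlap has to be prevented on the Ariadne side. A comment would record the intent, for example `suspend: true  # triggered by Ariadne; concurrencyPolicy is not enforced for Jobs created outside the CronJob controller`. The same applies to the two `*/15` CronJobs later in this commit that gain `suspend: true`. The spec continues outside the hunk.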


@ -78,6 +78,8 @@ spec:
value: bstein-dev-home-admin
- name: PORTAL_PUBLIC_BASE_URL
value: https://bstein.dev
- name: ARIADNE_LOG_LEVEL
value: INFO
- name: PORTAL_ADMIN_USERS
value: bstein
- name: PORTAL_ADMIN_GROUPS
@ -120,6 +122,26 @@ spec:
value: firefly-user-sync
- name: FIREFLY_USER_SYNC_WAIT_TIMEOUT_SEC
value: "90"
- name: VAULT_NAMESPACE
value: vault
- name: VAULT_K8S_AUTH_CRONJOB
value: vault-k8s-auth-config
- name: VAULT_OIDC_CRONJOB
value: vault-oidc-config
- name: VAULT_JOB_WAIT_TIMEOUT_SEC
value: "120"
- name: COMMS_NAMESPACE
value: comms
- name: COMMS_GUEST_NAME_CRONJOB
value: guest-name-randomizer
- name: COMMS_PIN_INVITE_CRONJOB
value: pin-othrys-invite
- name: COMMS_RESET_ROOM_CRONJOB
value: othrys-room-reset
- name: COMMS_SEED_ROOM_CRONJOB
value: seed-othrys-room
- name: COMMS_JOB_WAIT_TIMEOUT_SEC
value: "60"
- name: VAULTWARDEN_NAMESPACE
value: vaultwarden
- name: VAULTWARDEN_POD_LABEL
@ -154,6 +176,18 @@ spec:
value: "*/15 * * * *"
- name: ARIADNE_SCHEDULE_WGER_ADMIN
value: "15 3 * * *"
- name: ARIADNE_SCHEDULE_VAULT_K8S_AUTH
value: "*/15 * * * *"
- name: ARIADNE_SCHEDULE_VAULT_OIDC
value: "*/15 * * * *"
- name: ARIADNE_SCHEDULE_COMMS_GUEST_NAME
value: "*/1 * * * *"
- name: ARIADNE_SCHEDULE_COMMS_PIN_INVITE
value: "*/30 * * * *"
- name: ARIADNE_SCHEDULE_COMMS_RESET_ROOM
value: "0 0 1 1 *"
- name: ARIADNE_SCHEDULE_COMMS_SEED_ROOM
value: "*/10 * * * *"
- name: WELCOME_EMAIL_ENABLED
value: "true"
- name: K8S_API_TIMEOUT_SEC
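Review bot: `COMMS_JOB_WAIT_TIMEOUT_SEC` is `"60"` while `ARIADNE_SCHEDULE_COMMS_GUEST_NAME` fires every minute, so a guest-name job that runs up to the wait limit is still being awaited when the next trigger is due. How Ariadne treats a trigger while the previous job is pending is not visible in these hunks; if it does not skip, jobs can pile up. Either set the timeout below the interval, e.g. `value: "45"`, or add a comment stating that the scheduler skips overlapping runs. `ARIADNE_SCHEDULE_COMMS_RESET_ROOM` at `"0 0 1 1 *"` (once a year) would also benefit from a one-line comment confirming the yearly reset is intended. The env list continues outside the last hunk.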


@ -0,0 +1,29 @@
# services/maintenance/ariadne-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ariadne-job-spawner
rules:
- apiGroups: ["batch"]
resources:
- cronjobs
- jobs
verbs:
- get
- list
- watch
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ariadne-job-spawner
subjects:
- kind: ServiceAccount
name: ariadne
namespace: maintenance
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ariadne-job-spawner
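Review bot: The `ClusterRoleBinding` gives the `ariadne` service account `create` on `jobs` and `cronjobs` in every namespace, which is much wider than the namespaces the deployment env names (`vault`, `comms`, and the ones in context). A subject that can create Jobs in a namespace can run a pod under any service account there and mount that namespace's secrets, so this binding makes a compromise of Ariadne a cluster-wide problem. Keep the `ClusterRole` as a reusable definition but bind it with a `RoleBinding` in each target namespace. Also drop `create` on `cronjobs` if Ariadne only spawns Jobs from existing CronJobs; this is inferred from the role name, so confirm it against the scheduler code. The fence shows the narrowed rules and one binding for `vault`, to be repeated per namespace.

```yaml
rules:
  - apiGroups: ["batch"]
    resources: ["cronjobs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "create"]
---
# One RoleBinding per namespace Ariadne triggers jobs in (vault shown).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ariadne-job-spawner
  namespace: vault
# … unchanged: subjects (ServiceAccount ariadne/maintenance) and roleRef …
```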


@ -8,6 +8,7 @@ resources:
- vault-serviceaccount.yaml
- vault-sync-deployment.yaml
- ariadne-serviceaccount.yaml
- ariadne-rbac.yaml
- disable-k3s-traefik-serviceaccount.yaml
- k3s-traefik-cleanup-rbac.yaml
- node-nofile-serviceaccount.yaml


@ -8,6 +8,7 @@ metadata:
atlas.bstein.dev/glue: "true"
spec:
schedule: "*/15 * * * *"
suspend: true
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 3


@ -8,6 +8,7 @@ metadata:
atlas.bstein.dev/glue: "true"
spec:
schedule: "*/15 * * * *"
suspend: true
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 3