maintenance: extend Ariadne schedules and RBAC
parent
95a7ac235f
commit
e2e7e58f32
@ -8,7 +8,7 @@ metadata:
|
|||||||
atlas.bstein.dev/glue: "true"
|
atlas.bstein.dev/glue: "true"
|
||||||
spec:
|
spec:
|
||||||
schedule: "*/1 * * * *"
|
schedule: "*/1 * * * *"
|
||||||
suspend: false
|
suspend: true
|
||||||
concurrencyPolicy: Forbid
|
concurrencyPolicy: Forbid
|
||||||
successfulJobsHistoryLimit: 1
|
successfulJobsHistoryLimit: 1
|
||||||
failedJobsHistoryLimit: 1
|
failedJobsHistoryLimit: 1
|
||||||
|
|||||||
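Review bot: `concurrencyPolicy: Forbid` no longer protects this every-minute job once `suspend: true` is set, because the CronJob controller stops starting runs and so never applies the policy. Overlap protection now has to come from whatever creates the Jobs, presumably Ariadne, given the `ARIADNE_SCHEDULE_*` variables and the `ariadne-job-spawner` role added in this commit. The same holds for the two `*/15` CronJobs that gain `suspend: true` in the later `-8,6 +8,7` hunks. A comment above the field would stop someone from unsuspending it and getting double runs, for example `# suspended on purpose: Ariadne creates Jobs from this template on its own schedule`. The manifest continues outside the hunk, so an existing comment to that effect would not be visible here.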
@ -78,6 +78,8 @@ spec:
|
|||||||
value: bstein-dev-home-admin
|
value: bstein-dev-home-admin
|
||||||
- name: PORTAL_PUBLIC_BASE_URL
|
- name: PORTAL_PUBLIC_BASE_URL
|
||||||
value: https://bstein.dev
|
value: https://bstein.dev
|
||||||
|
- name: ARIADNE_LOG_LEVEL
|
||||||
|
value: INFO
|
||||||
- name: PORTAL_ADMIN_USERS
|
- name: PORTAL_ADMIN_USERS
|
||||||
value: bstein
|
value: bstein
|
||||||
- name: PORTAL_ADMIN_GROUPS
|
- name: PORTAL_ADMIN_GROUPS
|
||||||
@ -120,6 +122,26 @@ spec:
|
|||||||
value: firefly-user-sync
|
value: firefly-user-sync
|
||||||
- name: FIREFLY_USER_SYNC_WAIT_TIMEOUT_SEC
|
- name: FIREFLY_USER_SYNC_WAIT_TIMEOUT_SEC
|
||||||
value: "90"
|
value: "90"
|
||||||
|
- name: VAULT_NAMESPACE
|
||||||
|
value: vault
|
||||||
|
- name: VAULT_K8S_AUTH_CRONJOB
|
||||||
|
value: vault-k8s-auth-config
|
||||||
|
- name: VAULT_OIDC_CRONJOB
|
||||||
|
value: vault-oidc-config
|
||||||
|
- name: VAULT_JOB_WAIT_TIMEOUT_SEC
|
||||||
|
value: "120"
|
||||||
|
- name: COMMS_NAMESPACE
|
||||||
|
value: comms
|
||||||
|
- name: COMMS_GUEST_NAME_CRONJOB
|
||||||
|
value: guest-name-randomizer
|
||||||
|
- name: COMMS_PIN_INVITE_CRONJOB
|
||||||
|
value: pin-othrys-invite
|
||||||
|
- name: COMMS_RESET_ROOM_CRONJOB
|
||||||
|
value: othrys-room-reset
|
||||||
|
- name: COMMS_SEED_ROOM_CRONJOB
|
||||||
|
value: seed-othrys-room
|
||||||
|
- name: COMMS_JOB_WAIT_TIMEOUT_SEC
|
||||||
|
value: "60"
|
||||||
- name: VAULTWARDEN_NAMESPACE
|
- name: VAULTWARDEN_NAMESPACE
|
||||||
value: vaultwarden
|
value: vaultwarden
|
||||||
- name: VAULTWARDEN_POD_LABEL
|
- name: VAULTWARDEN_POD_LABEL
|
||||||
@ -154,6 +176,18 @@ spec:
|
|||||||
value: "*/15 * * * *"
|
value: "*/15 * * * *"
|
||||||
- name: ARIADNE_SCHEDULE_WGER_ADMIN
|
- name: ARIADNE_SCHEDULE_WGER_ADMIN
|
||||||
value: "15 3 * * *"
|
value: "15 3 * * *"
|
||||||
|
- name: ARIADNE_SCHEDULE_VAULT_K8S_AUTH
|
||||||
|
value: "*/15 * * * *"
|
||||||
|
- name: ARIADNE_SCHEDULE_VAULT_OIDC
|
||||||
|
value: "*/15 * * * *"
|
||||||
|
- name: ARIADNE_SCHEDULE_COMMS_GUEST_NAME
|
||||||
|
value: "*/1 * * * *"
|
||||||
|
- name: ARIADNE_SCHEDULE_COMMS_PIN_INVITE
|
||||||
|
value: "*/30 * * * *"
|
||||||
|
- name: ARIADNE_SCHEDULE_COMMS_RESET_ROOM
|
||||||
|
value: "0 0 1 1 *"
|
||||||
|
- name: ARIADNE_SCHEDULE_COMMS_SEED_ROOM
|
||||||
|
value: "*/10 * * * *"
|
||||||
- name: WELCOME_EMAIL_ENABLED
|
- name: WELCOME_EMAIL_ENABLED
|
||||||
value: "true"
|
value: "true"
|
||||||
- name: K8S_API_TIMEOUT_SEC
|
- name: K8S_API_TIMEOUT_SEC
|
||||||
|
|||||||
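Review bot: The `ARIADNE_SCHEDULE_*` values added at +176 appear to repeat the `schedule:` kept in the suspended CronJobs (`*/1` and `*/15` are visible in the other sections), so the same cadence now lives in two places with nothing saying which one is live. `ARIADNE_SCHEDULE_COMMS_RESET_ROOM` is `"0 0 1 1 *"`, which fires once a year at midnight on 1 January. If that is meant to park what is presumably a destructive room reset rather than run it annually, a comment should say so, for example `# effectively disabled: fires only at 00:00 on 1 Jan`. The env list continues past the end of the hunk.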
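--- /dev/null
+++ b/services/maintenance/ariadne-rbac.yaml
@@ -0,0 +1,29 @@
+# services/maintenance/ariadne-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: ariadne-job-spawner
+rules:
+- apiGroups: ["batch"]
+resources:
+- cronjobs
+- jobs
+verbs:
+- get
+- list
+- watch
+- create
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: ariadne-job-spawner
+subjects:
+- kind: ServiceAccount
+name: ariadne
+namespace: maintenance
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: ariadne-job-spawner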
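Review bot: The `ClusterRoleBinding` gives the `ariadne` ServiceAccount `create` on `jobs` and `cronjobs` in every namespace, and whoever creates a Job chooses its pod spec, including the ServiceAccount it runs as and the Secrets it mounts in that namespace. The deployment env in this commit names only `vault` and `comms` as new target namespaces, so a namespaced `Role` plus `RoleBinding` in each target namespace would cover the same use with far less reach. If Ariadne only instantiates Jobs from existing CronJob templates, `cronjobs` needs just `get`/`list`/`watch`, and `create` can be limited to `jobs`. Other namespaces Ariadne already drives are not visible in this hunk, so the sketch below has to be repeated for each of them from the full manifest.

```yaml
# one Role + RoleBinding per target namespace (vault shown; repeat for comms, etc.)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ariadne-job-spawner
  namespace: vault
rules:
  # read-only on the templates
  - apiGroups: ["batch"]
    resources: ["cronjobs"]
    verbs: ["get", "list", "watch"]
  # create limited to Jobs, and only inside this namespace
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ariadne-job-spawner
  namespace: vault
# … unchanged: subjects (ServiceAccount ariadne in maintenance) …
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ariadne-job-spawner
```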
@ -8,6 +8,7 @@ resources:
|
|||||||
- vault-serviceaccount.yaml
|
- vault-serviceaccount.yaml
|
||||||
- vault-sync-deployment.yaml
|
- vault-sync-deployment.yaml
|
||||||
- ariadne-serviceaccount.yaml
|
- ariadne-serviceaccount.yaml
|
||||||
|
- ariadne-rbac.yaml
|
||||||
- disable-k3s-traefik-serviceaccount.yaml
|
- disable-k3s-traefik-serviceaccount.yaml
|
||||||
- k3s-traefik-cleanup-rbac.yaml
|
- k3s-traefik-cleanup-rbac.yaml
|
||||||
- node-nofile-serviceaccount.yaml
|
- node-nofile-serviceaccount.yaml
|
||||||
|
|||||||
@ -8,6 +8,7 @@ metadata:
|
|||||||
atlas.bstein.dev/glue: "true"
|
atlas.bstein.dev/glue: "true"
|
||||||
spec:
|
spec:
|
||||||
schedule: "*/15 * * * *"
|
schedule: "*/15 * * * *"
|
||||||
|
suspend: true
|
||||||
concurrencyPolicy: Forbid
|
concurrencyPolicy: Forbid
|
||||||
successfulJobsHistoryLimit: 1
|
successfulJobsHistoryLimit: 1
|
||||||
failedJobsHistoryLimit: 3
|
failedJobsHistoryLimit: 3
|
||||||
|
|||||||
@ -8,6 +8,7 @@ metadata:
|
|||||||
atlas.bstein.dev/glue: "true"
|
atlas.bstein.dev/glue: "true"
|
||||||
spec:
|
spec:
|
||||||
schedule: "*/15 * * * *"
|
schedule: "*/15 * * * *"
|
||||||
|
suspend: true
|
||||||
concurrencyPolicy: Forbid
|
concurrencyPolicy: Forbid
|
||||||
successfulJobsHistoryLimit: 1
|
successfulJobsHistoryLimit: 1
|
||||||
failedJobsHistoryLimit: 3
|
failedJobsHistoryLimit: 3
|
||||||
|
|||||||