bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: bstein:d5a19ca9c3c17b8bfbfd9ca160654e9283cd122b
Branches Tags
bstein:main
bstein:feature/ariadne
bstein:feature/pi-usb-scratch-rollout
bstein:feature/sso-hardening
bstein:codex/titan-iac-work-quality-gate
bstein:codex/titan-iac-main-platform-metrics
bstein:codex/titan-iac-platform-metrics
bstein:feature/atlas-jobs-schedule-observability
bstein:lane2/jenkins-cleanup-activate
bstein:lane2/jenkins-cleanup-wiring-split
bstein:codex-ananke-fixes
bstein:feature/atlasbot-ananke-recovery
bstein:feature/atlasbot
bstein:feature/ci-gitops
bstein:deploy
bstein:feature/vault-consumption
bstein:feature/postgres-migration
bstein:feature/bstein-dev-home
bstein:feature/mailu
bstein:feature/sso
bstein:feature/atlas-monitoring
bstein:restructure/hybrid-clusters
bstein:fea/titan24-gpu
..
compare: bstein:aaf7e236035e1ae2bd82f3944f3dfddbe062f59b
Branches Tags
bstein:main
bstein:feature/ariadne
bstein:feature/pi-usb-scratch-rollout
bstein:feature/sso-hardening
bstein:codex/titan-iac-work-quality-gate
bstein:codex/titan-iac-main-platform-metrics
bstein:codex/titan-iac-platform-metrics
bstein:feature/atlas-jobs-schedule-observability
bstein:lane2/jenkins-cleanup-activate
bstein:lane2/jenkins-cleanup-wiring-split
bstein:codex-ananke-fixes
bstein:feature/atlasbot-ananke-recovery
bstein:feature/atlasbot
bstein:feature/ci-gitops
bstein:deploy
bstein:feature/vault-consumption
bstein:feature/postgres-migration
bstein:feature/bstein-dev-home
bstein:feature/mailu
bstein:feature/sso
bstein:feature/atlas-monitoring
bstein:restructure/hybrid-clusters
bstein:fea/titan24-gpu

No commits in common. "d5a19ca9c3c17b8bfbfd9ca160654e9283cd122b" and "aaf7e236035e1ae2bd82f3944f3dfddbe062f59b" have entirely different histories.
d5a19ca9c3 ... aaf7e23603

7 changed files with 4 additions and 70 deletions
Show Stats Expand all files Collapse all files

4
services/bstein-dev-home/backend-deployment.yaml
View File

@ -38,9 +38,9 @@ spec:
export SMTP_PORT="587"
export SMTP_STARTTLS="true"
export SMTP_USE_TLS="false"
export SMTP_USERNAME="no-reply-portal@bstein.dev"
export SMTP_USERNAME="test@bstein.dev"
export SMTP_PASSWORD="{{ .Data.data.password }}"
export SMTP_FROM="no-reply-portal@bstein.dev"
export SMTP_FROM="test@bstein.dev"
{{ end }}
spec:
automountServiceAccountToken: true

26
services/bstein-dev-home/scripts/test_portal_onboarding_flow.py
View File

@ -65,23 +65,6 @@ def _get_json(url: str, headers: dict[str, str] | None = None, timeout_s: int =
raise SystemExit(f"HTTP {exc.code} from {url}: {raw}")
def _wait_for_portal_ready(base_url: str, timeout_s: int = 60) -> None:
health_url = f"{base_url.rstrip('/')}/api/healthz"
deadline_at = time.monotonic() + timeout_s
last_error = None
while time.monotonic() < deadline_at:
try:
req = urllib.request.Request(health_url, method="GET")
with urllib.request.urlopen(req, timeout=10) as resp:
if resp.status == 200:
return
except Exception as exc:
last_error = str(exc)
time.sleep(2)
suffix = f" (last_error={last_error})" if last_error else ""
raise SystemExit(f"portal health check timed out{suffix}")
def _request_json(
method: str,
url: str,
@ -252,7 +235,6 @@ def _imap_wait_for_verify_token(
def main() -> int:
portal_base = _env("PORTAL_BASE_URL").rstrip("/")
portal_ready_timeout = int(os.environ.get("E2E_PORTAL_READY_TIMEOUT_SECONDS", "60"))
keycloak_base = _env("KEYCLOAK_ADMIN_URL").rstrip("/")
realm = _env("KEYCLOAK_REALM", "atlas")
@ -292,8 +274,6 @@ def main() -> int:
if not mailu_password:
raise SystemExit(f"Keycloak user {imap_keycloak_username!r} missing mailu_app_password attribute")
_wait_for_portal_ready(portal_base, timeout_s=portal_ready_timeout)
username_prefix = os.environ.get("E2E_USERNAME_PREFIX", "e2e-user")
now = int(time.time())
username = f"{username_prefix}-{now}"
@ -356,8 +336,6 @@ def main() -> int:
except SystemExit as exc:
raise SystemExit(f"failed to exchange token for portal approval as {portal_admin_username!r}: {exc}")
_wait_for_portal_ready(portal_base, timeout_s=portal_ready_timeout)
approve_url = f"{portal_base}/api/admin/access/requests/{urllib.parse.quote(username, safe='')}/approve"
approve_timeout_s = int(os.environ.get("E2E_APPROVE_TIMEOUT_SECONDS", "180"))
approve_attempts = int(os.environ.get("E2E_APPROVE_ATTEMPTS", "3"))
@ -370,10 +348,6 @@ def main() -> int:
break
except (http.client.RemoteDisconnected, TimeoutError, urllib.error.URLError) as exc:
approve_error = str(exc)
try:
_wait_for_portal_ready(portal_base, timeout_s=min(30, portal_ready_timeout))
except SystemExit:
pass
if attempt == approve_attempts:
break
time.sleep(3)

5
services/mailu/mailu-sync-cronjob.yaml
View File

@ -32,9 +32,6 @@ spec:
vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-secret: "kv/data/atlas/mailu/mailu-sync-credentials"
vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-secret: |
{{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-secret" }}{{- end -}}
vault.hashicorp.com/agent-inject-secret-mailu-initial-account-secret__password: "kv/data/atlas/mailu/mailu-initial-account-secret"
vault.hashicorp.com/agent-inject-template-mailu-initial-account-secret__password: |
{{- with secret "kv/data/atlas/mailu/mailu-initial-account-secret" -}}{{ .Data.data.password }}{{- end -}}
spec:
restartPolicy: OnFailure
serviceAccountName: mailu-vault-sync
@ -58,8 +55,6 @@ spec:
value: bstein.dev
- name: MAILU_DEFAULT_QUOTA
value: "20000000000"
- name: MAILU_SYSTEM_USERS
value: no-reply-portal@bstein.dev
- name: MAILU_DB_HOST
value: postgres-service.postgres.svc.cluster.local
- name: MAILU_DB_PORT

7
services/mailu/mailu-sync-job.yaml
View File

@ -2,7 +2,7 @@
apiVersion: batch/v1
kind: Job
metadata:
name: mailu-sync-8
name: mailu-sync-7
namespace: mailu-mailserver
spec:
template:
@ -26,9 +26,6 @@ spec:
vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-secret: "kv/data/atlas/mailu/mailu-sync-credentials"
vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-secret: |
{{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-secret" }}{{- end -}}
vault.hashicorp.com/agent-inject-secret-mailu-initial-account-secret__password: "kv/data/atlas/mailu/mailu-initial-account-secret"
vault.hashicorp.com/agent-inject-template-mailu-initial-account-secret__password: |
{{- with secret "kv/data/atlas/mailu/mailu-initial-account-secret" -}}{{ .Data.data.password }}{{- end -}}
spec:
restartPolicy: OnFailure
affinity:
@ -66,8 +63,6 @@ spec:
value: bstein.dev
- name: MAILU_DEFAULT_QUOTA
value: "20000000000"
- name: MAILU_SYSTEM_USERS
value: no-reply-portal@bstein.dev
- name: MAILU_DB_HOST
value: postgres-service.postgres.svc.cluster.local
- name: MAILU_DB_PORT

5
services/mailu/mailu-sync-listener.yaml
View File

@ -46,9 +46,6 @@ spec:
vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-secret: "kv/data/atlas/mailu/mailu-sync-credentials"
vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-secret: |
{{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-secret" }}{{- end -}}
vault.hashicorp.com/agent-inject-secret-mailu-initial-account-secret__password: "kv/data/atlas/mailu/mailu-initial-account-secret"
vault.hashicorp.com/agent-inject-template-mailu-initial-account-secret__password: |
{{- with secret "kv/data/atlas/mailu/mailu-initial-account-secret" -}}{{ .Data.data.password }}{{- end -}}
spec:
restartPolicy: Always
serviceAccountName: mailu-vault-sync
@ -72,8 +69,6 @@ spec:
value: bstein.dev
- name: MAILU_DEFAULT_QUOTA
value: "20000000000"
- name: MAILU_SYSTEM_USERS
value: no-reply-portal@bstein.dev
- name: MAILU_DB_HOST
value: postgres-service.postgres.svc.cluster.local
- name: MAILU_DB_PORT

26
services/mailu/scripts/mailu_sync.py
View File

@ -27,12 +27,6 @@ MAILU_DOMAIN = os.environ["MAILU_DOMAIN"]
MAILU_DEFAULT_QUOTA = int(os.environ.get("MAILU_DEFAULT_QUOTA", "20000000000"))
MAILU_ENABLED_ATTR = os.environ.get("MAILU_ENABLED_ATTR", "mailu_enabled")
MAILU_EMAIL_ATTR = "mailu_email"
MAILU_SYSTEM_USERS = [
item.strip()
for item in os.environ.get("MAILU_SYSTEM_USERS", "").split(",")
if item.strip()
]
MAILU_SYSTEM_PASSWORD = os.environ.get("MAILU_SYSTEM_PASSWORD", "").strip()
DB_CONFIG = {
"host": os.environ["MAILU_DB_HOST"],
@ -219,26 +213,10 @@ def ensure_mailu_user(cursor, email, password, display_name):
)
def ensure_system_mailboxes(cursor):
if not MAILU_SYSTEM_USERS:
return
if not MAILU_SYSTEM_PASSWORD:
log("MAILU_SYSTEM_USERS set but MAILU_SYSTEM_PASSWORD is missing; skipping system mailboxes")
return
for email in MAILU_SYSTEM_USERS:
localpart = email.split("@", 1)[0] if "@" in email else email
try:
ensure_mailu_user(cursor, email, MAILU_SYSTEM_PASSWORD, localpart)
log(f"Ensured system mailbox for {email}")
except Exception as exc:
log(f"Failed to ensure system mailbox {email}: {exc}")
def main():
token = retry_request("Keycloak token", get_kc_token)
users = retry_request("Keycloak user list", lambda: kc_get_users(token))
if not users and not MAILU_SYSTEM_USERS:
if not users:
log("No users found; exiting.")
return
@ -279,8 +257,6 @@ def main():
ensure_mailu_user(cursor, mailu_email, app_pw, display_name)
log(f"Synced mailbox for {mailu_email}")
ensure_system_mailboxes(cursor)
cursor.close()
conn.close()

1
services/mailu/scripts/mailu_vault_env.sh
View File

@ -12,4 +12,3 @@ export MAILU_DB_USER="$(read_secret mailu-db-secret__username)"
export MAILU_DB_PASSWORD="$(read_secret mailu-db-secret__password)"
export KEYCLOAK_CLIENT_ID="$(read_secret mailu-sync-credentials__client-id)"
export KEYCLOAK_CLIENT_SECRET="$(read_secret mailu-sync-credentials__client-secret)"
export MAILU_SYSTEM_PASSWORD="$(read_secret mailu-initial-account-secret__password)"