# services/maintenance/ariadne-deployment.yaml
#
# Deployment for the "ariadne" maintenance service in the `maintenance`
# namespace. No credentials are stored in this manifest: the Vault Agent
# injector renders them into /vault/secrets/ariadne-env.sh (see the
# agent-inject-template annotation), and the container sources that file
# before exec'ing uvicorn. Everything under `env:` is non-secret tuning.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ariadne
  namespace: maintenance
spec:
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: ariadne
  template:
    metadata:
      labels:
        app: ariadne
      annotations:
        # Prometheus scrape target; the same path is exported as METRICS_PATH below.
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
        # Vault Agent sidecar injection. The `maintenance` Vault role has to be
        # allowed to read every kv path referenced in the template below.
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "maintenance"
        vault.hashicorp.com/agent-inject-secret-ariadne-env.sh: "kv/data/atlas/maintenance/ariadne-db"
        # Rendered to /vault/secrets/ariadne-env.sh and sourced by /bin/sh in
        # the container command. Secret values are placed inside double quotes,
        # so a stored value containing `"`, `$` or a backtick would be
        # interpreted by the shell when the file is sourced.
        # NOTE(review): confirm those characters cannot occur in the referenced
        # secrets, or render them in a way the shell does not expand.
        vault.hashicorp.com/agent-inject-template-ariadne-env.sh: |
          {{ with secret "kv/data/atlas/maintenance/ariadne-db" }}
          export ARIADNE_DATABASE_URL="{{ .Data.data.database_url }}"
          {{ end }}
          {{ with secret "kv/data/atlas/portal/atlas-portal-db" }}
          export PORTAL_DATABASE_URL="{{ .Data.data.PORTAL_DATABASE_URL }}"
          {{ end }}
          {{ with secret "kv/data/atlas/portal/bstein-dev-home-keycloak-admin" }}
          export KEYCLOAK_ADMIN_CLIENT_SECRET="{{ .Data.data.client_secret }}"
          {{ end }}
          {{ with secret "kv/data/atlas/nextcloud/nextcloud-db" }}
          export NEXTCLOUD_DB_NAME="{{ .Data.data.database }}"
          export NEXTCLOUD_DB_USER="{{ index .Data.data "db-username" }}"
          export NEXTCLOUD_DB_PASSWORD="{{ index .Data.data "db-password" }}"
          {{ end }}
          {{ with secret "kv/data/atlas/nextcloud/nextcloud-admin" }}
          export NEXTCLOUD_ADMIN_USER="{{ index .Data.data "admin-user" }}"
          export NEXTCLOUD_ADMIN_PASSWORD="{{ index .Data.data "admin-password" }}"
          {{ end }}
          {{ with secret "kv/data/atlas/health/wger-admin" }}
          export WGER_ADMIN_USERNAME="{{ .Data.data.username }}"
          export WGER_ADMIN_PASSWORD="{{ .Data.data.password }}"
          {{ end }}
          {{ with secret "kv/data/atlas/finance/firefly-secrets" }}
          export FIREFLY_CRON_TOKEN="{{ .Data.data.STATIC_CRON_TOKEN }}"
          {{ end }}
          {{ with secret "kv/data/atlas/mailu/mailu-db-secret" }}
          export MAILU_DB_NAME="{{ .Data.data.database }}"
          export MAILU_DB_USER="{{ .Data.data.username }}"
          export MAILU_DB_PASSWORD="{{ .Data.data.password }}"
          {{ end }}
          {{ with secret "kv/data/atlas/mailu/mailu-initial-account-secret" }}
          export SMTP_HOST="mailu-front.mailu-mailserver.svc.cluster.local"
          export SMTP_PORT="587"
          export SMTP_STARTTLS="true"
          export SMTP_USE_TLS="false"
          export SMTP_USERNAME="no-reply-portal@bstein.dev"
          export SMTP_PASSWORD="{{ .Data.data.password }}"
          export SMTP_FROM="no-reply-portal@bstein.dev"
          export MAILU_SYSTEM_PASSWORD="{{ .Data.data.password }}"
          {{ end }}
          {{ with secret "kv/data/atlas/comms/mas-admin-client-runtime" }}
          export COMMS_MAS_ADMIN_CLIENT_SECRET="{{ .Data.data.client_secret }}"
          {{ end }}
          {{ with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" }}
          export COMMS_BOT_PASSWORD="{{ index .Data.data "bot-password" }}"
          export COMMS_SEEDER_PASSWORD="{{ index .Data.data "seeder-password" }}"
          {{ end }}
          {{ with secret "kv/data/atlas/comms/synapse-db" }}
          export COMMS_SYNAPSE_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
          {{ end }}
          {{ with secret "kv/data/atlas/vault/vault-oidc-config" }}
          export VAULT_OIDC_DISCOVERY_URL="{{ .Data.data.discovery_url }}"
          export VAULT_OIDC_CLIENT_ID="{{ .Data.data.client_id }}"
          export VAULT_OIDC_CLIENT_SECRET="{{ .Data.data.client_secret }}"
          export VAULT_OIDC_DEFAULT_ROLE="{{ .Data.data.default_role }}"
          export VAULT_OIDC_SCOPES="{{ .Data.data.scopes }}"
          export VAULT_OIDC_USER_CLAIM="{{ .Data.data.user_claim }}"
          export VAULT_OIDC_GROUPS_CLAIM="{{ .Data.data.groups_claim }}"
          export VAULT_OIDC_TOKEN_POLICIES="{{ .Data.data.token_policies }}"
          export VAULT_OIDC_ADMIN_GROUP="{{ .Data.data.admin_group }}"
          export VAULT_OIDC_ADMIN_POLICIES="{{ .Data.data.admin_policies }}"
          export VAULT_OIDC_DEV_GROUP="{{ .Data.data.dev_group }}"
          export VAULT_OIDC_DEV_POLICIES="{{ .Data.data.dev_policies }}"
          export VAULT_OIDC_USER_GROUP="{{ .Data.data.user_group }}"
          export VAULT_OIDC_USER_POLICIES="{{ .Data.data.user_policies }}"
          export VAULT_OIDC_REDIRECT_URIS="{{ .Data.data.redirect_uris }}"
          export VAULT_OIDC_BOUND_AUDIENCES="{{ .Data.data.bound_audiences }}"
          export VAULT_OIDC_BOUND_CLAIMS_TYPE="{{ .Data.data.bound_claims_type }}"
          {{ end }}
    spec:
      # The service account is what the Vault Agent authenticates with and what
      # the VAULT_K8S_ROLE / in-cluster API calls below run as.
      serviceAccountName: ariadne
      # Pinned to arm64 worker nodes.
      nodeSelector:
        kubernetes.io/arch: arm64
        node-role.kubernetes.io/worker: "true"
      # NOTE(review): no pod- or container-level securityContext is set, so the
      # container runs with the image's default user and default privilege
      # settings — confirm whether the image tolerates runAsNonRoot /
      # readOnlyRootFilesystem before adding them.
      containers:
        - name: ariadne
          image: registry.bstein.dev/bstein/ariadne:0.1.0-0
          imagePullPolicy: Always
          # Source the Vault-rendered env file, then replace the shell with the app
          # so signals reach uvicorn directly.
          command: ["/bin/sh", "-c"]
          args:
            - >-
              . /vault/secrets/ariadne-env.sh &&
              exec uvicorn ariadne.app:app --host 0.0.0.0 --port 8080
          ports:
            - name: http
              containerPort: 8080
          env:
            # --- Keycloak (public issuer for tokens, in-cluster URL for JWKS/admin) ---
            - name: KEYCLOAK_URL
              value: https://sso.bstein.dev
            - name: KEYCLOAK_REALM
              value: atlas
            - name: KEYCLOAK_CLIENT_ID
              value: bstein-dev-home
            - name: KEYCLOAK_ISSUER
              value: https://sso.bstein.dev/realms/atlas
            - name: KEYCLOAK_JWKS_URL
              value: http://keycloak.sso.svc.cluster.local/realms/atlas/protocol/openid-connect/certs
            - name: KEYCLOAK_ADMIN_URL
              value: http://keycloak.sso.svc.cluster.local
            - name: KEYCLOAK_ADMIN_REALM
              value: atlas
            - name: KEYCLOAK_ADMIN_CLIENT_ID
              value: bstein-dev-home-admin
            # --- Portal / group policy (comma-separated lists are passed as plain strings) ---
            - name: PORTAL_PUBLIC_BASE_URL
              value: https://bstein.dev
            - name: ARIADNE_LOG_LEVEL
              value: INFO
            - name: PORTAL_ADMIN_USERS
              value: bstein
            - name: PORTAL_ADMIN_GROUPS
              value: admin
            - name: ACCOUNT_ALLOWED_GROUPS
              value: dev,admin
            - name: ALLOWED_FLAG_GROUPS
              value: demo,test
            - name: DEFAULT_USER_GROUPS
              value: dev
            # --- Mailu ---
            - name: MAILU_DOMAIN
              value: bstein.dev
            - name: MAILU_HOST
              value: mail.bstein.dev
            - name: MAILU_SYNC_URL
              value: http://ariadne.maintenance.svc.cluster.local/events
            - name: MAILU_EVENT_MIN_INTERVAL_SEC
              value: "10"
            - name: MAILU_SYSTEM_USERS
              value: no-reply-portal@bstein.dev,no-reply-vaultwarden@bstein.dev
            - name: MAILU_MAILBOX_WAIT_TIMEOUT_SEC
              value: "180"
            - name: MAILU_DB_HOST
              value: postgres-service.postgres.svc.cluster.local
            - name: MAILU_DB_PORT
              value: "5432"
            # --- Nextcloud (pod is located by label and exec'd into) ---
            - name: NEXTCLOUD_NAMESPACE
              value: nextcloud
            - name: NEXTCLOUD_POD_LABEL
              value: app=nextcloud
            - name: NEXTCLOUD_CONTAINER
              value: nextcloud
            - name: NEXTCLOUD_EXEC_TIMEOUT_SEC
              value: "120"
            - name: NEXTCLOUD_URL
              value: https://cloud.bstein.dev
            - name: NEXTCLOUD_DB_HOST
              value: postgres-service.postgres.svc.cluster.local
            - name: NEXTCLOUD_DB_PORT
              value: "5432"
            # --- wger ---
            - name: WGER_NAMESPACE
              value: health
            - name: WGER_USER_SYNC_WAIT_TIMEOUT_SEC
              value: "90"
            - name: WGER_POD_LABEL
              value: app=wger
            - name: WGER_CONTAINER
              value: wger
            - name: WGER_ADMIN_EMAIL
              value: brad@bstein.dev
            # --- Firefly III ---
            - name: FIREFLY_NAMESPACE
              value: finance
            - name: FIREFLY_USER_SYNC_WAIT_TIMEOUT_SEC
              value: "90"
            - name: FIREFLY_POD_LABEL
              value: app=firefly
            - name: FIREFLY_CONTAINER
              value: firefly
            - name: FIREFLY_CRON_BASE_URL
              value: http://firefly.finance.svc.cluster.local/api/v1/cron
            - name: FIREFLY_CRON_TIMEOUT_SEC
              value: "30"
            # --- Vault (plain http to the in-cluster service; the k8s auth role
            #     below is "vault-admin", so this pod's token is high-value) ---
            - name: VAULT_NAMESPACE
              value: vault
            - name: VAULT_ADDR
              value: http://vault.vault.svc.cluster.local:8200
            - name: VAULT_K8S_ROLE
              value: vault-admin
            - name: VAULT_K8S_ROLE_TTL
              value: 1h
            # --- Matrix / MAS (comms) ---
            - name: COMMS_NAMESPACE
              value: comms
            - name: COMMS_SYNAPSE_BASE
              value: http://othrys-synapse-matrix-synapse.comms.svc.cluster.local:8008
            - name: COMMS_AUTH_BASE
              value: http://matrix-authentication-service.comms.svc.cluster.local:8080
            - name: COMMS_MAS_ADMIN_API_BASE
              value: http://matrix-authentication-service.comms.svc.cluster.local:8081/api/admin/v1
            - name: COMMS_MAS_TOKEN_URL
              value: http://matrix-authentication-service.comms.svc.cluster.local:8080/oauth2/token
            - name: COMMS_MAS_ADMIN_CLIENT_ID
              value: 01KDXMVQBQ5JNY6SEJPZW6Z8BM
            - name: COMMS_SERVER_NAME
              value: live.bstein.dev
            # Quoted: a leading "#" would otherwise start a YAML comment.
            - name: COMMS_ROOM_ALIAS
              value: "#othrys:live.bstein.dev"
            - name: COMMS_ROOM_NAME
              value: Othrys
            - name: COMMS_PIN_MESSAGE
              value: "Invite guests: share https://live.bstein.dev/#/room/#othrys:live.bstein.dev?action=join and choose 'Continue' -> 'Join as guest'."
            - name: COMMS_SEEDER_USER
              value: othrys-seeder
            - name: COMMS_BOT_USER
              value: atlasbot
            - name: COMMS_SYNAPSE_DB_HOST
              value: postgres-service.postgres.svc.cluster.local
            - name: COMMS_SYNAPSE_DB_PORT
              value: "5432"
            - name: COMMS_SYNAPSE_DB_NAME
              value: synapse
            - name: COMMS_SYNAPSE_DB_USER
              value: synapse
            - name: COMMS_TIMEOUT_SEC
              value: "30"
            - name: COMMS_GUEST_STALE_DAYS
              value: "14"
            # --- Vaultwarden (admin token is read from the named k8s Secret at runtime) ---
            - name: VAULTWARDEN_NAMESPACE
              value: vaultwarden
            - name: VAULTWARDEN_POD_LABEL
              value: app=vaultwarden
            - name: VAULTWARDEN_POD_PORT
              value: "80"
            - name: VAULTWARDEN_SERVICE_HOST
              value: vaultwarden-service.vaultwarden.svc.cluster.local
            - name: VAULTWARDEN_ADMIN_SECRET_NAME
              value: vaultwarden-admin
            - name: VAULTWARDEN_ADMIN_SECRET_KEY
              value: ADMIN_TOKEN
            - name: VAULTWARDEN_ADMIN_SESSION_TTL_SEC
              value: "900"
            - name: VAULTWARDEN_ADMIN_RATE_LIMIT_BACKOFF_SEC
              value: "600"
            - name: VAULTWARDEN_RETRY_COOLDOWN_SEC
              value: "1800"
            - name: VAULTWARDEN_FAILURE_BAILOUT
              value: "2"
            # --- Provisioning loop and cron schedules. Cron strings are quoted
            #     because a bare "*" would be parsed as a YAML alias. ---
            - name: ARIADNE_PROVISION_POLL_INTERVAL_SEC
              value: "5"
            - name: ARIADNE_PROVISION_RETRY_COOLDOWN_SEC
              value: "30"
            - name: ARIADNE_SCHEDULE_TICK_SEC
              value: "5"
            - name: ARIADNE_SCHEDULE_MAILU_SYNC
              value: "30 4 * * *"
            - name: ARIADNE_SCHEDULE_NEXTCLOUD_SYNC
              value: "0 5 * * *"
            - name: ARIADNE_SCHEDULE_NEXTCLOUD_CRON
              value: "*/5 * * * *"
            - name: ARIADNE_SCHEDULE_NEXTCLOUD_MAINTENANCE
              value: "30 4 * * *"
            - name: ARIADNE_SCHEDULE_VAULTWARDEN_SYNC
              value: "0 * * * *"
            - name: ARIADNE_SCHEDULE_WGER_USER_SYNC
              value: "0 5 * * *"
            - name: ARIADNE_SCHEDULE_WGER_ADMIN
              value: "15 3 * * *"
            - name: ARIADNE_SCHEDULE_FIREFLY_USER_SYNC
              value: "0 6 * * *"
            - name: ARIADNE_SCHEDULE_FIREFLY_CRON
              value: "0 3 * * *"
            - name: ARIADNE_SCHEDULE_POD_CLEANER
              value: "0 * * * *"
            - name: ARIADNE_SCHEDULE_OPENSEARCH_PRUNE
              value: "23 3 * * *"
            - name: ARIADNE_SCHEDULE_IMAGE_SWEEPER
              value: "30 4 * * 0"
            - name: ARIADNE_SCHEDULE_VAULT_K8S_AUTH
              value: "0 * * * *"
            - name: ARIADNE_SCHEDULE_VAULT_OIDC
              value: "0 * * * *"
            - name: ARIADNE_SCHEDULE_COMMS_GUEST_NAME
              value: "*/5 * * * *"
            - name: ARIADNE_SCHEDULE_COMMS_PIN_INVITE
              value: "*/30 * * * *"
            - name: ARIADNE_SCHEDULE_COMMS_RESET_ROOM
              value: "0 0 1 1 *"
            - name: ARIADNE_SCHEDULE_COMMS_SEED_ROOM
              value: "*/10 * * * *"
            # --- Misc ---
            - name: WELCOME_EMAIL_ENABLED
              value: "true"
            - name: K8S_API_TIMEOUT_SEC
              value: "5"
            - name: OPENSEARCH_URL
              value: http://opensearch-master.logging.svc.cluster.local:9200
            - name: OPENSEARCH_LIMIT_BYTES
              value: "1099511627776"
            - name: OPENSEARCH_INDEX_PATTERNS
              value: kube-*,journald-*,trace-analytics-*
            - name: METRICS_PATH
              value: "/metrics"
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          # Both probes hit the same unauthenticated /health endpoint on the named port.
          livenessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10