diff --git a/Dockerfile b/Dockerfile
index 744c9739..1785b5d8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -84,8 +84,7 @@ COPY --from=builder /install/celery_worker.py ./celery_worker.py
 COPY --from=builder /install/config/ ./config/
 COPY --from=builder /install/templates/ ./templates/
 COPY --from=builder /install/translations.yaml .
-COPY --from=builder /install/script/seed_roles.py ./script/seed_roles.py
-COPY --from=builder /install/script/sync-crls ./script/sync-crls
+COPY --from=builder /install/script/ ./script/
 COPY --from=builder /install/static/ ./static/
 COPY --from=builder /install/fixtures/ ./fixtures
 COPY --from=builder /install/uwsgi.ini .
diff --git a/deploy/overlays/staging/kustomization.yaml b/deploy/overlays/staging/kustomization.yaml
index 38251002..ee6f3a0c 100644
--- a/deploy/overlays/staging/kustomization.yaml
+++ b/deploy/overlays/staging/kustomization.yaml
@@ -3,6 +3,7 @@ bases:
   - ../../azure/
 resources:
   - namespace.yml
+  - reset-cron-job.yml
 patchesStrategicMerge:
   - replica_count.yml
   - ports.yml
diff --git a/deploy/overlays/staging/reset-cron-job.yml b/deploy/overlays/staging/reset-cron-job.yml
new file mode 100644
index 00000000..b4792e5d
--- /dev/null
+++ b/deploy/overlays/staging/reset-cron-job.yml
@@ -0,0 +1,46 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: reset-db
+  namespace: atat
+spec:
+  schedule: "0 4 * * *"
+  concurrencyPolicy: Replace
+  successfulJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            app: atst
+            role: reset-db
+            aadpodidbinding: atat-kv-id-binding
+        spec:
+          restartPolicy: OnFailure
+          containers:
+          - name: reset
+            image: $CONTAINER_IMAGE
+            command: [
+              "/bin/sh", "-c"
+            ]
+            args: [
+              "/opt/atat/atst/.venv/bin/python",
+              "/opt/atat/atst/script/reset_database.py"
+            ]
+            envFrom:
+            - configMapRef:
+                name: atst-worker-envvars
+            volumeMounts:
+              - name: flask-secret
+                mountPath: "/config"
+          volumes:
+            - name: flask-secret
+              flexVolume:
+                driver: "azure/kv"
+                options:
+                  usepodidentity: "true"
+                  keyvaultname: "atat-vault-test"
+                  keyvaultobjectnames: "staging-AZURE-STORAGE-KEY;staging-MAIL-PASSWORD;staging-PGPASSWORD;staging-REDIS-PASSWORD;staging-SECRET-KEY"
+                  keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
+                  keyvaultobjecttypes: "secret;secret;secret;secret;key"
+                  tenantid: $TENANT_ID