titan-iac/services/comms/mas-db-ensure-job.yaml

# services/comms/mas-db-ensure-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: mas-db-ensure-22
  namespace: comms
spec:
  backoffLimit: 1
  ttlSecondsAfterFinished: 600
  template:
    spec:
      serviceAccountName: mas-db-ensure
      restartPolicy: Never
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values: ["arm64"]
      containers:
        - name: ensure
          image: registry.bstein.dev/bstein/kubectl:1.35.0
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              trap 'echo "mas-db-ensure failed"; sleep 300' ERR
              umask 077
              safe_pass() {
                head -c 32 /dev/urandom | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
              }

              vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
              vault_role="${VAULT_ROLE:-comms-secrets}"
              jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
              login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
              vault_token="$(curl -sS --request POST --data "${login_payload}" \
                "${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
              if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then
                echo "vault login failed" >&2
                exit 1
              fi

              vault_read() {
                curl -sS -H "X-Vault-Token: ${vault_token}" \
                  "${vault_addr}/v1/kv/data/atlas/comms/mas-db" | jq -r '.data.data.password // empty'
              }

              vault_write() {
                value="$1"
                payload="$(jq -nc --arg value "${value}" '{data:{password:$value}}')"
                curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
                  -d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/mas-db" >/dev/null
              }

              MAS_PASS="$(vault_read)"
              if [ -z "${MAS_PASS}" ] || printf '%s' "${MAS_PASS}" | grep -Eq '[^A-Za-z0-9_-]'; then
                MAS_PASS="$(safe_pass)"
                vault_write "${MAS_PASS}"
              fi

              POD_NAME="$(kubectl -n postgres get pods -l app=postgres -o jsonpath='{.items[0].metadata.name}')"
              if [ -z "${POD_NAME}" ]; then
                echo "postgres pod not found" >&2
                exit 1
              fi

              MAS_PASS_SQL="$(printf '%s' "${MAS_PASS}" | sed "s/'/''/g")"
              kubectl -n postgres exec -i "${POD_NAME}" -- psql -U postgres -d postgres \
                -c "CREATE ROLE mas LOGIN PASSWORD '${MAS_PASS_SQL}';" || true
              kubectl -n postgres exec -i "${POD_NAME}" -- psql -U postgres -d postgres \
                -c "ALTER ROLE mas WITH PASSWORD '${MAS_PASS_SQL}';"
              kubectl -n postgres exec -i "${POD_NAME}" -- psql -U postgres -d postgres \
                -c "CREATE DATABASE mas OWNER mas;" || true
              kubectl -n postgres exec -i "${POD_NAME}" -- /bin/sh -c \
                "PGPASSWORD='${MAS_PASS_SQL}' psql -U mas -d mas -c 'select 1;'"
comms: ensure mas db secret 2026-01-08 02:45:00 -03:00			`# services/comms/mas-db-ensure-job.yaml`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
comms: re-run mas db ensure 2026-01-17 20:23:32 -03:00			`name: mas-db-ensure-22`
comms: ensure mas db secret 2026-01-08 02:45:00 -03:00			`namespace: comms`
			`spec:`
comms: keep mas db job logs on failure 2026-01-08 03:09:27 -03:00			`backoffLimit: 1`
comms: stabilize mas db job 2026-01-08 03:00:19 -03:00			`ttlSecondsAfterFinished: 600`
comms: ensure mas db secret 2026-01-08 02:45:00 -03:00			`template:`
			`spec:`
			`serviceAccountName: mas-db-ensure`
comms: keep mas db job logs on failure 2026-01-08 03:09:27 -03:00			`restartPolicy: Never`
jobs: prefer arm64 workers 2026-01-17 01:47:53 -03:00			`affinity:`
			`nodeAffinity:`
			`requiredDuringSchedulingIgnoredDuringExecution:`
			`nodeSelectorTerms:`
			`- matchExpressions:`
			`- key: node-role.kubernetes.io/worker`
			`operator: Exists`
			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 100`
			`preference:`
			`matchExpressions:`
			`- key: kubernetes.io/arch`
			`operator: In`
			`values: ["arm64"]`
comms: ensure mas db via postgres exec 2026-01-08 03:04:33 -03:00			`containers:`
			`- name: ensure`
vault: prep helm releases and image pins 2026-01-13 19:29:14 -03:00			`image: registry.bstein.dev/bstein/kubectl:1.35.0`
comms: ensure mas db secret 2026-01-08 02:45:00 -03:00			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
comms: stabilize mas db job 2026-01-08 03:00:19 -03:00			`set -eu`
comms: keep mas db job logs on failure 2026-01-08 03:09:27 -03:00			`trap 'echo "mas-db-ensure failed"; sleep 300' ERR`
comms: ensure mas db secret 2026-01-08 02:45:00 -03:00			`umask 077`
comms: ensure mas password is url-safe 2026-01-08 03:23:09 -03:00			`safe_pass() {`
			`head -c 32 /dev/urandom \| base64 \| tr -d '\n' \| tr '+/' '-_' \| tr -d '='`
			`}`

vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"`
			`vault_role="${VAULT_ROLE:-comms-secrets}"`
			`jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"`
			`login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"`
			`vault_token="$(curl -sS --request POST --data "${login_payload}" \`
			`"${vault_addr}/v1/auth/kubernetes/login" \| jq -r '.auth.client_token')"`
			`if [ -z "${vault_token}" ] \|\| [ "${vault_token}" = "null" ]; then`
			`echo "vault login failed" >&2`
			`exit 1`
			`fi`

			`vault_read() {`
			`curl -sS -H "X-Vault-Token: ${vault_token}" \`
			`"${vault_addr}/v1/kv/data/atlas/comms/mas-db" \| jq -r '.data.data.password // empty'`
			`}`

			`vault_write() {`
			`value="$1"`
			`payload="$(jq -nc --arg value "${value}" '{data:{password:$value}}')"`
			`curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \`
			`-d "${payload}" "${vault_addr}/v1/kv/data/atlas/comms/mas-db" >/dev/null`
			`}`

			`MAS_PASS="$(vault_read)"`
			`if [ -z "${MAS_PASS}" ] \|\| printf '%s' "${MAS_PASS}" \| grep -Eq '[^A-Za-z0-9_-]'; then`
comms: ensure mas password is url-safe 2026-01-08 03:23:09 -03:00			`MAS_PASS="$(safe_pass)"`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`vault_write "${MAS_PASS}"`
comms: ensure mas db secret 2026-01-08 02:45:00 -03:00			`fi`
comms: ensure mas db via postgres exec 2026-01-08 03:04:33 -03:00
comms: allow postgres exec for mas db 2026-01-08 03:06:34 -03:00			`POD_NAME="$(kubectl -n postgres get pods -l app=postgres -o jsonpath='{.items[0].metadata.name}')"`
			`if [ -z "${POD_NAME}" ]; then`
			`echo "postgres pod not found" >&2`
comms: ensure mas db via postgres exec 2026-01-08 03:04:33 -03:00			`exit 1`
			`fi`

comms: avoid psql vars for mas 2026-01-08 03:20:28 -03:00			`MAS_PASS_SQL="$(printf '%s' "${MAS_PASS}" \| sed "s/'/''/g")"`
			`kubectl -n postgres exec -i "${POD_NAME}" -- psql -U postgres -d postgres \`
			`-c "CREATE ROLE mas LOGIN PASSWORD '${MAS_PASS_SQL}';" \|\| true`
			`kubectl -n postgres exec -i "${POD_NAME}" -- psql -U postgres -d postgres \`
			`-c "ALTER ROLE mas WITH PASSWORD '${MAS_PASS_SQL}';"`
comms: simplify mas db creation 2026-01-08 03:18:03 -03:00			`kubectl -n postgres exec -i "${POD_NAME}" -- psql -U postgres -d postgres \`
			`-c "CREATE DATABASE mas OWNER mas;" \|\| true`
comms: verify mas db login 2026-01-08 03:26:14 -03:00			`kubectl -n postgres exec -i "${POD_NAME}" -- /bin/sh -c \`
			`"PGPASSWORD='${MAS_PASS_SQL}' psql -U mas -d mas -c 'select 1;'"`