titan-iac/services/maintenance/metis-k3s-token-sync-cronjob.yaml

# services/maintenance/metis-k3s-token-sync-cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: metis-k3s-token-sync
  namespace: maintenance
spec:
  schedule: "11 */6 * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 2
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: metis-token-sync
          restartPolicy: OnFailure
          nodeSelector:
            kubernetes.io/arch: arm64
            node-role.kubernetes.io/control-plane: "true"
          tolerations:
            - key: node-role.kubernetes.io/control-plane
              operator: Exists
              effect: NoSchedule
            - key: node-role.kubernetes.io/master
              operator: Exists
              effect: NoSchedule
          containers:
            - name: sync
              image: registry.bstein.dev/bstein/kubectl:1.35.0
              imagePullPolicy: IfNotPresent
              command:
                - /bin/sh
                - -c
              args:
                - |
                  set -euo pipefail
                  token="$(tr -d '\n' < /host/var/lib/rancher/k3s/server/node-token)"
                  kubectl -n maintenance create secret generic metis-runtime \
                    --from-literal=k3s_token="${token}" \
                    --dry-run=client -o yaml | kubectl apply -f -
              securityContext:
                runAsUser: 0
              volumeMounts:
                - name: k3s-server
                  mountPath: /host/var/lib/rancher/k3s/server
                  readOnly: true
          volumes:
            - name: k3s-server
              hostPath:
                path: /var/lib/rancher/k3s/server
maintenance: harden metis recovery and fix harbor rollout 2026-03-31 14:51:49 -03:00			`# services/maintenance/metis-k3s-token-sync-cronjob.yaml`
			`apiVersion: batch/v1`
			`kind: CronJob`
			`metadata:`
			`name: metis-k3s-token-sync`
			`namespace: maintenance`
			`spec:`
			`schedule: "11 /6 * *"`
			`concurrencyPolicy: Forbid`
			`successfulJobsHistoryLimit: 1`
			`failedJobsHistoryLimit: 2`
			`jobTemplate:`
			`spec:`
			`template:`
			`spec:`
			`serviceAccountName: metis-token-sync`
			`restartPolicy: OnFailure`
			`nodeSelector:`
			`kubernetes.io/arch: arm64`
			`node-role.kubernetes.io/control-plane: "true"`
			`tolerations:`
			`- key: node-role.kubernetes.io/control-plane`
			`operator: Exists`
			`effect: NoSchedule`
			`- key: node-role.kubernetes.io/master`
			`operator: Exists`
			`effect: NoSchedule`
			`containers:`
			`- name: sync`
			`image: registry.bstein.dev/bstein/kubectl:1.35.0`
			`imagePullPolicy: IfNotPresent`
			`command:`
			`- /bin/sh`
			`- -c`
			`args:`
			`- \|`
			`set -euo pipefail`
			`token="$(tr -d '\n' < /host/var/lib/rancher/k3s/server/node-token)"`
			`kubectl -n maintenance create secret generic metis-runtime \`
			`--from-literal=k3s_token="${token}" \`
			`--dry-run=client -o yaml \| kubectl apply -f -`
			`securityContext:`
			`runAsUser: 0`
			`volumeMounts:`
			`- name: k3s-server`
			`mountPath: /host/var/lib/rancher/k3s/server`
			`readOnly: true`
			`volumes:`
			`- name: k3s-server`
			`hostPath:`
			`path: /var/lib/rancher/k3s/server`