titan-iac/services/health/wger-admin-ensure-cronjob.yaml

# services/health/wger-admin-ensure-cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: wger-admin-ensure
  namespace: health
spec:
  schedule: "15 3 * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/agent-pre-populate-only: "true"
            vault.hashicorp.com/role: "health"
            vault.hashicorp.com/agent-inject-secret-wger-env: "kv/data/atlas/health/wger-db"
            vault.hashicorp.com/agent-inject-template-wger-env: |
              {{- with secret "kv/data/atlas/health/wger-db" -}}
              export DJANGO_DB_HOST='{{ .Data.data.DJANGO_DB_HOST | replace "'" "'\"'\"'" }}'
              export DJANGO_DB_PORT='{{ .Data.data.DJANGO_DB_PORT | replace "'" "'\"'\"'" }}'
              export DJANGO_DB_DATABASE='{{ .Data.data.DJANGO_DB_DATABASE | replace "'" "'\"'\"'" }}'
              export DJANGO_DB_USER='{{ .Data.data.DJANGO_DB_USER | replace "'" "'\"'\"'" }}'
              export DJANGO_DB_PASSWORD='{{ .Data.data.DJANGO_DB_PASSWORD | replace "'" "'\"'\"'" }}'
              {{- end }}
              {{- with secret "kv/data/atlas/health/wger-secrets" -}}
              export SECRET_KEY='{{ .Data.data.SECRET_KEY | replace "'" "'\"'\"'" }}'
              export SIGNING_KEY='{{ .Data.data.SIGNING_KEY | replace "'" "'\"'\"'" }}'
              {{- end }}
              {{- with secret "kv/data/atlas/health/wger-admin" -}}
              export WGER_ADMIN_USERNAME='{{ .Data.data.username | replace "'" "'\"'\"'" }}'
              export WGER_ADMIN_PASSWORD='{{ .Data.data.password | replace "'" "'\"'\"'" }}'
              {{- end -}}
        spec:
          serviceAccountName: health-vault-sync
          restartPolicy: Never
          affinity:
            nodeAffinity:
              preferredDuringSchedulingIgnoredDuringExecution:
                - weight: 100
                  preference:
                    matchExpressions:
                      - key: hardware
                        operator: In
                        values: ["rpi5"]
                - weight: 70
                  preference:
                    matchExpressions:
                      - key: hardware
                        operator: In
                        values: ["rpi4"]
          nodeSelector:
            kubernetes.io/arch: arm64
            node-role.kubernetes.io/worker: "true"
          containers:
            - name: ensure
              image: wger/server@sha256:710588b78af4e0aa0b4d8a8061e4563e16eae80eeaccfe7f9e0d9cbdd7f0cbc5
              imagePullPolicy: IfNotPresent
              command: ["/bin/sh", "-c"]
              args:
                - |
                  set -eu
                  . /vault/secrets/wger-env
                  exec python /scripts/wger_user_sync.py
              env:
                - name: SITE_URL
                  value: https://health.bstein.dev
                - name: TIME_ZONE
                  value: Etc/UTC
                - name: TZ
                  value: Etc/UTC
                - name: DJANGO_DEBUG
                  value: "False"
                - name: DJANGO_DB_ENGINE
                  value: django.db.backends.postgresql
                - name: DJANGO_CACHE_BACKEND
                  value: django.core.cache.backends.locmem.LocMemCache
                - name: DJANGO_CACHE_LOCATION
                  value: wger-cache
              volumeMounts:
                - name: wger-user-sync-script
                  mountPath: /scripts
                  readOnly: true
          volumes:
            - name: wger-user-sync-script
              configMap:
                name: wger-user-sync-script
                defaultMode: 0555
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`# services/health/wger-admin-ensure-cronjob.yaml`
			`apiVersion: batch/v1`
			`kind: CronJob`
			`metadata:`
			`name: wger-admin-ensure`
			`namespace: health`
			`spec:`
			`schedule: "15 3 * * *"`
			`concurrencyPolicy: Forbid`
			`successfulJobsHistoryLimit: 1`
			`failedJobsHistoryLimit: 3`
			`jobTemplate:`
			`spec:`
			`backoffLimit: 1`
			`template:`
			`metadata:`
			`annotations:`
			`vault.hashicorp.com/agent-inject: "true"`
			`vault.hashicorp.com/agent-pre-populate-only: "true"`
			`vault.hashicorp.com/role: "health"`
			`vault.hashicorp.com/agent-inject-secret-wger-env: "kv/data/atlas/health/wger-db"`
			`vault.hashicorp.com/agent-inject-template-wger-env: \|`
			`{{- with secret "kv/data/atlas/health/wger-db" -}}`
health: escape wger env vars and fix nginx temp paths 2026-01-14 22:03:40 -03:00			`export DJANGO_DB_HOST='{{ .Data.data.DJANGO_DB_HOST \| replace "'" "'\"'\"'" }}'`
			`export DJANGO_DB_PORT='{{ .Data.data.DJANGO_DB_PORT \| replace "'" "'\"'\"'" }}'`
			`export DJANGO_DB_DATABASE='{{ .Data.data.DJANGO_DB_DATABASE \| replace "'" "'\"'\"'" }}'`
			`export DJANGO_DB_USER='{{ .Data.data.DJANGO_DB_USER \| replace "'" "'\"'\"'" }}'`
			`export DJANGO_DB_PASSWORD='{{ .Data.data.DJANGO_DB_PASSWORD \| replace "'" "'\"'\"'" }}'`
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`{{- end }}`
			`{{- with secret "kv/data/atlas/health/wger-secrets" -}}`
health: escape wger env vars and fix nginx temp paths 2026-01-14 22:03:40 -03:00			`export SECRET_KEY='{{ .Data.data.SECRET_KEY \| replace "'" "'\"'\"'" }}'`
			`export SIGNING_KEY='{{ .Data.data.SIGNING_KEY \| replace "'" "'\"'\"'" }}'`
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`{{- end }}`
			`{{- with secret "kv/data/atlas/health/wger-admin" -}}`
health: escape wger env vars and fix nginx temp paths 2026-01-14 22:03:40 -03:00			`export WGER_ADMIN_USERNAME='{{ .Data.data.username \| replace "'" "'\"'\"'" }}'`
			`export WGER_ADMIN_PASSWORD='{{ .Data.data.password \| replace "'" "'\"'\"'" }}'`
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`{{- end -}}`
			`spec:`
			`serviceAccountName: health-vault-sync`
			`restartPolicy: Never`
			`affinity:`
			`nodeAffinity:`
			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 100`
			`preference:`
			`matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi5"]`
			`- weight: 70`
			`preference:`
			`matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi4"]`
			`nodeSelector:`
			`kubernetes.io/arch: arm64`
			`node-role.kubernetes.io/worker: "true"`
			`containers:`
			`- name: ensure`
			`image: wger/server@sha256:710588b78af4e0aa0b4d8a8061e4563e16eae80eeaccfe7f9e0d9cbdd7f0cbc5`
			`imagePullPolicy: IfNotPresent`
			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
			`set -eu`
			`. /vault/secrets/wger-env`
			`exec python /scripts/wger_user_sync.py`
			`env:`
			`- name: SITE_URL`
			`value: https://health.bstein.dev`
			`- name: TIME_ZONE`
			`value: Etc/UTC`
			`- name: TZ`
			`value: Etc/UTC`
			`- name: DJANGO_DEBUG`
			`value: "False"`
			`- name: DJANGO_DB_ENGINE`
			`value: django.db.backends.postgresql`
			`- name: DJANGO_CACHE_BACKEND`
			`value: django.core.cache.backends.locmem.LocMemCache`
			`- name: DJANGO_CACHE_LOCATION`
			`value: wger-cache`
			`volumeMounts:`
			`- name: wger-user-sync-script`
			`mountPath: /scripts`
			`readOnly: true`
			`volumes:`
			`- name: wger-user-sync-script`
			`configMap:`
			`name: wger-user-sync-script`
			`defaultMode: 0555`