titan-iac/services/finance/finance-secrets-ensure-job.yaml

# services/finance/finance-secrets-ensure-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: finance-secrets-ensure-5
  namespace: finance
spec:
  backoffLimit: 1
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      serviceAccountName: finance-secrets-ensure
      restartPolicy: Never
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi5"]
            - weight: 70
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi4"]
      nodeSelector:
        kubernetes.io/arch: arm64
        node-role.kubernetes.io/worker: "true"
      containers:
        - name: ensure
          image: python:3.11-alpine
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -e
              exec python /scripts/finance_secrets_ensure.py
          env:
            - name: VAULT_ROLE
              value: finance-secrets
          volumeMounts:
            - name: finance-secrets-ensure-script
              mountPath: /scripts
              readOnly: true
            - name: firefly-db
              mountPath: /secrets/firefly-db
              readOnly: true
            - name: actualbudget-db
              mountPath: /secrets/actualbudget-db
              readOnly: true
      volumes:
        - name: finance-secrets-ensure-script
          configMap:
            name: finance-secrets-ensure-script
            defaultMode: 0555
        - name: firefly-db
          secret:
            secretName: firefly-db
        - name: actualbudget-db
          secret:
            secretName: actualbudget-db
finance: seed vault secrets 2026-01-17 00:54:49 -03:00			`# services/finance/finance-secrets-ensure-job.yaml`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
platform: restore cert-manager and encrypt budget storage 2026-01-17 07:38:38 -03:00			`name: finance-secrets-ensure-5`
finance: seed vault secrets 2026-01-17 00:54:49 -03:00			`namespace: finance`
			`spec:`
			`backoffLimit: 1`
			`ttlSecondsAfterFinished: 3600`
			`template:`
			`spec:`
			`serviceAccountName: finance-secrets-ensure`
			`restartPolicy: Never`
			`affinity:`
			`nodeAffinity:`
			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 100`
			`preference:`
			`matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi5"]`
			`- weight: 70`
			`preference:`
			`matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi4"]`
			`nodeSelector:`
			`kubernetes.io/arch: arm64`
			`node-role.kubernetes.io/worker: "true"`
			`containers:`
			`- name: ensure`
finance: switch vault seed to python 2026-01-17 02:22:59 -03:00			`image: python:3.11-alpine`
finance: fix vault seed job 2026-01-17 01:07:46 -03:00			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
			`set -e`
finance: switch vault seed to python 2026-01-17 02:22:59 -03:00			`exec python /scripts/finance_secrets_ensure.py`
finance: seed vault secrets 2026-01-17 00:54:49 -03:00			`env:`
			`- name: VAULT_ROLE`
			`value: finance-secrets`
			`volumeMounts:`
			`- name: finance-secrets-ensure-script`
			`mountPath: /scripts`
			`readOnly: true`
			`- name: firefly-db`
			`mountPath: /secrets/firefly-db`
			`readOnly: true`
			`- name: actualbudget-db`
			`mountPath: /secrets/actualbudget-db`
			`readOnly: true`
			`volumes:`
			`- name: finance-secrets-ensure-script`
			`configMap:`
			`name: finance-secrets-ensure-script`
			`defaultMode: 0555`
			`- name: firefly-db`
			`secret:`
			`secretName: firefly-db`
			`- name: actualbudget-db`
			`secret:`
			`secretName: actualbudget-db`