titan-iac/services/keycloak/oneoffs/vault-oidc-secret-ensure-job.yaml

# services/keycloak/oneoffs/vault-oidc-secret-ensure-job.yaml
# One-off job for sso/vault-oidc-secret-ensure-8.
# Purpose: vault oidc secret ensure 8 (see container args/env in this file).
# Run by setting spec.suspend to false, reconcile, then set it back to true.
# Safe to delete the finished Job/pod; it should not run continuously.
apiVersion: batch/v1
kind: Job
metadata:
  name: vault-oidc-secret-ensure-8
  namespace: sso
spec:
  suspend: true
  backoffLimit: 0
  ttlSecondsAfterFinished: 3600
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/role: "sso-secrets"
        vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
        vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
          {{ with secret "kv/data/atlas/shared/keycloak-admin" }}
          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
          {{ end }}
    spec:
      serviceAccountName: mas-secrets-ensure
      restartPolicy: Never
      volumes:
        - name: vault-oidc-secret-ensure-script
          configMap:
            name: vault-oidc-secret-ensure-script
            defaultMode: 0555
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values: ["arm64"]
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
      containers:
        - name: apply
          image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
          command: ["/scripts/vault_oidc_secret_ensure.sh"]
          volumeMounts:
            - name: vault-oidc-secret-ensure-script
              mountPath: /scripts
              readOnly: true
chore: organize one-off jobs 2026-01-28 01:48:32 -03:00			`# services/keycloak/oneoffs/vault-oidc-secret-ensure-job.yaml`
			`# One-off job for sso/vault-oidc-secret-ensure-8.`
			`# Purpose: vault oidc secret ensure 8 (see container args/env in this file).`
			`# Run by setting spec.suspend to false, reconcile, then set it back to true.`
			`# Safe to delete the finished Job/pod; it should not run continuously.`
vault: align oidc roles with keycloak 2026-01-14 02:24:32 -03:00			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
sso: harden keycloak jobs and rerun 2026-01-17 01:41:39 -03:00			`name: vault-oidc-secret-ensure-8`
vault: align oidc roles with keycloak 2026-01-14 02:24:32 -03:00			`namespace: sso`
			`spec:`
chore: organize one-off jobs 2026-01-28 01:48:32 -03:00			`suspend: true`
vault: align oidc roles with keycloak 2026-01-14 02:24:32 -03:00			`backoffLimit: 0`
			`ttlSecondsAfterFinished: 3600`
			`template:`
keycloak: switch jobs to vault injector 2026-01-14 13:20:57 -03:00			`metadata:`
			`annotations:`
			`vault.hashicorp.com/agent-inject: "true"`
vault: prepopulate injector for jobs 2026-01-14 14:29:29 -03:00			`vault.hashicorp.com/agent-pre-populate-only: "true"`
keycloak: switch jobs to vault injector 2026-01-14 13:20:57 -03:00			`vault.hashicorp.com/role: "sso-secrets"`
			`vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"`
			`vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: \|`
vault: stabilize injector templates and add health apps 2026-01-14 13:40:29 -03:00			`{{ with secret "kv/data/atlas/shared/keycloak-admin" }}`
keycloak: switch jobs to vault injector 2026-01-14 13:20:57 -03:00			`export KEYCLOAK_ADMIN="{{ .Data.data.username }}"`
			`export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"`
			`export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"`
vault: stabilize injector templates and add health apps 2026-01-14 13:40:29 -03:00			`{{ end }}`
vault: align oidc roles with keycloak 2026-01-14 02:24:32 -03:00			`spec:`
			`serviceAccountName: mas-secrets-ensure`
			`restartPolicy: Never`
			`volumes:`
			`- name: vault-oidc-secret-ensure-script`
			`configMap:`
			`name: vault-oidc-secret-ensure-script`
			`defaultMode: 0555`
			`affinity:`
			`nodeAffinity:`
			`requiredDuringSchedulingIgnoredDuringExecution:`
			`nodeSelectorTerms:`
			`- matchExpressions:`
			`- key: kubernetes.io/arch`
			`operator: In`
			`values: ["arm64"]`
			`- key: node-role.kubernetes.io/worker`
			`operator: Exists`
			`containers:`
			`- name: apply`
jobs: drop apk installs and prefer arm64 2026-01-17 01:02:58 -03:00			`image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131`
vault: align oidc roles with keycloak 2026-01-14 02:24:32 -03:00			`command: ["/scripts/vault_oidc_secret_ensure.sh"]`
			`volumeMounts:`
			`- name: vault-oidc-secret-ensure-script`
			`mountPath: /scripts`
jobs: drop apk installs and prefer arm64 2026-01-17 01:02:58 -03:00			`readOnly: true`