titan-iac/services/health/endurain-oidc-config-cronjob.yaml

# services/health/endurain-oidc-config-cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: endurain-oidc-config
  namespace: health
spec:
  schedule: "*/30 * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/agent-pre-populate-only: "true"
            vault.hashicorp.com/role: "health"
            vault.hashicorp.com/agent-inject-secret-endurain-oidc-env: "kv/data/atlas/health/endurain-admin"
            vault.hashicorp.com/agent-inject-template-endurain-oidc-env: |
              {{- with secret "kv/data/atlas/health/endurain-admin" -}}
              export ENDURAIN_ADMIN_USERNAME="{{ .Data.data.username }}"
              export ENDURAIN_ADMIN_PASSWORD="{{ .Data.data.password }}"
              {{- end }}
              {{- with secret "kv/data/atlas/health/endurain-oidc" -}}
              export ENDURAIN_OIDC_CLIENT_ID="{{ .Data.data.client_id }}"
              export ENDURAIN_OIDC_CLIENT_SECRET="{{ .Data.data.client_secret }}"
              export ENDURAIN_OIDC_ISSUER_URL="{{ .Data.data.issuer_url }}"
              {{- end -}}
        spec:
          serviceAccountName: health-vault-sync
          restartPolicy: Never
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: kubernetes.io/arch
                        operator: In
                        values: ["arm64"]
                      - key: node-role.kubernetes.io/worker
                        operator: Exists
              preferredDuringSchedulingIgnoredDuringExecution:
                - weight: 90
                  preference:
                    matchExpressions:
                      - key: hardware
                        operator: In
                        values: ["rpi5"]
                - weight: 70
                  preference:
                    matchExpressions:
                      - key: hardware
                        operator: In
                        values: ["rpi4"]
          containers:
            - name: configure
              image: alpine:3.20
              command: ["/bin/sh", "-c"]
              args:
                - |
                  set -euo pipefail
                  apk add --no-cache bash curl jq >/dev/null
                  . /vault/secrets/endurain-oidc-env
                  exec /scripts/endurain_oidc_configure.sh
              env:
                - name: ENDURAIN_BASE_URL
                  value: http://endurain.health.svc.cluster.local
              volumeMounts:
                - name: endurain-oidc-config-script
                  mountPath: /scripts
                  readOnly: true
          volumes:
            - name: endurain-oidc-config-script
              configMap:
                name: endurain-oidc-config-script
                defaultMode: 0555
vault: stabilize injector templates and add health apps 2026-01-14 13:40:29 -03:00			`# services/health/endurain-oidc-config-cronjob.yaml`
			`apiVersion: batch/v1`
			`kind: CronJob`
			`metadata:`
			`name: endurain-oidc-config`
			`namespace: health`
			`spec:`
			`schedule: "/30 * * *"`
			`concurrencyPolicy: Forbid`
			`successfulJobsHistoryLimit: 1`
			`failedJobsHistoryLimit: 3`
			`jobTemplate:`
			`spec:`
			`backoffLimit: 1`
			`template:`
vault: inject monitoring exporter and health jobs 2026-01-14 14:49:41 -03:00			`metadata:`
			`annotations:`
			`vault.hashicorp.com/agent-inject: "true"`
			`vault.hashicorp.com/agent-pre-populate-only: "true"`
			`vault.hashicorp.com/role: "health"`
			`vault.hashicorp.com/agent-inject-secret-endurain-oidc-env: "kv/data/atlas/health/endurain-admin"`
			`vault.hashicorp.com/agent-inject-template-endurain-oidc-env: \|`
			`{{- with secret "kv/data/atlas/health/endurain-admin" -}}`
			`export ENDURAIN_ADMIN_USERNAME="{{ .Data.data.username }}"`
			`export ENDURAIN_ADMIN_PASSWORD="{{ .Data.data.password }}"`
			`{{- end }}`
			`{{- with secret "kv/data/atlas/health/endurain-oidc" -}}`
			`export ENDURAIN_OIDC_CLIENT_ID="{{ .Data.data.client_id }}"`
			`export ENDURAIN_OIDC_CLIENT_SECRET="{{ .Data.data.client_secret }}"`
			`export ENDURAIN_OIDC_ISSUER_URL="{{ .Data.data.issuer_url }}"`
			`{{- end -}}`
vault: stabilize injector templates and add health apps 2026-01-14 13:40:29 -03:00			`spec:`
			`serviceAccountName: health-vault-sync`
			`restartPolicy: Never`
			`affinity:`
			`nodeAffinity:`
			`requiredDuringSchedulingIgnoredDuringExecution:`
			`nodeSelectorTerms:`
			`- matchExpressions:`
			`- key: kubernetes.io/arch`
			`operator: In`
			`values: ["arm64"]`
			`- key: node-role.kubernetes.io/worker`
			`operator: Exists`
			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 90`
			`preference:`
			`matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi5"]`
			`- weight: 70`
			`preference:`
			`matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi4"]`
			`containers:`
			`- name: configure`
			`image: alpine:3.20`
			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
			`set -euo pipefail`
			`apk add --no-cache bash curl jq >/dev/null`
vault: inject monitoring exporter and health jobs 2026-01-14 14:49:41 -03:00			`. /vault/secrets/endurain-oidc-env`
vault: stabilize injector templates and add health apps 2026-01-14 13:40:29 -03:00			`exec /scripts/endurain_oidc_configure.sh`
			`env:`
			`- name: ENDURAIN_BASE_URL`
			`value: http://endurain.health.svc.cluster.local`
			`volumeMounts:`
			`- name: endurain-oidc-config-script`
			`mountPath: /scripts`
			`readOnly: true`
			`volumes:`
			`- name: endurain-oidc-config-script`
			`configMap:`
			`name: endurain-oidc-config-script`
			`defaultMode: 0555`