From 05c2d245b9b5e3fb3b42836101b1a53842f78a94 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Thu, 8 Jan 2026 03:23:09 -0300
Subject: [PATCH] comms: ensure mas password is url-safe
---
 services/comms/mas-db-ensure-job.yaml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/services/comms/mas-db-ensure-job.yaml b/services/comms/mas-db-ensure-job.yaml
index 5d30268..4a10fcd 100644
--- a/services/comms/mas-db-ensure-job.yaml
+++ b/services/comms/mas-db-ensure-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: mas-db-ensure-13
+ name: mas-db-ensure-14
 namespace: comms
 spec:
 backoffLimit: 1
@@ -20,11 +20,21 @@ spec:
 set -eu
 trap 'echo "mas-db-ensure failed"; sleep 300' ERR
 umask 077
+ safe_pass() {
+ head -c 32 /dev/urandom | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
+ }
+
 EXISTING_B64="$(kubectl -n comms get secret mas-db -o jsonpath='{.data.password}' 2>/dev/null || true)"
 if [ -n "${EXISTING_B64}" ]; then
 MAS_PASS="$(printf '%s' "${EXISTING_B64}" | base64 -d)"
+ if printf '%s' "${MAS_PASS}" | grep -Eq '[^A-Za-z0-9_-]'; then
+ MAS_PASS="$(safe_pass)"
+ MAS_B64="$(printf '%s' "${MAS_PASS}" | base64 | tr -d '\n')"
+ payload="$(printf '{"data":{"password":"%s"}}' "${MAS_B64}")"
+ kubectl -n comms patch secret mas-db --type=merge -p "${payload}" >/dev/null
+ fi
 else
- MAS_PASS="$(head -c 32 /dev/urandom | base64 | tr -d '\n')"
+ MAS_PASS="$(safe_pass)"
 MAS_B64="$(printf '%s' "${MAS_PASS}" | base64 | tr -d '\n')"
 payload="$(printf '{"data":{"password":"%s"}}' "${MAS_B64}")"
 kubectl -n comms patch secret mas-db --type=merge -p "${payload}" >/dev/null
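Review bot: The rotation branch added inside `if [ -n "${EXISTING_B64}" ]` replaces a live credential in the `mas-db` secret before anything in this hunk updates the database role, so a failure between the `kubectl patch` and whatever role update follows leaves the secret and the database out of step, and the next run, seeing a URL-safe value, will not rotate again. The script continues past the hunk and I cannot see where the DB side is set, so the safer order is to write the secret only after the role update succeeds, or to make the later step idempotent against the value already in the secret. A smaller point: `grep -Eq '[^A-Za-z0-9_-]'` tests line by line, so a stored value containing a newline passes the check while still being unsafe in a URL; with GNU grep, `grep -Eqz '[^A-Za-z0-9_-]'` treats the whole value as one record and catches it. Finally, the three lines that encode the password, build `payload` and call `kubectl patch` now appear verbatim in both the rotation branch and the `else` branch; a `store_pass()` helper next to `safe_pass()` would keep the two write paths from drifting.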