From 0e55dbeaa9ec1c8157a37fd31d694b5d3a7f5468 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Thu, 8 Jan 2026 02:45:00 -0300
Subject: [PATCH] comms: ensure mas db secret
---
 services/comms/kustomization.yaml | 2 +
 services/comms/mas-db-ensure-job.yaml | 72 ++++++++++++++++++++++++++
 services/comms/mas-db-ensure-rbac.yaml | 56 ++++++++++++++++++++
 3 files changed, 130 insertions(+)
 create mode 100644 services/comms/mas-db-ensure-job.yaml
 create mode 100644 services/comms/mas-db-ensure-rbac.yaml
diff --git a/services/comms/kustomization.yaml b/services/comms/kustomization.yaml
index e3e182f..b08f6db 100644
--- a/services/comms/kustomization.yaml
+++ b/services/comms/kustomization.yaml
@@ -11,6 +11,8 @@ resources:
 - mas-configmap.yaml
 - mas-admin-client-secret-ensure-job.yaml
 - mas-secrets-ensure-rbac.yaml
+ - mas-db-ensure-rbac.yaml
+ - mas-db-ensure-job.yaml
 - mas-deployment.yaml
 - element-rendered.yaml
 - livekit-config.yaml
diff --git a/services/comms/mas-db-ensure-job.yaml b/services/comms/mas-db-ensure-job.yaml
new file mode 100644
index 0000000..f4b4653
--- /dev/null
+++ b/services/comms/mas-db-ensure-job.yaml
@@ -0,0 +1,72 @@
+# services/comms/mas-db-ensure-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: mas-db-ensure-2
+ namespace: comms
+spec:
+ backoffLimit: 2
+ template:
+ spec:
+ serviceAccountName: mas-db-ensure
+ restartPolicy: OnFailure
+ volumes:
+ - name: work
+ emptyDir: {}
+ initContainers:
+ - name: prepare
+ image: bitnami/kubectl:latest
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ set -euo pipefail
+ umask 077
+ kubectl -n postgres get secret postgres-auth -o jsonpath='{.data.POSTGRES_PASSWORD}' | base64 -d > /work/postgres_password
+ if kubectl -n comms get secret mas-db >/dev/null 2>&1; then
+ kubectl -n comms get secret mas-db -o jsonpath='{.data.password}' | base64 -d > /work/mas_password
+ else
+ head -c 32 /dev/urandom | base64 | tr -d '\n' > /work/mas_password
+ kubectl -n comms create secret generic mas-db --from-file=password=/work/mas_password >/dev/null
+ fi
+ volumeMounts:
+ - name: work
+ mountPath: /work
+ containers:
+ - name: ensure
+ image: postgres:15
+ env:
+ - name: PGHOST
+ value: postgres-service.postgres.svc.cluster.local
+ - name: PGPORT
+ value: "5432"
+ - name: PGDATABASE
+ value: postgres
+ - name: PGUSER
+ value: postgres
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ set -euo pipefail
+ export PGPASSWORD="$(cat /work/postgres_password)"
+ MAS_PASS="$(cat /work/mas_password)"
+ psql -v ON_ERROR_STOP=1 -v mas_pass="${MAS_PASS}" <<'SQL'
+ DO $$
+ BEGIN
+ IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = 'mas') THEN
+ EXECUTE format('CREATE ROLE mas LOGIN PASSWORD %L', :mas_pass);
+ ELSE
+ EXECUTE format('ALTER ROLE mas WITH PASSWORD %L', :mas_pass);
+ END IF;
+ END
+ $$;
+ DO $$
+ BEGIN
+ IF NOT EXISTS (SELECT 1 FROM pg_database WHERE datname = 'mas') THEN
+ CREATE DATABASE mas OWNER mas;
+ END IF;
+ END
+ $$;
+ SQL
+ volumeMounts:
+ - name: work
+ mountPath: /work
diff --git a/services/comms/mas-db-ensure-rbac.yaml b/services/comms/mas-db-ensure-rbac.yaml
new file mode 100644
index 0000000..fe075d6
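Review bot: The ensure container's psql script cannot succeed as written: `:mas_pass` sits inside a `$$`-quoted DO body, and psql performs no variable interpolation inside quoted literals (dollar quotes included), so PL/pgSQL receives the literal text `:mas_pass` and the statement fails under `ON_ERROR_STOP`; even outside a quoted body the password would have to be passed in the literal-quoted form `:'mas_pass'` rather than spliced raw into `format()`. The second DO block has the mirror problem — `CREATE DATABASE` cannot be executed from a function, so the first run, where the database does not yet exist, is rejected there too. Both go away if the DO blocks are replaced by conditional top-level statements run via `\gexec`, with the password reaching only a plain `ALTER ROLE ... PASSWORD :'mas_pass'`. Separately, the prepare container runs `bitnami/kubectl:latest` while holding the postgres superuser password and a create-capable service-account token; pin that image to a version and digest, as this job is effectively cluster-secret-bearing.
```yaml
            # … unchanged: set -euo pipefail, PGPASSWORD and MAS_PASS setup …
            psql -v ON_ERROR_STOP=1 -v mas_pass="${MAS_PASS}" <<'SQL'
            -- \gexec runs the SELECTed statement text only when the WHERE clause matches;
            -- :'mas_pass' is psql's literal-quoted interpolation, so the password is never spliced raw.
            SELECT 'CREATE ROLE mas LOGIN' WHERE NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = 'mas') \gexec
            ALTER ROLE mas WITH PASSWORD :'mas_pass';
            SELECT 'CREATE DATABASE mas OWNER mas' WHERE NOT EXISTS (SELECT 1 FROM pg_database WHERE datname = 'mas') \gexec
            SQL
```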
--- /dev/null
+++ b/services/comms/mas-db-ensure-rbac.yaml
@@ -0,0 +1,56 @@
+# services/comms/mas-db-ensure-rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: mas-db-ensure
+ namespace: comms
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: mas-db-ensure-postgres
+ namespace: postgres
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["postgres-auth"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: mas-db-ensure-postgres
+ namespace: postgres
+subjects:
+ - kind: ServiceAccount
+ name: mas-db-ensure
+ namespace: comms
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: mas-db-ensure-postgres
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: mas-db-ensure-comms
+ namespace: comms
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["mas-db"]
+ verbs: ["get", "create", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: mas-db-ensure-comms
+ namespace: comms
+subjects:
+ - kind: ServiceAccount
+ name: mas-db-ensure
+ namespace: comms
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: mas-db-ensure-comms
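Review bot: The `create` verb on the `mas-db-ensure-comms` Role is never actually granted: Kubernetes RBAC cannot restrict `create` (or `deletecollection`) by `resourceNames`, because the object's name is not known at authorization time, so a rule that pairs `create` with `resourceNames: ["mas-db"]` matches no request and the job's `kubectl create secret generic mas-db` is denied on the first run. Split the rule so `create` is granted on secrets in the namespace without a name restriction and keep the name-scoped rule for `get`. The `patch` and `update` verbs are not exercised by the job (it only reads or creates the secret), so dropping them keeps the account at least privilege; namespace-wide `create` on secrets in comms is the one unavoidable widening, which is worth a comment so nobody later "tightens" it back.
```yaml
  # … unchanged: metadata for mas-db-ensure-comms …
rules:
  # resourceNames never match a create request (the name is unknown at authz time),
  # so create must be granted namespace-wide; reads stay scoped to the one secret.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["mas-db"]
    verbs: ["get"]
```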