From 4db5ff68ebeb6bf8c92d1305eb477f37ef63c1e0 Mon Sep 17 00:00:00 2001 From: Brad Stein Date: Thu, 8 Jan 2026 03:31:19 -0300 Subject: [PATCH] comms: let mas db secret be job-owned --- services/comms/kustomization.yaml | 1 - services/comms/mas-db-ensure-job.yaml | 6 ++---- services/comms/mas-db-ensure-rbac.yaml | 3 +++ 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/services/comms/kustomization.yaml b/services/comms/kustomization.yaml index 24e153c..b08f6db 100644 --- a/services/comms/kustomization.yaml +++ b/services/comms/kustomization.yaml @@ -12,7 +12,6 @@ resources: - mas-admin-client-secret-ensure-job.yaml - mas-secrets-ensure-rbac.yaml - mas-db-ensure-rbac.yaml - - mas-db-secret.yaml - mas-db-ensure-job.yaml - mas-deployment.yaml - element-rendered.yaml diff --git a/services/comms/mas-db-ensure-job.yaml b/services/comms/mas-db-ensure-job.yaml index 92252a2..1c8b5c4 100644 --- a/services/comms/mas-db-ensure-job.yaml +++ b/services/comms/mas-db-ensure-job.yaml @@ -2,7 +2,7 @@ apiVersion: batch/v1 kind: Job metadata: - name: mas-db-ensure-15 + name: mas-db-ensure-16 namespace: comms spec: backoffLimit: 1 @@ -35,9 +35,7 @@ spec: fi else MAS_PASS="$(safe_pass)" - MAS_B64="$(printf '%s' "${MAS_PASS}" | base64 | tr -d '\n')" - payload="$(printf '{"data":{"password":"%s"}}' "${MAS_B64}")" - kubectl -n comms patch secret mas-db --type=merge -p "${payload}" >/dev/null + kubectl -n comms create secret generic mas-db --from-literal=password="${MAS_PASS}" >/dev/null fi POD_NAME="$(kubectl -n postgres get pods -l app=postgres -o jsonpath='{.items[0].metadata.name}')" diff --git a/services/comms/mas-db-ensure-rbac.yaml b/services/comms/mas-db-ensure-rbac.yaml index 06522b9..19691d7 100644 --- a/services/comms/mas-db-ensure-rbac.yaml +++ b/services/comms/mas-db-ensure-rbac.yaml 
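Review bot: In `mas-db-ensure-job.yaml`, the new `kubectl ... create secret generic mas-db --from-literal=password="${MAS_PASS}"` line puts the generated database password on kubectl's command line, where it is readable from the process argument list while the command runs. The removed `patch -p "${payload}"` form had the same exposure, only base64-encoded. Feeding the value on stdin keeps it out of argv: `printf '%s' "${MAS_PASS}" | kubectl -n comms create secret generic mas-db --from-file=password=/dev/stdin >/dev/null`. Separately, `create` fails with AlreadyExists where `patch` would have merged, and the condition guarding this `else` is outside the hunk. Confirm the branch is reached only when the Secret is absent, including on the retry allowed by `backoffLimit: 1`.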
@@ -14,6 +14,9 @@ rules:
 resources: ["secrets"]
 resourceNames: ["mas-db"]
 verbs: ["get", "patch", "update"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create"]
 - apiGroups: [""]
 resources: ["pods"]
 verbs: ["get", "list"]
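Review bot: The added rule in `mas-db-ensure-rbac.yaml` grants `create` on `secrets` with no `resourceNames`, so the job's identity may create a Secret under any name within the binding's scope, not only `mas-db`. Kubernetes RBAC cannot restrict `create` by resource name, so the rule cannot be written more narrowly. Record that above it so the broad grant is not mistaken for an oversight, for example `# create cannot be scoped by resourceNames; the job only ever creates mas-db`. The object's `kind` and its binding are outside this hunk. Confirm this is a namespaced Role bound only in `comms`, because the same rule in a ClusterRole would permit Secret creation cluster-wide.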