finance: fix vault seed job

services/finance/finance-secrets-ensure-job.yaml

@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: finance-secrets-ensure-1
+  name: finance-secrets-ensure-2
   namespace: finance
 spec:
   backoffLimit: 1
@@ -32,7 +32,12 @@ spec:
       containers:
         - name: ensure
           image: alpine:3.20
-          command: ["/scripts/finance_secrets_ensure.sh"]
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -e
+              apk add --no-cache bash curl jq >/dev/null
+              exec bash /scripts/finance_secrets_ensure.sh
           env:
             - name: VAULT_ROLE
               value: finance-secrets

services/finance/scripts/finance_secrets_ensure.sh

@@ -1,8 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-apk add --no-cache curl jq >/dev/null
-
 vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
 vault_role="${VAULT_ROLE:-finance-secrets}"
 jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"