From ae335fcff2b31d0d455a25ba620f83b4d730c369 Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Thu, 1 Jan 2026 18:09:08 -0300
Subject: [PATCH] comms(mas): debug admin secret ensure job

---
 .../mas-admin-client-secret-ensure-job.yaml      | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/services/communication/mas-admin-client-secret-ensure-job.yaml b/services/communication/mas-admin-client-secret-ensure-job.yaml
index 5a9241d..da37915 100644
--- a/services/communication/mas-admin-client-secret-ensure-job.yaml
+++ b/services/communication/mas-admin-client-secret-ensure-job.yaml
@@ -33,14 +33,14 @@ subjects:
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: mas-admin-client-secret-ensure-4
+  name: mas-admin-client-secret-ensure-5
   namespace: comms
 spec:
-  backoffLimit: 2
+  backoffLimit: 0
   template:
     spec:
       serviceAccountName: mas-admin-client-secret-writer
-      restartPolicy: OnFailure
+      restartPolicy: Never
       volumes:
         - name: work
           emptyDir: {}
@@ -50,7 +50,7 @@ spec:
           command: ["/bin/sh", "-c"]
           args:
             - |
-              set -eu
+              set -euo pipefail
               umask 077
               dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n' > /work/client_secret
           volumeMounts:
@@ -62,12 +62,12 @@ spec:
           command: ["/bin/sh", "-c"]
           args:
             - |
-              set -eu
-              if [ -n "$(kubectl -n comms get secret mas-admin-client -o jsonpath='{.data.client_secret}' 2>/dev/null || true)" ]; then
+              set -euo pipefail
+              if kubectl -n comms get secret mas-admin-client -o jsonpath='{.data.client_secret}' 2>/dev/null | grep -q .; then
                 exit 0
               fi
-              secret="$(cat /work/client_secret)"
-              payload="$(printf '{"stringData":{"client_secret":"%s"}}' "${secret}")"
+              secret_b64="$(base64 /work/client_secret | tr -d '\n')"
+              payload="$(printf '{"data":{"client_secret":"%s"}}' "${secret_b64}")"
               kubectl -n comms patch secret mas-admin-client --type=merge -p "${payload}" >/dev/null
           volumeMounts:
             - name: work