From df5a5127f124c58442b7b722de24c234c068f8e9 Mon Sep 17 00:00:00 2001 From: Brad Stein Date: Thu, 8 Jan 2026 03:12:16 -0300 Subject: [PATCH] comms: add mas db secret stub --- services/comms/kustomization.yaml | 1 + services/comms/mas-db-ensure-job.yaml | 11 +++++++---- services/comms/mas-db-ensure-rbac.yaml | 2 +- services/comms/mas-db-secret.yaml | 7 +++++++ 4 files changed, 16 insertions(+), 5 deletions(-) create mode 100644 services/comms/mas-db-secret.yaml diff --git a/services/comms/kustomization.yaml b/services/comms/kustomization.yaml index b08f6db..24e153c 100644 --- a/services/comms/kustomization.yaml +++ b/services/comms/kustomization.yaml @@ -12,6 +12,7 @@ resources: - mas-admin-client-secret-ensure-job.yaml - mas-secrets-ensure-rbac.yaml - mas-db-ensure-rbac.yaml + - mas-db-secret.yaml - mas-db-ensure-job.yaml - mas-deployment.yaml - element-rendered.yaml diff --git a/services/comms/mas-db-ensure-job.yaml b/services/comms/mas-db-ensure-job.yaml index 9e5cf3b..6a31080 100644 --- a/services/comms/mas-db-ensure-job.yaml +++ b/services/comms/mas-db-ensure-job.yaml @@ -2,7 +2,7 @@ apiVersion: batch/v1 kind: Job metadata: - name: mas-db-ensure-9 + name: mas-db-ensure-10 namespace: comms spec: backoffLimit: 1 
@@ -20,11 +20,14 @@ spec: set -eu trap 'echo "mas-db-ensure failed"; sleep 300' ERR umask 077 - if kubectl -n comms get secret mas-db >/dev/null 2>&1; then - MAS_PASS="$(kubectl -n comms get secret mas-db -o jsonpath='{.data.password}' | base64 -d)" + EXISTING_B64="$(kubectl -n comms get secret mas-db -o jsonpath='{.data.password}' 2>/dev/null || true)" + if [ -n "${EXISTING_B64}" ]; then + MAS_PASS="$(printf '%s' "${EXISTING_B64}" | base64 -d)" else MAS_PASS="$(head -c 32 /dev/urandom | base64 | tr -d '\n')" - kubectl -n comms create secret generic mas-db --from-literal=password="${MAS_PASS}" >/dev/null + MAS_B64="$(printf '%s' "${MAS_PASS}" | base64 | tr -d '\n')" + payload="$(printf '{"data":{"password":"%s"}}' "${MAS_B64}")" + kubectl -n comms patch secret mas-db --type=merge -p "${payload}" >/dev/null fi POD_NAME="$(kubectl -n postgres get pods -l app=postgres -o jsonpath='{.items[0].metadata.name}')" diff --git a/services/comms/mas-db-ensure-rbac.yaml b/services/comms/mas-db-ensure-rbac.yaml index d65cd97..06522b9 100644 --- a/services/comms/mas-db-ensure-rbac.yaml +++ b/services/comms/mas-db-ensure-rbac.yaml @@ -13,7 +13,7 @@ rules: - apiGroups: [""] resources: ["secrets"] resourceNames: ["mas-db"] - verbs: ["get", "create", "patch", "update"] + verbs: ["get", "patch", "update"] - apiGroups: [""] resources: ["pods"] verbs: ["get", "list"] diff --git a/services/comms/mas-db-secret.yaml b/services/comms/mas-db-secret.yaml new file mode 100644 index 0000000..21b408d --- /dev/null +++ b/services/comms/mas-db-secret.yaml @@ -0,0 +1,7 @@ +# services/comms/mas-db-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: mas-db + namespace: comms +type: Opaque
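Review bot: On the new `EXISTING_B64=` line, `2>/dev/null || true` makes every failed `kubectl get` (API timeout, RBAC denial, missing object) look the same as an empty password, so the `else` branch generates a fresh password and patches it over whatever `mas-db` already holds. Since this commit adds a stub manifest so the secret should always exist, a failed read is a real error and should stop the job: `EXISTING_B64="$(kubectl -n comms get secret mas-db -o jsonpath='{.data.password}')"` lets `set -e` abort, while an empty result still means "not yet populated". Separately, `-p "${payload}"` places the base64 password in kubectl's process arguments; writing the payload to a file under the existing `umask 077` and passing it with `--patch-file` would avoid that. The script continues past the end of this hunk, so how the value reaches Postgres is not visible here.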
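Review bot: The rule on `mas-db` still grants `update`, although the only write the job hunk in this commit performs is `kubectl patch`. If no step outside the visible part of the script updates the secret, the list can shrink to `verbs: ["get", "patch"]`, which keeps the Job's service account at the minimum it needs on a credential-bearing object. A short comment on the rule, for example `# no create: mas-db is declared in mas-db-secret.yaml`, would explain why the verb is missing to whoever next edits it. The Role's metadata and binding are outside this hunk.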
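Review bot: The stub carries no comment saying that `data` is deliberately absent, so a later reader may add a placeholder password to Git or not realise that the live object is expected to differ from the manifest. A header comment such as `# data.password is written at runtime by the mas-db-ensure Job; keep this manifest free of data` would record the intent. It is also worth confirming that whatever applies this kustomization merges into the existing object rather than replacing it, since a replace-style sync would presumably strip the patched password and cause the Job to regenerate it on its next run.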