comms: bootstrap mas db secret

services/comms/mas-db-ensure-job.yaml

@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: mas-db-ensure-3
+  name: mas-db-ensure-4
   namespace: comms
 spec:
   backoffLimit: 2
@@ -21,7 +21,17 @@ spec:
             - |
               set -euo pipefail
               umask 077
-              kubectl -n postgres get secret postgres-auth -o jsonpath='{.data.POSTGRES_PASSWORD}' | base64 -d > /work/postgres_password
+              if kubectl -n postgres get secret postgres-auth >/dev/null 2>&1; then
+                kubectl -n postgres get secret postgres-auth -o jsonpath='{.data.POSTGRES_PASSWORD}' | base64 -d > /work/postgres_password
+              else
+                POSTGRES_PASS="$(kubectl -n postgres get statefulset postgres -o jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="POSTGRES_PASSWORD")].value}')"
+                if [ -z "${POSTGRES_PASS}" ]; then
+                  echo "postgres password not found in statefulset env" >&2
+                  exit 1
+                fi
+                printf '%s' "${POSTGRES_PASS}" > /work/postgres_password
+                kubectl -n postgres create secret generic postgres-auth --from-file=POSTGRES_PASSWORD=/work/postgres_password >/dev/null
+              fi
               if kubectl -n comms get secret mas-db >/dev/null 2>&1; then
                 kubectl -n comms get secret mas-db -o jsonpath='{.data.password}' | base64 -d > /work/mas_password
               else

services/comms/mas-db-ensure-rbac.yaml

@@ -14,6 +14,10 @@ rules:
     resources: ["secrets"]
     resourceNames: ["postgres-auth", "mas-db"]
     verbs: ["get", "create", "patch", "update"]
+  - apiGroups: ["apps"]
+    resources: ["statefulsets"]
+    resourceNames: ["postgres"]
+    verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding