diff --git a/services/comms/mas-db-ensure-job.yaml b/services/comms/mas-db-ensure-job.yaml
index 9ac32c2..71a9dad 100644
--- a/services/comms/mas-db-ensure-job.yaml
+++ b/services/comms/mas-db-ensure-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: mas-db-ensure-3
+ name: mas-db-ensure-4
 namespace: comms
 spec:
 backoffLimit: 2
@@ -21,7 +21,17 @@ spec:
 - |
 set -euo pipefail
 umask 077
- kubectl -n postgres get secret postgres-auth -o jsonpath='{.data.POSTGRES_PASSWORD}' | base64 -d > /work/postgres_password
+ if kubectl -n postgres get secret postgres-auth >/dev/null 2>&1; then
+ kubectl -n postgres get secret postgres-auth -o jsonpath='{.data.POSTGRES_PASSWORD}' | base64 -d > /work/postgres_password
+ else
+ POSTGRES_PASS="$(kubectl -n postgres get statefulset postgres -o jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="POSTGRES_PASSWORD")].value}')"
+ if [ -z "${POSTGRES_PASS}" ]; then
+ echo "postgres password not found in statefulset env" >&2
+ exit 1
+ fi
+ printf '%s' "${POSTGRES_PASS}" > /work/postgres_password
+ kubectl -n postgres create secret generic postgres-auth --from-file=POSTGRES_PASSWORD=/work/postgres_password >/dev/null
+ fi
 if kubectl -n comms get secret mas-db >/dev/null 2>&1; then
 kubectl -n comms get secret mas-db -o jsonpath='{.data.password}' | base64 -d > /work/mas_password
 else
diff --git a/services/comms/mas-db-ensure-rbac.yaml b/services/comms/mas-db-ensure-rbac.yaml
index bbf5224..547b29b 100644
--- a/services/comms/mas-db-ensure-rbac.yaml
+++ b/services/comms/mas-db-ensure-rbac.yaml
@@ -14,6 +14,10 @@ rules:
 resources: ["secrets"]
 resourceNames: ["postgres-auth", "mas-db"]
 verbs: ["get", "create", "patch", "update"]
+ - apiGroups: ["apps"]
+ resources: ["statefulsets"]
+ resourceNames: ["postgres"]
+ verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
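Review bot: The new `else` branch in mas-db-ensure-job.yaml copies a password that sits as a literal `value` in the postgres StatefulSet env, and once `kubectl -n postgres create secret generic postgres-auth` has run, that plaintext is still in the StatefulSet spec for anyone with `get` on statefulsets to read. I would mark the branch as transitional with a comment such as `# Migration fallback: remove once the postgres StatefulSet reads POSTGRES_PASSWORD via valueFrom.secretKeyRef`, and move the StatefulSet to `secretKeyRef` in a follow-up. Separately, the probe `kubectl -n postgres get secret postgres-auth >/dev/null 2>&1` treats a Forbidden or transient API error the same as "secret absent" and then takes the fallback path; letting stderr through, or checking for NotFound explicitly, would keep an RBAC or connectivity problem from being misread. The script block starts and continues outside this hunk.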
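Review bot: The secrets rule shown just above the added statefulsets rule in mas-db-ensure-rbac.yaml combines `create` with `resourceNames`, and Kubernetes RBAC does not match `create` requests against a resource name, so the job's new `kubectl -n postgres create secret generic postgres-auth` is likely to be denied unless a rule outside this hunk grants it. A separate rule carrying only `verbs: ["create"]` on secrets, with no `resourceNames`, would be needed, and since it cannot be narrowed by name it belongs in a namespaced Role. The binding that follows is a `ClusterRoleBinding`, so the added `get` on a statefulset named `postgres` (and the secrets rule) applies in every namespace. A Role plus RoleBinding in the `postgres` namespace would restrict the read of the pod template, including its env values, to the one object the job uses. The rules list begins outside the hunk.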