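# services/maintenance/metis-k3s-token-sync-cronjob.yaml
#
# Periodically copies the k3s server join token from the node's filesystem
# into Vault (kv/atlas/maintenance/metis-runtime, key k3s_token), authenticating
# to Vault with the pod's Kubernetes service-account JWT.
#
# The job runs as uid 0 and mounts a hostPath, so it is kept as narrow as the
# script needs: only the token file itself is mounted, read-only, with no
# privilege escalation and no Linux capabilities.
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: metis-k3s-token-sync
  namespace: maintenance
spec:
  # Every six hours at minute 11 (quoted so the cron string is not parsed).
  schedule: "11 */6 * * *"
  # Never overlap two syncs; a hung run must not pile up further pods.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 2
  jobTemplate:
    spec:
      # A sync is two short Vault calls; kill a run that hangs on Vault or
      # the network so it cannot block later schedules via Forbid.
      activeDeadlineSeconds: 600
      template:
        spec:
          serviceAccountName: metis-token-sync
          restartPolicy: OnFailure
          # Pinned to the control-plane node whose k3s server directory holds
          # the token; if that node is unavailable the job will not run.
          nodeName: titan-0a
          tolerations:
            - key: node-role.kubernetes.io/control-plane
              operator: Exists
              effect: NoSchedule
            - key: node-role.kubernetes.io/master
              operator: Exists
              effect: NoSchedule
          containers:
            - name: sync
              image: hashicorp/vault:1.17.6
              imagePullPolicy: IfNotPresent
              command:
                - /bin/sh
                - -c
              args:
                # set -eu: abort on any failed step or unset variable so a
                # partial read never results in an empty/garbled token write.
                - |
                  set -eu
                  token="$(tr -d '\n' < /host/var/lib/rancher/k3s/server/token)"
                  jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
                  VAULT_TOKEN="$(vault write -field=token auth/kubernetes/login role="${VAULT_K8S_ROLE}" jwt="${jwt}")"
                  export VAULT_TOKEN
                  vault kv put kv/atlas/maintenance/metis-runtime k3s_token="${token}"
              env:
                # NOTE(review): plain HTTP — the service-account JWT, the Vault
                # token and the k3s token cross the cluster network unencrypted.
                # Switch to https once the Vault listener serves TLS (confirm
                # the listener config before changing).
                - name: VAULT_ADDR
                  value: http://vault.vault.svc.cluster.local:8200
                - name: VAULT_K8S_ROLE
                  value: maintenance-metis-token-sync
              securityContext:
                # uid 0 is needed to read the token file, which k3s keeps
                # root-readable only (assumed — verify the mode on the node).
                # Reading a root-owned file as root needs no capabilities, and
                # nothing in the script needs setuid, so both are removed.
                runAsUser: 0
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
              volumeMounts:
                # Mount only the token file at the path the script reads, not
                # the whole server directory the script never touches.
                - name: k3s-server-token
                  mountPath: /host/var/lib/rancher/k3s/server/token
                  readOnly: true
          volumes:
            - name: k3s-server-token
              hostPath:
                path: /var/lib/rancher/k3s/server/token
                # type: File fails the pod if the token is missing instead of
                # silently creating an empty directory at that path.
                type: File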