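# services/comms/oneoffs/mas-admin-client-secret-ensure-job.yaml
# One-off job for comms/mas-admin-client-secret-writer.
# Purpose: mas admin client secret writer (see container args/env in this file).
# Run by setting spec.suspend to false, reconcile, then set it back to true.
# Safe to delete the finished Job/pod; it should not run continuously.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mas-admin-client-secret-writer
  namespace: comms
imagePullSecrets:
  - name: harbor-regcred
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mas-admin-client-secret-writer
  namespace: comms
# NOTE(review): the patch container below authenticates to Vault with the
# ServiceAccount token and never calls the Kubernetes API, so none of the
# secret verbs granted here are exercised by the script in this file.
# Confirm they are still needed before keeping them (least privilege).
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["mas-admin-client-runtime"]
    verbs: ["get", "patch", "update"]
  # "create" cannot be restricted by resourceNames (the name is not known at
  # authorization time), so this rule allows creating any Secret in comms.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mas-admin-client-secret-writer
  namespace: comms
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mas-admin-client-secret-writer
subjects:
  - kind: ServiceAccount
    name: mas-admin-client-secret-writer
    namespace: comms
---
apiVersion: batch/v1
kind: Job
metadata:
  name: mas-admin-client-secret-ensure-11
  namespace: comms
spec:
  # Suspended by default: the Job only runs when explicitly released (see header).
  suspend: true
  backoffLimit: 2
  template:
    spec:
      serviceAccountName: mas-admin-client-secret-writer
      restartPolicy: OnFailure
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values: ["arm64"]
      volumes:
        # Scratch space shared between the generator and the writer; it lives
        # only as long as this pod.
        - name: work
          emptyDir: {}
      initContainers:
        # Generates the candidate secret into /work/client_secret.
        - name: generate
          image: alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              umask 077
              # 32 random bytes, hex-encoded (64 chars), no spaces or trailing newline.
              dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n' > /work/client_secret
              # Widened so the patch container can read it whatever UID it runs as;
              # the emptyDir is not reachable from outside this pod.
              # TODO(review): confirm the kubectl image's UID and tighten to 0640/0600 if possible.
              chmod 0644 /work/client_secret
          volumeMounts:
            - name: work
              mountPath: /work
      containers:
        # Writes the generated value to Vault KV v2 only if no client_secret is
        # stored yet; exits 0 without writing when one already exists.
        - name: patch
          image: registry.bstein.dev/bstein/kubectl:1.35.0
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              # Defaults point at the in-cluster Vault over plain HTTP; override via
              # VAULT_ADDR / VAULT_ROLE env vars on the container if needed.
              vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
              vault_role="${VAULT_ROLE:-comms-secrets}"
              secret_url="${vault_addr}/v1/kv/data/atlas/comms/mas-admin-client-runtime"

              # Vault Kubernetes auth using the pod's projected ServiceAccount token.
              jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
              login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
              vault_token="$(curl -sS --request POST --data "${login_payload}" \
                "${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
              if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then
                echo "vault login failed" >&2
                exit 1
              fi

              # Read the current value. A missing secret comes back as 404 with an
              # empty errors list; a non-empty errors list (e.g. permission denied)
              # must abort instead of being treated as "not set yet", which would
              # otherwise lead straight into a write attempt.
              read_resp="$(curl -sS -H "X-Vault-Token: ${vault_token}" "${secret_url}")"
              if [ "$(printf '%s' "${read_resp}" | jq -r '(.errors // []) | length')" != "0" ]; then
                echo "vault read failed: $(printf '%s' "${read_resp}" | jq -c '.errors')" >&2
                exit 1
              fi
              current="$(printf '%s' "${read_resp}" | jq -r '.data.data.client_secret // empty')"
              if [ -n "${current}" ]; then
                exit 0
              fi

              # Store the generated value. --fail makes curl exit non-zero on an HTTP
              # error so a rejected write fails the Job (and is retried up to
              # backoffLimit) instead of exiting 0 with nothing stored.
              # NOTE: a KV v2 POST replaces the whole data map at this path.
              value="$(cat /work/client_secret)"
              payload="$(jq -nc --arg value "${value}" '{data:{client_secret:$value}}')"
              curl -sS --fail -X POST -H "X-Vault-Token: ${vault_token}" \
                -d "${payload}" "${secret_url}" >/dev/null
          volumeMounts:
            - name: work
              mountPath: /work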