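# services/finance/oneoffs/finance-secrets-ensure-job.yaml
# One-off job for finance/finance-secrets-ensure-5.
# Purpose: runs /scripts/finance_secrets_ensure.py (mounted from the
# finance-secrets-ensure-script ConfigMap) with the firefly-db and
# actualbudget-db Secrets mounted read-only and VAULT_ROLE=finance-secrets.
# The script is not part of this file; what it does with those secrets
# has to be checked in the ConfigMap.
# Run by setting spec.suspend to false, reconcile, then set it back to true.
# Safe to delete the finished Job/pod; it should not run continuously.
# NOTE: spec.template of an existing Job is immutable. After editing the pod
# template, delete the suspended Job (or bump the name suffix) before
# reconciling, otherwise the apply is rejected.
apiVersion: batch/v1
kind: Job
metadata:
  name: finance-secrets-ensure-5
  namespace: finance
spec:
  # Kept suspended so the Job only runs when an operator flips this flag.
  suspend: true
  # At most one retry after a failed pod.
  backoffLimit: 1
  # Finished Job and its pod (including logs) are removed after one hour.
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      # Pod identity. Presumably this ServiceAccount is what the Vault role in
      # VAULT_ROLE is bound to - confirm, and keep its RBAC and Vault policy
      # limited to what the script needs.
      serviceAccountName: finance-secrets-ensure
      restartPolicy: Never
      affinity:
        nodeAffinity:
          # Soft preference only: rpi5 first, then rpi4.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi5"]
            - weight: 70
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi4"]
      nodeSelector:
        kubernetes.io/arch: arm64
        # Label values are strings; keep the quotes so this is not a boolean.
        node-role.kubernetes.io/worker: "true"
      containers:
        - name: ensure
          # NOTE(review): mutable tag. This pod reads database credentials, so
          # pin the image by digest (python:3.11-alpine@sha256:<digest>) to
          # make sure the reviewed image is the one that runs.
          image: python:3.11-alpine
          # Baseline hardening that does not depend on the runtime UID.
          # NOTE(review): runAsNonRoot/runAsUser and readOnlyRootFilesystem
          # are left unset because the image defaults to root and the script's
          # filesystem needs are not visible here - add them once confirmed.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          command: ["/bin/sh", "-c"]
          # set -e aborts on the first failing command; exec replaces the
          # shell so the Python exit code becomes the container exit code.
          args:
            - |
              set -e
              exec python /scripts/finance_secrets_ensure.py
          env:
            - name: VAULT_ROLE
              value: finance-secrets
          volumeMounts:
            - name: finance-secrets-ensure-script
              mountPath: /scripts
              readOnly: true
            - name: firefly-db
              mountPath: /secrets/firefly-db
              readOnly: true
            - name: actualbudget-db
              mountPath: /secrets/actualbudget-db
              readOnly: true
      volumes:
        - name: finance-secrets-ensure-script
          configMap:
            name: finance-secrets-ensure-script
            # Octal r-xr-xr-x. Must stay an unquoted integer: the field is an
            # int32 and Kubernetes' YAML decoding accepts the octal form.
            defaultMode: 0555
        # Secret volumes use the default file mode (0644) here.
        # NOTE(review): consider defaultMode: 0400 once the runtime UID is
        # fixed, so only the owning user can read the credentials.
        - name: firefly-db
          secret:
            secretName: firefly-db
        - name: actualbudget-db
          secret:
            secretName: actualbudget-db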