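# services/keycloak/oneoffs/actual-oidc-secret-ensure-job.yaml
# One-off job for sso/actual-oidc-secret-ensure-3.
# Purpose: actual oidc secret ensure 3 (see container args/env in this file).
# Run by setting spec.suspend to false, reconcile, then set it back to true.
# Safe to delete the finished Job/pod; it should not run continuously.
apiVersion: batch/v1
kind: Job
metadata:
  name: actual-oidc-secret-ensure-3
  namespace: sso
spec:
  # Suspended by default so the Job only runs when an operator flips this flag.
  suspend: true
  # No retries: a failed run is inspected by hand rather than repeated.
  backoffLimit: 0
  # Finished Job and pod (including logs) are garbage-collected after one hour.
  ttlSecondsAfterFinished: 3600
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # Init-container only: secrets are rendered once and no Vault sidecar
        # is left running, so the Job pod can reach Completed.
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/role: "sso-secrets"
        vault.hashicorp.com/agent-inject-secret-keycloak-admin-env.sh: "kv/data/atlas/shared/keycloak-admin"
        # Renders the Keycloak admin credentials as a shell fragment under
        # /vault/secrets/ (the injector's default path).
        # NOTE(review): the values are placed inside double quotes, so if the
        # consuming script sources this file, a password containing $, `, " or \
        # is expanded or breaks the export. Confirm how the script reads it and
        # avoid `set -x` or echoing these variables into the Job log.
        vault.hashicorp.com/agent-inject-template-keycloak-admin-env.sh: |
          {{ with secret "kv/data/atlas/shared/keycloak-admin" }}
          export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
          export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
          export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
          {{ end }}
    spec:
      # NOTE(review): this service account is named for a different job; it
      # carries both the Kubernetes RBAC and the Vault role binding used here.
      # Confirm both are scoped to what this one-off needs.
      serviceAccountName: mas-secrets-ensure
      restartPolicy: Never
      volumes:
        - name: actual-oidc-secret-ensure-script
          configMap:
            name: actual-oidc-secret-ensure-script
            # Read as octal (r-xr-xr-x) by Kubernetes' YAML handling; a strict
            # YAML 1.2 tool would read decimal 555. Must stay an integer.
            defaultMode: 0555
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values: ["arm64"]
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
      containers:
        - name: apply
          # Pinned by digest, so the image content cannot change under the tag.
          image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
          command: ["/scripts/actual_oidc_secret_ensure.sh"]
          # The container handles admin credentials and a service-account
          # token; it is not expected to need extra privileges.
          # NOTE(review): verify the script still runs under these settings,
          # then consider adding runAsNonRoot: true as well.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: actual-oidc-secret-ensure-script
              mountPath: /scripts
              readOnly: true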