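# services/mailu/oneoffs/mailu-sync-job.yaml
# One-off job for mailu-mailserver/mailu-sync-9.
# Purpose: mailu sync 9 (see container args/env in this file).
# Run by setting spec.suspend to false, reconcile, then set it back to true.
# Safe to delete the finished Job/pod; it should not run continuously.
#
# Security notes for reviewers:
#   - The pod receives the Mailu DB credentials, the sync client id/secret and
#     the initial-account password from Vault. Everything that runs in the
#     container (including whatever pip downloads at start-up) can read them.
#   - The image tag and the pip packages are not pinned; see the NOTE(review)
#     comments on the container below.
apiVersion: batch/v1
kind: Job
metadata:
  name: mailu-sync-9
  namespace: mailu-mailserver
spec:
  # Kept suspended in Git; flip to false only for the duration of a run.
  suspend: true
  template:
    metadata:
      annotations:
        # Vault Agent injector configuration.
        # pre-populate-only injects an init container only (no sidecar), so
        # the Job's pod can complete once the sync container exits.
        # Each inject-secret-<name> / inject-template-<name> pair renders a
        # single field of a KV v2 secret to the file /vault/secrets/<name>.
        # The Vault role is presumably bound to the mailu-vault-sync service
        # account used below - verify that its policy is limited to the three
        # kv/data/atlas/mailu/* paths referenced here.
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/role: "mailu-mailserver"
        vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret"
        vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: |
          {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.database }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mailu-db-secret__username: "kv/data/atlas/mailu/mailu-db-secret"
        vault.hashicorp.com/agent-inject-template-mailu-db-secret__username: |
          {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.username }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mailu-db-secret__password: "kv/data/atlas/mailu/mailu-db-secret"
        vault.hashicorp.com/agent-inject-template-mailu-db-secret__password: |
          {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.password }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-id: "kv/data/atlas/mailu/mailu-sync-credentials"
        vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-id: |
          {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-id" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-secret: "kv/data/atlas/mailu/mailu-sync-credentials"
        vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-secret: |
          {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-secret" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mailu-initial-account-secret__password: "kv/data/atlas/mailu/mailu-initial-account-secret"
        vault.hashicorp.com/agent-inject-template-mailu-initial-account-secret__password: |
          {{- with secret "kv/data/atlas/mailu/mailu-initial-account-secret" -}}{{ .Data.data.password }}{{- end -}}
    spec:
      restartPolicy: OnFailure
      affinity:
        nodeAffinity:
          # Hard requirement: worker nodes only.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
          # Soft preference: arm64 workers.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values: ["arm64"]
      serviceAccountName: mailu-vault-sync
      containers:
        - name: mailu-sync
          # NOTE(review): mutable tag. A re-pushed python:3.11-alpine changes
          # what runs next to the Vault secrets; prefer pinning by digest
          # (python:3.11-alpine@sha256:<digest-placeholder>).
          image: python:3.11-alpine
          imagePullPolicy: IfNotPresent
          # Hardening that does not depend on the workload: no privilege
          # escalation, no Linux capabilities, default seccomp filter.
          # runAsNonRoot / readOnlyRootFilesystem are deliberately not set
          # because the start-up `pip install` writes into the image's
          # site-packages; add them once dependencies are baked into an image.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          command: ["/bin/sh", "-c"]
          # Start-up sequence: source the env script (presumably exports the
          # Vault-rendered files as environment variables - confirm against
          # the mailu-vault-env ConfigMap), install dependencies, run the sync.
          # NOTE(review): the pip install is unpinned and runs on every start
          # in a container that already holds the DB and Keycloak secrets, so
          # a compromised or typo-squatted release would execute with access
          # to them. Prefer a prebuilt image, or a pinned requirements file
          # installed with `pip install --require-hashes -r <file>`.
          # pip output goes to /tmp/pip.log only; it is lost with the pod.
          args:
            - |
              set -euo pipefail
              . /vault/scripts/mailu_vault_env.sh
              pip install --no-cache-dir requests psycopg2-binary passlib >/tmp/pip.log \
                && python /app/sync.py
          env:
            # NOTE(review): plain HTTP. Presumably the sync client secret is
            # sent to Keycloak over this URL - confirm the path is protected
            # (mesh mTLS / NetworkPolicy) or switch to an https endpoint.
            - name: KEYCLOAK_BASE_URL
              value: http://keycloak.sso.svc.cluster.local
            - name: KEYCLOAK_REALM
              value: atlas
            - name: MAILU_DOMAIN
              value: bstein.dev
            # Quoted so the value stays a string, as env values must be.
            - name: MAILU_DEFAULT_QUOTA
              value: "20000000000"
            - name: MAILU_SYSTEM_USERS
              value: no-reply-portal@bstein.dev,no-reply-vaultwarden@bstein.dev
            - name: MAILU_DB_HOST
              value: postgres-service.postgres.svc.cluster.local
            - name: MAILU_DB_PORT
              value: "5432"
          volumeMounts:
            # subPath mounts the single sync.py key as a file at /app/sync.py.
            - name: sync-script
              mountPath: /app/sync.py
              subPath: sync.py
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 200m
              memory: 256Mi
      volumes:
        # defaultMode is an integer field: Kubernetes' YAML loader reads the
        # leading-zero literals below as octal (0444 = r--r--r--,
        # 0555 = r-xr-xr-x). Do not quote them.
        - name: sync-script
          configMap:
            name: mailu-sync-script
            defaultMode: 0444
        - name: vault-scripts
          configMap:
            name: mailu-vault-env
            defaultMode: 0555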