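# services/maintenance/metis-k3s-token-sync-cronjob.yaml
#
# Every six hours, copy the k3s server join token
# (/var/lib/rancher/k3s/server/node-token on a control-plane node) into the
# Secret maintenance/metis-runtime under the key `k3s_token`.
#
# Security notes for reviewers:
#   * The node-token is the cluster *join* credential: anything that can read
#     the resulting Secret (or the `metis-token-sync` ServiceAccount's token)
#     can enrol new nodes. Keep RBAC on the `maintenance` namespace tight and
#     scope the ServiceAccount's Role to get/create/patch on this one Secret
#     (the Role/RoleBinding live outside this file — verify there).
#   * The token is never placed on a command line: it is written to a
#     memory-backed, pod-private scratch volume and handed to kubectl with
#     --from-file, so it does not show up in /proc/<pid>/cmdline.
#   * `kubectl apply` also records the Secret (base64 data included) in the
#     kubectl.kubernetes.io/last-applied-configuration annotation. That lives
#     on the same object under the same RBAC, so it is not a new exposure, but
#     be aware of it when diffing or logging annotations.
#   * The image is referenced by a mutable tag with IfNotPresent; pin it by
#     digest (`image: ...@sha256:<digest>`) once one is known.
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: metis-k3s-token-sync
  namespace: maintenance
spec:
  schedule: "11 */6 * * *"
  # Never run two syncs at once: both would write the same Secret.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 2
  jobTemplate:
    spec:
      # The script finishes in seconds; cap the Job so a wedged API call cannot
      # leave a Job running forever and (via Forbid) suppress every later run.
      activeDeadlineSeconds: 300
      backoffLimit: 3
      template:
        spec:
          serviceAccountName: metis-token-sync
          restartPolicy: OnFailure
          # The token file only exists on k3s server (control-plane) nodes.
          nodeSelector:
            kubernetes.io/arch: arm64
            node-role.kubernetes.io/control-plane: "true"
          # Control-plane nodes are commonly tainted; tolerate both the current
          # and the legacy taint key.
          tolerations:
            - key: node-role.kubernetes.io/control-plane
              operator: Exists
              effect: NoSchedule
            - key: node-role.kubernetes.io/master
              operator: Exists
              effect: NoSchedule
          containers:
            - name: sync
              image: registry.bstein.dev/bstein/kubectl:1.35.0
              imagePullPolicy: IfNotPresent
              command:
                - /bin/sh
                - -c
              args:
                - |
                  set -euo pipefail
                  # Scratch file must not be group/world readable.
                  umask 077
                  src=/host/var/lib/rancher/k3s/server/node-token
                  scratch=/scratch/k3s_token
                  # node-token is a single line; drop the trailing newline so the
                  # Secret value is the bare token.
                  tr -d '\n' < "$src" > "$scratch"
                  # An empty token must not silently overwrite a good Secret
                  # (tr succeeds on an empty file, so set -e would not catch it).
                  if [ ! -s "$scratch" ]; then
                    echo "node-token is empty or unreadable: $src" >&2
                    exit 1
                  fi
                  # --from-file keeps the token out of kubectl's argv.
                  kubectl -n maintenance create secret generic metis-runtime \
                    --from-file=k3s_token="$scratch" \
                    --dry-run=client -o yaml | kubectl apply -f -
                  rm -f "$scratch"
              securityContext:
                # node-token is owned by root with mode 0600 on k3s servers, so
                # the reader must run as uid 0; nothing else here needs root.
                runAsUser: 0
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
                seccompProfile:
                  type: RuntimeDefault
              volumeMounts:
                - name: k3s-server
                  mountPath: /host/var/lib/rancher/k3s/server
                  readOnly: true
                - name: token-scratch
                  mountPath: /scratch
          volumes:
            - name: k3s-server
              hostPath:
                path: /var/lib/rancher/k3s/server
                # Fail the pod if the directory is missing instead of mounting
                # an empty (or freshly created) path.
                type: Directory
            # tmpfs-backed and pod-private: the plaintext token never touches
            # node disk and is discarded with the pod.
            - name: token-scratch
              emptyDir:
                medium: Memory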