# services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml
#
# CronJob that runs /scripts/vaultwarden_cred_sync.py from the
# bstein-dev-home backend image. Secrets are rendered by the Vault Agent
# injector into a shell file that the container sources before starting
# Python.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: vaultwarden-cred-sync
  namespace: bstein-dev-home
  labels:
    atlas.bstein.dev/glue: "true"
spec:
  # Every 15 minutes.
  schedule: "*/15 * * * *"
  # Suspended: no Jobs are created from the schedule until this is false.
  suspend: true
  # Do not start a new run while the previous one is still active.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      # A failed pod is not retried; the next scheduled run is the retry.
      backoffLimit: 0
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            # Init container only (no sidecar): secrets are rendered once
            # before the sync container starts and are not refreshed.
            vault.hashicorp.com/agent-pre-populate-only: "true"
            vault.hashicorp.com/role: "bstein-dev-home"
            # Declares the rendered file /vault/secrets/portal-env.sh; its
            # content comes from the template annotation below.
            vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db"
            # NOTE(review): each value is interpolated inside a double-quoted
            # shell assignment in a file that is later sourced, so a secret
            # containing a double quote, `$` or a backtick is interpreted by
            # the shell instead of being taken literally. Anyone able to
            # write these KV paths therefore influences what the pod
            # executes; restrict write access accordingly or render the
            # values in a form the shell does not expand.
            # NOTE(review): four KV paths are read here. Confirm the sync
            # script actually needs the chat keys and the portal e2e client
            # credentials; anything it does not read should be dropped so
            # this job only holds the secrets it uses.
            vault.hashicorp.com/agent-inject-template-portal-env.sh: |
              {{ with secret "kv/data/atlas/portal/atlas-portal-db" }}
              export PORTAL_DATABASE_URL="{{ .Data.data.PORTAL_DATABASE_URL }}"
              {{ end }}
              {{ with secret "kv/data/atlas/portal/bstein-dev-home-keycloak-admin" }}
              export KEYCLOAK_ADMIN_CLIENT_SECRET="{{ .Data.data.client_secret }}"
              {{ end }}
              {{ with secret "kv/data/atlas/shared/chat-ai-keys-runtime" }}
              export CHAT_KEY_MATRIX="{{ .Data.data.matrix }}"
              export CHAT_KEY_HOMEPAGE="{{ .Data.data.homepage }}"
              {{ end }}
              {{ with secret "kv/data/atlas/shared/portal-e2e-client" }}
              export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
              export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
              {{ end }}
        spec:
          # NOTE(review): the service account and the Vault role share the
          # name bstein-dev-home. If other workloads use the same identity,
          # this job holds whatever Vault policy and RBAC they hold; confirm
          # whether a dedicated, narrower identity is warranted.
          serviceAccountName: bstein-dev-home
          restartPolicy: Never
          nodeSelector:
            kubernetes.io/arch: arm64
            node-role.kubernetes.io/worker: "true"
          imagePullSecrets:
            - name: harbor-regcred
          containers:
            # NOTE(review): this manifest sets no securityContext and no
            # resource requests/limits on the container. Unless an admission
            # policy supplies defaults, consider runAsNonRoot: true,
            # allowPrivilegeEscalation: false and capabilities.drop: [ALL]
            # after confirming the image runs as a non-root user.
            - name: sync
              # Pinned by tag, not by digest. With imagePullPolicy Always the
              # tag is re-resolved on every run, so the code that executes is
              # whatever the registry serves for this tag at that moment.
              image: registry.bstein.dev/bstein/bstein-dev-home-backend:0.1.1-95
              imagePullPolicy: Always
              command:
                - /bin/sh
                - -c
              args:
                # Source the Vault-rendered exports, then replace the shell
                # with the Python process. The exported secrets are
                # inherited by any child process the script starts.
                - >-
                  . /vault/secrets/portal-env.sh
                  && exec python /scripts/vaultwarden_cred_sync.py
              env:
                - name: PYTHONPATH
                  value: /app
                - name: KEYCLOAK_ENABLED
                  value: "true"
                - name: KEYCLOAK_REALM
                  value: atlas
                # NOTE(review): plain HTTP to the in-cluster Keycloak
                # service. The admin client secret and the tokens issued for
                # it cross the pod network unencrypted unless a service mesh
                # or the CNI encrypts traffic; confirm.
                - name: KEYCLOAK_ADMIN_URL
                  value: http://keycloak.sso.svc.cluster.local
                - name: KEYCLOAK_ADMIN_REALM
                  value: atlas
                - name: KEYCLOAK_ADMIN_CLIENT_ID
                  value: bstein-dev-home-admin
                # Tuning values read by the script; their exact semantics are
                # defined there and are not visible in this manifest. Quoted
                # because env values must be strings.
                - name: HTTP_CHECK_TIMEOUT_SEC
                  value: "20"
                - name: VAULTWARDEN_ADMIN_SESSION_TTL_SEC
                  value: "900"
                - name: VAULTWARDEN_RETRY_COOLDOWN_SEC
                  value: "1800"
                - name: VAULTWARDEN_FAILURE_BAILOUT
                  value: "2"
              volumeMounts:
                - name: vaultwarden-cred-sync-script
                  mountPath: /scripts
                  readOnly: true
          volumes:
            - name: vaultwarden-cred-sync-script
              configMap:
                name: vaultwarden-cred-sync-script
                # Octal r-xr-xr-x (decimal 365). The field is an integer, so
                # it cannot be quoted; the leading-zero form relies on the
                # loader treating it as octal, which Kubernetes YAML does.
                defaultMode: 0555