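---
# services/communication/mas-admin-client-secret-ensure-job.yaml
#
# One-shot Job that fills in `data.client_secret` on the Secret
# comms/mas-admin-client if (and only if) no value is present yet.
# The value is 32 random bytes, hex-encoded (64 chars), generated in an
# init container and handed to the kubectl container through a
# memory-backed emptyDir so the plaintext never touches node disk.
#
# Assumption (not created here): the Secret object itself is created by
# another manifest. The Role below allows patching the named Secret but
# not creating it, so the Job fails with a clear message if it is absent.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mas-admin-client-secret-writer
  namespace: comms
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mas-admin-client-secret-writer
  namespace: comms
rules:
  # Least privilege: access is limited to the single named Secret.
  # `list`/`watch` are intentionally absent; they cannot be scoped by name.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["mas-admin-client"]
    verbs: ["get", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mas-admin-client-secret-writer
  namespace: comms
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mas-admin-client-secret-writer
subjects:
  - kind: ServiceAccount
    name: mas-admin-client-secret-writer
    namespace: comms
---
apiVersion: batch/v1
kind: Job
metadata:
  name: mas-admin-client-secret-ensure-5
  namespace: comms
spec:
  backoffLimit: 0  # never retry: a retry could race another writer
  activeDeadlineSeconds: 300  # fail instead of hanging if the API is unreachable
  template:
    spec:
      serviceAccountName: mas-admin-client-secret-writer
      restartPolicy: Never
      volumes:
        - name: work
          emptyDir:
            medium: Memory  # tmpfs: keep the plaintext secret off the node's disk
            sizeLimit: 1Mi
      initContainers:
        - name: generate
          image: alpine:3.20
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534  # alpine has no USER directive; pick an unprivileged uid
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          command: ["/bin/sh", "-c"]
          args:
            - |
              # busybox ash (alpine) supports pipefail, so a truncated pipeline aborts.
              set -euo pipefail
              umask 077
              dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n' > /work/client_secret
              # 32 bytes -> 64 hex chars; anything else means the pipeline was cut short.
              [ "$(wc -c < /work/client_secret)" -eq 64 ] || { echo "unexpected secret length" >&2; exit 1; }
          volumeMounts:
            - name: work
              mountPath: /work
      containers:
        - name: patch
          # TODO: pin to an explicit version or @sha256 digest; `latest` is mutable
          # and makes this Job's behaviour depend on whatever was pushed last.
          image: bitnami/kubectl:latest
          securityContext:
            runAsNonRoot: true  # relies on the image declaring a numeric USER; set runAsUser if the image changes
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          command: ["/bin/sh", "-c"]
          args:
            - |
              # `pipefail` is deliberately not used here: /bin/sh in Debian-based
              # images may be dash, which rejects `set -o pipefail` and would abort
              # the script before it does anything. Pipelines are guarded explicitly.
              set -eu
              # Refuse to run against a missing Secret: `patch` cannot create it and the
              # Role grants no `create`, so fail early with a message that says why.
              if ! kubectl -n comms get secret mas-admin-client >/dev/null 2>&1; then
                echo "secret/mas-admin-client does not exist; this job only patches an existing Secret" >&2
                exit 1
              fi
              # If this read fails for any reason, `set -e` aborts rather than risk
              # overwriting a value we could not see.
              existing="$(kubectl -n comms get secret mas-admin-client -o jsonpath='{.data.client_secret}')"
              if [ -n "${existing}" ]; then
                echo "client_secret already present; leaving it unchanged"
                exit 0
              fi
              [ -s /work/client_secret ] || { echo "generated secret is missing or empty" >&2; exit 1; }
              secret_b64="$(base64 /work/client_secret | tr -d '\n')"
              [ -n "${secret_b64}" ] || { echo "base64 encoding produced no output" >&2; exit 1; }
              payload="$(printf '{"data":{"client_secret":"%s"}}' "${secret_b64}")"
              kubectl -n comms patch secret mas-admin-client --type=merge -p "${payload}" >/dev/null
          volumeMounts:
            - name: work
              mountPath: /work
              readOnly: true  # this container only reads the generated value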