# services/keycloak/harbor-oidc-secret-ensure-job.yaml
#
# One-shot Job in the `sso` namespace. It runs
# /scripts/harbor_oidc_secret_ensure.sh (mounted from a ConfigMap) with the
# Keycloak admin username and password injected from the `keycloak-admin`
# Secret. Presumably the script reconciles the OIDC client secret that Harbor
# uses against Keycloak; the script is not part of this file, so confirm there.
---
apiVersion: batch/v1
kind: Job
metadata:
  # NOTE(review): the numeric suffix looks like a manual re-run counter (a
  # Job's pod template cannot be edited in place) - confirm.
  name: harbor-oidc-secret-ensure-3
  namespace: sso
spec:
  # Fail fast: a failed pod is never retried.
  backoffLimit: 0
  # The finished Job and its pod are garbage-collected after one hour, so
  # logs must be collected within that window.
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      # NOTE(review): the Role/RoleBinding for this account is not shown here.
      # Verify it grants only the verbs and Secret names the script needs.
      serviceAccountName: mas-secrets-ensure
      restartPolicy: Never
      volumes:
        - name: harbor-oidc-secret-ensure-script
          configMap:
            name: harbor-oidc-secret-ensure-script
            # Octal 0555 (decimal 365): r-xr-xr-x, so the script is executable
            # but not writable. Left unquoted because the field is an integer.
            defaultMode: 0555
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              # Both expressions belong to one term, so they are ANDed:
              # the node must be arm64 and carry the worker role label.
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - "arm64"
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
      containers:
        # NOTE(review): no securityContext or resources are set on this
        # container, so it runs with the image and namespace defaults.
        # Consider dropping privileges once it is confirmed what the script
        # needs (for example, whether it installs packages at start-up).
        - name: apply
          # NOTE(review): `alpine:3.20` is a mutable tag. This container
          # receives Keycloak admin credentials, so pinning the image by
          # digest would fix exactly which image gets to see them.
          image: alpine:3.20
          command:
            - "/scripts/harbor_oidc_secret_ensure.sh"
          env:
            # Both values come from the `keycloak-admin` Secret in this
            # namespace. Environment variables are readable by every process
            # in the container, so the script should not trace or echo them.
            - name: KEYCLOAK_ADMIN
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: username
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: password
          volumeMounts:
            # Read-only mount: the job cannot modify its own script.
            - name: harbor-oidc-secret-ensure-script
              mountPath: /scripts
              readOnly: true