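# services/health/wger-admin-ensure-cronjob.yaml
#
# CronJob that runs /scripts/wger_user_sync.py inside the wger server image.
# Database settings, Django keys and the admin credentials are rendered by the
# Vault agent injector into /vault/secrets before the container starts.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: wger-admin-ensure
  namespace: health
  labels:
    atlas.bstein.dev/glue: "true"
spec:
  schedule: "15 3 * * *"
  # While suspended the controller creates no Jobs from the schedule.
  # NOTE(review): presumably Jobs are created from this template by hand or by
  # other automation -- confirm who is allowed to do that, since every run
  # receives the admin password and the Django signing keys.
  suspend: true
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            # Init container only, no sidecar: secrets are rendered once and
            # are not refreshed during the run.
            vault.hashicorp.com/agent-pre-populate-only: "true"
            vault.hashicorp.com/role: "health"
            # wger-env is a shell fragment sourced by the container. Host,
            # port, database and user are interpolated straight into
            # double-quoted shell strings, so a value containing a double
            # quote, "$", a backtick or a backslash would be interpreted by
            # the shell. The password and keys avoid this by being read back
            # from their own files with $(cat ...).
            # NOTE(review): keep the four interpolated fields free of shell
            # metacharacters, or move them to per-value files as well.
            # NOTE(review): `export VAR="$(cat file)"` does not trip `set -e`
            # when cat fails; a missing file yields an empty variable.
            vault.hashicorp.com/agent-inject-secret-wger-env: "kv/data/atlas/health/wger-db"
            vault.hashicorp.com/agent-inject-template-wger-env: |
              {{ with secret "kv/data/atlas/health/wger-db" }}
              export DJANGO_DB_HOST="{{ .Data.data.DJANGO_DB_HOST }}"
              export DJANGO_DB_PORT="{{ .Data.data.DJANGO_DB_PORT }}"
              export DJANGO_DB_DATABASE="{{ .Data.data.DJANGO_DB_DATABASE }}"
              export DJANGO_DB_USER="{{ .Data.data.DJANGO_DB_USER }}"
              export DJANGO_DB_PASSWORD="$(cat /vault/secrets/wger-db-password)"
              {{ end }}
              {{ with secret "kv/data/atlas/health/wger-secrets" }}
              export SECRET_KEY="$(cat /vault/secrets/wger-secret-key)"
              export SIGNING_KEY="$(cat /vault/secrets/wger-signing-key)"
              {{ end }}
              {{ with secret "kv/data/atlas/health/wger-admin" }}
              export WGER_ADMIN_USERNAME="$(cat /vault/secrets/wger-admin-username)"
              export WGER_ADMIN_PASSWORD="$(cat /vault/secrets/wger-admin-password)"
              {{ end }}
            # One file per sensitive value. The "{{-" / "-}}" trim markers
            # strip surrounding whitespace, so each file holds the bare value.
            vault.hashicorp.com/agent-inject-secret-wger-db-password: "kv/data/atlas/health/wger-db"
            vault.hashicorp.com/agent-inject-template-wger-db-password: |
              {{- with secret "kv/data/atlas/health/wger-db" -}}
              {{ .Data.data.DJANGO_DB_PASSWORD }}
              {{- end -}}
            vault.hashicorp.com/agent-inject-secret-wger-secret-key: "kv/data/atlas/health/wger-secrets"
            vault.hashicorp.com/agent-inject-template-wger-secret-key: |
              {{- with secret "kv/data/atlas/health/wger-secrets" -}}
              {{ .Data.data.SECRET_KEY }}
              {{- end -}}
            vault.hashicorp.com/agent-inject-secret-wger-signing-key: "kv/data/atlas/health/wger-secrets"
            vault.hashicorp.com/agent-inject-template-wger-signing-key: |
              {{- with secret "kv/data/atlas/health/wger-secrets" -}}
              {{ .Data.data.SIGNING_KEY }}
              {{- end -}}
            vault.hashicorp.com/agent-inject-secret-wger-admin-username: "kv/data/atlas/health/wger-admin"
            vault.hashicorp.com/agent-inject-template-wger-admin-username: |
              {{- with secret "kv/data/atlas/health/wger-admin" -}}
              {{ .Data.data.username }}
              {{- end -}}
            vault.hashicorp.com/agent-inject-secret-wger-admin-password: "kv/data/atlas/health/wger-admin"
            vault.hashicorp.com/agent-inject-template-wger-admin-password: |
              {{- with secret "kv/data/atlas/health/wger-admin" -}}
              {{ .Data.data.password }}
              {{- end -}}
        spec:
          # NOTE(review): presumably the Vault role "health" is bound to this
          # service account; confirm its policy is limited to the three
          # kv/data/atlas/health/wger-* paths read above.
          serviceAccountName: health-vault-sync
          restartPolicy: Never
          affinity:
            nodeAffinity:
              preferredDuringSchedulingIgnoredDuringExecution:
                - weight: 100
                  preference:
                    matchExpressions:
                      - key: hardware
                        operator: In
                        values: ["rpi5"]
                - weight: 70
                  preference:
                    matchExpressions:
                      - key: hardware
                        operator: In
                        values: ["rpi4"]
          nodeSelector:
            kubernetes.io/arch: arm64
            node-role.kubernetes.io/worker: "true"
          containers:
            - name: ensure
              # Pinned by digest, so the image content cannot change under a
              # mutable tag.
              image: wger/server@sha256:710588b78af4e0aa0b4d8a8061e4563e16eae80eeaccfe7f9e0d9cbdd7f0cbc5
              imagePullPolicy: IfNotPresent
              # This container holds the DB password, the Django keys and the
              # admin password in its environment, so it runs without
              # privilege escalation or Linux capabilities and with the
              # runtime's default seccomp profile.
              # NOTE(review): confirm the sync script needs none of these in
              # this image.
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
                seccompProfile:
                  type: RuntimeDefault
              command: ["/bin/sh", "-c"]
              args:
                - |
                  set -eu
                  . /vault/secrets/wger-env
                  exec python3 /scripts/wger_user_sync.py
              env:
                - name: SITE_URL
                  value: https://health.bstein.dev
                - name: TIME_ZONE
                  value: Etc/UTC
                - name: TZ
                  value: Etc/UTC
                - name: DJANGO_DEBUG
                  value: "False"
                - name: DJANGO_DB_ENGINE
                  value: django.db.backends.postgresql
                - name: DJANGO_CACHE_BACKEND
                  value: django.core.cache.backends.locmem.LocMemCache
                - name: DJANGO_CACHE_LOCATION
                  value: wger-cache
              volumeMounts:
                - name: wger-user-sync-script
                  mountPath: /scripts
                  readOnly: true
          volumes:
            - name: wger-user-sync-script
              configMap:
                name: wger-user-sync-script
                # Octal r-xr-xr-x. This relies on the parser reading a
                # leading-zero integer as octal; the decimal form is 365.
                defaultMode: 0555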