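# services/gitea/oneoffs/veles-feedback-acl-ensure-job.yaml
# One-off job for gitea/veles-feedback-acl-ensure-2.
# Purpose: keep Veles testers on the feedback repo without granting source access.
apiVersion: batch/v1
kind: Job
metadata:
  name: veles-feedback-acl-ensure-2
  namespace: gitea
spec:
  suspend: false
  # Single attempt: with restartPolicy Never below, a failed pod is not retried.
  backoffLimit: 0
  template:
    metadata:
      annotations:
        # Vault Agent injection. pre-populate-only renders the secret in an
        # init container and runs no sidecar, so the Job pod can complete.
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/role: "gitea"
        # The suffix after "agent-inject-secret-" names the rendered file
        # (under /vault/secrets unless the mount path is overridden elsewhere).
        vault.hashicorp.com/agent-inject-secret-gitea-db-secret__password: "kv/data/atlas/gitea/gitea-db-secret"
        # NOTE(review): the template actions are not whitespace-trimmed
        # ({{- ... -}}), so the rendered file carries whitespace around the
        # password; confirm the script strips it before use.
        vault.hashicorp.com/agent-inject-template-gitea-db-secret__password: |
          {{ with secret "kv/data/atlas/gitea/gitea-db-secret" }}
          {{ .Data.data.password }}
          {{ end }}
    spec:
      # Service account used with the Vault role above; its token must stay
      # mounted for the agent's Kubernetes auth.
      serviceAccountName: gitea-vault
      restartPolicy: Never
      volumes:
        - name: veles-feedback-acl-ensure-script
          configMap:
            name: veles-feedback-acl-ensure-script
            # Octal r-xr-xr-x. Must stay an integer for the Kubernetes API;
            # do not quote it.
            defaultMode: 0555
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values: ["arm64"]
                  - key: hardware
                    operator: In
                    values: ["rpi5"]
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
      containers:
        - name: apply
          # NOTE(review): "postgres:15" is a mutable tag. This pod reads a
          # database password, so consider pinning by digest, e.g.
          # postgres:15@sha256:<DIGEST_PLACEHOLDER>.
          image: postgres:15
          command: ["/scripts/veles_feedback_acl_ensure.sh"]
          # Least privilege for a container that holds a DB credential.
          # Assumes the script only runs a database client and needs no Linux
          # capabilities or setuid helpers -- confirm against the script.
          # NOTE(review): runAsNonRoot and readOnlyRootFilesystem are left
          # unset because the script's file-system needs are not visible here.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: veles-feedback-acl-ensure-script
              mountPath: /scripts
              readOnly: true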