# services/comms/synapse-seeder-admin-ensure-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: synapse-seeder-admin-ensure-4
  namespace: comms
spec:
  backoffLimit: 2
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "comms"
        vault.hashicorp.com/agent-inject-secret-turn-shared-secret__TURN_STATIC_AUTH_SECRET: "kv/data/atlas/comms/turn-shared-secret"
        vault.hashicorp.com/agent-inject-template-turn-shared-secret__TURN_STATIC_AUTH_SECRET: |
          {{- with secret "kv/data/atlas/comms/turn-shared-secret" -}}{{ .Data.data.TURN_STATIC_AUTH_SECRET }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-livekit-api__primary: "kv/data/atlas/comms/livekit-api"
        vault.hashicorp.com/agent-inject-template-livekit-api__primary: |
          {{- with secret "kv/data/atlas/comms/livekit-api" -}}{{ .Data.data.primary }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__bot-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__bot-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "bot-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-atlasbot-credentials-runtime__seeder-password: "kv/data/atlas/comms/atlasbot-credentials-runtime"
        vault.hashicorp.com/agent-inject-template-atlasbot-credentials-runtime__seeder-password: |
          {{- with secret "kv/data/atlas/comms/atlasbot-credentials-runtime" -}}{{ index .Data.data "seeder-password" }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__matrix: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__matrix: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.matrix }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-chat-ai-keys-runtime__homepage: "kv/data/atlas/shared/chat-ai-keys-runtime"
        vault.hashicorp.com/agent-inject-template-chat-ai-keys-runtime__homepage: |
          {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}{{ .Data.data.homepage }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-admin-client-runtime__client_secret: "kv/data/atlas/comms/mas-admin-client-runtime"
        vault.hashicorp.com/agent-inject-template-mas-admin-client-runtime__client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-synapse-db__POSTGRES_PASSWORD: "kv/data/atlas/comms/synapse-db"
        vault.hashicorp.com/agent-inject-template-synapse-db__POSTGRES_PASSWORD: |
          {{- with secret "kv/data/atlas/comms/synapse-db" -}}{{ .Data.data.POSTGRES_PASSWORD }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-db__password: "kv/data/atlas/comms/mas-db"
        vault.hashicorp.com/agent-inject-template-mas-db__password: |
          {{- with secret "kv/data/atlas/comms/mas-db" -}}{{ .Data.data.password }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__matrix_shared_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__matrix_shared_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.matrix_shared_secret }}{{- end -}}
        vault.hashicorp.com/agent-inject-secret-mas-secrets-runtime__keycloak_client_secret: "kv/data/atlas/comms/mas-secrets-runtime"
        vault.hashicorp.com/agent-inject-template-mas-secrets-runtime__keycloak_client_secret: |
          {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}}
    spec:
      restartPolicy: OnFailure
      serviceAccountName: comms-vault
      containers:
        - name: psql
          image: postgres:16-alpine
          env:
            - name: PGHOST
              value: postgres-service.postgres.svc.cluster.local
            - name: PGPORT
              value: "5432"
            - name: PGDATABASE
              value: synapse
            - name: PGUSER
              value: synapse
          command:
            - /bin/sh
            - -c
            - |
              set -euo pipefail
              . /vault/scripts/comms_vault_env.sh
              psql -v ON_ERROR_STOP=1 <<'SQL'
              UPDATE users SET admin = 1 WHERE name = '@othrys-seeder:live.bstein.dev';
              SQL
          volumeMounts:
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
      volumes:
        - name: vault-scripts
          configMap:
            name: comms-vault-env
            defaultMode: 0555