# services/health/endurain-oidc-config-cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: endurain-oidc-config
  namespace: health
spec:
  schedule: "*/30 * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/agent-pre-populate-only: "true"
            vault.hashicorp.com/role: "health"
            vault.hashicorp.com/agent-inject-secret-endurain-oidc-env: "kv/data/atlas/health/endurain-admin"
            vault.hashicorp.com/agent-inject-template-endurain-oidc-env: |
              {{- with secret "kv/data/atlas/health/endurain-admin" -}}
              export ENDURAIN_ADMIN_USERNAME="{{ .Data.data.username }}"
              export ENDURAIN_ADMIN_PASSWORD="{{ .Data.data.password }}"
              {{- end }}
              {{- with secret "kv/data/atlas/health/endurain-oidc" -}}
              export ENDURAIN_OIDC_CLIENT_ID="{{ .Data.data.client_id }}"
              export ENDURAIN_OIDC_CLIENT_SECRET="{{ .Data.data.client_secret }}"
              export ENDURAIN_OIDC_ISSUER_URL="{{ .Data.data.issuer_url }}"
              {{- end -}}
        spec:
          serviceAccountName: health-vault-sync
          restartPolicy: Never
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: kubernetes.io/arch
                        operator: In
                        values: ["arm64"]
                      - key: node-role.kubernetes.io/worker
                        operator: Exists
              preferredDuringSchedulingIgnoredDuringExecution:
                - weight: 90
                  preference:
                    matchExpressions:
                      - key: hardware
                        operator: In
                        values: ["rpi5"]
                - weight: 70
                  preference:
                    matchExpressions:
                      - key: hardware
                        operator: In
                        values: ["rpi4"]
          containers:
            - name: configure
              image: alpine:3.20
              command: ["/bin/sh", "-c"]
              args:
                - |
                  set -euo pipefail
                  apk add --no-cache bash curl jq >/dev/null
                  . /vault/secrets/endurain-oidc-env
                  exec /scripts/endurain_oidc_configure.sh
              env:
                - name: ENDURAIN_BASE_URL
                  value: http://endurain.health.svc.cluster.local
              volumeMounts:
                - name: endurain-oidc-config-script
                  mountPath: /scripts
                  readOnly: true
          volumes:
            - name: endurain-oidc-config-script
              configMap:
                name: endurain-oidc-config-script
                defaultMode: 0555