titan-iac/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml

# services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: vaultwarden-cred-sync
  namespace: bstein-dev-home
spec:
  schedule: "*/15 * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 0
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/role: "bstein-dev-home"
            vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db"
            vault.hashicorp.com/agent-inject-template-portal-env.sh: |
              {{- with secret "kv/data/atlas/portal/atlas-portal-db" -}}
              export PORTAL_DATABASE_URL="{{ .Data.data.PORTAL_DATABASE_URL }}"
              {{- end }}
              {{- with secret "kv/data/atlas/portal/bstein-dev-home-keycloak-admin" -}}
              export KEYCLOAK_ADMIN_CLIENT_SECRET="{{ .Data.data.client_secret }}"
              {{- end }}
              {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}
              export CHAT_KEY_MATRIX="{{ .Data.data.matrix }}"
              export CHAT_KEY_HOMEPAGE="{{ .Data.data.homepage }}"
              {{- end }}
              {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
              export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
              export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
              {{- end }}
        spec:
          serviceAccountName: bstein-dev-home
          restartPolicy: Never
          nodeSelector:
            kubernetes.io/arch: arm64
            node-role.kubernetes.io/worker: "true"
          imagePullSecrets:
            - name: harbor-regcred
          containers:
            - name: sync
              image: registry.bstein.dev/bstein/bstein-dev-home-backend:0.1.1-92 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend"}
              imagePullPolicy: Always
              command: ["/bin/sh", "-c"]
              args:
                - >-
                  . /vault/secrets/portal-env.sh
                  && exec python /scripts/vaultwarden_cred_sync.py
              env:
                - name: PYTHONPATH
                  value: /app
                - name: KEYCLOAK_ENABLED
                  value: "true"
                - name: KEYCLOAK_REALM
                  value: atlas
                - name: KEYCLOAK_ADMIN_URL
                  value: http://keycloak.sso.svc.cluster.local
                - name: KEYCLOAK_ADMIN_REALM
                  value: atlas
                - name: KEYCLOAK_ADMIN_CLIENT_ID
                  value: bstein-dev-home-admin
                - name: HTTP_CHECK_TIMEOUT_SEC
                  value: "20"
              volumeMounts:
                - name: vaultwarden-cred-sync-script
                  mountPath: /scripts
                  readOnly: true
          volumes:
            - name: vaultwarden-cred-sync-script
              configMap:
                name: vaultwarden-cred-sync-script
                defaultMode: 0555