# services/finance/oneoffs/finance-secrets-ensure-job.yaml
#
# One-off Job finance/finance-secrets-ensure-5.
#
# Purpose: runs /scripts/finance_secrets_ensure.py (mounted from the
# finance-secrets-ensure-script ConfigMap) with VAULT_ROLE=finance-secrets and
# read-only mounts of the firefly-db and actualbudget-db Secrets. What the
# script does with them is not visible in this manifest.
#
# To run: set spec.suspend to false, reconcile, then set it back to true.
# The finished Job/pod is safe to delete; it should not run continuously.
apiVersion: batch/v1
kind: Job
metadata:
  name: finance-secrets-ensure-5
  namespace: finance
spec:
  # Stays suspended so the Job only runs when an operator flips this flag.
  suspend: true
  # At most one retry after a failed pod.
  backoffLimit: 1
  # The Job and its pods are cleaned up one hour after the Job finishes; pod
  # logs remain readable until then.
  # NOTE(review): confirm the script never prints secret values.
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      # NOTE(review): the RBAC and Vault bindings of this service account are
      # not shown here; verify they grant only what this job needs.
      serviceAccountName: finance-secrets-ensure
      restartPolicy: Never
      # NOTE(review): no pod-level or container-level securityContext is set.
      # Consider allowPrivilegeEscalation: false, dropping all capabilities,
      # seccompProfile RuntimeDefault and runAsNonRoot, after confirming that
      # the script still works under them.
      affinity:
        nodeAffinity:
          # Soft preference only: rpi5 nodes first, then rpi4.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values:
                      - "rpi5"
            - weight: 70
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values:
                      - "rpi4"
      # Hard requirement: arm64 worker nodes only.
      nodeSelector:
        kubernetes.io/arch: "arm64"
        node-role.kubernetes.io/worker: "true"
      containers:
        - name: ensure
          # NOTE(review): mutable tag on a container that reads database
          # secrets. Pin by digest, e.g.
          # python:3.11-alpine@sha256:<digest-placeholder>.
          image: "python:3.11-alpine"
          command:
            - "/bin/sh"
            - "-c"
          args:
            - |
              set -e
              exec python /scripts/finance_secrets_ensure.py
          env:
            - name: VAULT_ROLE
              value: "finance-secrets"
          # NOTE(review): no resources.requests/limits are declared for this
          # container.
          volumeMounts:
            - name: finance-secrets-ensure-script
              mountPath: /scripts
              readOnly: true
            - name: firefly-db
              mountPath: /secrets/firefly-db
              readOnly: true
            - name: actualbudget-db
              mountPath: /secrets/actualbudget-db
              readOnly: true
      volumes:
        - name: finance-secrets-ensure-script
          configMap:
            name: finance-secrets-ensure-script
            # Kubernetes reads this as octal (r-xr-xr-x). A strict YAML 1.2
            # parser would read the same token as decimal 555.
            defaultMode: 0555
        # NOTE(review): neither Secret volume sets defaultMode, so the
        # Kubernetes default (0644) applies to the projected files. A tighter
        # mode such as 0400 may be possible, depending on the user the
        # container runs as.
        - name: firefly-db
          secret:
            secretName: firefly-db
        - name: actualbudget-db
          secret:
            secretName: actualbudget-db