
# services/comms/mas-admin-client-secret-ensure-job.yaml
#
# Identity used by the ensure Job below. Its projected token is what the Job
# presents to Vault's Kubernetes auth method, so token automount must stay on.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mas-admin-client-secret-writer
  namespace: comms
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mas-admin-client-secret-writer
  namespace: comms
rules:
  # Read/modify is limited to the one named Secret.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["mas-admin-client-runtime"]
    verbs: ["get", "patch", "update"]
  # NOTE(review): Kubernetes cannot scope `create` by resourceNames, so this is a
  # namespace-wide grant to create any Secret in "comms". The Job bound to this
  # Role in this file never touches the Kubernetes API (its script only talks to
  # Vault), so neither rule appears to be exercised here. Confirm no other
  # workload uses this ServiceAccount, then drop or narrow these grants.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mas-admin-client-secret-writer
  namespace: comms
# Binds the writer ServiceAccount to the writer Role, namespace-local only.
subjects:
  - kind: ServiceAccount
    name: mas-admin-client-secret-writer
    namespace: comms
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mas-admin-client-secret-writer
---
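apiVersion: batch/v1
kind: Job
metadata:
  name: mas-admin-client-secret-ensure-8
  namespace: comms
spec:
  # The retries also resolve a lost check-and-set race on the Vault write (see
  # below): the retried attempt re-reads Vault, finds the key present and exits 0.
  backoffLimit: 2
  template:
    spec:
      serviceAccountName: mas-admin-client-secret-writer
      restartPolicy: OnFailure
      volumes:
        # Carries the generated value from the init container to the main container.
        - name: work
          emptyDir: {}
      initContainers:
        # Generates the candidate client secret: 32 bytes from /dev/urandom,
        # hex-encoded (64 characters), written with owner-only permissions.
        - name: generate
          image: alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              umask 077
              dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n' > /work/client_secret
              # Owner-only, not 0644: the patch container already has to run as root
              # (apk add), so it can read a 0600 file; nothing else needs to.
              chmod 0600 /work/client_secret
          volumeMounts:
            - name: work
              mountPath: /work
      containers:
        # Stores the value in Vault KV v2 only if no client_secret exists there yet.
        - name: patch
          image: registry.bstein.dev/bstein/kubectl:1.35.0
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              umask 077
              # NOTE(review): fetching curl/jq from the Alpine mirrors on every run is a
              # network and supply-chain dependency; bake them into the image if possible.
              apk add --no-cache curl jq >/dev/null
              # NOTE(review): the default is plaintext HTTP. The SA JWT, the Vault token
              # and the new secret all travel over this link; prefer https with a pinned CA.
              vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
              vault_role="${VAULT_ROLE:-comms-secrets}"
              kv_url="${vault_addr}/v1/kv/data/atlas/comms/mas-admin-client-runtime"

              # Log in with the pod's projected service-account token. --fail makes a
              # non-2xx from Vault a hard error instead of a body to be mis-parsed.
              jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
              login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
              vault_token="$(curl -sS --fail --request POST --data "${login_payload}" \
                "${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token // empty')"
              if [ -z "${vault_token}" ]; then
                echo "vault login failed" >&2
                exit 1
              fi

              # Pass the token through a curl config file instead of -H so it is not
              # visible in the process argv; revoke it and remove the files on any exit.
              hdr="$(mktemp)"
              body="$(mktemp)"
              printf 'header = "X-Vault-Token: %s"\n' "${vault_token}" > "${hdr}"
              cleanup() {
                curl -sS -X POST -K "${hdr}" "${vault_addr}/v1/auth/token/revoke-self" >/dev/null 2>&1 || true
                rm -f "${hdr}" "${body}"
              }
              trap cleanup EXIT

              # Read the current value. Only 404 (key never written) means "absent";
              # 403, 5xx etc. must abort, otherwise a transient error would trigger a write.
              code="$(curl -sS -o "${body}" -w '%{http_code}' -K "${hdr}" "${kv_url}")"
              case "${code}" in
                200) current="$(jq -r '.data.data.client_secret // empty' "${body}")" ;;
                404) current="" ;;
                *) echo "vault read failed (HTTP ${code})" >&2; exit 1 ;;
              esac
              if [ -n "${current}" ]; then
                exit 0
              fi

              # cas=0 (KV v2 check-and-set): the write succeeds only if the key still has
              # no version, so a concurrent run cannot silently overwrite our value. A CAS
              # mismatch comes back as HTTP 400 and fails this attempt; the retry re-reads.
              # The HTTP status is checked explicitly: a discarded non-2xx must not exit 0.
              value="$(cat /work/client_secret)"
              payload="$(jq -nc --arg value "${value}" '{options:{cas:0}, data:{client_secret:$value}}')"
              code="$(curl -sS -o "${body}" -w '%{http_code}' -X POST -K "${hdr}" -d "${payload}" "${kv_url}")"
              case "${code}" in
                200|204) ;;
                *) echo "vault write failed (HTTP ${code})" >&2; exit 1 ;;
              esac
          volumeMounts:
            - name: work
              mountPath: /work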