apiVersion: batch/v1
kind: Job  # TODO switch to CronJob
metadata:
  name: generate-secrets
  namespace: {{ .Release.Namespace }}
  annotations:
    # TODO init and unseal in previous waves for production usage
    argocd.argoproj.io/sync-wave: "3"
spec:
  backoffLimit: 3
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: apply
          image: golang:1.17-alpine
          env:
            - name: VAULT_ADDR
              value: http://vault:8200
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: vault-token  # TODO use production token
                  key: token
          workingDir: /go/src/generate-secrets
          command:
            - sh
            - -c
          args:
            - |
              go get .
              go run .
          volumeMounts:
            - name: source
              mountPath: /go/src/generate-secrets
      volumes:
        - name: source
          configMap:
            name: generate-secrets-source