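# Argo CD PreSync hook (sync-wave -1): makes sure the Secret `ocis-admin-user`
# in this Job's namespace carries a `user-id` entry that is a lowercase UUID.
# A valid value is left untouched; a missing or malformed one is replaced with
# a fresh UUID read from /proc/sys/kernel/random/uuid.
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
    argocd.argoproj.io/hook: PreSync
    argocd.argoproj.io/sync-options: Replace=true
    argocd.argoproj.io/sync-wave: "-1"
  name: ocis-admin-user-id-init
  namespace: ocis
spec:
  backoffLimit: 10
  template:
    spec:
      containers:
        - command:
            - sh
            - -c
            - |
              set -eu
              UUID_RE='^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'

              # Wait (30 tries, 2s apart) for the secret to exist.
              found=0
              for i in $(seq 1 30); do
                if kubectl -n "${NAMESPACE}" get secret ocis-admin-user >/dev/null 2>&1; then
                  found=1
                  break
                fi
                echo "[admin-user-id-init] waiting for ocis-admin-user secret..."
                sleep 2
              done
              # Fail loudly on timeout instead of falling through and reporting
              # the user-id as "missing"; the Job's backoff handles the retry.
              if [ "${found}" -ne 1 ]; then
                echo "[admin-user-id-init] ocis-admin-user secret not found after waiting; giving up" >&2
                exit 1
              fi

              # A failed read (API error, RBAC denial) must not be treated as
              # "user-id missing": that path would overwrite a valid admin
              # user-id. A key that is simply absent yields empty output with
              # exit status 0 and is handled below.
              if ! CUR_B64=$(kubectl -n "${NAMESPACE}" get secret ocis-admin-user -o jsonpath='{.data.user-id}'); then
                echo "[admin-user-id-init] could not read ocis-admin-user; refusing to overwrite user-id" >&2
                exit 1
              fi

              if [ -n "${CUR_B64}" ]; then
                CUR=$(echo "${CUR_B64}" | base64 -d)
                # NOTE(review): grep matches line by line, so a multi-line value
                # with one UUID-shaped line would also be accepted here.
                if echo "${CUR}" | grep -Eq "${UUID_RE}"; then
                  echo "[admin-user-id-init] user-id is a valid UUID, leaving alone"
                  exit 0
                fi
                echo "[admin-user-id-init] user-id present but not a valid UUID; replacing"
              else
                echo "[admin-user-id-init] user-id missing; generating"
              fi

              NEW_UUID=$(cat /proc/sys/kernel/random/uuid)
              NEW_B64=$(printf '%s' "${NEW_UUID}" | base64 -w0)
              # "replace" fails when the key does not exist yet, so fall back to
              # "add". If both fail, set -e ends the script with a non-zero status.
              kubectl -n "${NAMESPACE}" patch secret ocis-admin-user --type=json \
                -p "[{\"op\":\"replace\",\"path\":\"/data/user-id\",\"value\":\"${NEW_B64}\"}]" \
                || kubectl -n "${NAMESPACE}" patch secret ocis-admin-user --type=json \
                -p "[{\"op\":\"add\",\"path\":\"/data/user-id\",\"value\":\"${NEW_B64}\"}]"
              # NOTE(review): this writes a value stored in a Secret to the pod
              # log; confirm user-id is an identifier and not a credential.
              echo "[admin-user-id-init] set user-id to ${NEW_UUID}"
          env:
            # Namespace the pod runs in, injected through the downward API.
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # NOTE(review): tag-only reference, and tags are mutable. This hook
          # can patch a Secret, so consider pinning the image by digest
          # (alpine/k8s:1.32.3@sha256:<digest>).
          image: alpine/k8s:1.32.3
          name: ensure-uuid
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
      restartPolicy: OnFailure
      securityContext:
        runAsGroup: 65532
        runAsNonRoot: true
        runAsUser: 65532
        seccompProfile:
          type: RuntimeDefault
      # NOTE(review): the script only needs get and patch on the Secret
      # ocis-admin-user. The Role/RoleBinding is not part of this manifest;
      # verify it is limited with resourceNames rather than granting access
      # to every Secret in the namespace.
      serviceAccountName: ocis-admin-user-id-init
  ttlSecondsAfterFinished: 300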