apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
    argocd.argoproj.io/hook: PreSync
    argocd.argoproj.io/sync-options: Replace=true
    argocd.argoproj.io/sync-wave: "-1"
  name: ocis-external-secret-precheck
  namespace: ocis
spec:
  template:
    spec:
      containers:
        - command:
            - sh
            - -c
            - |
              set -e
              for s in ocis-s3-credentials ocis-storagebox-credentials; do
                if ! kubectl get secret "$s" -n "${NAMESPACE}" >/dev/null 2>&1; then
                  echo "ERROR: External secret $s must be created manually before deploying ocis"
                  exit 1
                fi
                echo "OK: $s exists"
              done
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          image: alpine/k8s:1.32.3
          name: precheck
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
      restartPolicy: OnFailure
      securityContext:
        runAsGroup: 65532
        runAsNonRoot: true
        runAsUser: 65532
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: ocis-external-secret-precheck
  ttlSecondsAfterFinished: 300