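---
# Pre-flight Job for cert-manager: fails unless a Secret named mkcert-ca
# already exists in the Job's own namespace. Sync-wave -1 orders it ahead of
# resources in later waves.
#
# NOTE(review): the Secret holds the mkcert root CA private key
# (rootCA-key.pem). After `mkcert -install` that CA is trusted by the
# workstation that created it, so anyone who can read this Secret can issue
# certificates that workstation accepts. Keep this to local/dev clusters and
# restrict who can read Secrets in this namespace.
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    a8r.io/repository: 'ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git'
    argocd.argoproj.io/sync-options: Replace=true
    argocd.argoproj.io/sync-wave: "-1"
  name: mkcert-ca-precheck
  namespace: cert-manager
spec:
  template:
    spec:
      containers:
        - command:
            - sh
            - -c
            - |
              set -e
              # Capture stderr only; stdout is discarded so nothing about the
              # Secret itself is written to the Job log.
              if ! err="$(kubectl get secret mkcert-ca -n "${NAMESPACE}" 2>&1 >/dev/null)"; then
                case "${err}" in
                  *NotFound*)
                    echo "ERROR: External secret mkcert-ca must be created in ${NAMESPACE} before deploying cert-manager."
                    echo "Run: mkcert -install && kubectl -n ${NAMESPACE} create secret tls mkcert-ca --cert=\"\$(mkcert -CAROOT)/rootCA.pem\" --key=\"\$(mkcert -CAROOT)/rootCA-key.pem\""
                    ;;
                  *)
                    # RBAC denial, API outage, etc.: report the real cause
                    # rather than telling the operator to (re)create a CA
                    # Secret that may already exist.
                    echo "ERROR: unable to check secret mkcert-ca in ${NAMESPACE}: ${err}"
                    ;;
                esac
                exit 1
              fi
              echo "OK: mkcert-ca exists"
          env:
            # Downward API: the namespace this pod runs in.
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # NOTE(review): the tag is mutable; pin by digest once verified,
          # e.g. alpine/k8s:1.32.3@sha256:<digest-placeholder>.
          image: alpine/k8s:1.32.3
          name: precheck
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
      restartPolicy: OnFailure
      securityContext:
        runAsGroup: 65532
        runAsNonRoot: true
        runAsUser: 65532
        seccompProfile:
          type: RuntimeDefault
      # NOTE(review): the Role bound to this ServiceAccount is not shown here.
      # The check needs only `get` on secrets; because `get` returns the
      # Secret data (the CA private key), scope it with
      # resourceNames: [mkcert-ca] and grant no list/watch.
      serviceAccountName: mkcert-ca-precheck
  ttlSecondsAfterFinished: 300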