---
apiVersion: v1
kind: ConfigMap
metadata:
  name: credentials-sync
data:
  # Patch this ConfigMap with additional values needed for your cloud
  KUBE_SECRET: my-registry-token  # does not yet exist -- will be created in the same Namespace

---
# This CronJob frequently fetches registry tokens and applies them as an imagePullSecret.
# note: CronJob scheduling can block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time.
# To run the job immediately, do `kubectl create job --from=cronjob/credentials-sync -n flux-system credentials-sync-init`
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: credentials-sync
  namespace: flux-system
spec:
  suspend: false
  schedule: 0 */6 * * *
  failedJobsHistoryLimit: 1
  successfulJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: credentials-sync
          restartPolicy: Never
          containers:
          - image: busybox  # override this with a cloud-specific image
            name: sync
            envFrom:
            - configMapRef:
                name: credentials-sync
            env:
            - name: RECONCILE_SH  # override this env var with a shell function in a kustomize patch
              value: |-
                reconcile() {
                  echo reconciling...
                }
            command:
            - bash
            - -ceu
            - |-
              # template reconcile() into the script
              # env var is expanded by k8s before the pod starts
              $(RECONCILE_SH)

              apply-secret() {
                /kbin/kubectl create secret docker-registry "$1" \
                  --docker-password="$2" \
                  --docker-username="$3" \
                  --docker-server="$4" \
                  --dry-run=client -o=yaml \
                  | grep -v "creationTimestamp:" \
                  | /kbin/kubectl apply -f -
              }

              reconcile
            resources: {}


# RBAC necessary for our Deployment to apply our imagePullSecret
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: credentials-sync
  namespace: flux-system
rules:
- apiGroups: [""]
  resources:
  - secrets
  verbs:
  - get
  - create
  - update
  - patch
  # # Lock this down to the specific Secret name  (Optional)
  resourceNames:
  - $(KUBE_SECRET)  # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: credentials-sync
  namespace: flux-system
subjects:
- kind: ServiceAccount
  name: credentials-sync
roleRef:
  kind: Role
  name: credentials-sync
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: credentials-sync
  namespace: flux-system