---
# Non-secret settings for the credentials-sync CronJob below; every key in `data` is injected into the
# sync container as an environment variable through `envFrom`.
# No namespace is set on this object; presumably the kustomization supplies it, since the CronJob in
# flux-system references this ConfigMap by name — confirm.
apiVersion: v1
kind: ConfigMap
metadata:
  name: credentials-sync-eventhub
data:
  # Patch this ConfigMap with additional values needed for your cloud
  # Name of the Secret the job writes; the same value is substituted into the Role's resourceNames by kustomize.
  KUBE_SECRET: webhook-url # does not yet exist -- will be created in the same Namespace
  ADDRESS: "fluxv2" # the Azure Event Hub name

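---
# This CronJob frequently fetches registry tokens and applies them as an imagePullSecret.
# note: CronJob scheduling can block cluster bootstraps and cold-reboots from obtaining registry tokens for a considerable time.
# To run the job immediately, do `kubectl create job --from=cronjob/credentials-sync-eventhub -n flux-system credentials-sync-eventhub-init`
# batch/v1beta1 is the deprecated CronJob API; batch/v1 is the GA version — move to it once the target cluster supports it.
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: credentials-sync-eventhub
  namespace: flux-system
spec:
  suspend: false
  # Every six hours. Quoted: a cron expression is a string and `*` is a YAML indicator character.
  schedule: "0 */6 * * *"
  # concurrencyPolicy is left at its default (Allow), so a slow run can overlap the next one; set Forbid if that matters.
  failedJobsHistoryLimit: 1
  successfulJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          # Identity that the Role/RoleBinding documents below grant Secret access to
          serviceAccountName: credentials-sync-eventhub
          # Pod-level: never root, fixed UID. Container-level hardening (allowPrivilegeEscalation: false,
          # dropping capabilities, a seccomp profile) is not set; worth adding once the override image is known.
          securityContext:
            runAsNonRoot: true
            runAsUser: 1001
          restartPolicy: Never
          containers:
            # override this with a cloud-specific image: it must provide bash and kubectl at /kbin/kubectl
            # (both used by the command below; plain busybox ships neither), and should be pinned by tag or digest.
            - image: busybox
              name: sync
              # Every key of the ConfigMap above becomes an environment variable
              envFrom:
                - configMapRef:
                    name: credentials-sync-eventhub
              env:
                # override this env var with a shell function in a kustomize patch;
                # its value is spliced verbatim into the script below where the script references it.
                - name: RECONCILE_SH
                  value: |-
                    reconcile() {
                      echo reconciling...
                    }
              # -e/-u: exit on error or on an unset variable. pipefail is not enabled, so a failing first stage
              # of the apply-secret pipeline is only reported indirectly by the kubectl apply that follows it.
              # apply-secret NAME TOKEN ADDRESS creates or updates the Secret holding the token; the dry-run output
              # is filtered to drop its creationTimestamp line before being applied. The token is passed as a
              # kubectl command-line argument, so it appears in that process's argv while the command runs.
              command:
                - bash
                - -ceu
                - |-
                  # template reconcile() into the script
                  # env var is expanded by k8s before the pod starts
                  $(RECONCILE_SH)

                  apply-secret() {
                    /kbin/kubectl create secret generic "$1" \
                      --from-literal=token="$2" \
                      --from-literal=address="$3" \
                      --dry-run=client -o=yaml \
                      | grep -v "creationTimestamp:" \
                      | /kbin/kubectl apply -f -
                  }

                  reconcile
              resources: {}
              volumeMounts:
                # Scratch space (presumably the Azure CLI's config directory); emptyDir, so it is discarded with the Pod
                - mountPath: /.azure
                  name: cache-volume
          volumes:
            - emptyDir: {}
              name: cache-volume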

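# RBAC necessary for the CronJob's ServiceAccount to apply the Secret that will store the JWT token
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: credentials-sync-eventhub
  namespace: flux-system
rules:
  # "" is the core API group, where Secrets live
  - apiGroups: [""]
    resources:
      - secrets
    # kubectl apply reads the existing object (get), creates it on the first run and patches/updates it afterwards
    verbs:
      - get
      - create
      - update
      - patch
    # Lock this down to the specific Secret name  (Optional)
    # NOTE(review): RBAC cannot restrict the create verb by resourceNames (the object name is not part of a
    # create request), so with this list present the first-run create of the not-yet-existing Secret is likely
    # to be denied. Pre-create the Secret, or grant create in a separate unrestricted rule — verify on the target cluster.
    resourceNames:
      - $(KUBE_SECRET) # templated from kustomize vars referencing ConfigMap, also see kustomizeconfig.yaml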
---
# Binds the Role above to the ServiceAccount the CronJob runs as (its spec.template.spec.serviceAccountName).
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: credentials-sync-eventhub
  namespace: flux-system
subjects:
  - kind: ServiceAccount
    name: credentials-sync-eventhub
    # No subject namespace given; for a RoleBinding the subject is presumably resolved in the binding's own
    # namespace (flux-system), which is where the ServiceAccount below is created — confirm
roleRef:
  kind: Role
  name: credentials-sync-eventhub
  apiGroup: rbac.authorization.k8s.io
---
# Identity for the CronJob's Pods. It holds only the Role above (Secrets in flux-system), which is the
# only cluster access the sync script needs; no cluster-wide permissions are granted.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: credentials-sync-eventhub
  namespace: flux-system