trade-gitops/environments/sol/trade-r001-canary/api-token-seed-job.yaml
feat(sol): align canary ingestor and api auth

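---
# One-shot Job that seeds the read-scoped API token for the canary namespace.
# It reads /tokens/read.json (mounted from the trade-frontend-tokens Secret),
# hashes the token with SHA-256 and upserts the hash into api_tokens.
apiVersion: batch/v1
kind: Job
metadata:
  name: api-token-seed
  namespace: trade-r001-canary
spec:
  backoffLimit: 1
  template:
    spec:
      restartPolicy: OnFailure
      containers:
        - name: seed
          # NOTE(review): mutable tag combined with IfNotPresent; consider
          # pinning the image by digest so every node runs the same client.
          # NOTE(review): no securityContext or resource limits are set on
          # this container; confirm cluster policy supplies them.
          image: postgres:16-alpine
          imagePullPolicy: IfNotPresent
          command:
            - sh
            - -lc
            - |
              set -euo pipefail
              read_json="$(tr -d '\n' </tokens/read.json)"
              # sed -n with the p flag prints only on a match. Without it, a
              # missing "token" or "name" key leaves the whole JSON text in
              # the variable, the test -n guards pass, and the wrong value
              # is hashed and stored.
              token="$(printf '%s' "$read_json" | sed -nE 's/.*"token"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/p')"
              name="$(printf '%s' "$read_json" | sed -nE 's/.*"name"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/p')"
              test -n "$token"
              test -n "$name"
              # Only the SHA-256 digest of the token is handed to psql.
              token_hash="$(printf '%s' "$token" | sha256sum | awk '{print $1}')"
              export PGPASSWORD="$POSTGRES_PASSWORD"
              # ON_ERROR_STOP=1 makes psql exit non-zero when the statement
              # fails; by default it would exit 0 and the Job would be
              # reported as successful without the token being seeded.
              # NOTE(review): the upsert below sets revoked_at back to NULL,
              # so every run re-activates this token even if it was revoked
              # in the database. Confirm that is intended; otherwise remove
              # revoked_at from the DO UPDATE SET list.
              psql "host=$PGHOST port=$PGPORT dbname=$POSTGRES_DB user=$POSTGRES_USER" \
                -v ON_ERROR_STOP=1 \
                -v token_name="$name" \
                -v token_hash="$token_hash" \
                -v token_meta='{"seed":"trade-frontend-tokens/read.json","namespace":"trade-r001-canary","scopes":["read"]}' <<'SQL'
              INSERT INTO api_tokens (name, token_hash, scopes, meta, revoked_at)
              VALUES (
                :'token_name',
                :'token_hash',
                ARRAY['read'],
                (:'token_meta')::jsonb,
                NULL
              )
              ON CONFLICT (token_hash) DO UPDATE
              SET name = EXCLUDED.name,
                  scopes = EXCLUDED.scopes,
                  meta = EXCLUDED.meta,
                  revoked_at = NULL;
              SQL
          env:
            - name: PGHOST
              value: postgres
            - name: PGPORT
              value: "5432"
            # Database credentials come from the trade-postgres Secret.
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: trade-postgres
                  key: POSTGRES_USER
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: trade-postgres
                  key: POSTGRES_PASSWORD
            - name: POSTGRES_DB
              valueFrom:
                secretKeyRef:
                  name: trade-postgres
                  key: POSTGRES_DB
          volumeMounts:
            # Token material is mounted read-only; the script reads
            # /tokens/read.json from it.
            - name: frontend-tokens
              mountPath: /tokens
              readOnly: true
      volumes:
        - name: frontend-tokens
          secret:
            secretName: trade-frontend-tokens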