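# CronJob: syncs OIDC client secret from registrar-managed
# argocd-oidc-credentials into argocd-secret (oidc.clientSecret key).
# Runs every 2 min. No-ops if source secret doesn't exist yet
# (safe for fresh deploys before Keycloak is up).
#
# Design notes:
#   - The value is copied in its base64 (`data`) form end to end. That form
#     is safe inside a JSON string, so a secret containing quotes, backslashes
#     or newlines can no longer break the merge patch, and the plaintext never
#     passes through a shell variable or the job's argv.
#   - Only "not found" on the source secret is treated as "skip"; any other
#     API error (e.g. Forbidden from a broken RoleBinding) fails the job so it
#     shows up in failedJobsHistory instead of being silently swallowed.
#   - An empty/missing client-secret key is refused rather than written into
#     argocd-secret, which would otherwise break OIDC login.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-oidc-sync
  namespace: argocd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-oidc-sync
  namespace: argocd
# Least privilege: get/patch on exactly the two named secrets, no list/watch,
# so the token cannot enumerate other secrets in the namespace. `patch` on
# argocd-secret can still overwrite any key in it, not only oidc.clientSecret;
# the script below only ever sends that one key.
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["argocd-oidc-credentials", "argocd-secret"]
    verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-oidc-sync
  namespace: argocd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-oidc-sync
subjects:
  - kind: ServiceAccount
    name: argocd-oidc-sync
    namespace: argocd
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: argocd-oidc-sync
  namespace: argocd
spec:
  schedule: "*/2 * * * *"
  # Forbid overlapping runs. Combined with activeDeadlineSeconds below this
  # means a hung kubectl (API unreachable, stuck image pull) is killed instead
  # of blocking every subsequent run indefinitely.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      # Well under the 2-minute schedule; the script does three short API calls.
      activeDeadlineSeconds: 90
      template:
        spec:
          serviceAccountName: argocd-oidc-sync
          restartPolicy: Never
          securityContext:
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: sync
              # TODO: pin to an immutable reference, e.g.
              # bitnami/kubectl:<version>@sha256:<digest>  (placeholder — fill in
              # from the registry). A mutable `latest` tag hands this job's
              # RBAC (patch on argocd-secret) to whatever the registry serves next.
              image: bitnami/kubectl:latest
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
              command: ["/bin/sh", "-c"]
              args:
                - |
                  set -eu

                  # --ignore-not-found prints nothing and exits 0 only when the
                  # object is genuinely missing; any other error (Forbidden,
                  # connection refused) makes the assignment fail under set -e.
                  SOURCE=$(kubectl get secret argocd-oidc-credentials -n argocd \
                    --ignore-not-found -o name)
                  if [ -z "$SOURCE" ]; then
                    echo "argocd-oidc-credentials not found — skipping (Keycloak not ready yet)"
                    exit 0
                  fi

                  # Read the base64 form exactly as the API stores it. It is
                  # copied byte-for-byte, including any trailing newline the
                  # registrar may have written (the former decode-in-shell path
                  # silently trimmed one).
                  NEW_B64=$(kubectl get secret argocd-oidc-credentials -n argocd \
                    -o jsonpath='{.data.client-secret}')
                  if [ -z "$NEW_B64" ]; then
                    echo "argocd-oidc-credentials has no client-secret key — refusing to write an empty oidc.clientSecret" >&2
                    exit 1
                  fi

                  # Current value in argocd-secret; jsonpath yields "" when the
                  # key is not set yet. A missing argocd-secret fails the job,
                  # which is what the patch below would do anyway.
                  CURRENT_B64=$(kubectl get secret argocd-secret -n argocd \
                    -o jsonpath='{.data.oidc\.clientSecret}')

                  # Only patch if changed (compare the canonical base64 strings).
                  if [ "$NEW_B64" = "$CURRENT_B64" ]; then
                    echo "oidc.clientSecret already up to date"
                    exit 0
                  fi

                  # Patch `data` (already base64) instead of `stringData`: base64
                  # uses only [A-Za-z0-9+/=], so no JSON escaping is required and
                  # the plaintext is never present in this process's arguments.
                  kubectl patch secret argocd-secret -n argocd --type merge \
                    -p "{\"data\":{\"oidc.clientSecret\":\"${NEW_B64}\"}}"
                  echo "Patched argocd-secret with oidc.clientSecret"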