apiVersion: batch/v1
kind: Job
metadata:
  name: plane-secret-patcher
  namespace: plane
  annotations:
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
  template:
    spec:
      serviceAccountName: plane-secret-patcher
      restartPolicy: Never
      containers:
      - name: patcher
        image: bitnami/kubectl:latest
        command:
        - /bin/sh
        - -c
        - |
          echo "Patching Plane Secrets & DNS Config…"

          DB_URL=$(echo -n "postgresql://plane:plane@plane-pgdb:5432/plane" | base64)
          REDIS_URL=$(echo -n "redis://plane-redis:6379/" | base64)
          AMQP_URL=$(echo -n "amqp://plane:plane@plane-rabbitmq/" | base64)

          kubectl patch secret plane-app-secrets -n plane --type=json -p "
          [
            {\"op\": \"replace\", \"path\": \"/data/DATABASE_URL\", \"value\": \"${DB_URL}\"},
            {\"op\": \"replace\", \"path\": \"/data/REDIS_URL\", \"value\": \"${REDIS_URL}\"},
            {\"op\": \"replace\", \"path\": \"/data/AMQP_URL\", \"value\": \"${AMQP_URL}\"}
          ]"

          kubectl patch secret plane-live-secrets -n plane --type=json -p "
          [
            {\"op\": \"replace\", \"path\": \"/data/REDIS_URL\", \"value\": \"${REDIS_URL}\"}
          ]"

          echo "Secrets patched successfully!"

          # Deployments: plane-api-wl, plane-worker-wl, plane-beat-worker-wl
          for item in plane-api-wl plane-worker-wl plane-beat-worker-wl; do
            kubectl patch deployment $item -n plane --type=json -p "
            [
              {
                \"op\": \"add\",
                \"path\": \"/spec/template/spec/dnsConfig\",
                \"value\": {
                  \"options\": [{\"name\": \"ndots\", \"value\": \"1\"}]
                }
              }
            ]" || echo "DNS patch failed or already applied for $item"
          done

          echo "All patches completed!"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: plane-secret-patcher
  namespace: plane
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: plane-secret-patcher
  namespace: plane
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "patch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["patch", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: plane-secret-patcher
  namespace: plane
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: plane-secret-patcher
subjects:
- kind: ServiceAccount
  name: plane-secret-patcher
  namespace: plane