apiVersion: batch/v1
kind: Job
metadata:
  name: plane-secret-patcher
  namespace: plane
  annotations:
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
  template:
    spec:
      serviceAccountName: plane-secret-patcher
      restartPolicy: Never
      containers:
      - name: patcher
        image: bitnami/kubectl:latest
        command:
        - /bin/sh
        - -c
        - |
          # Patch plane-app-secrets
          kubectl patch secret plane-app-secrets -n plane --type='json' -p='[
            {"op": "replace", "path": "/data/DATABASE_URL", "value": "'$(echo -n "postgresql://plane:plane@plane-pgdb:5432/plane" | base64)'"},
            {"op": "replace", "path": "/data/REDIS_URL", "value": "'$(echo -n "redis://plane-redis:6379/" | base64)'"},
            {"op": "replace", "path": "/data/AMQP_URL", "value": "'$(echo -n "amqp://plane:plane@plane-rabbitmq/" | base64)'"}
          ]'
          
          # Patch plane-live-secrets
          kubectl patch secret plane-live-secrets -n plane --type='json' -p='[
            {"op": "replace", "path": "/data/REDIS_URL", "value": "'$(echo -n "redis://plane-redis:6379/" | base64)'"}
          ]'
          
          echo "Secrets patched successfully"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: plane-secret-patcher
  namespace: plane
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: plane-secret-patcher
  namespace: plane
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: plane-secret-patcher
  namespace: plane
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: plane-secret-patcher
subjects:
- kind: ServiceAccount
  name: plane-secret-patcher
  namespace: plane