apiVersion: v1
kind: ServiceAccount
metadata:
  name: secret-sync
  namespace: minio-backup
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/sync-wave: "-20"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-sync
  namespace: minio-backup
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/sync-wave: "-20"
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-sync
  namespace: minio-backup
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/sync-wave: "-20"
subjects:
  - kind: ServiceAccount
    name: secret-sync
    namespace: minio-backup
roleRef:
  kind: Role
  name: secret-sync
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-sync
  namespace: velero
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/sync-wave: "-20"
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-sync
  namespace: velero
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/sync-wave: "-20"
subjects:
  - kind: ServiceAccount
    name: secret-sync
    namespace: minio-backup
roleRef:
  kind: Role
  name: secret-sync
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1
kind: Job
metadata:
  name: secret-sync
  namespace: minio-backup
  annotations:
    argocd.argoproj.io/hook: PostSync
spec:
  template:
    metadata:
      generateName: secret-sync
    spec:
      serviceAccountName: secret-sync
      restartPolicy: Never
      containers:
        - name: kubectl
          image: docker.io/bitnami/kubectl
          command: ["/bin/bash", "-c"]
          args:
            - |
              set -e
              kubectl get secrets -n minio-backup root-creds -o json > /tmp/secret
              ACCESS=$(jq -r '.data.rootUser | @base64d'  /tmp/secret)
              SECRET=$(jq -r '.data.rootPassword | @base64d'  /tmp/secret)
              
              echo \
              "apiVersion: v1
              kind: Secret
              metadata:
                name: secret-key
                namespace: velero
              type: Opaque
              stringData:
                aws: |
                  [default]
                    aws_access_key_id=${ACCESS}
                    aws_secret_access_key=${SECRET}
              " > /tmp/secret.yaml
              
              kubectl apply -f /tmp/secret.yaml
---
apiVersion: batch/v1
kind: Job
metadata:
  name: minio-root-creds
  namespace: minio-backup
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/sync-wave: "-10"
spec:
  template:
    metadata:
      generateName: minio-root-creds
    spec:
      serviceAccountName: secret-sync
      restartPolicy: Never
      containers:
        - name: kubectl
          image: docker.io/bitnami/kubectl
          command: ["/bin/bash", "-c"]
          args:
            - |
              kubectl get secrets -n minio-backup root-creds
              if [ $? -eq 0 ]; then
                exit 0
              fi
              
              set -e
              
              NAME=$(openssl rand -base64 24)
              PASS=$(openssl rand -base64 36)
              
              echo \
              "apiVersion: v1
              kind: Secret
              metadata:
                name: root-creds
                namespace: minio-backup
              type: Opaque
              stringData:
                rootUser: "${NAME}"
                rootPassword: "${PASS}"
              " > /tmp/secret.yaml
              
              kubectl apply -f /tmp/secret.yaml