---
apiVersion: batch/v1
kind: Job
metadata:
  name: vault-unseal
  namespace: vault
spec:
  template:
    spec:
      serviceAccountName: vault-unseal-sa
      containers:
        - name: vault-unseal
          image: 'bitnami/kubectl:latest'
          command:
            - /bin/sh
          args:
            - '-c'
            - >-
              vault_running="NotRunning";
              while [ "$vault_running" != "Running" ]; do vault_running=`kubectl get pods -n vault vault-vault-0 -o jsonpath="{.status.phase}"` && echo waiting; sleep 10; done; sleep 10;
              kubectl exec -ti vault-vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > /tmp/unseal.json;
              vault_unseal=`cat /tmp/unseal.json | jq -r '.unseal_keys_hex[0]'`;
              kubectl exec -ti vault-vault-0 -- vault operator unseal $vault_unseal;
              kubectl create secret generic vault-unseal-token --from-file='/tmp/unseal.json';
              sleep 10;
      restartPolicy: Never
  backoffLimit: 4