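# CronJob + RBAC to clean up orphaned Woodpecker step secrets (wp-*-step-secret).
# These accumulate when builds fail or are cancelled before Woodpecker's own
# cleanup runs. Runs every 6 hours; a Job's pods are auto-deleted 5 minutes
# after it finishes (ttlSecondsAfterFinished).
#
# The cleanup runs under a dedicated ServiceAccount so that the namespace's
# "default" ServiceAccount (used by every pod that does not set a
# serviceAccountName) is not granted list/delete on secrets.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: wp-secret-cleanup
  namespace: woodpecker
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: wp-secret-cleanup
  namespace: woodpecker
rules:
  # "list" finds the candidates, "delete" removes them. No get/watch, and no
  # resourceNames restriction because the secret names are dynamic.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: wp-secret-cleanup
  namespace: woodpecker
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: wp-secret-cleanup
subjects:
  - kind: ServiceAccount
    name: wp-secret-cleanup
    namespace: woodpecker
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: cleanup-wp-step-secrets
  namespace: woodpecker
spec:
  schedule: "0 */6 * * *"
  # Never let two cleanup runs overlap.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      ttlSecondsAfterFinished: 300
      # Do not retry a broken script six times (the batch default).
      backoffLimit: 2
      # A hung API call must not keep the Job alive indefinitely.
      activeDeadlineSeconds: 600
      template:
        spec:
          serviceAccountName: wp-secret-cleanup
          restartPolicy: Never
          containers:
            - name: cleanup
              # TODO(review): pin to an immutable digest
              # (.../bitnami/kubectl:<VERSION>@sha256:<DIGEST-PLACEHOLDER>). A
              # mutable "latest" tag lets a registry-side change alter what runs
              # with secret-delete rights.
              image: registry.celestium.life/dockerhub-cache/bitnami/kubectl:latest
              env:
                # Secrets younger than this are assumed to belong to a step that
                # is still running and are left alone. Raise it if builds run
                # longer than an hour.
                - name: MIN_AGE_SECONDS
                  value: "3600"
              securityContext:
                # NOTE(review): relies on the bitnami/kubectl image running as a
                # non-root user by default - confirm if the image is changed.
                runAsNonRoot: true
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
                seccompProfile:
                  type: RuntimeDefault
              resources:
                requests:
                  cpu: 50m
                  memory: 64Mi
                limits:
                  memory: 128Mi
              command:
                - /bin/sh
                - -c
                - |
                  # Delete wp-*step-secret secrets older than MIN_AGE_SECONDS.
                  # Exits non-zero (so the Job is recorded as failed) if the
                  # cutoff cannot be computed, listing fails, or any delete fails.
                  set -u
                  NAMESPACE=woodpecker
                  MIN_AGE_SECONDS="${MIN_AGE_SECONDS:-3600}"

                  # RFC 3339 UTC timestamps compare correctly as plain strings, so
                  # the cutoff is rendered in the same layout the API returns.
                  # Assumes GNU `date -d` (Debian-based image) - if it is missing,
                  # refuse to delete anything rather than guess.
                  NOW=$(date -u +%s)
                  CUTOFF=$(date -u -d "@$((NOW - MIN_AGE_SECONDS))" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || true)
                  if [ -z "$CUTOFF" ]; then
                    echo "ERROR: cannot compute age cutoff; nothing deleted" >&2
                    exit 1
                  fi

                  echo "Cleaning up orphaned Woodpecker step secrets created before $CUTOFF..."
                  LISTING=$(kubectl get secret -n "$NAMESPACE" \
                    -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.metadata.creationTimestamp}{"\n"}{end}') \
                    || { echo "ERROR: listing secrets failed" >&2; exit 1; }

                  # Keep only step secrets whose creation time is before the cutoff.
                  CANDIDATES=$(printf '%s\n' "$LISTING" | while read -r name created; do
                    case "$name" in
                      wp-*step-secret) ;;
                      *) continue ;;
                    esac
                    [ -n "$created" ] || continue
                    if [ "$(expr "$created" \< "$CUTOFF")" = 1 ]; then
                      printf '%s\n' "$name"
                    fi
                  done)
                  COUNT=$(printf '%s\n' "$CANDIDATES" | grep -c . || true)
                  echo "Found $COUNT orphaned step secrets"

                  if [ "$COUNT" -eq 0 ]; then
                    echo "Nothing to clean"
                    exit 0
                  fi

                  FAILED=0
                  for s in $CANDIDATES; do
                    # Errors are shown, not hidden: an RBAC denial or API outage
                    # must be visible in the Job log. Already-gone secrets are fine.
                    if ! kubectl delete secret -n "$NAMESPACE" "$s" --ignore-not-found --wait=false; then
                      echo "WARNING: failed to delete secret/$s" >&2
                      FAILED=$((FAILED + 1))
                    fi
                  done
                  echo "Cleanup complete ($((COUNT - FAILED)) deleted, $FAILED failed)"
                  [ "$FAILED" -eq 0 ]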