# Ory Kratos schema migration — runs `kratos migrate sql` against the Kratos
# database before the Kratos Deployment rolls. 03-deploy.sh applies this,
# waits for completion, then applies kratos.yaml.
#
# IMAGE: set the same oryd/kratos tag as kratos.yaml (Ory CalVer v25.x/v26.x);
# pin a @sha256: digest. See kratos/README.md.
apiVersion: batch/v1
kind: Job
metadata:
  name: kratos-migrate
  namespace: honeydue
  labels:
    app.kubernetes.io/name: kratos
    app.kubernetes.io/part-of: honeydue
spec:
  backoffLimit: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kratos
        app.kubernetes.io/part-of: honeydue
    spec:
      restartPolicy: Never
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kratos-migrate
          image: oryd/kratos:REPLACE_WITH_CURRENT_STABLE_TAG
          imagePullPolicy: IfNotPresent
          args: ["migrate", "sql", "-e", "--yes"]
          env:
            - name: DSN
              valueFrom:
                secretKeyRef:
                  name: kratos-secrets
                  key: dsn
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 500m
              memory: 256Mi