charts/loki/templates/tokengen/job-tokengen.yaml - atmosphere - Gitiles

 {{ if and .Values.enterprise.tokengen.enabled .Values.enterprise.enabled }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
   name: {{ template "enterprise-logs.tokengenFullname" . }}
   namespace: {{ $.Release.Namespace }}
   labels:
     {{- include "enterprise-logs.tokengenLabels" . | nindent 4 }}
     {{- with .Values.enterprise.tokengen.labels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
   annotations:
     {{- with .Values.enterprise.tokengen.annotations }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
     "helm.sh/hook": post-install
     "helm.sh/hook-weight": "10"
 spec:
   backoffLimit: 6
   completions: 1
   parallelism: 1
   template:
     metadata:
       labels:
         {{- include "enterprise-logs.tokengenSelectorLabels" . | nindent 8 }}
         {{- with .Values.enterprise.tokengen.labels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
       annotations:
         {{- with .Values.enterprise.tokengen.annotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
       {{- with .Values.enterprise.tokengen.priorityClassName }}
       priorityClassName: {{ . }}
       {{- end }}
       securityContext:
         {{- toYaml .Values.enterprise.tokengen.securityContext | nindent 8 }}
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml .Values.imagePullSecrets | nindent 8 }}
       {{- end }}
       initContainers:
         - name: loki
           image: {{ template "loki.image" . }}
           imagePullPolicy: {{ .Values.loki.image.pullPolicy }}
           args:
             # The shared emptyDir exists only while the job is running, and is deleted once the job is completed.
             # The tokengen generates a new admin token in case the 'token-file' file doesn't exist.
             # As a result, subsequent executions of this tokengen job will generate new admin tokens.
             # Note that previously generated tokens remain valid, as these remain present in the object storage.
             - -config.file=/etc/loki/config/config.yaml
             - -target={{ .Values.enterprise.tokengen.targetModule }}
             - -tokengen.token-file=/shared/admin-token
             {{- with .Values.enterprise.tokengen.extraArgs }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
           volumeMounts:
             {{- if .Values.enterprise.tokengen.extraVolumeMounts }}
               {{ toYaml .Values.enterprise.tokengen.extraVolumeMounts | nindent 12 }}
             {{- end }}
             - name: shared
               mountPath: /shared
             - name: config
               mountPath: /etc/loki/config
             - name: runtime-config
               mountPath: /etc/loki/runtime-config
             - name: license
               mountPath: /etc/loki/license
           env:
             {{- if .Values.enterprise.tokengen.env }}
               {{ toYaml .Values.enterprise.tokengen.env | nindent 12 }}
             {{- end }}
           {{- with .Values.enterprise.tokengen.extraEnvFrom }}
           envFrom:
             {{- toYaml . | nindent 12 }}
           {{- end }}
       containers:
         - name: create-secret
           image: {{ include "loki.kubectlImage" . }}
           imagePullPolicy: {{ .Values.kubectlImage.pullPolicy }}
           command:
             - /bin/bash
             - -euc
             - |
               # Create or update admin token secrets generated by tokengen job
               kubectl create secret generic "{{ include "enterprise-logs.adminTokenSecret" . }}" \
                 --from-file=token=/shared/admin-token \
                 --dry-run=client -o yaml \
                 | kubectl apply -f -
               {{- with .Values.enterprise.adminToken.additionalNamespaces }}
               {{- range . }}
               kubectl --namespace "{{ . }}" create secret generic "{{ include "enterprise-logs.adminTokenSecret" $ }}" \
                 --from-file=token=/shared/admin-token \
                 --dry-run=client -o yaml \
                 | kubectl apply -f -
               {{- end }}
               {{- end }}
           volumeMounts:
             {{- if .Values.enterprise.tokengen.extraVolumeMounts }}
               {{ toYaml .Values.enterprise.tokengen.extraVolumeMounts | nindent 12 }}
             {{- end }}
             - name: shared
               mountPath: /shared
             - name: config
               mountPath: /etc/loki/config
             - name: license
               mountPath: /etc/loki/license
       restartPolicy: OnFailure
       serviceAccount: {{ template "enterprise-logs.tokengenFullname" . }}
       serviceAccountName: {{ template "enterprise-logs.tokengenFullname" . }}
       {{- with .Values.enterprise.tokengen.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
         - name: config
           {{- include "loki.configVolume" . | nindent 10 }}
         - name: runtime-config
           configMap:
             name: {{ template "loki.name" . }}-runtime
         - name: license
           secret:
           {{- if .Values.enterprise.useExternalLicense }}
             secretName: {{ .Values.enterprise.externalLicenseName }}
           {{- else }}
             secretName: enterprise-logs-license
           {{- end }}
         - name: shared
           emptyDir: {}
         {{- if .Values.enterprise.tokengen.extraVolumes }}
         {{ toYaml .Values.enterprise.tokengen.extraVolumes | nindent 8 }}
         {{- end }}
 {{- end }}
	{{ if and .Values.enterprise.tokengen.enabled .Values.enterprise.enabled }}
	---
	apiVersion: batch/v1
	kind: Job
	metadata:
	name: {{ template "enterprise-logs.tokengenFullname" . }}
	namespace: {{ $.Release.Namespace }}
	labels:
	{{- include "enterprise-logs.tokengenLabels" . \| nindent 4 }}
	{{- with .Values.enterprise.tokengen.labels }}
	{{- toYaml . \| nindent 4 }}
	{{- end }}
	annotations:
	{{- with .Values.enterprise.tokengen.annotations }}
	{{- toYaml . \| nindent 4 }}
	{{- end }}
	"helm.sh/hook": post-install
	"helm.sh/hook-weight": "10"
	spec:
	backoffLimit: 6
	completions: 1
	parallelism: 1
	template:
	metadata:
	labels:
	{{- include "enterprise-logs.tokengenSelectorLabels" . \| nindent 8 }}
	{{- with .Values.enterprise.tokengen.labels }}
	{{- toYaml . \| nindent 8 }}
	{{- end }}
	annotations:
	{{- with .Values.enterprise.tokengen.annotations }}
	{{- toYaml . \| nindent 8 }}
	{{- end }}
	spec:
	{{- with .Values.enterprise.tokengen.priorityClassName }}
	priorityClassName: {{ . }}
	{{- end }}
	securityContext:
	{{- toYaml .Values.enterprise.tokengen.securityContext \| nindent 8 }}
	{{- if .Values.imagePullSecrets }}
	imagePullSecrets:
	{{- toYaml .Values.imagePullSecrets \| nindent 8 }}
	{{- end }}
	initContainers:
	- name: loki
	image: {{ template "loki.image" . }}
	imagePullPolicy: {{ .Values.loki.image.pullPolicy }}
	args:
	# The shared emptyDir exists only while the job is running, and is deleted once the job is completed.
	# The tokengen generates a new admin token in case the 'token-file' file doesn't exist.
	# As a result, subsequent executions of this tokengen job will generate new admin tokens.
	# Note that previously generated tokens remain valid, as these remain present in the object storage.
	- -config.file=/etc/loki/config/config.yaml
	- -target={{ .Values.enterprise.tokengen.targetModule }}
	- -tokengen.token-file=/shared/admin-token
	{{- with .Values.enterprise.tokengen.extraArgs }}
	{{- toYaml . \| nindent 12 }}
	{{- end }}
	volumeMounts:
	{{- if .Values.enterprise.tokengen.extraVolumeMounts }}
	{{ toYaml .Values.enterprise.tokengen.extraVolumeMounts \| nindent 12 }}
	{{- end }}
	- name: shared
	mountPath: /shared
	- name: config
	mountPath: /etc/loki/config
	- name: runtime-config
	mountPath: /etc/loki/runtime-config
	- name: license
	mountPath: /etc/loki/license
	env:
	{{- if .Values.enterprise.tokengen.env }}
	{{ toYaml .Values.enterprise.tokengen.env \| nindent 12 }}
	{{- end }}
	{{- with .Values.enterprise.tokengen.extraEnvFrom }}
	envFrom:
	{{- toYaml . \| nindent 12 }}
	{{- end }}
	containers:
	- name: create-secret
	image: {{ include "loki.kubectlImage" . }}
	imagePullPolicy: {{ .Values.kubectlImage.pullPolicy }}
	command:
	- /bin/bash
	- -euc
	- \|
	# Create or update admin token secrets generated by tokengen job
	kubectl create secret generic "{{ include "enterprise-logs.adminTokenSecret" . }}" \
	--from-file=token=/shared/admin-token \
	--dry-run=client -o yaml \
	\| kubectl apply -f -
	{{- with .Values.enterprise.adminToken.additionalNamespaces }}
	{{- range . }}
	kubectl --namespace "{{ . }}" create secret generic "{{ include "enterprise-logs.adminTokenSecret" $ }}" \
	--from-file=token=/shared/admin-token \
	--dry-run=client -o yaml \
	\| kubectl apply -f -
	{{- end }}
	{{- end }}
	volumeMounts:
	{{- if .Values.enterprise.tokengen.extraVolumeMounts }}
	{{ toYaml .Values.enterprise.tokengen.extraVolumeMounts \| nindent 12 }}
	{{- end }}
	- name: shared
	mountPath: /shared
	- name: config
	mountPath: /etc/loki/config
	- name: license
	mountPath: /etc/loki/license
	restartPolicy: OnFailure
	serviceAccount: {{ template "enterprise-logs.tokengenFullname" . }}
	serviceAccountName: {{ template "enterprise-logs.tokengenFullname" . }}
	{{- with .Values.enterprise.tokengen.tolerations }}
	tolerations:
	{{- toYaml . \| nindent 8 }}
	{{- end }}
	volumes:
	- name: config
	{{- include "loki.configVolume" . \| nindent 10 }}
	- name: runtime-config
	configMap:
	name: {{ template "loki.name" . }}-runtime
	- name: license
	secret:
	{{- if .Values.enterprise.useExternalLicense }}
	secretName: {{ .Values.enterprise.externalLicenseName }}
	{{- else }}
	secretName: enterprise-logs-license
	{{- end }}
	- name: shared
	emptyDir: {}
	{{- if .Values.enterprise.tokengen.extraVolumes }}
	{{ toYaml .Values.enterprise.tokengen.extraVolumes \| nindent 8 }}
	{{- end }}
	{{- end }}