Gitiles
Code Review Sign In
review.vexxhost.dev / atmosphere / refs/heads/main / . / charts / heat / templates / job-trusts.yaml
blob: e539e7f9a014d21844f961e34b2e744e2b54bf76 [file] [log] [blame]
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]1{{/*
2Licensed under the Apache License, Version 2.0 (the "License");
3you may not use this file except in compliance with the License.
4You may obtain a copy of the License at
5
6 http://www.apache.org/licenses/LICENSE-2.0
7
8Unless required by applicable law or agreed to in writing, software
9distributed under the License is distributed on an "AS IS" BASIS,
10WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11See the License for the specific language governing permissions and
12limitations under the License.
13*/}}
14
15{{- $envAll := . }}
16
17{{- $mounts_heat_trusts := .Values.pod.mounts.heat_trusts.heat_trusts }}
18{{- $mounts_heat_trusts_init := .Values.pod.mounts.heat_trusts.init_container }}
19
20{{- $serviceAccountName := "heat-trusts" }}
21{{ tuple $envAll "trusts" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
22---
23apiVersion: batch/v1
24kind: Job
25metadata:
26 name: heat-trusts
27 labels:
28{{ tuple $envAll "heat" "trusts" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
29 annotations:
30{{- if .Values.helm3_hook }}
31 "helm.sh/hook": post-install,post-upgrade
32 "helm.sh/hook-delete-policy": before-hook-creation
33{{- end }}
34 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
35spec:
36 template:
37 metadata:
38 labels:
39{{ tuple $envAll "heat" "trusts" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
40 annotations:
41{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
42 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
43 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
44{{ dict "envAll" $envAll "podName" "heat-trusts" "containerNames" (list "heat-trusts" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
45 spec:
Dong Ma36b89222025-02-13 16:15:52 +0000[diff] [blame]46{{- if and $envAll.Values.pod.priorityClassName $envAll.Values.pod.priorityClassName.heat_trusts }}
47 priorityClassName: {{ $envAll.Values.pod.priorityClassName.heat_trusts }}
48{{- end }}
49{{- if and $envAll.Values.pod.runtimeClassName $envAll.Values.pod.runtimeClassName.heat_trusts }}
50 runtimeClassName: {{ $envAll.Values.pod.runtimeClassName.heat_trusts }}
51{{- end }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]52 serviceAccountName: {{ $serviceAccountName }}
53{{ dict "envAll" $envAll "application" "trusts" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
54 restartPolicy: OnFailure
55 nodeSelector:
56 {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
Mohammed Naserbcdd25c2023-01-18 03:38:47 +0000[diff] [blame]57{{ if $envAll.Values.pod.tolerations.heat.enabled }}
58{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
59{{ end }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]60 initContainers:
61{{ tuple $envAll "trusts" $mounts_heat_trusts_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
62 containers:
63 - name: heat-trusts
64{{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.image" | indent 10 }}
65{{ tuple $envAll $envAll.Values.pod.resources.jobs.trusts | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
66{{ dict "envAll" $envAll "application" "trusts" "container" "heat_trusts" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
67 command:
68 - bash
69 - /tmp/trusts.sh
70 volumeMounts:
71 - name: pod-tmp
72 mountPath: /tmp
73 - name: heat-bin
74 mountPath: /tmp/trusts.sh
75 subPath: trusts.sh
76 readOnly: true
Mohammed Naserbcdd25c2023-01-18 03:38:47 +0000[diff] [blame]77{{ dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]78{{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }}
79 env:
Mohammed Naserbcdd25c2023-01-18 03:38:47 +0000[diff] [blame]80{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]81{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
82{{- end }}
83 - name: SERVICE_OS_ROLES
84 value: {{ .Values.conf.heat.DEFAULT.trusts_delegated_roles }}
85 - name: SERVICE_OS_TRUSTEE
86 value: {{ .Values.endpoints.identity.auth.heat_trustee.username }}
87 - name: SERVICE_OS_TRUSTEE_DOMAIN
88 value: {{ .Values.endpoints.identity.auth.heat_trustee.user_domain_name }}
89 volumes:
90 - name: pod-tmp
91 emptyDir: {}
92 - name: heat-bin
93 configMap:
94 name: heat-bin
95 defaultMode: 0555
Mohammed Naserbcdd25c2023-01-18 03:38:47 +0000[diff] [blame]96{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500[diff] [blame]97{{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }}