{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}

{{- /*
Renders the keystone fernet key rotation CronJob together with the
ServiceAccount, Role and RoleBinding it runs under.

Emitted only when manifests.cron_fernet_rotate is enabled and the
keystone token provider is "fernet"; otherwise this file renders empty.
*/}}
{{- if .Values.manifests.cron_fernet_rotate }}
{{- if eq .Values.conf.keystone.token.provider "fernet" }}
{{- $envAll := . }}

{{- $mounts_keystone_fernet_rotate := .Values.pod.mounts.keystone_fernet_rotate.keystone_fernet_rotate }}
{{- $mounts_keystone_fernet_rotate_init := .Values.pod.mounts.keystone_fernet_rotate.init_container }}

{{- $serviceAccountName := "keystone-fernet-rotate" }}
{{ tuple $envAll "fernet_rotate" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
{{- /*
Namespace-scoped Role for the rotation job. It allows get/list/create/update
on every Secret in the release namespace; no resourceNames restriction is
applied here.
NOTE(review): if fernet-manage.py only ever touches a single, known Secret,
scoping these rules with resourceNames would reduce what a compromised job
pod can read — confirm against the script before tightening.
*/}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $serviceAccountName }}
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - create
      - update
---
{{- /* Binds the Role above to the job's ServiceAccount in the release namespace. */}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $serviceAccountName }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $serviceAccountName }}
subjects:
  - kind: ServiceAccount
    name: {{ $serviceAccountName }}
    namespace: {{ $envAll.Release.Namespace }}
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: keystone-fernet-rotate
  annotations:
    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
spec:
  {{- /* Schedule and history limits come from .Values.jobs.fernet_rotate; the cron string is quoted so YAML cannot retype it. */}}
  schedule: {{ .Values.jobs.fernet_rotate.cron | quote }}
  successfulJobsHistoryLimit: {{ .Values.jobs.fernet_rotate.history.success }}
  failedJobsHistoryLimit: {{ .Values.jobs.fernet_rotate.history.failed }}
  {{- /* Forbid: a new run is skipped while a previous rotation is still executing, so two rotations never overlap. */}}
  concurrencyPolicy: Forbid
  jobTemplate:
    metadata:
      labels:
{{ tuple $envAll "keystone" "fernet-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
      template:
        metadata:
          labels:
{{ tuple $envAll "keystone" "fernet-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
        spec:
{{ with .Values.pod.priorityClassName.keystone_fernet_rotate }}
          priorityClassName: {{ . }}
{{ end }}
{{ with .Values.pod.runtimeClassName.keystone_fernet_rotate }}
          runtimeClassName: {{ . }}
{{ end }}
          serviceAccountName: {{ $serviceAccountName }}
{{- /* Pod-level security context is supplied by helm-toolkit from pod.security_context.fernet_rotate. */}}
{{ dict "envAll" $envAll "application" "fernet_rotate" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
          initContainers:
{{ tuple $envAll "fernet_rotate" $mounts_keystone_fernet_rotate_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
          restartPolicy: OnFailure
{{ if $envAll.Values.pod.tolerations.keystone.enabled }}
{{ tuple $envAll "keystone" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }}
{{ end }}
          nodeSelector:
            {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
          containers:
            - name: keystone-fernet-rotate
{{ tuple $envAll "keystone_fernet_rotate" | include "helm-toolkit.snippets.image" | indent 14 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.fernet_rotate | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
{{ dict "envAll" $envAll "application" "fernet_rotate" "container" "keystone_fernet_rotate" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14}}
              {{- /* All values are quoted so numeric-looking uids/gids and names stay strings in the rendered manifest. */}}
              env:
                - name: KEYSTONE_USER
                  value: {{ .Values.jobs.fernet_rotate.user | quote }}
                - name: KEYSTONE_GROUP
                  value: {{ .Values.jobs.fernet_rotate.group | quote }}
                - name: KUBERNETES_NAMESPACE
                  value: {{ .Release.Namespace | quote }}
                - name: KEYSTONE_KEYS_REPOSITORY
                  value: {{ .Values.conf.keystone.fernet_tokens.key_repository | quote }}
              {{- /* The script is mounted read-only from the keystone-bin ConfigMap below and run with the "fernet_rotate" action. */}}
              command:
                - python
                - /tmp/fernet-manage.py
                - fernet_rotate
              volumeMounts:
                - name: pod-tmp
                  mountPath: /tmp
                - name: etckeystone
                  mountPath: /etc/keystone
                - name: keystone-etc
                  mountPath: /etc/keystone/keystone.conf
                  subPath: keystone.conf
                  readOnly: true
                {{- if .Values.conf.keystone.DEFAULT.log_config_append }}
                - name: keystone-etc
                  mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
                  subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
                  readOnly: true
                {{- end }}
                - name: keystone-bin
                  mountPath: /tmp/fernet-manage.py
                  subPath: fernet-manage.py
                  readOnly: true
{{ if $mounts_keystone_fernet_rotate.volumeMounts }}{{ toYaml $mounts_keystone_fernet_rotate.volumeMounts | indent 16 }}{{ end }}
          {{- /* defaultMode values are deliberately unquoted: Kubernetes expects an integer here and the YAML 1.1 octal reading of 0444 / 0555 is what is intended. */}}
          volumes:
            - name: pod-tmp
              emptyDir: {}
            - name: etckeystone
              emptyDir: {}
            - name: keystone-etc
              secret:
                secretName: keystone-etc
                defaultMode: 0444
            - name: keystone-bin
              configMap:
                name: keystone-bin
                defaultMode: 0555
{{ if $mounts_keystone_fernet_rotate.volumes }}{{ toYaml $mounts_keystone_fernet_rotate.volumes | indent 12 }}{{ end }}
{{- end }}
{{- end }}