first commit

2026-01-21 17:37:42 +11:00
commit bd1ed71ac4
142 changed files with 18994 additions and 0 deletions


@@ -0,0 +1,30 @@
{{- define "domainCertWatch.appName" -}}
{{- $name := default "domain-cert-watch" .Values.common.domainCertWatch.nameOverride -}}
{{- $env := default "env" .Values.global.appEnv -}}
{{- printf "%s-%s" $name $env | trunc 63 | trimSuffix "-" -}}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "domainCertWatch.serviceAccountName" -}}
{{- if .Values.common.domainCertWatch.serviceAccount.enabled -}}
{{ default "domain-cert-watch" .Values.common.domainCertWatch.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.common.domainCertWatch.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{- define "domainCertWatch.domainCertHash" -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace "domain-certificate") -}}
{{- if $secret -}}
{{- $secretData := $secret.data -}}
{{- $json := toJson $secretData -}}
{{- printf "%s" $json | sha1sum -}}
{{- else -}}
{{- "UNINITIALIZED" -}}
{{- end -}}
{{- end -}}
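Review bot: The value produced by `domainCertWatch.domainCertHash` is very likely not comparable with the one the CronJob computes, because this side hashes Helm's `toJson` of `.data` (compact JSON) while the job's script hashes `kubectl get secrets ... -o jsonpath='{.data}'`, which renders a map in Go's `map[k:v ...]` text form rather than JSON. Since the job only suppresses the rollout when `stored_sha` is `UNINITIALIZED`, the first run after every `helm upgrade` on a cluster where the secret already exists (so `lookup` returns it) would see a mismatch, rewrite the ConfigMap and restart the envoy and inbound-worker deployments even though the certificate did not change. The simplest fix is to have this helper emit `UNINITIALIZED` unconditionally and let the job own the stored value; otherwise both sides must hash byte-identical encodings, which should be verified against a real cluster. This also affects the ConfigMap and CronJob sections below.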


@@ -0,0 +1,33 @@
{{- if .Values.common.domainCertWatch.calicoNetpol.enabled }}
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: domain-cert-watch-network-policy
namespace: {{ .Release.Namespace }}
spec:
order: 10
selector: dplane == 'domain-cert-watch-job'
types:
- Egress
egress:
# allow to communicate to DNS pods
- action: Allow
protocol: UDP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
- action: Allow
protocol: TCP
destination:
namespaceSelector: projectcalico.org/name == 'kube-system'
ports:
- 53
# allow to communicate with k8s api server
- action: Allow
destination:
services:
name: kubernetes
namespace: default
protocol: TCP
{{- end}}
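Review bot: The two DNS egress rules allow port 53 to any pod in `kube-system`, not just the DNS service; a pod selector on the destination, typically `selector: k8s-app == 'kube-dns'` (confirm the label your cluster's DNS pods carry), would narrow it to the intended endpoints. The policy also lists only `- Egress` under `types`, so ingress to the job pod is left to whatever other policies apply; since the job does not serve anything, adding `- Ingress` with no ingress rules gives it an explicit default deny in Calico. Both are hardening suggestions rather than blockers.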


@@ -0,0 +1,11 @@
{{- if .Values.common.domainCertWatch.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "domainCertWatch.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "dataplane.labels" . | nindent 4 }}
data:
sha: {{ template "domainCertWatch.domainCertHash" . }}
{{- end }}
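Review bot: `sha:` is written as an unquoted plain scalar, but ConfigMap `data` values must be strings; a 40-hex-digit sha1 that happens to consist only of decimal digits (rare, but possible) would be parsed as an integer and the manifest rejected. Render it as `sha: {{ template "domainCertWatch.domainCertHash" . | quote }}` so both the hash and the `UNINITIALIZED` sentinel are always strings. A short comment noting that `lookup` returns nothing under `helm template`/`--dry-run`, so the rendered value is then `UNINITIALIZED` by design, would also help the next reader.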


@@ -0,0 +1,79 @@
{{- if .Values.common.domainCertWatch.enabled -}}
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ template "domainCertWatch.appName" . }}
namespace: {{ .Release.Namespace }}
labels:
dplane: "domain-cert-watch-job"
spec:
concurrencyPolicy: Forbid
failedJobsHistoryLimit: 1
jobTemplate:
spec:
ttlSecondsAfterFinished: {{ .Values.common.domainCertWatch.job_ttl }}
template:
metadata:
labels:
dplane: "domain-cert-watch-job"
spec:
serviceAccountName: {{ include "domainCertWatch.serviceAccountName" . }}
containers:
- image: "{{ default .Values.global.image.repository .Values.global.alpinetools.image.repository }}/{{ .Values.global.alpinetools.image.name }}:{{ .Values.global.alpinetools.image.tag }}"
imagePullPolicy: {{ .Values.global.image.pullPolicy }}
command: [ "/bin/sh", "-c" ]
args:
- |
cm_name={{ template "domainCertWatch.appName" . }}
if dcert=$(kubectl get secrets domain-certificate -o jsonpath='{.data}'); then
dc_sha=$(echo -n $dcert | sha1sum | awk '{print $1}');
echo "Generated domain-certificate secret sha - $dc_sha";
if dcert_cm=$(kubectl get configmap $cm_name -o json); then
stored_sha=$(echo -n $dcert_cm | jq -r .data.sha);
echo "Retrieved domain-certificate stored sha - $stored_sha";
if [[ "$stored_sha" == "UNINITIALIZED" || "$stored_sha" != "$dc_sha" ]]; then
echo "Stored sha found in configmap $cm_name does not match, updating entry";
if kubectl create configmap $cm_name --from-literal=sha="$dc_sha" -o yaml --dry-run=client | kubectl apply -f -; then
echo "Updated configmap $cm_name with new sha - $dc_sha";
if [[ "$stored_sha" != "UNINITIALIZED" ]]; then
echo "The domain-certificate secret has changed, rolling envoy and inbound-worker deployments";
kubectl rollout restart deployment -l dplane=envoy;
kubectl rollout restart deployment -l dplane=inbound-worker;
fi
exit 0;
else
echo "Failed to update configmap $cm_name";
exit 1;
fi
else
echo "The secret domain-certificate has not changed, no action needed";
exit 0;
fi
else
echo "Failed to retrieve stored domain-certificate sha";
exit 1;
fi
else
echo "Could not get the secret domain-certificate";
exit 1;
fi
name: domain-cert-watch
{{- with .Values.common.domainCertWatch.securityContext }}
securityContext:
{{- toYaml . | nindent 16 }}
{{- end }}
restartPolicy: Never
{{- with .Values.global.image.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.common.domainCertWatch.podSecurityContextEnabled -}}
{{- with .Values.common.domainCertWatch.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
schedule: {{ .Values.common.domainCertWatch.schedule | squote }}
successfulJobsHistoryLimit: 1
suspend: false
{{- end }}
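Review bot: `$dcert` and `$dcert_cm` are expanded unquoted in the `echo -n` pipelines, so the shell word-splits and glob-expands the secret and ConfigMap payloads before they are hashed or parsed; the `map[...]` output of jsonpath is itself a glob character class, which makes the hashed bytes depend on whatever files happen to exist in the working directory. Quote both expansions: `dc_sha=$(echo -n "$dcert" | sha1sum | awk '{print $1}');` and `stored_sha=$(echo -n "$dcert_cm" | jq -r .data.sha);`, or avoid the variable round-trip entirely by piping `kubectl` straight into `sha1sum`/`jq`. The `[[ ... ]]` tests are also not POSIX; they work if the image's `/bin/sh` is busybox ash built with bash compatibility (usual on Alpine), but a plain `[ ... ]` with `-o` would remove that assumption.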


@@ -0,0 +1,33 @@
{{- if ( and .Values.common.domainCertWatch.serviceAccount.enabled ( not .Values.common.domainCertWatch.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "domainCertWatch.appName" . }}-role
labels:
{{- include "dataplane.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- patch
- update
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- patch
{{- end }}
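Review bot: The `secrets` rule grants `patch`, but the job's script only ever reads the secret (`kubectl get secrets domain-certificate`), so that verb is unused privilege; with a read-only verb and no `list`, the rule can also be pinned to the one object it needs via `resourceNames`. Replace the verbs under `- secrets` with `resourceNames: [domain-certificate]` and `verbs: [get]`. Similarly, `list` on configmaps is not used by `kubectl get configmap <name>` or by `kubectl apply` of a single named object and can be dropped, while `get`/`list`/`patch` on deployments matches what `kubectl rollout restart -l` needs.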


@@ -0,0 +1,16 @@
{{- if ( and .Values.common.domainCertWatch.serviceAccount.enabled ( not .Values.common.domainCertWatch.serviceAccount.preexisting ) ) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "domainCertWatch.appName" . }}-role-binding
labels:
{{- include "dataplane.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "domainCertWatch.appName" . }}-role
subjects:
- kind: ServiceAccount
name: {{ include "domainCertWatch.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}


@@ -0,0 +1,12 @@
{{- if .Values.common.domainCertWatch.serviceAccount.enabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "domainCertWatch.serviceAccountName" . }}
labels:
{{- include "dataplane.labels" . | nindent 4 }}
{{- with .Values.common.domainCertWatch.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
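Review bot: This template creates the ServiceAccount whenever `serviceAccount.enabled` is true, while the Role and RoleBinding sections additionally require `not ...serviceAccount.preexisting`; if `preexisting` means "the account already exists, do not create it" (inferred from the name and its use in the sibling templates), a release with `preexisting: true` would try to create an object that already exists and the install would fail on ownership. Aligning the guard to `{{- if (and .Values.common.domainCertWatch.serviceAccount.enabled (not .Values.common.domainCertWatch.serviceAccount.preexisting)) -}}` keeps the three resources consistent. If the intent is instead that a preexisting account should still be adopted, a comment stating that here would avoid the ambiguity.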