first commit
@@ -0,0 +1,79 @@
|
||||
{{- if .Values.common.domainCertWatch.enabled -}}
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: {{ template "domainCertWatch.appName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
dplane: "domain-cert-watch-job"
|
||||
spec:
|
||||
concurrencyPolicy: Forbid
|
||||
failedJobsHistoryLimit: 1
|
||||
jobTemplate:
|
||||
spec:
|
||||
ttlSecondsAfterFinished: {{ .Values.common.domainCertWatch.job_ttl }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
dplane: "domain-cert-watch-job"
|
||||
spec:
|
||||
serviceAccountName: {{ include "domainCertWatch.serviceAccountName" . }}
|
||||
containers:
|
||||
- image: "{{ default .Values.global.image.repository .Values.global.alpinetools.image.repository }}/{{ .Values.global.alpinetools.image.name }}:{{ .Values.global.alpinetools.image.tag }}"
|
||||
imagePullPolicy: {{ .Values.global.image.pullPolicy }}
|
||||
command: [ "/bin/sh", "-c" ]
|
||||
args:
|
||||
- |
|
||||
cm_name={{ template "domainCertWatch.appName" . }}
|
||||
if dcert=$(kubectl get secrets domain-certificate -o jsonpath='{.data}'); then
|
||||
dc_sha=$(echo -n $dcert | sha1sum | awk '{print $1}');
|
||||
echo "Generated domain-certificate secret sha - $dc_sha";
|
||||
if dcert_cm=$(kubectl get configmap $cm_name -o json); then
|
||||
stored_sha=$(echo -n $dcert_cm | jq -r .data.sha);
|
||||
echo "Retrieved domain-certificate stored sha - $stored_sha";
|
||||
if [[ "$stored_sha" == "UNINITIALIZED" || "$stored_sha" != "$dc_sha" ]]; then
|
||||
echo "Stored sha found in configmap $cm_name does not match, updating entry";
|
||||
if kubectl create configmap $cm_name --from-literal=sha="$dc_sha" -o yaml --dry-run=client | kubectl apply -f -; then
|
||||
echo "Updated configmap $cm_name with new sha - $dc_sha";
|
||||
if [[ "$stored_sha" != "UNINITIALIZED" ]]; then
|
||||
echo "The domain-certificate secret has changed, rolling envoy and inbound-worker deployments";
|
||||
kubectl rollout restart deployment -l dplane=envoy;
|
||||
kubectl rollout restart deployment -l dplane=inbound-worker;
|
||||
fi
|
||||
exit 0;
|
||||
else
|
||||
echo "Failed to update configmap $cm_name";
|
||||
exit 1;
|
||||
fi
|
||||
else
|
||||
echo "The secret domain-certificate has not changed, no action needed";
|
||||
exit 0;
|
||||
fi
|
||||
else
|
||||
echo "Failed to retrieve stored domain-certificate sha";
|
||||
exit 1;
|
||||
fi
|
||||
else
|
||||
echo "Could not get the secret domain-certificate";
|
||||
exit 1;
|
||||
fi
|
||||
name: domain-cert-watch
|
||||
{{- with .Values.common.domainCertWatch.securityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 16 }}
|
||||
{{- end }}
|
||||
restartPolicy: Never
|
||||
{{- with .Values.global.image.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.common.domainCertWatch.podSecurityContextEnabled -}}
|
||||
{{- with .Values.common.domainCertWatch.podSecurityContext }}
|
||||
securityContext:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
schedule: {{ .Values.common.domainCertWatch.schedule | squote }}
|
||||
successfulJobsHistoryLimit: 1
|
||||
suspend: false
|
||||
{{- end }}
|
||||
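Review bot: In the `args` script the new sha is written to the ConfigMap before the two `kubectl rollout restart` calls, and their exit status is never checked before `exit 0`, so a failed restart is never retried: the next run finds matching shas and reports no action needed while envoy and inbound-worker keep serving the old certificate. Restart first, fail the job when either restart fails, and only then record the new sha, as sketched below; a ConfigMap write that fails after a successful restart then costs one extra restart on the next run instead of a missed one. Separately, the sha is taken over the secret's whole `.data`, which presumably includes the private key, so key material sits in a shell variable and a digest of it lands in the job log and the ConfigMap; hashing only the certificate field would normally detect the same rotation with less exposure.

```yaml
# … unchanged: secret fetch, sha computation and comparison with stored_sha …
if [[ "$stored_sha" != "UNINITIALIZED" ]]; then
  echo "The domain-certificate secret has changed, rolling envoy and inbound-worker deployments";
  # Fail the job (and leave the stored sha untouched) if either restart fails,
  # so the next scheduled run sees the mismatch again and retries.
  kubectl rollout restart deployment -l dplane=envoy || exit 1;
  kubectl rollout restart deployment -l dplane=inbound-worker || exit 1;
fi
# Record the new sha only after the restarts were accepted.
if kubectl create configmap $cm_name --from-literal=sha="$dc_sha" -o yaml --dry-run=client | kubectl apply -f -; then
  echo "Updated configmap $cm_name with new sha - $dc_sha";
  exit 0;
else
# … unchanged: "Failed to update configmap" branch and the outer else/fi chain …
```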