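{{- if .Values.common.domainCertWatch.enabled -}}
# CronJob that watches the `domain-certificate` Secret for changes.
# Each run hashes the Secret's data, compares the digest with the value stored
# under `sha` in a ConfigMap named after this app, and on a change records the
# new digest and restarts the envoy and inbound-worker Deployments.
#
# NOTE(review): the job's service account must be able to read the Secret
# (all of its keys, presumably including the private key), write the ConfigMap
# and restart Deployments. The RBAC objects are not part of this template;
# confirm they are limited to these resources in this namespace.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: {{ template "domainCertWatch.appName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    dplane: "domain-cert-watch-job"
spec:
  # Forbid overlapping runs so two jobs never race on the ConfigMap update.
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      ttlSecondsAfterFinished: {{ .Values.common.domainCertWatch.job_ttl }}
      template:
        metadata:
          labels:
            dplane: "domain-cert-watch-job"
        spec:
          serviceAccountName: {{ include "domainCertWatch.serviceAccountName" . }}
          containers:
            - image: "{{ default .Values.global.image.repository .Values.global.alpinetools.image.repository }}/{{ .Values.global.alpinetools.image.name }}:{{ .Values.global.alpinetools.image.tag }}"
              imagePullPolicy: {{ .Values.global.image.pullPolicy }}
              command: [ "/bin/sh", "-c" ]
              args:
                - |
                  cm_name={{ template "domainCertWatch.appName" . }}
                  if dcert=$(kubectl get secrets domain-certificate -o jsonpath='{.data}'); then
                    # Hash the exact bytes kubectl returned: the quoted expansion
                    # avoids word splitting and globbing of the secret data.
                    # SHA-1 is only a change marker here, not an integrity control.
                    dc_sha=$(printf '%s' "$dcert" | sha1sum | awk '{print $1}')
                    echo "Generated domain-certificate secret sha - $dc_sha"
                    if dcert_cm=$(kubectl get configmap "$cm_name" -o json); then
                      stored_sha=$(printf '%s' "$dcert_cm" | jq -r .data.sha)
                      echo "Retrieved domain-certificate stored sha - $stored_sha"
                      # POSIX test syntax: the container runs this under /bin/sh.
                      if [ "$stored_sha" = "UNINITIALIZED" ] || [ "$stored_sha" != "$dc_sha" ]; then
                        echo "Stored sha found in configmap $cm_name does not match, updating entry"
                        # Only the exit status of `kubectl apply` decides this branch.
                        if kubectl create configmap "$cm_name" --from-literal=sha="$dc_sha" -o yaml --dry-run=client | kubectl apply -f -; then
                          echo "Updated configmap $cm_name with new sha - $dc_sha"
                          # The first run only seeds the digest; nothing has changed yet.
                          if [ "$stored_sha" != "UNINITIALIZED" ]; then
                            echo "The domain-certificate secret has changed, rolling envoy and inbound-worker deployments"
                            # NOTE(review): the digest is recorded before the restarts
                            # run, so a failed restart is not retried on the next
                            # schedule. The non-zero exit below at least surfaces it.
                            rc=0
                            kubectl rollout restart deployment -l dplane=envoy || rc=1
                            kubectl rollout restart deployment -l dplane=inbound-worker || rc=1
                            if [ "$rc" -ne 0 ]; then
                              echo "Failed to restart one or more deployments"
                              exit 1
                            fi
                          fi
                          exit 0
                        else
                          echo "Failed to update configmap $cm_name"
                          exit 1
                        fi
                      else
                        echo "The secret domain-certificate has not changed, no action needed"
                        exit 0
                      fi
                    else
                      echo "Failed to retrieve stored domain-certificate sha"
                      exit 1
                    fi
                  else
                    echo "Could not get the secret domain-certificate"
                    exit 1
                  fi
              name: domain-cert-watch
              # Container hardening comes entirely from values; when the value
              # is empty no securityContext is rendered for this container.
              {{- with .Values.common.domainCertWatch.securityContext }}
              securityContext:
                {{- toYaml . | nindent 16 }}
              {{- end }}
          restartPolicy: Never
          {{- with .Values.global.image.imagePullSecrets }}
          imagePullSecrets:
            {{- toYaml . | nindent 10 }}
          {{- end }}
          # Pod-level securityContext is rendered only when explicitly enabled
          # and a non-empty value is supplied.
          {{- if .Values.common.domainCertWatch.podSecurityContextEnabled -}}
          {{- with .Values.common.domainCertWatch.podSecurityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- end }}
  schedule: {{ .Values.common.domainCertWatch.schedule | squote }}
  successfulJobsHistoryLimit: 1
  suspend: false
{{- end }}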