blob: f77a8ec8ba38155bb3284657db6fc8be961afe4f [file] [log] [blame]
{{/*
# Copyright (C) 2021 Wipro Limited.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "common.fullname" . }}-job
namespace: {{ include "common.namespace" . }}
labels:
app: {{ include "common.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ include "common.release" . }}
heritage: {{ .Release.Service }}
spec:
backoffLimit: {{ .Values.backoffLimit }}
template:
metadata:
annotations:
# Workarround to exclude K8S API from istio communication
# as init-container (readinessCheck) does not work with the
# Istio CNI plugin, see:
# (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers)
traffic.sidecar.istio.io/excludeOutboundPorts: "443"
labels:
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
initContainers:
- name: {{ include "common.name" . }}-readiness
command:
- /app/ready.py
args:
- --service-name
- {{ .Values.etcd.serviceName }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
image: {{ include "repositoryGenerator.image.readiness" . }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
resources:
limits:
cpu: "100m"
memory: "500Mi"
requests:
cpu: "3m"
memory: "20Mi"
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
- /bin/sh
- -ec
- |
{{- if include "common.onServiceMesh" . }}
echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }}
# Create users
export ETCDCTL_ENDPOINTS=http://${ETCD_HOST}:${ETCD_PORT}
export ETCDCTL_API=3
echo "${ROOT_PASSWORD}" | etcdctl user add root --interactive=false
echo "${APP_PASSWORD}" | etcdctl user add ${APP_USER} --interactive=false
# Create roles
etcdctl role add ${APP_ROLE}
etcdctl role grant-permission ${APP_ROLE} --prefix=true readwrite ${KEY_PREFIX}
etcdctl user grant-role ${APP_USER} ${APP_ROLE}
etcdctl auth enable
env:
- name: ALLOW_NONE_AUTHENTICATION
value: "yes"
- name: ETCD_HOST
value: "{{ .Values.etcd.serviceName }}.{{ include "common.namespace" . }}"
- name: ETCD_PORT
value: "{{ .Values.etcd.port }}"
- name: ROOT_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-password" "key" "password" ) | indent 10 }}
- name: APP_USER
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-creds" "key" "login") | indent 10 }}
- name: APP_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-creds" "key" "password") | indent 10 }}
- name: APP_ROLE
value: "{{ .Values.config.appRole }}"
- name: KEY_PREFIX
value: "{{ .Values.config.keyPrefix }}"
volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
resources: {{ include "common.resources" . | nindent 10 }}
{{ include "common.waitForJobContainer" . | indent 6 | trim }}
{{- if .Values.nodeSelector }}
nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }}
{{- end -}}
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 10 }}
{{- end }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
volumes:
- name: localtime
hostPath:
path: /etc/localtime
restartPolicy: Never
{{- include "common.imagePullSecrets" . | nindent 6 }}