| {{/* |
| # Copyright (C) 2021 Wipro Limited. |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| */}} |
| apiVersion: batch/v1 |
| kind: Job |
| metadata: |
| name: {{ include "common.fullname" . }}-job |
| namespace: {{ include "common.namespace" . }} |
| labels: |
| app: {{ include "common.name" . }} |
| chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} |
| release: {{ include "common.release" . }} |
| heritage: {{ .Release.Service }} |
| spec: |
| backoffLimit: {{ .Values.backoffLimit }} |
| template: |
| metadata: |
| annotations: |
| # Workarround to exclude K8S API from istio communication |
| # as init-container (readinessCheck) does not work with the |
| # Istio CNI plugin, see: |
| # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) |
| traffic.sidecar.istio.io/excludeOutboundPorts: "443" |
| labels: |
| app: {{ include "common.name" . }} |
| release: {{ include "common.release" . }} |
| name: {{ include "common.name" . }} |
| spec: |
| initContainers: |
| - name: {{ include "common.name" . }}-readiness |
| command: |
| - /app/ready.py |
| args: |
| - --service-name |
| - {{ .Values.etcd.serviceName }} |
| env: |
| - name: NAMESPACE |
| valueFrom: |
| fieldRef: |
| apiVersion: v1 |
| fieldPath: metadata.namespace |
| image: {{ include "repositoryGenerator.image.readiness" . }} |
| imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} |
| resources: |
| limits: |
| cpu: "100m" |
| memory: "500Mi" |
| requests: |
| cpu: "3m" |
| memory: "20Mi" |
| containers: |
| - name: {{ include "common.name" . }} |
| image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} |
| imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} |
| command: |
| - /bin/sh |
| - -ec |
| - | |
| {{- if include "common.onServiceMesh" . }} |
| echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} |
| # Create users |
| export ETCDCTL_ENDPOINTS=http://${ETCD_HOST}:${ETCD_PORT} |
| export ETCDCTL_API=3 |
| echo "${ROOT_PASSWORD}" | etcdctl user add root --interactive=false |
| echo "${APP_PASSWORD}" | etcdctl user add ${APP_USER} --interactive=false |
| |
| # Create roles |
| etcdctl role add ${APP_ROLE} |
| etcdctl role grant-permission ${APP_ROLE} --prefix=true readwrite ${KEY_PREFIX} |
| |
| etcdctl user grant-role ${APP_USER} ${APP_ROLE} |
| etcdctl auth enable |
| env: |
| - name: ALLOW_NONE_AUTHENTICATION |
| value: "yes" |
| - name: ETCD_HOST |
| value: "{{ .Values.etcd.serviceName }}.{{ include "common.namespace" . }}" |
| - name: ETCD_PORT |
| value: "{{ .Values.etcd.port }}" |
| - name: ROOT_PASSWORD |
| {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-password" "key" "password" ) | indent 10 }} |
| - name: APP_USER |
| {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-creds" "key" "login") | indent 10 }} |
| - name: APP_PASSWORD |
| {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-creds" "key" "password") | indent 10 }} |
| - name: APP_ROLE |
| value: "{{ .Values.config.appRole }}" |
| - name: KEY_PREFIX |
| value: "{{ .Values.config.keyPrefix }}" |
| volumeMounts: |
| - mountPath: /etc/localtime |
| name: localtime |
| readOnly: true |
| resources: {{ include "common.resources" . | nindent 10 }} |
| {{ include "common.waitForJobContainer" . | indent 6 | trim }} |
| {{- if .Values.nodeSelector }} |
| nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} |
| {{- end -}} |
| {{- if .Values.affinity }} |
| affinity: {{ toYaml .Values.affinity | nindent 10 }} |
| {{- end }} |
| serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} |
| volumes: |
| - name: localtime |
| hostPath: |
| path: /etc/localtime |
| restartPolicy: Never |
| {{- include "common.imagePullSecrets" . | nindent 6 }} |