{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} {{- if .Values.global.bootstrapACLs }} {{- /* We don't render this job when server.updatePartition > 0 because that means a server rollout is in progress and this job won't complete unless the rollout is finished (which won't happen until the partition is 0). If we ran it in this case, then the job would not complete which would cause the server-acl-init-cleanup hook to run indefinitely which would cause the helm upgrade command to hang. */ -}} {{- if eq (int .Values.server.updatePartition) 0 }} apiVersion: batch/v1 kind: Job metadata: name: {{ template "consul.fullname" . }}-server-acl-init namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} spec: template: metadata: name: {{ template "consul.fullname" . }}-server-acl-init labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} release: {{ .Release.Name }} component: server-acl-init annotations: "consul.hashicorp.com/connect-inject": "false" spec: restartPolicy: Never serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init {{- if .Values.global.tls.enabled }} volumes: - name: consul-ca-cert secret: {{- if .Values.global.tls.caCert.secretName }} secretName: {{ .Values.global.tls.caCert.secretName }} {{- else }} secretName: {{ template "consul.fullname" . }}-ca-cert {{- end }} items: - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} path: tls.crt {{- end }} containers: - name: post-install-job image: {{ .Values.global.imageK8S }} env: - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace {{- if .Values.global.tls.enabled }} volumeMounts: - name: consul-ca-cert mountPath: /consul/tls/ca readOnly: true {{- end }} command: - "/bin/sh" - "-ec" - | consul-k8s server-acl-init \ -server-label-selector=component=server,app={{ template "consul.name" . }},release={{ .Release.Name }} \ -resource-prefix={{ template "consul.fullname" . }} \ -k8s-namespace={{ .Release.Namespace }} \ {{- if .Values.global.tls.enabled }} -use-https \ -consul-ca-cert=/consul/tls/ca/tls.crt \ -consul-tls-server-name=server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }} \ {{- end }} {{- if .Values.syncCatalog.enabled }} -create-sync-token=true \ {{- end }} {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.global.enabled)) }} -allow-dns=true \ {{- end }} {{- if .Values.connectInject.enabled }} -create-inject-auth-method=true \ {{- end }} {{- if .Values.meshGateway.enabled }} -create-mesh-gateway-token=true \ {{- end }} {{- if .Values.connectInject.aclBindingRuleSelector }} -acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \ {{- end }} {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} -create-enterprise-license-token=true \ {{- end }} {{- if .Values.client.snapshotAgent.enabled }} -create-snapshot-agent-token=true \ {{- end }} {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} -create-client-token=false \ {{- end }} {{- if .Values.global.enableConsulNamespaces }} -enable-namespaces=true \ {{- /* syncCatalog must be enabled to set sync flags */}} {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} -consul-sync-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ {{- end }} {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} -enable-sync-k8s-namespace-mirroring=true \ {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} -sync-k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ {{- end }} {{- end }} {{- end }} {{- /* connectInject must be enabled to set inject flags */}} {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} -create-inject-namespace-token=true \ {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} -consul-inject-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ {{- end }} {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} -enable-inject-k8s-namespace-mirroring=true \ {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} -inject-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ {{- end }} {{- end }} {{- end }} {{- end }} -expected-replicas={{ .Values.server.replicas }} {{- end }} {{- end }} {{- end }}