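{{- /*
Renders the <fullname>-server-acl-init Job, which runs
`consul-k8s server-acl-init` once (restartPolicy: Never) with flags derived
from the chart values below.

The Job is rendered only when all of the following hold:
  - servers are enabled (server.enabled, or global.enabled when it is "-"),
  - global.bootstrapACLs is set,
  - server.updatePartition is 0.
*/ -}}
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
{{- if .Values.global.bootstrapACLs }}
{{- /* We don't render this job when server.updatePartition > 0 because that
    means a server rollout is in progress and this job won't complete unless
    the rollout is finished (which won't happen until the partition is 0).
    If we ran it in this case, then the job would not complete which would cause
    the server-acl-init-cleanup hook to run indefinitely which would cause the
    helm upgrade command to hang.
*/ -}}
{{- if eq (int .Values.server.updatePartition) 0 }}
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ template "consul.fullname" . }}-server-acl-init
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "consul.name" . }}
    chart: {{ template "consul.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  template:
    metadata:
      name: {{ template "consul.fullname" . }}-server-acl-init
      labels:
        app: {{ template "consul.name" . }}
        chart: {{ template "consul.chart" . }}
        release: {{ .Release.Name }}
        component: server-acl-init
      annotations:
        "consul.hashicorp.com/connect-inject": "false"
    spec:
      restartPolicy: Never
      {{- /* NOTE(review): the ServiceAccount and its RBAC are defined outside
          this template; confirm they grant only what this job needs. */}}
      serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init
      {{- if .Values.global.tls.enabled }}
      volumes:
        - name: consul-ca-cert
          secret:
            {{- /* Value-supplied names are quoted so YAML cannot retype them
                (all-digit or boolean-looking strings). */}}
            {{- if .Values.global.tls.caCert.secretName }}
            secretName: {{ .Values.global.tls.caCert.secretName | quote }}
            {{- else }}
            secretName: {{ template "consul.fullname" . }}-ca-cert
            {{- end }}
            items:
              - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey | quote }}
                path: tls.crt
      {{- end }}
      {{- /* NOTE(review): no securityContext or resources are set on this
          container, and the image reference comes straight from values
          (not pinned by digest here); consider tightening both. */}}
      containers:
        - name: post-install-job
          image: {{ .Values.global.imageK8S | quote }}
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          {{- if .Values.global.tls.enabled }}
          volumeMounts:
            - name: consul-ca-cert
              mountPath: /consul/tls/ca
              readOnly: true
          {{- end }}
          {{- /* NOTE(review): the values below are pasted unquoted into a
              `/bin/sh -ec` script. A value containing whitespace or shell
              metacharacters changes the command line of the job that
              bootstraps ACLs, so restrict who can set these values and
              validate them before rendering. */}}
          command:
            - "/bin/sh"
            - "-ec"
            - |
              consul-k8s server-acl-init \
                -server-label-selector=component=server,app={{ template "consul.name" . }},release={{ .Release.Name }} \
                -resource-prefix={{ template "consul.fullname" . }} \
                -k8s-namespace={{ .Release.Namespace }} \
                {{- /* NOTE(review): without global.tls.enabled none of the
                    HTTPS flags are passed; presumably the job then reaches the
                    servers over plain HTTP while handling ACL tokens. Confirm
                    that is acceptable for the cluster. */}}
                {{- if .Values.global.tls.enabled }}
                -use-https \
                -consul-ca-cert=/consul/tls/ca/tls.crt \
                -consul-tls-server-name=server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }} \
                {{- end }}
                {{- /* Same "-"-aware check as the namespace section below, so
                    the inherit marker "-" alone does not mint a sync token
                    when global.enabled is off. */}}
                {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }}
                -create-sync-token=true \
                {{- end }}
                {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.global.enabled)) }}
                -allow-dns=true \
                {{- end }}
                {{- /* Same "-"-aware check as the namespace section below, so
                    the inherit marker "-" alone does not create the inject
                    auth method when global.enabled is off. */}}
                {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
                -create-inject-auth-method=true \
                {{- end }}
                {{- if .Values.meshGateway.enabled }}
                -create-mesh-gateway-token=true \
                {{- end }}
                {{- if .Values.connectInject.aclBindingRuleSelector }}
                -acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \
                {{- end }}
                {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
                -create-enterprise-license-token=true \
                {{- end }}
                {{- if .Values.client.snapshotAgent.enabled }}
                -create-snapshot-agent-token=true \
                {{- end }}
                {{- /* The client token flag is only passed (as false) when
                    clients are disabled. */}}
                {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
                -create-client-token=false \
                {{- end }}
                {{- if .Values.global.enableConsulNamespaces }}
                -enable-namespaces=true \
                {{- /* syncCatalog must be enabled to set sync flags */}}
                {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }}
                {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }}
                -consul-sync-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \
                {{- end }}
                {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }}
                -enable-sync-k8s-namespace-mirroring=true \
                {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }}
                -sync-k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \
                {{- end }}
                {{- end }}
                {{- end }}
                {{- /* connectInject must be enabled to set inject flags */}}
                {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
                -create-inject-namespace-token=true \
                {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }}
                -consul-inject-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \
                {{- end }}
                {{- if .Values.connectInject.consulNamespaces.mirroringK8S }}
                -enable-inject-k8s-namespace-mirroring=true \
                {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}
                -inject-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \
                {{- end }}
                {{- end }}
                {{- end }}
                {{- end }}
                {{- /* Last flag: no trailing backslash. */}}
                -expected-replicas={{ .Values.server.replicas }}
{{- end }}
{{- end }}
{{- end }}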