{{ if and .Values.enterprise.provisioner.enabled .Values.enterprise.enabled }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ template "enterprise-logs.provisionerFullname" . }}
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "enterprise-logs.provisionerLabels" . | nindent 4 }}
    {{- with .Values.enterprise.provisioner.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    {{- with .Values.enterprise.provisioner.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    "helm.sh/hook": post-install
    "helm.sh/hook-weight": "15"
spec:
  backoffLimit: 6
  completions: 1
  parallelism: 1
  template:
    metadata:
      labels:
        {{- include "enterprise-logs.provisionerSelectorLabels" . | nindent 8 }}
        {{- with .Values.enterprise.provisioner.labels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.enterprise.provisioner.annotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    spec:
      {{- with .Values.enterprise.provisioner.priorityClassName }}
      priorityClassName: {{ . }}
      {{- end }}
      securityContext:
        {{- toYaml .Values.enterprise.provisioner.securityContext | nindent 8 }}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      initContainers:
        - name: provisioner
          image: {{ template "enterprise-logs.provisionerImage" . }}
          imagePullPolicy: {{ .Values.enterprise.provisioner.image.pullPolicy }}
          command:
            - /bin/sh
            - -exuc
            - |
              {{- range .Values.enterprise.provisioner.additionalTenants }}
              /usr/bin/enterprise-logs-provisioner \
                -bootstrap-path=/bootstrap \
                -cluster-name={{ include "loki.clusterName" $ }} \
                -gel-url={{ include "loki.address" $ }} \
                -instance={{ .name }} \
                -access-policy=write-{{ .name }}:{{ .name }}:logs:write \
                -access-policy=read-{{ .name }}:{{ .name }}:logs:read \
                -token=write-{{ .name }} \
                -token=read-{{ .name }}
              {{- end -}}

              {{- with .Values.monitoring.selfMonitoring.tenant }}
              /usr/bin/enterprise-logs-provisioner \
                -bootstrap-path=/bootstrap \
                -cluster-name={{ include "loki.clusterName" $ }} \
                -gel-url={{ include "loki.address" $ }} \
                -instance={{ .name }} \
                -access-policy=self-monitoring:{{ .name }}:logs:write,logs:read \
                -token=self-monitoring
              {{- end }}
          volumeMounts:
            {{- with .Values.enterprise.provisioner.extraVolumeMounts }}
              {{ toYaml . | nindent 12 }}
            {{- end }}
            - name: bootstrap
              mountPath: /bootstrap
            - name: admin-token
              mountPath: /bootstrap/token
              subPath: token
          {{- with .Values.enterprise.provisioner.env }}
          env:
            {{ toYaml . | nindent 12 }}
          {{- end }}
      containers:
        - name: create-secret
          image: {{ include "loki.kubectlImage" . }}
          imagePullPolicy: {{ .Values.kubectlImage.pullPolicy }}
          command:
            - /bin/bash
            - -exuc
            - |
              # In case, the admin resources have already been created, the provisioner job
              # does not write the token files to the bootstrap mount.
              # Therefore, secrets are only created if the respective token files exist.
              # Note: the following bash commands should always return a success status code. 
              # Therefore, in case the token file does not exist, the first clause of the 
              # or-operation is successful.
              {{- range .Values.enterprise.provisioner.additionalTenants }}
              ! test -s /bootstrap/token-write-{{ .name }} || \
                kubectl --namespace "{{ .secretNamespace }}" create secret generic "{{ include "enterprise-logs.provisionedSecretPrefix" $ }}-{{ .name }}" \
                  --from-literal=token-write="$(cat /bootstrap/token-write-{{ .name }})" \
                  --from-literal=token-read="$(cat /bootstrap/token-read-{{ .name }})"
              {{- end }}
              {{- $namespace := $.Release.Namespace }}
              {{- with .Values.monitoring.selfMonitoring.tenant }}
              {{- $secretNamespace := tpl .secretNamespace $ }}
              ! test -s /bootstrap/token-self-monitoring || \
                kubectl --namespace "{{ $namespace }}" create secret generic "{{ include "enterprise-logs.selfMonitoringTenantSecret" $ }}" \
                  --from-literal=username="{{ .name }}" \
                  --from-literal=password="$(cat /bootstrap/token-self-monitoring)"
              {{- if not (eq $secretNamespace $namespace) }}
              ! test -s /bootstrap/token-self-monitoring || \
                kubectl --namespace "{{ $secretNamespace }}" create secret generic "{{ include "enterprise-logs.selfMonitoringTenantSecret" $ }}" \
                  --from-literal=username="{{ .name }}" \
                  --from-literal=password="$(cat /bootstrap/token-self-monitoring)"
              {{- end }}
              {{- end }}
          volumeMounts:
            {{- with .Values.enterprise.provisioner.extraVolumeMounts }}
              {{ toYaml . | nindent 12 }}
            {{- end }}
            - name: bootstrap
              mountPath: /bootstrap
      {{- with .Values.enterprise.provisioner.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.enterprise.provisioner.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.enterprise.provisioner.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      restartPolicy: OnFailure
      serviceAccount: {{ include "enterprise-logs.provisionerFullname" . }}
      serviceAccountName: {{ include "enterprise-logs.provisionerFullname" . }}
      volumes:
        - name: admin-token
          secret:
            secretName: "{{ include "enterprise-logs.adminTokenSecret" . }}"
        - name: bootstrap
          emptyDir: {}
{{- end }}