oc-k8s/opencloud/charts/loki/templates/provisioner/job-provisioner.yaml

{{ if and .Values.enterprise.provisioner.enabled .Values.enterprise.enabled }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ template "enterprise-logs.provisionerFullname" . }}
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "enterprise-logs.provisionerLabels" . | nindent 4 }}
    {{- with .Values.enterprise.provisioner.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    {{- with .Values.enterprise.provisioner.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    "helm.sh/hook": post-install
    "helm.sh/hook-weight": "15"
spec:
  backoffLimit: 6
  completions: 1
  parallelism: 1
  template:
    metadata:
      labels:
        {{- include "enterprise-logs.provisionerSelectorLabels" . | nindent 8 }}
        {{- with .Values.enterprise.provisioner.labels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.enterprise.provisioner.annotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    spec:
      {{- with .Values.enterprise.provisioner.priorityClassName }}
      priorityClassName: {{ . }}
      {{- end }}
      securityContext:
        {{- toYaml .Values.enterprise.provisioner.securityContext | nindent 8 }}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      initContainers:
        - name: provisioner
          image: {{ template "enterprise-logs.provisionerImage" . }}
          imagePullPolicy: {{ .Values.enterprise.provisioner.image.pullPolicy }}
          command:
            - /bin/sh
            - -exuc
            - |
              {{- range .Values.enterprise.provisioner.additionalTenants }}
              /usr/bin/enterprise-logs-provisioner \
                -bootstrap-path=/bootstrap \
                -cluster-name={{ include "loki.clusterName" $ }} \
                -gel-url={{ include "loki.address" $ }} \
                -instance={{ .name }} \
                -access-policy=write-{{ .name }}:{{ .name }}:logs:write \
                -access-policy=read-{{ .name }}:{{ .name }}:logs:read \
                -token=write-{{ .name }} \
                -token=read-{{ .name }}
              {{- end -}}

              {{- with .Values.monitoring.selfMonitoring.tenant }}
              /usr/bin/enterprise-logs-provisioner \
                -bootstrap-path=/bootstrap \
                -cluster-name={{ include "loki.clusterName" $ }} \
                -gel-url={{ include "loki.address" $ }} \
                -instance={{ .name }} \
                -access-policy=self-monitoring:{{ .name }}:logs:write,logs:read \
                -token=self-monitoring
              {{- end }}
          volumeMounts:
            {{- with .Values.enterprise.provisioner.extraVolumeMounts }}
              {{ toYaml . | nindent 12 }}
            {{- end }}
            - name: bootstrap
              mountPath: /bootstrap
            - name: admin-token
              mountPath: /bootstrap/token
              subPath: token
          {{- with .Values.enterprise.provisioner.env }}
          env:
            {{ toYaml . | nindent 12 }}
          {{- end }}
      containers:
        - name: create-secret
          image: {{ include "loki.kubectlImage" . }}
          imagePullPolicy: {{ .Values.kubectlImage.pullPolicy }}
          command:
            - /bin/bash
            - -exuc
            - |
              # In case, the admin resources have already been created, the provisioner job
              # does not write the token files to the bootstrap mount.
              # Therefore, secrets are only created if the respective token files exist.
              # Note: the following bash commands should always return a success status code. 
              # Therefore, in case the token file does not exist, the first clause of the 
              # or-operation is successful.
              {{- range .Values.enterprise.provisioner.additionalTenants }}
              ! test -s /bootstrap/token-write-{{ .name }} || \
                kubectl --namespace "{{ .secretNamespace }}" create secret generic "{{ include "enterprise-logs.provisionedSecretPrefix" $ }}-{{ .name }}" \
                  --from-literal=token-write="$(cat /bootstrap/token-write-{{ .name }})" \
                  --from-literal=token-read="$(cat /bootstrap/token-read-{{ .name }})"
              {{- end }}
              {{- $namespace := $.Release.Namespace }}
              {{- with .Values.monitoring.selfMonitoring.tenant }}
              {{- $secretNamespace := tpl .secretNamespace $ }}
              ! test -s /bootstrap/token-self-monitoring || \
                kubectl --namespace "{{ $namespace }}" create secret generic "{{ include "enterprise-logs.selfMonitoringTenantSecret" $ }}" \
                  --from-literal=username="{{ .name }}" \
                  --from-literal=password="$(cat /bootstrap/token-self-monitoring)"
              {{- if not (eq $secretNamespace $namespace) }}
              ! test -s /bootstrap/token-self-monitoring || \
                kubectl --namespace "{{ $secretNamespace }}" create secret generic "{{ include "enterprise-logs.selfMonitoringTenantSecret" $ }}" \
                  --from-literal=username="{{ .name }}" \
                  --from-literal=password="$(cat /bootstrap/token-self-monitoring)"
              {{- end }}
              {{- end }}
          volumeMounts:
            {{- with .Values.enterprise.provisioner.extraVolumeMounts }}
              {{ toYaml . | nindent 12 }}
            {{- end }}
            - name: bootstrap
              mountPath: /bootstrap
      {{- with .Values.enterprise.provisioner.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.enterprise.provisioner.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.enterprise.provisioner.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      restartPolicy: OnFailure
      serviceAccount: {{ include "enterprise-logs.provisionerFullname" . }}
      serviceAccountName: {{ include "enterprise-logs.provisionerFullname" . }}
      volumes:
        - name: admin-token
          secret:
            secretName: "{{ include "enterprise-logs.adminTokenSecret" . }}"
        - name: bootstrap
          emptyDir: {}
{{- end }}
Adding dependencies, binary autostart 2024-12-16 14:55:43 +01:00			`{{ if and .Values.enterprise.provisioner.enabled .Values.enterprise.enabled }}`
			`---`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
			`name: {{ template "enterprise-logs.provisionerFullname" . }}`
			`namespace: {{ $.Release.Namespace }}`
			`labels:`
			`{{- include "enterprise-logs.provisionerLabels" . \| nindent 4 }}`
			`{{- with .Values.enterprise.provisioner.labels }}`
			`{{- toYaml . \| nindent 4 }}`
			`{{- end }}`
			`annotations:`
			`{{- with .Values.enterprise.provisioner.annotations }}`
			`{{- toYaml . \| nindent 4 }}`
			`{{- end }}`
			`"helm.sh/hook": post-install`
			`"helm.sh/hook-weight": "15"`
			`spec:`
			`backoffLimit: 6`
			`completions: 1`
			`parallelism: 1`
			`template:`
			`metadata:`
			`labels:`
			`{{- include "enterprise-logs.provisionerSelectorLabels" . \| nindent 8 }}`
			`{{- with .Values.enterprise.provisioner.labels }}`
			`{{- toYaml . \| nindent 8 }}`
			`{{- end }}`
			`{{- with .Values.enterprise.provisioner.annotations }}`
			`annotations:`
			`{{- toYaml . \| nindent 8 }}`
			`{{- end }}`
			`spec:`
			`{{- with .Values.enterprise.provisioner.priorityClassName }}`
			`priorityClassName: {{ . }}`
			`{{- end }}`
			`securityContext:`
			`{{- toYaml .Values.enterprise.provisioner.securityContext \| nindent 8 }}`
			`{{- with .Values.imagePullSecrets }}`
			`imagePullSecrets:`
			`{{- toYaml . \| nindent 8 }}`
			`{{- end }}`
			`initContainers:`
			`- name: provisioner`
			`image: {{ template "enterprise-logs.provisionerImage" . }}`
			`imagePullPolicy: {{ .Values.enterprise.provisioner.image.pullPolicy }}`
			`command:`
			`- /bin/sh`
			`- -exuc`
			`- \|`
			`{{- range .Values.enterprise.provisioner.additionalTenants }}`
			`/usr/bin/enterprise-logs-provisioner \`
			`-bootstrap-path=/bootstrap \`
			`-cluster-name={{ include "loki.clusterName" $ }} \`
			`-gel-url={{ include "loki.address" $ }} \`
			`-instance={{ .name }} \`
			`-access-policy=write-{{ .name }}:{{ .name }}:logs:write \`
			`-access-policy=read-{{ .name }}:{{ .name }}:logs:read \`
			`-token=write-{{ .name }} \`
			`-token=read-{{ .name }}`
			`{{- end -}}`

			`{{- with .Values.monitoring.selfMonitoring.tenant }}`
			`/usr/bin/enterprise-logs-provisioner \`
			`-bootstrap-path=/bootstrap \`
			`-cluster-name={{ include "loki.clusterName" $ }} \`
			`-gel-url={{ include "loki.address" $ }} \`
			`-instance={{ .name }} \`
			`-access-policy=self-monitoring:{{ .name }}:logs:write,logs:read \`
			`-token=self-monitoring`
			`{{- end }}`
			`volumeMounts:`
			`{{- with .Values.enterprise.provisioner.extraVolumeMounts }}`
			`{{ toYaml . \| nindent 12 }}`
			`{{- end }}`
			`- name: bootstrap`
			`mountPath: /bootstrap`
			`- name: admin-token`
			`mountPath: /bootstrap/token`
			`subPath: token`
			`{{- with .Values.enterprise.provisioner.env }}`
			`env:`
			`{{ toYaml . \| nindent 12 }}`
			`{{- end }}`
			`containers:`
			`- name: create-secret`
			`image: {{ include "loki.kubectlImage" . }}`
			`imagePullPolicy: {{ .Values.kubectlImage.pullPolicy }}`
			`command:`
			`- /bin/bash`
			`- -exuc`
			`- \|`
			`# In case, the admin resources have already been created, the provisioner job`
			`# does not write the token files to the bootstrap mount.`
			`# Therefore, secrets are only created if the respective token files exist.`
			`# Note: the following bash commands should always return a success status code.`
			`# Therefore, in case the token file does not exist, the first clause of the`
			`# or-operation is successful.`
			`{{- range .Values.enterprise.provisioner.additionalTenants }}`
			`! test -s /bootstrap/token-write-{{ .name }} \|\| \`
			`kubectl --namespace "{{ .secretNamespace }}" create secret generic "{{ include "enterprise-logs.provisionedSecretPrefix" $ }}-{{ .name }}" \`
			`--from-literal=token-write="$(cat /bootstrap/token-write-{{ .name }})" \`
			`--from-literal=token-read="$(cat /bootstrap/token-read-{{ .name }})"`
			`{{- end }}`
			`{{- $namespace := $.Release.Namespace }}`
			`{{- with .Values.monitoring.selfMonitoring.tenant }}`
			`{{- $secretNamespace := tpl .secretNamespace $ }}`
			`! test -s /bootstrap/token-self-monitoring \|\| \`
			`kubectl --namespace "{{ $namespace }}" create secret generic "{{ include "enterprise-logs.selfMonitoringTenantSecret" $ }}" \`
			`--from-literal=username="{{ .name }}" \`
			`--from-literal=password="$(cat /bootstrap/token-self-monitoring)"`
			`{{- if not (eq $secretNamespace $namespace) }}`
			`! test -s /bootstrap/token-self-monitoring \|\| \`
			`kubectl --namespace "{{ $secretNamespace }}" create secret generic "{{ include "enterprise-logs.selfMonitoringTenantSecret" $ }}" \`
			`--from-literal=username="{{ .name }}" \`
			`--from-literal=password="$(cat /bootstrap/token-self-monitoring)"`
			`{{- end }}`
			`{{- end }}`
			`volumeMounts:`
			`{{- with .Values.enterprise.provisioner.extraVolumeMounts }}`
			`{{ toYaml . \| nindent 12 }}`
			`{{- end }}`
			`- name: bootstrap`
			`mountPath: /bootstrap`
			`{{- with .Values.enterprise.provisioner.affinity }}`
			`affinity:`
			`{{- toYaml . \| nindent 8 }}`
			`{{- end }}`
			`{{- with .Values.enterprise.provisioner.nodeSelector }}`
			`nodeSelector:`
			`{{- toYaml . \| nindent 8 }}`
			`{{- end }}`
			`{{- with .Values.enterprise.provisioner.tolerations }}`
			`tolerations:`
			`{{- toYaml . \| nindent 8 }}`
			`{{- end }}`
			`restartPolicy: OnFailure`
			`serviceAccount: {{ include "enterprise-logs.provisionerFullname" . }}`
			`serviceAccountName: {{ include "enterprise-logs.provisionerFullname" . }}`
			`volumes:`
			`- name: admin-token`
			`secret:`
			`secretName: "{{ include "enterprise-logs.adminTokenSecret" . }}"`
			`- name: bootstrap`
			`emptyDir: {}`
			`{{- end }}`