{{ if and .Values.enterprise.tokengen.enabled .Values.enterprise.enabled }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ template "enterprise-logs.tokengenFullname" . }}
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "enterprise-logs.tokengenLabels" . | nindent 4 }}
    {{- with .Values.enterprise.tokengen.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    {{- with .Values.enterprise.tokengen.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    "helm.sh/hook": post-install
    "helm.sh/hook-weight": "10"
spec:
  backoffLimit: 6
  completions: 1
  parallelism: 1
  template:
    metadata:
      labels:
        {{- include "enterprise-logs.tokengenSelectorLabels" . | nindent 8 }}
        {{- with .Values.enterprise.tokengen.labels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      annotations:
        {{- with .Values.enterprise.tokengen.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      {{- with .Values.enterprise.tokengen.priorityClassName }}
      priorityClassName: {{ . }}
      {{- end }}
      securityContext:
        {{- toYaml .Values.enterprise.tokengen.securityContext | nindent 8 }}
      {{- if .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml .Values.imagePullSecrets | nindent 8 }}
      {{- end }}
      initContainers:
        - name: loki
          image: {{ template "loki.image" . }}
          imagePullPolicy: {{ .Values.loki.image.pullPolicy }}
          args:
            # The shared emptyDir exists only while the job is running, and is deleted once the job is completed.
            # The tokengen generates a new admin token in case the 'token-file' file doesn't exist.
            # As a result, subsequent executions of this tokengen job will generate new admin tokens.
            # Note that previously generated tokens remain valid, as these remain present in the object storage.
            - -config.file=/etc/loki/config/config.yaml
            - -target={{ .Values.enterprise.tokengen.targetModule }}
            - -tokengen.token-file=/shared/admin-token
            {{- with .Values.enterprise.tokengen.extraArgs }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
          volumeMounts:
            {{- if .Values.enterprise.tokengen.extraVolumeMounts }}
              {{ toYaml .Values.enterprise.tokengen.extraVolumeMounts | nindent 12 }}
            {{- end }}
            - name: shared
              mountPath: /shared
            - name: config
              mountPath: /etc/loki/config
            - name: runtime-config
              mountPath: /etc/loki/runtime-config
            - name: license
              mountPath: /etc/loki/license
          env:
            {{- if .Values.enterprise.tokengen.env }}
              {{ toYaml .Values.enterprise.tokengen.env | nindent 12 }}
            {{- end }}
          {{- with .Values.enterprise.tokengen.extraEnvFrom }}
          envFrom:
            {{- toYaml . | nindent 12 }}
          {{- end }}
      containers:
        - name: create-secret
          image: {{ include "loki.kubectlImage" . }}
          imagePullPolicy: {{ .Values.kubectlImage.pullPolicy }}
          command:
            - /bin/bash
            - -euc
            - |
              # Create or update admin token secrets generated by tokengen job
              kubectl create secret generic "{{ include "enterprise-logs.adminTokenSecret" . }}" \
                --from-file=token=/shared/admin-token \
                --dry-run=client -o yaml \
                | kubectl apply -f -
              {{- with .Values.enterprise.adminToken.additionalNamespaces }}
              {{- range . }}
              kubectl --namespace "{{ . }}" create secret generic "{{ include "enterprise-logs.adminTokenSecret" $ }}" \
                --from-file=token=/shared/admin-token \
                --dry-run=client -o yaml \
                | kubectl apply -f -
              {{- end }}
              {{- end }}
          volumeMounts:
            {{- if .Values.enterprise.tokengen.extraVolumeMounts }}
              {{ toYaml .Values.enterprise.tokengen.extraVolumeMounts | nindent 12 }}
            {{- end }}
            - name: shared
              mountPath: /shared
            - name: config
              mountPath: /etc/loki/config
            - name: license
              mountPath: /etc/loki/license
      restartPolicy: OnFailure
      serviceAccount: {{ template "enterprise-logs.tokengenFullname" . }}
      serviceAccountName: {{ template "enterprise-logs.tokengenFullname" . }}
      {{- with .Values.enterprise.tokengen.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.enterprise.tokengen.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.enterprise.tokengen.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      volumes:
        - name: config
          {{- include "loki.configVolume" . | nindent 10 }}
        - name: runtime-config
          configMap:
            name: {{ template "loki.name" . }}-runtime
        - name: license
          secret:
          {{- if .Values.enterprise.useExternalLicense }}
            secretName: {{ .Values.enterprise.externalLicenseName }}
          {{- else }}
            secretName: enterprise-logs-license
          {{- end }}
        - name: shared
          emptyDir: {}
        {{- if .Values.enterprise.tokengen.extraVolumes }}
        {{ toYaml .Values.enterprise.tokengen.extraVolumes | nindent 8 }}
        {{- end }}
{{- end }}