
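{{ if and .Values.enterprise.provisioner.enabled .Values.enterprise.enabled }}
{{- /*
Post-install hook Job that provisions tenants on the enterprise (GEL) cluster.

Two stages, ordered by Kubernetes init-container semantics:
  1. init container "provisioner" runs enterprise-logs-provisioner once per
     entry of .Values.enterprise.provisioner.additionalTenants (and once for
     .Values.monitoring.selfMonitoring.tenant, when set), requesting a tenant
     ("-instance"), read/write access policies and matching tokens. The admin
     token Secret is mounted at /bootstrap/token; the tokens the provisioner
     produces are written as files into the shared /bootstrap emptyDir.
  2. container "create-secret" turns those token files into Kubernetes
     Secrets with kubectl, using the RBAC of the provisioner ServiceAccount.

Notes:
  - .secretNamespace of an additionalTenants entry is used verbatim, whereas
    the self-monitoring tenant's value is rendered with tpl first.
  - No helm.sh/hook-delete-policy is set, so the completed Job (and its pod
    logs) stays in the namespace until removed manually.
*/}}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ template "enterprise-logs.provisionerFullname" . }}
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "enterprise-logs.provisionerLabels" . | nindent 4 }}
    {{- with .Values.enterprise.provisioner.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  annotations:
    {{- with .Values.enterprise.provisioner.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- /* Runs once after install, after any post-install hooks with a lower weight. */}}
    "helm.sh/hook": post-install
    "helm.sh/hook-weight": "15"
spec:
  {{- /* Single run; the pod is retried up to 6 times before the hook, and with it the install, fails. */}}
  backoffLimit: 6
  completions: 1
  parallelism: 1
  template:
    metadata:
      labels:
        {{- include "enterprise-logs.provisionerSelectorLabels" . | nindent 8 }}
        {{- with .Values.enterprise.provisioner.labels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.enterprise.provisioner.annotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    spec:
      {{- with .Values.enterprise.provisioner.priorityClassName }}
      priorityClassName: {{ . }}
      {{- end }}
      {{- /* Pod-level securityContext only: neither container below sets its own (e.g. allowPrivilegeEscalation, readOnlyRootFilesystem). */}}
      securityContext:
        {{- toYaml .Values.enterprise.provisioner.securityContext | nindent 8 }}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      initContainers:
        - name: provisioner
          image: {{ template "enterprise-logs.provisionerImage" . }}
          imagePullPolicy: {{ .Values.enterprise.provisioner.image.pullPolicy }}
          command:
            - /bin/sh
            - -exuc
            - |
              # xtrace (-x) is acceptable here: the arguments below carry only
              # tenant/policy/token *names*; the admin token is only mounted as a
              # file at /bootstrap/token and never appears on the command line.
              {{- range .Values.enterprise.provisioner.additionalTenants }}
              /usr/bin/enterprise-logs-provisioner \
                -bootstrap-path=/bootstrap \
                -cluster-name={{ include "loki.clusterName" $ }} \
                -gel-url={{ include "loki.address" $ }} \
                -instance={{ .name }} \
                -access-policy=write-{{ .name }}:{{ .name }}:logs:write \
                -access-policy=read-{{ .name }}:{{ .name }}:logs:read \
                -token=write-{{ .name }} \
                -token=read-{{ .name }}
              {{- end -}}
              {{- with .Values.monitoring.selfMonitoring.tenant }}
              /usr/bin/enterprise-logs-provisioner \
                -bootstrap-path=/bootstrap \
                -cluster-name={{ include "loki.clusterName" $ }} \
                -gel-url={{ include "loki.address" $ }} \
                -instance={{ .name }} \
                -access-policy=self-monitoring:{{ .name }}:logs:write,logs:read \
                -token=self-monitoring
              {{- end }}
          volumeMounts:
            {{- with .Values.enterprise.provisioner.extraVolumeMounts }}
            {{ toYaml . | nindent 12 }}
            {{- end }}
            - name: bootstrap
              mountPath: /bootstrap
            - name: admin-token
              mountPath: /bootstrap/token
              subPath: token
          {{- with .Values.enterprise.provisioner.env }}
          env:
            {{ toYaml . | nindent 12 }}
          {{- end }}
      containers:
        - name: create-secret
          image: {{ include "loki.kubectlImage" . }}
          imagePullPolicy: {{ .Values.kubectlImage.pullPolicy }}
          command:
            - /bin/bash
            - -euc
            - |
              # Deliberately NO -x here: the kubectl invocations below expand the
              # freshly provisioned tokens into their arguments, and bash xtrace
              # would echo every expanded command line -- tokens included -- into
              # the container log.
              #
              # When the admin resources already exist, the provisioner does not
              # write token files into /bootstrap, so a Secret is only created when
              # its token file is present and non-empty. The
              #   ! test -s FILE || kubectl ...
              # form exits 0 when the file is absent; with -e, a failing kubectl
              # (e.g. the Secret already exists) still aborts the script and fails
              # the pod, which the Job then retries.
              {{- range .Values.enterprise.provisioner.additionalTenants }}
              ! test -s /bootstrap/token-write-{{ .name }} || \
                kubectl --namespace "{{ .secretNamespace }}" create secret generic "{{ include "enterprise-logs.provisionedSecretPrefix" $ }}-{{ .name }}" \
                  --from-literal=token-write="$(cat /bootstrap/token-write-{{ .name }})" \
                  --from-literal=token-read="$(cat /bootstrap/token-read-{{ .name }})"
              {{- end }}
              {{- $namespace := $.Release.Namespace }}
              {{- with .Values.monitoring.selfMonitoring.tenant }}
              {{- $secretNamespace := tpl .secretNamespace $ }}
              # The self-monitoring Secret is always created in the release
              # namespace and, when it differs, once more in .secretNamespace.
              ! test -s /bootstrap/token-self-monitoring || \
                kubectl --namespace "{{ $namespace }}" create secret generic "{{ include "enterprise-logs.selfMonitoringTenantSecret" $ }}" \
                  --from-literal=username="{{ .name }}" \
                  --from-literal=password="$(cat /bootstrap/token-self-monitoring)"
              {{- if not (eq $secretNamespace $namespace) }}
              ! test -s /bootstrap/token-self-monitoring || \
                kubectl --namespace "{{ $secretNamespace }}" create secret generic "{{ include "enterprise-logs.selfMonitoringTenantSecret" $ }}" \
                  --from-literal=username="{{ .name }}" \
                  --from-literal=password="$(cat /bootstrap/token-self-monitoring)"
              {{- end }}
              {{- end }}
          volumeMounts:
            {{- with .Values.enterprise.provisioner.extraVolumeMounts }}
            {{ toYaml . | nindent 12 }}
            {{- end }}
            - name: bootstrap
              mountPath: /bootstrap
      {{- with .Values.enterprise.provisioner.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.enterprise.provisioner.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.enterprise.provisioner.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      restartPolicy: OnFailure
      serviceAccount: {{ include "enterprise-logs.provisionerFullname" . }}
      serviceAccountName: {{ include "enterprise-logs.provisionerFullname" . }}
      volumes:
        {{- /* Admin token Secret, mounted at /bootstrap/token in the init container only. */}}
        - name: admin-token
          secret:
            secretName: "{{ include "enterprise-logs.adminTokenSecret" . }}"
        {{- /* Scratch space shared by both containers: the provisioner drops token files here, create-secret reads them. Lives only as long as the pod. */}}
        - name: bootstrap
          emptyDir: {}
{{- end }}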