118 lines
5.9 KiB
YAML
118 lines
5.9 KiB
YAML
|
{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
|
||
|
{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled) (ne .Values.global.adminPartitions.name "default")) }}
|
||
|
{{- template "consul.reservedNamesFailer" (list .Values.global.adminPartitions.name "global.adminPartitions.name") }}
|
||
|
{{- if and (not .Values.externalServers.enabled) (ne .Values.global.adminPartitions.name "default") }}{{ fail "externalServers.enabled needs to be true and configured to create a non-default partition." }}{{ end -}}
|
||
|
{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.manageSystemACLs (not .Values.global.secretsBackend.vault.adminPartitionsRole) }}{{ fail "global.secretsBackend.vault.adminPartitionsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true." }}{{ end -}}
|
||
|
{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
|
||
|
apiVersion: batch/v1
|
||
|
kind: Job
|
||
|
metadata:
|
||
|
name: {{ template "consul.fullname" . }}-partition-init
|
||
|
namespace: {{ .Release.Namespace }}
|
||
|
labels:
|
||
|
app: {{ template "consul.name" . }}
|
||
|
chart: {{ template "consul.chart" . }}
|
||
|
heritage: {{ .Release.Service }}
|
||
|
release: {{ .Release.Name }}
|
||
|
component: partition-init
|
||
|
annotations:
|
||
|
"helm.sh/hook": pre-install
|
||
|
"helm.sh/hook-weight": "2"
|
||
|
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
|
||
|
spec:
|
||
|
template:
|
||
|
metadata:
|
||
|
name: {{ template "consul.fullname" . }}-partition-init
|
||
|
labels:
|
||
|
app: {{ template "consul.name" . }}
|
||
|
chart: {{ template "consul.chart" . }}
|
||
|
release: {{ .Release.Name }}
|
||
|
component: partition-init
|
||
|
annotations:
|
||
|
"consul.hashicorp.com/connect-inject": "false"
|
||
|
{{- if (and .Values.global.secretsBackend.vault.enabled (or .Values.global.tls.enabled .Values.global.acls.manageSystemACLs)) }}
|
||
|
"vault.hashicorp.com/agent-pre-populate-only": "true"
|
||
|
"vault.hashicorp.com/agent-inject": "true"
|
||
|
{{- if .Values.global.acls.manageSystemACLs }}
|
||
|
"vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.adminPartitionsRole }}
|
||
|
{{- if .Values.global.acls.bootstrapToken.secretName }}
|
||
|
{{- with .Values.global.acls.bootstrapToken }}
|
||
|
"vault.hashicorp.com/agent-inject-secret-bootstrap-token": "{{ .secretName }}"
|
||
|
"vault.hashicorp.com/agent-inject-template-bootstrap-token": {{ template "consul.vaultSecretTemplate" . }}
|
||
|
{{- end }}
|
||
|
{{- end }}
|
||
|
{{- else }}
|
||
|
"vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
|
||
|
{{- end }}
|
||
|
"vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
|
||
|
"vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
|
||
|
{{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
|
||
|
"vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
|
||
|
"vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}"
|
||
|
{{- end }}
|
||
|
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
|
||
|
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
|
||
|
{{- end }}
|
||
|
{{- end }}
|
||
|
spec:
|
||
|
restartPolicy: Never
|
||
|
serviceAccountName: {{ template "consul.fullname" . }}-partition-init
|
||
|
{{- if .Values.global.tls.enabled }}
|
||
|
{{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }}
|
||
|
volumes:
|
||
|
- name: consul-ca-cert
|
||
|
secret:
|
||
|
{{- if .Values.global.tls.caCert.secretName }}
|
||
|
secretName: {{ .Values.global.tls.caCert.secretName }}
|
||
|
{{- else }}
|
||
|
secretName: {{ template "consul.fullname" . }}-ca-cert
|
||
|
{{- end }}
|
||
|
items:
|
||
|
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
|
||
|
path: tls.crt
|
||
|
{{- end }}
|
||
|
{{- end }}
|
||
|
containers:
|
||
|
- name: partition-init-job
|
||
|
image: {{ .Values.global.imageK8S }}
|
||
|
env:
|
||
|
{{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }}
|
||
|
{{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }}
|
||
|
{{- if .Values.global.secretsBackend.vault.enabled }}
|
||
|
- name: CONSUL_ACL_TOKEN_FILE
|
||
|
value: /vault/secrets/bootstrap-token
|
||
|
{{- else }}
|
||
|
- name: CONSUL_ACL_TOKEN
|
||
|
valueFrom:
|
||
|
secretKeyRef:
|
||
|
name: {{ .Values.global.acls.bootstrapToken.secretName }}
|
||
|
key: {{ .Values.global.acls.bootstrapToken.secretKey }}
|
||
|
{{- end }}
|
||
|
{{- end }}
|
||
|
{{- if .Values.global.tls.enabled }}
|
||
|
{{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }}
|
||
|
volumeMounts:
|
||
|
- name: consul-ca-cert
|
||
|
mountPath: /consul/tls/ca
|
||
|
readOnly: true
|
||
|
{{- end }}
|
||
|
{{- end }}
|
||
|
command:
|
||
|
- "/bin/sh"
|
||
|
- "-ec"
|
||
|
- |
|
||
|
consul-k8s-control-plane partition-init \
|
||
|
-log-level={{ .Values.global.logLevel }} \
|
||
|
-log-json={{ .Values.global.logJSON }} \
|
||
|
{{- if .Values.global.cloud.enabled }}
|
||
|
-tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \
|
||
|
{{- end }}
|
||
|
resources:
|
||
|
requests:
|
||
|
memory: "50Mi"
|
||
|
cpu: "50m"
|
||
|
limits:
|
||
|
memory: "50Mi"
|
||
|
cpu: "50m"
|
||
|
{{- end }}
|