47 lines
1.9 KiB
YAML
47 lines
1.9 KiB
YAML
{{- if and .Values.tls.enabled (and .Values.tls.certs.selfSigner.enabled (not .Values.tls.certs.selfSigner.caProvided)) }}
|
|
{{- if .Values.tls.certs.selfSigner.rotateCerts }}
|
|
{{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }}
|
|
apiVersion: batch/v1
|
|
{{- else }}
|
|
apiVersion: batch/v1beta1
|
|
{{- end }}
|
|
kind: CronJob
|
|
metadata:
|
|
name: {{ template "rotatecerts.fullname" . }}
|
|
namespace: {{ .Release.Namespace | quote }}
|
|
labels:
|
|
helm.sh/chart: {{ template "cockroachdb.chart" . }}
|
|
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name | quote }}
|
|
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
|
|
spec:
|
|
schedule: {{ template "selfcerts.caRotateSchedule" . }}
|
|
jobTemplate:
|
|
spec:
|
|
backoffLimit: 1
|
|
template:
|
|
spec:
|
|
restartPolicy: Never
|
|
containers:
|
|
- name: cert-rotate-job
|
|
image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
|
|
imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
|
|
args:
|
|
- rotate
|
|
- --ca
|
|
- --ca-duration={{ .Values.tls.certs.selfSigner.caCertDuration }}
|
|
- --ca-expiry={{ .Values.tls.certs.selfSigner.caCertExpiryWindow }}
|
|
- --ca-cron={{ template "selfcerts.caRotateSchedule" . }}
|
|
- --readiness-wait={{ .Values.tls.certs.selfSigner.readinessWait }}
|
|
- --pod-update-timeout={{ .Values.tls.certs.selfSigner.podUpdateTimeout }}
|
|
env:
|
|
- name: STATEFULSET_NAME
|
|
value: {{ template "cockroachdb.fullname" . }}
|
|
- name: NAMESPACE
|
|
value: {{ .Release.Namespace }}
|
|
- name: CLUSTER_DOMAIN
|
|
value: {{ .Values.clusterDomain}}
|
|
serviceAccountName: {{ template "rotatecerts.fullname" . }}
|
|
{{- end }}
|
|
{{- end }}
|