helm/matrix/dendrite/templates/jobs.yaml

{{ if and .Values.signing_key.create (not .Values.signing_key.existingSecret ) }}
{{ $name := (print ( include "dendrite.fullname" . ) "-signing-key") }}
{{ $secretName := (print ( include "dendrite.fullname" . ) "-signing-key") }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ $name }}
  labels:
    app.kubernetes.io/component: signingkey-job
    {{- include "dendrite.labels" . | nindent 4 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $name }}
  labels:
    app.kubernetes.io/component: signingkey-job
    {{- include "dendrite.labels" . | nindent 4 }}
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - {{ $secretName }}
    verbs:
      - get
      - update
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $name }}
  labels:
    app.kubernetes.io/component: signingkey-job
    {{- include "dendrite.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $name }}
subjects:
  - kind: ServiceAccount
    name: {{ $name }}
    namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: generate-signing-key
  labels:
    {{- include "dendrite.labels" . | nindent 4 }}
spec:
  template:
    spec:
      restartPolicy: "Never"
      serviceAccount: {{ $name }}
      containers:
      - name: upload-key
        image: {{ $.Values.image.kubectl }}
        command:
        - sh
        - -c
        - | 
          # check if key already exists
          key=$(kubectl get secret {{ $secretName }} -o jsonpath="{.data['signing\.key']}" 2> /dev/null)
          [ $? -ne 0 ] && echo "Failed to get existing secret" && exit 1
          [ -n "$key" ] && echo "Key already created, exiting." && exit 0
          # wait for signing key
          while [ ! -f /etc/dendrite/signing-key.pem ]; do
            echo "Waiting for signing key.."
            sleep 5;
          done
          # update secret
          kubectl patch secret {{ $secretName }} -p "{\"data\":{\"signing.key\":\"$(base64 /etc/dendrite/signing-key.pem | tr -d '\n')\"}}"
          [ $? -ne 0 ] && echo "Failed to update secret." && exit 1
          echo "Signing key successfully created."
        volumeMounts:
        - mountPath: /etc/dendrite/
          name: signing-key
          readOnly: true
      - name: generate-key
        {{- include "image.name" . | nindent 8 }}
        command:
        - sh 
        - -c
        - |
          /usr/bin/generate-keys -private-key /etc/dendrite/signing-key.pem
          chown 1001:1001 /etc/dendrite/signing-key.pem
        volumeMounts:
        - mountPath: /etc/dendrite/
          name: signing-key
      volumes:
      - name: signing-key
        emptyDir: {}
  parallelism: 1
  completions: 1
  backoffLimit: 1
{{ end }}
matrix 2025-01-13 12:43:26 +00:00			`{{ if and .Values.signing_key.create (not .Values.signing_key.existingSecret ) }}`
			`{{ $name := (print ( include "dendrite.fullname" . ) "-signing-key") }}`
			`{{ $secretName := (print ( include "dendrite.fullname" . ) "-signing-key") }}`
			`---`
			`apiVersion: v1`
			`kind: ServiceAccount`
			`metadata:`
			`name: {{ $name }}`
			`labels:`
			`app.kubernetes.io/component: signingkey-job`
			`{{- include "dendrite.labels" . \| nindent 4 }}`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
			`name: {{ $name }}`
			`labels:`
			`app.kubernetes.io/component: signingkey-job`
			`{{- include "dendrite.labels" . \| nindent 4 }}`
			`rules:`
			`- apiGroups:`
			`- ""`
			`resources:`
			`- secrets`
			`resourceNames:`
			`- {{ $secretName }}`
			`verbs:`
			`- get`
			`- update`
			`- patch`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: RoleBinding`
			`metadata:`
			`name: {{ $name }}`
			`labels:`
			`app.kubernetes.io/component: signingkey-job`
			`{{- include "dendrite.labels" . \| nindent 4 }}`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: Role`
			`name: {{ $name }}`
			`subjects:`
			`- kind: ServiceAccount`
			`name: {{ $name }}`
			`namespace: {{ .Release.Namespace }}`
			`---`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
			`name: generate-signing-key`
			`labels:`
			`{{- include "dendrite.labels" . \| nindent 4 }}`
			`spec:`
			`template:`
			`spec:`
			`restartPolicy: "Never"`
			`serviceAccount: {{ $name }}`
			`containers:`
			`- name: upload-key`
			`image: {{ $.Values.image.kubectl }}`
			`command:`
			`- sh`
			`- -c`
			`- \|`
			`# check if key already exists`
			`key=$(kubectl get secret {{ $secretName }} -o jsonpath="{.data['signing\.key']}" 2> /dev/null)`
			`[ $? -ne 0 ] && echo "Failed to get existing secret" && exit 1`
			`[ -n "$key" ] && echo "Key already created, exiting." && exit 0`
			`# wait for signing key`
			`while [ ! -f /etc/dendrite/signing-key.pem ]; do`
			`echo "Waiting for signing key.."`
			`sleep 5;`
			`done`
			`# update secret`
			`kubectl patch secret {{ $secretName }} -p "{\"data\":{\"signing.key\":\"$(base64 /etc/dendrite/signing-key.pem \| tr -d '\n')\"}}"`
			`[ $? -ne 0 ] && echo "Failed to update secret." && exit 1`
			`echo "Signing key successfully created."`
			`volumeMounts:`
			`- mountPath: /etc/dendrite/`
			`name: signing-key`
			`readOnly: true`
			`- name: generate-key`
			`{{- include "image.name" . \| nindent 8 }}`
			`command:`
			`- sh`
			`- -c`
			`- \|`
			`/usr/bin/generate-keys -private-key /etc/dendrite/signing-key.pem`
			`chown 1001:1001 /etc/dendrite/signing-key.pem`
			`volumeMounts:`
			`- mountPath: /etc/dendrite/`
			`name: signing-key`
			`volumes:`
			`- name: signing-key`
			`emptyDir: {}`
			`parallelism: 1`
			`completions: 1`
			`backoffLimit: 1`
			`{{ end }}`