一些更新

matrix/dendrite.old/templates/jobs.yaml

@@ -0,0 +1,100 @@
+{{ if and .Values.signing_key.create (not .Values.signing_key.existingSecret ) }}
+{{ $name := (print ( include "dendrite.fullname" . ) "-signing-key") }}
+{{ $secretName := (print ( include "dendrite.fullname" . ) "-signing-key") }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $name }}
+  labels:
+    app.kubernetes.io/component: signingkey-job
+    {{- include "dendrite.labels" . | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $name }}
+  labels:
+    app.kubernetes.io/component: signingkey-job
+    {{- include "dendrite.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - {{ $secretName }}
+    verbs:
+      - get
+      - update
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $name }}
+  labels:
+    app.kubernetes.io/component: signingkey-job
+    {{- include "dendrite.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $name }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: generate-signing-key
+  labels:
+    {{- include "dendrite.labels" . | nindent 4 }}
+spec:
+  template:
+    spec:
+      restartPolicy: "Never"
+      serviceAccount: {{ $name }}
+      containers:
+      - name: upload-key
+        image: {{ $.Values.image.kubectl }}
+        command:
+        - sh
+        - -c
+        - | 
+          # check if key already exists
+          key=$(kubectl get secret {{ $secretName }} -o jsonpath="{.data['signing\.key']}" 2> /dev/null)
+          [ $? -ne 0 ] && echo "Failed to get existing secret" && exit 1
+          [ -n "$key" ] && echo "Key already created, exiting." && exit 0
+          # wait for signing key
+          while [ ! -f /etc/dendrite/signing-key.pem ]; do
+            echo "Waiting for signing key.."
+            sleep 5;
+          done
+          # update secret
+          kubectl patch secret {{ $secretName }} -p "{\"data\":{\"signing.key\":\"$(base64 /etc/dendrite/signing-key.pem | tr -d '\n')\"}}"
+          [ $? -ne 0 ] && echo "Failed to update secret." && exit 1
+          echo "Signing key successfully created."
+        volumeMounts:
+        - mountPath: /etc/dendrite/
+          name: signing-key
+          readOnly: true
+      - name: generate-key
+        {{- include "image.name" . | nindent 8 }}
+        command:
+        - sh 
+        - -c
+        - |
+          /usr/bin/generate-keys -private-key /etc/dendrite/signing-key.pem
+          chown 1001:1001 /etc/dendrite/signing-key.pem
+        volumeMounts:
+        - mountPath: /etc/dendrite/
+          name: signing-key
+      volumes:
+      - name: signing-key
+        emptyDir: {}
+  parallelism: 1
+  completions: 1
+  backoffLimit: 1
+{{ end }}