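{{- /*
CronJob that periodically rotates the Shibboleth SP session-cache sealer keys
stored in the chart-managed Secret and restarts the SP deployment afterwards.
Rendered only when the session cache is enabled AND the chart manages the
sealer-key Secret (sealerKeys.manage); otherwise this file renders empty.
*/ -}}
{{- if (and .Values.backend.shibboleth.sessionCache.enabled .Values.backend.shibboleth.sessionCache.sealerKeys.manage) }}
---
{{- if .Values.openshiftv3 }}
# OpenShift v3 only knows the beta CronJob API group.
apiVersion: batch/v1beta1
{{- else }}
apiVersion: batch/v1
{{- end }}
kind: CronJob
metadata:
  name: {{ include "shibboleth-sp.fullname" . }}-rotate-sealer-keys
  labels:
    {{- include "shibboleth-sp.labels" . | nindent 4 }}
  {{- if .Values.podAnnotations }}
  annotations:
    {{- toYaml .Values.podAnnotations | nindent 4 }}
  {{- end }}
spec:
  # Quoted on purpose: cron expressions contain "*", which plain YAML would
  # otherwise try to read as an alias.
  schedule: "{{ .Values.backend.shibboleth.sessionCache.sealerKeys.schedule }}"
  jobTemplate:
    spec:
      template:
        spec:
          {{- with .Values.imagePullSecrets }}
          imagePullSecrets:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- if .Values.podSecurityContext }}
          securityContext:
            # The pod spec lives at indent 10 here (jobTemplate.spec.template.spec),
            # so the context body must be re-indented to 12 to nest under the key
            # (the same depth imagePullSecrets uses above); nindent 8 would place it
            # outside the pod spec and break the manifest.
            {{- toYaml .Values.podSecurityContext | nindent 12 }}
          {{- end }}
          # This service account needs (granted outside this template) permission to
          # read and replace the sealer-key Secret and to restart the SP deployment.
          serviceAccountName: {{ include "shibboleth-sp.sealerKeys.serviceAccountName" . }}
          containers:
            - name: rotate-sealer-keys
              image: "{{ include "shibboleth-sp.sealerKeys.image" . }}"
              imagePullPolicy: "{{ include "shibboleth-sp.sealerKeys.imagePullPolicy" . }}"
              command:
                - bash
                - -c
                - |
                  # Fail on the first failing command, including inside pipelines, so a
                  # broken rotation leaves the Job in a failed state (retried via
                  # restartPolicy: OnFailure) instead of silently restarting the
                  # deployment with stale or empty keys.
                  set -euo pipefail
                  # extract current set of sealer keys; /dev/shm is used as scratch space
                  # so the key material is not written to a regular on-disk filesystem
                  kubectl get secret {{ include "shibboleth-sp.sealerKeys.secretName" . }} -o=jsonpath='{.data.sealer\.keys}' | base64 -d > /dev/shm/sealer.keys
                  # add/rotate sealer keys; key count and key size come from values
                  shib-seckeygen -o /dev/shm -f sealer.keys -h {{ .Values.backend.shibboleth.sessionCache.sealerKeys.numberOfKeysToKeep }} -b {{ .Values.backend.shibboleth.sessionCache.sealerKeys.sizeOfKeysInBits }} -u "$(id -u)" -g "$(id -g)"
                  # replace secret with new sealer keys; "replace" (not "apply") requires the
                  # Secret to already exist -- presumably created elsewhere in the chart
                  kubectl create secret generic {{ include "shibboleth-sp.sealerKeys.secretName" . }} --from-file=/dev/shm/sealer.keys --dry-run=client -o yaml | kubectl replace --save-config -f-
                  # restart all pods in deployment in order to pick up new secret
                  kubectl rollout restart deploy {{ include "shibboleth-sp.fullname" . }}
          # A failed step re-runs the whole script, which re-reads the current Secret
          # before rotating again.
          restartPolicy: OnFailure
{{- end -}}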