From 6ec0414fcd741fdfe063eb256283fff403caee32 Mon Sep 17 00:00:00 2001 From: Brad Stein Date: Sat, 17 Jan 2026 01:47:53 -0300 Subject: [PATCH] jobs: prefer arm64 workers --- .../cleanup/cert-manager-cleanup-job.yaml | 14 ++++++++++++++ .../longhorn/adopt/longhorn-helm-adopt-job.yaml | 14 ++++++++++++++ .../portal-onboarding-e2e-test-job.yaml | 14 ++++++++++++++ services/comms/bstein-force-leave-job.yaml | 16 +++++++++++++++- services/comms/comms-secrets-ensure-job.yaml | 14 ++++++++++++++ .../mas-admin-client-secret-ensure-job.yaml | 14 ++++++++++++++ services/comms/mas-db-ensure-job.yaml | 14 ++++++++++++++ services/comms/mas-local-users-ensure-job.yaml | 16 +++++++++++++++- services/comms/othrys-kick-numeric-job.yaml | 16 +++++++++++++++- .../comms/synapse-seeder-admin-ensure-job.yaml | 16 +++++++++++++++- .../comms/synapse-signingkey-ensure-job.yaml | 14 ++++++++++++++ services/comms/synapse-user-seed-job.yaml | 16 +++++++++++++++- .../keycloak/logs-oidc-secret-ensure-job.yaml | 14 ++++++++++++++ .../portal-admin-client-secret-ensure-job.yaml | 14 ++++++++++++++ services/keycloak/portal-e2e-client-job.yaml | 16 +++++++++++++++- ...ortal-e2e-execute-actions-email-test-job.yaml | 14 ++++++++++++++ .../keycloak/portal-e2e-target-client-job.yaml | 16 +++++++++++++++- ...ortal-e2e-token-exchange-permissions-job.yaml | 16 +++++++++++++++- .../portal-e2e-token-exchange-test-job.yaml | 16 +++++++++++++++- .../keycloak/synapse-oidc-secret-ensure-job.yaml | 14 ++++++++++++++ services/mailu/mailu-sync-job.yaml | 16 +++++++++++++++- .../maintenance/k3s-traefik-cleanup-job.yaml | 14 ++++++++++++++ services/monitoring/grafana-org-bootstrap.yaml | 14 ++++++++++++++ 23 files changed, 332 insertions(+), 10 deletions(-) diff --git a/infrastructure/cert-manager/cleanup/cert-manager-cleanup-job.yaml b/infrastructure/cert-manager/cleanup/cert-manager-cleanup-job.yaml index 93cf53a..5c6a07e 100644 --- a/infrastructure/cert-manager/cleanup/cert-manager-cleanup-job.yaml +++ b/infrastructure/cert-manager/cleanup/cert-manager-cleanup-job.yaml @@ -10,6 +10,20 @@ spec: spec: serviceAccountName: cert-manager-cleanup restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] containers: - name: cleanup image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131 diff --git a/infrastructure/longhorn/adopt/longhorn-helm-adopt-job.yaml b/infrastructure/longhorn/adopt/longhorn-helm-adopt-job.yaml index 7484e47..580f5f6 100644 --- a/infrastructure/longhorn/adopt/longhorn-helm-adopt-job.yaml +++ b/infrastructure/longhorn/adopt/longhorn-helm-adopt-job.yaml @@ -10,6 +10,20 @@ spec: spec: serviceAccountName: longhorn-helm-adopt restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] containers: - name: adopt image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131 diff --git a/services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml b/services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml index e6e0baa..7661a31 100644 --- a/services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml +++ b/services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml @@ -30,6 +30,20 @@ spec: {{ end }} spec: restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] serviceAccountName: bstein-dev-home containers: - name: test diff --git a/services/comms/bstein-force-leave-job.yaml b/services/comms/bstein-force-leave-job.yaml index 172ffb4..07e7471 100644 --- a/services/comms/bstein-force-leave-job.yaml +++ b/services/comms/bstein-force-leave-job.yaml @@ -17,6 +17,20 @@ spec: {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}} spec: restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] serviceAccountName: comms-vault volumes: containers: @@ -186,4 +200,4 @@ spec: print(json.dumps(results, indent=2, sort_keys=True)) if failures: raise SystemExit(f"failed to leave/forget rooms: {', '.join(failures)}") - PY \ No newline at end of file + PY diff --git a/services/comms/comms-secrets-ensure-job.yaml b/services/comms/comms-secrets-ensure-job.yaml index 2dfcdf0..f95baa1 100644 --- a/services/comms/comms-secrets-ensure-job.yaml +++ b/services/comms/comms-secrets-ensure-job.yaml @@ -11,6 +11,20 @@ spec: spec: serviceAccountName: comms-secrets-ensure restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] containers: - name: ensure image: registry.bstein.dev/bstein/kubectl:1.35.0 diff --git a/services/comms/mas-admin-client-secret-ensure-job.yaml b/services/comms/mas-admin-client-secret-ensure-job.yaml index 07f59a6..19f2fdf 100644 --- a/services/comms/mas-admin-client-secret-ensure-job.yaml +++ b/services/comms/mas-admin-client-secret-ensure-job.yaml @@ -46,6 +46,20 @@ spec: spec: serviceAccountName: mas-admin-client-secret-writer restartPolicy: OnFailure + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] volumes: - name: work emptyDir: {} diff --git a/services/comms/mas-db-ensure-job.yaml b/services/comms/mas-db-ensure-job.yaml index 8aab110..b309fb3 100644 --- a/services/comms/mas-db-ensure-job.yaml +++ b/services/comms/mas-db-ensure-job.yaml @@ -11,6 +11,20 @@ spec: spec: serviceAccountName: mas-db-ensure restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] containers: - name: ensure image: registry.bstein.dev/bstein/kubectl:1.35.0 diff --git a/services/comms/mas-local-users-ensure-job.yaml b/services/comms/mas-local-users-ensure-job.yaml index ac3428c..db19be2 100644 --- a/services/comms/mas-local-users-ensure-job.yaml +++ b/services/comms/mas-local-users-ensure-job.yaml @@ -48,6 +48,20 @@ spec: {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}} spec: restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] serviceAccountName: comms-vault volumes: - name: vault-scripts @@ -187,4 +201,4 @@ spec: token = admin_token() ensure_user(token, os.environ["SEEDER_USER"], os.environ["SEEDER_PASS"]) ensure_user(token, os.environ["BOT_USER"], os.environ["BOT_PASS"]) - PY \ No newline at end of file + PY diff --git a/services/comms/othrys-kick-numeric-job.yaml b/services/comms/othrys-kick-numeric-job.yaml index 637ad58..213cc3a 100644 --- a/services/comms/othrys-kick-numeric-job.yaml +++ b/services/comms/othrys-kick-numeric-job.yaml @@ -47,6 +47,20 @@ spec: {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}} spec: restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] serviceAccountName: comms-vault containers: - name: kick @@ -156,4 +170,4 @@ spec: - name: vault-scripts configMap: name: comms-vault-env - defaultMode: 0555 \ No newline at end of file + defaultMode: 0555 diff --git a/services/comms/synapse-seeder-admin-ensure-job.yaml b/services/comms/synapse-seeder-admin-ensure-job.yaml index ad22634..6fe7d97 100644 --- a/services/comms/synapse-seeder-admin-ensure-job.yaml +++ b/services/comms/synapse-seeder-admin-ensure-job.yaml @@ -47,6 +47,20 @@ spec: {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}} spec: restartPolicy: OnFailure + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] serviceAccountName: comms-vault containers: - name: psql @@ -77,4 +91,4 @@ spec: - name: vault-scripts configMap: name: comms-vault-env - defaultMode: 0555 \ No newline at end of file + defaultMode: 0555 diff --git a/services/comms/synapse-signingkey-ensure-job.yaml b/services/comms/synapse-signingkey-ensure-job.yaml index 3b87eb3..ee165f0 100644 --- a/services/comms/synapse-signingkey-ensure-job.yaml +++ b/services/comms/synapse-signingkey-ensure-job.yaml @@ -10,6 +10,20 @@ spec: spec: serviceAccountName: othrys-synapse-signingkey-job restartPolicy: OnFailure + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] volumes: - name: work emptyDir: {} diff --git a/services/comms/synapse-user-seed-job.yaml b/services/comms/synapse-user-seed-job.yaml index 9afe882..7099e9c 100644 --- a/services/comms/synapse-user-seed-job.yaml +++ b/services/comms/synapse-user-seed-job.yaml @@ -48,6 +48,20 @@ spec: {{- with secret "kv/data/atlas/comms/mas-secrets-runtime" -}}{{ .Data.data.keycloak_client_secret }}{{- end -}} spec: restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] serviceAccountName: comms-vault containers: - name: seed @@ -151,4 +165,4 @@ spec: - name: vault-scripts configMap: name: comms-vault-env - defaultMode: 0555 \ No newline at end of file + defaultMode: 0555 diff --git a/services/keycloak/logs-oidc-secret-ensure-job.yaml b/services/keycloak/logs-oidc-secret-ensure-job.yaml index df89fa0..94191e8 100644 --- a/services/keycloak/logs-oidc-secret-ensure-job.yaml +++ b/services/keycloak/logs-oidc-secret-ensure-job.yaml @@ -23,6 +23,20 @@ spec: spec: serviceAccountName: mas-secrets-ensure restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] containers: - name: apply image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131 diff --git a/services/keycloak/portal-admin-client-secret-ensure-job.yaml b/services/keycloak/portal-admin-client-secret-ensure-job.yaml index af053a9..2eedb61 100644 --- a/services/keycloak/portal-admin-client-secret-ensure-job.yaml +++ b/services/keycloak/portal-admin-client-secret-ensure-job.yaml @@ -23,6 +23,20 @@ spec: {{ end }} spec: restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] serviceAccountName: sso-vault containers: - name: configure diff --git a/services/keycloak/portal-e2e-client-job.yaml b/services/keycloak/portal-e2e-client-job.yaml index 9c5229f..eb20440 100644 --- a/services/keycloak/portal-e2e-client-job.yaml +++ b/services/keycloak/portal-e2e-client-job.yaml @@ -39,6 +39,20 @@ spec: {{ end }} spec: restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] serviceAccountName: sso-vault containers: - name: configure @@ -258,4 +272,4 @@ spec: raise SystemExit(f"Role mapping update failed (status={status}) resp={resp}") PY volumeMounts: - volumes: \ No newline at end of file + volumes: diff --git a/services/keycloak/portal-e2e-execute-actions-email-test-job.yaml b/services/keycloak/portal-e2e-execute-actions-email-test-job.yaml index 892d5aa..211bd3e 100644 --- a/services/keycloak/portal-e2e-execute-actions-email-test-job.yaml +++ b/services/keycloak/portal-e2e-execute-actions-email-test-job.yaml @@ -39,6 +39,20 @@ spec: {{ end }} spec: restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] serviceAccountName: sso-vault containers: - name: test diff --git a/services/keycloak/portal-e2e-target-client-job.yaml b/services/keycloak/portal-e2e-target-client-job.yaml index 6c1086f..5fc9b7f 100644 --- a/services/keycloak/portal-e2e-target-client-job.yaml +++ b/services/keycloak/portal-e2e-target-client-job.yaml @@ -39,6 +39,20 @@ spec: {{ end }} spec: restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] serviceAccountName: sso-vault containers: - name: configure @@ -159,4 +173,4 @@ spec: print(f"OK: ensured token exchange enabled on client {target_client_id}") PY volumeMounts: - volumes: \ No newline at end of file + volumes: diff --git a/services/keycloak/portal-e2e-token-exchange-permissions-job.yaml b/services/keycloak/portal-e2e-token-exchange-permissions-job.yaml index 9e3f11c..77828ab 100644 --- a/services/keycloak/portal-e2e-token-exchange-permissions-job.yaml +++ b/services/keycloak/portal-e2e-token-exchange-permissions-job.yaml @@ -39,6 +39,20 @@ spec: {{ end }} spec: restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] serviceAccountName: sso-vault containers: - name: configure @@ -291,4 +305,4 @@ spec: print("OK: configured token exchange permissions for portal E2E client") PY - volumeMounts: \ No newline at end of file + volumeMounts: diff --git a/services/keycloak/portal-e2e-token-exchange-test-job.yaml b/services/keycloak/portal-e2e-token-exchange-test-job.yaml index 4e6960d..21551e0 100644 --- a/services/keycloak/portal-e2e-token-exchange-test-job.yaml +++ b/services/keycloak/portal-e2e-token-exchange-test-job.yaml @@ -40,6 +40,20 @@ spec: {{ end }} spec: restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] serviceAccountName: sso-vault containers: - name: test @@ -71,4 +85,4 @@ spec: - name: tests configMap: name: portal-e2e-tests - defaultMode: 0555 \ No newline at end of file + defaultMode: 0555 diff --git a/services/keycloak/synapse-oidc-secret-ensure-job.yaml b/services/keycloak/synapse-oidc-secret-ensure-job.yaml index 07d1378..1780d2e 100644 --- a/services/keycloak/synapse-oidc-secret-ensure-job.yaml +++ b/services/keycloak/synapse-oidc-secret-ensure-job.yaml @@ -23,6 +23,20 @@ spec: spec: serviceAccountName: mas-secrets-ensure restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] containers: - name: apply image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131 diff --git a/services/mailu/mailu-sync-job.yaml b/services/mailu/mailu-sync-job.yaml index 38cea89..421dceb 100644 --- a/services/mailu/mailu-sync-job.yaml +++ b/services/mailu/mailu-sync-job.yaml @@ -28,6 +28,20 @@ spec: {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-secret" }}{{- end -}} spec: restartPolicy: OnFailure + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] serviceAccountName: mailu-vault-sync containers: - name: mailu-sync @@ -75,4 +89,4 @@ spec: - name: vault-scripts configMap: name: mailu-vault-env - defaultMode: 0555 \ No newline at end of file + defaultMode: 0555 diff --git a/services/maintenance/k3s-traefik-cleanup-job.yaml b/services/maintenance/k3s-traefik-cleanup-job.yaml index 33fa7be..5638e83 100644 --- a/services/maintenance/k3s-traefik-cleanup-job.yaml +++ b/services/maintenance/k3s-traefik-cleanup-job.yaml @@ -10,6 +10,20 @@ spec: spec: serviceAccountName: k3s-traefik-cleanup restartPolicy: Never + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] containers: - name: cleanup image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131 diff --git a/services/monitoring/grafana-org-bootstrap.yaml b/services/monitoring/grafana-org-bootstrap.yaml index a39d938..d0791f5 100644 --- a/services/monitoring/grafana-org-bootstrap.yaml +++ b/services/monitoring/grafana-org-bootstrap.yaml @@ -20,6 +20,20 @@ spec: {{- end -}} spec: restartPolicy: OnFailure + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: ["arm64"] serviceAccountName: monitoring-vault-sync containers: - name: bootstrap