50 lines
1.7 KiB
YAML
50 lines
1.7 KiB
YAML
# services/gitea/oneoffs/veles-feedback-acl-ensure-job.yaml
|
|
# One-off job for gitea/veles-feedback-acl-ensure-1.
|
|
# Purpose: keep Veles testers on the feedback repo without granting source access.
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: veles-feedback-acl-ensure-1
|
|
namespace: gitea
|
|
spec:
|
|
suspend: true
|
|
backoffLimit: 0
|
|
ttlSecondsAfterFinished: 3600
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
vault.hashicorp.com/agent-inject: "true"
|
|
vault.hashicorp.com/agent-pre-populate-only: "true"
|
|
vault.hashicorp.com/role: "gitea"
|
|
vault.hashicorp.com/agent-inject-secret-gitea-db-secret__password: "kv/data/atlas/gitea/gitea-db-secret"
|
|
vault.hashicorp.com/agent-inject-template-gitea-db-secret__password: |
|
|
{{ with secret "kv/data/atlas/gitea/gitea-db-secret" }}
|
|
{{ .Data.data.password }}
|
|
{{ end }}
|
|
spec:
|
|
serviceAccountName: gitea-vault
|
|
restartPolicy: Never
|
|
volumes:
|
|
- name: veles-feedback-acl-ensure-script
|
|
configMap:
|
|
name: veles-feedback-acl-ensure-script
|
|
defaultMode: 0555
|
|
affinity:
|
|
nodeAffinity:
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
nodeSelectorTerms:
|
|
- matchExpressions:
|
|
- key: kubernetes.io/arch
|
|
operator: In
|
|
values: ["arm64"]
|
|
- key: node-role.kubernetes.io/worker
|
|
operator: Exists
|
|
containers:
|
|
- name: apply
|
|
image: postgres:15
|
|
command: ["/scripts/veles_feedback_acl_ensure.sh"]
|
|
volumeMounts:
|
|
- name: veles-feedback-acl-ensure-script
|
|
mountPath: /scripts
|
|
readOnly: true
|