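# CronJob that periodically runs sync-all-certificates.sh (mounted from the
# ConfigMap tls-sync-wildcard-script) against the cluster described by the
# kubeconfig stored in Secret .Values.tlsSync.kubeconfigSecret.
#
# Hardening notes relative to the earlier version of this template:
#   - the root filesystem is read-only; /tmp is an emptyDir so the script copy
#     still works.  If the sync script needs to write anywhere else, add
#     another emptyDir instead of reverting readOnlyRootFilesystem.
#   - the pod runs under the RuntimeDefault seccomp profile.
#   - chart values are passed to the script through environment variables
#     rather than being interpolated into the script text, so a value holding
#     quotes or `$` cannot break the command line.
#   - templated string scalars are quoted so an empty value renders as "" and
#     not as YAML null.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: tls-sync-wildcard
  namespace: {{ .Values.tlsSync.sourceNamespace | quote }}
  labels:
    app: tls-sync-wildcard
spec:
  schedule: {{ .Values.tlsSync.schedule | quote }}
  successfulJobsHistoryLimit: {{ .Values.tlsSync.successfulJobsHistoryLimit }}
  failedJobsHistoryLimit: {{ .Values.tlsSync.failedJobsHistoryLimit }}
  jobTemplate:
    spec:
      backoffLimit: {{ .Values.tlsSync.backoffLimit }}
      # Upper bound on a single run; a hung sync is killed rather than
      # piling up behind the next schedule tick.
      activeDeadlineSeconds: {{ .Values.tlsSync.activeDeadlineSeconds }}
      template:
        metadata:
          labels:
            app: tls-sync-wildcard
        spec:
          restartPolicy: {{ .Values.tlsSync.restartPolicy | quote }}
          serviceAccountName: tls-sync-wildcard
          securityContext:
            # Pod-level seccomp profile; applies to every container in the pod.
            seccompProfile:
              type: RuntimeDefault
          containers:
          - name: sync
            image: "{{ .Values.tlsSync.image.repository }}:{{ .Values.tlsSync.image.tag }}"
            imagePullPolicy: {{ .Values.tlsSync.image.pullPolicy | quote }}
            securityContext:
              runAsNonRoot: true
              runAsUser: 1000
              allowPrivilegeEscalation: false
              # Only /tmp (emptyDir below) is writable; the script is copied
              # there before execution.
              readOnlyRootFilesystem: true
              capabilities:
                drop:
                - ALL
            command:
            - /bin/bash
            - -c
            - |
              set -euo pipefail
              # jq must be present in the image; fail early with a clear
              # message instead of inside the sync script.
              if ! command -v jq &> /dev/null; then
                echo "❌ Erreur: jq n'est pas disponible dans l'image"
                echo " Utilisez une image qui contient jq (ex: alpine/k8s, bitnami/kubectl, ou créez une image personnalisée)"
                exit 1
              fi
              # The ConfigMap mount is read-only, so copy the script to the
              # writable /tmp emptyDir and make it executable there.
              cp /scripts/sync-all-certificates.sh /tmp/sync-all-certificates.sh
              chmod +x /tmp/sync-all-certificates.sh
              # Arguments come from SOURCE_CLUSTER / SOURCE_NS (set from chart
              # values in `env` below); with `set -u` a missing variable aborts
              # the run instead of passing an empty argument.
              /tmp/sync-all-certificates.sh \
                --sourceCluster "$SOURCE_CLUSTER" \
                --sourceNS "$SOURCE_NS"
            env:
            - name: SOURCE_CLUSTER
              value: {{ .Values.tlsSync.sourceCluster | quote }}
            - name: SOURCE_NS
              value: {{ .Values.tlsSync.sourceNamespace | quote }}
            - name: KUBECONFIG
              value: /home/user/.kube/config
            - name: HOME
              value: /home/user
            # kubectl writes its discovery cache under $HOME/.kube/cache by
            # default, which here is the read-only kubeconfig Secret mount.
            # Recent kubectl honours KUBECACHEDIR; older versions ignore it
            # and just skip caching, as they already did with the read-only
            # mount.
            - name: KUBECACHEDIR
              value: /tmp/kube-cache
            volumeMounts:
            - name: kubeconfig
              mountPath: /home/user/.kube
              readOnly: true
            - name: script
              mountPath: /scripts
              readOnly: true
            - name: tmp
              mountPath: /tmp
            resources:
              {{- toYaml .Values.tlsSync.resources | nindent 14 }}
          volumes:
          - name: kubeconfig
            secret:
              secretName: {{ .Values.tlsSync.kubeconfigSecret }}
          - name: script
            configMap:
              name: tls-sync-wildcard-script
              defaultMode: 0755
          # Scratch space for the script copy and the kubectl cache; discarded
          # with the pod.
          - name: tmp
            emptyDir: {}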