argocd/helm/tls-sync-wildcard/ops/templates/cronjob.yaml

apiVersion: batch/v1
kind: CronJob
metadata:
  name: tls-sync-wildcard
  namespace: {{ .Values.tlsSync.sourceNamespace }}
  labels:
    app: tls-sync-wildcard
spec:
  schedule: {{ .Values.tlsSync.schedule | quote }}
  successfulJobsHistoryLimit: {{ .Values.tlsSync.successfulJobsHistoryLimit }}
  failedJobsHistoryLimit: {{ .Values.tlsSync.failedJobsHistoryLimit }}
  jobTemplate:
    spec:
      backoffLimit: {{ .Values.tlsSync.backoffLimit }}
      activeDeadlineSeconds: {{ .Values.tlsSync.activeDeadlineSeconds }}
      template:
        metadata:
          labels:
            app: tls-sync-wildcard
        spec:
          restartPolicy: {{ .Values.tlsSync.restartPolicy }}
          serviceAccountName: tls-sync-wildcard
          containers:
          - name: sync
            image: {{ .Values.tlsSync.image.repository }}:{{ .Values.tlsSync.image.tag }}
            imagePullPolicy: {{ .Values.tlsSync.image.pullPolicy }}
            securityContext:
              runAsNonRoot: true
              runAsUser: 1000
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: false  # Nécessaire pour /tmp
              capabilities:
                drop:
                  - ALL
            command:
            - /bin/bash
            - -c
            - |
              set -e
              
              # Vérifier que jq est disponible (doit être dans l'image)
              if ! command -v jq &> /dev/null; then
                echo "❌ Erreur: jq n'est pas disponible dans l'image"
                echo "   Utilisez une image qui contient jq (ex: alpine/k8s, bitnami/kubectl, ou créez une image personnalisée)"
                exit 1
              fi
              
              # Copier le script depuis le ConfigMap
              cp /scripts/sync-all-certificates.sh /tmp/sync-all-certificates.sh
              chmod +x /tmp/sync-all-certificates.sh
              
              # Exécuter le script
              /tmp/sync-all-certificates.sh \
                --sourceCluster "{{ .Values.tlsSync.sourceCluster }}" \
                --sourceNS "{{ .Values.tlsSync.sourceNamespace }}"
            volumeMounts:
            - name: kubeconfig
              mountPath: /home/user/.kube
              readOnly: true
            - name: script
              mountPath: /scripts
              readOnly: true
            env:
            - name: KUBECONFIG
              value: /home/user/.kube/config
            - name: HOME
              value: /home/user
            resources:
{{- toYaml .Values.tlsSync.resources | nindent 14 }}
          volumes:
          - name: kubeconfig
            secret:
              secretName: {{ .Values.tlsSync.kubeconfigSecret }}
          - name: script
            configMap:
              name: tls-sync-wildcard-script
              defaultMode: 0755