cron jobs

publishing-platform · Jan 31, 2025 · 4c4ff67 · 4c4ff67
1 parent 9891bac
commit 4c4ff67
Show file tree

Hide file tree

Showing 4 changed files with 154 additions and 9 deletions.
diff --git a/charts/app-config/templates/signon-service-account.yaml b/charts/app-config/templates/signon-service-account.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: signon
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: signon-secret-manager
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["patch", "create", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: signon-secret-manager-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: signon-secret-manager
+subjects:
+  - kind: ServiceAccount
+    name: signon
diff --git a/charts/app-config/values-production.yaml b/charts/app-config/values-production.yaml
@@ -74,7 +74,7 @@ publishingPlatformApplications:
           external-dns.alpha.kubernetes.io/hostname: signon.{{ .Values.k8sExternalDomainSuffix }}
         hosts:
           - name: signon.{{ .Values.publishingDomainSuffix }}
-      # cronTasks: # TODO - uncomment when implemented
+      cronTasks:
       #   - name: delete-expired-oauth-grants
       #     task: "oauth_access_grants:delete_expired"
       #     schedule: "22 12 * * 0"
@@ -92,14 +92,14 @@ publishingPlatformApplications:
       #     task: "users:suspend_inactive"
       #     schedule: "27 4 * * *"
       #     serviceAccount: signon
-      #   - name: sync-app-secrets-to-k8s
-      #     task: "kubernetes:sync_app_secrets"
-      #     schedule: "8 1 * * *"
-      #     serviceAccount: signon
-      #   - name: sync-token-secrets-to-k8s
-      #     task: "kubernetes:sync_token_secrets"
-      #     schedule: "9 1 * * *"
-      #     serviceAccount: signon
+        - name: sync-app-secrets-to-k8s
+          task: "kubernetes:sync_app_secrets"
+          schedule: "8 1 * * *"
+          serviceAccount: signon
+        - name: sync-token-secrets-to-k8s
+          task: "kubernetes:sync_token_secrets"
+          schedule: "9 1 * * *"
+          serviceAccount: signon
       extraEnv:
         - name: INSTANCE_NAME
           value: production

diff --git a/charts/generic-publishing-platform-app/templates/cron-task.yaml b/charts/generic-publishing-platform-app/templates/cron-task.yaml
@@ -0,0 +1,118 @@
+{{- $fullName := include "generic-publishing-platform-app.fullname" . }}
+{{- range .Values.cronTasks }}
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: "{{ $fullName }}-{{ .name }}"
+  labels:
+    {{- include "generic-publishing-platform-app.labels" $ | nindent 4 }}
+    app: "{{ $fullName }}-{{ .name }}"
+    app.kubernetes.io/name: "{{ $fullName }}-{{ .name }}"
+    app.kubernetes.io/component: "{{ .name }}"
+spec:
+  schedule: "{{ .schedule }}"
+  {{ if .timeZone }}timeZone: "{{ .timeZone }}"{{- end }}
+  suspend: {{ .suspend | default false }}
+  jobTemplate:
+    metadata:
+      name: "{{ $fullName }}-{{ .name }}"
+      labels:
+        {{- include "generic-publishing-platform-app.labels" $ | nindent 8 }}
+        app: "{{ $fullName }}-{{ .name }}"
+        app.kubernetes.io/name: "{{ $fullName }}-{{ .name }}"
+        app.kubernetes.io/component: "{{ .name }}"
+    spec:
+      backoffLimit: 0
+      template:
+        metadata:
+          name: "{{ $fullName }}-{{ .name }}"
+          labels:
+            {{- include "generic-publishing-platform-app.labels" $ | nindent 12 }}
+            app: "{{ $fullName }}-{{ .name }}"
+            app.kubernetes.io/name: "{{ $fullName }}-{{ .name }}"
+            app.kubernetes.io/component: "{{ .name }}"
+        spec:
+          automountServiceAccountToken: {{- if .serviceAccount }} true {{- else }} false {{- end }}
+          enableServiceLinks: false
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            fsGroup: {{ $.Values.securityContext.runAsGroup }}
+            runAsNonRoot: {{ $.Values.securityContext.runAsNonRoot }}
+            runAsUser: {{ $.Values.securityContext.runAsUser }}
+            runAsGroup: {{ $.Values.securityContext.runAsGroup }}
+          restartPolicy: Never
+          {{ if .serviceAccount }}serviceAccountName: {{ .serviceAccount }}{{- end }}
+          volumes:
+            - name: app-tmp
+              emptyDir: {}
+            {{- with $.Values.extraVolumes }}
+              {{- . | toYaml | trim | nindent 12 }}
+            {{- end }}
+          containers:
+            - name: cron-task
+              image: "{{ $.Values.appImage.repository }}:{{ $.Values.appImage.tag }}"
+              imagePullPolicy: {{ $.Values.appImage.pullPolicy | default "Always" }}
+              {{- if .task }}
+              command: ["rake"]
+              args: ["{{ .task }}"]
+              {{- else if .command }}
+              command: ["/bin/bash"]
+              args: ["-c", "{{ .command }}"]
+              {{- end }}
+              envFrom:
+                - configMapRef:
+                    name: publishing-platform-apps-env
+              env:
+                {{- if $.Values.rails.enabled }}
+                - name: SECRET_KEY_BASE
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ $.Values.rails.secretKeyBaseName | default (printf "%s-rails-secret-key-base" $.Values.repoName) }}
+                      key: secret-key-base
+                {{- end }}
+                {{- if $.Values.sentry.enabled }}
+                - name: SENTRY_DSN
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ $.Values.sentry.dsnSecretName | default (printf "%s-sentry" $.Values.repoName) }}
+                      key: dsn
+                - name: SENTRY_RELEASE
+                  value: "{{ $.Values.appImage.tag }}"
+                {{- end }}
+                {{- if $.Values.redis.enabled }}
+                - name: REDIS_URL
+                  value: {{ $.Values.redis.redisUrlOverride.app | default (printf "redis://%s-redis" $fullName) }}
+                {{- end }}
+                {{- with $.Values.extraEnv }}
+                  {{- . | toYaml | trim | nindent 16 }}
+                {{- end }}
+                {{- with .env }}
+                  {{- . | toYaml | trim | nindent 16 }}
+                {{- end }}
+              {{- with .resources | default $.Values.appResources }}
+              resources:
+                {{- . | toYaml | trim | nindent 16 }}
+              {{- end }}
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
+                capabilities:
+                  drop: ["ALL"]
+              volumeMounts:
+                - name: app-tmp
+                  mountPath: /tmp
+                {{- with $.Values.appExtraVolumeMounts }}
+                  {{- . | toYaml | trim | nindent 16 }}
+                {{- end }}
+          {{- if eq "arm64" $.Values.arch }}
+          tolerations:
+            - key: arch
+              operator: Equal
+              value: {{ $.Values.arch }}
+              effect: NoSchedule
+          nodeSelector:
+            kubernetes.io/arch: {{ $.Values.arch }}
+          {{- end }}
+{{- end }}
diff --git a/charts/generic-publishing-platform-app/values.yaml b/charts/generic-publishing-platform-app/values.yaml
@@ -41,6 +41,8 @@ redis:
 dbMigrationEnabled: false
 dbMigrationCommand: ["rails", "db:prepare"]
 
+cronTasks: []
+
 repoName: "example"  # Dummy value, overridden in ArgoCD config.
 # arch determines whether the app should schedule on amd64 or arm64 nodes.
 arch: amd64