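{{- /*
Cross-namespace TLS Secret sync.

A CronJob running in the platform namespace periodically copies one Secret
from .sourceNamespace/.sourceSecretName to .targetNamespace/.targetSecretName.
Only the Secret's `type` and `data` are copied; server-owned metadata
(uid, resourceVersion, ownerReferences, annotations, managedFields, ...) is
never replayed into the target, so the target is a plain, independently owned
Secret in its own namespace.

RBAC is the minimum the script needs: `get` on the one source Secret and
`get`/`update`/`patch` on the one target Secret. `create` cannot be limited by
resourceNames (the authorizer ignores resourceNames for create because the
object name is not in the request), so it is granted for secrets in the whole
target namespace — keep .targetNamespace narrow if that is a concern.

Values consumed: .name, .sourceNamespace, .sourceSecretName, .targetNamespace,
.targetSecretName, .refreshSchedule, optional .image.
*/}}
{{- with .Values.components.sharedTlsSecretSync }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .name | quote }}
  namespace: {{ $.Values.namespaces.platform | quote }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: "{{ .name }}-source"
  namespace: {{ .sourceNamespace | quote }}
rules:
  # The sync only issues a single GET by name. list/watch are not needed, and
  # resourceNames cannot meaningfully scope them anyway, so they are not granted.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: [{{ .sourceSecretName | quote }}]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: "{{ .name }}-target"
  namespace: {{ .targetNamespace | quote }}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: [{{ .targetSecretName | quote }}]
    verbs: ["get", "update", "patch"]
  # Kubernetes never matches a resourceNames-scoped rule for `create` (the name
  # of the new object is not part of the request), so a name-restricted create
  # is silently useless and the first sync into an empty namespace would be
  # denied with 403. Create therefore has to be namespace-wide.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "{{ .name }}-source"
  namespace: {{ .sourceNamespace | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "{{ .name }}-source"
subjects:
  - kind: ServiceAccount
    name: {{ .name | quote }}
    namespace: {{ $.Values.namespaces.platform | quote }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "{{ .name }}-target"
  namespace: {{ .targetNamespace | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "{{ .name }}-target"
subjects:
  - kind: ServiceAccount
    name: {{ .name | quote }}
    namespace: {{ $.Values.namespaces.platform | quote }}
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: {{ .name | quote }}
  namespace: {{ $.Values.namespaces.platform | quote }}
spec:
  schedule: {{ .refreshSchedule | quote }}
  # Never run two syncs at once.
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      # Under concurrencyPolicy: Forbid a hung kubectl (API outage, stuck
      # network) would otherwise block every later scheduled run; bound it.
      activeDeadlineSeconds: 600
      template:
        spec:
          serviceAccountName: {{ .name | quote }}
          restartPolicy: OnFailure
          securityContext:
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: sync
              # Supply chain: set `image` in values to a digest-pinned reference.
              # The mutable `:latest` default is only a fallback for existing
              # installs and gives no reproducibility or provenance.
              image: {{ .image | default "bitnami/kubectl:latest" | quote }}
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
              command:
                - /bin/sh
                - -euc
                - |
                  # Copy only what defines the Secret (type + data). Everything
                  # else in metadata is owned by the source API server and must
                  # not be replayed into the target (uid/resourceVersion would
                  # conflict, ownerReferences would let GC delete the copy,
                  # block-valued annotations cannot be stripped line-wise).
                  src_ns="{{ .sourceNamespace }}"
                  src_name="{{ .sourceSecretName }}"
                  dst_ns="{{ .targetNamespace }}"
                  dst_name="{{ .targetSecretName }}"

                  tmp=$(mktemp)
                  trap 'rm -f "$tmp"' EXIT

                  # kubectl prints map-valued jsonpath results as compact JSON,
                  # which is valid YAML flow syntax, so `data` can be embedded
                  # verbatim in the manifest below.
                  type=$(kubectl -n "$src_ns" get secret "$src_name" -o jsonpath='{.type}')
                  data=$(kubectl -n "$src_ns" get secret "$src_name" -o jsonpath='{.data}')
                  # A Secret with no data renders as an empty string; make the
                  # manifest explicit rather than emitting `data: null`.
                  [ -n "$data" ] || data='{}'

                  cat > "$tmp" <<EOF
                  apiVersion: v1
                  kind: Secret
                  metadata:
                    name: "$dst_name"
                    namespace: "$dst_ns"
                  type: "$type"
                  data: $data
                  EOF
                  kubectl -n "$dst_ns" apply -f "$tmp"
{{- end }}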