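---
# CronJob: google-manage-account-access
#
# Once an hour an init container runs
# `fence-create google-manage-account-access`; the `awshelper` container then
# reports the outcome to Slack. The two containers communicate through a marker
# file (/mnt/shared/success) on the `shared-data` emptyDir volume.
#
# NOTE(review): batch/v1beta1 CronJob is no longer served from Kubernetes 1.25;
# batch/v1 is available from 1.21. Move to batch/v1 once every target cluster
# is >= 1.21. (The earlier note here, "change to batch/v1beta1 once we bump to
# k8s 1.8", was already satisfied by the line below.)
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: google-manage-account-access
spec:
  schedule: "@hourly"
  # NOTE(review): concurrencyPolicy is not set, so the default (Allow) applies
  # and a run that takes longer than an hour can overlap the next one. Consider
  # `concurrencyPolicy: Forbid` if overlapping access updates are unsafe;
  # confirm with the fence maintainers.
  successfulJobsHistoryLimit: 2
  failedJobsHistoryLimit: 2
  jobTemplate:
    spec:
      # Retry limit was not supported when this was written. NOTE(review): the
      # Job field is spelled `backoffLimit` (lower-case "o"); the spelling
      # `backOffLimit` is not a recognised field.
      # backoffLimit: 3
      template:
        metadata:
          labels:
            app: gen3job
        spec:
          serviceAccountName: useryaml-job
          volumes:
            # -----------------------------------------------------------------
            # DEPRECATED! Remove when all commons are no longer using
            # local_settings.py for fence.
            # NOTE(review): every volume in this deprecated group places
            # another credential or config file inside the pod; dropping them
            # as soon as possible reduces what this job can read.
            # -----------------------------------------------------------------
            - name: old-config-volume
              secret:
                secretName: "fence-secret"
            - name: json-secret-volume
              secret:
                secretName: "fence-json-secret"
            - name: creds-volume
              secret:
                secretName: "fence-creds"
            - name: config-helper
              configMap:
                name: config-helper
            # -----------------------------------------------------------------
            - name: config-volume
              secret:
                secretName: "fence-config"
            - name: fence-google-app-creds-secret-volume
              secret:
                secretName: "fence-google-app-creds-secret"
            - name: fence-google-storage-creds-secret-volume
              secret:
                secretName: "fence-google-storage-creds-secret"
            - name: fence-yaml
              configMap:
                name: fence
            # Scratch space used only to pass the success marker from the init
            # container to the reporting container.
            - name: shared-data
              emptyDir: {}
          initContainers:
            - name: fence
              # Template placeholder, kept verbatim. Presumably the deploy
              # tooling replaces it with an `image: ...` line; until that
              # substitution happens this file is not valid YAML. Confirm
              # against the tooling that renders this template.
              GEN3_FENCE_IMAGE
              imagePullPolicy: Always
              env:
                - name: PYTHONPATH
                  value: /var/www/fence
              volumeMounts:
                # -------------------------------------------------------------
                # DEPRECATED! Remove when all commons are no longer using
                # local_settings.py for fence.
                # -------------------------------------------------------------
                - name: "old-config-volume"
                  readOnly: true
                  mountPath: "/var/www/fence/local_settings.py"
                  subPath: local_settings.py
                - name: "json-secret-volume"
                  readOnly: true
                  mountPath: "/var/www/fence/fence_credentials.json"
                  subPath: fence_credentials.json
                - name: "creds-volume"
                  readOnly: true
                  mountPath: "/var/www/fence/creds.json"
                  subPath: creds.json
                - name: "config-helper"
                  readOnly: true
                  mountPath: "/var/www/fence/config_helper.py"
                  subPath: config_helper.py
                # -------------------------------------------------------------
                - name: "config-volume"
                  readOnly: true
                  mountPath: "/var/www/fence/fence-config.yaml"
                  subPath: fence-config.yaml
                - name: "fence-google-app-creds-secret-volume"
                  readOnly: true
                  mountPath: "/var/www/fence/fence_google_app_creds_secret.json"
                  subPath: fence_google_app_creds_secret.json
                - name: "fence-google-storage-creds-secret-volume"
                  readOnly: true
                  mountPath: "/var/www/fence/fence_google_storage_creds_secret.json"
                  subPath: fence_google_storage_creds_secret.json
                # NOTE(review): unlike the mounts above, this one does not set
                # `readOnly: true`; add it unless something in the job is
                # expected to write to user.yaml.
                - name: "fence-yaml"
                  mountPath: "/var/www/fence/user.yaml"
                  subPath: user.yaml
                - name: shared-data
                  mountPath: /mnt/shared
              command: ["/bin/bash"]
              # The script deliberately never exits non-zero: a fence-create
              # failure is signalled by the ABSENCE of /mnt/shared/success so
              # that the awshelper container still starts and can alert.
              #
              # The exit status is captured in `rc` right away. Reading `$?`
              # inside the `if` body would report the status of the `[[ ]]`
              # test (always 0 on that branch) instead of fence-create's.
              #
              # NOTE(review): appending to /etc/resolv.conf needs a writable
              # root filesystem and write permission on that file, which rules
              # out `readOnlyRootFilesystem: true`. On clusters that support
              # pod-level `dnsConfig.options`, `use-vc` can be set there
              # declaratively instead.
              args:
                - "-c"
                - |
                  echo 'options use-vc' >> /etc/resolv.conf
                  fence-create google-manage-account-access
                  rc=$?
                  if [[ $rc != 0 ]]; then
                    echo "WARNING: non zero exit code: $rc"
                  else
                    touch /mnt/shared/success
                  fi
          containers:
            - name: awshelper
              env:
                # NOTE(review): a Slack incoming-webhook URL is itself a
                # credential (whoever holds it can post to the channel). It is
                # read from the `global` ConfigMap here; consider storing it in
                # a Secret and switching to `secretKeyRef`.
                - name: slackWebHook
                  valueFrom:
                    configMapKeyRef:
                      name: global
                      key: slack_webhook
                - name: gen3Env
                  valueFrom:
                    configMapKeyRef:
                      name: global
                      key: environment
              # NOTE(review): `master` is a mutable tag, so the code that
              # receives the webhook URL is not pinned. With a tag other than
              # `latest` and no imagePullPolicy the default is IfNotPresent, so
              # nodes may also keep running an older cached build. Prefer a
              # release tag or a digest, e.g.
              # quay.io/cdis/awshelper@sha256:<DIGEST-PLACEHOLDER>.
              image: quay.io/cdis/awshelper:master
              volumeMounts:
                - name: shared-data
                  mountPath: /mnt/shared
              command: ["/bin/bash"]
              # Posts JOBFAIL to Slack when the success marker is missing. On
              # success it posts only during the 09:00 hour (America/Chicago),
              # i.e. one "succeeded" message per day for the hourly schedule.
              #
              # `[ ${HOUR} -eq 09 ]` works because `[` parses its operands as
              # decimal; under `[[ ]]` or `(( ))` bash would reject 09 as an
              # invalid octal number, so keep the single-bracket form or strip
              # the leading zero if this is ever rewritten.
              args:
                - "-c"
                - |
                  if ! [ -f /mnt/shared/success ]; then
                    # AZ=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone)
                    # RE=${AZ::-1}
                    # aws --region ${RE} sns publish --message "google-manage-account-access failed for ${gen3Env}" --topic-arn <TOPIC ARN>
                    curl -X POST --data-urlencode "payload={\"text\": \"JOBFAIL: google-manage-account-access failed for ${gen3Env} \"}" "${slackWebHook}"
                  else
                    HOUR=$(TZ='America/Chicago' date "+%H")
                    if [ ${HOUR} -eq 09 ]; then
                      curl -X POST --data-urlencode "payload={\"text\": \"AWSHelper: google-manage-account-access succeeded for ${gen3Env} \"}" "${slackWebHook}"
                    fi
                  fi
          restartPolicy: Never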