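{{- /*
Helm post-install/post-upgrade hook Job.

Copies the cert-manager issued TLS secret ({{ .Values.tls.secretName }}) from the
release namespace into the `openshift-ingress` namespace under the same name, so the
cluster ingress router can be pointed at it, and then bumps an annotation on the
application's Route(s).

Rendered only when `tls.enabled` is true and `tls.secretName` is set.

Security notes:
  * The job's ServiceAccount (`serviceAccount.name`) needs: get on secrets in the
    release namespace, get on the `openshift-ingress` namespace, and create/patch on
    secrets in `openshift-ingress`. That is a cross-namespace write into a cluster
    infrastructure namespace — grant it with a tightly scoped Role/RoleBinding, not
    a cluster-wide role.
  * Private key material is handed to `oc apply` over stdin and never written to the
    container filesystem.
  * `oc apply` stores a copy of the Secret body in the
    `kubectl.kubernetes.io/last-applied-configuration` annotation of the target
    Secret; this is a second copy of the key inside the same Secret object, not an
    additional exposure.
*/}}
{{- if and (hasKey .Values "tls") (hasKey .Values.tls "enabled") .Values.tls.enabled (hasKey .Values.tls "secretName") }}
apiVersion: batch/v1
kind: Job
metadata:
  # Random suffix: every install/upgrade gets a fresh Job object instead of
  # colliding with (or silently reusing) a previous run.
  name: {{ template "landing.name" . }}-tls-sync-{{ randAlphaNum 5 | lower }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "landing.name" . }}
  annotations:
    # Informational: records which secret this run was synchronising. Annotating
    # the Job does not by itself re-run it when the certificate rotates — the
    # Helm hooks below are what trigger execution.
    cert-manager.io/certificate-name: {{ .Values.tls.secretName | quote }}
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-weight": "0"
    # Successful runs are removed; failed runs are kept so their logs can be read.
    "helm.sh/hook-delete-policy": hook-succeeded
spec:
  ttlSecondsAfterFinished: 3600
  backoffLimit: 10
  template:
    metadata:
      labels:
        app: {{ template "landing.name" . }}
    spec:
      serviceAccountName: {{ .Values.serviceAccount.name }}
      restartPolicy: OnFailure
      containers:
        - name: sync-tls-cert
          # Override `tls.syncImage` to pin the CLI image by digest or version tag;
          # the `latest` fallback is mutable and not reproducible (supply-chain risk).
          image: {{ .Values.tls.syncImage | default "registry.redhat.io/openshift4/ose-cli:latest" | quote }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          command:
            - /bin/bash
            - -c
            - |
              # Abort on any error, undefined variable, or failed pipeline stage so a
              # half-finished sync is reported as a Job failure rather than "success".
              set -euo pipefail

              SRC_NS="{{ .Release.Namespace }}"
              SECRET="{{ .Values.tls.secretName }}"
              DST_NS="openshift-ingress"

              echo "Waiting for certificate secret ${SECRET} in ${SRC_NS} to be ready..."
              # cert-manager creates the Secret only once the Certificate is issued;
              # poll up to MAX_ATTEMPTS * 10s (~5 minutes) before giving up.
              MAX_ATTEMPTS=30
              ATTEMPT=0
              while [ "$ATTEMPT" -lt "$MAX_ATTEMPTS" ]; do
                if oc get secret "$SECRET" -n "$SRC_NS" &>/dev/null; then
                  echo "Certificate secret found, proceeding with sync..."
                  break
                fi
                ATTEMPT=$((ATTEMPT+1))
                echo "Certificate secret not found yet, waiting... (Attempt ${ATTEMPT}/${MAX_ATTEMPTS})"
                sleep 10
              done
              if [ "$ATTEMPT" -eq "$MAX_ATTEMPTS" ]; then
                echo "Timed out waiting for certificate secret to be created."
                exit 1
              fi

              # The secret exists (the loop above saw it). Also confirm the target
              # namespace is reachable; a failure here is more likely missing RBAC
              # for the ServiceAccount than a genuinely absent namespace.
              echo "Checking access to required resources..."
              if ! oc get namespace "$DST_NS" &>/dev/null; then
                echo "Error: Cannot access ${DST_NS} namespace (missing or RBAC denied)!"
                exit 1
              fi

              echo "Extracting certificate data..."
              # Values are the base64 payloads as stored in the Secret; they are copied
              # verbatim, never decoded, so the key never appears in clear text.
              TLS_CRT=$(oc get secret "$SECRET" -n "$SRC_NS" -o jsonpath='{.data.tls\.crt}')
              TLS_KEY=$(oc get secret "$SECRET" -n "$SRC_NS" -o jsonpath='{.data.tls\.key}')
              if [ -z "$TLS_CRT" ] || [ -z "$TLS_KEY" ]; then
                echo "Error: Certificate data is missing from the secret!"
                exit 1
              fi

              echo "Creating or updating certificate secret in ${DST_NS} namespace..."
              # Feed the manifest to oc over stdin instead of a file under /tmp: no
              # private key on the container filesystem and no cleanup step that
              # `set -e` could skip on an earlier failure.
              if oc apply -f - <<EOF
              {
                "apiVersion": "v1",
                "kind": "Secret",
                "metadata": {
                  "name": "${SECRET}",
                  "namespace": "${DST_NS}",
                  "labels": {
                    "app": "{{ template "landing.name" . }}"
                  }
                },
                "type": "kubernetes.io/tls",
                "data": {
                  "tls.crt": "${TLS_CRT}",
                  "tls.key": "${TLS_KEY}"
                }
              }
              EOF
              then
                echo "TLS certificate synced successfully to ${DST_NS} namespace!"
              else
                echo "Error: Failed to sync TLS certificate to ${DST_NS} namespace!"
                exit 1
              fi

              # Bump a metadata annotation on the Route(s). NOTE(review): this is not a
              # documented OpenShift router annotation; it only changes the Route
              # object's metadata so controllers watching it reconcile again. The
              # router serves the synced secret only if the IngressController is
              # configured to reference it — confirm that wiring exists in the cluster.
              echo "Annotating routes to use the synced certificate..."
              STAMP=$(date +%s)
              oc annotate route {{ template "landing.routename" . }} -n "$SRC_NS" route.openshift.io/certificate-update="$STAMP" --overwrite
              {{- if and (hasKey .Values.ingress "www") (hasKey .Values.ingress.www "enabled") .Values.ingress.www.enabled }}
              oc annotate route {{ template "landing.routename" . }}-www -n "$SRC_NS" route.openshift.io/certificate-update="$STAMP" --overwrite
              {{- end }}

              echo "Certificate sync job completed successfully!"
{{- end }}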