|
| 1 | +{{- $secretName := printf "%s-%s" (include "main.fullname" .) "mongodb" }} |
| 2 | +{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName ) }} |
| 3 | + |
| 4 | +{{- if and (gt .Release.Revision 1) .Values.mongodb.enabled .Values.backup.enabled }} |
| 5 | +apiVersion: batch/v1 |
| 6 | +kind: Job |
| 7 | +metadata: |
| 8 | + name: {{ include "app.fullname" . }}-pre-db-backup |
| 9 | + labels: |
| 10 | + {{- include "app.labels" . | nindent 4 }} |
| 11 | + annotations: |
| 12 | + "helm.sh/hook": "pre-install,pre-upgrade,pre-rollback" |
| 13 | + "helm.sh/hook-delete-policy": "before-hook-creation" |
| 14 | + "helm.sh/hook-weight": "-6" |
| 15 | +spec: |
| 16 | + backoffLimit: 0 |
| 17 | + activeDeadlineSeconds: 1800 |
| 18 | + template: |
| 19 | + metadata: |
| 20 | + name: {{ include "app.fullname" . }}-pre-db-backup |
| 21 | + annotations: |
| 22 | + {{- $podAnnotations := merge (.Values.podAnnotations | default dict) (.Values.global.vault.podAnnotations | default dict) -}} |
| 23 | + {{- with $podAnnotations }} |
| 24 | + {{- toYaml . | nindent 8 }} |
| 25 | + {{- end }} |
| 26 | + vault.hashicorp.com/role: {{ .Values.global.vault.role }} |
| 27 | + vault.hashicorp.com/agent-inject-secret-secrets.env: {{ .Values.global.vault.role }}/{{ .Values.global.vault.subPath }} |
| 28 | + vault.hashicorp.com/agent-inject-template-secrets.env: | |
| 29 | + {{`{{ with secret "`}}{{ .Values.global.vault.role }}/{{ .Values.global.vault.subPath }}{{`" -}} |
| 30 | + export MONGOARCHIVE__AWS_ENDPOINT='{{ .Data.data.S3_ENDPOINT_URL }}' |
| 31 | + export MONGOARCHIVE__AWS_ACCESS_KEY_ID='{{ .Data.data.S3_ACCESS_KEY_ID }}' |
| 32 | + export MONGOARCHIVE__AWS_SECRET_ACCESS_KEY='{{ .Data.data.S3_SECRET_ACCESS_KEY }}' |
| 33 | + export MONGOARCHIVE__AWS_BUCKET='{{ .Data.data.S3_DB_BACKUP_BUCKET_NAME }}' |
| 34 | + {{- end }}`}} |
| 35 | + spec: |
| 36 | + activeDeadlineSeconds: 1800 |
| 37 | + restartPolicy: Never |
| 38 | + serviceAccountName: {{ default .Values.global.serviceAccountName .Values.serviceAccountName }} |
| 39 | + containers: |
| 40 | + - name: {{ include "app.fullname" . }}-pre-db-backup |
| 41 | + image: ghcr.io/egose/database-tools:0.11.1 |
| 42 | + imagePullPolicy: IfNotPresent |
| 43 | + command: [/bin/sh, -c] |
| 44 | + args: |
| 45 | + - | |
| 46 | + set -euo pipefail |
| 47 | + . "/vault/secrets/secrets.env" |
| 48 | + exec mongo-archive --db=pltsvc --read-preference=secondaryPreferred --force-table-scan --aws-s3-force-path-style=true |
| 49 | + env: |
| 50 | + - name: MONGOARCHIVE__URI |
| 51 | + value: "mongodb://pltsvc-mongodb-headless/?authSource=admin" |
| 52 | + - name: MONGO__USERNAME |
| 53 | + value: root |
| 54 | + - name: MONGO__PASSWORD |
| 55 | + valueFrom: |
| 56 | + secretKeyRef: |
| 57 | + name: {{ $secretName }} |
| 58 | + key: mongodb-root-password |
| 59 | + - name: MONGOARCHIVE__CRON |
| 60 | + value: "false" |
| 61 | + - name: MONGOARCHIVE__EXPIRY_DAYS |
| 62 | + value: "30" |
| 63 | + - name: MONGOARCHIVE__ROCKETCHAT_WEBHOOK_URL |
| 64 | + value: {{ if and $secret.data (index $secret.data "rocketchat-webhook-url") }}{{ b64dec (index $secret.data "rocketchat-webhook-url") }}{{ else }}{{ "" }}{{ end }} |
| 65 | + - name: MONGOARCHIVE__ROCKETCHAT_WEBHOOK_PREFIX |
| 66 | + value: {{ .Values.backup.rocketchatPrefix | quote }} |
| 67 | + - name: ROCKETCHAT_NOTIFY_ON_FAILURE_ONLY |
| 68 | + value: "true" |
| 69 | + resources: |
| 70 | + limits: |
| 71 | + cpu: 200m |
| 72 | + memory: 256Mi |
| 73 | + requests: |
| 74 | + cpu: 50m |
| 75 | + memory: 128Mi |
| 76 | +{{- end }} |
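Review bot: The `MONGOARCHIVE__ROCKETCHAT_WEBHOOK_URL` entry decodes the webhook URL at render time with `lookup` and `b64dec` and writes it as a literal `value:`, so the secret lands in clear text in the Job spec and the stored release manifest, readable by anyone who can get Jobs or Pods in the namespace; the `MONGO__PASSWORD` entry just above already avoids this with `secretKeyRef`. Referencing the same Secret key with `optional: true` keeps the URL out of the manifest and also removes two rendering problems on that line: the value is unquoted, and the else branch renders a bare `value:` (null) rather than an empty string. With `optional: true` a missing key leaves the variable unset instead of empty, which mongo-archive presumably treats the same way, but that is worth confirming. The `$secret` lookup on the second line would then be unused and can be dropped. Separately, the image is pinned by tag (`database-tools:0.11.1`) in a Job that holds the MongoDB root password and the S3 keys; pinning by digest would make the pulled content verifiable.

```yaml
            - name: MONGOARCHIVE__ROCKETCHAT_WEBHOOK_URL
              valueFrom:
                secretKeyRef:
                  name: {{ $secretName }}
                  key: rocketchat-webhook-url
                  # Job still starts when the key has not been created yet
                  optional: true
            # … unchanged: MONGOARCHIVE__ROCKETCHAT_WEBHOOK_PREFIX and following env entries …
```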