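# One-shot Job that runs the host-provisioner image.
#
# metadata.generateName is used instead of a fixed name, so every
# submission creates a new Job object; submit it with `kubectl create`
# (`kubectl apply` does not support generateName).
#
# SSH key handling, as wired up below:
#   * `ssh-agent` is an init container with restartPolicy: Always, i.e. a
#     sidecar that keeps running next to the later containers.
#   * `ssh-add` is the only container that mounts the private-key Secret.
#     It loads the key into the agent and exits.
#   * `host-provisioner` mounts the agent socket directory but not the key
#     Secret, so the workload can request signatures without being able
#     to read the key file.
apiVersion: batch/v1
kind: Job
metadata:
  generateName: host-provision-
  labels: &labels
    app.kubernetes.io/name: host-provisioner
    app.kubernetes.io/component: host-provisioner
spec:
  # With restartPolicy: Never below, a failed run is not retried.
  backoffLimit: 0
  template:
    metadata:
      labels: *labels
    spec:
      restartPolicy: Never
      # NOTE(review): nothing visible here needs the Kubernetes API. If
      # the provisioner does not call it, set
      # `automountServiceAccountToken: false` so no API token is mounted.
      initContainers:
        - name: ssh-agent
          # NOTE(review): no tag or digest, so this resolves to `latest`
          # and is pulled again on every run. Consider pinning, e.g.
          # `...@sha256:<digest-placeholder>`, so the image that gets to
          # use the SSH key and the AMQP client key is a reviewed one.
          image: &image git.pyrocufflink.net/infra/host-provisioner
          imagePullPolicy: Always
          command:
            - tini
            - ssh-agent
            - --
            - -D
            - -a
            - /run/ssh/agent.sock
          # Sidecar: stays up while ssh-add and the main container run.
          restartPolicy: Always
          securityContext:
            readOnlyRootFilesystem: true
            # Block setuid/file-capability escalation and drop every
            # capability; the pod already runs as non-root uid 1000.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - mountPath: /run/ssh
              name: tmp
              subPath: run/ssh
        - name: ssh-add
          image: *image
          command:
            - ssh-add
            # Agent forgets the key 30 minutes after it is added; a run
            # that is still opening SSH connections after that loses it.
            - -t
            - 30m
            - /run/secrets/ssh/host-provisioner.key
          env:
            - name: SSH_AUTH_SOCK
              value: /run/ssh/agent.sock
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - mountPath: /run/ssh
              name: tmp
              subPath: run/ssh
            # Only place the private key is mounted.
            - mountPath: /run/secrets/ssh
              name: provisioner-key
              readOnly: true
      containers:
        - name: host-provisioner
          image: *image
          env:
            - name: SSH_AUTH_SOCK
              value: /run/ssh/agent.sock
            - name: AMQP_HOST
              value: rabbitmq.pyrocufflink.blue
            # Env values must be strings, hence the quotes. 5671 is the
            # registered AMQP-over-TLS port.
            - name: AMQP_PORT
              value: '5671'
            - name: AMQP_CA_CERT
              value: /run/dch-ca/dch-root-ca.crt
            - name: AMQP_CLIENT_CERT
              value: /run/secrets/host-provisioner/rabbitmq/tls.crt
            - name: AMQP_CLIENT_KEY
              value: /run/secrets/host-provisioner/rabbitmq/tls.key
            # Presumably selects certificate-based (SASL EXTERNAL) login
            # instead of a password; confirm against the image.
            - name: AMQP_EXTERNAL_CREDENTIALS
              value: '1'
          securityContext:
            # Writable paths are limited to the emptyDir mounts below.
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            # Host keys come from a ConfigMap, mounted read-only.
            - mountPath: /etc/ssh/ssh_known_hosts
              name: ssh-known-hosts
              subPath: ssh_known_hosts
              readOnly: true
            - mountPath: /home/jenkins
              name: workspace
            - mountPath: /run/dch-ca
              name: dch-root-ca
              readOnly: true
            # Agent socket only; the key Secret is not mounted here.
            - mountPath: /run/ssh
              name: tmp
              subPath: run/ssh
            - mountPath: /run/secrets/host-provisioner/rabbitmq
              name: rabbitmq-cert
              readOnly: true
            - mountPath: /tmp
              name: tmp
              subPath: tmp
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        # Volumes get group 1000, which is how uid 1000 reads the
        # mode-0440 Secret files below.
        fsGroup: 1000
        # Apply the container runtime's default syscall filter.
        seccompProfile:
          type: RuntimeDefault
      volumes:
        - name: dch-root-ca
          configMap:
            name: dch-root-ca
        - name: provisioner-key
          secret:
            secretName: provisioner-ssh-key
            # Octal in Kubernetes YAML manifests (JSON would need decimal
            # 288). The field is an integer, so do not quote it.
            defaultMode: 0440
        - name: ssh-known-hosts
          configMap:
            name: ssh-known-hosts
        - name: rabbitmq-cert
          secret:
            secretName: rabbitmq-cert
            defaultMode: 0440
        # tmpfs: the agent socket and /tmp scratch data stay off node disk.
        # NOTE(review): no sizeLimit is set; tmpfs usage counts as memory,
        # so consider adding a bound.
        - name: tmp
          emptyDir:
            medium: Memory
        - name: workspace
          emptyDir: {}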