charts/osdu-developer-init/templates/partition-init.yaml (233 lines of code) (raw):
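{{- $enabled := eq (include "osdu-developer-init.isEnabled" .) "1" -}}
{{- $namespace := .Release.Namespace -}}
{{- if and $enabled .Values.jobs.partitionInit }}
---
# One-shot Job that registers the data partition with the partition service.
# The actual work runs in the `data-seed` init container (init.sh from the
# partition-init-script ConfigMap); the `sleep` container then runs for ten
# seconds and exits so the pod can complete.
apiVersion: batch/v1
kind: Job
metadata:
  name: partition-init
  # Quoted so a namespace that looks like a number or boolean stays a string.
  namespace: {{ $namespace | quote }}
spec:
  # The finished Job and its pod are cleaned up 120 seconds after completion.
  ttlSecondsAfterFinished: 120
  template:
    metadata:
      labels:
        # Opts the pod in to Azure Workload Identity. init.sh reads
        # AZURE_CLIENT_ID and AZURE_FEDERATED_TOKEN_FILE, which are not set
        # below and are presumably injected by the workload-identity webhook.
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: workload-identity-sa
      volumes:
        - name: script
          configMap:
            name: partition-init-script
            # Octal 0500: read + execute for the owner only.
            defaultMode: 0500
      initContainers:
        - name: data-seed
          # NOTE(review): mutable tag; pin by digest so the image that holds
          # the workload-identity token cannot change underneath the chart.
          # NOTE(review): init.sh runs `tdnf install`, so this container needs
          # to run as root; baking curl/jq into the image would allow
          # runAsNonRoot and a read-only root filesystem here.
          image: mcr.microsoft.com/azure-cli:cbl-mariner2.0
          command:
            # Absolute path: do not depend on the image's working directory.
            - /script/init.sh
          volumeMounts:
            - name: script
              mountPath: "/script"
          env:
            - name: NAMESPACE
              # Env values must be strings; quote guards against a namespace
              # that YAML would otherwise type as a number or boolean.
              value: {{ $namespace | quote }}
            - name: AZURE_TENANT_ID
              value: {{ .Values.tenantId | quote }}
            - name: AZURE_AD_APPLICATION_ID
              value: {{ .Values.clientId | quote }}
            - name: PARTITION
              value: {{ .Values.partition | quote }}
            - name: SERVICE_BUS_NAME
              value: {{ .Values.serviceBus | quote }}
      containers:
        - name: sleep
          # NOTE(review): no tag, so this resolves to `latest` from the default
          # registry; pin a specific version or digest.
          image: istio/base
          command: ["/bin/sleep", "10"]
          # sleep needs no privileges at all.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # NOTE(review): sleep does not read /script; drop this mount if
          # nothing else depends on it.
          volumeMounts:
            - name: script
              mountPath: "/script"
      restartPolicy: Never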
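---
# ConfigMap mounted at /script by the partition-init Job. Holds the partition
# definition (partition.json) and the script that posts it (init.sh).
apiVersion: v1
kind: ConfigMap
metadata:
  name: partition-init-script
  # Quoted so a namespace that looks like a number or boolean stays a string.
  namespace: {{ $namespace | quote }}
data:
  # NOTE(review): entries marked "sensitive": true carry identifiers, not
  # credentials; presumably the partition service resolves them from a secret
  # store (confirm). Real secret values must never be placed in this ConfigMap.
  partition.json: |
    {
      "properties": {
        "compliance-ruleset": {
          "value": "shared"
        },
        "elastic-endpoint": {
          "sensitive": true,
          "value": "elastic-endpoint"
        },
        "elastic-username": {
          "sensitive": true,
          "value": "elastic-username"
        },
        "elastic-password": {
          "sensitive": true,
          "value": "elastic-password"
        },
        "elastic-ssl-enabled": {
          "sensitive": false,
          "value": "false"
        },
        "cosmos-connection": {
          "sensitive": true,
          "value": "cosmos-connection"
        },
        "cosmos-endpoint": {
          "sensitive": true,
          "value": "cosmos-endpoint"
        },
        "cosmos-primary-key": {
          "sensitive": true,
          "value": "cosmos-primary-key"
        },
        "sb-connection": {
          "sensitive": true,
          "value": "sb-connection"
        },
        "sb-namespace": {
          "sensitive": true,
          "value": "sb-namespace"
        },
        "storage-account-key": {
          "sensitive": true,
          "value": "storage-key"
        },
        "storage-account-name": {
          "sensitive": true,
          "value": "storage"
        },
        "storage-account-blob-endpoint": {
          "sensitive": true,
          "value": "storage-account-blob-endpoint"
        },
        "ingest-storage-account-name": {
          "sensitive": true,
          "value": "ingest-storage"
        },
        "ingest-storage-account-key": {
          "sensitive": true,
          "value": "ingest-storage-key"
        },
        "hierarchical-storage-account-name": {
          "sensitive": true,
          "value": "hierarchical-storage"
        },
        "hierarchical-storage-account-key": {
          "sensitive": true,
          "value": "hierarchical-storage-key"
        },
        "eventgrid-recordstopic": {
          "sensitive": true,
          "value": "eventgrid-recordstopic"
        },
        "eventgrid-recordstopic-accesskey": {
          "sensitive": true,
          "value": "eventgrid-recordstopic-accesskey"
        },
        "eventgrid-legaltagschangedtopic": {
          "sensitive": true,
          "value": "eventgrid-legaltagschangedtopic"
        },
        "eventgrid-legaltagschangedtopic-accesskey": {
          "sensitive": true,
          "value": "eventgrid-legaltagschangedtopic-accesskey"
        },
        "eventgrid-resourcegroup": {
          "sensitive": true,
          "value": "eventgrid-resourcegroup"
        },
        "encryption-key-identifier": {
          "sensitive": true,
          "value": "encryption-key-identifier"
        },
        "sdms-storage-account-name": {
          "sensitive": true,
          "value": "sdms-storage"
        },
        "sdms-storage-account-key": {
          "sensitive": true,
          "value": "sdms-storage-key"
        },
        "eventgrid-schemanotificationtopic": {
          "sensitive": true,
          "value": "eventgrid-schemachangedtopic"
        },
        "eventgrid-schemanotificationtopic-accesskey": {
          "sensitive": true,
          "value": "eventgrid-schemachangedtopic-accesskey"
        },
        "eventgrid-gsmtopic": {
          "sensitive": true,
          "value": "eventgrid-statuschangedtopic"
        },
        "eventgrid-gsmtopic-accesskey": {
          "sensitive": true,
          "value": "eventgrid-statuschangedtopic-accesskey"
        },
        "eventgrid-statuschangedtopic": {
          "sensitive": true,
          "value": "eventgrid-statuschangedtopic"
        },
        "eventgrid-statuschangedtopic-accesskey": {
          "sensitive": true,
          "value": "eventgrid-statuschangedtopic-accesskey"
        },
        "eventgrid-schemachangedtopic": {
          "sensitive": true,
          "value": "eventgrid-schemachangedtopic"
        },
        "eventgrid-schemachangedtopic-accesskey": {
          "sensitive": true,
          "value": "eventgrid-schemachangedtopic-accesskey"
        },
        "reservoir-connection": {
          "sensitive": true,
          "value": "reservoir-conn"
        },
        "indexer-decimation-enabled": {
          "sensitive": false,
          "value": "true"
        }
      }
    }
  init.sh: |
    #!/usr/bin/env sh
    # Creates the data partition by POSTing partition.json to the partition
    # service. Exits 0 on 201 (created) or 409 (already exists), 1 otherwise.
    #
    # Written for POSIX sh, which the shebang asks for: no `pipefail`, no `==`.
    # -e aborts on the first failing command, -u on any unset variable.
    set -eu

    # NOTE(review): installing packages at run time needs root and network
    # access and pulls unpinned versions; prefer an image that ships curl/jq.
    tdnf install -y curl jq

    echo "=================================================================="
    echo " Logging in using Workload Identity"
    echo "=================================================================="

    # Login using the federated token file provided through the environment.
    # --output none keeps the account details out of the Job log.
    az login --federated-token "$(cat "${AZURE_FEDERATED_TOKEN_FILE}")" \
      --service-principal \
      -u "${AZURE_CLIENT_ID}" \
      -t "${AZURE_TENANT_ID}" \
      --output none

    # NOTE(review): this token's audience is Azure Resource Manager, and it is
    # then presented to the partition service over plain HTTP.
    # AZURE_AD_APPLICATION_ID is set on the container but never used; confirm
    # whether the token should be requested for that application instead, so
    # the credential sent in-cluster is not valid for the management plane.
    # Transport protection depends on the mesh, if any -- confirm.
    TOKEN=$(az account get-access-token --resource "https://management.azure.com/" --query accessToken -o tsv)

    # -w appends the 3-digit HTTP status to the response body. The URL and the
    # payload are quoted so values cannot be word-split or glob-expanded.
    OUTPUT=$(curl -s -w "%{http_code}" --request POST \
      --url "http://partition.{{ $namespace }}/api/partition/v1/partitions/${PARTITION}" \
      --header "Host: partition.{{ $namespace }}" \
      --header "accept: application/json" \
      --header "content-type: application/json" \
      --header "authorization: Bearer $TOKEN" \
      --header "data-partition-id: ${PARTITION}" \
      --data "$(jq -c '.' /script/partition.json)")

    # Split the trailing status code from the body without spawning a pipeline.
    BODY=${OUTPUT%???}
    HTTP_STATUS_CODE=${OUTPUT#"$BODY"}

    if [ "$HTTP_STATUS_CODE" = "201" ]; then
      echo "Success: $(echo "$BODY" | jq .)"
    elif [ "$HTTP_STATUS_CODE" = "409" ]; then
      # Already present: treated as success so the Job can be re-run safely.
      echo "Item already exists: $(echo "$BODY" | jq .)"
    else
      echo "Error: Unexpected HTTP status code $HTTP_STATUS_CODE"
      echo "Response body: $BODY"
      exit 1
    fi
    exit 0
{{- end }}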