# An example Job to run a certificate check of OpenShift's internal
# certificate status from within OpenShift.
#
# The generated reports are stored in a Persistent Volume using
# the playbook 'html_and_json_timestamp.yaml'.
#
# This example uses the openshift/origin-ansible container image.
# (see README_CONTAINER_IMAGE.md in the top level dir for more details).
#
# The following objects are expected to be configured before the creation
# of this Job:
#   - A ConfigMap named 'inventory' with a key named 'hosts' that
#     contains the the Ansible inventory file
#   - A Secret named 'sshkey' with a key named 'ssh-privatekey
#     that contains the ssh key to connect to the hosts
#   - A PersistentVolumeClaim named 'certcheck-reports' where the
#     generated reports are going to be stored
# (see examples/README.md for more details)
---
apiVersion: batch/v1
kind: Job
metadata:
  name: certificate-check
spec:
  parallelism: 1
  completions: 1
  template:
    metadata:
      name: certificate-check
    spec:
      containers:
      - name: openshift-ansible
        image: openshift/origin-ansible
        env:
        - name: PLAYBOOK_FILE
          value: playbooks/certificate_expiry/html_and_json_timestamp.yaml
        - name: INVENTORY_FILE
          value: /tmp/inventory/hosts       # from configmap vol below
        - name: ANSIBLE_PRIVATE_KEY_FILE    # from secret vol below
          value: /opt/app-root/src/.ssh/id_rsa/ssh-privatekey
        - name: CERT_EXPIRY_WARN_DAYS
          value: "45"      # must be a string, don't forget the quotes
        volumeMounts:
        - name: sshkey
          mountPath: /opt/app-root/src/.ssh/id_rsa
        - name: inventory
          mountPath: /tmp/inventory
        - name: reports
          mountPath: /var/lib/certcheck
      volumes:
      - name: sshkey
        secret:
          secretName: sshkey
      - name: inventory
        configMap:
          name: inventory
      - name: reports
        persistentVolumeClaim:
          claimName: certcheck-reports
      restartPolicy: Never