From 775a6e41124c2396fb120dc74845263d097756d7 Mon Sep 17 00:00:00 2001
From: Yisheng Cai <yisheng.cai@streamnative.io>
Date: Thu, 2 Nov 2023 10:21:45 +0800
Subject: [PATCH] [sn-platform] Avoid downloading in jwt secret int job (#1121)

* Remove kubectl download

* Make isito-proxy quit after job completed

* Apply to slim

* Fix curl when istio disabled
---
 .../toolset/jwt-secret-init-job.yaml          | 26 ++++++++++++++++--
 charts/sn-platform-slim/values.yaml           |  4 +++
 .../toolset/jwt-secret-init-job.yaml          | 27 +++++++++++++++++--
 charts/sn-platform/values.yaml                |  4 +++
 4 files changed, 57 insertions(+), 4 deletions(-)

diff --git a/charts/sn-platform-slim/templates/toolset/jwt-secret-init-job.yaml b/charts/sn-platform-slim/templates/toolset/jwt-secret-init-job.yaml
index 70c0c8119..74ed5189f 100644
--- a/charts/sn-platform-slim/templates/toolset/jwt-secret-init-job.yaml
+++ b/charts/sn-platform-slim/templates/toolset/jwt-secret-init-job.yaml
@@ -50,24 +50,44 @@ spec:
       - name: {{ template "pulsar.fullname" . }}-jwt-secret-init-config
         configMap:
           name: {{ template "pulsar.fullname" . }}-jwt-secret-init-config
+      - name: tmp
+        emptyDir: {}
+      initContainers:
+      - name: "kubectl"
+        image: "{{ .Values.images.toolset.kubectl.repository }}:{{ .Values.images.toolset.kubectl.tag }}"
+        imagePullPolicy: {{ .Values.images.toolset.kubectl.pullPolicy }}
+        command: ["cp", "/opt/bitnami/kubectl/bin/kubectl", "/tmp/binaries"]
+      {{- if .Values.toolset.resources }}
+        resources:
+{{ toYaml .Values.toolset.resources | indent 10 }}
+      {{- end }}
+        volumeMounts:
+         - name: tmp
+           mountPath: /tmp/binaries
+      {{- if .Values.toolset.securityContext }}
+      securityContext: {{- toYaml .Values.toolset.securityContext | nindent 8 }}
+      {{- end }}
       containers:
       - name: "{{ template "pulsar.fullname" . }}-jwt-secret-init"
         image: "{{ .Values.images.toolset.repository }}:{{ .Values.images.toolset.tag }}"
         imagePullPolicy: {{ .Values.images.toolset.pullPolicy }}
         command: ["bash", "-c"]
         args:
-          - >
-            curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl";
+          - |
+            set -ex;
+            cp /tmp/binaries/kubectl /pulsar/kubectl;
             chmod +x /pulsar/kubectl;
             mkdir -p scripts/pulsar;
             cp scripts/jwt-secret-config/* scripts/pulsar;
             chmod +x scripts/pulsar/*;
             usingSecretKey={{ .Values.auth.authentication.jwt.usingSecretKey }};
+            ls -lh scripts/pulsar/;
             if [ "${usingSecretKey}" = "true" ]; then
               ./scripts/pulsar/prepare_helm_release.sh -n {{ template "pulsar.namespace" . }} -k {{ .Release.Name }} --symmetric;
             else 
               ./scripts/pulsar/prepare_helm_release.sh -n {{ template "pulsar.namespace" . }} -k {{ .Release.Name }};
             fi;
+            curl -sf -XPOST http://127.0.0.1:15020/quitquitquit || true;
       {{- if .Values.toolset.resources }}
         resources:
 {{ toYaml .Values.toolset.resources | indent 10 }}
@@ -75,6 +95,8 @@ spec:
         volumeMounts:
         - mountPath: /pulsar/scripts/jwt-secret-config
           name: {{ template "pulsar.fullname" . }}-jwt-secret-init-config
+        - name: tmp
+          mountPath: /tmp/binaries
       restartPolicy: Never
       {{- if .Values.toolset.securityContext }}
       securityContext: {{- toYaml .Values.toolset.securityContext | nindent 8 }}
diff --git a/charts/sn-platform-slim/values.yaml b/charts/sn-platform-slim/values.yaml
index 4ca29391a..f9f918eb6 100644
--- a/charts/sn-platform-slim/values.yaml
+++ b/charts/sn-platform-slim/values.yaml
@@ -166,6 +166,10 @@ images:
       repository: busybox
       tag: "1.36.1-uclibc"
       pullPolicy: IfNotPresent
+    kubectl:
+      repository: bitnami/kubectl
+      tag: "1.28.3"
+      pullPolicy: IfNotPresent
   prometheus:
     repository: quay.io/prometheus/prometheus
     tag: "v2.43.0"
diff --git a/charts/sn-platform/templates/toolset/jwt-secret-init-job.yaml b/charts/sn-platform/templates/toolset/jwt-secret-init-job.yaml
index 70c0c8119..48a8b4ccc 100644
--- a/charts/sn-platform/templates/toolset/jwt-secret-init-job.yaml
+++ b/charts/sn-platform/templates/toolset/jwt-secret-init-job.yaml
@@ -50,24 +50,45 @@ spec:
       - name: {{ template "pulsar.fullname" . }}-jwt-secret-init-config
         configMap:
           name: {{ template "pulsar.fullname" . }}-jwt-secret-init-config
+      - name: tmp
+        emptyDir: {}
+      initContainers:
+      - name: "kubectl"
+        image: "{{ .Values.images.toolset.kubectl.repository }}:{{ .Values.images.toolset.kubectl.tag }}"
+        imagePullPolicy: {{ .Values.images.toolset.kubectl.pullPolicy }}
+        command: ["cp", "/opt/bitnami/kubectl/bin/kubectl", "/tmp/binaries"]
+      {{- if .Values.toolset.resources }}
+        resources:
+{{ toYaml .Values.toolset.resources | indent 10 }}
+      {{- end }}
+        volumeMounts:
+         - name: tmp
+           mountPath: /tmp/binaries
+      {{- if .Values.toolset.securityContext }}
+      securityContext: {{- toYaml .Values.toolset.securityContext | nindent 8 }}
+      {{- end }}
       containers:
       - name: "{{ template "pulsar.fullname" . }}-jwt-secret-init"
         image: "{{ .Values.images.toolset.repository }}:{{ .Values.images.toolset.tag }}"
         imagePullPolicy: {{ .Values.images.toolset.pullPolicy }}
         command: ["bash", "-c"]
         args:
-          - >
-            curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl";
+          - |
+            set -ex;
+            cp /tmp/binaries/kubectl /pulsar/kubectl;
             chmod +x /pulsar/kubectl;
             mkdir -p scripts/pulsar;
             cp scripts/jwt-secret-config/* scripts/pulsar;
             chmod +x scripts/pulsar/*;
             usingSecretKey={{ .Values.auth.authentication.jwt.usingSecretKey }};
+            ls -lh scripts/pulsar/;
             if [ "${usingSecretKey}" = "true" ]; then
               ./scripts/pulsar/prepare_helm_release.sh -n {{ template "pulsar.namespace" . }} -k {{ .Release.Name }} --symmetric;
             else 
               ./scripts/pulsar/prepare_helm_release.sh -n {{ template "pulsar.namespace" . }} -k {{ .Release.Name }};
             fi;
+
+            curl -sf -XPOST http://127.0.0.1:15020/quitquitquit || true;
       {{- if .Values.toolset.resources }}
         resources:
 {{ toYaml .Values.toolset.resources | indent 10 }}
@@ -75,6 +96,8 @@ spec:
         volumeMounts:
         - mountPath: /pulsar/scripts/jwt-secret-config
           name: {{ template "pulsar.fullname" . }}-jwt-secret-init-config
+        - name: tmp
+          mountPath: /tmp/binaries
       restartPolicy: Never
       {{- if .Values.toolset.securityContext }}
       securityContext: {{- toYaml .Values.toolset.securityContext | nindent 8 }}
diff --git a/charts/sn-platform/values.yaml b/charts/sn-platform/values.yaml
index b26aa115d..26b257fab 100644
--- a/charts/sn-platform/values.yaml
+++ b/charts/sn-platform/values.yaml
@@ -193,6 +193,10 @@ images:
       repository: busybox
       tag: "1.36.1-uclibc"
       pullPolicy: IfNotPresent
+    kubectl:
+      repository: bitnami/kubectl
+      tag: "1.28.3"
+      pullPolicy: IfNotPresent
   prometheus:
     repository: quay.io/prometheus/prometheus
     tag: "v2.43.0"