move deployment restart to kube cronjob

.github/workflows/deploy-chart.yaml

@@ -4,7 +4,7 @@ on:
   push:
     branches: [master]
     paths:
-      - 'kubernetes/charts/base/chart/**/*.*'
+      - 'kubernetes/charts/base/chart*/**/*.*'
   workflow_dispatch:
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

kubernetes/charts/base/chart-cronjob/templates/cronjob.yaml

@@ -12,6 +12,7 @@ spec:
     spec:
       template:
         spec:
+          serviceAccountName: {{ .Values.serviceAccountName }}
           containers:
            {{ range .Values.containers }}
             - name: {{ .name }}

kubernetes/clusters/snikt/README.md

@@ -33,9 +33,13 @@ kubectl taint nodes fringe-division storage-required=true:NoSchedule
 | [helm_release.jobs_fringe_division](https://registry.terraform.io/providers/hashicorp/helm/2.12.1/docs/resources/release) | resource |
 | [helm_release.livegrep_indexer](https://registry.terraform.io/providers/hashicorp/helm/2.12.1/docs/resources/release) | resource |
 | [helm_release.this](https://registry.terraform.io/providers/hashicorp/helm/2.12.1/docs/resources/release) | resource |
+| [kubernetes_cluster_role.deployment_restart](https://registry.terraform.io/providers/hashicorp/kubernetes/2.25.2/docs/resources/cluster_role) | resource |
+| [kubernetes_cluster_role_binding.readonly](https://registry.terraform.io/providers/hashicorp/kubernetes/2.25.2/docs/resources/cluster_role_binding) | resource |
 | [kubernetes_config_map.configmaps](https://registry.terraform.io/providers/hashicorp/kubernetes/2.25.2/docs/resources/config_map) | resource |
 | [kubernetes_namespace.this](https://registry.terraform.io/providers/hashicorp/kubernetes/2.25.2/docs/resources/namespace) | resource |
+| [kubernetes_secret.deployment_restart](https://registry.terraform.io/providers/hashicorp/kubernetes/2.25.2/docs/resources/secret) | resource |
 | [kubernetes_secret.secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/2.25.2/docs/resources/secret) | resource |
+| [kubernetes_service_account.deployment_restart](https://registry.terraform.io/providers/hashicorp/kubernetes/2.25.2/docs/resources/service_account) | resource |
 | [sops_file.configmaps](https://registry.terraform.io/providers/carlpett/sops/1.0.0/docs/data-sources/file) | data source |
 | [sops_file.livegrep](https://registry.terraform.io/providers/carlpett/sops/1.0.0/docs/data-sources/file) | data source |
 | [sops_file.secrets](https://registry.terraform.io/providers/carlpett/sops/1.0.0/docs/data-sources/file) | data source |

kubernetes/clusters/snikt/cronjobs.tf

@@ -9,6 +9,7 @@ locals {
       "backup-wallabag-content",
       "backup-wallabag-db",
       "ddns",
+      "restart-livegrep",
       "water-cut-notify",
     ]
     jobs-family-alerts = [

kubernetes/clusters/snikt/helm/jobs/jobs/restart-livegrep.yaml

@@ -0,0 +1,15 @@
+---
+# https://stackoverflow.com/a/58378834
+
+name: restart-livegrep
+schedule: "1 0 * * *"
+
+serviceAccountName: sa-deployment-restart
+containers:
+  - name: kubectl
+    repository: bitnami/kubectl
+    tag: 1.30.3
+    command: ["sh", "-c"]
+    args:
+      - |
+        kubectl rollout restart deploy livegrep-backend --namespace tools

kubernetes/clusters/snikt/k8s_sa_deployment_restart.tf

@@ -0,0 +1,49 @@
+# ------------------------ service account ------------------------ #
+resource "kubernetes_secret" "deployment_restart" {
+  metadata {
+    annotations = {
+      "kubernetes.io/service-account.name" = kubernetes_service_account.deployment_restart.metadata.0.name
+    }
+    namespace = "jobs"
+    name      = "${kubernetes_service_account.deployment_restart.metadata.0.name}-token"
+  }
+  type                           = "kubernetes.io/service-account-token"
+  wait_for_service_account_token = true
+}
+resource "kubernetes_service_account" "deployment_restart" {
+  metadata {
+    name      = "sa-deployment-restart"
+    namespace = "jobs"
+  }
+}
+
+# ------------------------ cluster role ------------------------ #
+resource "kubernetes_cluster_role" "deployment_restart" {
+  metadata {
+    name = "cr-deployment-restart"
+  }
+
+  rule {
+    api_groups     = ["apps", "extensions"]
+    resources      = ["deployments"]
+    resource_names = ["livegrep-backend"]
+    verbs          = ["get", "patch", "list", "watch"]
+  }
+}
+
+# ------------------------ cluster role binding ------------------------ #
+resource "kubernetes_cluster_role_binding" "readonly" {
+  metadata {
+    name = "crb-deployment-restart"
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = kubernetes_cluster_role.deployment_restart.metadata.0.name
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account.deployment_restart.metadata.0.name
+    namespace = "jobs"
+  }
+}

scripts/daily_cleanup.sh

@@ -15,8 +15,3 @@ echo "$WALLABAG_STATEFULSET_POD_NAME"
 kubectl exec "$WALLABAG_POD_NAME" -c wallabag -- php /var/www/wallabag/bin/console wallabag:clean-duplicates --env=prod
 kubectl exec "$WALLABAG_POD_NAME" -c wallabag -- php /var/www/wallabag/bin/console wallabag:clean-downloaded-images --env=prod
 kubectl exec "$WALLABAG_STATEFULSET_POD_NAME" -c postgres -- psql -U wallabag -d wallabag -c "DELETE FROM wallabag_entry WHERE is_archived = 't' AND is_starred = 'f';"
-
-# ------- livegrep -------
-kubectl config use-context snikt
-kubectl config set-context --current --namespace=tools
-kubectl rollout restart deploy livegrep-backend