infra/stacks/k8s-version-upgrade/job-template.yaml

# k8s-upgrade-chain Job template.
#
# Rendered by `envsubst` inside upgrade-step.sh (and the detection CronJob)
# before `kubectl apply`. All ${VAR} placeholders are envsubst-side; this file
# is NOT processed by Terraform.
#
# Required environment for envsubst:
#   JOB_NAME            unique-per-(phase, target_version[, target_node])
#   PHASE_NEXT          phase the Job runs (preflight|master|worker|postflight)
#   TARGET_NODE_NEXT    node the Job operates on (empty for preflight/postflight)
#   TARGET_VERSION      X.Y.Z
#   TARGET_VERSION_LABEL  X-Y-Z (label-safe)
#   KIND                patch | minor
#   IMAGE               container image to run upgrade-step.sh
#   SCHEDULING_BLOCK    YAML fragment with nodeSelector/tolerations (may be empty)
#
# Idempotency: name is deterministic per (phase, target_version[, target_node])
# so `kubectl apply` reconciles to a single Job per run.
apiVersion: batch/v1
kind: Job
metadata:
  name: ${JOB_NAME}
  namespace: k8s-upgrade
  labels:
    app: k8s-upgrade-chain
    phase: ${PHASE_NEXT}
    target-version: "${TARGET_VERSION_LABEL}"
spec:
  ttlSecondsAfterFinished: 604800   # 7 days for postmortem review
  backoffLimit: 1
  template:
    metadata:
      labels:
        app: k8s-upgrade-chain
        phase: ${PHASE_NEXT}
    spec:
      serviceAccountName: k8s-upgrade-job
      restartPolicy: Never
${SCHEDULING_BLOCK}
      imagePullSecrets:
        - name: registry-credentials
      containers:
        - name: upgrade-step
          image: ${IMAGE}
          env:
            - name: PHASE
              value: "${PHASE_NEXT}"
            - name: TARGET_NODE
              value: "${TARGET_NODE_NEXT}"
            - name: TARGET_VERSION
              value: "${TARGET_VERSION}"
            - name: KIND
              value: "${KIND}"
            - name: IMAGE
              value: "${IMAGE}"
            - name: HOME
              value: "/tmp"
          command: ["/bin/bash", "/scripts/upgrade-step.sh"]
          volumeMounts:
            - name: creds
              mountPath: /secrets/k8s-upgrade
              readOnly: true
            - name: scripts
              mountPath: /scripts
              readOnly: true
            - name: template
              mountPath: /template
              readOnly: true
          resources:
            requests:
              cpu: "100m"
              memory: "256Mi"
            limits:
              memory: "512Mi"
      volumes:
        - name: creds
          secret:
            secretName: k8s-upgrade-creds
            # 0444 so the non-root container can read; upgrade-step.sh copies
            # the SSH key to /tmp/ssh_key with mode 0400 for openssh.
            defaultMode: 0444
        - name: scripts
          configMap:
            name: k8s-upgrade-scripts
            defaultMode: 0755
        - name: template
          configMap:
            name: k8s-upgrade-job-template
fix: restore tree dropped by 6d224861; land stem95su gdrive-sync (10m) [ci skip] 6d224861 came from a --no-checkout worktree whose empty index made the commit drop every file except two. This restores 05b50d2b's full tree and correctly adds stacks/stem95su/gdrive-sync.tf + the service-catalog stem95su entry. Forward-only (parent=6d224861, no force-push); [ci skip] since the live infra was never applied from the broken commit. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-09 08:45:33 +00:00			`# k8s-upgrade-chain Job template.`
			`#`
			# Rendered by `envsubst` inside upgrade-step.sh (and the detection CronJob)
			# before `kubectl apply`. All ${VAR} placeholders are envsubst-side; this file
			`# is NOT processed by Terraform.`
			`#`
			`# Required environment for envsubst:`
			`# JOB_NAME unique-per-(phase, target_version[, target_node])`
			`# PHASE_NEXT phase the Job runs (preflight\|master\|worker\|postflight)`
			`# TARGET_NODE_NEXT node the Job operates on (empty for preflight/postflight)`
			`# TARGET_VERSION X.Y.Z`
			`# TARGET_VERSION_LABEL X-Y-Z (label-safe)`
			`# KIND patch \| minor`
			`# IMAGE container image to run upgrade-step.sh`
			`# SCHEDULING_BLOCK YAML fragment with nodeSelector/tolerations (may be empty)`
			`#`
			`# Idempotency: name is deterministic per (phase, target_version[, target_node])`
			# so `kubectl apply` reconciles to a single Job per run.
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
			`name: ${JOB_NAME}`
			`namespace: k8s-upgrade`
			`labels:`
			`app: k8s-upgrade-chain`
			`phase: ${PHASE_NEXT}`
			`target-version: "${TARGET_VERSION_LABEL}"`
			`spec:`
			`ttlSecondsAfterFinished: 604800 # 7 days for postmortem review`
			`backoffLimit: 1`
			`template:`
			`metadata:`
			`labels:`
			`app: k8s-upgrade-chain`
			`phase: ${PHASE_NEXT}`
			`spec:`
			`serviceAccountName: k8s-upgrade-job`
			`restartPolicy: Never`
			`${SCHEDULING_BLOCK}`
			`imagePullSecrets:`
			`- name: registry-credentials`
			`containers:`
			`- name: upgrade-step`
			`image: ${IMAGE}`
			`env:`
			`- name: PHASE`
			`value: "${PHASE_NEXT}"`
			`- name: TARGET_NODE`
			`value: "${TARGET_NODE_NEXT}"`
			`- name: TARGET_VERSION`
			`value: "${TARGET_VERSION}"`
			`- name: KIND`
			`value: "${KIND}"`
			`- name: IMAGE`
			`value: "${IMAGE}"`
			`- name: HOME`
			`value: "/tmp"`
			`command: ["/bin/bash", "/scripts/upgrade-step.sh"]`
			`volumeMounts:`
			`- name: creds`
			`mountPath: /secrets/k8s-upgrade`
			`readOnly: true`
			`- name: scripts`
			`mountPath: /scripts`
			`readOnly: true`
			`- name: template`
			`mountPath: /template`
			`readOnly: true`
			`resources:`
			`requests:`
			`cpu: "100m"`
			`memory: "256Mi"`
			`limits:`
			`memory: "512Mi"`
			`volumes:`
			`- name: creds`
			`secret:`
			`secretName: k8s-upgrade-creds`
			`# 0444 so the non-root container can read; upgrade-step.sh copies`
			`# the SSH key to /tmp/ssh_key with mode 0400 for openssh.`
			`defaultMode: 0444`
			`- name: scripts`
			`configMap:`
			`name: k8s-upgrade-scripts`
			`defaultMode: 0755`
			`- name: template`
			`configMap:`
			`name: k8s-upgrade-job-template`