initial import

cronjob.yaml

@@ -0,0 +1,59 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: distributor
+  namespace: wildcard-tls
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: wildcard-tls:distributor
+rules:
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: wildcard-tls:distributor
+subjects:
+- kind: ServiceAccount
+  name: distributor
+  namespace: wildcard-tls
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: wildcard-tls:distributor
+---
+apiVersion: argoproj.io/v1alpha1
+kind: CronWorkflow
+metadata:
+  name: wildcard-tls-distributor
+  namespace: wildcard-tls
+spec:
+  schedules:
+    - "* * * * *"
+  concurrencyPolicy: "Replace"
+  startingDeadlineSeconds: 0
+  workflowSpec:
+    entrypoint: distribute
+    serviceAccountName: distributor
+    templates:
+    - name: distribute
+      script:
+        image: git.strudelline.net/cascade/tools:latest
+        command: ["bash"]
+        imagePullPolicy: Always
+        source: |
+          NEWSECRET="$(kubectl -o yaml get secret wildcard-tls | yq '
+            .metadata |= del(.labels, .creationTimestamp, .resourceVersion, .uid, .namespace)
+          ')"
+          kubectl get namespace -l 'x-wildcard-tls/copy notin (no)' -o name |
+          while read -r namespace;do
+            echo "$NEWSECRET" | kubectl apply --force -n "${namespace#namespace/}" -f -
+          done