ssl-hep · MattShirley · Nov 17, 2025 · Nov 18, 2025
diff --git a/helm/servicex/templates/x509-secrets/cronjob.yaml b/helm/servicex/templates/x509-secrets/cronjob.yaml
@@ -0,0 +1,69 @@
+{{- if not .Values.noCerts }}
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: x509-secrets
+spec:
+  schedule: "0 */6 * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            app: x509-secrets
+        spec:
+          serviceAccountName: {{ template "servicex.fullname" . }}
+          restartPolicy: OnFailure
+          # Before launching the main container, copy the certs and set their permissions accordingly
+          initContainers:
+            - name: take-data-dir-ownership
+              image: {{ .Values.x509Secrets.initImage }}
+              command: ["/bin/sh","-c"]
+              args: ["cp /etc/grid-certs-ro/usercert.pem /etc/grid-certs; chmod 600 /etc/grid-certs/usercert.pem; cp /etc/grid-certs-ro/userkey.pem /etc/grid-certs; chmod 400 /etc/grid-certs/userkey.pem"]
+              env:
+                - name: INSTANCE_NAME
+                  value: {{ .Release.Name }}
+              volumeMounts:
+              - name: grid-certs-rw-copy
+                mountPath: /etc/grid-certs/
+              - name: grid-secret
+                mountPath: /etc/grid-certs-ro/
+          containers:
+          - name: x509-secrets
+            image: {{ .Values.x509Secrets.image }}:{{ .Values.x509Secrets.tag }}
+            command: ["bash","-c"]
+            args: ["python3 x509_updater.py --secret x509-proxy --voms {{ .Values.x509Secrets.vomsOrg }}"]
+            env:
+              - name: MY_POD_NAME
+                valueFrom:
+                  fieldRef:
+                    fieldPath: metadata.name
+              - name: MY_POD_NAMESPACE
+                valueFrom:
+                  fieldRef:
+                    fieldPath: metadata.namespace
+            tty: true
+            stdin: true
+            imagePullPolicy: {{ .Values.x509Secrets.pullPolicy }}
+            volumeMounts:
+              - name: grid-certs-rw-copy
+                mountPath: /etc/grid-certs/
+              - name: grid-secret
+                mountPath: /etc/grid-certs-ro/
+
+          volumes:
+            # Mount the usercert, userkey, and passphrase file. These will have the
+            # wrong permissions to be used for generating the voms proxy
+            - name: grid-secret
+              secret:
+                secretName: grid-certs-secret  # Installed via servicex command line
+
+            # Create an empty dir to share between the init container and the main
+            # container. The init container will copy the certs from grid-secret
+            # to this dir and set the correct permissions
+            - name: grid-certs-rw-copy
+              emptyDir: {}
+
+{{- end }}
diff --git a/helm/servicex/templates/x509-secrets/deployment.yaml b/helm/servicex/templates/x509-secrets/deployment.yaml
diff --git a/helm/servicex/templates/x509-secrets/install-job.yaml b/helm/servicex/templates/x509-secrets/install-job.yaml
@@ -0,0 +1,74 @@
+{{- if not .Values.noCerts }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: x509-secrets-init
+  labels:
+    app: x509-secrets
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "5"
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  backoffLimit: 3
+  template:
+    metadata:
+      labels:
+        app: x509-secrets
+    spec:
+      serviceAccountName: {{ template "servicex.fullname" . }}
+      restartPolicy: OnFailure
+
+      initContainers:
+        - name: take-data-dir-ownership
+          image: {{ .Values.x509Secrets.initImage }}
+          command: ["/bin/sh","-c"]
+          args:
+            - >
+              cp /etc/grid-certs-ro/usercert.pem /etc/grid-certs;
+              chmod 600 /etc/grid-certs/usercert.pem;
+              cp /etc/grid-certs-ro/userkey.pem /etc/grid-certs;
+              chmod 400 /etc/grid-certs/userkey.pem
+          env:
+            - name: INSTANCE_NAME
+              value: {{ .Release.Name }}
+          volumeMounts:
+            - name: grid-certs-rw-copy
+              mountPath: /etc/grid-certs/
+            - name: grid-secret
+              mountPath: /etc/grid-certs-ro/
+
+      containers:
+        - name: x509-secrets
+          image: {{ .Values.x509Secrets.image }}:{{ .Values.x509Secrets.tag }}
+          command: ["bash","-c"]
+          args: ["python3 x509_updater.py --secret x509-proxy --voms {{ .Values.x509Secrets.vomsOrg }}"]
+          env:
+            - name: MY_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: MY_POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          tty: true
+          stdin: true
+          imagePullPolicy: {{ .Values.x509Secrets.pullPolicy }}
+          volumeMounts:
+            - name: grid-certs-rw-copy
+              mountPath: /etc/grid-certs/
+            - name: grid-secret
+              mountPath: /etc/grid-certs-ro/
+
+      volumes:
+        - name: grid-secret
+          secret:
+            secretName: grid-certs-secret
+
+        - name: grid-certs-rw-copy
+          emptyDir: {}
+
+{{- end }}