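{{ if .Values.cluster_config.nodes }}
---
# One-shot Job that applies the labels and taints listed under
# .Values.cluster_config.nodes by running the generated script from the
# label-and-taint-scripts ConfigMap with kubectl.
# NOTE(review): this Job carries no Helm hook annotation and its own spec does
# not change when the node list changes, so it presumably will not re-run on
# upgrade - confirm this is the intended lifecycle.
apiVersion: batch/v1
kind: Job
metadata:
  name: label-and-taint-nodes
  namespace: kube-system
spec:
  backoffLimit: 1
  template:
    metadata:
      annotations:
        # Linkerd's opt-out value is "disabled"; "disable" is not a recognised
        # value. An injected proxy would also keep the Job pod from completing.
        linkerd.io/inject: disabled
    spec:
      restartPolicy: Never
      serviceAccountName: label-and-taint-nodes
      securityContext:
        runAsUser: 12000
        runAsGroup: 13000
        fsGroup: 10000
        # Make the non-root requirement explicit instead of relying on the UID.
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      # Explicit empty mapping instead of a bare key (which parses as null).
      affinity: {}
      tolerations:
        - key: unschedulable
          value: "true"
          effect: NoSchedule
      containers:
        # NOTE(review): a tag is mutable; pin by digest for a pod that holds
        # cluster-wide node write access, e.g.
        #   bitnami/kubectl:1.24@sha256:<digest-placeholder>
        - image: bitnami/kubectl:1.24
          name: kubectl
          # NOTE(review): no requests/limits are set.
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            # kubectl only talks to the API server; it needs no capabilities.
            capabilities:
              drop:
                - ALL
          command:
            - /bin/sh
            - -c
            - /tmp/scripts/script.sh
          volumeMounts:
            - name: scripts
              mountPath: /tmp/scripts
      volumes:
        - name: scripts
          configMap:
            name: label-and-taint-scripts
            # Octal (decimal 493) so the script is executable. The API field is
            # an integer, so this value must stay unquoted.
            defaultMode: 0755
---
# Script executed by the Job above. The node name and every label/taint are
# passed through Helm's quote function so each reaches kubectl as a single
# argument. The shell still expands "$" and backticks inside double quotes, so
# cluster_config.nodes must only ever come from trusted chart values.
# NOTE(review): the script has no "set -e"; a failing kubectl call does not
# stop later ones and only the last exit status decides the Job result.
apiVersion: v1
data:
  script.sh: |
    #! /bin/bash
    {{- range $node := .Values.cluster_config.nodes }}
    {{- range .labels }}
    kubectl label nodes --overwrite=true {{ $node.name | quote }} {{ . | quote }}
    {{- end }}
    {{- range .taints }}
    kubectl taint nodes --overwrite=true {{ $node.name | quote }} {{ . | quote }}
    {{- end }}
    {{- end }}
kind: ConfigMap
metadata:
  name: label-and-taint-scripts
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: label-and-taint-nodes
  namespace: kube-system
---
# Cluster-wide write access to every Node object, held by a service account in
# kube-system.
# NOTE(review): the script only addresses nodes by name. Check whether "list"
# and "update" are needed, and whether the get/patch rule can be narrowed with
# resourceNames built from the configured node names.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: label-and-taint-nodes
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - update
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: label-and-taint-nodes
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: label-and-taint-nodes
subjects:
  - kind: ServiceAccount
    name: label-and-taint-nodes
    namespace: kube-system
{{ end }}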