fix: properly checks presence of mounted secrets

removes ns from kustomize resources as it will be anyway replaced when running the job

service-mesh/control-plane/base/init-job-rbac/job-rolebinding.yaml

@@ -2,26 +2,34 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: init-job-creator
-  namespace: istio-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: init-job-create
 subjects:
   - kind: ServiceAccount
     name: init-job-executor
-    namespace: istio-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: init-job-reader
-  namespace: istio-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: init-job-read
 subjects:
   - kind: ServiceAccount
     name: init-job-executor
-    namespace: istio-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: init-job-pod-executor
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: init-job-pod-operations
+subjects:
+  - kind: ServiceAccount
+    name: init-job-executor

service-mesh/control-plane/base/init-job-rbac/job-sa.yaml

@@ -2,4 +2,3 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: init-job-executor
-  namespace: istio-system

service-mesh/control-plane/base/init-job-rbac/pod-executor-roles.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: init-job-pod-operations
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods/log
+      - pods/exec
+    verbs:
+      - get
+      - list
+      - create
+      - delete

service-mesh/control-plane/base/init-job-rbac/resource-create-roles.yaml

@@ -45,4 +45,4 @@ rules:
     verbs:
       - create
       - update
-      - patch
+      - patch

service-mesh/control-plane/base/init-job-rbac/resource-read-roles.yaml

@@ -72,4 +72,4 @@ rules:
     verbs:
       - get
       - watch
-      - list
+      - list

service-mesh/control-plane/base/init-job.yaml

@@ -74,14 +74,18 @@ spec:
             # Ensure secrets are mounted in ingress-gateway. If not, restart the pod.
             kubectl wait pods -l app=istio-ingressgateway --for condition=ready -n ${ISTIO_NAMESPACE}
 
-            if kubectl exec $(kubectl get pods -n ${ISTIO_NAMESPACE} \
-              -l app=istio-egressgateway \
-              -o jsonpath='{.items[*].metadata.name}') \
-              -n ${ISTIO_NAMESPACE} \
-              -c istio-proxy -- ls -al /etc/istio/odh-oauth2 2>&1 | grep -q 'No such file or directory'; then
+            INGRESS_POD=$(kubectl get pods -n ${ISTIO_NAMESPACE} -l app=istio-ingressgateway -o jsonpath='{.items[0].metadata.name}')
+            EXEC_OUTPUT=$(kubectl exec $INGRESS_POD -n ${ISTIO_NAMESPACE} -c istio-proxy -- ls -al /etc/istio/odh-oauth2/{token-secret.yaml,hmac-secret.yaml} 2>&1)
+            EXEC_EXIT_STATUS=$?
+
+            if echo $EXEC_OUTPUT | grep -q 'No such file or directory'; then
               # If we don't see the secrets mounted, restart deployment.
               kubectl rollout restart deployment -n ${ISTIO_NAMESPACE} istio-ingressgateway
+            elif [[ $EXEC_EXIT_STATUS -ne 0 ]]; then
+              echo "Failed with: $EXEC_OUTPUT"
+              exit 1
             fi
+
             exit 0
             
         volumeMounts:

service-mesh/control-plane/base/kustomization.yaml

@@ -8,6 +8,7 @@ resources:
 - init-job.yaml
 - init-job-rbac/resource-read-roles.yaml
 - init-job-rbac/resource-create-roles.yaml
+- init-job-rbac/pod-executor-roles.yaml
 - init-job-rbac/job-rolebinding.yaml
 - init-job-rbac/job-sa.yaml
 - cert-secret.yaml