---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cronjob-serviceaccount
  namespace: ara
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-patch-role
  namespace: ara
rules:
  - apiGroups: ["", "extensions", "networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-patch-rolebinding
  namespace: ara
subjects:
  - kind: ServiceAccount
    name: cronjob-serviceaccount
    namespace: ara
roleRef:
  kind: Role
  name: ingress-patch-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: update-ingress-whitelist
  namespace: ara
spec:
  schedule: '@hourly'
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: cronjob-serviceaccount
          restartPolicy: Never
          containers:
            - name: update-ingress-whitelist
              image: portainer/kubectl-shell
              command:
                - /bin/bash
                - -c
                - |
                  date
                  DOMAIN=smark.ddns.net
                  while true; do
                    IP=$(nslookup $DOMAIN | grep -A1 $DOMAIN | awk 'END {print $NF}')
                    [[ -n "$IP" ]] && break
                    sleep 10
                  done
                  set -x
                  kubectl -n ara patch ingress ara-ara-server-ingress --type='json' --patch='[
                    {
                      "op": "replace",
                      "path": "/metadata/annotations/nginx.ingress.kubernetes.io~1whitelist-source-range",
                      "value":"'$IP'"
                    }
                  ]'