fix(nautobot): multiple corrections to nautobot sync job

cardoe · cardoe · commit a03435882182 · 2025-10-16T09:29:36.000-05:00
The nautobot sync job never had a TTL set to clean up after it ran so
now we clean up 5 minutes after it runs. It should also have a safety
that it should not run for longer than 20 minutes so this defines that
limit. Added a few more helm annotations for cleanup of the job and for
being able to lookup the jobs by labels.

Ensure the container runs securely by specifying a permission limited
security context.

Lastly fix the device-types role by mounting the data that the role
needs into the container.
diff --git a/components/nautobot/values.yaml b/components/nautobot/values.yaml
@@ -107,16 +107,45 @@ extraObjects:
     metadata:
       generateName: sync-nautobot-ansible-
       namespace: nautobot
+      labels:
+        app.kubernetes.io/name: nautobot
+        app.kubernetes.io/component: sync-job
+        app.kubernetes.io/managed-by: Helm
       annotations:
         "helm.sh/hook": post-install,post-upgrade
+        "helm.sh/hook-weight": "1"
+        "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     spec:
+      ttlSecondsAfterFinished: 300
+      # allow the ansible container to run for 20 minutes
+      activeDeadlineSeconds: 1200
+      backoffLimit: 1
       template:
         spec:
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            fsGroup: 1000
+            seccompProfile:
+              type: RuntimeDefault
           containers:
             - name: ansible-runner
               image: ghcr.io/rackerlabs/understack/ansible:latest
               imagePullPolicy: Always
               command: ["ansible-runner", "run", "/runner", "--playbook", "nautobot-initial-setup.yaml"]
+              resources:
+                requests:
+                  cpu: "100m"
+                  memory: "512Mi"
+                limits:
+                  cpu: "500m"
+                  memory: "512Mi"
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
+                readOnlyRootFilesystem: false
               env:
                 - name: NAUTOBOT_TOKEN
                   valueFrom:
@@ -130,6 +159,8 @@ extraObjects:
                   mountPath: /runner/inventory/
                 - name: ansible-group-vars
                   mountPath: /runner/inventory/group_vars/
+                - name: device-types
+                  mountPath: /runner/data/device-types/
           restartPolicy: Never
           volumes:
             - name: runner-data
@@ -140,4 +171,6 @@ extraObjects:
             - name: ansible-group-vars
               configMap:
                 name: ansible-group-vars
-      backoffLimit: 1
+            - name: device-types
+              configMap:
+                name: device-types
