From 39db8186564608f0fa9b0d5392a64a2f79c751b0 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Mon, 7 Jun 2021 15:50:05 -0400 Subject: [PATCH 01/36] No-op migration test capability --- charts/rawls/templates/migration/job.yaml | 66 +++++++++++++++++++ charts/rawls/templates/migration/role.yaml | 14 ++++ .../templates/migration/roleBinding.yaml | 15 +++++ .../templates/migration/secretDefinition.yaml | 19 ++++++ .../templates/migration/serviceAccount.yaml | 8 +++ charts/rawls/values.yaml | 25 ++++++- 6 files changed, 146 insertions(+), 1 deletion(-) create mode 100644 charts/rawls/templates/migration/job.yaml create mode 100644 charts/rawls/templates/migration/role.yaml create mode 100644 charts/rawls/templates/migration/roleBinding.yaml create mode 100644 charts/rawls/templates/migration/secretDefinition.yaml create mode 100644 charts/rawls/templates/migration/serviceAccount.yaml diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml new file mode 100644 index 000000000..c49f6d024 --- /dev/null +++ b/charts/rawls/templates/migration/job.yaml 
@@ -0,0 +1,66 @@
+{{- if .Values.migration.enabled }}
+{{- $imageTag := .Values.migration.imageTag | default .Values.global.applicationVersion -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: rawls-liquibase-migration
+ annotations:
+ argocd.argoproj.io/hook: PreSync
+ argocr.argoproj.io/hook-delete-policy: BeforeHookCreation
+ labels:
+ {{- include "rawls.labels" . | indent 4 }}
+spec:
+ template:
+ metadata:
+ name: rawls-liquibase-migration
+ labels:
+ {{- include "rawls.labels" . | indent 8 }}
+ spec:
+ restartPolicy: Never
+ serviceAccountName: rawls-migration-sa
+ volumes:
+ - name: sqlproxy-ctmpls
+ secret:
+ secretName: {{ .Values.migration.sqlProxySecretPrefix }}-sqlproxy-ctmpls
+ containers:
+ - name: migration-liquibase
+ image: "gcr.io/broad-dsp-gcr-public/rawls:{{ $imageTag }}"
+ command: ['bash', '-c']
+ # The `find /rawls -name 'rawls*.jar'` is from Rawls's own Dockerfile CMD
+ # The `--driver` is the underlying JDBC driver, e.g. not Slick, see https://doc.akka.io/docs/alpakka/current/slick.html#artifacts
+ # The `--url` is hardcoded pending DDO-1297
+ # Command is a no-op `updateSQL` during development
+ args:
+ - |-
+ java -cp $(find /rawls -name 'rawls*.jar') liquibase.integration.commandline.Main \
+ --driver='com.mysql.jdbc.Driver' \
+ --classpath="$(find /rawls -name 'rawls*.jar')" \
+ --changeLogFile='org/broadinstitute/dsde/rawls/liquibase/changelog.xml' \
+ --url="$DB_URL" \
+ --username="$DB_USERNAME" \
+ --password="$DB_PASSWORD" \
+ updateSQL
+ env:
+ - name: DB_URL
+ value: {{ .Values.migration.dbUrl }}
+ - name: DB_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: rawls-sql-secrets
+ key: db-username
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: rawls-sql-secrets
+ key: db-password
+ - name: migration-sqlproxy
+ image: broadinstitute/cloudsqlproxy:1.11_20180808
+ envFrom:
+ - secretRef:
+ name: {{ .Values.migration.sqlProxySecretPrefix }}-sqlproxy-env
+ volumeMounts:
+ - mountPath: /etc/sqlproxy-service-account.json
+ subPath: sqlproxy-service-account.json
+ name: sqlproxy-ctmpls
+ readOnly: true
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rawls/templates/migration/role.yaml b/charts/rawls/templates/migration/role.yaml
new file mode 100644
index 000000000..d8c4f0e1f
--- /dev/null
+++ b/charts/rawls/templates/migration/role.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.migration.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: rawls-migration-role
+ labels:
+ {{- include "rawls.labels" . | indent 4 }}
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - terra-default-psp
+{{- end -}}
diff --git a/charts/rawls/templates/migration/roleBinding.yaml b/charts/rawls/templates/migration/roleBinding.yaml
new file mode 100644
index 000000000..d9e4b4369
--- /dev/null
+++ b/charts/rawls/templates/migration/roleBinding.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.migration.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: rawls-migration-sa-binding
+ labels:
+ {{- include "rawls.labels" . | indent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: rawls-migration-sa
+roleRef:
+ kind: Role
+ name: rawls-migration-role
+ apiGroup: rbac.authorization.k8s.io
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rawls/templates/migration/secretDefinition.yaml b/charts/rawls/templates/migration/secretDefinition.yaml
new file mode 100644
index 000000000..10c7b6dbf
--- /dev/null
+++ b/charts/rawls/templates/migration/secretDefinition.yaml
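Review bot: The database password is interpolated into the java argument list (`--password="$DB_PASSWORD"` in the `args` block), so it is readable from `/proc/<pid>/cmdline` and `ps` by anything with access to the pod, and it will also appear in any crash or debug output that echoes the command line. Liquibase reads the same options from a `--defaultsFile` properties file, so the credentials could be rendered into a mounted secret file instead of argv, at which point the `DB_USERNAME`/`DB_PASSWORD` env entries become unnecessary; newer Liquibase releases also accept them as environment variables, but which release the Rawls image bundles is not visible here. Separately, `$(find /rawls -name 'rawls*.jar')` after `-cp` is unquoted, so a second matching jar would split into two arguments — quote it the way the `--classpath` value below already is.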
@@ -0,0 +1,19 @@ +{{- if .Values.migration.enabled }} +apiVersion: secrets-manager.tuenti.io/v1alpha1 +kind: SecretDefinition +metadata: + name: rawls-migration-secretdef + labels: + {{- include "dsp-atlantis.labels" . | nindent 4 }} +spec: + name: rawls-sql-secrets + keysMap: + db-username: + key: {{ .Values.vault.migration.dbUsernameKey }} + path: {{ required "A valid vault.migration.path is required" .Values.vault.migration.path }} + encoding: text + db-password: + key: {{ .Values.vault.migration.dbPasswordKey }} + path: {{ required "A valid vault.migration.path is required" .Values.vault.migration.path }} + encoding: text +{{- end -}} \ No newline at end of file diff --git a/charts/rawls/templates/migration/serviceAccount.yaml b/charts/rawls/templates/migration/serviceAccount.yaml new file mode 100644 index 000000000..106892efb --- /dev/null +++ b/charts/rawls/templates/migration/serviceAccount.yaml @@ -0,0 +1,8 @@ +{{- if .Values.migration.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rawls-migration-sa + labels: + {{- include "rawls.labels" . | indent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/rawls/values.yaml b/charts/rawls/values.yaml index 69fd4861c..e482a98e8 100644 --- a/charts/rawls/values.yaml +++ b/charts/rawls/values.yaml @@ -41,7 +41,7 @@ deploymentDefaults: # Example: `"rawls1-reader"` name: null # deploymentDefaults.imageTag -- Image tag to be used when deploying Pods - # @defautl global.applicationVersion + # @default global.applicationVersion imageTag: null # deploymentDefaults.replicas -- Number of replicas for the deployment replicas: 0 
@@ -92,3 +92,26 @@ deploymentDefaults: periodSeconds: 10 failureThreshold: 1080 # 3 hours before restarted, to prevent liveness probes from interrupting long-running liquibase migrations successThreshold: 1 + +vault: + # Migration credentials only referenced if migration.enabled == true + migration: + # vault.migration.path -- Vault path to secret containing DB credentials + path: null + # vault.migration.dbUsernameKey -- Key in Vault secret to DB username + dbUsernameKey: "slick_db_user" + # vault.migration.DbPasswordKey -- Key in Vault secret to DB password + dbPasswordKey: "slick_db_password" + +migration: + # migration.enabled -- Whether to run a Liquibase migration job pre-sync + enabled: false + # migration.dbUrl -- JDBC URL to connect to local CloudSQL proxy + dbUrl: "jdbc:mysql://sqlproxy:3306/rawls?requireSSL=false&useSSL=false&rewriteBatchedStatements=true" + # migration.imageTag -- Override the image tag to run the migration on + # @default global.applicationVersion + # WARNING: App may behave unexpectedly if its database has been migrated to a different version than the app + imageTag: null + # migration.sqlProxySecretPrefix -- Prefix for ctmpl and env secrets necessary for the desired Cloud SQL connection + # NOTE: Generally equals some deploymentDefaults.name, as secrets are per-deployment but migrations are per-namespace + sqlProxySecretPrefix: "rawls-backend" From 92a77c86bed89600d9021addfb6b758cb6138b56 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Mon, 7 Jun 2021 15:51:43 -0400 Subject: [PATCH 02/36] newlines --- charts/rawls/templates/migration/job.yaml | 2 +- charts/rawls/templates/migration/roleBinding.yaml | 2 +- charts/rawls/templates/migration/secretDefinition.yaml | 2 +- charts/rawls/templates/migration/serviceAccount.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index c49f6d024..88612f232 100644 
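Review bot: The comment `# vault.migration.DbPasswordKey` does not match the key it documents, `dbPasswordKey`; helm-docs style comments are keyed on that name, so it should read `# vault.migration.dbPasswordKey -- Key in Vault secret to DB password`. The `dbUrl` default disables TLS (`requireSSL=false&useSSL=false`), which is only acceptable if `sqlproxy` is the proxy sidecar inside the same pod; nothing in this patch pins that name to the pod, so if it resolves to a cluster Service the MySQL session crosses the pod network in clear. The `dbUrl` comment should state that assumption, e.g. `# migration.dbUrl -- JDBC URL to the Cloud SQL proxy sidecar; TLS is off because the hop must stay inside the pod`.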
--- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -63,4 +63,4 @@ spec: subPath: sqlproxy-service-account.json name: sqlproxy-ctmpls readOnly: true -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/charts/rawls/templates/migration/roleBinding.yaml b/charts/rawls/templates/migration/roleBinding.yaml index d9e4b4369..1a74f464d 100644 --- a/charts/rawls/templates/migration/roleBinding.yaml +++ b/charts/rawls/templates/migration/roleBinding.yaml @@ -12,4 +12,4 @@ roleRef: kind: Role name: rawls-migration-role apiGroup: rbac.authorization.k8s.io -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/charts/rawls/templates/migration/secretDefinition.yaml b/charts/rawls/templates/migration/secretDefinition.yaml index 10c7b6dbf..cbea90b33 100644 --- a/charts/rawls/templates/migration/secretDefinition.yaml +++ b/charts/rawls/templates/migration/secretDefinition.yaml @@ -16,4 +16,4 @@ spec: key: {{ .Values.vault.migration.dbPasswordKey }} path: {{ required "A valid vault.migration.path is required" .Values.vault.migration.path }} encoding: text -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/charts/rawls/templates/migration/serviceAccount.yaml b/charts/rawls/templates/migration/serviceAccount.yaml index 106892efb..a86b8426a 100644 --- a/charts/rawls/templates/migration/serviceAccount.yaml +++ b/charts/rawls/templates/migration/serviceAccount.yaml @@ -5,4 +5,4 @@ metadata: name: rawls-migration-sa labels: {{- include "rawls.labels" . | indent 4 }} -{{- end -}} \ No newline at end of file +{{- end -}} From 1af932225ea507a3fec159dc08d513440cec9c2f Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Mon, 7 Jun 2021 16:16:42 -0400 Subject: [PATCH 03/36] bump minor --- charts/rawls/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rawls/Chart.yaml b/charts/rawls/Chart.yaml index 67cecd69a..89644350b 100644 --- a/charts/rawls/Chart.yaml 
+++ b/charts/rawls/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: rawls -version: 0.8.0 +version: 0.8.1 appVersion: latest description: Chart for Rawls service in Terra type: application From 0d4848d98f36e15b3b9db2a89c44f1b81e0e963e Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Mon, 7 Jun 2021 16:19:05 -0400 Subject: [PATCH 04/36] update boilerplate --- charts/rawls/templates/migration/secretDefinition.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rawls/templates/migration/secretDefinition.yaml b/charts/rawls/templates/migration/secretDefinition.yaml index cbea90b33..a766921b2 100644 --- a/charts/rawls/templates/migration/secretDefinition.yaml +++ b/charts/rawls/templates/migration/secretDefinition.yaml @@ -4,7 +4,7 @@ kind: SecretDefinition metadata: name: rawls-migration-secretdef labels: - {{- include "dsp-atlantis.labels" . | nindent 4 }} + {{- include "rawls.labels" . | nindent 4 }} spec: name: rawls-sql-secrets keysMap: From f581aeeef727cc2d642f5ea9bd8beb6a68df1917 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Mon, 7 Jun 2021 16:22:43 -0400 Subject: [PATCH 05/36] nindent --- charts/rawls/templates/migration/job.yaml | 4 ++-- charts/rawls/templates/migration/role.yaml | 2 +- charts/rawls/templates/migration/roleBinding.yaml | 2 +- charts/rawls/templates/migration/serviceAccount.yaml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index 88612f232..6d391bce2 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml 
@@ -8,13 +8,13 @@ metadata: argocd.argoproj.io/hook: PreSync argocr.argoproj.io/hook-delete-policy: BeforeHookCreation labels: - {{- include "rawls.labels" . | indent 4 }} + {{- include "rawls.labels" . | nindent 4 }} spec: template: metadata: name: rawls-liquibase-migration labels: - {{- include "rawls.labels" . | indent 8 }} + {{- include "rawls.labels" . | nindent 8 }} spec: restartPolicy: Never serviceAccountName: rawls-migration-sa diff --git a/charts/rawls/templates/migration/role.yaml b/charts/rawls/templates/migration/role.yaml index d8c4f0e1f..16584fa7b 100644 --- a/charts/rawls/templates/migration/role.yaml +++ b/charts/rawls/templates/migration/role.yaml @@ -4,7 +4,7 @@ kind: Role metadata: name: rawls-migration-role labels: - {{- include "rawls.labels" . | indent 4 }} + {{- include "rawls.labels" . | nindent 4 }} rules: - apiGroups: ['policy'] resources: ['podsecuritypolicies'] diff --git a/charts/rawls/templates/migration/roleBinding.yaml b/charts/rawls/templates/migration/roleBinding.yaml index 1a74f464d..c93f12bd4 100644 --- a/charts/rawls/templates/migration/roleBinding.yaml +++ b/charts/rawls/templates/migration/roleBinding.yaml @@ -4,7 +4,7 @@ kind: RoleBinding metadata: name: rawls-migration-sa-binding labels: - {{- include "rawls.labels" . | indent 4 }} + {{- include "rawls.labels" . | nindent 4 }} subjects: - kind: ServiceAccount name: rawls-migration-sa diff --git a/charts/rawls/templates/migration/serviceAccount.yaml b/charts/rawls/templates/migration/serviceAccount.yaml index a86b8426a..8a67a276a 100644 --- a/charts/rawls/templates/migration/serviceAccount.yaml +++ b/charts/rawls/templates/migration/serviceAccount.yaml @@ -4,5 +4,5 @@ kind: ServiceAccount metadata: name: rawls-migration-sa labels: - {{- include "rawls.labels" . | indent 4 }} + {{- include "rawls.labels" . | nindent 4 }} {{- end -}} From cd23d17ff3f863948185b96d5f91f323cad0a047 Mon Sep 17 00:00:00 2001 
From: Jack Warren Date: Mon, 7 Jun 2021 16:50:41 -0400 Subject: [PATCH 06/36] resources in earlier wave --- charts/rawls/templates/migration/role.yaml | 4 ++++ charts/rawls/templates/migration/roleBinding.yaml | 4 ++++ charts/rawls/templates/migration/secretDefinition.yaml | 4 ++++ charts/rawls/templates/migration/serviceAccount.yaml | 4 ++++ 4 files changed, 16 insertions(+) diff --git a/charts/rawls/templates/migration/role.yaml b/charts/rawls/templates/migration/role.yaml index 16584fa7b..4f0be0555 100644 --- a/charts/rawls/templates/migration/role.yaml +++ b/charts/rawls/templates/migration/role.yaml @@ -5,6 +5,10 @@ metadata: name: rawls-migration-role labels: {{- include "rawls.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/hook: PreSync + argocr.argoproj.io/hook-delete-policy: BeforeHookCreation + argocd.argoproj.io/sync-wave: "-1" rules: - apiGroups: ['policy'] resources: ['podsecuritypolicies'] diff --git a/charts/rawls/templates/migration/roleBinding.yaml b/charts/rawls/templates/migration/roleBinding.yaml index c93f12bd4..298858bd5 100644 --- a/charts/rawls/templates/migration/roleBinding.yaml +++ b/charts/rawls/templates/migration/roleBinding.yaml @@ -5,6 +5,10 @@ metadata: name: rawls-migration-sa-binding labels: {{- include "rawls.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/hook: PreSync + argocr.argoproj.io/hook-delete-policy: BeforeHookCreation + argocd.argoproj.io/sync-wave: "-1" subjects: - kind: ServiceAccount name: rawls-migration-sa diff --git a/charts/rawls/templates/migration/secretDefinition.yaml b/charts/rawls/templates/migration/secretDefinition.yaml index a766921b2..4bff392ea 100644 --- a/charts/rawls/templates/migration/secretDefinition.yaml +++ b/charts/rawls/templates/migration/secretDefinition.yaml 
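Review bot: The delete-policy annotation copied onto the Role (and onto the other hook resources in this patch) is spelled `argocr.argoproj.io/hook-delete-policy`, which Argo CD does not recognise, so the `BeforeHookCreation` value is never read and cleanup falls back to whatever Argo CD defaults to. Change the key to `argocd.argoproj.io/hook-delete-policy: BeforeHookCreation` in each file; the same typo is present in job.yaml. Since these RBAC objects are now sync hooks rather than tracked resources they are recreated on each sync, so any out-of-band widening of the Role is erased on the next deploy — a one-line comment saying so would save someone a surprise.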
@@ -5,6 +5,10 @@ metadata: name: rawls-migration-secretdef labels: {{- include "rawls.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/hook: PreSync + argocr.argoproj.io/hook-delete-policy: BeforeHookCreation + argocd.argoproj.io/sync-wave: "-1" spec: name: rawls-sql-secrets keysMap: diff --git a/charts/rawls/templates/migration/serviceAccount.yaml b/charts/rawls/templates/migration/serviceAccount.yaml index 8a67a276a..f6dfcad4e 100644 --- a/charts/rawls/templates/migration/serviceAccount.yaml +++ b/charts/rawls/templates/migration/serviceAccount.yaml @@ -5,4 +5,8 @@ metadata: name: rawls-migration-sa labels: {{- include "rawls.labels" . | nindent 4 }} + annotations: + argocd.argoproj.io/hook: PreSync + argocr.argoproj.io/hook-delete-policy: BeforeHookCreation + argocd.argoproj.io/sync-wave: "-1" {{- end -}} From 808c6164b40a893a854821539a85ef26e7563902 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Tue, 8 Jun 2021 17:06:58 -0400 Subject: [PATCH 07/36] shareProcessNamespace --- charts/rawls/templates/migration/job.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index 6d391bce2..c1a22374c 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -16,6 +16,7 @@ spec: labels: {{- include "rawls.labels" . | nindent 8 }} spec: + shareProcessNamespace: true restartPolicy: Never serviceAccountName: rawls-migration-sa volumes: From d25b2fa4e372a77c7dc465d623b73d226dc61db0 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Tue, 8 Jun 2021 17:14:27 -0400 Subject: [PATCH 08/36] Add cloudsql sleep --- charts/rawls/templates/migration/job.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index c1a22374c..7d8b7a057 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml 
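Review bot: `shareProcessNamespace: true` gives every container in the pod a view of every other container's `/proc`, including the liquibase java process's argv, which carries `--password="$DB_PASSWORD"` (set earlier in this file, outside the hunk); the third-party proxy sidecar can therefore read the database credentials, and either container can signal the other. The hunk adds no comment saying why the namespace is shared; add `# Shared so migration-liquibase can stop the proxy sidecar when it finishes` if that is the intent. If that is the only need, a sentinel file on a shared emptyDir that the proxy container's wrapper polls avoids sharing the PID namespace at all; if sharing stays, the credentials should be moved out of argv (a mounted Liquibase properties file) before this runs outside dev.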
@@ -27,12 +27,14 @@ spec: - name: migration-liquibase image: "gcr.io/broad-dsp-gcr-public/rawls:{{ $imageTag }}" command: ['bash', '-c'] + # Sleep for 30s to allow CloudSQL proxy time to start up. See DDO-1284 / BT-296 # The `find /rawls -name 'rawls*.jar'` is from Rawls's own Dockerfile CMD # The `--driver` is the underlying JDBC driver, e.g. not Slick, see https://doc.akka.io/docs/alpakka/current/slick.html#artifacts # The `--url` is hardcoded pending DDO-1297 # Command is a no-op `updateSQL` during development args: - |- + sleep 30 && \ java -cp $(find /rawls -name 'rawls*.jar') liquibase.integration.commandline.Main \ --driver='com.mysql.jdbc.Driver' \ --classpath="$(find /rawls -name 'rawls*.jar')" \ From 46c3e64c801dc31cca4aeaebce6511ccf99661ce Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Tue, 8 Jun 2021 17:16:36 -0400 Subject: [PATCH 09/36] Sleep for 15s --- charts/rawls/templates/migration/job.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index 7d8b7a057..a73d5efa3 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml 
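Review bot: A fixed `sleep 30` neither guarantees the proxy is listening (slow image pulls or credential retries take longer) nor returns early when it already is, so the migration is both racy and needlessly slow. Replace it with a bounded wait on the proxy port, e.g. `for i in $(seq 1 60); do (echo > /dev/tcp/sqlproxy/3306) 2>/dev/null && break; sleep 1; done`, which assumes the image's bash was built with `/dev/tcp` redirections enabled (the usual default). The ticket references DDO-1284 / BT-296 are fine as provenance, but the comment should also say in-line what is being waited for, since chart readers may not have ticket access.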
@@ -27,14 +27,14 @@ spec: - name: migration-liquibase image: "gcr.io/broad-dsp-gcr-public/rawls:{{ $imageTag }}" command: ['bash', '-c'] - # Sleep for 30s to allow CloudSQL proxy time to start up. See DDO-1284 / BT-296 + # Sleep for 15s to allow CloudSQL proxy time to start up. See DDO-1284 / BT-296 # The `find /rawls -name 'rawls*.jar'` is from Rawls's own Dockerfile CMD # The `--driver` is the underlying JDBC driver, e.g. not Slick, see https://doc.akka.io/docs/alpakka/current/slick.html#artifacts # The `--url` is hardcoded pending DDO-1297 # Command is a no-op `updateSQL` during development args: - |- - sleep 30 && \ + sleep 15 && \ java -cp $(find /rawls -name 'rawls*.jar') liquibase.integration.commandline.Main \ --driver='com.mysql.jdbc.Driver' \ --classpath="$(find /rawls -name 'rawls*.jar')" \ From 26a39b833990e300c0f99dfbfde205397fd60409 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Tue, 8 Jun 2021 17:21:07 -0400 Subject: [PATCH 10/36] fix hostname --- charts/rawls/templates/migration/job.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index a73d5efa3..e3fca1498 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -19,6 +19,10 @@ spec: shareProcessNamespace: true restartPolicy: Never serviceAccountName: rawls-migration-sa + hostAliases: + - ip: 127.0.0.1 + hostnames: + - sqlproxy volumes: - name: sqlproxy-ctmpls secret: From 23f17db4e671a213e5353bb1dd8961205196b9ff Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Tue, 8 Jun 2021 17:36:54 -0400 Subject: [PATCH 11/36] liquibase kill cloudsql proxy --- charts/rawls/templates/migration/job.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index e3fca1498..b6891a592 100644 --- a/charts/rawls/templates/migration/job.yaml 
+++ b/charts/rawls/templates/migration/job.yaml @@ -16,6 +16,7 @@ spec: labels: {{- include "rawls.labels" . | nindent 8 }} spec: + # Allow migration-liquibase to kill migration-sqlproxy's process shareProcessNamespace: true restartPolicy: Never serviceAccountName: rawls-migration-sa @@ -46,7 +47,10 @@ spec: --url="$DB_URL" \ --username="$DB_USERNAME" \ --password="$DB_PASSWORD" \ - updateSQL + updateSQL; \ + EXIT=$?; \ + pkill -SIGTERM cloud_sql_proxy; \ + return $EXIT env: - name: DB_URL value: {{ .Values.migration.dbUrl }} From 76c2d679360c0d333711c71a07c8304641815b4e Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Tue, 8 Jun 2021 17:41:37 -0400 Subject: [PATCH 12/36] Exit instead of return --- charts/rawls/templates/migration/job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index b6891a592..72fe32409 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -50,7 +50,7 @@ spec: updateSQL; \ EXIT=$?; \ pkill -SIGTERM cloud_sql_proxy; \ - return $EXIT + exit $EXIT env: - name: DB_URL value: {{ .Values.migration.dbUrl }} From 7fa6fbc63e43046314058c4a2557ed817e37bc6e Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Tue, 8 Jun 2021 17:43:15 -0400 Subject: [PATCH 13/36] Don't retry so many times --- charts/rawls/templates/migration/job.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index 72fe32409..8695546b4 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -18,6 +18,7 @@ spec: spec: # Allow migration-liquibase to kill migration-sqlproxy's process shareProcessNamespace: true + backoffLimit: 2 restartPolicy: Never serviceAccountName: rawls-migration-sa hostAliases: From 0c4cd87d2eb34cbd1cdd4c42f1572a4bcadfb0f0 Mon Sep 17 00:00:00 2001 
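Review bot: If `pkill -SIGTERM cloud_sql_proxy` matches nothing — `pkill` absent from the Rawls image, or the proxy binary named differently — the sidecar keeps running, the pod never completes, and because the Job (whose spec starts outside the hunk) sets no `activeDeadlineSeconds`, the PreSync hook blocks the Argo CD sync indefinitely. Add `activeDeadlineSeconds` to the Job spec as a backstop and surface pkill's result, e.g. `pkill -SIGTERM cloud_sql_proxy || echo 'WARN: cloud_sql_proxy not found' >&2; \`. A liquibase run killed part-way also leaves the DATABASECHANGELOGLOCK row held, so Job retries may stall on the lock until it is released by hand — worth a comment next to the retry setting.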
From: Jack Warren Date: Tue, 8 Jun 2021 17:48:12 -0400 Subject: [PATCH 14/36] the other spec --- charts/rawls/templates/migration/job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index 8695546b4..38f26f68e 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -10,6 +10,7 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} spec: + backoffLimit: 2 template: metadata: name: rawls-liquibase-migration @@ -18,7 +19,6 @@ spec: spec: # Allow migration-liquibase to kill migration-sqlproxy's process shareProcessNamespace: true - backoffLimit: 2 restartPolicy: Never serviceAccountName: rawls-migration-sa hostAliases: From 7154600f1e67930337db48b40e19a4b5042d3a76 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Wed, 9 Jun 2021 11:29:51 -0400 Subject: [PATCH 15/36] Control no-op and failure behavior via values --- charts/rawls/templates/migration/job.yaml | 4 ++-- charts/rawls/values.yaml | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index 38f26f68e..f379bf055 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -48,8 +48,8 @@ spec: --url="$DB_URL" \ --username="$DB_USERNAME" \ --password="$DB_PASSWORD" \ - updateSQL; \ - EXIT=$?; \ + {{ .Values.migration.dryRun | ternary "updateSQL" "update" }}; \ + EXIT={{ .Values.migration.failBasedOnLiquibase | ternary "$?" "0" }}; \ pkill -SIGTERM cloud_sql_proxy; \ exit $EXIT env: diff --git a/charts/rawls/values.yaml b/charts/rawls/values.yaml index e482a98e8..4ac9b57db 100644 --- a/charts/rawls/values.yaml +++ b/charts/rawls/values.yaml 
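Review bot: Rendering `EXIT=0` when `failBasedOnLiquibase` is false means a failed `update` exits the container successfully, so neither the Job nor the Argo CD sync sees the failure and the application is rolled out against a schema the migration did not reach. That is defensible as a dev switch but the template gives no hint of the consequence; add `# failBasedOnLiquibase=false hides a failed migration from the Job and the sync — dev/testing only` above the `EXIT=` line. I believe both `ternary` calls fail at render time if the value is null rather than a bool (an override that leaves `dryRun:` empty), so either guard them with `default` or note that both keys must always be set.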
@@ -106,6 +106,10 @@ vault: migration: # migration.enabled -- Whether to run a Liquibase migration job pre-sync enabled: false + # migration.dryRun -- When true, merely print migration SQL; when false, execute it + dryRun: true + # migration.failBasedOnLiquibase -- When true, fail the job (and ArgoCD sync!) if the Liquibase command fails + failBasedOnLiquibase: true # migration.dbUrl -- JDBC URL to connect to local CloudSQL proxy dbUrl: "jdbc:mysql://sqlproxy:3306/rawls?requireSSL=false&useSSL=false&rewriteBatchedStatements=true" # migration.imageTag -- Override the image tag to run the migration on From a9f6786f7f8fe2b480d62793e8893ce72f15f9c4 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Thu, 10 Jun 2021 15:08:12 -0400 Subject: [PATCH 16/36] Bring in the new liquibase.properties --- charts/rawls/templates/migration/job.yaml | 18 ++++++++++++------ charts/rawls/values.yaml | 4 ++-- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index f379bf055..bc8f61314 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -26,9 +26,12 @@ spec: hostnames: - sqlproxy volumes: + - name: app-ctmpls + secret: + secretName: {{ .Values.migration.secretPrefix }}-app-ctmpls - name: sqlproxy-ctmpls secret: - secretName: {{ .Values.migration.sqlProxySecretPrefix }}-sqlproxy-ctmpls + secretName: {{ .Values.migration.secretPrefix }}-sqlproxy-ctmpls containers: - name: migration-liquibase image: "gcr.io/broad-dsp-gcr-public/rawls:{{ $imageTag }}" 
@@ -42,10 +45,8 @@ spec: - |- sleep 15 && \ java -cp $(find /rawls -name 'rawls*.jar') liquibase.integration.commandline.Main \ - --driver='com.mysql.jdbc.Driver' \ - --classpath="$(find /rawls -name 'rawls*.jar')" \ - --changeLogFile='org/broadinstitute/dsde/rawls/liquibase/changelog.xml' \ - --url="$DB_URL" \ + --defaultsFile='/etc/liquibase.properties' + --classpath="$(find /rawls -name 'rawls*.jar')" --username="$DB_USERNAME" \ --password="$DB_PASSWORD" \ {{ .Values.migration.dryRun | ternary "updateSQL" "update" }}; \ @@ -65,11 +66,16 @@ spec: secretKeyRef: name: rawls-sql-secrets key: db-password + volumeMounts: + - mountPath: /etc/liquibase.properties + subPath: liquibase.properties + name: app-ctmpls + readOnly: true - name: migration-sqlproxy image: broadinstitute/cloudsqlproxy:1.11_20180808 envFrom: - secretRef: - name: {{ .Values.migration.sqlProxySecretPrefix }}-sqlproxy-env + name: {{ .Values.migration.secretPrefix }}-sqlproxy-env volumeMounts: - mountPath: /etc/sqlproxy-service-account.json subPath: sqlproxy-service-account.json diff --git a/charts/rawls/values.yaml b/charts/rawls/values.yaml index 4ac9b57db..5b348bb1c 100644 --- a/charts/rawls/values.yaml +++ b/charts/rawls/values.yaml @@ -116,6 +116,6 @@ migration: # @default global.applicationVersion # WARNING: App may behave unexpectedly if its database has been migrated to a different version than the app imageTag: null - # migration.sqlProxySecretPrefix -- Prefix for ctmpl and env secrets necessary for the desired Cloud SQL connection + # migration.secretPrefix -- Prefix for ctmpl and env secrets # NOTE: Generally equals some deploymentDefaults.name, as secrets are per-deployment but migrations are per-namespace - sqlProxySecretPrefix: "rawls-backend" + secretPrefix: "rawls-backend" From 67ad0538a43a4ae20e2acd6bbe0bd431e54f845d Mon Sep 17 00:00:00 2001 
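Review bot: Now that Liquibase reads `--defaultsFile='/etc/liquibase.properties'` from a secret-backed mount, `--username` and `--password` are the only connection parameters still on the command line, and the password remains readable in `/proc/<pid>/cmdline` by the proxy sidecar (the pod shares its PID namespace, set outside this hunk). Liquibase accepts `username` and `password` keys in the properties file, so the simplest fix is to template them into the same `liquibase.properties` and drop the two flags plus the `DB_USERNAME`/`DB_PASSWORD` env entries. The properties file comes from the per-deployment `-app-ctmpls` secret, so its connection settings are presumably the application's runtime ones rather than a migration-scoped user — confirm that is intended, since migrations need DDL rights the app itself should not hold.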
From: Jack Warren Date: Thu, 10 Jun 2021 15:08:46 -0400 Subject: [PATCH 17/36] Merge branch 'master' of github.com:broadinstitute/terra-helm into DDO-1292-liquibase-presync-job From 93c6348142a182a0c1cc429e3c21822c6333ede9 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Thu, 10 Jun 2021 15:11:09 -0400 Subject: [PATCH 18/36] clean up --- charts/rawls/templates/migration/job.yaml | 6 +----- charts/rawls/values.yaml | 2 -- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index bc8f61314..0dd1dace9 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -38,9 +38,7 @@ spec: command: ['bash', '-c'] # Sleep for 15s to allow CloudSQL proxy time to start up. See DDO-1284 / BT-296 # The `find /rawls -name 'rawls*.jar'` is from Rawls's own Dockerfile CMD - # The `--driver` is the underlying JDBC driver, e.g. not Slick, see https://doc.akka.io/docs/alpakka/current/slick.html#artifacts - # The `--url` is hardcoded pending DDO-1297 - # Command is a no-op `updateSQL` during development + # References templated liquibase.properties, see https://docs.google.com/document/d/19ethQWyH29H-jUWwgFoCxKfjmzcG-NCmSgXNAUJAYaU/edit# args: - |- sleep 15 && \ @@ -54,8 +52,6 @@ spec: pkill -SIGTERM cloud_sql_proxy; \ exit $EXIT env: - - name: DB_URL - value: {{ .Values.migration.dbUrl }} - name: DB_USERNAME valueFrom: secretKeyRef: diff --git a/charts/rawls/values.yaml b/charts/rawls/values.yaml index 5b348bb1c..634b0f1e7 100644 --- a/charts/rawls/values.yaml +++ b/charts/rawls/values.yaml 
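Review bot: The replacement comment points at a Google Doc as the only description of what `/etc/liquibase.properties` must contain, and the three lines it removes were the last place the chart named the driver, change-log path and URL, so a reader can no longer tell which keys the templated file is expected to supply. Keep the link but add a one-line inventory, e.g. `# liquibase.properties (from the app ctmpl secret) must set driver, url and changeLogFile; username/password are still passed as flags`. Dropping the `DB_URL` env var also retires `migration.dbUrl`, and Helm ignores unknown keys, so an environment values file that still overrides it will lose the override silently — call that out in the chart version bump.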
@@ -110,8 +110,6 @@ migration: dryRun: true # migration.failBasedOnLiquibase -- When true, fail the job (and ArgoCD sync!) if the Liquibase command fails failBasedOnLiquibase: true - # migration.dbUrl -- JDBC URL to connect to local CloudSQL proxy - dbUrl: "jdbc:mysql://sqlproxy:3306/rawls?requireSSL=false&useSSL=false&rewriteBatchedStatements=true" # migration.imageTag -- Override the image tag to run the migration on # @default global.applicationVersion # WARNING: App may behave unexpectedly if its database has been migrated to a different version than the app From 2bc9e755c5720a1bb54965cb1c701db52284b039 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Mon, 14 Jun 2021 12:29:14 -0400 Subject: [PATCH 19/36] line continuation --- charts/rawls/templates/migration/job.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index 0dd1dace9..b46aaaaa6 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -43,8 +43,8 @@ spec: - |- sleep 15 && \ java -cp $(find /rawls -name 'rawls*.jar') liquibase.integration.commandline.Main \ - --defaultsFile='/etc/liquibase.properties' - --classpath="$(find /rawls -name 'rawls*.jar')" + --defaultsFile='/etc/liquibase.properties' \ + --classpath="$(find /rawls -name 'rawls*.jar')" \ --username="$DB_USERNAME" \ --password="$DB_PASSWORD" \ {{ .Values.migration.dryRun | ternary "updateSQL" "update" }}; \ From 8d086c6f137f3429477249a5f78550b22487181f Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Mon, 14 Jun 2021 14:38:43 -0400 Subject: [PATCH 20/36] Use official google image --- charts/rawls/templates/migration/job.yaml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index b46aaaaa6..841afb883 100644 --- a/charts/rawls/templates/migration/job.yaml 
+++ b/charts/rawls/templates/migration/job.yaml @@ -68,7 +68,7 @@ spec: name: app-ctmpls readOnly: true - name: migration-sqlproxy - image: broadinstitute/cloudsqlproxy:1.11_20180808 + image: gcr.io/cloudsql-docker/gce-proxy:1.23 envFrom: - secretRef: name: {{ .Values.migration.secretPrefix }}-sqlproxy-env @@ -77,4 +77,11 @@ spec: subPath: sqlproxy-service-account.json name: sqlproxy-ctmpls readOnly: true + command: ['bash', '-c'] + args: + - |- + exec /cloud_sql_proxy ${CLOUDSQL_LOGGING:-"-verbose"} \ + -max_connections=${CLOUDSQL_MAXCONNS:-0} \ + -instances="${CLOUDSQL_CONNECTION_LIST:-${GOOGLE_PROJECT}:${CLOUDSQL_ZONE}:${CLOUDSQL_INSTANCE}=tcp:0.0.0.0:${PORT:-3306}}" \ + -credential_file=${CLOUDSQL_CREDENTIAL_FILE:-"/etc/sqlproxy-service-account.json"} {{- end -}} From 48407c596da31d4dbff7150b9339c44f7f116062 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Mon, 14 Jun 2021 14:50:38 -0400 Subject: [PATCH 21/36] Sleep forever so I can see the pod --- charts/rawls/templates/migration/job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index 841afb883..186583260 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -41,7 +41,7 @@ spec: # References templated liquibase.properties, see https://docs.google.com/document/d/19ethQWyH29H-jUWwgFoCxKfjmzcG-NCmSgXNAUJAYaU/edit# args: - |- - sleep 15 && \ + sleep 15m && \ java -cp $(find /rawls -name 'rawls*.jar') liquibase.integration.commandline.Main \ --defaultsFile='/etc/liquibase.properties' \ --classpath="$(find /rawls -name 'rawls*.jar')" \ From d3f562f2303590dcd3f89b0df6455efd3cdb346c Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Mon, 14 Jun 2021 15:01:57 -0400 Subject: [PATCH 22/36] Fix version, normal sleep --- charts/rawls/templates/migration/job.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
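Review bot: `-instances=...=tcp:0.0.0.0:${PORT:-3306}` makes the proxy listen on every interface of the pod, i.e. on the pod IP, so any workload with a route to the pod network gets a TCP path to the Cloud SQL instance guarded only by the database credentials, unless a NetworkPolicy not shown here blocks it. The liquibase container shares the pod's network namespace and a later hunk in this series maps a hostname to `127.0.0.1` via `hostAliases`, so the loopback address is sufficient: `-instances="${CLOUDSQL_CONNECTION_LIST:-${GOOGLE_PROJECT}:${CLOUDSQL_ZONE}:${CLOUDSQL_INSTANCE}=tcp:127.0.0.1:${PORT:-3306}}"`. If `CLOUDSQL_CONNECTION_LIST` from the `-sqlproxy-env` secret is set in practice, the same check applies to its value, which this template cannot see. The `{{- end -}}` on the last line closes the `if .Values.migration.enabled` opened at the top of the file, outside the hunk.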
diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index 186583260..be8c146a4 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -41,7 +41,7 @@ spec: # References templated liquibase.properties, see https://docs.google.com/document/d/19ethQWyH29H-jUWwgFoCxKfjmzcG-NCmSgXNAUJAYaU/edit# args: - |- - sleep 15m && \ + sleep 15s && \ java -cp $(find /rawls -name 'rawls*.jar') liquibase.integration.commandline.Main \ --defaultsFile='/etc/liquibase.properties' \ --classpath="$(find /rawls -name 'rawls*.jar')" \ @@ -68,7 +68,7 @@ spec: name: app-ctmpls readOnly: true - name: migration-sqlproxy - image: gcr.io/cloudsql-docker/gce-proxy:1.23 + image: gcr.io/cloudsql-docker/gce-proxy:1.23.0 envFrom: - secretRef: name: {{ .Values.migration.secretPrefix }}-sqlproxy-env From d9a1b08b6266929d0b8e02e9ee0f7d9834f39957 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Mon, 14 Jun 2021 15:08:25 -0400 Subject: [PATCH 23/36] No exec --- charts/rawls/templates/migration/job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index be8c146a4..936592a53 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -80,7 +80,7 @@ spec: command: ['bash', '-c'] args: - |- - exec /cloud_sql_proxy ${CLOUDSQL_LOGGING:-"-verbose"} \ + /cloud_sql_proxy ${CLOUDSQL_LOGGING:-"-verbose"} \ -max_connections=${CLOUDSQL_MAXCONNS:-0} \ -instances="${CLOUDSQL_CONNECTION_LIST:-${GOOGLE_PROJECT}:${CLOUDSQL_ZONE}:${CLOUDSQL_INSTANCE}=tcp:0.0.0.0:${PORT:-3306}}" \ -credential_file=${CLOUDSQL_CREDENTIAL_FILE:-"/etc/sqlproxy-service-account.json"} From 1baf129642b617f3b44f92cc7e1a89f064b53b55 Mon Sep 17 00:00:00 2001 
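Review bot: Dropping `exec` leaves the shell as PID 1 of the sidecar with `/cloud_sql_proxy` as its child, and a `-c` shell does not forward SIGTERM to its children, so a pod-level termination (job deletion, eviction, the hook's BeforeHookCreation cleanup) only stops the proxy after the grace-period SIGKILL rather than cleanly. The `pkill -SIGTERM cloud_sql_proxy` path from the liquibase container is unaffected because it targets the process by name. If `exec` was removed to work around `bash` being absent from the image, that is addressed by the `sh` switch in the next patch and `exec /cloud_sql_proxy ${CLOUDSQL_LOGGING:-"-verbose"} \` could be restored; otherwise a comment stating why it is omitted would help the next reader.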
From: Jack Warren Date: Mon, 14 Jun 2021 15:17:06 -0400 Subject: [PATCH 24/36] alpine for sh --- charts/rawls/templates/migration/job.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index 936592a53..9124b89b3 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -68,7 +68,8 @@ spec: name: app-ctmpls readOnly: true - name: migration-sqlproxy - image: gcr.io/cloudsql-docker/gce-proxy:1.23.0 + # alpine provides `sh` + image: gcr.io/cloudsql-docker/gce-proxy:1.23.0-alpine envFrom: - secretRef: name: {{ .Values.migration.secretPrefix }}-sqlproxy-env @@ -77,7 +78,7 @@ spec: subPath: sqlproxy-service-account.json name: sqlproxy-ctmpls readOnly: true - command: ['bash', '-c'] + command: ['sh', '-c'] args: - |- /cloud_sql_proxy ${CLOUDSQL_LOGGING:-"-verbose"} \ From c0b105fdaa3204bfe6f5fb957ad16be43e4f82d0 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Mon, 14 Jun 2021 17:12:42 -0400 Subject: [PATCH 25/36] labels --- charts/rawls/templates/migration/job.yaml | 6 ++---- charts/rawls/templates/migration/role.yaml | 3 +-- charts/rawls/templates/migration/roleBinding.yaml | 3 +-- charts/rawls/templates/migration/secretDefinition.yaml | 3 +-- charts/rawls/templates/migration/serviceAccount.yaml | 3 +-- 5 files changed, 6 insertions(+), 12 deletions(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index 9124b89b3..5b0acc0c4 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml 
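Review bot: `image: gcr.io/cloudsql-docker/gce-proxy:1.23.0-alpine` is a mutable tag on a registry outside this project, and the container it runs has the proxy service-account key mounted; pin it with a digest (`image: gcr.io/cloudsql-docker/gce-proxy:1.23.0-alpine@sha256:<digest>`, placeholder) so the PreSync hook cannot silently pick up a re-pushed image. The alpine variant is chosen only to get `sh` for the `${VAR:-default}` expansions; if the `-sqlproxy-env` secret always supplies the connection values, the same command can be written as a plain `args` list with Kubernetes `$(VAR)` expansion on the distroless image, removing the shell from the credential-holding container. The existing comment `# alpine provides sh` could also name which variables rely on the shell defaults.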
@@ -7,15 +7,13 @@ metadata: annotations: argocd.argoproj.io/hook: PreSync argocr.argoproj.io/hook-delete-policy: BeforeHookCreation - labels: - {{- include "rawls.labels" . | nindent 4 }} + labels: {{- include "rawls.labels" . | nindent 4 }} spec: backoffLimit: 2 template: metadata: name: rawls-liquibase-migration - labels: - {{- include "rawls.labels" . | nindent 8 }} + labels: {{- include "rawls.labels" . | nindent 8 }} spec: # Allow migration-liquibase to kill migration-sqlproxy's process shareProcessNamespace: true diff --git a/charts/rawls/templates/migration/role.yaml b/charts/rawls/templates/migration/role.yaml index 4f0be0555..63d10043b 100644 --- a/charts/rawls/templates/migration/role.yaml +++ b/charts/rawls/templates/migration/role.yaml @@ -3,8 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: rawls-migration-role - labels: - {{- include "rawls.labels" . | nindent 4 }} + labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync argocr.argoproj.io/hook-delete-policy: BeforeHookCreation diff --git a/charts/rawls/templates/migration/roleBinding.yaml b/charts/rawls/templates/migration/roleBinding.yaml index 298858bd5..4d0c9c373 100644 --- a/charts/rawls/templates/migration/roleBinding.yaml +++ b/charts/rawls/templates/migration/roleBinding.yaml @@ -3,8 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: rawls-migration-sa-binding - labels: - {{- include "rawls.labels" . | nindent 4 }} + labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync argocr.argoproj.io/hook-delete-policy: BeforeHookCreation diff --git a/charts/rawls/templates/migration/secretDefinition.yaml b/charts/rawls/templates/migration/secretDefinition.yaml index 4bff392ea..bc179ee2a 100644 --- a/charts/rawls/templates/migration/secretDefinition.yaml +++ b/charts/rawls/templates/migration/secretDefinition.yaml 
@@ -3,8 +3,7 @@ apiVersion: secrets-manager.tuenti.io/v1alpha1 kind: SecretDefinition metadata: name: rawls-migration-secretdef - labels: - {{- include "rawls.labels" . | nindent 4 }} + labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync argocr.argoproj.io/hook-delete-policy: BeforeHookCreation diff --git a/charts/rawls/templates/migration/serviceAccount.yaml b/charts/rawls/templates/migration/serviceAccount.yaml index f6dfcad4e..654416af7 100644 --- a/charts/rawls/templates/migration/serviceAccount.yaml +++ b/charts/rawls/templates/migration/serviceAccount.yaml @@ -3,8 +3,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: rawls-migration-sa - labels: - {{- include "rawls.labels" . | nindent 4 }} + labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync argocr.argoproj.io/hook-delete-policy: BeforeHookCreation From 77588ea1f0b00be55924d954b73088a0605b3976 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Mon, 14 Jun 2021 17:13:09 -0400 Subject: [PATCH 26/36] delete on succeeded --- charts/rawls/templates/migration/role.yaml | 2 +- charts/rawls/templates/migration/roleBinding.yaml | 2 +- charts/rawls/templates/migration/secretDefinition.yaml | 2 +- charts/rawls/templates/migration/serviceAccount.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/rawls/templates/migration/role.yaml b/charts/rawls/templates/migration/role.yaml index 63d10043b..e90a1c025 100644 --- a/charts/rawls/templates/migration/role.yaml +++ b/charts/rawls/templates/migration/role.yaml @@ -6,7 +6,7 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation + argocr.argoproj.io/hook-delete-policy: BeforeHookCreation, HookSucceeded argocd.argoproj.io/sync-wave: "-1" rules: - apiGroups: ['policy'] 
diff --git a/charts/rawls/templates/migration/roleBinding.yaml b/charts/rawls/templates/migration/roleBinding.yaml index 4d0c9c373..330bc8cfc 100644 --- a/charts/rawls/templates/migration/roleBinding.yaml +++ b/charts/rawls/templates/migration/roleBinding.yaml @@ -6,7 +6,7 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation + argocr.argoproj.io/hook-delete-policy: BeforeHookCreation, HookSucceeded argocd.argoproj.io/sync-wave: "-1" subjects: - kind: ServiceAccount diff --git a/charts/rawls/templates/migration/secretDefinition.yaml b/charts/rawls/templates/migration/secretDefinition.yaml index bc179ee2a..a4d57e11e 100644 --- a/charts/rawls/templates/migration/secretDefinition.yaml +++ b/charts/rawls/templates/migration/secretDefinition.yaml @@ -6,7 +6,7 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation + argocr.argoproj.io/hook-delete-policy: BeforeHookCreation, HookSucceeded argocd.argoproj.io/sync-wave: "-1" spec: name: rawls-sql-secrets diff --git a/charts/rawls/templates/migration/serviceAccount.yaml b/charts/rawls/templates/migration/serviceAccount.yaml index 654416af7..f1b7918c3 100644 --- a/charts/rawls/templates/migration/serviceAccount.yaml +++ b/charts/rawls/templates/migration/serviceAccount.yaml @@ -6,6 +6,6 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation + argocr.argoproj.io/hook-delete-policy: BeforeHookCreation, HookSucceeded argocd.argoproj.io/sync-wave: "-1" {{- end -}} From 12a09f860834f4dcec15e875e615b6e5e1cfde27 Mon Sep 17 00:00:00 2001 
From: Jack Warren Date: Mon, 14 Jun 2021 17:19:53 -0400 Subject: [PATCH 27/36] Different syntax --- charts/rawls/templates/migration/role.yaml | 2 +- charts/rawls/templates/migration/roleBinding.yaml | 2 +- charts/rawls/templates/migration/secretDefinition.yaml | 2 +- charts/rawls/templates/migration/serviceAccount.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/rawls/templates/migration/role.yaml b/charts/rawls/templates/migration/role.yaml index e90a1c025..9c90fa308 100644 --- a/charts/rawls/templates/migration/role.yaml +++ b/charts/rawls/templates/migration/role.yaml @@ -6,7 +6,7 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation, HookSucceeded + argocr.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded argocd.argoproj.io/sync-wave: "-1" rules: - apiGroups: ['policy'] diff --git a/charts/rawls/templates/migration/roleBinding.yaml b/charts/rawls/templates/migration/roleBinding.yaml index 330bc8cfc..d31dad90c 100644 --- a/charts/rawls/templates/migration/roleBinding.yaml +++ b/charts/rawls/templates/migration/roleBinding.yaml @@ -6,7 +6,7 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation, HookSucceeded + argocr.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded argocd.argoproj.io/sync-wave: "-1" subjects: - kind: ServiceAccount diff --git a/charts/rawls/templates/migration/secretDefinition.yaml b/charts/rawls/templates/migration/secretDefinition.yaml index a4d57e11e..d9c7b26d6 100644 --- a/charts/rawls/templates/migration/secretDefinition.yaml +++ b/charts/rawls/templates/migration/secretDefinition.yaml 
@@ -6,7 +6,7 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation, HookSucceeded + argocr.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded argocd.argoproj.io/sync-wave: "-1" spec: name: rawls-sql-secrets diff --git a/charts/rawls/templates/migration/serviceAccount.yaml b/charts/rawls/templates/migration/serviceAccount.yaml index f1b7918c3..27acfc446 100644 --- a/charts/rawls/templates/migration/serviceAccount.yaml +++ b/charts/rawls/templates/migration/serviceAccount.yaml @@ -6,6 +6,6 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation, HookSucceeded + argocr.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded argocd.argoproj.io/sync-wave: "-1" {{- end -}} From fc611252a17bd3beee701842ac0839cda5cfab8a Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Mon, 14 Jun 2021 17:23:27 -0400 Subject: [PATCH 28/36] No extra deletion policy --- charts/rawls/templates/migration/role.yaml | 2 +- charts/rawls/templates/migration/roleBinding.yaml | 2 +- charts/rawls/templates/migration/secretDefinition.yaml | 2 +- charts/rawls/templates/migration/serviceAccount.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/rawls/templates/migration/role.yaml b/charts/rawls/templates/migration/role.yaml index 9c90fa308..63d10043b 100644 --- a/charts/rawls/templates/migration/role.yaml +++ b/charts/rawls/templates/migration/role.yaml @@ -6,7 +6,7 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded + argocr.argoproj.io/hook-delete-policy: BeforeHookCreation argocd.argoproj.io/sync-wave: "-1" rules: - apiGroups: ['policy'] 
diff --git a/charts/rawls/templates/migration/roleBinding.yaml b/charts/rawls/templates/migration/roleBinding.yaml index d31dad90c..4d0c9c373 100644 --- a/charts/rawls/templates/migration/roleBinding.yaml +++ b/charts/rawls/templates/migration/roleBinding.yaml @@ -6,7 +6,7 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded + argocr.argoproj.io/hook-delete-policy: BeforeHookCreation argocd.argoproj.io/sync-wave: "-1" subjects: - kind: ServiceAccount diff --git a/charts/rawls/templates/migration/secretDefinition.yaml b/charts/rawls/templates/migration/secretDefinition.yaml index d9c7b26d6..bc179ee2a 100644 --- a/charts/rawls/templates/migration/secretDefinition.yaml +++ b/charts/rawls/templates/migration/secretDefinition.yaml @@ -6,7 +6,7 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded + argocr.argoproj.io/hook-delete-policy: BeforeHookCreation argocd.argoproj.io/sync-wave: "-1" spec: name: rawls-sql-secrets diff --git a/charts/rawls/templates/migration/serviceAccount.yaml b/charts/rawls/templates/migration/serviceAccount.yaml index 27acfc446..654416af7 100644 --- a/charts/rawls/templates/migration/serviceAccount.yaml +++ b/charts/rawls/templates/migration/serviceAccount.yaml @@ -6,6 +6,6 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded + argocr.argoproj.io/hook-delete-policy: BeforeHookCreation argocd.argoproj.io/sync-wave: "-1" {{- end -}} From c96ba5234ac8b16b09c87eca88c4b9c0b2f5eeb2 Mon Sep 17 00:00:00 2001 
From: Jack Warren Date: Mon, 14 Jun 2021 17:23:53 -0400 Subject: [PATCH 29/36] prefix with rawls --- charts/rawls/templates/migration/job.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index 5b0acc0c4..105813f55 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -31,7 +31,7 @@ spec: secret: secretName: {{ .Values.migration.secretPrefix }}-sqlproxy-ctmpls containers: - - name: migration-liquibase + - name: rawls-migration-liquibase image: "gcr.io/broad-dsp-gcr-public/rawls:{{ $imageTag }}" command: ['bash', '-c'] # Sleep for 15s to allow CloudSQL proxy time to start up. See DDO-1284 / BT-296 @@ -65,7 +65,7 @@ spec: subPath: liquibase.properties name: app-ctmpls readOnly: true - - name: migration-sqlproxy + - name: rawls-migration-sqlproxy # alpine provides `sh` image: gcr.io/cloudsql-docker/gce-proxy:1.23.0-alpine envFrom: From b4b586b87ff5ceb4d8ba1aaac3a809e6f5a4ad2b Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Mon, 14 Jun 2021 17:25:18 -0400 Subject: [PATCH 30/36] New readme --- charts/rawls/README.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/charts/rawls/README.md b/charts/rawls/README.md index 98137b627..521f65729 100644 --- a/charts/rawls/README.md +++ b/charts/rawls/README.md 
@@ -1,6 +1,6 @@ # rawls -![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) +![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) Chart for Rawls service in Terra @@ -15,7 +15,7 @@ Chart for Rawls service in Terra |-----|------|---------|-------------| | deploymentDefaults.enabled | bool | `true` | Whether a declared deployment is enabled. If false, no resources will be created | | deploymentDefaults.expose | bool | `false` | Whether to create a Service for this deployment | -| deploymentDefaults.imageTag | string | `nil` | Image tag to be used when deploying Pods @defautl global.applicationVersion | +| deploymentDefaults.imageTag | string | `nil` | Image tag to be used when deploying Pods @default global.applicationVersion | | deploymentDefaults.legacyResourcePrefix | string | `nil` | What prefix to use to refer to secrets rendered from firecloud-develop @default deploymentDefaults.name | | deploymentDefaults.name | string | `nil` | A name for the deployment that will be substituted into resuorce definitions. Example: `"rawls1-reader"` | | deploymentDefaults.probes.liveness.enabled | bool | `true` | | 
@@ -38,10 +38,18 @@ Chart for Rawls service in Terra | ingress.sslPolicy | string | `"tls12-ssl-policy"` | (string) Name of an existing google ssl policy to associate with an ingress frontend-config | | ingress.staticIpName | string | `nil` | Required. GCP resource name for ingress static ip | | ingress.timeoutSec | int | `120` | Number of seconds to timeout on requests to the ingress | +| migration.dryRun | bool | `true` | When true, merely print migration SQL; when false, execute it | +| migration.enabled | bool | `false` | Whether to run a Liquibase migration job pre-sync | +| migration.failBasedOnLiquibase | bool | `true` | When true, fail the job (and ArgoCD sync!) if the Liquibase command fails | +| migration.imageTag | string | `nil` | Override the image tag to run the migration on @default global.applicationVersion WARNING: App may behave unexpectedly if its database has been migrated to a different version than the app | +| migration.secretPrefix | string | `"rawls-backend"` | Prefix for ctmpl and env secrets NOTE: Generally equals some deploymentDefaults.name, as secrets are per-deployment but migrations are per-namespace | | resources.limits.cpu | int | `8` | Number of CPU units to limit the deployment to | | resources.limits.memory | string | `"16Gi"` | Memory to limit the deployment to | | resources.requests.cpu | int | `8` | Number of CPU units to request for the deployment | | resources.requests.memory | string | `"16Gi"` | Memory to request for the deployment | +| vault.migration.dbPasswordKey | string | `"slick_db_password"` | | +| vault.migration.dbUsernameKey | string | `"slick_db_user"` | Key in Vault secret to DB username | +| vault.migration.path | string | `nil` | Vault path to secret containing DB credentials | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) From 4348a39292999787b9fe5a676d27dca16694e906 Mon Sep 17 00:00:00 2001 
From: Jack Warren Date: Tue, 15 Jun 2021 10:49:30 -0400 Subject: [PATCH 31/36] Put rbac behind flag, disable by default --- charts/rawls/README.md | 2 ++ charts/rawls/templates/migration/job.yaml | 2 +- charts/rawls/templates/migration/role.yaml | 4 +++- charts/rawls/templates/migration/roleBinding.yaml | 6 ++++-- charts/rawls/templates/migration/serviceAccount.yaml | 4 +++- charts/rawls/values.yaml | 4 ++++ 6 files changed, 17 insertions(+), 5 deletions(-) diff --git a/charts/rawls/README.md b/charts/rawls/README.md index 521f65729..572cb8296 100644 --- a/charts/rawls/README.md +++ b/charts/rawls/README.md @@ -42,7 +42,9 @@ Chart for Rawls service in Terra | migration.enabled | bool | `false` | Whether to run a Liquibase migration job pre-sync | | migration.failBasedOnLiquibase | bool | `true` | When true, fail the job (and ArgoCD sync!) if the Liquibase command fails | | migration.imageTag | string | `nil` | Override the image tag to run the migration on @default global.applicationVersion WARNING: App may behave unexpectedly if its database has been migrated to a different version than the app | +| migration.rbacEnabled | bool | `false` | Whether to create SA/RBAC for the migration.serviceAccount at pre-sync (otherwise, assume it exists) | | migration.secretPrefix | string | `"rawls-backend"` | Prefix for ctmpl and env secrets NOTE: Generally equals some deploymentDefaults.name, as secrets are per-deployment but migrations are per-namespace | +| migration.serviceAccount | string | `"rawls-sa"` | Name of the k8s SA to use for the job | | resources.limits.cpu | int | `8` | Number of CPU units to limit the deployment to | | resources.limits.memory | string | `"16Gi"` | Memory to limit the deployment to | | resources.requests.cpu | int | `8` | Number of CPU units to request for the deployment | diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index 105813f55..355364f19 100644 
--- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -18,7 +18,7 @@ spec: # Allow migration-liquibase to kill migration-sqlproxy's process shareProcessNamespace: true restartPolicy: Never - serviceAccountName: rawls-migration-sa + serviceAccountName: {{ .Values.migration.serviceAccount }} hostAliases: - ip: 127.0.0.1 hostnames: diff --git a/charts/rawls/templates/migration/role.yaml b/charts/rawls/templates/migration/role.yaml index 63d10043b..c68a960e8 100644 --- a/charts/rawls/templates/migration/role.yaml +++ b/charts/rawls/templates/migration/role.yaml @@ -1,8 +1,9 @@ {{- if .Values.migration.enabled }} +{{- if .Values.migration.rbacEnabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: rawls-migration-role + name: {{ .Values.migration.serviceAccount }}-role labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync @@ -15,3 +16,4 @@ rules: resourceNames: - terra-default-psp {{- end -}} +{{- end -}} diff --git a/charts/rawls/templates/migration/roleBinding.yaml b/charts/rawls/templates/migration/roleBinding.yaml index 4d0c9c373..545512f2d 100644 --- a/charts/rawls/templates/migration/roleBinding.yaml +++ b/charts/rawls/templates/migration/roleBinding.yaml @@ -1,4 +1,5 @@ {{- if .Values.migration.enabled }} +{{- if .Values.migration.rbacEnabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -10,9 +11,10 @@ metadata: argocd.argoproj.io/sync-wave: "-1" subjects: - kind: ServiceAccount - name: rawls-migration-sa + name: {{ .Values.migration.serviceAccount }} roleRef: kind: Role - name: rawls-migration-role + name: {{ .Values.migration.serviceAccount }}-role apiGroup: rbac.authorization.k8s.io {{- end -}} +{{- end -}} diff --git a/charts/rawls/templates/migration/serviceAccount.yaml b/charts/rawls/templates/migration/serviceAccount.yaml index 654416af7..88910c2d6 100644 --- a/charts/rawls/templates/migration/serviceAccount.yaml 
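Review bot: `serviceAccountName: {{ .Values.migration.serviceAccount }}` renders the value unquoted, so a value that YAML types as something other than a string (a number-like name, or an empty override yielding `null`) produces a pod spec that fails validation instead of a clear templating error; prefer `serviceAccountName: {{ .Values.migration.serviceAccount | quote }}`, and the same applies to the templated `name:` lines in the role, roleBinding and serviceAccount hunks of this patch. With the defaults introduced in values.yaml (`rbacEnabled: false`, `serviceAccount: "rawls-sa"`) the chart references a ServiceAccount it does not create, so a namespace without a pre-existing `rawls-sa` gets a PreSync job whose pod cannot be created and a sync that stalls; the README row says this is intended, but a `required`-style check or a NOTES entry would make the failure mode visible. The pod spec continues outside the hunk.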
+++ b/charts/rawls/templates/migration/serviceAccount.yaml @@ -1,11 +1,13 @@ {{- if .Values.migration.enabled }} +{{- if .Values.migration.rbacEnabled }} apiVersion: v1 kind: ServiceAccount metadata: - name: rawls-migration-sa + name: {{ .Values.migration.serviceAccount }} labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync argocr.argoproj.io/hook-delete-policy: BeforeHookCreation argocd.argoproj.io/sync-wave: "-1" {{- end -}} +{{- end -}} diff --git a/charts/rawls/values.yaml b/charts/rawls/values.yaml index 634b0f1e7..820ff7877 100644 --- a/charts/rawls/values.yaml +++ b/charts/rawls/values.yaml @@ -117,3 +117,7 @@ migration: # migration.secretPrefix -- Prefix for ctmpl and env secrets # NOTE: Generally equals some deploymentDefaults.name, as secrets are per-deployment but migrations are per-namespace secretPrefix: "rawls-backend" + # migration.serviceAccount -- Name of the k8s SA to use for the job + serviceAccount: "rawls-sa" + # migration.rbacEnabled -- Whether to create SA/RBAC for the migration.serviceAccount at pre-sync (otherwise, assume it exists) + rbacEnabled: false From 7d48165e698a4c07409915fea0092be29dac1f98 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Tue, 15 Jun 2021 12:08:18 -0400 Subject: [PATCH 32/36] spell the deletion policy field correctly :( --- charts/rawls/templates/migration/role.yaml | 2 +- charts/rawls/templates/migration/roleBinding.yaml | 2 +- charts/rawls/templates/migration/secretDefinition.yaml | 2 +- charts/rawls/templates/migration/serviceAccount.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/rawls/templates/migration/role.yaml b/charts/rawls/templates/migration/role.yaml index c68a960e8..364d077dc 100644 --- a/charts/rawls/templates/migration/role.yaml +++ b/charts/rawls/templates/migration/role.yaml 
@@ -7,7 +7,7 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded argocd.argoproj.io/sync-wave: "-1" rules: - apiGroups: ['policy'] diff --git a/charts/rawls/templates/migration/roleBinding.yaml b/charts/rawls/templates/migration/roleBinding.yaml index 545512f2d..7f77bae31 100644 --- a/charts/rawls/templates/migration/roleBinding.yaml +++ b/charts/rawls/templates/migration/roleBinding.yaml @@ -7,7 +7,7 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded argocd.argoproj.io/sync-wave: "-1" subjects: - kind: ServiceAccount diff --git a/charts/rawls/templates/migration/secretDefinition.yaml b/charts/rawls/templates/migration/secretDefinition.yaml index bc179ee2a..631f05a17 100644 --- a/charts/rawls/templates/migration/secretDefinition.yaml +++ b/charts/rawls/templates/migration/secretDefinition.yaml @@ -6,7 +6,7 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded argocd.argoproj.io/sync-wave: "-1" spec: name: rawls-sql-secrets diff --git a/charts/rawls/templates/migration/serviceAccount.yaml b/charts/rawls/templates/migration/serviceAccount.yaml index 88910c2d6..464a47f6c 100644 --- a/charts/rawls/templates/migration/serviceAccount.yaml +++ b/charts/rawls/templates/migration/serviceAccount.yaml 
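Review bot: The corrected key `argocd.argoproj.io/hook-delete-policy` is applied to the Role, RoleBinding, SecretDefinition and ServiceAccount, but job.yaml still carries the misspelled `argocr.argoproj.io/hook-delete-policy: BeforeHookCreation` (visible as context in patch 25's hunk), so the Job itself keeps falling back to Argo CD's default rather than the policy the author intends; unless a later patch fixes it, the same one-line correction belongs there. Adding `HookSucceeded` to the SecretDefinition removes the `rawls-sql-secrets` definition after a successful run, which presumably also removes the Secret holding the DB credentials — good for exposure, but worth a comment, since a failed run leaves it in place until the next sync's BeforeHookCreation. The same annotation block is changed in the roleBinding, secretDefinition and serviceAccount hunks that follow.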
@@ -7,7 +7,7 @@ metadata: labels: {{- include "rawls.labels" . | nindent 4 }} annotations: argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded argocd.argoproj.io/sync-wave: "-1" {{- end -}} {{- end -}} From e39fd66cc3824092bf10635fc6064fbf0d532be6 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Tue, 15 Jun 2021 12:09:21 -0400 Subject: [PATCH 33/36] enable rbac --- charts/rawls/templates/migration/role.yaml | 2 -- charts/rawls/templates/migration/roleBinding.yaml | 2 -- charts/rawls/templates/migration/serviceAccount.yaml | 2 -- charts/rawls/values.yaml | 2 +- 4 files changed, 1 insertion(+), 7 deletions(-) diff --git a/charts/rawls/templates/migration/role.yaml b/charts/rawls/templates/migration/role.yaml index 364d077dc..62e9a3719 100644 --- a/charts/rawls/templates/migration/role.yaml +++ b/charts/rawls/templates/migration/role.yaml @@ -1,5 +1,4 @@ {{- if .Values.migration.enabled }} -{{- if .Values.migration.rbacEnabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -16,4 +15,3 @@ rules: resourceNames: - terra-default-psp {{- end -}} -{{- end -}} diff --git a/charts/rawls/templates/migration/roleBinding.yaml b/charts/rawls/templates/migration/roleBinding.yaml index 7f77bae31..4d89fbf8b 100644 --- a/charts/rawls/templates/migration/roleBinding.yaml +++ b/charts/rawls/templates/migration/roleBinding.yaml @@ -1,5 +1,4 @@ {{- if .Values.migration.enabled }} -{{- if .Values.migration.rbacEnabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -17,4 +16,3 @@ roleRef: name: {{ .Values.migration.serviceAccount }}-role apiGroup: rbac.authorization.k8s.io {{- end -}} -{{- end -}} diff --git a/charts/rawls/templates/migration/serviceAccount.yaml b/charts/rawls/templates/migration/serviceAccount.yaml index 464a47f6c..73afeb384 100644 --- a/charts/rawls/templates/migration/serviceAccount.yaml 
+++ b/charts/rawls/templates/migration/serviceAccount.yaml @@ -1,5 +1,4 @@ {{- if .Values.migration.enabled }} -{{- if .Values.migration.rbacEnabled }} apiVersion: v1 kind: ServiceAccount metadata: @@ -10,4 +9,3 @@ metadata: argocd.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded argocd.argoproj.io/sync-wave: "-1" {{- end -}} -{{- end -}} diff --git a/charts/rawls/values.yaml b/charts/rawls/values.yaml index 820ff7877..39199209f 100644 --- a/charts/rawls/values.yaml +++ b/charts/rawls/values.yaml @@ -118,6 +118,6 @@ migration: # NOTE: Generally equals some deploymentDefaults.name, as secrets are per-deployment but migrations are per-namespace secretPrefix: "rawls-backend" # migration.serviceAccount -- Name of the k8s SA to use for the job - serviceAccount: "rawls-sa" + serviceAccount: "rawls-migration-sa" # migration.rbacEnabled -- Whether to create SA/RBAC for the migration.serviceAccount at pre-sync (otherwise, assume it exists) rbacEnabled: false From 7c859415908f91a14e81c6387268ae8d8a1a11c9 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Tue, 15 Jun 2021 12:20:52 -0400 Subject: [PATCH 34/36] reuse rbac, move it to earlier wave --- charts/rawls/README.md | 2 +- charts/rawls/templates/migration/job.yaml | 5 +++-- charts/rawls/templates/migration/role.yaml | 17 ----------------- .../rawls/templates/migration/roleBinding.yaml | 18 ------------------ .../templates/migration/serviceAccount.yaml | 11 ----------- charts/rawls/templates/role.yaml | 2 ++ charts/rawls/templates/roleBinding.yaml | 2 ++ charts/rawls/templates/serviceAccount.yaml | 2 ++ charts/rawls/values.yaml | 7 ++++--- 9 files changed, 14 insertions(+), 52 deletions(-) delete mode 100644 charts/rawls/templates/migration/role.yaml delete mode 100644 charts/rawls/templates/migration/roleBinding.yaml delete mode 100644 charts/rawls/templates/migration/serviceAccount.yaml diff --git a/charts/rawls/README.md b/charts/rawls/README.md index 572cb8296..0563cf75a 100644 
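Review bot: `rbacEnabled: false` and its comment survive this commit although the `{{- if .Values.migration.rbacEnabled }}` guards that read it are removed from role.yaml, roleBinding.yaml and serviceAccount.yaml, so the value is now dead and its comment ("otherwise, assume it exists") is misleading; either drop the key (and its README row) or keep the guard. With the guard gone, the SA named by `serviceAccount: "rawls-migration-sa"` and its Role/RoleBinding are created as PreSync hooks whenever `migration.enabled` is true.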
--- a/charts/rawls/README.md +++ b/charts/rawls/README.md @@ -42,9 +42,9 @@ Chart for Rawls service in Terra | migration.enabled | bool | `false` | Whether to run a Liquibase migration job pre-sync | | migration.failBasedOnLiquibase | bool | `true` | When true, fail the job (and ArgoCD sync!) if the Liquibase command fails | | migration.imageTag | string | `nil` | Override the image tag to run the migration on @default global.applicationVersion WARNING: App may behave unexpectedly if its database has been migrated to a different version than the app | -| migration.rbacEnabled | bool | `false` | Whether to create SA/RBAC for the migration.serviceAccount at pre-sync (otherwise, assume it exists) | | migration.secretPrefix | string | `"rawls-backend"` | Prefix for ctmpl and env secrets NOTE: Generally equals some deploymentDefaults.name, as secrets are per-deployment but migrations are per-namespace | | migration.serviceAccount | string | `"rawls-sa"` | Name of the k8s SA to use for the job | +| migration.syncWave | string | `"-1"` | Wave to run migration as a sync hook (presumably after SA's RBAC wave) NOTE: Sync hook, not PreSync, so that SA/RBAC can be made normally via an earlier wave | | resources.limits.cpu | int | `8` | Number of CPU units to limit the deployment to | | resources.limits.memory | string | `"16Gi"` | Memory to limit the deployment to | | resources.requests.cpu | int | `8` | Number of CPU units to request for the deployment | diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index 355364f19..7259add0b 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml 
@@ -5,8 +5,9 @@ kind: Job metadata: name: rawls-liquibase-migration annotations: - argocd.argoproj.io/hook: PreSync - argocr.argoproj.io/hook-delete-policy: BeforeHookCreation + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation + argocd.argoproj.io/sync-wave: {{ .Values.migration.syncWave }} labels: {{- include "rawls.labels" . | nindent 4 }} spec: backoffLimit: 2 diff --git a/charts/rawls/templates/migration/role.yaml b/charts/rawls/templates/migration/role.yaml deleted file mode 100644 index 62e9a3719..000000000 --- a/charts/rawls/templates/migration/role.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if .Values.migration.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ .Values.migration.serviceAccount }}-role - labels: {{- include "rawls.labels" . | nindent 4 }} - annotations: - argocd.argoproj.io/hook: PreSync - argocd.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded - argocd.argoproj.io/sync-wave: "-1" -rules: -- apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: - - terra-default-psp -{{- end -}} diff --git a/charts/rawls/templates/migration/roleBinding.yaml b/charts/rawls/templates/migration/roleBinding.yaml deleted file mode 100644 index 4d89fbf8b..000000000 --- a/charts/rawls/templates/migration/roleBinding.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.migration.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: rawls-migration-sa-binding - labels: {{- include "rawls.labels" . | nindent 4 }} - annotations: - argocd.argoproj.io/hook: PreSync - argocd.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded - argocd.argoproj.io/sync-wave: "-1" -subjects: -- kind: ServiceAccount - name: {{ .Values.migration.serviceAccount }} -roleRef: - kind: Role - name: {{ .Values.migration.serviceAccount }}-role - apiGroup: rbac.authorization.k8s.io -{{- end -}} 
diff --git a/charts/rawls/templates/migration/serviceAccount.yaml b/charts/rawls/templates/migration/serviceAccount.yaml deleted file mode 100644 index 73afeb384..000000000 --- a/charts/rawls/templates/migration/serviceAccount.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if .Values.migration.enabled }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ .Values.migration.serviceAccount }} - labels: {{- include "rawls.labels" . | nindent 4 }} - annotations: - argocd.argoproj.io/hook: PreSync - argocd.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded - argocd.argoproj.io/sync-wave: "-1" -{{- end -}} diff --git a/charts/rawls/templates/role.yaml b/charts/rawls/templates/role.yaml index 6fe61031a..5829eb265 100644 --- a/charts/rawls/templates/role.yaml +++ b/charts/rawls/templates/role.yaml @@ -2,6 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: rawls-role + annotations: + argocd.argoproj.io/sync-wave: "-2" labels: {{ include "rawls.labels" . | indent 4 }} rules: diff --git a/charts/rawls/templates/roleBinding.yaml b/charts/rawls/templates/roleBinding.yaml index 05d83af13..421e6dd79 100644 --- a/charts/rawls/templates/roleBinding.yaml +++ b/charts/rawls/templates/roleBinding.yaml @@ -2,6 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: rawls-sa-binding + annotations: + argocd.argoproj.io/sync-wave: "-2" labels: {{ include "rawls.labels" . | indent 4 }} subjects: diff --git a/charts/rawls/templates/serviceAccount.yaml b/charts/rawls/templates/serviceAccount.yaml index 93750fa72..66cb6106d 100644 --- a/charts/rawls/templates/serviceAccount.yaml +++ b/charts/rawls/templates/serviceAccount.yaml @@ -2,5 +2,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: rawls-sa + annotations: + argocd.argoproj.io/sync-wave: "-2" labels: {{ include "rawls.labels" . | indent 4 }} \ No newline at end of file 
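Review bot: The `argocd.argoproj.io/sync-wave: "-2"` added to role.yaml, roleBinding.yaml and serviceAccount.yaml is hard-coded while the migration wave is the user-configurable `migration.syncWave`, so a value of `"-2"` or lower silently places the job alongside or ahead of the SA and RBAC it depends on; document the constraint next to the value, e.g. `# must be later than the "-2" wave of templates/serviceAccount.yaml`, or validate it in the template. The serviceAccount.yaml hunk also still ends without a trailing newline (`\ No newline at end of file`); add one while touching the file.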
diff --git a/charts/rawls/values.yaml b/charts/rawls/values.yaml index 39199209f..80feae294 100644 --- a/charts/rawls/values.yaml +++ b/charts/rawls/values.yaml @@ -118,6 +118,7 @@ migration: # NOTE: Generally equals some deploymentDefaults.name, as secrets are per-deployment but migrations are per-namespace secretPrefix: "rawls-backend" # migration.serviceAccount -- Name of the k8s SA to use for the job - serviceAccount: "rawls-migration-sa" - # migration.rbacEnabled -- Whether to create SA/RBAC for the migration.serviceAccount at pre-sync (otherwise, assume it exists) - rbacEnabled: false + serviceAccount: "rawls-sa" + # migration.syncWave -- Wave to run migration as a sync hook (presumably after SA's RBAC wave) + # NOTE: Sync hook, not PreSync, so that SA/RBAC can be made normally via an earlier wave + syncWave: "-1" From abe00649fe4624dc292991eca95bc4bc2e56337f Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Tue, 15 Jun 2021 12:26:03 -0400 Subject: [PATCH 35/36] quotes --- charts/rawls/templates/migration/job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rawls/templates/migration/job.yaml b/charts/rawls/templates/migration/job.yaml index 7259add0b..101cb4291 100644 --- a/charts/rawls/templates/migration/job.yaml +++ b/charts/rawls/templates/migration/job.yaml @@ -7,7 +7,7 @@ metadata: annotations: argocd.argoproj.io/hook: Sync argocd.argoproj.io/hook-delete-policy: BeforeHookCreation - argocd.argoproj.io/sync-wave: {{ .Values.migration.syncWave }} + argocd.argoproj.io/sync-wave: "{{ .Values.migration.syncWave }}" labels: {{- include "rawls.labels" . | nindent 4 }} spec: backoffLimit: 2 From fa53069e16854772049b88f341a5dc9b4989ca62 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Tue, 15 Jun 2021 12:30:23 -0400 Subject: [PATCH 36/36] secretdef in same wave --- charts/rawls/templates/migration/secretDefinition.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
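Review bot: Pointing `migration.serviceAccount` back at `rawls-sa` runs the one-shot migration job under the application's own identity, so the job inherits every permission bound to that ServiceAccount instead of the PSP-only Role the dedicated migration SA carried until this commit. Least privilege favours keeping a dedicated SA and binding in the same `"-2"` wave as the application's RBAC. If reusing the app SA is the accepted trade-off, record it in the value's comment, e.g. `# NOTE: reuses the app SA, so the job runs with the app's full RBAC`.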
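Review bot: Style: wrapping the template expression in literal double quotes works for the default `"-1"` but breaks if the value ever contains a double quote. The Helm idiom is `argocd.argoproj.io/sync-wave: {{ .Values.migration.syncWave | quote }}`, which escapes as needed and still forces a string.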
diff --git a/charts/rawls/templates/migration/secretDefinition.yaml b/charts/rawls/templates/migration/secretDefinition.yaml index 631f05a17..5271f5c7b 100644 --- a/charts/rawls/templates/migration/secretDefinition.yaml +++ b/charts/rawls/templates/migration/secretDefinition.yaml @@ -5,9 +5,7 @@ metadata: name: rawls-migration-secretdef labels: {{- include "rawls.labels" . | nindent 4 }} annotations: - argocd.argoproj.io/hook: PreSync - argocd.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded - argocd.argoproj.io/sync-wave: "-1" + argocd.argoproj.io/sync-wave: "{{ .Values.migration.syncWave }}" spec: name: rawls-sql-secrets keysMap:
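Review bot: Removing the hook and delete-policy annotations turns the SecretDefinition — and presumably the `rawls-sql-secrets` Secret it produces for the migration — into a persistent, normally-synced resource rather than one deleted on HookSucceeded, so database credentials that previously existed only for the migration window now stay in the namespace; if that narrower lifetime was intentional, it is lost here. Placing it in the same wave as the Job also means both are applied together, so the job's pod may be created before the Secret exists; whether that is tolerated depends on the operator reconciling the SecretDefinition and on kubelet retries, which is worth confirming rather than assuming. A comment such as `# same wave as the migration Job; the job must tolerate the Secret appearing slightly later` would make the dependency explicit.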