{{- if and .Values.hubble.enabled .Values.hubble.relay.enabled }} {{- $mountSocket := not .Values.hubble.peerService.enabled -}} apiVersion: apps/v1 kind: Deployment metadata: name: hubble-relay namespace: {{ .Release.Namespace }} labels: k8s-app: hubble-relay spec: replicas: {{ .Values.hubble.relay.replicas }} selector: matchLabels: k8s-app: hubble-relay {{- with .Values.hubble.relay.updateStrategy }} strategy: {{- toYaml . | trim | nindent 4 }} {{- end }} template: metadata: annotations: {{- if .Values.hubble.relay.rollOutPods }} # ensure pods roll when configmap updates cilium.io/hubble-relay-configmap-checksum: {{ include (print $.Template.BasePath "/hubble-relay/configmap.yaml") . | sha256sum | quote }} {{- end }} {{- with .Values.hubble.relay.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} labels: k8s-app: hubble-relay {{- with .Values.hubble.relay.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} spec: {{- with .Values.hubble.relay.securityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} containers: - name: hubble-relay image: {{ include "cilium.image" .Values.hubble.relay.image | quote }} imagePullPolicy: {{ .Values.hubble.relay.image.pullPolicy }} command: - hubble-relay args: - serve {{- if .Values.debug.enabled }} - --debug {{- end }} ports: - name: grpc containerPort: {{ .Values.hubble.relay.listenPort }} {{- if .Values.hubble.relay.prometheus.enabled }} - name: prometheus containerPort: {{ .Values.hubble.relay.prometheus.port }} protocol: TCP {{- end }} readinessProbe: tcpSocket: port: grpc livenessProbe: tcpSocket: port: grpc {{- with .Values.hubble.relay.extraEnv }} env: {{- toYaml . | trim | nindent 12 }} {{- end }} {{- with .Values.hubble.relay.resources }} resources: {{- toYaml . | trim | nindent 12 }} {{- end }} volumeMounts: {{- if $mountSocket }} - name: hubble-sock-dir mountPath: {{ dir .Values.hubble.socketPath }} readOnly: true {{- end }} - name: config mountPath: /etc/hubble-relay readOnly: true {{- if .Values.hubble.tls.enabled }} - name: tls mountPath: /var/lib/hubble-relay/tls readOnly: true {{- end }} restartPolicy: Always priorityClassName: {{ .Values.hubble.relay.priorityClassName }} serviceAccount: {{ .Values.serviceAccounts.relay.name | quote }} serviceAccountName: {{ .Values.serviceAccounts.relay.name | quote }} automountServiceAccountToken: false terminationGracePeriodSeconds: {{ .Values.hubble.relay.terminationGracePeriodSeconds }} {{- with .Values.hubble.relay.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.hubble.relay.nodeSelector }} nodeSelector: {{- toYaml . | trim | nindent 8 }} {{- end }} {{- with .Values.hubble.relay.tolerations }} tolerations: {{- toYaml . | trim | nindent 8 }} {{- end }} volumes: - name: config configMap: name: hubble-relay-config items: - key: config.yaml path: config.yaml {{- if $mountSocket }} - name: hubble-sock-dir hostPath: path: {{ dir .Values.hubble.socketPath }} type: Directory {{- end }} {{- if .Values.hubble.tls.enabled }} - name: tls projected: # note: the leading zero means this number is in octal representation: do not remove it defaultMode: 0400 sources: - secret: name: hubble-relay-client-certs items: - key: ca.crt path: hubble-server-ca.crt - key: tls.crt path: client.crt - key: tls.key path: client.key {{- if .Values.hubble.relay.tls.server.enabled }} - secret: name: hubble-relay-server-certs items: - key: tls.crt path: server.crt - key: tls.key path: server.key {{- end }} {{- end }} {{- end }}