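{{- /*
hubble-ui Deployment.

Rendered only when .Values.hubble.ui.enabled is set together with either
.Values.hubble.enabled or .Values.hubble.ui.standalone.enabled.

The pod runs two containers:
  - frontend: listens on 8081, nginx configuration mounted from the
    hubble-ui-nginx ConfigMap.
  - backend: listens on 8090 and connects to hubble-relay (FLOWS_API_ADDR).

Free-form string values taken from .Values / .Release are piped through
`quote` so that a value that looks like a number, a boolean or YAML syntax
cannot change the type or structure of the rendered manifest.
*/ -}}
{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled }}
kind: Deployment
apiVersion: apps/v1
metadata:
  name: hubble-ui
  namespace: {{ .Release.Namespace | quote }}
  {{- with .Values.hubble.ui.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    k8s-app: hubble-ui
    app.kubernetes.io/name: hubble-ui
    app.kubernetes.io/part-of: cilium
spec:
  replicas: {{ .Values.hubble.ui.replicas }}
  selector:
    matchLabels:
      k8s-app: hubble-ui
  {{- with .Values.hubble.ui.updateStrategy }}
  strategy:
    {{- toYaml . | trim | nindent 4 }}
  {{- end }}
  template:
    metadata:
      annotations:
        {{- if .Values.hubble.ui.rollOutPods }}
        # ensure pods roll when configmap updates
        cilium.io/hubble-ui-nginx-configmap-checksum: {{ include (print $.Template.BasePath "/hubble-ui/configmap.yaml") . | sha256sum | quote }}
        {{- end }}
        {{- with .Values.hubble.ui.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      labels:
        k8s-app: hubble-ui
        app.kubernetes.io/name: hubble-ui
        app.kubernetes.io/part-of: cilium
        {{- with .Values.hubble.ui.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      {{- /* Pod-level securityContext is emitted only when its "enabled" key is
             true; "enabled" itself is a chart switch and is stripped from the
             rendered object. */}}
      {{- with .Values.hubble.ui.securityContext }}
      {{- if .enabled }}
      securityContext:
        {{- omit . "enabled" | toYaml | nindent 8 }}
      {{- end }}
      {{- end }}
      priorityClassName: {{ .Values.hubble.ui.priorityClassName }}
      serviceAccount: {{ .Values.serviceAccounts.ui.name | quote }}
      serviceAccountName: {{ .Values.serviceAccounts.ui.name | quote }}
      # whether the service account token is mounted into the pod is decided by values
      automountServiceAccountToken: {{ .Values.serviceAccounts.ui.automount }}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
      - name: frontend
        image: {{ include "cilium.image" .Values.hubble.ui.frontend.image | quote }}
        imagePullPolicy: {{ .Values.hubble.ui.frontend.image.pullPolicy }}
        ports:
        - name: http
          containerPort: 8081
        {{- with .Values.hubble.ui.frontend.extraEnv }}
        env:
          {{- toYaml . | trim | nindent 12 }}
        {{- end }}
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
        readinessProbe:
          httpGet:
            path: /
            port: 8081
        {{- with .Values.hubble.ui.frontend.resources }}
        resources:
          {{- toYaml . | trim | nindent 10 }}
        {{- end }}
        volumeMounts:
        - name: hubble-ui-nginx-conf
          mountPath: /etc/nginx/conf.d/default.conf
          subPath: nginx.conf
        - name: tmp-dir
          mountPath: /tmp
        {{- with .Values.hubble.ui.frontend.extraVolumeMounts }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        terminationMessagePolicy: FallbackToLogsOnError
        {{- /* Container securityContext is rendered only when values provide
               one; nothing is set here otherwise. */}}
        {{- with .Values.hubble.ui.frontend.securityContext }}
        securityContext:
          {{- toYaml . | trim | nindent 10 }}
        {{- end }}
      - name: backend
        image: {{ include "cilium.image" .Values.hubble.ui.backend.image | quote }}
        imagePullPolicy: {{ .Values.hubble.ui.backend.image.pullPolicy }}
        env:
        - name: EVENTS_SERVER_PORT
          value: "8090"
        {{- if .Values.hubble.relay.tls.server.enabled }}
        # relay TLS enabled: connect on 443 with a client certificate and
        # verify the relay against the mounted CA and the configured server name
        - name: FLOWS_API_ADDR
          value: "hubble-relay:443"
        - name: TLS_TO_RELAY_ENABLED
          value: "true"
        - name: TLS_RELAY_SERVER_NAME
          value: {{ .Values.hubble.relay.tls.server.relayName | quote }}
        - name: TLS_RELAY_CA_CERT_FILES
          value: /var/lib/hubble-ui/certs/hubble-relay-ca.crt
        - name: TLS_RELAY_CLIENT_CERT_FILE
          value: /var/lib/hubble-ui/certs/client.crt
        - name: TLS_RELAY_CLIENT_KEY_FILE
          value: /var/lib/hubble-ui/certs/client.key
        {{- else }}
        # NOTE(review): no TLS_* variables are set on this path, so the
        # connection to hubble-relay:80 is presumably unencrypted and
        # unauthenticated - confirm this is acceptable for the cluster
        - name: FLOWS_API_ADDR
          value: "hubble-relay:80"
        {{- end }}
        {{- with .Values.hubble.ui.backend.extraEnv }}
        {{- toYaml . | trim | nindent 8 }}
        {{- end }}
        {{- if .Values.hubble.ui.backend.livenessProbe.enabled }}
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8090
        {{- end }}
        {{- if .Values.hubble.ui.backend.readinessProbe.enabled }}
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8090
        {{- end }}
        ports:
        - name: grpc
          containerPort: 8090
        {{- with .Values.hubble.ui.backend.resources }}
        resources:
          {{- toYaml . | trim | nindent 10 }}
        {{- end }}
        volumeMounts:
        {{- if .Values.hubble.relay.tls.server.enabled }}
        # client certificate, key and relay CA; mounted read-only
        - name: hubble-ui-client-certs
          mountPath: /var/lib/hubble-ui/certs
          readOnly: true
        {{- end }}
        {{- with .Values.hubble.ui.backend.extraVolumeMounts }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        terminationMessagePolicy: FallbackToLogsOnError
        {{- with .Values.hubble.ui.backend.securityContext }}
        securityContext:
          {{- toYaml . | trim | nindent 10 }}
        {{- end }}
      {{- with .Values.hubble.ui.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.hubble.ui.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- /* A constraint without its own labelSelector gets one that
               matches this Deployment's pods. */}}
        {{- range $constraint := . }}
      - {{ toYaml $constraint | nindent 8 | trim }}
          {{- if not $constraint.labelSelector }}
        labelSelector:
          matchLabels:
            k8s-app: hubble-ui
          {{- end }}
        {{- end }}
      {{- end }}
      {{- with .Values.hubble.ui.nodeSelector }}
      nodeSelector:
        {{- toYaml . | trim | nindent 8 }}
      {{- end }}
      {{- with .Values.hubble.ui.tolerations }}
      tolerations:
        {{- toYaml . | trim | nindent 8 }}
      {{- end }}
      volumes:
      - configMap:
          # 420 decimal == 0644 octal
          defaultMode: 420
          name: hubble-ui-nginx
        name: hubble-ui-nginx-conf
      - emptyDir: {}
        name: tmp-dir
      {{- if .Values.hubble.relay.tls.server.enabled }}
      - name: hubble-ui-client-certs
      {{- if .Values.hubble.ui.standalone.enabled }}
        # NOTE(review): the volume source is taken verbatim from values; an
        # empty certsVolume would leave this volume without a source - confirm
        # it is validated elsewhere in the chart
        {{- toYaml .Values.hubble.ui.standalone.tls.certsVolume | nindent 8 }}
      {{- else }}
        projected:
          # 256 decimal == 0400 octal (owner read-only). Written in decimal so
          # the mode of the client key does not depend on the parser accepting
          # YAML 1.1 octal literals; a parser that reads "0400" as decimal 400
          # would apply 0620 instead.
          defaultMode: 256
          sources:
          - secret:
              name: hubble-ui-client-certs
              items:
                - key: tls.crt
                  path: client.crt
                - key: tls.key
                  path: client.key
                {{- if not .Values.tls.caBundle.enabled }}
                - key: ca.crt
                  path: hubble-relay-ca.crt
                {{- else }}
          # CA comes from the shared CA bundle (Secret or ConfigMap) instead
          # of the ca.crt key of the client certificate Secret
          - {{ .Values.tls.caBundle.useSecret | ternary "secret" "configMap" }}:
              name: {{ .Values.tls.caBundle.name | quote }}
              items:
                - key: {{ .Values.tls.caBundle.key | quote }}
                  path: hubble-relay-ca.crt
                {{- end }}
      {{- end }}
      {{- end }}
      {{- with .Values.hubble.ui.frontend.extraVolumes }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
      {{- with .Values.hubble.ui.backend.extraVolumes }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
{{- end }}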