{{- if and (or .Values.hubble.enabled .Values.hubble.ui.standalone.enabled) .Values.hubble.ui.enabled }} kind: Deployment apiVersion: apps/v1 metadata: name: hubble-ui namespace: {{ .Release.Namespace }} labels: k8s-app: hubble-ui spec: replicas: {{ .Values.hubble.ui.replicas }} selector: matchLabels: k8s-app: hubble-ui template: metadata: annotations: {{- if .Values.hubble.ui.rollOutPods }} # ensure pods roll when configmap updates cilium.io/hubble-ui-nginx-configmap-checksum: {{ include (print $.Template.BasePath "/hubble-ui/configmap.yaml") . | sha256sum | quote }} {{- end }} {{- with .Values.hubble.ui.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} labels: k8s-app: hubble-ui {{- with .Values.hubble.ui.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} spec: {{- with .Values.hubble.ui.securityContext }} {{- if .enabled }} securityContext: {{- omit . "enabled" | toYaml | nindent 8 }} {{- end}} {{- end }} priorityClassName: {{ .Values.hubble.ui.priorityClassName }} serviceAccount: {{ .Values.serviceAccounts.ui.name | quote }} serviceAccountName: {{ .Values.serviceAccounts.ui.name | quote }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} containers: - name: frontend image: {{ include "cilium.image" .Values.hubble.ui.frontend.image | quote }} imagePullPolicy: {{ .Values.hubble.ui.frontend.image.pullPolicy }} ports: - name: http containerPort: 8081 {{- with .Values.hubble.ui.frontend.extraEnv }} env: {{- toYaml . | trim | nindent 12 }} {{- end }} {{- with .Values.hubble.ui.frontend.resources }} resources: {{- toYaml . | trim | nindent 10 }} {{- end }} volumeMounts: - name: hubble-ui-nginx-conf mountPath: /etc/nginx/conf.d/default.conf subPath: nginx.conf - name: tmp-dir mountPath: /tmp - name: backend image: {{ include "cilium.image" .Values.hubble.ui.backend.image | quote }} imagePullPolicy: {{ .Values.hubble.ui.backend.image.pullPolicy }} env: - name: EVENTS_SERVER_PORT value: "8090" {{- if .Values.hubble.relay.tls.server.enabled }} - name: FLOWS_API_ADDR value: "hubble-relay:443" - name: TLS_TO_RELAY_ENABLED value: "true" - name: TLS_RELAY_SERVER_NAME value: ui.hubble-relay.cilium.io - name: TLS_RELAY_CA_CERT_FILES value: /var/lib/hubble-ui/certs/hubble-relay-ca.crt - name: TLS_RELAY_CLIENT_CERT_FILE value: /var/lib/hubble-ui/certs/client.crt - name: TLS_RELAY_CLIENT_KEY_FILE value: /var/lib/hubble-ui/certs/client.key {{- else }} - name: FLOWS_API_ADDR value: "hubble-relay:80" {{- end }} {{- with .Values.hubble.ui.backend.extraEnv }} {{- toYaml . | trim | nindent 10 }} {{- end }} ports: - name: grpc containerPort: 8090 {{- with .Values.hubble.ui.backend.resources }} resources: {{- toYaml . | trim | nindent 10 }} {{- end }} volumeMounts: {{- if .Values.hubble.relay.tls.server.enabled }} - name: hubble-ui-client-certs mountPath: /var/lib/hubble-ui/certs readOnly: true {{- end }} {{- with .Values.hubble.ui.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.hubble.ui.nodeSelector }} nodeSelector: {{- toYaml . | trim | nindent 8 }} {{- end }} {{- with .Values.hubble.ui.tolerations }} tolerations: {{- toYaml . | trim | nindent 8 }} {{- end }} volumes: - configMap: defaultMode: 420 name: hubble-ui-nginx name: hubble-ui-nginx-conf - emptyDir: {} name: tmp-dir {{- if .Values.hubble.relay.tls.server.enabled }} - name: hubble-ui-client-certs {{- if .Values.hubble.ui.standalone.enabled }} {{- toYaml .Values.hubble.ui.standalone.tls.certsVolume | nindent 8 }} {{- else }} projected: # note: the leading zero means this number is in octal representation: do not remove it defaultMode: 0400 sources: - secret: name: hubble-ui-client-certs items: - key: ca.crt path: hubble-relay-ca.crt - key: tls.crt path: client.crt - key: tls.key path: client.key {{- end }} {{- end }} {{- end }}