{{- if (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) }}
# clustermesh-apiserver Deployment: one pod that runs a private etcd next to
# the clustermesh-apiserver process. Rendered only when external workloads or
# the clustermesh API server are enabled in values.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: clustermesh-apiserver
  namespace: {{ .Release.Namespace }}
  labels:
    k8s-app: clustermesh-apiserver
spec:
  replicas: {{ .Values.clustermesh.apiserver.replicas }}
  selector:
    matchLabels:
      k8s-app: clustermesh-apiserver
  {{- with .Values.clustermesh.apiserver.updateStrategy }}
  strategy:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  template:
    metadata:
      annotations:
        {{- with .Values.clustermesh.apiserver.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      labels:
        k8s-app: clustermesh-apiserver
        {{- with .Values.clustermesh.apiserver.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      initContainers:
      # Bootstraps etcd authentication on every pod start. A throw-away etcd is
      # started on loopback only (plain HTTP, not reachable outside the pod),
      # the root / externalworkload / remote users are created with random
      # 16-character passwords, roles are granted, auth is enabled and the
      # container exits. The data dir is wiped first and lives in an emptyDir,
      # so kvstore contents and these passwords do not survive a pod restart.
      # Role scope: externalworkload and remote can read the whole keyspace
      # (--from-key ''); only externalworkload can write, and only under the
      # noderegister and .initlock prefixes.
      # HOSTNAME_IP is set here but the script binds to 127.0.0.1 only.
      - name: etcd-init
        image: {{ include "cilium.image" .Values.clustermesh.apiserver.etcd.image | quote }}
        imagePullPolicy: {{ .Values.clustermesh.apiserver.etcd.image.pullPolicy }}
        env:
        - name: ETCDCTL_API
          value: "3"
        - name: HOSTNAME_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        command:
        - /bin/sh
        - "-c"
        args:
        - |
          rm -rf /var/run/etcd/*;
          /usr/local/bin/etcd --data-dir=/var/run/etcd --name=clustermesh-apiserver --listen-client-urls=http://127.0.0.1:2379 --advertise-client-urls=http://127.0.0.1:2379 --initial-cluster-token=clustermesh-apiserver --initial-cluster-state=new --auto-compaction-retention=1 &
          export rootpw=`head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`;
          echo $rootpw | etcdctl --interactive=false user add root;
          etcdctl user grant-role root root;
          export vmpw=`head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`;
          echo $vmpw | etcdctl --interactive=false user add externalworkload;
          etcdctl role add externalworkload;
          etcdctl role grant-permission externalworkload --from-key read '';
          etcdctl role grant-permission externalworkload readwrite --prefix cilium/state/noderegister/v1/;
          etcdctl role grant-permission externalworkload readwrite --prefix cilium/.initlock/;
          etcdctl user grant-role externalworkload externalworkload;
          export remotepw=`head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`;
          echo $remotepw | etcdctl --interactive=false user add remote;
          etcdctl role add remote;
          etcdctl role grant-permission remote --from-key read '';
          etcdctl user grant-role remote remote;
          etcdctl auth enable;
          exit
        volumeMounts:
        - name: etcd-data-dir
          mountPath: /var/run/etcd
      containers:
      # The serving etcd: TLS on loopback and on the pod IP, and every client
      # must present a certificate signed by the mounted CA (--client-cert-auth).
      - name: etcd
        image: {{ include "cilium.image" .Values.clustermesh.apiserver.etcd.image | quote }}
        imagePullPolicy: {{ .Values.clustermesh.apiserver.etcd.image.pullPolicy }}
        env:
        - name: ETCDCTL_API
          value: "3"
        - name: HOSTNAME_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        command:
        - /usr/local/bin/etcd
        args:
        - --data-dir=/var/run/etcd
        - --name=clustermesh-apiserver
        - --client-cert-auth
        - --trusted-ca-file=/var/lib/etcd-secrets/ca.crt
        - --cert-file=/var/lib/etcd-secrets/tls.crt
        - --key-file=/var/lib/etcd-secrets/tls.key
        - --listen-client-urls=https://127.0.0.1:2379,https://$(HOSTNAME_IP):2379
        - --advertise-client-urls=https://$(HOSTNAME_IP):2379
        - --initial-cluster-token=clustermesh-apiserver
        - --auto-compaction-retention=1
        volumeMounts:
        - name: etcd-server-secrets
          mountPath: /var/lib/etcd-secrets
          readOnly: true
        - name: etcd-data-dir
          mountPath: /var/run/etcd
      # The API server talks to the local etcd through the config file under
      # /var/lib/cilium and authenticates with the admin client certificate
      # mounted read-only below (presumably etcd maps the cert identity to an
      # etcd user; confirm against the etcd-config ConfigMap).
      - name: apiserver
        image: {{ include "cilium.image" .Values.clustermesh.apiserver.image | quote }}
        imagePullPolicy: {{ .Values.clustermesh.apiserver.image.pullPolicy }}
        env:
        - name: CLUSTER_NAME
          valueFrom:
            configMapKeyRef:
              name: cilium-config
              key: cluster-name
        - name: CLUSTER_ID
          valueFrom:
            configMapKeyRef:
              name: cilium-config
              key: cluster-id
              optional: true
        - name: IDENTITY_ALLOCATION_MODE
          valueFrom:
            configMapKeyRef:
              name: cilium-config
              key: identity-allocation-mode
        - name: ENABLE_K8S_ENDPOINT_SLICE
          valueFrom:
            configMapKeyRef:
              name: cilium-config
              key: enable-k8s-endpoint-slice
              optional: true
        {{- with .Values.clustermesh.apiserver.extraEnv }}
        {{- toYaml . | trim | nindent 8 }}
        {{- end }}
        command:
        - /usr/bin/clustermesh-apiserver
        args:
        {{- if .Values.debug.enabled }}
        - --debug
        {{- end }}
        - --cluster-name=$(CLUSTER_NAME)
        - --cluster-id=$(CLUSTER_ID)
        - --kvstore-opt
        - etcd.config=/var/lib/cilium/etcd-config.yaml
        {{- with .Values.clustermesh.apiserver.resources }}
        resources:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        volumeMounts:
        - name: etcd-admin-client
          mountPath: /var/lib/cilium/etcd-secrets
          readOnly: true
      restartPolicy: Always
      priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.clustermesh.apiserver.priorityClassName "system-cluster-critical") }}
      serviceAccount: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }}
      serviceAccountName: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }}
      volumes:
      # Both TLS secrets are mounted owner-read-only (0400). defaultMode must
      # stay an integer for the Kubernetes API, and the leading zero makes it
      # octal: do not quote it and do not drop the zero.
      - name: etcd-server-secrets
        secret:
          secretName: clustermesh-apiserver-server-cert
          defaultMode: 0400
      - name: etcd-admin-client
        secret:
          secretName: clustermesh-apiserver-admin-cert
          defaultMode: 0400
      # Ephemeral: nothing in this etcd is meant to outlive the pod.
      - name: etcd-data-dir
        emptyDir: {}
      {{- with .Values.clustermesh.apiserver.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.clustermesh.apiserver.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.clustermesh.apiserver.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
{{- end }}