mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-18 19:31:43 -05:00
968cdc1a38
* cli: move internal packages Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * cli: fix buildfiles Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * bazel: fix exclude dir Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * cli: move back libraries that will not be used by TF provider Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --------- Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
266 lines
9.8 KiB
YAML
266 lines
9.8 KiB
YAML
{{- if and .Values.envoy.enabled (not .Values.preflight.enabled) }}
|
|
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: DaemonSet
|
|
metadata:
|
|
name: cilium-envoy
|
|
namespace: {{ .Release.Namespace }}
|
|
{{- with .Values.envoy.annotations }}
|
|
annotations:
|
|
{{- toYaml . | nindent 4 }}
|
|
{{- end }}
|
|
labels:
|
|
k8s-app: cilium-envoy
|
|
app.kubernetes.io/part-of: cilium
|
|
app.kubernetes.io/name: cilium-envoy
|
|
name: cilium-envoy
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
k8s-app: cilium-envoy
|
|
{{- with .Values.envoy.updateStrategy }}
|
|
updateStrategy:
|
|
{{- toYaml . | trim | nindent 4 }}
|
|
{{- end }}
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
{{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled (not .Values.envoy.prometheus.serviceMonitor.enabled) }}
|
|
prometheus.io/port: "{{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}"
|
|
prometheus.io/scrape: "true"
|
|
{{- end }}
|
|
{{- if .Values.envoy.rollOutPods }}
|
|
# ensure pods roll when configmap updates
|
|
cilium.io/cilium-envoy-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-envoy/configmap.yaml") . | sha256sum | quote }}
|
|
{{- end }}
|
|
{{- if not .Values.envoy.securityContext.privileged }}
|
|
# Set app AppArmor's profile to "unconfined". The value of this annotation
|
|
# can be modified as long users know which profiles they have available
|
|
# in AppArmor.
|
|
container.apparmor.security.beta.kubernetes.io/cilium-envoy: "unconfined"
|
|
{{- end }}
|
|
{{- with .Values.envoy.podAnnotations }}
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
labels:
|
|
k8s-app: cilium-envoy
|
|
name: cilium-envoy
|
|
app.kubernetes.io/name: cilium-envoy
|
|
app.kubernetes.io/part-of: cilium
|
|
{{- with .Values.envoy.podLabels }}
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
spec:
|
|
{{- with .Values.imagePullSecrets }}
|
|
imagePullSecrets:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.envoy.podSecurityContext }}
|
|
securityContext:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
containers:
|
|
- name: cilium-envoy
|
|
image: {{ include "cilium.image" .Values.envoy.image | quote }}
|
|
imagePullPolicy: {{ .Values.envoy.image.pullPolicy }}
|
|
command:
|
|
- /usr/bin/cilium-envoy-starter
|
|
args:
|
|
- '-c /var/run/cilium/envoy/bootstrap-config.json'
|
|
- '--base-id 0'
|
|
{{- if and (.Values.debug.enabled) (hasKey .Values.debug "verbose") (.Values.debug.verbose) (has "envoy" ( splitList " " .Values.debug.verbose )) }}
|
|
- '--log-level trace'
|
|
{{- else if and (.Values.debug.enabled) (hasKey .Values.debug "verbose") (.Values.debug.verbose) (has "flow" ( splitList " " .Values.debug.verbose )) }}
|
|
- '--log-level debug'
|
|
{{- else }}
|
|
- '--log-level info'
|
|
{{- end }}
|
|
- '--log-format {{ .Values.envoy.log.format }}'
|
|
{{- if .Values.envoy.log.path }}
|
|
- '--log-path {{ .Values.envoy.log.path }}'
|
|
{{- end }}
|
|
{{- with .Values.envoy.extraArgs }}
|
|
{{- toYaml . | trim | nindent 8 }}
|
|
{{- end }}
|
|
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
|
|
startupProbe:
|
|
httpGet:
|
|
host: "localhost"
|
|
path: /healthz
|
|
port: {{ .Values.envoy.healthPort }}
|
|
scheme: HTTP
|
|
failureThreshold: {{ .Values.envoy.startupProbe.failureThreshold }}
|
|
periodSeconds: {{ .Values.envoy.startupProbe.periodSeconds }}
|
|
successThreshold: 1
|
|
{{- end }}
|
|
livenessProbe:
|
|
httpGet:
|
|
host: "localhost"
|
|
path: /healthz
|
|
port: {{ .Values.envoy.healthPort }}
|
|
scheme: HTTP
|
|
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
|
|
# The initial delay for the liveness probe is intentionally large to
|
|
# avoid an endless kill & restart cycle if in the event that the initial
|
|
# bootstrapping takes longer than expected.
|
|
# Starting from Kubernetes 1.20, we are using startupProbe instead
|
|
# of this field.
|
|
initialDelaySeconds: 120
|
|
{{- end }}
|
|
periodSeconds: {{ .Values.envoy.livenessProbe.periodSeconds }}
|
|
successThreshold: 1
|
|
failureThreshold: {{ .Values.envoy.livenessProbe.failureThreshold }}
|
|
timeoutSeconds: 5
|
|
readinessProbe:
|
|
httpGet:
|
|
host: "localhost"
|
|
path: /healthz
|
|
port: {{ .Values.envoy.healthPort }}
|
|
scheme: HTTP
|
|
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
|
|
initialDelaySeconds: 5
|
|
{{- end }}
|
|
periodSeconds: {{ .Values.envoy.readinessProbe.periodSeconds }}
|
|
successThreshold: 1
|
|
failureThreshold: {{ .Values.envoy.readinessProbe.failureThreshold }}
|
|
timeoutSeconds: 5
|
|
env:
|
|
- name: K8S_NODE_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
apiVersion: v1
|
|
fieldPath: spec.nodeName
|
|
- name: CILIUM_K8S_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
apiVersion: v1
|
|
fieldPath: metadata.namespace
|
|
{{- if .Values.k8sServiceHost }}
|
|
- name: KUBERNETES_SERVICE_HOST
|
|
value: {{ .Values.k8sServiceHost | quote }}
|
|
{{- end }}
|
|
{{- if .Values.k8sServicePort }}
|
|
- name: KUBERNETES_SERVICE_PORT
|
|
value: {{ .Values.k8sServicePort | quote }}
|
|
{{- end }}
|
|
{{- with .Values.envoy.extraEnv }}
|
|
{{- toYaml . | trim | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.envoy.resources }}
|
|
resources:
|
|
{{- toYaml . | trim | nindent 10 }}
|
|
{{- end }}
|
|
{{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled }}
|
|
ports:
|
|
- name: envoy-metrics
|
|
containerPort: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
|
|
hostPort: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
|
|
protocol: TCP
|
|
{{- end }}
|
|
securityContext:
|
|
{{- if .Values.envoy.securityContext.privileged }}
|
|
privileged: true
|
|
{{- else }}
|
|
seLinuxOptions:
|
|
{{- with .Values.envoy.securityContext.seLinuxOptions }}
|
|
{{- toYaml . | nindent 12 }}
|
|
{{- end }}
|
|
capabilities:
|
|
add:
|
|
{{- with .Values.envoy.securityContext.capabilities.envoy }}
|
|
{{- toYaml . | nindent 14 }}
|
|
{{- end }}
|
|
drop:
|
|
- ALL
|
|
{{- end }}
|
|
terminationMessagePolicy: FallbackToLogsOnError
|
|
volumeMounts:
|
|
- name: envoy-sockets
|
|
mountPath: /var/run/cilium/envoy/sockets
|
|
readOnly: false
|
|
- name: envoy-artifacts
|
|
mountPath: /var/run/cilium/envoy/artifacts
|
|
readOnly: true
|
|
- name: envoy-config
|
|
mountPath: /var/run/cilium/envoy/
|
|
readOnly: true
|
|
{{- if .Values.bpf.autoMount.enabled }}
|
|
- name: bpf-maps
|
|
mountPath: /sys/fs/bpf
|
|
mountPropagation: HostToContainer
|
|
{{- end }}
|
|
{{- range .Values.envoy.extraHostPathMounts }}
|
|
- name: {{ .name }}
|
|
mountPath: {{ .mountPath }}
|
|
readOnly: {{ .readOnly }}
|
|
{{- if .mountPropagation }}
|
|
mountPropagation: {{ .mountPropagation }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .Values.envoy.extraVolumeMounts }}
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.envoy.extraContainers }}
|
|
{{- toYaml .Values.envoy.extraContainers | nindent 6 }}
|
|
{{- end }}
|
|
restartPolicy: Always
|
|
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.envoy.priorityClassName "system-node-critical") }}
|
|
serviceAccount: {{ .Values.serviceAccounts.envoy.name | quote }}
|
|
serviceAccountName: {{ .Values.serviceAccounts.envoy.name | quote }}
|
|
automountServiceAccountToken: {{ .Values.serviceAccounts.envoy.automount }}
|
|
terminationGracePeriodSeconds: {{ .Values.envoy.terminationGracePeriodSeconds }}
|
|
hostNetwork: true
|
|
{{- if .Values.envoy.dnsPolicy }}
|
|
dnsPolicy: {{ .Values.envoy.dnsPolicy }}
|
|
{{- end }}
|
|
{{- with .Values.envoy.affinity }}
|
|
affinity:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.envoy.nodeSelector }}
|
|
nodeSelector:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.envoy.tolerations }}
|
|
tolerations:
|
|
{{- toYaml . | trim | nindent 8 }}
|
|
{{- end }}
|
|
volumes:
|
|
- name: envoy-sockets
|
|
hostPath:
|
|
path: "{{ .Values.daemon.runPath }}/envoy/sockets"
|
|
type: DirectoryOrCreate
|
|
- name: envoy-artifacts
|
|
hostPath:
|
|
path: "{{ .Values.daemon.runPath }}/envoy/artifacts"
|
|
type: DirectoryOrCreate
|
|
- name: envoy-config
|
|
configMap:
|
|
name: cilium-envoy-config
|
|
# note: the leading zero means this number is in octal representation: do not remove it
|
|
defaultMode: 0400
|
|
items:
|
|
- key: bootstrap-config.json
|
|
path: bootstrap-config.json
|
|
# To keep state between restarts / upgrades
|
|
{{- if and .Values.bpf.autoMount.enabled }}
|
|
# To keep state between restarts / upgrades for bpf maps
|
|
- name: bpf-maps
|
|
hostPath:
|
|
path: /sys/fs/bpf
|
|
type: DirectoryOrCreate
|
|
{{- end }}
|
|
{{- range .Values.envoy.extraHostPathMounts }}
|
|
- name: {{ .name }}
|
|
hostPath:
|
|
path: {{ .hostPath }}
|
|
{{- if .hostPathType }}
|
|
type: {{ .hostPathType }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .Values.envoy.extraVolumes }}
|
|
{{- toYaml . | nindent 6 }}
|
|
{{- end }}
|
|
{{- end }}
|