mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-06 05:08:03 -05:00
bdd9dd922b
* Only deploy operators on GCP/Azure. * cert-manager is now deployed by default (GCP/Azure) * remove OLM
173 lines
6.6 KiB
YAML
173 lines
6.6 KiB
YAML
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: {{ include "webhook.fullname" . }}
|
|
namespace: {{ include "cert-manager.namespace" . }}
|
|
labels:
|
|
app: {{ include "webhook.name" . }}
|
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "webhook"
|
|
{{- include "labels" . | nindent 4 }}
|
|
{{- with .Values.webhook.deploymentAnnotations }}
|
|
annotations:
|
|
{{- toYaml . | nindent 4 }}
|
|
{{- end }}
|
|
spec:
|
|
replicas: {{ .Values.webhook.replicaCount }}
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "webhook"
|
|
{{- with .Values.webhook.strategy }}
|
|
strategy:
|
|
{{- toYaml . | nindent 4 }}
|
|
{{- end }}
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: {{ include "webhook.name" . }}
|
|
app.kubernetes.io/name: {{ include "webhook.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/component: "webhook"
|
|
{{- include "labels" . | nindent 8 }}
|
|
{{- with .Values.webhook.podLabels }}
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.webhook.podAnnotations }}
|
|
annotations:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
spec:
|
|
serviceAccountName: {{ template "webhook.serviceAccountName" . }}
|
|
{{- if hasKey .Values.webhook "automountServiceAccountToken" }}
|
|
automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
|
|
{{- end }}
|
|
{{- with .Values.global.priorityClassName }}
|
|
priorityClassName: {{ . | quote }}
|
|
{{- end }}
|
|
{{- with .Values.webhook.securityContext }}
|
|
securityContext:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.webhook.hostNetwork }}
|
|
hostNetwork: true
|
|
{{- end }}
|
|
containers:
|
|
- name: {{ .Chart.Name }}-webhook
|
|
{{- with .Values.webhook.image }}
|
|
image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
|
|
{{- end }}
|
|
imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
|
|
args:
|
|
{{- if .Values.global.logLevel }}
|
|
- --v={{ .Values.global.logLevel }}
|
|
{{- end }}
|
|
{{- if .Values.webhook.config }}
|
|
- --config=/var/cert-manager/config/config.yaml
|
|
{{- end }}
|
|
{{- $config := default .Values.webhook.config "" }}
|
|
{{ if not $config.securePort -}}
|
|
- --secure-port={{ .Values.webhook.securePort }}
|
|
{{- end }}
|
|
{{- $tlsConfig := default $config.tlsConfig "" }}
|
|
{{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
|
|
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
|
|
- --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca
|
|
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}
|
|
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE)
|
|
- --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE).svc
|
|
{{ if .Values.webhook.url.host }}
|
|
- --dynamic-serving-dns-names={{ .Values.webhook.url.host }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .Values.webhook.extraArgs }}
|
|
{{- toYaml . | nindent 10 }}
|
|
{{- end }}
|
|
ports:
|
|
- name: https
|
|
protocol: TCP
|
|
{{- if $config.securePort }}
|
|
containerPort: {{ $config.securePort }}
|
|
{{- else if .Values.webhook.securePort }}
|
|
containerPort: {{ .Values.webhook.securePort }}
|
|
{{- else }}
|
|
containerPort: 6443
|
|
{{- end }}
|
|
- name: healthcheck
|
|
protocol: TCP
|
|
{{- if $config.healthzPort }}
|
|
containerPort: {{ $config.healthzPort }}
|
|
{{- else }}
|
|
containerPort: 6080
|
|
{{- end }}
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /livez
|
|
{{- if $config.healthzPort }}
|
|
port: {{ $config.healthzPort }}
|
|
{{- else }}
|
|
port: 6080
|
|
{{- end }}
|
|
scheme: HTTP
|
|
initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
|
|
periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }}
|
|
timeoutSeconds: {{ .Values.webhook.livenessProbe.timeoutSeconds }}
|
|
successThreshold: {{ .Values.webhook.livenessProbe.successThreshold }}
|
|
failureThreshold: {{ .Values.webhook.livenessProbe.failureThreshold }}
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /healthz
|
|
{{- if $config.healthzPort }}
|
|
port: {{ $config.healthzPort }}
|
|
{{- else }}
|
|
port: 6080
|
|
{{- end }}
|
|
scheme: HTTP
|
|
initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
|
|
periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }}
|
|
timeoutSeconds: {{ .Values.webhook.readinessProbe.timeoutSeconds }}
|
|
successThreshold: {{ .Values.webhook.readinessProbe.successThreshold }}
|
|
failureThreshold: {{ .Values.webhook.readinessProbe.failureThreshold }}
|
|
{{- with .Values.webhook.containerSecurityContext }}
|
|
securityContext:
|
|
{{- toYaml . | nindent 12 }}
|
|
{{- end }}
|
|
env:
|
|
- name: POD_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
{{- with .Values.webhook.resources }}
|
|
resources:
|
|
{{- toYaml . | nindent 12 }}
|
|
{{- end }}
|
|
{{- if .Values.webhook.config }}
|
|
volumeMounts:
|
|
- name: config
|
|
mountPath: /var/cert-manager/config
|
|
{{- end }}
|
|
{{- with .Values.webhook.nodeSelector }}
|
|
nodeSelector:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.webhook.affinity }}
|
|
affinity:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.webhook.tolerations }}
|
|
tolerations:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.webhook.topologySpreadConstraints }}
|
|
topologySpreadConstraints:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.webhook.config }}
|
|
volumes:
|
|
- name: config
|
|
configMap:
|
|
name: {{ include "webhook.fullname" . }}
|
|
{{- end }}
|