mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-29 01:16:12 -05:00
189 lines
6.5 KiB
YAML
189 lines
6.5 KiB
YAML
{{- if .Values.preflight.enabled }}
|
|
apiVersion: apps/v1
|
|
kind: DaemonSet
|
|
metadata:
|
|
name: cilium-pre-flight-check
|
|
namespace: {{ .Release.Namespace }}
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
k8s-app: cilium-pre-flight-check
|
|
kubernetes.io/cluster-service: "true"
|
|
template:
|
|
metadata:
|
|
{{- with .Values.preflight.podAnnotations }}
|
|
annotations:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
labels:
|
|
k8s-app: cilium-pre-flight-check
|
|
kubernetes.io/cluster-service: "true"
|
|
{{- with .Values.preflight.podLabels }}
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
spec:
|
|
{{- with .Values.imagePullSecrets }}
|
|
imagePullSecrets:
|
|
{{- toYaml . | nindent 6 }}
|
|
{{- end }}
|
|
initContainers:
|
|
- name: clean-cilium-state
|
|
image: {{ include "cilium.image" .Values.preflight.image | quote }}
|
|
imagePullPolicy: {{ .Values.preflight.image.pullPolicy }}
|
|
command: ["/bin/echo"]
|
|
args:
|
|
- "hello"
|
|
containers:
|
|
- name: cilium-pre-flight-check
|
|
image: {{ include "cilium.image" .Values.preflight.image | quote }}
|
|
imagePullPolicy: {{ .Values.preflight.image.pullPolicy }}
|
|
command: ["/bin/sh"]
|
|
args:
|
|
- -c
|
|
- "touch /tmp/ready; sleep 1h"
|
|
livenessProbe:
|
|
exec:
|
|
command:
|
|
- cat
|
|
- /tmp/ready
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 5
|
|
readinessProbe:
|
|
exec:
|
|
command:
|
|
- cat
|
|
- /tmp/ready
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 5
|
|
{{- with .Values.preflight.extraEnv }}
|
|
env:
|
|
{{- toYaml . | trim | nindent 12 }}
|
|
{{- end }}
|
|
volumeMounts:
|
|
- name: cilium-run
|
|
mountPath: /var/run/cilium
|
|
{{- if .Values.etcd.enabled }}
|
|
- name: etcd-config-path
|
|
mountPath: /var/lib/etcd-config
|
|
readOnly: true
|
|
{{- if or .Values.etcd.ssl .Values.etcd.managed }}
|
|
- name: etcd-secrets
|
|
mountPath: /var/lib/etcd-secrets
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .Values.preflight.resources }}
|
|
resources:
|
|
{{- toYaml . | trim | nindent 12 }}
|
|
{{- end }}
|
|
{{- with .Values.preflight.securityContext }}
|
|
securityContext:
|
|
{{- toYaml . | trim | nindent 14 }}
|
|
{{- end }}
|
|
{{- if ne .Values.preflight.tofqdnsPreCache "" }}
|
|
- name: cilium-pre-flight-fqdn-precache
|
|
image: {{ include "cilium.image" .Values.preflight.image | quote }}
|
|
imagePullPolicy: {{ .Values.preflight.image.pullPolicy }}
|
|
name: cilium-pre-flight-fqdn-precache
|
|
command: ["/bin/sh"]
|
|
args:
|
|
- -ec
|
|
- |
|
|
cilium preflight fqdn-poller --tofqdns-pre-cache {{ .Values.preflight.tofqdnsPreCache }};
|
|
touch /tmp/ready-tofqdns-precache;
|
|
livenessProbe:
|
|
exec:
|
|
command:
|
|
- cat
|
|
- /tmp/read-tofqdns-precachey
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 5
|
|
readinessProbe:
|
|
exec:
|
|
command:
|
|
- cat
|
|
- /tmp/read-tofqdns-precachey
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 5
|
|
env:
|
|
{{- if .Values.k8sServiceHost }}
|
|
- name: KUBERNETES_SERVICE_HOST
|
|
value: {{ .Values.k8sServiceHost | quote }}
|
|
{{- end }}
|
|
{{- if .Values.k8sServicePort }}
|
|
- name: KUBERNETES_SERVICE_PORT
|
|
value: {{ .Values.k8sServicePort | quote }}
|
|
{{- end }}
|
|
volumeMounts:
|
|
- name: cilium-run
|
|
mountPath: /var/run/cilium
|
|
{{- if .Values.etcd.enabled }}
|
|
- name: etcd-config-path
|
|
mountPath: /var/lib/etcd-config
|
|
readOnly: true
|
|
{{- if or .Values.etcd.ssl .Values.etcd.managed }}
|
|
- name: etcd-secrets
|
|
mountPath: /var/lib/etcd-secrets
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .Values.preflight.extraEnv }}
|
|
{{- toYaml . | trim | nindent 10 }}
|
|
{{- end }}
|
|
{{- with .Values.preflight.resources }}
|
|
resources:
|
|
{{- toYaml . | trim | nindent 12 }}
|
|
{{- end }}
|
|
{{- with .Values.preflight.securityContext }}
|
|
securityContext:
|
|
{{- toYaml . | trim | nindent 14 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
hostNetwork: true
|
|
# This is here to seamlessly allow migrate-identity to work with
|
|
# etcd-operator setups. The assumption is that other cases would also
|
|
# work since the cluster DNS would forward the request on.
|
|
# This differs from the cilium-agent daemonset, where this is only
|
|
# enabled when etcd.managed=true
|
|
dnsPolicy: ClusterFirstWithHostNet
|
|
restartPolicy: Always
|
|
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.preflight.priorityClassName "system-node-critical") }}
|
|
serviceAccount: {{ .Values.serviceAccounts.preflight.name | quote }}
|
|
serviceAccountName: {{ .Values.serviceAccounts.preflight.name | quote }}
|
|
terminationGracePeriodSeconds: {{ .Values.preflight.terminationGracePeriodSeconds }}
|
|
{{- with .Values.preflight.tolerations }}
|
|
tolerations:
|
|
{{- toYaml . | trim | nindent 8 }}
|
|
{{- end }}
|
|
volumes:
|
|
# To keep state between restarts / upgrades
|
|
- name: cilium-run
|
|
hostPath:
|
|
path: /var/run/cilium
|
|
type: DirectoryOrCreate
|
|
- name: bpf-maps
|
|
hostPath:
|
|
path: /sys/fs/bpf
|
|
type: DirectoryOrCreate
|
|
{{- if .Values.etcd.enabled }}
|
|
# To read the etcd config stored in config maps
|
|
- name: etcd-config-path
|
|
configMap:
|
|
name: cilium-config
|
|
# note: the leading zero means this number is in octal representation: do not remove it
|
|
defaultMode: 0400
|
|
items:
|
|
- key: etcd-config
|
|
path: etcd.config
|
|
# To read the k8s etcd secrets in case the user might want to use TLS
|
|
{{- if or .Values.etcd.ssl .Values.etcd.managed }}
|
|
- name: etcd-secrets
|
|
secret:
|
|
secretName: cilium-etcd-secrets
|
|
# note: the leading zero means this number is in octal representation: do not remove it
|
|
defaultMode: 0400
|
|
optional: true
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|