Change-Id: If67c32e979b6d03a135072c836ca54ee01c99e66
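{{/*
Copyright 2019 HAProxy Technologies LLC

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}

{{- /*
Controller Deployment, rendered only when .Values.controller.kind is "Deployment".
The four variables declared next cache the host-networking settings that the
pod spec and the container port list consult.
*/}}
{{- if eq .Values.controller.kind "Deployment" }}
{{- $useHostNetwork := .Values.controller.deployment.useHostNetwork -}}
{{- $useHostPort := .Values.controller.deployment.useHostPort -}}
{{- $hostPorts := .Values.controller.deployment.hostPorts -}}
{{- $hostIP := .Values.controller.deployment.hostIP -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "kubernetes-ingress.fullname" . }}
  namespace: {{ include "kubernetes-ingress.namespace" . }}
  {{- with .Values.controller.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    {{- include "kubernetes-ingress.labels" . | nindent 4 }}
    {{- if .Values.controller.extraLabels }}
{{ toYaml .Values.controller.extraLabels | indent 4 }}
    {{- end }}
spec:
  {{- /* replicas is left out when autoscaling or KEDA is enabled, so the field is not set from this template in that case. */}}
  {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }}
  replicas: {{ .Values.controller.replicaCount }}
  {{- end }}
  minReadySeconds: {{ .Values.controller.minReadySeconds }}
  selector:
    matchLabels:
      {{- include "kubernetes-ingress.selectorLabels" . | nindent 6 }}
  {{- with .Values.controller.strategy }}
  strategy:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  template:
    metadata:
      labels:
        {{- include "kubernetes-ingress.selectorLabels" . | nindent 8 }}
        {{- if .Values.controller.podLabels }}
{{ toYaml .Values.controller.podLabels | indent 8 }}
        {{- end }}
      {{- /*
      A string value is passed through tpl, so template expressions inside it are
      evaluated with this chart's context; any other value is serialised as-is.
      The same string-or-structure convention is used further down for lifecycle,
      extraVolumeMounts, extraContainers, extraVolumes and initContainers.
      */}}
      {{- if .Values.controller.podAnnotations }}
      annotations:
      {{- if eq "string" (printf "%T" .Values.controller.podAnnotations) }}
{{ tpl .Values.controller.podAnnotations . | indent 8 }}
      {{- else }}
{{ toYaml .Values.controller.podAnnotations | indent 8 }}
      {{- end }}
      {{- end }}
    spec:
      enableServiceLinks: {{ .Values.controller.enableServiceLinks }}
      serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }}
      {{- /* Emitted only when the key exists under .Values.serviceAccount: an explicit false is rendered, an absent key leaves the field unset. */}}
      {{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }}
      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
      {{- end }}
      terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
      {{- /* With useHostNetwork the pod joins the node's network namespace, so the controller's listeners bind on the node itself. */}}
      {{- if $useHostNetwork }}
      hostNetwork: true
      {{- end }}
      {{- with .Values.controller.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- if .Values.controller.dnsConfig }}
      dnsConfig:
{{ toYaml .Values.controller.dnsConfig | indent 8 }}
      {{- end }}
      dnsPolicy: {{ .Values.controller.dnsPolicy }}
      {{- /* A registry configured under imageCredentials takes precedence over existingImagePullSecret; the pull secret is then named after the release fullname. */}}
      {{- if .Values.controller.imageCredentials.registry }}
      imagePullSecrets:
      - name: {{ include "kubernetes-ingress.fullname" . }}
      {{- else if .Values.controller.existingImagePullSecret }}
      imagePullSecrets:
      - name: {{ .Values.controller.existingImagePullSecret }}
      {{- end }}
      {{- if .Values.controller.priorityClassName }}
      priorityClassName: {{ .Values.controller.priorityClassName }}
      {{- end }}
      {{- if .Values.controller.runtimeClassName }}
      runtimeClassName: {{ .Values.controller.runtimeClassName }}
      {{- end }}
      {{- /*
      Pod-level securityContext is rendered only in unprivileged mode or when
      sysctls are configured; the non-root UID/GID 1000 is set in unprivileged
      mode only.
      */}}
      {{- if or .Values.controller.unprivileged (gt (len (.Values.controller.sysctls | default dict)) 0) }}
      securityContext:
        {{- if .Values.controller.unprivileged }}
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        {{- end }}
        {{ include "kubernetes-ingress.controller.sysctls" . | nindent 8 }}
      {{- end }}
      containers:
        - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }}
          {{- /* The image is referenced by tag, falling back to .Chart.AppVersion; this template reads no digest field. NOTE(review): confirm how operators are expected to pin an immutable image reference. */}}
          image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
          args:
          {{- if .Values.controller.defaultTLSSecret.enabled -}}
          {{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }}
          - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }}
          {{- else }}
          - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }}
          {{- end }}
          {{- end }}
          - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }}
          - --http-bind-port={{ .Values.controller.containerPort.http }}
          - --https-bind-port={{ .Values.controller.containerPort.https }}
          {{- /* QUIC is offered only on Kubernetes >= 1.24 and reuses the HTTPS container port. */}}
          {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
          - --quic-bind-port={{ .Values.controller.containerPort.https }}
          - --quic-announce-port={{ .Values.controller.service.ports.https }}
          {{- end }}
          {{- if .Values.controller.ingressClass }}
          - --ingress.class={{ .Values.controller.ingressClass }}
          {{- end }}
          {{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }}
          - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }}
          {{- end }}
          {{- if .Values.controller.publishService.enabled }}
          - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }}
          {{- end }}
          {{- if .Values.controller.logging.level }}
          - --log={{ .Values.controller.logging.level }}
          {{- end }}
          {{- /*
          enablePorts.admin switches on --pprof together with --prometheus; the two
          cannot be enabled separately from here. NOTE(review): presumably the
          profiling endpoints are served next to the metrics endpoint, so anything
          allowed to scrape metrics could also reach pprof; confirm against the
          controller documentation and restrict access to the admin port accordingly.
          */}}
          {{- if .Values.controller.service.enablePorts.admin }}
          - --prometheus
          - --pprof
          {{- end }}
          {{- if eq .Values.controller.sync.mode "fetch" }}
          {{- if .Values.controller.sync.fetchParams.period }}
          - --proxy-k8s-fetch-period={{ .Values.controller.sync.fetchParams.period }}
          {{- end }}
          {{- if eq .Values.controller.sync.fetchParams.source "k8s" }}
          - --k8s-api-sync-type=k8s
          {{- else if eq .Values.controller.sync.fetchParams.source "proxy" }}
          - --k8s-api-sync-type=proxy
          - --proxy-svc-label-selector={{ .Values.controller.sync.proxyParams.proxySvcLabelSelector }}
          {{- end }}
          {{- end }}
          {{- /* Each extra argument is quoted so that a value containing ": ", " #" or a leading YAML indicator stays a single string item. */}}
          {{- range .Values.controller.extraArgs }}
          - {{ . | quote }}
          {{- end }}
          {{- /*
          Container hardening exists only in unprivileged mode: non-root UID/GID 1000,
          every capability dropped except NET_BIND_SERVICE, and an opt-in
          RuntimeDefault seccomp profile. allowPrivilegeEscalation is taken from
          values as-is. When controller.unprivileged is false, no container
          securityContext is rendered at all.
          */}}
          {{- if .Values.controller.unprivileged }}
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }}
            seccompProfile:
              type: RuntimeDefault
            {{- end }}
          {{- end }}
          ports:
          {{- /* hostPort and hostIP publish a listener directly on the node; hostPort is added per port only when useHostPort is set and a host port is configured for that key. */}}
          {{- range $key, $value := .Values.controller.containerPort }}
            - name: {{ $key }}
              containerPort: {{ $value }}
              protocol: TCP
          {{- if and $useHostPort (index $hostPorts $key) }}
              hostPort: {{ index $hostPorts $key }}
          {{- end }}
          {{- if $hostIP }}
              hostIP: {{ $hostIP }}
          {{- end }}
          {{- end }}
          {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
            - name: quic
              containerPort: {{ .Values.controller.containerPort.https }}
              protocol: UDP
          {{- /* hostPort is skipped when hostPorts.https is unset, matching the guard used for the TCP listeners in the loop before this entry. */}}
          {{- if $useHostPort }}
          {{- with .Values.controller.deployment.hostPorts.https }}
              hostPort: {{ . }}
          {{- end }}
          {{- end }}
          {{- if $hostIP }}
              hostIP: {{ $hostIP }}
          {{- end }}
          {{- end }}
          {{- /* Port names are cut to 15 characters and a trailing "-" left by the cut is removed. */}}
          {{- range .Values.controller.service.tcpPorts }}
            - name: {{ .name | trunc 15 | trimSuffix "-" }}
              containerPort: {{ .targetPort }}
              protocol: TCP
          {{- if $useHostPort }}
              hostPort: {{ .port }}
          {{- end }}
          {{- if $hostIP }}
              hostIP: {{ $hostIP }}
          {{- end }}
          {{- end }}
          {{- with .Values.controller.livenessProbe }}
          livenessProbe:
            {{- toYaml . | trim | nindent 12 }}
          {{- end }}
          {{- with .Values.controller.readinessProbe }}
          readinessProbe:
            {{- toYaml . | trim | nindent 12 }}
          {{- end }}
          {{- with .Values.controller.startupProbe }}
          startupProbe:
            {{- toYaml . | trim | nindent 12 }}
          {{- end }}
          env:
          {{- /* The IAM role ARN is read from the named Secret (key iam_role); the token file path lies inside the read-only product-license mount declared under volumeMounts. */}}
          {{- if .Values.aws.licenseConfigSecretName }}
          - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
            value: "/var/run/secrets/product-license/license_token"
          - name: AWS_ROLE_ARN
            valueFrom:
              secretKeyRef:
                name: {{ .Values.aws.licenseConfigSecretName }}
                key: iam_role
          {{- end }}
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: POD_IP
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
          {{- if .Values.controller.extraEnvs -}}
          {{- toYaml .Values.controller.extraEnvs | nindent 10 }}
          {{- end }}
          {{- with .Values.controller.extraEnvFrom }}
          envFrom:
            {{- toYaml . | trim | nindent 12 }}
          {{- end }}
          resources:
            {{- toYaml .Values.controller.resources | nindent 12 }}
          {{- if .Values.controller.lifecycle }}
          lifecycle:
          {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }}
{{ tpl .Values.controller.lifecycle . | indent 12 }}
          {{- else }}
{{ toYaml .Values.controller.lifecycle | indent 12 }}
          {{- end }}
          {{- end }}
          volumeMounts:
            - name: tmp
              mountPath: /tmp
              subPath: tmp
            - name: tmp
              mountPath: /run
              subPath: run
            {{- if .Values.aws.licenseConfigSecretName }}
            - name: aws-product-license
              readOnly: true
              mountPath: /var/run/secrets/product-license
            {{- end }}
            {{- /* Truthiness is tested instead of len, so a null value renders nothing rather than failing the template. */}}
            {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }}
{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }}
            {{- else if .Values.controller.extraVolumeMounts }}
{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }}
            {{- end }}
        {{- /* extraContainers are inserted verbatim as sibling containers; the container-level securityContext of the controller container is not applied to them. */}}
        {{- if .Values.controller.extraContainers }}
        {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }}
{{ tpl .Values.controller.extraContainers . | indent 8 }}
        {{- else }}
{{ toYaml .Values.controller.extraContainers | indent 8 }}
        {{- end }}
        {{- end }}
      volumes:
        {{- /* tmp backs both /tmp and /run through subPath mounts. On Kubernetes >= 1.21 it is memory-backed and capped at 64Mi; older clusters get a plain emptyDir. */}}
        - name: tmp
          {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }}
          emptyDir:
            medium: Memory
            sizeLimit: 64Mi
          {{- else }}
          emptyDir: {}
          {{- end }}
        {{- /* optional: true lets the pod start even when the license Secret does not exist. */}}
        {{- if .Values.aws.licenseConfigSecretName }}
        - name: aws-product-license
          secret:
            secretName: {{ .Values.aws.licenseConfigSecretName }}
            optional: true
        {{- end }}
        {{- /* Truthiness is tested instead of len, so a null value renders nothing rather than failing the template. */}}
        {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }}
{{ tpl .Values.controller.extraVolumes . | indent 8 }}
        {{- else if .Values.controller.extraVolumes }}
{{ toYaml .Values.controller.extraVolumes | indent 8 }}
        {{- end }}
      {{- /* initContainers are inserted verbatim; the container-level securityContext of the controller container is not applied to them. */}}
      {{- if .Values.controller.initContainers }}
      initContainers:
      {{- if eq "string" (printf "%T" .Values.controller.initContainers) }}
{{ tpl .Values.controller.initContainers . | indent 8 }}
      {{- else }}
{{ toYaml .Values.controller.initContainers | indent 8 }}
      {{- end }}
      {{- end }}
      {{- with .Values.controller.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.controller.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.controller.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
{{- end }}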