2b2b0dd2fa
Uses Values.injector.externalVaultAddr to control the vault address env variable and server yaml rendering. If injector.externalVaultAddr is empty, both the injector and vault are deployed, with the injector using the local vault. If injector.externalVaultAddr is not empty, only the injector is deployed, and it uses the vault at the address specified in injector.externalVaultAddr.
94 lines
3.8 KiB
YAML
94 lines
3.8 KiB
YAML
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
|
|
# Deployment for the injector
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: {{ template "vault.fullname" . }}-agent-injector
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
|
component: webhook
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
component: webhook
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
component: webhook
|
|
spec:
|
|
serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsGroup: {{ .Values.injector.gid | default 1000 }}
|
|
runAsUser: {{ .Values.injector.uid | default 100 }}
|
|
containers:
|
|
- name: sidecar-injector
|
|
{{ template "injector.resources" . }}
|
|
image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
|
|
imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
|
|
env:
|
|
- name: AGENT_INJECT_LISTEN
|
|
value: ":8080"
|
|
- name: AGENT_INJECT_LOG_LEVEL
|
|
value: {{ .Values.injector.logLevel | default "info" }}
|
|
- name: AGENT_INJECT_VAULT_ADDR
|
|
{{- if .Values.injector.externalVaultAddr }}
|
|
value: "{{ .Values.injector.externalVaultAddr }}"
|
|
{{- else }}
|
|
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
|
|
{{- end }}
|
|
- name: AGENT_INJECT_VAULT_IMAGE
|
|
value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
|
|
{{- if .Values.injector.certs.secretName }}
|
|
- name: AGENT_INJECT_TLS_CERT_FILE
|
|
value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}"
|
|
- name: AGENT_INJECT_TLS_KEY_FILE
|
|
value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}"
|
|
{{- else }}
|
|
- name: AGENT_INJECT_TLS_AUTO
|
|
value: {{ template "vault.fullname" . }}-agent-injector-cfg
|
|
- name: AGENT_INJECT_TLS_AUTO_HOSTS
|
|
value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc
|
|
{{- end }}
|
|
args:
|
|
- agent-inject
|
|
- 2>&1
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /health/ready
|
|
port: 8080
|
|
scheme: HTTPS
|
|
failureThreshold: 2
|
|
initialDelaySeconds: 1
|
|
periodSeconds: 2
|
|
successThreshold: 1
|
|
timeoutSeconds: 5
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /health/ready
|
|
port: 8080
|
|
scheme: HTTPS
|
|
failureThreshold: 2
|
|
initialDelaySeconds: 2
|
|
periodSeconds: 2
|
|
successThreshold: 1
|
|
timeoutSeconds: 5
|
|
{{- if .Values.injector.certs.secretName }}
|
|
volumeMounts:
|
|
- name: webhook-certs
|
|
mountPath: /etc/webhook/certs
|
|
readOnly: true
|
|
volumes:
|
|
- name: webhook-certs
|
|
secret:
|
|
secretName: "{{ .Values.injector.certs.secretName }}"
|
|
{{- end }}
|
|
{{ end }}
|