853cb06842
* Initial commit * Added openshift flag * added self signed certificate for service annotation * added OpenShift flag * Added OpenShift flag * cleanup * Cleanup * Further cleanup * Further cleanup * reverted security context on injector * Extra corrections * cleanup * Removed Raft config for OpenShift, removed generated certs for ha and standby services * Add openshift flag to global block, route disabled by default, condition for injector in network policy * Added Unit tests for OpenShift * Fixed unit test for HA statefulset for OpenShift * Removed debug log level from stateful set * Added port 8201 to networkpolicy * Updated injector image * Add openshift beta support * Add openshift beta support * Remove comments from configs * Remove vault-k8s note from values * Change route to use active service when HA Co-authored-by: Radu Domnu <radu.domnu@sixdx.com> Co-authored-by: Radu Domnu <radu.domnu@gmail.com>
117 lines
4.8 KiB
YAML
117 lines
4.8 KiB
YAML
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
|
|
# Deployment for the injector
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: {{ template "vault.fullname" . }}-agent-injector
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
|
component: webhook
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
component: webhook
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
component: webhook
|
|
spec:
|
|
{{ template "injector.affinity" . }}
|
|
{{ template "injector.tolerations" . }}
|
|
{{ template "injector.nodeselector" . }}
|
|
{{- if .Values.injector.priorityClassName }}
|
|
priorityClassName: {{ .Values.injector.priorityClassName }}
|
|
{{- end }}
|
|
serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
|
|
{{- if not .Values.global.openshift }}
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsGroup: {{ .Values.injector.gid | default 1000 }}
|
|
runAsUser: {{ .Values.injector.uid | default 100 }}
|
|
{{- end }}
|
|
containers:
|
|
- name: sidecar-injector
|
|
{{ template "injector.resources" . }}
|
|
image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
|
|
imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
|
|
env:
|
|
- name: AGENT_INJECT_LISTEN
|
|
value: ":8080"
|
|
- name: AGENT_INJECT_LOG_LEVEL
|
|
value: {{ .Values.injector.logLevel | default "info" }}
|
|
- name: AGENT_INJECT_VAULT_ADDR
|
|
{{- if .Values.injector.externalVaultAddr }}
|
|
value: "{{ .Values.injector.externalVaultAddr }}"
|
|
{{- else }}
|
|
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
|
|
{{- end }}
|
|
- name: AGENT_INJECT_VAULT_AUTH_PATH
|
|
value: {{ .Values.injector.authPath }}
|
|
- name: AGENT_INJECT_VAULT_IMAGE
|
|
value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
|
|
{{- if .Values.injector.certs.secretName }}
|
|
- name: AGENT_INJECT_TLS_CERT_FILE
|
|
value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}"
|
|
- name: AGENT_INJECT_TLS_KEY_FILE
|
|
value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}"
|
|
{{- else }}
|
|
- name: AGENT_INJECT_TLS_AUTO
|
|
value: {{ template "vault.fullname" . }}-agent-injector-cfg
|
|
- name: AGENT_INJECT_TLS_AUTO_HOSTS
|
|
value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc
|
|
{{- end }}
|
|
- name: AGENT_INJECT_LOG_FORMAT
|
|
value: {{ .Values.injector.logFormat | default "standard" }}
|
|
- name: AGENT_INJECT_REVOKE_ON_SHUTDOWN
|
|
value: "{{ .Values.injector.revokeOnShutdown | default false }}"
|
|
{{- if .Values.global.openshift }}
|
|
- name: AGENT_INJECT_SET_SECURITY_CONTEXT
|
|
value: "false"
|
|
{{- end }}
|
|
{{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
|
|
args:
|
|
- agent-inject
|
|
- 2>&1
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /health/ready
|
|
port: 8080
|
|
scheme: HTTPS
|
|
failureThreshold: 2
|
|
initialDelaySeconds: 1
|
|
periodSeconds: 2
|
|
successThreshold: 1
|
|
timeoutSeconds: 5
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /health/ready
|
|
port: 8080
|
|
scheme: HTTPS
|
|
failureThreshold: 2
|
|
initialDelaySeconds: 2
|
|
periodSeconds: 2
|
|
successThreshold: 1
|
|
timeoutSeconds: 5
|
|
{{- if .Values.injector.certs.secretName }}
|
|
volumeMounts:
|
|
- name: webhook-certs
|
|
mountPath: /etc/webhook/certs
|
|
readOnly: true
|
|
volumes:
|
|
- name: webhook-certs
|
|
secret:
|
|
secretName: "{{ .Values.injector.certs.secretName }}"
|
|
{{- end }}
|
|
{{- if .Values.global.imagePullSecrets }}
|
|
imagePullSecrets:
|
|
{{- toYaml .Values.global.imagePullSecrets | nindent 8 }}
|
|
{{- end }}
|
|
{{ end }}
|