142 lines
3.6 KiB
YAML
142 lines
3.6 KiB
YAML
---
|
|
{{- if .Values.serviceAccount.create -}}
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: {{ include "oam-core-resources.serviceAccountName" . }}
|
|
labels:
|
|
{{ include "oam-core-resources.labels" . | nindent 4 }}
|
|
{{- end }}
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: manager-rolebinding
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: "cluster-admin"
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ include "oam-core-resources.serviceAccountName" . }}
|
|
namespace: {{ .Release.Namespace }}
|
|
|
|
---
|
|
# permissions to do leader election.
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: leader-election-role
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- configmaps
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- create
|
|
- update
|
|
- patch
|
|
- delete
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- configmaps/status
|
|
verbs:
|
|
- get
|
|
- update
|
|
- patch
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- events
|
|
verbs:
|
|
- create
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: leader-election-rolebinding
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: leader-election-role
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ include "oam-core-resources.serviceAccountName" . }}
|
|
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: {{ include "oam-core-resources.fullname" . }}
|
|
labels:
|
|
{{- include "oam-core-resources.labels" . | nindent 4 }}
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
{{- include "oam-core-resources.selectorLabels" . | nindent 6 }}
|
|
replicas: {{ .Values.replicaCount }}
|
|
template:
|
|
metadata:
|
|
labels:
|
|
{{- include "oam-core-resources.selectorLabels" . | nindent 8 }}
|
|
spec:
|
|
serviceAccountName: {{ include "oam-core-resources.serviceAccountName" . }}
|
|
securityContext:
|
|
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
|
containers:
|
|
- name: {{ .Release.Name }}
|
|
securityContext:
|
|
{{- toYaml .Values.securityContext | nindent 12 }}
|
|
args:
|
|
- "--metrics-addr=:8080"
|
|
- "--enable-leader-election"
|
|
- {{ include "oam-core-resources.use-webhook" . | quote }}
|
|
image: {{ .Values.image.repository }}
|
|
imagePullPolicy: {{ quote .Values.image.pullPolicy }}
|
|
resources:
|
|
{{- toYaml .Values.resources | nindent 12 }}
|
|
{{ if .Values.useWebhook }}
|
|
ports:
|
|
- containerPort: 9443
|
|
name: webhook-server
|
|
protocol: TCP
|
|
volumeMounts:
|
|
- mountPath: {{ .Values.certificate.mountPath }}
|
|
name: tls-cert
|
|
readOnly: true
|
|
{{ end }}
|
|
- name: kube-rbac-proxy
|
|
image: jimmysong/kubebuilder-kube-rbac-proxy:v0.4.1
|
|
args:
|
|
- "--secure-listen-address=0.0.0.0:8443"
|
|
- "--upstream=http://127.0.0.1:8080/"
|
|
- "--logtostderr=true"
|
|
- "--v=10"
|
|
ports:
|
|
- containerPort: 8443
|
|
name: https
|
|
volumes:
|
|
- name: tls-cert
|
|
secret:
|
|
defaultMode: 420
|
|
secretName: {{ .Values.certificate.secretName | quote }}
|
|
terminationGracePeriodSeconds: 10
|
|
{{- with .Values.nodeSelector }}
|
|
nodeSelector:
|
|
{{ toYaml . | indent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.affinity }}
|
|
affinity:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.tolerations }}
|
|
tolerations:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|