# The deployment for running the Connect sidecar injector {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}{{ fail "clients must be enabled for connect injection" }}{{ end }} {{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for connect injection" }}{{ end }} apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "consul.fullname" . }}-connect-injector-webhook-deployment namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} spec: replicas: 1 selector: matchLabels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} release: {{ .Release.Name }} component: connect-injector template: metadata: labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} release: {{ .Release.Name }} component: connect-injector annotations: "consul.hashicorp.com/connect-inject": "false" spec: {{- if not .Values.connectInject.certs.secretName }} serviceAccountName: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account {{- end }} containers: - name: sidecar-injector image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}" env: - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace {{- /* A Consul client and ACL token is only necessary for the connect injector if namespaces are enabled */}} {{- if .Values.global.enableConsulNamespaces }} - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP {{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }} - name: CONSUL_HTTP_TOKEN valueFrom: secretKeyRef: name: {{ .Values.connectInject.aclInjectToken.secretName }} key: {{ .Values.connectInject.aclInjectToken.secretKey }} {{- else if .Values.global.bootstrapACLs }} - name: CONSUL_HTTP_TOKEN valueFrom: secretKeyRef: name: "{{ template "consul.fullname" . }}-connect-inject-acl-token" key: "token" {{- end }} {{- if .Values.global.tls.enabled }} - name: CONSUL_HTTP_ADDR value: https://$(HOST_IP):8501 - name: CONSUL_CACERT value: /consul/tls/ca/tls.crt {{- else }} - name: CONSUL_HTTP_ADDR value: http://$(HOST_IP):8500 {{- end }} {{- end }} command: - "/bin/sh" - "-ec" - | CONSUL_FULLNAME="{{template "consul.fullname" . }}" consul-k8s inject-connect \ -default-inject={{ .Values.connectInject.default }} \ -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \ {{ if .Values.connectInject.imageEnvoy -}} -envoy-image="{{ .Values.connectInject.imageEnvoy }}" \ {{ end -}} -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \ -listen=:8080 \ {{- if .Values.connectInject.overrideAuthMethodName }} -acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \ {{- else if .Values.global.bootstrapACLs }} -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ {{- end }} {{- if .Values.global.tls.enabled }} -consul-ca-cert=/consul/tls/ca/tls.crt \ {{- end }} {{- if .Values.connectInject.centralConfig.enabled }} -enable-central-config=true \ {{- end }} {{- if (and .Values.connectInject.centralConfig.enabled .Values.connectInject.centralConfig.defaultProtocol) }} -default-protocol="{{ .Values.connectInject.centralConfig.defaultProtocol }}" \ {{- end }} {{- range $value := .Values.connectInject.k8sAllowNamespaces }} -allow-k8s-namespace="{{ $value }}" \ {{- end }} {{- range $value := .Values.connectInject.k8sDenyNamespaces }} -deny-k8s-namespace="{{ $value }}" \ {{- end }} {{- if .Values.global.enableConsulNamespaces }} -enable-namespaces=true \ {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ {{- end }} {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} -enable-k8s-namespace-mirroring=true \ {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} -k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ {{- end }} {{- end }} {{- if .Values.global.bootstrapACLs }} -consul-cross-namespace-acl-policy=cross-namespace-policy \ {{- end }} {{- end }} {{- if .Values.connectInject.certs.secretName }} -tls-cert-file=/etc/connect-injector/certs/{{ .Values.connectInject.certs.certName }} \ -tls-key-file=/etc/connect-injector/certs/{{ .Values.connectInject.certs.keyName }} {{- else }} -tls-auto=${CONSUL_FULLNAME}-connect-injector-cfg \ -tls-auto-hosts=${CONSUL_FULLNAME}-connect-injector-svc,${CONSUL_FULLNAME}-connect-injector-svc.${NAMESPACE},${CONSUL_FULLNAME}-connect-injector-svc.${NAMESPACE}.svc {{- end }} livenessProbe: httpGet: path: /health/ready port: 8080 scheme: HTTPS failureThreshold: 2 initialDelaySeconds: 1 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 readinessProbe: httpGet: path: /health/ready port: 8080 scheme: HTTPS failureThreshold: 2 initialDelaySeconds: 2 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 {{- if (or .Values.connectInject.certs.secretName .Values.global.tls.enabled) }} volumeMounts: {{- if .Values.connectInject.certs.secretName }} - name: certs mountPath: /etc/connect-injector/certs readOnly: true {{- end }} {{- if .Values.global.tls.enabled }} - name: consul-ca-cert mountPath: /consul/tls/ca readOnly: true {{- end }} {{- end }} {{- if (or .Values.connectInject.certs.secretName .Values.global.tls.enabled) }} volumes: {{- if .Values.connectInject.certs.secretName }} - name: certs secret: secretName: {{ .Values.connectInject.certs.secretName }} {{- end }} {{- if .Values.global.tls.enabled }} - name: consul-ca-cert secret: {{- if .Values.global.tls.caCert.secretName }} secretName: {{ .Values.global.tls.caCert.secretName }} {{- else }} secretName: {{ template "consul.fullname" . }}-ca-cert {{- end }} items: - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} path: tls.crt {{- end }} {{- end }} {{- if and .Values.global.bootstrapACLs .Values.global.enableConsulNamespaces }} initContainers: - name: injector-acl-init image: {{ .Values.global.imageK8S }} command: - "/bin/sh" - "-ec" - | consul-k8s acl-init \ -secret-name="{{ template "consul.fullname" . }}-connect-inject-acl-token" \ -k8s-namespace={{ .Release.Namespace }} \ -init-type="sync" {{- end }} {{- if .Values.connectInject.nodeSelector }} nodeSelector: {{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }} {{- end }} {{- end }}