mirror of
https://github.com/bvanroll/cicdTest.git
synced 2025-08-29 12:02:47 +00:00
205 lines
8.1 KiB
YAML
205 lines
8.1 KiB
YAML
{{- if .Values.meshGateway.enabled }}
|
|
{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}}
|
|
{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true" }}{{ end -}}
|
|
{{- /* The below test checks if clients are disabled (and if so, fails). We use the conditional from other client files and prepend 'not' */ -}}
|
|
{{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}{{ fail "clients must be enabled" }}{{ end -}}
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: {{ template "consul.fullname" . }}-mesh-gateway
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
app: {{ template "consul.name" . }}
|
|
chart: {{ template "consul.chart" . }}
|
|
heritage: {{ .Release.Service }}
|
|
release: {{ .Release.Name }}
|
|
component: mesh-gateway
|
|
spec:
|
|
replicas: {{ .Values.meshGateway.replicas }}
|
|
selector:
|
|
matchLabels:
|
|
app: {{ template "consul.name" . }}
|
|
chart: {{ template "consul.chart" . }}
|
|
release: {{ .Release.Name }}
|
|
component: mesh-gateway
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: {{ template "consul.name" . }}
|
|
chart: {{ template "consul.chart" . }}
|
|
release: {{ .Release.Name }}
|
|
component: mesh-gateway
|
|
annotations:
|
|
"consul.hashicorp.com/connect-inject": "false"
|
|
{{- if .Values.meshGateway.annotations }}
|
|
{{- tpl .Values.meshGateway.annotations . | nindent 8 }}
|
|
{{- end }}
|
|
spec:
|
|
{{- if .Values.meshGateway.affinity }}
|
|
affinity:
|
|
{{ tpl .Values.meshGateway.affinity . | nindent 8 | trim }}
|
|
{{- end }}
|
|
{{- if .Values.meshGateway.tolerations }}
|
|
tolerations:
|
|
{{ tpl .Values.meshGateway.tolerations . | nindent 8 | trim }}
|
|
{{- end }}
|
|
terminationGracePeriodSeconds: 10
|
|
serviceAccountName: {{ template "consul.fullname" . }}-mesh-gateway
|
|
volumes:
|
|
- name: consul-bin
|
|
emptyDir: {}
|
|
{{- if .Values.global.tls.enabled }}
|
|
- name: consul-ca-cert
|
|
secret:
|
|
{{- if .Values.global.tls.caCert.secretName }}
|
|
secretName: {{ .Values.global.tls.caCert.secretName }}
|
|
{{- else }}
|
|
secretName: {{ template "consul.fullname" . }}-ca-cert
|
|
{{- end }}
|
|
items:
|
|
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
|
|
path: tls.crt
|
|
{{- end }}
|
|
{{- if .Values.meshGateway.hostNetwork }}
|
|
hostNetwork: {{ .Values.meshGateway.hostNetwork }}
|
|
{{- end }}
|
|
{{- if .Values.meshGateway.dnsPolicy }}
|
|
dnsPolicy: {{ .Values.meshGateway.dnsPolicy }}
|
|
{{- end }}
|
|
initContainers:
|
|
# We use the Envoy image as our base image so we use an init container to
|
|
# copy the Consul binary to a shared directory that can be used when
|
|
# starting Envoy.
|
|
- name: copy-consul-bin
|
|
image: {{ .Values.global.image | quote }}
|
|
command:
|
|
- cp
|
|
- /bin/consul
|
|
- /consul-bin/consul
|
|
volumeMounts:
|
|
- name: consul-bin
|
|
mountPath: /consul-bin
|
|
{{- if .Values.global.bootstrapACLs }}
|
|
# Wait for secret containing acl token to be ready.
|
|
# Doesn't do anything with it but when the main container starts we
|
|
# know that it's been created.
|
|
- name: mesh-gateway-acl-init
|
|
image: {{ .Values.global.imageK8S }}
|
|
command:
|
|
- "/bin/sh"
|
|
- "-ec"
|
|
- |
|
|
consul-k8s acl-init \
|
|
-secret-name="{{ template "consul.fullname" . }}-mesh-gateway-acl-token" \
|
|
-k8s-namespace={{ .Release.Namespace }} \
|
|
-init-type="sync"
|
|
{{- end }}
|
|
containers:
|
|
- name: mesh-gateway
|
|
image: {{ .Values.meshGateway.imageEnvoy | quote }}
|
|
{{- if .Values.meshGateway.resources }}
|
|
resources:
|
|
{{ tpl .Values.meshGateway.resources . | nindent 12 | trim }}
|
|
{{- end }}
|
|
volumeMounts:
|
|
- name: consul-bin
|
|
mountPath: /consul-bin
|
|
{{- if .Values.global.tls.enabled }}
|
|
- name: consul-ca-cert
|
|
mountPath: /consul/tls/ca
|
|
readOnly: true
|
|
{{- end }}
|
|
env:
|
|
- name: HOST_IP
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: status.hostIP
|
|
- name: POD_IP
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: status.podIP
|
|
{{- if .Values.meshGateway.wanAddress.useNodeName }}
|
|
- name: NODE_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
{{- end }}
|
|
{{- if .Values.global.bootstrapACLs }}
|
|
- name: CONSUL_HTTP_TOKEN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: "{{ template "consul.fullname" . }}-mesh-gateway-acl-token"
|
|
key: "token"
|
|
{{- end}}
|
|
{{- if .Values.global.tls.enabled }}
|
|
- name: CONSUL_HTTP_ADDR
|
|
value: https://$(HOST_IP):8501
|
|
- name: CONSUL_GRPC_ADDR
|
|
value: https://$(HOST_IP):8502
|
|
- name: CONSUL_CACERT
|
|
value: /consul/tls/ca/tls.crt
|
|
{{- else }}
|
|
- name: CONSUL_HTTP_ADDR
|
|
value: http://$(HOST_IP):8500
|
|
- name: CONSUL_GRPC_ADDR
|
|
value: $(HOST_IP):8502
|
|
{{- end }}
|
|
command:
|
|
# /bin/sh -c is needed so we can use the pod-specific environment
|
|
# variables.
|
|
- "/bin/sh"
|
|
- "-ec"
|
|
- |
|
|
exec /consul-bin/consul connect envoy \
|
|
-mesh-gateway \
|
|
-register \
|
|
-address="${POD_IP}:{{ .Values.meshGateway.containerPort }}" \
|
|
{{- if .Values.meshGateway.wanAddress.host }}
|
|
-wan-address="{{ .Values.meshGateway.wanAddress.host }}:{{ .Values.meshGateway.wanAddress.port }}" \
|
|
{{- else if .Values.meshGateway.wanAddress.useNodeName }}
|
|
-wan-address="${NODE_NAME}:{{ .Values.meshGateway.wanAddress.port }}" \
|
|
{{- else if .Values.meshGateway.wanAddress.useNodeIP }}
|
|
-wan-address="${HOST_IP}:{{ .Values.meshGateway.wanAddress.port }}" \
|
|
{{- end }}
|
|
{{- if and .Values.meshGateway.consulServiceName }}
|
|
{{- if and .Values.global.bootstrapACLs (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.bootstrapACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end }}
|
|
-service={{ .Values.meshGateway.consulServiceName | quote }} \
|
|
{{- end }}
|
|
{{- if .Values.meshGateway.enableHealthChecks }}
|
|
livenessProbe:
|
|
tcpSocket:
|
|
port: {{ .Values.meshGateway.containerPort }}
|
|
failureThreshold: 3
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
timeoutSeconds: 5
|
|
readinessProbe:
|
|
tcpSocket:
|
|
port: {{ .Values.meshGateway.containerPort }}
|
|
failureThreshold: 3
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
timeoutSeconds: 5
|
|
{{- end }}
|
|
ports:
|
|
- name: gateway
|
|
containerPort: {{ .Values.meshGateway.containerPort }}
|
|
{{- if .Values.meshGateway.hostPort }}
|
|
hostPort: {{ .Values.meshGateway.hostPort }}
|
|
{{- end }}
|
|
lifecycle:
|
|
preStop:
|
|
exec:
|
|
command: ["/bin/sh", "-ec", "/consul-bin/consul services deregister -id=\"{{ default "mesh-gateway" .Values.meshGateway.consulServiceName }}\""]
|
|
|
|
{{- if .Values.meshGateway.priorityClassName }}
|
|
priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }}
|
|
{{- end }}
|
|
{{- if .Values.meshGateway.nodeSelector }}
|
|
nodeSelector:
|
|
{{ tpl .Values.meshGateway.nodeSelector . | indent 8 | trim }}
|
|
{{- end }}
|
|
{{- end }}
|