mirror of
https://github.com/bvanroll/cicdTest.git
synced 2025-08-29 20:12:43 +00:00
201 lines
8.8 KiB
YAML
201 lines
8.8 KiB
YAML
# The deployment for running the Connect sidecar injector
|
|
{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
|
|
{{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}{{ fail "clients must be enabled for connect injection" }}{{ end }}
|
|
{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for connect injection" }}{{ end }}
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: {{ template "consul.fullname" . }}-connect-injector-webhook-deployment
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
app: {{ template "consul.name" . }}
|
|
chart: {{ template "consul.chart" . }}
|
|
heritage: {{ .Release.Service }}
|
|
release: {{ .Release.Name }}
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: {{ template "consul.name" . }}
|
|
chart: {{ template "consul.chart" . }}
|
|
release: {{ .Release.Name }}
|
|
component: connect-injector
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: {{ template "consul.name" . }}
|
|
chart: {{ template "consul.chart" . }}
|
|
release: {{ .Release.Name }}
|
|
component: connect-injector
|
|
annotations:
|
|
"consul.hashicorp.com/connect-inject": "false"
|
|
spec:
|
|
{{- if not .Values.connectInject.certs.secretName }}
|
|
serviceAccountName: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account
|
|
{{- end }}
|
|
containers:
|
|
- name: sidecar-injector
|
|
image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}"
|
|
env:
|
|
- name: NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
{{- /* A Consul client and ACL token is only necessary for the connect injector if namespaces are enabled */}}
|
|
{{- if .Values.global.enableConsulNamespaces }}
|
|
- name: HOST_IP
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: status.hostIP
|
|
{{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }}
|
|
- name: CONSUL_HTTP_TOKEN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ .Values.connectInject.aclInjectToken.secretName }}
|
|
key: {{ .Values.connectInject.aclInjectToken.secretKey }}
|
|
{{- else if .Values.global.bootstrapACLs }}
|
|
- name: CONSUL_HTTP_TOKEN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: "{{ template "consul.fullname" . }}-connect-inject-acl-token"
|
|
key: "token"
|
|
{{- end }}
|
|
{{- if .Values.global.tls.enabled }}
|
|
- name: CONSUL_HTTP_ADDR
|
|
value: https://$(HOST_IP):8501
|
|
- name: CONSUL_CACERT
|
|
value: /consul/tls/ca/tls.crt
|
|
{{- else }}
|
|
- name: CONSUL_HTTP_ADDR
|
|
value: http://$(HOST_IP):8500
|
|
{{- end }}
|
|
{{- end }}
|
|
command:
|
|
- "/bin/sh"
|
|
- "-ec"
|
|
- |
|
|
CONSUL_FULLNAME="{{template "consul.fullname" . }}"
|
|
|
|
consul-k8s inject-connect \
|
|
-default-inject={{ .Values.connectInject.default }} \
|
|
-consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \
|
|
{{ if .Values.connectInject.imageEnvoy -}}
|
|
-envoy-image="{{ .Values.connectInject.imageEnvoy }}" \
|
|
{{ end -}}
|
|
-consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \
|
|
-listen=:8080 \
|
|
{{- if .Values.connectInject.overrideAuthMethodName }}
|
|
-acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \
|
|
{{- else if .Values.global.bootstrapACLs }}
|
|
-acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \
|
|
{{- end }}
|
|
|
|
{{- if .Values.global.tls.enabled }}
|
|
-consul-ca-cert=/consul/tls/ca/tls.crt \
|
|
{{- end }}
|
|
{{- if .Values.connectInject.centralConfig.enabled }}
|
|
-enable-central-config=true \
|
|
{{- end }}
|
|
{{- if (and .Values.connectInject.centralConfig.enabled .Values.connectInject.centralConfig.defaultProtocol) }}
|
|
-default-protocol="{{ .Values.connectInject.centralConfig.defaultProtocol }}" \
|
|
{{- end }}
|
|
{{- range $value := .Values.connectInject.k8sAllowNamespaces }}
|
|
-allow-k8s-namespace="{{ $value }}" \
|
|
{{- end }}
|
|
{{- range $value := .Values.connectInject.k8sDenyNamespaces }}
|
|
-deny-k8s-namespace="{{ $value }}" \
|
|
{{- end }}
|
|
{{- if .Values.global.enableConsulNamespaces }}
|
|
-enable-namespaces=true \
|
|
{{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }}
|
|
-consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \
|
|
{{- end }}
|
|
{{- if .Values.connectInject.consulNamespaces.mirroringK8S }}
|
|
-enable-k8s-namespace-mirroring=true \
|
|
{{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}
|
|
-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.global.bootstrapACLs }}
|
|
-consul-cross-namespace-acl-policy=cross-namespace-policy \
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.connectInject.certs.secretName }}
|
|
-tls-cert-file=/etc/connect-injector/certs/{{ .Values.connectInject.certs.certName }} \
|
|
-tls-key-file=/etc/connect-injector/certs/{{ .Values.connectInject.certs.keyName }}
|
|
{{- else }}
|
|
-tls-auto=${CONSUL_FULLNAME}-connect-injector-cfg \
|
|
-tls-auto-hosts=${CONSUL_FULLNAME}-connect-injector-svc,${CONSUL_FULLNAME}-connect-injector-svc.${NAMESPACE},${CONSUL_FULLNAME}-connect-injector-svc.${NAMESPACE}.svc
|
|
{{- end }}
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /health/ready
|
|
port: 8080
|
|
scheme: HTTPS
|
|
failureThreshold: 2
|
|
initialDelaySeconds: 1
|
|
periodSeconds: 2
|
|
successThreshold: 1
|
|
timeoutSeconds: 5
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /health/ready
|
|
port: 8080
|
|
scheme: HTTPS
|
|
failureThreshold: 2
|
|
initialDelaySeconds: 2
|
|
periodSeconds: 2
|
|
successThreshold: 1
|
|
timeoutSeconds: 5
|
|
{{- if (or .Values.connectInject.certs.secretName .Values.global.tls.enabled) }}
|
|
volumeMounts:
|
|
{{- if .Values.connectInject.certs.secretName }}
|
|
- name: certs
|
|
mountPath: /etc/connect-injector/certs
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- if .Values.global.tls.enabled }}
|
|
- name: consul-ca-cert
|
|
mountPath: /consul/tls/ca
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if (or .Values.connectInject.certs.secretName .Values.global.tls.enabled) }}
|
|
volumes:
|
|
{{- if .Values.connectInject.certs.secretName }}
|
|
- name: certs
|
|
secret:
|
|
secretName: {{ .Values.connectInject.certs.secretName }}
|
|
{{- end }}
|
|
{{- if .Values.global.tls.enabled }}
|
|
- name: consul-ca-cert
|
|
secret:
|
|
{{- if .Values.global.tls.caCert.secretName }}
|
|
secretName: {{ .Values.global.tls.caCert.secretName }}
|
|
{{- else }}
|
|
secretName: {{ template "consul.fullname" . }}-ca-cert
|
|
{{- end }}
|
|
items:
|
|
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
|
|
path: tls.crt
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if and .Values.global.bootstrapACLs .Values.global.enableConsulNamespaces }}
|
|
initContainers:
|
|
- name: injector-acl-init
|
|
image: {{ .Values.global.imageK8S }}
|
|
command:
|
|
- "/bin/sh"
|
|
- "-ec"
|
|
- |
|
|
consul-k8s acl-init \
|
|
-secret-name="{{ template "consul.fullname" . }}-connect-inject-acl-token" \
|
|
-k8s-namespace={{ .Release.Namespace }} \
|
|
-init-type="sync"
|
|
{{- end }}
|
|
{{- if .Values.connectInject.nodeSelector }}
|
|
nodeSelector:
|
|
{{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }}
|
|
{{- end }}
|
|
{{- end }}
|