254 lines
8.9 KiB
YAML
254 lines
8.9 KiB
YAML
|
kind: Deployment
|
||
|
apiVersion: apps/v1
|
||
|
metadata:
|
||
|
name: {{ template "rancher.fullname" . }}
|
||
|
annotations:
|
||
|
{{- if (lt (int .Values.replicas) 0) }}
|
||
|
management.cattle.io/scale-available: "{{ sub 0 (int .Values.replicas)}}"
|
||
|
{{- end }}
|
||
|
labels:
|
||
|
{{ include "rancher.labels" . | indent 4 }}
|
||
|
spec:
|
||
|
{{- if (gt (int .Values.replicas) 0) }}
|
||
|
replicas: {{ .Values.replicas }}
|
||
|
{{- end }}
|
||
|
selector:
|
||
|
matchLabels:
|
||
|
app: {{ template "rancher.fullname" . }}
|
||
|
strategy:
|
||
|
rollingUpdate:
|
||
|
maxSurge: 1
|
||
|
{{- if (eq (int .Values.replicas) 1) }}
|
||
|
maxUnavailable: 0
|
||
|
{{- else }}
|
||
|
maxUnavailable: 1
|
||
|
{{- end }}
|
||
|
type: RollingUpdate
|
||
|
template:
|
||
|
metadata:
|
||
|
labels:
|
||
|
app: {{ template "rancher.fullname" . }}
|
||
|
release: {{ .Release.Name }}
|
||
|
spec:
|
||
|
priorityClassName: {{ .Values.priorityClassName }}
|
||
|
serviceAccountName: {{ template "rancher.fullname" . }}
|
||
|
{{- if .Values.imagePullSecrets }}
|
||
|
imagePullSecrets:
|
||
|
{{ toYaml .Values.imagePullSecrets | indent 6 }}
|
||
|
{{- end }}
|
||
|
affinity:
|
||
|
podAntiAffinity:
|
||
|
{{- if eq .Values.antiAffinity "required" }}
|
||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||
|
- labelSelector:
|
||
|
matchExpressions:
|
||
|
- key: app
|
||
|
operator: In
|
||
|
values:
|
||
|
- {{ template "rancher.fullname" . }}
|
||
|
topologyKey: {{ .Values.topologyKey | default "kubernetes.io/hostname" }}
|
||
|
{{- else }}
|
||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||
|
- weight: 100
|
||
|
podAffinityTerm:
|
||
|
labelSelector:
|
||
|
matchExpressions:
|
||
|
- key: app
|
||
|
operator: In
|
||
|
values:
|
||
|
- {{ template "rancher.fullname" . }}
|
||
|
topologyKey: {{ .Values.topologyKey | default "kubernetes.io/hostname" }}
|
||
|
{{- end }}
|
||
|
nodeAffinity:
|
||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||
|
nodeSelectorTerms: {{ include "linux-node-selector-terms" . | nindent 14 }}
|
||
|
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
|
||
|
containers:
|
||
|
- image: {{ .Values.rancherImage }}:{{ default .Chart.AppVersion .Values.rancherImageTag }}
|
||
|
imagePullPolicy: {{ default "IfNotPresent" .Values.rancherImagePullPolicy }}
|
||
|
name: {{ template "rancher.name" . }}
|
||
|
ports:
|
||
|
- containerPort: 80
|
||
|
protocol: TCP
|
||
|
{{- if (and .Values.hostPort (gt (int .Values.hostPort) 0)) }}
|
||
|
- containerPort: 444
|
||
|
hostPort: {{ int .Values.hostPort }}
|
||
|
protocol: TCP
|
||
|
{{- end}}
|
||
|
args:
|
||
|
{{- if .Values.debug }}
|
||
|
- "--debug"
|
||
|
{{- end }}
|
||
|
{{- if .Values.privateCA }}
|
||
|
# Private CA - don't clear ca certs
|
||
|
{{- else if and (eq .Values.tls "ingress") (eq .Values.ingress.tls.source "rancher") }}
|
||
|
# Rancher self-signed - don't clear ca certs
|
||
|
{{- else }}
|
||
|
# Public trusted CA - clear ca certs
|
||
|
- "--no-cacerts"
|
||
|
{{- end }}
|
||
|
- "--http-listen-port=80"
|
||
|
- "--https-listen-port=443"
|
||
|
- "--add-local={{ .Values.addLocal }}"
|
||
|
env:
|
||
|
- name: CATTLE_NAMESPACE
|
||
|
value: {{ .Release.Namespace }}
|
||
|
- name: CATTLE_PEER_SERVICE
|
||
|
value: {{ template "rancher.fullname" . }}
|
||
|
{{- if .Values.features }}
|
||
|
- name: CATTLE_FEATURES
|
||
|
value: "{{ .Values.features }}"
|
||
|
{{- end}}
|
||
|
{{- if .Values.noDefaultAdmin }}
|
||
|
- name: CATTLE_NO_DEFAULT_ADMIN
|
||
|
value: "{{ .Values.noDefaultAdmin }}"
|
||
|
{{- end}}
|
||
|
{{- if gt (int .Values.auditLog.level) 0 }}
|
||
|
- name: AUDIT_LEVEL
|
||
|
value: {{ .Values.auditLog.level | quote }}
|
||
|
- name: AUDIT_LOG_MAXAGE
|
||
|
value: {{ .Values.auditLog.maxAge | quote }}
|
||
|
- name: AUDIT_LOG_MAXBACKUP
|
||
|
value: {{ .Values.auditLog.maxBackup | quote }}
|
||
|
- name: AUDIT_LOG_MAXSIZE
|
||
|
value: {{ .Values.auditLog.maxSize | quote }}
|
||
|
{{- end }}
|
||
|
{{- if .Values.proxy }}
|
||
|
- name: HTTP_PROXY
|
||
|
value: {{ .Values.proxy }}
|
||
|
- name: HTTPS_PROXY
|
||
|
value: {{ .Values.proxy }}
|
||
|
- name: NO_PROXY
|
||
|
value: {{ .Values.noProxy }}
|
||
|
{{- end }}
|
||
|
{{- if .Values.systemDefaultRegistry }}
|
||
|
- name: CATTLE_SYSTEM_DEFAULT_REGISTRY
|
||
|
value: {{ .Values.systemDefaultRegistry }}
|
||
|
{{- end }}
|
||
|
{{- if .Values.useBundledSystemChart }}
|
||
|
- name: CATTLE_SYSTEM_CATALOG
|
||
|
value: bundled
|
||
|
{{- end }}
|
||
|
{{- if .Values.restrictedAdmin }}
|
||
|
- name: CATTLE_RESTRICTED_DEFAULT_ADMIN
|
||
|
value: "true"
|
||
|
{{- end}}
|
||
|
{{- if .Values.bootstrapPassword }}
|
||
|
- name: CATTLE_BOOTSTRAP_PASSWORD
|
||
|
valueFrom:
|
||
|
secretKeyRef:
|
||
|
name: "bootstrap-secret"
|
||
|
key: "bootstrapPassword"
|
||
|
{{- end }}
|
||
|
{{- if .Values.extraEnv }}
|
||
|
{{ toYaml .Values.extraEnv | indent 8}}
|
||
|
{{- end }}
|
||
|
livenessProbe:
|
||
|
httpGet:
|
||
|
path: /healthz
|
||
|
port: 80
|
||
|
initialDelaySeconds: {{.Values.livenessProbe.initialDelaySeconds | default 60 }}
|
||
|
periodSeconds: {{ .Values.livenessProbe.periodSeconds | default 30 }}
|
||
|
readinessProbe:
|
||
|
httpGet:
|
||
|
path: /healthz
|
||
|
port: 80
|
||
|
initialDelaySeconds: {{.Values.readinessProbe.initialDelaySeconds | default 5}}
|
||
|
periodSeconds: {{ .Values.readinessProbe.periodSeconds | default 30}}
|
||
|
{{- if .Values.startupProbe }}
|
||
|
startupProbe:
|
||
|
httpGet:
|
||
|
path: /healthz
|
||
|
port: 80
|
||
|
failureThreshold: {{.Values.startupProbe.failureThreshold | default 1}}
|
||
|
periodSeconds: {{ .Values.startupProbe.periodSeconds | default 30}}
|
||
|
{{- end }}
|
||
|
resources:
|
||
|
{{ toYaml .Values.resources | indent 10 }}
|
||
|
volumeMounts:
|
||
|
{{- if .Values.additionalTrustedCAs }}
|
||
|
- mountPath: /etc/pki/trust/anchors/ca-additional.pem
|
||
|
name: tls-ca-additional-volume
|
||
|
subPath: ca-additional.pem
|
||
|
readOnly: true
|
||
|
- mountPath: /etc/rancher/ssl/ca-additional.pem
|
||
|
name: tls-ca-additional-volume
|
||
|
subPath: ca-additional.pem
|
||
|
readOnly: true
|
||
|
{{- end }}
|
||
|
{{- if .Values.privateCA }}
|
||
|
# Pass CA cert into rancher for private CA
|
||
|
- mountPath: /etc/rancher/ssl/cacerts.pem
|
||
|
name: tls-ca-volume
|
||
|
subPath: cacerts.pem
|
||
|
readOnly: true
|
||
|
{{- end }}
|
||
|
{{- if and .Values.customLogos.enabled (or (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (and (eq .Values.customLogos.volumeKind "configMap") (.Values.customLogos.volumeName))) }}
|
||
|
# Mount rancher custom-logos volume
|
||
|
- mountPath: /usr/share/rancher/ui/assets/images/logos
|
||
|
name: custom-logos
|
||
|
subPath: {{ .Values.customLogos.volumeSubpaths.emberUi | default "ember" | quote }}
|
||
|
- mountPath: /usr/share/rancher/ui-dashboard/dashboard/_nuxt/assets/images/pl
|
||
|
name: custom-logos
|
||
|
subPath: {{ .Values.customLogos.volumeSubpaths.vueUi | default "vue" | quote }}
|
||
|
{{- end }}
|
||
|
{{- if gt (int .Values.auditLog.level) 0 }}
|
||
|
- mountPath: /var/log/auditlog
|
||
|
name: audit-log
|
||
|
{{- end }}
|
||
|
{{- if eq .Values.auditLog.destination "sidecar" }}
|
||
|
{{- if gt (int .Values.auditLog.level) 0 }}
|
||
|
# Make audit logs available for Rancher log collector tools.
|
||
|
{{- if .Values.busyboxImage }}
|
||
|
- image: {{ .Values.busyboxImage}}
|
||
|
{{- else }}
|
||
|
- image: {{ .Values.auditLog.image.repository }}:{{.Values.auditLog.image.tag}}
|
||
|
{{- end }}
|
||
|
{{- if .Values.busyboxImagePullPolicy }}
|
||
|
imagePullPolicy: {{ .Values.busyboxImagePullPolicy }}
|
||
|
{{- else }}
|
||
|
imagePullPolicy: {{ .Values.auditLog.image.pullPolicy }}
|
||
|
{{- end }}
|
||
|
name: {{ template "rancher.name" . }}-audit-log
|
||
|
command: ["tail"]
|
||
|
args: ["-F", "/var/log/auditlog/rancher-api-audit.log"]
|
||
|
volumeMounts:
|
||
|
- mountPath: /var/log/auditlog
|
||
|
name: audit-log
|
||
|
{{- end }}
|
||
|
{{- end }}
|
||
|
volumes:
|
||
|
{{- if .Values.additionalTrustedCAs }}
|
||
|
- name: tls-ca-additional-volume
|
||
|
secret:
|
||
|
defaultMode: 0400
|
||
|
secretName: tls-ca-additional
|
||
|
{{- end }}
|
||
|
{{- if .Values.privateCA }}
|
||
|
- name: tls-ca-volume
|
||
|
secret:
|
||
|
defaultMode: 0400
|
||
|
secretName: tls-ca
|
||
|
{{- end }}
|
||
|
{{- if gt (int .Values.auditLog.level) 0 }}
|
||
|
{{- if eq .Values.auditLog.destination "hostPath" }}
|
||
|
- name: audit-log
|
||
|
hostPath:
|
||
|
path: {{ .Values.auditLog.hostPath }}
|
||
|
type: DirectoryOrCreate
|
||
|
{{- else }}
|
||
|
- name: audit-log
|
||
|
emptyDir: {}
|
||
|
{{- end }}
|
||
|
{{- end }}
|
||
|
{{- if and .Values.customLogos.enabled (or (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (and (eq .Values.customLogos.volumeKind "configMap") (.Values.customLogos.volumeName))) }}
|
||
|
- name: custom-logos
|
||
|
{{- if (eq .Values.customLogos.volumeKind "persistentVolumeClaim") }}
|
||
|
persistentVolumeClaim:
|
||
|
claimName: {{ .Values.customLogos.volumeName | default (printf "%s-custom-logos" (include "rancher.fullname" .)) }}
|
||
|
{{- else if (eq .Values.customLogos.volumeKind "configMap") }}
|
||
|
configMap:
|
||
|
name: {{ .Values.customLogos.volumeName }}
|
||
|
{{- end }}
|
||
|
{{- end }}
|