kind: Deployment apiVersion: apps/v1 metadata: name: {{ template "rancher.fullname" . }} annotations: {{- if (lt (int .Values.replicas) 0) }} management.cattle.io/scale-available: "{{ sub 0 (int .Values.replicas)}}" {{- end }} labels: {{ include "rancher.labels" . | indent 4 }} spec: {{- if (gt (int .Values.replicas) 0) }} replicas: {{ .Values.replicas }} {{- end }} selector: matchLabels: app: {{ template "rancher.fullname" . }} strategy: rollingUpdate: maxSurge: 1 {{- if (eq (int .Values.replicas) 1) }} maxUnavailable: 0 {{- else }} maxUnavailable: 1 {{- end }} type: RollingUpdate template: metadata: labels: app: {{ template "rancher.fullname" . }} release: {{ .Release.Name }} spec: priorityClassName: {{ .Values.priorityClassName }} serviceAccountName: {{ template "rancher.fullname" . }} {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 6 }} {{- end }} affinity: podAntiAffinity: {{- if eq .Values.antiAffinity "required" }} requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: app operator: In values: - {{ template "rancher.fullname" . }} topologyKey: {{ .Values.topologyKey | default "kubernetes.io/hostname" }} {{- else }} preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 podAffinityTerm: labelSelector: matchExpressions: - key: app operator: In values: - {{ template "rancher.fullname" . }} topologyKey: {{ .Values.topologyKey | default "kubernetes.io/hostname" }} {{- end }} nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: {{ include "linux-node-selector-terms" . | nindent 14 }} tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} containers: - image: {{ .Values.rancherImage }}:{{ default .Chart.AppVersion .Values.rancherImageTag }} imagePullPolicy: {{ default "IfNotPresent" .Values.rancherImagePullPolicy }} name: {{ template "rancher.name" . }} ports: - containerPort: 80 protocol: TCP {{- if (and .Values.hostPort (gt (int .Values.hostPort) 0)) }} - containerPort: 444 hostPort: {{ int .Values.hostPort }} protocol: TCP {{- end}} args: {{- if .Values.debug }} - "--debug" {{- end }} {{- if .Values.privateCA }} # Private CA - don't clear ca certs {{- else if and (eq .Values.tls "ingress") (eq .Values.ingress.tls.source "rancher") }} # Rancher self-signed - don't clear ca certs {{- else }} # Public trusted CA - clear ca certs - "--no-cacerts" {{- end }} - "--http-listen-port=80" - "--https-listen-port=443" - "--add-local={{ .Values.addLocal }}" env: - name: CATTLE_NAMESPACE value: {{ .Release.Namespace }} - name: CATTLE_PEER_SERVICE value: {{ template "rancher.fullname" . }} {{- if .Values.features }} - name: CATTLE_FEATURES value: "{{ .Values.features }}" {{- end}} {{- if .Values.noDefaultAdmin }} - name: CATTLE_NO_DEFAULT_ADMIN value: "{{ .Values.noDefaultAdmin }}" {{- end}} {{- if gt (int .Values.auditLog.level) 0 }} - name: AUDIT_LEVEL value: {{ .Values.auditLog.level | quote }} - name: AUDIT_LOG_MAXAGE value: {{ .Values.auditLog.maxAge | quote }} - name: AUDIT_LOG_MAXBACKUP value: {{ .Values.auditLog.maxBackup | quote }} - name: AUDIT_LOG_MAXSIZE value: {{ .Values.auditLog.maxSize | quote }} {{- end }} {{- if .Values.proxy }} - name: HTTP_PROXY value: {{ .Values.proxy }} - name: HTTPS_PROXY value: {{ .Values.proxy }} - name: NO_PROXY value: {{ .Values.noProxy }} {{- end }} {{- if .Values.systemDefaultRegistry }} - name: CATTLE_SYSTEM_DEFAULT_REGISTRY value: {{ .Values.systemDefaultRegistry }} {{- end }} {{- if .Values.useBundledSystemChart }} - name: CATTLE_SYSTEM_CATALOG value: bundled {{- end }} {{- if .Values.restrictedAdmin }} - name: CATTLE_RESTRICTED_DEFAULT_ADMIN value: "true" {{- end}} {{- if .Values.bootstrapPassword }} - name: CATTLE_BOOTSTRAP_PASSWORD valueFrom: secretKeyRef: name: "bootstrap-secret" key: "bootstrapPassword" {{- end }} {{- if .Values.extraEnv }} {{ toYaml .Values.extraEnv | indent 8}} {{- end }} livenessProbe: httpGet: path: /healthz port: 80 initialDelaySeconds: {{.Values.livenessProbe.initialDelaySeconds | default 60 }} periodSeconds: {{ .Values.livenessProbe.periodSeconds | default 30 }} readinessProbe: httpGet: path: /healthz port: 80 initialDelaySeconds: {{.Values.readinessProbe.initialDelaySeconds | default 5}} periodSeconds: {{ .Values.readinessProbe.periodSeconds | default 30}} {{- if .Values.startupProbe }} startupProbe: httpGet: path: /healthz port: 80 failureThreshold: {{.Values.startupProbe.failureThreshold | default 1}} periodSeconds: {{ .Values.startupProbe.periodSeconds | default 30}} {{- end }} resources: {{ toYaml .Values.resources | indent 10 }} volumeMounts: {{- if .Values.additionalTrustedCAs }} - mountPath: /etc/pki/trust/anchors/ca-additional.pem name: tls-ca-additional-volume subPath: ca-additional.pem readOnly: true - mountPath: /etc/rancher/ssl/ca-additional.pem name: tls-ca-additional-volume subPath: ca-additional.pem readOnly: true {{- end }} {{- if .Values.privateCA }} # Pass CA cert into rancher for private CA - mountPath: /etc/rancher/ssl/cacerts.pem name: tls-ca-volume subPath: cacerts.pem readOnly: true {{- end }} {{- if and .Values.customLogos.enabled (or (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (and (eq .Values.customLogos.volumeKind "configMap") (.Values.customLogos.volumeName))) }} # Mount rancher custom-logos volume - mountPath: /usr/share/rancher/ui/assets/images/logos name: custom-logos subPath: {{ .Values.customLogos.volumeSubpaths.emberUi | default "ember" | quote }} - mountPath: /usr/share/rancher/ui-dashboard/dashboard/_nuxt/assets/images/pl name: custom-logos subPath: {{ .Values.customLogos.volumeSubpaths.vueUi | default "vue" | quote }} {{- end }} {{- if gt (int .Values.auditLog.level) 0 }} - mountPath: /var/log/auditlog name: audit-log {{- end }} {{- if eq .Values.auditLog.destination "sidecar" }} {{- if gt (int .Values.auditLog.level) 0 }} # Make audit logs available for Rancher log collector tools. {{- if .Values.busyboxImage }} - image: {{ .Values.busyboxImage}} {{- else }} - image: {{ .Values.auditLog.image.repository }}:{{.Values.auditLog.image.tag}} {{- end }} {{- if .Values.busyboxImagePullPolicy }} imagePullPolicy: {{ .Values.busyboxImagePullPolicy }} {{- else }} imagePullPolicy: {{ .Values.auditLog.image.pullPolicy }} {{- end }} name: {{ template "rancher.name" . }}-audit-log command: ["tail"] args: ["-F", "/var/log/auditlog/rancher-api-audit.log"] volumeMounts: - mountPath: /var/log/auditlog name: audit-log {{- end }} {{- end }} volumes: {{- if .Values.additionalTrustedCAs }} - name: tls-ca-additional-volume secret: defaultMode: 0400 secretName: tls-ca-additional {{- end }} {{- if .Values.privateCA }} - name: tls-ca-volume secret: defaultMode: 0400 secretName: tls-ca {{- end }} {{- if gt (int .Values.auditLog.level) 0 }} {{- if eq .Values.auditLog.destination "hostPath" }} - name: audit-log hostPath: path: {{ .Values.auditLog.hostPath }} type: DirectoryOrCreate {{- else }} - name: audit-log emptyDir: {} {{- end }} {{- end }} {{- if and .Values.customLogos.enabled (or (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (and (eq .Values.customLogos.volumeKind "configMap") (.Values.customLogos.volumeName))) }} - name: custom-logos {{- if (eq .Values.customLogos.volumeKind "persistentVolumeClaim") }} persistentVolumeClaim: claimName: {{ .Values.customLogos.volumeName | default (printf "%s-custom-logos" (include "rancher.fullname" .)) }} {{- else if (eq .Values.customLogos.volumeKind "configMap") }} configMap: name: {{ .Values.customLogos.volumeName }} {{- end }} {{- end }}