174 lines
6.4 KiB
YAML
174 lines
6.4 KiB
YAML
{{- if not .Values.templating.debug -}}
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: {{ template "kyverno.fullname" . }}
|
|
labels:
|
|
{{- include "kyverno.labels" . | nindent 4 }}
|
|
namespace: {{ template "kyverno.namespace" . }}
|
|
spec:
|
|
{{- with .Values.replicaCount }}
|
|
replicas: {{ . }}
|
|
{{- end }}
|
|
selector:
|
|
matchLabels:
|
|
{{- include "kyverno.matchLabels" . | nindent 6 }}
|
|
{{- if .Values.updateStrategy }}
|
|
strategy:
|
|
{{ toYaml .Values.updateStrategy | nindent 4 | trim }}
|
|
{{- end }}
|
|
template:
|
|
metadata:
|
|
labels:
|
|
{{- include "kyverno.labels" . | nindent 8 }}
|
|
{{- range $key, $value := .Values.podLabels }}
|
|
{{ $key }}: {{ $value }}
|
|
{{- end }}
|
|
{{- with .Values.podAnnotations }}
|
|
annotations: {{ tpl (toYaml .) $ | nindent 8 }}
|
|
{{- end }}
|
|
spec:
|
|
{{- with .Values.image.pullSecrets }}
|
|
imagePullSecrets: {{ tpl (toYaml .) $ | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.podSecurityContext }}
|
|
securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
|
|
{{- end }}
|
|
{{- if or .Values.antiAffinity.enable .Values.podAffinity .Values.nodeAffinity }}
|
|
affinity:
|
|
{{- if .Values.antiAffinity.enable }}
|
|
{{- with .Values.podAntiAffinity }}
|
|
podAntiAffinity:
|
|
{{- tpl (toYaml .) $ | nindent 10 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .Values.podAffinity }}
|
|
podAffinity:
|
|
{{- tpl (toYaml .) $ | nindent 10 }}
|
|
{{- end }}
|
|
{{- with .Values.nodeAffinity }}
|
|
nodeAffinity:
|
|
{{- tpl (toYaml .) $ | nindent 10 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .Values.nodeSelector }}
|
|
nodeSelector: {{ tpl (toYaml .) $ | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.tolerations }}
|
|
tolerations: {{ tpl (toYaml .) $ | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.topologySpreadConstraints }}
|
|
topologySpreadConstraints: {{ tpl (toYaml .) $ | nindent 8 }}
|
|
{{- end }}
|
|
serviceAccountName: {{ template "kyverno.serviceAccountName" . }}
|
|
{{- if .Values.priorityClassName }}
|
|
priorityClassName: {{ .Values.priorityClassName | quote }}
|
|
{{- end }}
|
|
{{- if .Values.hostNetwork }}
|
|
hostNetwork: {{ .Values.hostNetwork }}
|
|
{{- end }}
|
|
{{- if .Values.dnsPolicy }}
|
|
dnsPolicy: {{ .Values.dnsPolicy }}
|
|
{{- end }}
|
|
initContainers:
|
|
{{- if .Values.extraInitContainers }}
|
|
{{- toYaml .Values.extraInitContainers | nindent 8 }}
|
|
{{- end }}
|
|
- name: kyverno-pre
|
|
image: {{ include "kyverno.image" (dict "image" .Values.initImage "defaultTag" (default .Chart.AppVersion .Values.image.tag)) | quote }}
|
|
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }}
|
|
{{- if .Values.initContainer.extraArgs }}
|
|
args:
|
|
{{- tpl (toYaml .Values.initContainer.extraArgs) . | nindent 12 }}
|
|
{{- end }}
|
|
{{- with .Values.initResources }}
|
|
resources: {{ tpl (toYaml .) $ | nindent 12 }}
|
|
{{- end }}
|
|
{{- if .Values.securityContext }}
|
|
securityContext: {{ include "kyverno.securityContext" . | nindent 12 }}
|
|
{{- end }}
|
|
env:
|
|
- name: METRICS_CONFIG
|
|
value: {{ template "kyverno.metricsConfigMapName" . }}
|
|
- name: KYVERNO_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: KYVERNO_POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
- name: KYVERNO_DEPLOYMENT
|
|
value: {{ template "kyverno.fullname" . }}
|
|
{{- with .Values.envVarsInit }}
|
|
{{- toYaml . | nindent 10 }}
|
|
{{- end }}
|
|
containers:
|
|
{{- if .Values.extraContainers }}
|
|
{{- toYaml .Values.extraContainers | nindent 8 }}
|
|
{{- end }}
|
|
- name: kyverno
|
|
image: {{ include "kyverno.image" (dict "image" .Values.image "defaultTag" .Chart.AppVersion) | quote }}
|
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
{{- if or .Values.extraArgs .Values.imagePullSecrets }}
|
|
args:
|
|
{{- if .Values.extraArgs -}}
|
|
{{ tpl (toYaml .Values.extraArgs) . | nindent 12 }}
|
|
{{- end }}
|
|
{{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }}
|
|
- --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .Values.resources }}
|
|
resources: {{ tpl (toYaml .) $ | nindent 12 }}
|
|
{{- end }}
|
|
{{- if .Values.securityContext }}
|
|
securityContext: {{ include "kyverno.securityContext" . | nindent 12 }}
|
|
{{- end }}
|
|
ports:
|
|
- containerPort: 9443
|
|
name: https
|
|
protocol: TCP
|
|
- containerPort: 8000
|
|
name: metrics-port
|
|
protocol: TCP
|
|
env:
|
|
- name: INIT_CONFIG
|
|
value: {{ template "kyverno.configMapName" . }}
|
|
- name: METRICS_CONFIG
|
|
value: {{ template "kyverno.metricsConfigMapName" . }}
|
|
- name: KYVERNO_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: KYVERNO_POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
- name: KYVERNO_SERVICEACCOUNT_NAME
|
|
value: {{ template "kyverno.serviceAccountName" . }}
|
|
- name: KYVERNO_SVC
|
|
value: {{ template "kyverno.serviceName" . }}
|
|
- name: TUF_ROOT
|
|
value: {{ .Values.tufRootMountPath }}
|
|
{{- with .Values.envVars }}
|
|
{{- toYaml . | nindent 10 }}
|
|
{{- end }}
|
|
- name: KYVERNO_DEPLOYMENT
|
|
value: {{ template "kyverno.fullname" . }}
|
|
{{- with .Values.startupProbe }}
|
|
startupProbe: {{ tpl (toYaml .) $ | nindent 12 }}
|
|
{{- end }}
|
|
{{- with .Values.livenessProbe }}
|
|
livenessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
|
|
{{- end }}
|
|
{{- with .Values.readinessProbe }}
|
|
readinessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
|
|
{{- end }}
|
|
volumeMounts:
|
|
- mountPath: {{ .Values.tufRootMountPath }}
|
|
name: sigstore
|
|
volumes:
|
|
- name: sigstore
|
|
emptyDir: {}
|
|
{{- end -}}
|