{{- $auth := .Values.auth | default dict }} apiVersion: apps/v1 kind: Deployment metadata: name: rancher-webhook spec: selector: matchLabels: app: rancher-webhook template: metadata: labels: app: rancher-webhook spec: {{- if $auth.clientCA }} volumes: - name: client-ca secret: secretName: client-ca {{- end }} {{- if .Values.global.hostNetwork }} hostNetwork: true {{- end }} nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} {{- if .Values.nodeSelector }} {{ toYaml .Values.nodeSelector | indent 8 }} {{- end }} tolerations: {{ include "linux-node-tolerations" . | nindent 6 }} {{- if .Values.tolerations }} {{ toYaml .Values.tolerations | indent 6 }} {{- end }} containers: - env: - name: STAMP value: "{{.Values.stamp}}" - name: ENABLE_MCM value: "{{.Values.mcm.enabled}}" - name: CATTLE_PORT value: {{.Values.port | default 9443 | quote}} - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace {{- if $auth.allowedCNs }} - name: ALLOWED_CNS value: '{{ join "," $auth.allowedCNs }}' {{- end }} image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}' name: rancher-webhook imagePullPolicy: "{{ .Values.image.imagePullPolicy }}" ports: - name: https containerPort: {{ .Values.port | default 9443 }} startupProbe: httpGet: path: "/healthz" port: "https" scheme: "HTTPS" failureThreshold: 60 periodSeconds: 5 livenessProbe: httpGet: path: "/healthz" port: "https" scheme: "HTTPS" periodSeconds: 5 {{- if $auth.clientCA }} volumeMounts: - name: client-ca mountPath: /tmp/k8s-webhook-server/client-ca readOnly: true {{- end }} {{- if .Values.capNetBindService }} securityContext: capabilities: add: - NET_BIND_SERVICE {{- end }} serviceAccountName: rancher-webhook {{- if .Values.priorityClassName }} priorityClassName: "{{.Values.priorityClassName}}" {{- end }}