apiVersion: apps/v1 kind: Deployment metadata: annotations: seccomp.security.alpha.kubernetes.io/pod: runtime/default labels: {{ include "externalip-webhook.labels" . | indent 4 }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} name: {{ template "externalip-webhook.fullname" . }} namespace: {{ .Release.Namespace }} spec: replicas: {{ .Values.replicas }} selector: matchLabels: app: {{ template "externalip-webhook.name" . }} template: metadata: annotations: seccomp.security.alpha.kubernetes.io/pod: runtime/default labels: {{ include "externalip-webhook.labels" . | indent 8 }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} spec: containers: {{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) }} - name: {{ template "externalip-webhook.fullname" . }}-auth-proxy args: - --secure-listen-address=0.0.0.0:{{ .Values.metrics.port }} - --upstream=http://127.0.0.1:{{ .Values.metrics.authProxy.port }}/ - --logtostderr=true - --v=10 image: {{ template "system_default_registry" . }}{{ .Values.metrics.authProxy.image.repository}}:{{ .Values.metrics.authProxy.image.tag }} imagePullPolicy: "{{ .Values.metrics.authProxy.image.pullPolicy }}" ports: - containerPort: {{ .Values.metrics.port }} name: webhook-metrics protocol: TCP resources: {{ toYaml .Values.metrics.authProxy.resources | indent 10 }} readinessProbe: tcpSocket: port: webhook-metrics initialDelaySeconds: 5 periodSeconds: 10 livenessProbe: tcpSocket: port: webhook-metrics initialDelaySeconds: 5 failureThreshold: 10 periodSeconds: 30 {{- end }} - name: {{ template "externalip-webhook.fullname" . }} image: {{ template "system_default_registry" . }}{{ .Values.image.repository}}:{{ default .Chart.AppVersion .Values.image.tag }} imagePullPolicy: "{{ .Values.image.pullPolicy }}" command: - /webhook args: - --webhook-port={{ .Values.webhookPort }} {{- if .Values.allowedExternalIPCidrs }} - --allowed-external-ip-cidrs={{ .Values.allowedExternalIPCidrs }} {{- end }} {{- if .Values.metrics.enabled }} {{- if .Values.metrics.authProxy.enabled }} - --metrics-addr=127.0.0.1:{{ .Values.metrics.authProxy.port }} {{- else }} - --metrics-addr=0.0.0.0:{{ .Values.metrics.port }} {{- end }} {{- end }} ports: - containerPort: {{ .Values.webhookPort }} name: webhook-server protocol: TCP {{- if and (.Values.metrics.enabled) (not (.Values.metrics.authProxy.enabled)) }} - containerPort: {{ .Values.metrics.port }} name: webhook-metrics protocol: TCP {{- end }} volumeMounts: - name: server-cert mountPath: /tmp/k8s-webhook-server/serving-certs readOnly: true resources: {{ toYaml .Values.resources | indent 10 }} readinessProbe: tcpSocket: port: webhook-server initialDelaySeconds: 5 failureThreshold: 10 periodSeconds: 30 livenessProbe: tcpSocket: port: webhook-server initialDelaySeconds: 5 failureThreshold: 10 periodSeconds: 30 nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} {{- if .Values.nodeSelector }} {{ toYaml .Values.nodeSelector | indent 8 }} {{- end }} tolerations: {{ include "linux-node-tolerations" . | nindent 6}} {{- if .Values.tolerations }} {{ toYaml .Values.tolerations | indent 6 }} {{- end }} serviceAccountName: {{ template "externalip-webhook.fullname" . }} volumes: - name: server-cert secret: defaultMode: 420 secretName: {{ .Values.certificates.secretName }}