--- apiVersion: v1 kind: ServiceAccount metadata: name: epinio-server namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: epinio-server-cluster-admin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: epinio-server namespace: {{ .Release.Namespace }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: epinio-server rules: - apiGroups: - "" resources: - persistentvolumeclaims verbs: - get - create - delete - list - apiGroups: - "" resources: - nodes verbs: - list - apiGroups: - "" resources: - services verbs: - create - get - update - delete - apiGroups: - "" resources: - pods/exec verbs: - create - get - post - apiGroups: - "" resources: - pods/portforward verbs: - get - apiGroups: - "" resources: - pods/log verbs: - get - list - apiGroups: - "" resources: - pods verbs: - get - list - watch - apiGroups: - networking.k8s.io resources: - ingresses verbs: - create - update - delete - get - list - apiGroups: - "" resources: - secrets verbs: - create - delete - get - list - patch - update - apiGroups: - apps resources: - deployments verbs: - create - delete - get - list - update - patch - apiGroups: - servicecatalog.k8s.io resources: - servicebindings verbs: - create - get - delete - list - apiGroups: - servicecatalog.k8s.io resources: - serviceinstances verbs: - create - delete - get - list - apiGroups: - "" resources: - namespaces verbs: - get - list - create - delete - apiGroups: - "" resources: - serviceaccounts verbs: - create - delete - apiGroups: - "cert-manager.io" resources: - certificates verbs: - create - apiGroups: - application.epinio.io resources: - apps verbs: - get - list - create - delete - patch - update - apiGroups: - "metrics.k8s.io" resources: - pods verbs: - list - apiGroups: - apps resources: - replicasets verbs: - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: epinio-server-cluster-role roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: epinio-server subjects: - kind: ServiceAccount name: epinio-server namespace: {{ .Release.Namespace }} --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: epinio-server namespace: {{ .Release.Namespace }} rules: - apiGroups: - batch resources: - jobs verbs: - get - create - delete - list - apiGroups: - "" resources: - configmaps verbs: - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: epinio-server-role namespace: {{ .Release.Namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: epinio-server subjects: - kind: ServiceAccount name: epinio-server namespace: {{ .Release.Namespace }} --- apiVersion: apps/v1 kind: Deployment metadata: labels: app.kubernetes.io/component: epinio app.kubernetes.io/instance: default app.kubernetes.io/name: epinio-server app.kubernetes.io/part-of: epinio app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.image.epinio.tag }} name: epinio-server namespace: {{ .Release.Namespace }} spec: replicas: 1 selector: matchLabels: app.kubernetes.io/component: epinio-server app.kubernetes.io/instance: default app.kubernetes.io/name: epinio-server app.kubernetes.io/part-of: epinio template: metadata: labels: app.kubernetes.io/component: epinio-server app.kubernetes.io/instance: default app.kubernetes.io/name: epinio-server app.kubernetes.io/part-of: epinio app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.image.epinio.tag }} name: epinio-server spec: tolerations: {{- include "linux-node-tolerations" . | nindent 8 }} nodeSelector: {{- include "linux-node-selector" . | nindent 8 }} serviceAccountName: epinio-server volumes: - name: tmp-volume emptyDir: {} - name: asset-volume secret: secretName: epinio-assets containers: - command: ["/epinio", "server"] args: ["--port", "8030"] env: - name: EPINIO_SETTINGS value: /tmp/settings.yaml - name: NAMESPACE value: "{{ .Release.Namespace }}" - name: ACCESS_CONTROL_ALLOW_ORIGIN value: "{{ .Values.server.accessControlAllowOrigin }}" - name: EPINIO_TIMEOUT_MULTIPLIER value: "{{ .Values.server.timeoutMultiplier }}" - name: TLS_ISSUER value: "{{ .Values.global.tlsIssuer }}" - name: TRACE_LEVEL value: "{{ .Values.server.traceLevel }}" {{- if or .Values.s3.certificateSecret .Values.minio.enabled }} - name: S3_CERTIFICATE_SECRET value: {{ default "minio-tls" .Values.s3.certificateSecret }} {{- end }} {{- if .Values.containerregistry.enabled }} - name: REGISTRY_CERTIFICATE_SECRET value: "epinio-registry-tls" {{- end }} {{- if .Values.ingress.ingressClassName }} - name: INGRESS_CLASS_NAME value: "{{ .Values.ingress.ingressClassName }}" {{- end }} {{- if .Values.extraEnv }} {{- toYaml .Values.extraEnv | nindent 12 -}} {{- end }} image: "{{ default .Values.image.epinio.registry (include "registry-url" .) }}{{ .Values.image.epinio.repository }}:{{ default .Chart.AppVersion .Values.image.epinio.tag }}" livenessProbe: httpGet: path: /ready port: 8030 name: epinio-server ports: - containerPort: 8030 volumeMounts: - name: tmp-volume mountPath: /tmp - name: asset-volume mountPath: /assets readinessProbe: httpGet: path: /ready port: 8030 securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true securityContext: runAsNonRoot: true runAsUser: 1000 runAsGroup: 3000 --- apiVersion: v1 kind: Service metadata: labels: app.kubernetes.io/component: epinio app.kubernetes.io/instance: default app.kubernetes.io/name: epinio-server app.kubernetes.io/part-of: epinio app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.image.epinio.tag }} name: epinio-server namespace: {{ .Release.Namespace }} spec: ports: - name: http port: 80 protocol: TCP targetPort: 8030 selector: app.kubernetes.io/name: epinio-server