{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }} {{- if and .Values.global.peering.enabled (not .Values.global.tls.enabled) }}{{ fail "setting global.peering.enabled to true requires global.tls.enabled to be true" }}{{ end }} {{- if and .Values.global.peering.enabled (not .Values.meshGateway.enabled) }}{{ fail "setting global.peering.enabled to true requires meshGateway.enabled to be true" }}{{ end }} {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} {{ template "consul.validateVaultWebhookCertConfiguration" . }} {{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} {{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}} {{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} {{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} {{ template "consul.validateRequiredCloudSecretsExist" . }} {{ template "consul.validateCloudSecretKeys" . }} # The deployment for running the Connect sidecar injector apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "consul.fullname" . }}-connect-injector namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} component: connect-injector spec: replicas: {{ .Values.connectInject.replicas }} selector: matchLabels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} release: {{ .Release.Name }} component: connect-injector template: metadata: labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} release: {{ .Release.Name }} component: connect-injector {{- if .Values.connectInject.extraLabels }} {{- toYaml .Values.connectInject.extraLabels | nindent 8 }} {{- end }} annotations: "consul.hashicorp.com/connect-inject": "false" {{- if .Values.connectInject.annotations }} {{- tpl .Values.connectInject.annotations . | nindent 8 }} {{- end }} {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} "vault.hashicorp.com/agent-init-first": "true" "vault.hashicorp.com/agent-inject": "true" {{- if .Values.global.secretsBackend.vault.connectInjectRole }} "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }} {{ else }} "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} {{ end }} "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }} {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} "vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs" {{- end }} {{- end }} {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} "vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs" "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} "vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs" {{- end }} {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" {{- end }} {{- if .Values.global.secretsBackend.vault.agentAnnotations }} {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} {{- end }} {{- end }} spec: serviceAccountName: {{ template "consul.fullname" . }}-connect-injector containers: - name: sidecar-injector image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}" ports: - containerPort: 8080 name: webhook-server protocol: TCP env: - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 12 }} {{- if .Values.global.acls.manageSystemACLs }} - name: CONSUL_LOGIN_AUTH_METHOD {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} {{- else }} value: {{ template "consul.fullname" . }}-k8s-component-auth-method {{- end }} - name: CONSUL_LOGIN_DATACENTER {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} value: {{ .Values.global.federation.primaryDatacenter }} {{- else }} value: {{ .Values.global.datacenter }} {{- end }} - name: CONSUL_LOGIN_META value: "component=connect-injector,pod=$(NAMESPACE)/$(POD_NAME)" {{- end }} {{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }} - name: CONSUL_ACL_TOKEN valueFrom: secretKeyRef: name: {{ .Values.connectInject.aclInjectToken.secretName }} key: {{ .Values.connectInject.aclInjectToken.secretKey }} {{- end }} command: - "/bin/sh" - "-ec" - | consul-k8s-control-plane inject-connect \ {{- if .Values.global.federation.enabled }} -enable-federation \ {{- end }} -log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \ -log-json={{ .Values.global.logJSON }} \ -default-inject={{ .Values.connectInject.default }} \ -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \ -consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \ -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \ -release-name="{{ .Release.Name }}" \ -release-namespace="{{ .Release.Namespace }}" \ -resource-prefix={{ template "consul.fullname" . }} \ -listen=:8080 \ {{- range $k, $v := .Values.connectInject.consulNode.meta }} -node-meta={{ $k }}={{ $v }} \ {{- end }} {{- if .Values.connectInject.transparentProxy.defaultEnabled }} -default-enable-transparent-proxy=true \ {{- else }} -default-enable-transparent-proxy=false \ {{- end }} -enable-cni={{ .Values.connectInject.cni.enabled }} \ {{- if .Values.global.peering.enabled }} -enable-peering=true \ {{- end }} {{- if .Values.global.openshift.enabled }} -enable-openshift \ {{- end }} {{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }} -transparent-proxy-default-overwrite-probes=true \ {{- else }} -transparent-proxy-default-overwrite-probes=false \ {{- end }} {{- if (and $dnsEnabled $dnsRedirectionEnabled) }} -enable-consul-dns=true \ {{- end }} {{- if .Values.global.openshift.enabled }} -enable-openshift \ {{- end }} {{- if (or (and (ne (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.connectInject.metrics.defaultEnabled) (and (eq (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.global.metrics.enabled)) }} -default-enable-metrics=true \ {{- else }} -default-enable-metrics=false \ {{- end }} -enable-gateway-metrics={{ .Values.global.metrics.enableGatewayMetrics }} \ -default-enable-metrics-merging={{ .Values.connectInject.metrics.defaultEnableMerging }} \ -default-merged-metrics-port={{ .Values.connectInject.metrics.defaultMergedMetricsPort }} \ -default-prometheus-scrape-port={{ .Values.connectInject.metrics.defaultPrometheusScrapePort }} \ -default-prometheus-scrape-path="{{ .Values.connectInject.metrics.defaultPrometheusScrapePath }}" \ {{- if .Values.connectInject.envoyExtraArgs }} -envoy-extra-args="{{ .Values.connectInject.envoyExtraArgs }}" \ {{- end }} {{- if .Values.connectInject.overrideAuthMethodName }} -acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \ {{- else if .Values.global.acls.manageSystemACLs }} -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ {{- end }} {{- range $value := .Values.connectInject.k8sAllowNamespaces }} -allow-k8s-namespace="{{ $value }}" \ {{- end }} {{- range $value := .Values.connectInject.k8sDenyNamespaces }} -deny-k8s-namespace="{{ $value }}" \ {{- end }} {{- if .Values.global.adminPartitions.enabled }} -enable-partitions=true \ {{- end }} {{- if .Values.global.enableConsulNamespaces }} -enable-namespaces=true \ {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ {{- end }} {{- if and .Values.global.enableConsulNamespaces .Values.connectInject.consulNamespaces.mirroringK8S }} -enable-k8s-namespace-mirroring=true \ {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} -k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ {{- end }} {{- end }} {{- if .Values.global.acls.manageSystemACLs }} -consul-cross-namespace-acl-policy=cross-namespace-policy \ {{- end }} {{- end }} {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} -tls-cert-dir=/vault/secrets/connect-injector/certs \ -enable-webhook-ca-update \ {{- else }} -tls-cert-dir=/etc/connect-injector/certs \ {{- end }} {{- $resources := .Values.connectInject.sidecarProxy.resources }} {{- /* kindIs is used here to differentiate between null and 0 */}} {{- if not (kindIs "invalid" $resources.limits.memory) }} -default-sidecar-proxy-memory-limit={{ $resources.limits.memory }} \ {{- end }} {{- if not (kindIs "invalid" $resources.requests.memory) }} -default-sidecar-proxy-memory-request={{ $resources.requests.memory }} \ {{- end }} {{- if not (kindIs "invalid" $resources.limits.cpu) }} -default-sidecar-proxy-cpu-limit={{ $resources.limits.cpu }} \ {{- end }} {{- if not (kindIs "invalid" $resources.requests.cpu) }} -default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \ {{- end }} -default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \ {{- if .Values.connectInject.initContainer }} {{- $initResources := .Values.connectInject.initContainer.resources }} {{- if not (kindIs "invalid" $initResources.limits.memory) }} -init-container-memory-limit={{ $initResources.limits.memory }} \ {{- end }} {{- if not (kindIs "invalid" $initResources.requests.memory) }} -init-container-memory-request={{ $initResources.requests.memory }} \ {{- end }} {{- if not (kindIs "invalid" $initResources.limits.cpu) }} -init-container-cpu-limit={{ $initResources.limits.cpu }} \ {{- end }} {{- if not (kindIs "invalid" $initResources.requests.cpu) }} -init-container-cpu-request={{ $initResources.requests.cpu }} \ {{- end }} {{- end }} {{- if .Values.global.cloud.enabled }} -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ {{- end }} {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} -enable-auto-encrypt \ {{- end }} startupProbe: httpGet: path: /readyz/ready port: 9445 scheme: HTTP initialDelaySeconds: 30 failureThreshold: 15 periodSeconds: 2 timeoutSeconds: 5 livenessProbe: httpGet: path: /readyz/ready port: 9445 scheme: HTTP failureThreshold: 2 initialDelaySeconds: 1 successThreshold: 1 timeoutSeconds: 5 readinessProbe: httpGet: path: /readyz/ready port: 9445 scheme: HTTP failureThreshold: 2 initialDelaySeconds: 2 successThreshold: 1 timeoutSeconds: 5 volumeMounts: {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} - name: certs mountPath: /etc/connect-injector/certs readOnly: true {{- end }} {{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}} - name: consul-ca-cert mountPath: /consul/tls/ca readOnly: true {{- end }} {{- with .Values.connectInject.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} volumes: {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} - name: certs secret: defaultMode: 420 secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert {{- end }} {{- if .Values.global.tls.enabled }} {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} - name: consul-ca-cert secret: {{- if .Values.global.tls.caCert.secretName }} secretName: {{ .Values.global.tls.caCert.secretName }} {{- else }} secretName: {{ template "consul.fullname" . }}-ca-cert {{- end }} items: - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} path: tls.crt {{- end }} {{- end }} {{- if .Values.connectInject.priorityClassName }} priorityClassName: {{ .Values.connectInject.priorityClassName | quote }} {{- end }} {{- if .Values.connectInject.nodeSelector }} nodeSelector: {{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }} {{- end }} {{- if .Values.connectInject.affinity }} affinity: {{ tpl .Values.connectInject.affinity . | indent 8 | trim }} {{- end }} {{- if .Values.connectInject.tolerations }} tolerations: {{ tpl .Values.connectInject.tolerations . | indent 8 | trim }} {{- end }} {{- end }}