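{{- /*
Deployment for the k8s-triliovault-operator.

The pod template holds two containers:
  - init container "webhook-init", which is handed the webhook service name,
    the release namespace and the name of the webhook-certs Secret via env;
  - container "k8s-triliovault-operator", probed over HTTP on port 8081
    (/healthz and /readyz), with the webhook serving certificates mounted
    read-only at /tmp/k8s-webhook-server/serving-certs.

Values read by this template:
  replicaCount, registry, tag, image.pullPolicy,
  podSpec.hostNetwork, podSpec.hostIPC, podSpec.hostPID,
  podSpec.securityContext (pod level), securityContext (container level),
  proxySettings.PROXY_ENABLED, proxySettings.CA_BUNDLE_CONFIGMAP,
  tvkEnv, tvkHelmRepo, tls.enable, tls.verify, tls.secretName,
  nodeSelector, affinity.

Changes compared with the previous revision:
  - The pod-level securityContext is now guarded by the value it renders
    (podSpec.securityContext). It used to be guarded by the container-level
    securityContext value, so a pod security context could be dropped
    silently or rendered as null.
  - Env values and object names that come straight from values are quoted,
    because the API server only accepts strings there and an unquoted
    "2.10", "true" or all-digit namespace is re-typed by the YAML parser.
  - Volume defaultMode values are written in decimal so they do not depend
    on YAML 1.1 octal parsing.
*/ -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ template "k8s-triliovault-operator.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "k8s-triliovault-operator.fullname" . }}
    release: "{{ .Release.Name }}"
    app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }}
    app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }}
    app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  selector:
    matchLabels:
      app: {{ template "k8s-triliovault-operator.fullname" . }}
      release: "{{ .Release.Name }}"
  replicas: {{ .Values.replicaCount }}
  template:
    metadata:
      labels:
        app: {{ template "k8s-triliovault-operator.fullname" . }}
        release: "{{ .Release.Name }}"
        app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }}
        app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }}
        app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}
        app.kubernetes.io/managed-by: {{ .Release.Service }}
    spec:
      {{- /* Host namespace sharing puts the pod in the node's network, IPC or PID namespace. An unset value now renders an explicit false. */}}
      hostNetwork: {{ .Values.podSpec.hostNetwork | default false }}
      hostIPC: {{ .Values.podSpec.hostIPC | default false }}
      hostPID: {{ .Values.podSpec.hostPID | default false }}
      {{- /* Guard on the same value that is rendered, so the pod security context is emitted exactly when it is configured. */}}
      {{- if .Values.podSpec.securityContext }}
      securityContext:
        {{- toYaml .Values.podSpec.securityContext | nindent 8 }}
      {{- end }}
      containers:
        - name: k8s-triliovault-operator
          {{- /* NOTE(review): the image is referenced by tag, which is mutable; pinning by digest would need a chart value that is not visible here. */}}
          image: {{ .Values.registry }}/{{ index .Values "k8s-triliovault-operator" "repository" }}:{{ .Values.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
          {{- if .Values.proxySettings.PROXY_ENABLED }}
          envFrom:
            - secretRef:
                name: {{ template "k8s-triliovault-operator.fullname" . }}-proxy
          {{- end }}
          env:
            {{- if .Values.proxySettings.PROXY_ENABLED }}
            - name: PROXY_SETTINGS_SECRET
              value: {{ template "k8s-triliovault-operator.fullname" . }}-proxy
            {{- if .Values.proxySettings.CA_BUNDLE_CONFIGMAP }}
            - name: PROXY_CA_CONFIGMAP
              value: {{ .Values.proxySettings.CA_BUNDLE_CONFIGMAP | quote }}
            {{- end }}
            {{- end }}
            {{- if .Values.tvkEnv }}
            - name: TVK_ENV
              value: {{ .Values.tvkEnv | quote }}
            {{- end }}
            {{- if .Values.tvkHelmRepo }}
            - name: TVK_HELM_REPO
              value: {{ .Values.tvkHelmRepo | quote }}
            {{- end }}
            - name: INSTALL_NAMESPACE
              value: {{ .Release.Namespace | quote }}
            - name: REGISTRY
              value: {{ .Values.registry | quote }}
            - name: ADMISSION_MUTATION_CONFIG
              value: {{ template "k8s-triliovault-operator.name" . }}-mutating-webhook-configuration
            - name: ADMISSION_VALIDATION_CONFIG
              value: {{ template "k8s-triliovault-operator.name" . }}-validating-webhook-configuration
            - name: NAMESPACE_VALIDATION_CONFIG
              value: {{ template "k8s-triliovault-operator.name" . }}-ns-validating-webhook-configuration
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 30
            timeoutSeconds: 2
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          volumeMounts:
            {{- if and .Values.proxySettings.PROXY_ENABLED .Values.proxySettings.CA_BUNDLE_CONFIGMAP }}
            - name: proxy-ca-cert
              mountPath: /proxy-certs
              readOnly: true
            {{- end }}
            {{- if .Values.tls.enable }}
            - name: helm-tls-certs
              mountPath: /root/.helm
              readOnly: true
            {{- if .Values.tls.verify }}
            {{- /* NOTE(review): this mounts a whole ConfigMap volume at a path named ca.crt, nested inside the helm-tls-certs mount and without a subPath; confirm the operator expects a directory there. */}}
            - name: helm-tls-ca
              mountPath: /root/.helm/ca.crt
              readOnly: true
            {{- end }}
            {{- end }}
            - mountPath: /tmp/k8s-webhook-server/serving-certs
              name: webhook-certs
              readOnly: true
          {{- /* Container-level security context; nothing is rendered when the value is empty, so the runtime defaults apply. */}}
          {{- if .Values.securityContext }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          {{- end }}
          resources:
            limits:
              cpu: 200m
              memory: 512Mi
            requests:
              cpu: 10m
              memory: 10Mi
      initContainers:
        - name: webhook-init
          image: {{ .Values.registry }}/{{ index .Values "operator-webhook-init" "repository" }}:{{ .Values.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
          {{- if .Values.securityContext }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          {{- end }}
          {{- if .Values.proxySettings.PROXY_ENABLED }}
          envFrom:
            - secretRef:
                name: {{ template "k8s-triliovault-operator.fullname" . }}-proxy
          {{- end }}
          env:
            {{- if .Values.proxySettings.PROXY_ENABLED }}
            - name: PROXY_SETTINGS_SECRET
              value: {{ template "k8s-triliovault-operator.fullname" . }}-proxy
            {{- if .Values.proxySettings.CA_BUNDLE_CONFIGMAP }}
            - name: PROXY_CA_CONFIGMAP
              value: {{ .Values.proxySettings.CA_BUNDLE_CONFIGMAP | quote }}
            {{- end }}
            {{- end }}
            {{- /* These two are rendered unconditionally here, so an unset value becomes an explicit empty string rather than null. */}}
            - name: TVK_ENV
              value: {{ .Values.tvkEnv | default "" | quote }}
            - name: TVK_HELM_REPO
              value: {{ .Values.tvkHelmRepo | default "" | quote }}
            {{- /* Quoted because an appVersion such as 2.10 would otherwise be parsed as a number and rejected as an env value. */}}
            - name: RELEASE_VERSION
              value: {{ .Chart.AppVersion | quote }}
            - name: ADMISSION_MUTATION_CONFIG
              value: {{ template "k8s-triliovault-operator.name" . }}-mutating-webhook-configuration
            - name: ADMISSION_VALIDATION_CONFIG
              value: {{ template "k8s-triliovault-operator.name" . }}-validating-webhook-configuration
            - name: NAMESPACE_VALIDATION_CONFIG
              value: {{ template "k8s-triliovault-operator.name" . }}-ns-validating-webhook-configuration
            - name: WEBHOOK_SERVICE
              value: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service
            - name: WEBHOOK_NAMESPACE
              value: {{ .Release.Namespace | quote }}
            - name: SECRET_NAME
              value: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-certs
          {{- if and .Values.proxySettings.PROXY_ENABLED .Values.proxySettings.CA_BUNDLE_CONFIGMAP }}
          volumeMounts:
            - name: proxy-ca-cert
              mountPath: /proxy-certs
              readOnly: true
          {{- end }}
      serviceAccountName: {{ template "k8s-triliovault-operator.fullname" . }}-service-account
      {{- if .Values.nodeSelector }}
      nodeSelector:
        {{- .Values.nodeSelector | toYaml | nindent 8 }}
      {{- end }}
      {{- if .Values.affinity }}
      affinity:
        {{- toYaml .Values.affinity | nindent 8 }}
      {{- end }}
      volumes:
        {{- if and .Values.proxySettings.PROXY_ENABLED .Values.proxySettings.CA_BUNDLE_CONFIGMAP }}
        - name: proxy-ca-cert
          configMap:
            name: {{ .Values.proxySettings.CA_BUNDLE_CONFIGMAP | quote }}
        {{- end }}
        {{- if .Values.tls.enable }}
        - name: helm-tls-certs
          secret:
            secretName: {{ .Values.tls.secretName | quote }}
            defaultMode: 256  # decimal for octal 0400
        {{- if .Values.tls.verify }}
        {{- /* NOTE(review): every other name in this file comes from a k8s-triliovault-operator.* helper; confirm that helm-operator.fullname is defined in this chart, otherwise rendering fails when tls.verify is set. */}}
        - name: helm-tls-ca
          configMap:
            name: {{ template "helm-operator.fullname" . }}-helm-tls-ca-config
            defaultMode: 384  # decimal for octal 0600
        {{- end }}
        {{- end }}
        {{- /* NOTE(review): 420 is octal 0644, so the projected files are readable by every user in the pod; if this Secret holds the webhook private key, check whether a tighter mode works with the container user. */}}
        - name: webhook-certs
          secret:
            defaultMode: 420
            secretName: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-certs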