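{{- /*
Deployment for the Confluent operator.

Required inputs: .Release.Namespace and .Values.name (validated first).
Feature blocks (managedCerts, license, telemetry, webhooks) each validate that
a secretRef or a directoryPathInContainer is configured before rendering the
matching CONFLUENT_* environment variables.

Rendering notes:
  - Control actions use the left-trim marker so they emit no whitespace; the
    toYaml lines sit at column 0 and rely on "indent N" for placement.
  - Block sequences are flush with their parent key throughout this file, so
    every "indent N" equals the column of the key (or of the "- " item) above it.
  - String-valued fields (labels, env values, secret names) are passed through
    "quote" so numeric-looking values are not retyped by the YAML parser.
*/}}
{{- $_ := required "Namespace is required" .Release.Namespace }}
{{- $_ := required "Name of operator is required." .Values.name }}
{{- /* True when the webhook TLS secret must be mounted into the container. */}}
{{- $webhookCerts := and .Values.webhooks.enabled .Values.webhooks.tls.secretRef }}
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: {{ include "confluent-operator.name" . }}
    app.kubernetes.io/name: {{ include "confluent-operator.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/component: "confluent-operator"
    helm.sh/chart: {{ include "confluent-operator.chart" . }}
    {{- /* Quoted: a tag such as 2.10 would otherwise render as a float and be rejected as a label value. */}}
    version: {{ .Values.image.tag | quote }}
  name: {{ .Values.name }}
  namespace: {{ .Release.Namespace }}
spec:
  replicas: {{ .Values.replicas }}
  selector:
    {{- /* The selector is immutable on an existing Deployment; keep these literal values stable. */}}
    matchLabels:
      app.kubernetes.io/name: "confluent-operator"
      app.kubernetes.io/instance: {{ .Release.Name }}
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      annotations:
        {{- range $key, $value := .Values.pod.annotations }}
        {{ $key }}: {{ $value | quote }}
        {{- end }}
      labels:
        app: "confluent-operator"
        app.kubernetes.io/name: "confluent-operator"
        app.kubernetes.io/instance: {{ .Release.Name }}
        confluent-platform: "true"
        version: {{ .Values.image.tag | quote }}
        {{- range $key, $value := .Values.pod.labels }}
        {{ $key }}: {{ $value | quote }}
        {{- end }}
    spec:
      {{- if not (empty .Values.affinity) }}
      affinity:
{{ toYaml .Values.affinity | trim | indent 8 }}
      {{- end }}
      {{- if not (empty .Values.tolerations) }}
      tolerations:
{{ toYaml .Values.tolerations | trim | indent 6 }}
      {{- end }}
      {{- /* Pod-level securityContext is rendered only when podSecurity.enabled is set; this template adds no defaults of its own. */}}
      {{- if .Values.podSecurity.enabled }}
      securityContext:
{{ toYaml .Values.podSecurity.securityContext | trim | indent 8 }}
      {{- end }}
      containers:
      - name: {{ .Values.name }}
        image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        args:
        - --debug={{ .Values.debug }}
        {{- /* Leader election is only needed when more than one replica runs. */}}
        {{- if gt (int .Values.replicas) 1 }}
        - --enable-leader-election
        {{- end }}
        {{- if .Values.namespaced }}
        {{- if empty .Values.namespaceList }}
        - --namespaces={{ .Release.Namespace }}
        {{- else }}
        {{- /* Each entry is trimmed and the list joined with commas. */}}
        {{- $ns := list }}
        {{- range .Values.namespaceList }}
        {{- $ns = append $ns (trim .) }}
        {{- end }}
        - --namespaces={{ join "," $ns }}
        {{- end }}
        {{- end }}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        readinessProbe:
          httpGet:
            port: 8080
            path: /readyz
        livenessProbe:
          httpGet:
            port: 8080
            path: /healthz
        resources:
{{ toYaml .Values.resources | trim | indent 10 }}
        env:
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: NODEIP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: DD_ENTITY_ID
          valueFrom:
            fieldRef:
              fieldPath: metadata.uid
        {{- if .Values.managedCerts.enabled }}
        {{- if and (empty .Values.managedCerts.caCertificate.secretRef) (empty .Values.managedCerts.caCertificate.directoryPathInContainer) }}
        {{- /* NOTE(review): this checks managedCerts.secretRef, a key that is not rendered into any env var below; confirm whether an unconditional fail is intended here. */}}
        {{- $_ := required "secretRef or directoryPathInContainer must be configured when managedCerts is enabled" .Values.managedCerts.secretRef }}
        {{- end }}
        {{- /* Renewal must start before the certificate expires; only checked when both values are set, matching the guards that render them below. */}}
        {{- if and .Values.managedCerts.renewBeforeInDays .Values.managedCerts.certDurationInDays }}
        {{- if ge .Values.managedCerts.renewBeforeInDays .Values.managedCerts.certDurationInDays }}
        {{- fail "managedCerts.certDurationInDays for managed certs should be greater than managedCerts.renewBeforeInDays" }}
        {{- end }}
        {{- end }}
        {{- if .Values.managedCerts.certDurationInDays }}
        - name: CONFLUENT_MANAGED_CERTS_DURATION_DAYS
          value: {{ .Values.managedCerts.certDurationInDays | quote }}
        {{- end }}
        {{- if .Values.managedCerts.renewBeforeInDays }}
        - name: CONFLUENT_MANAGED_CERTS_RENEW_BEFORE_DAYS
          value: {{ .Values.managedCerts.renewBeforeInDays | quote }}
        {{- end }}
        {{- if .Values.managedCerts.sans }}
        {{- /* Anchored so the whole value must be printable ASCII; the unanchored form accepted any value containing a single such character. */}}
        {{- if not (regexMatch "^[ -~]+$" .Values.managedCerts.sans) }}
        {{- fail "invalid characters in managedCerts.sans. Only first 128 ASCII characters are allowed" }}
        {{- end }}
        - name: CONFLUENT_MANAGED_CERTS_SANS
          value: {{ .Values.managedCerts.sans | quote }}
        {{- end }}
        {{- with .Values.managedCerts.caCertificate.secretRef }}
        - name: CONFLUENT_MANAGED_CERTS_SECRET_NAME
          value: {{ . | quote }}
        {{- end }}
        {{- with .Values.managedCerts.caCertificate.directoryPathInContainer }}
        - name: CONFLUENT_MANAGED_CERTS_DIRECTORY_PATH
          value: {{ . | quote }}
        {{- end }}
        {{- end }}
        {{- /* licenseSecretRef takes precedence over license.secretRef. */}}
        {{- with (default .Values.license.secretRef .Values.licenseSecretRef) }}
        - name: CONFLUENT_LICENSE_SECRET_NAME
          value: {{ . | quote }}
        {{- end }}
        {{- with .Values.license.directoryPathInContainer }}
        - name: CONFLUENT_LICENSE_DIRECTORY_PATH
          value: {{ . | quote }}
        {{- end }}
        {{- if .Values.telemetry.enabled }}
        {{- if and (empty .Values.telemetry.secretRef) (empty .Values.telemetry.directoryPathInContainer) }}
        {{- fail "secretRef or directoryPathInContainer must be configured when telemetry is enabled" }}
        {{- end }}
        {{- with .Values.telemetry.secretRef }}
        - name: CONFLUENT_TELEMETRY_SECRET_NAME
          value: {{ . | quote }}
        {{- end }}
        {{- with .Values.telemetry.directoryPathInContainer }}
        - name: CONFLUENT_TELEMETRY_DIRECTORY_PATH
          value: {{ . | quote }}
        {{- end }}
        {{- if .Values.telemetry.proxy.enabled }}
        - name: CONFLUENT_TELEMETRY_PROXY_ENABLED
          value: "true"
        {{- end }}
        {{- if .Values.telemetry.proxy.credentialRequired }}
        - name: CONFLUENT_TELEMETRY_PROXY_CREDENTIAL_REQUIRED
          value: "true"
        {{- end }}
        {{- end }}
        {{- if .Values.webhooks.enabled }}
        {{- if and (empty .Values.webhooks.tls.secretRef) (empty .Values.webhooks.tls.directoryPathInContainer) }}
        {{- fail "secretRef or directoryPathInContainer must be configured when webhooks are enabled" }}
        {{- end }}
        {{- with .Values.webhooks.tls.secretRef }}
        - name: CONFLUENT_WEBHOOKS_SECRET_NAME
          value: {{ . | quote }}
        {{- end }}
        {{- with .Values.webhooks.tls.directoryPathInContainer }}
        - name: CONFLUENT_WEBHOOKS_DIRECTORY_PATH
          value: {{ . | quote }}
        {{- end }}
        - name: CONFLUENT_WEBHOOKS_PORT
          value: {{ .Values.webhooks.port | quote }}
        {{- end }}
        {{- if .Values.containerSecurity.enabled }}
        securityContext:
{{ toYaml .Values.containerSecurity.securityContext | trim | indent 10 }}
        {{- end }}
        {{- if or (not (empty .Values.mountedVolumes.volumeMounts)) $webhookCerts }}
        volumeMounts:
        {{- end }}
        {{- range .Values.mountedVolumes.volumeMounts }}
        {{- /* The webhook mount path and volume name are reserved so a user-supplied mount cannot shadow the TLS material. */}}
        {{- if and $.Values.webhooks.enabled (or (eq .mountPath "/mnt/sslcerts/webhook") (eq .name "webhook-certs")) }}
        {{- fail "mount path \"/mnt/sslcerts/webhook\" and name \"webhook-certs\" are reserved for webhooks" }}
        {{- end }}
        - {{ toYaml . | indent 10 | trim }}
        {{- end }}
        {{- if $webhookCerts }}
        - mountPath: /mnt/sslcerts/webhook
          name: webhook-certs
          readOnly: true
        {{- end }}
      {{- if or (not (empty .Values.mountedVolumes.volumes)) $webhookCerts }}
      volumes:
      {{- end }}
      {{- range .Values.mountedVolumes.volumes }}
      {{- if and $.Values.webhooks.enabled (eq .name "webhook-certs") }}
      {{- fail "name \"webhook-certs\" is reserved for webhooks" }}
      {{- end }}
      - {{ toYaml . | indent 8 | trim }}
      {{- end }}
      {{- if $webhookCerts }}
      - name: webhook-certs
        secret:
          {{- /* 420 decimal is mode 0644; the matching mount above is read-only. */}}
          defaultMode: 420
          secretName: {{ .Values.webhooks.tls.secretRef | quote }}
      {{- end }}
      {{- /* Pull secrets are listed here only when the chart does not create the service account; presumably the service-account template carries them otherwise — confirm there. */}}
      {{- if and .Values.imagePullSecretRef (not .Values.serviceAccount.create) }}
      imagePullSecrets:
      - name: {{ .Values.imagePullSecretRef | quote }}
      {{- end }}
      serviceAccountName: {{ include "confluent-operator.service-account" . }}
      {{- with .Values.priorityClassName }}
      priorityClassName: {{ . | quote }}
      {{- end }}
      restartPolicy: Always
      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}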