apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "kuma.name" . }}-control-plane namespace: {{ .Release.Namespace }} labels: {{- include "kuma.labels" . | nindent 4 }} app: {{ include "kuma.name" . }}-control-plane spec: replicas: {{ .Values.controlPlane.replicas }} strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 0 selector: matchLabels: {{- include "kuma.selectorLabels" . | nindent 6 }} app: {{ include "kuma.name" . }}-control-plane template: metadata: annotations: checksum/config: {{ include (print $.Template.BasePath "/cp-configmap.yaml") . | sha256sum }} checksum/tls-secrets: {{ include (print $.Template.BasePath "/cp-webhooks-and-secrets.yaml") . | sha256sum }} labels: {{- include "kuma.selectorLabels" . | nindent 8 }} app: {{ include "kuma.name" . }}-control-plane spec: {{- with .Values.controlPlane.affinity }} affinity: {{ toYaml . | nindent 8 }} {{- else }} affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 podAffinityTerm: labelSelector: matchExpressions: - key: app operator: In values: - {{ include "kuma.name" . }}-control-plane topologyKey: kubernetes.io/hostname {{- end }} serviceAccountName: {{ include "kuma.name" . }}-control-plane {{- with .Values.controlPlane.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} {{- end }} containers: - name: control-plane image: {{ include "kuma.formatImage" (dict "image" .Values.controlPlane.image "root" $) | quote }} imagePullPolicy: {{ .Values.controlPlane.image.pullPolicy }} env: {{- $defaultEnv := include "kuma.defaultEnv" . | fromYaml | pluck "env" | first }} {{- $defaultEnvDict := dict }} {{- range $index, $item := $defaultEnv }} {{- $name := $item.name | upper }} {{- $defaultEnvDict := set $defaultEnvDict $name $item.value }} {{- end }} {{- $envVarsCopy := deepCopy .Values.controlPlane.envVars }} {{- $mergedEnv := merge $envVarsCopy $defaultEnvDict }} {{- range $key, $value := $mergedEnv }} - name: {{ $key }} value: {{ $value | quote }} {{- end }} {{- range $element := .Values.controlPlane.secrets }} - name: {{ $element.Env }} valueFrom: secretKeyRef: name: {{ $element.Secret }} key: {{ $element.Key }} {{- end }} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name args: - run - --log-level={{ .Values.controlPlane.logLevel }} - --config-file=/etc/kuma.io/kuma-control-plane/config.yaml ports: - containerPort: 5681 - containerPort: 5682 - containerPort: 5443 {{- if ne .Values.controlPlane.mode "global" }} - containerPort: 5678 - containerPort: 5653 protocol: UDP {{- end }} livenessProbe: httpGet: path: /healthy port: 5680 readinessProbe: httpGet: path: /ready port: 5680 resources: {{- if .Values.controlPlane.resources }} {{ .Values.controlPlane.resources | toYaml | nindent 12 }} {{- else if eq .Values.controlPlane.mode "global" }} requests: cpu: 500m memory: 256Mi {{- else }} requests: cpu: 100m memory: 256Mi {{- end }} volumeMounts: - name: general-tls-cert mountPath: /var/run/secrets/kuma.io/tls-cert readOnly: true - name: {{ include "kuma.name" . }}-control-plane-config mountPath: /etc/kuma.io/kuma-control-plane readOnly: true {{- if .Values.controlPlane.tls.apiServer.secretName }} - name: api-server-tls-cert mountPath: /var/run/secrets/kuma.io/api-server-tls-cert readOnly: true {{- end }} {{- if .Values.controlPlane.tls.apiServer.clientCertsSecretName }} - name: api-server-client-certs mountPath: /var/run/secrets/kuma.io/api-server-client-certs readOnly: true {{- end }} {{- if .Values.controlPlane.tls.kdsGlobalServer.secretName }} - name: kds-server-tls-cert mountPath: /var/run/secrets/kuma.io/kds-server-tls-cert readOnly: true {{- end }} {{- if .Values.controlPlane.tls.kdsZoneClient.secretName }} - name: kds-client-tls-cert mountPath: /var/run/secrets/kuma.io/kds-client-tls-cert readOnly: true {{- end }} volumes: {{- if .Values.controlPlane.tls.general.secretName }} - name: general-tls-cert secret: secretName: {{ .Values.controlPlane.tls.general.secretName }} {{- else }} - name: general-tls-cert secret: secretName: {{ include "kuma.name" . }}-tls-cert {{- end }} {{- if .Values.controlPlane.tls.apiServer.secretName }} - name: api-server-tls-cert secret: secretName: {{ .Values.controlPlane.tls.apiServer.secretName }} {{- end }} {{- if .Values.controlPlane.tls.apiServer.clientCertsSecretName }} - name: api-server-client-certs secret: secretName: {{ .Values.controlPlane.tls.apiServer.clientCertsSecretName }} {{- end }} {{- if .Values.controlPlane.tls.kdsGlobalServer.secretName }} - name: kds-server-tls-cert secret: secretName: {{ .Values.controlPlane.tls.kdsGlobalServer.secretName }} {{- end }} {{- if .Values.controlPlane.tls.kdsZoneClient.secretName }} - name: kds-client-tls-cert secret: secretName: {{ .Values.controlPlane.tls.kdsZoneClient.secretName }} {{- end }} - name: {{ include "kuma.name" . }}-control-plane-config configMap: name: {{ include "kuma.name" . }}-control-plane-config