1070 lines
42 KiB
Smarty
1070 lines
42 KiB
Smarty
{{- define "k10-containers" }}
|
|
{{- $pod := .k10_pod }}
|
|
{{- with .main }}
|
|
{{- $main_context := . }}
|
|
{{- $colocatedList := include "get.enabledColocatedServices" . | fromYaml }}
|
|
{{- $containerList := (dict "main" $main_context "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }}
|
|
containers:
|
|
{{- range $skip, $container := $containerList }}
|
|
{{- $port := default $main_context.Values.service.externalPort (index $colocatedList $container).port }}
|
|
{{- $serviceStateful := has $container (dict "main" $main_context "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }}
|
|
{{- dict "main" $main_context "k10_pod" $pod "k10_container" $container "externalPort" $port "stateful" $serviceStateful | include "k10-container" }}
|
|
{{- end }}
|
|
{{- end }}{{/* with .main */}}
|
|
{{- end }}{{/* define "k10-containers" */}}
|
|
|
|
{{- define "k10-container" }}
|
|
{{- $pod := .k10_pod }}
|
|
{{- $service := .k10_container }}
|
|
{{- $externalPort := .externalPort }}
|
|
{{- with .main }}
|
|
- name: {{ $service }}-svc
|
|
{{- dict "main" . "k10_service" $service | include "serviceImage" | indent 8 }}
|
|
imagePullPolicy: {{ .Values.global.image.pullPolicy }}
|
|
{{- if eq $service "aggregatedapis" }}
|
|
args:
|
|
- "--secure-port={{ .Values.service.aggregatedApiPort }}"
|
|
- "--cert-dir=/tmp/apiserver.local.config/certificates/"
|
|
{{- if include "k10.siemEnabled" . }}
|
|
- "--audit-policy-file=/etc/kubernetes/{{ include "k10.aggAuditPolicyFile" .}}"
|
|
{{/* SIEM cloud logging */}}
|
|
- "--enable-k10-audit-cloud-aws-s3={{ .Values.siem.logging.cloud.awsS3.enabled }}"
|
|
- "--audit-cloud-path={{ .Values.siem.logging.cloud.path }}"
|
|
{{/* SIEM cluster logging */}}
|
|
- "--enable-k10-audit-cluster={{ .Values.siem.logging.cluster.enabled }}"
|
|
- "--audit-log-file={{ include "k10.siemLoggingClusterFile" . | default (include "k10.siemAuditLogFilePath" .) }}"
|
|
- "--audit-log-file-size={{ include "k10.siemLoggingClusterFileSize" . | default (include "k10.siemAuditLogFileSize" .) }}"
|
|
{{- end }}
|
|
{{- if .Values.useNamespacedAPI }}
|
|
- "--k10-api-domain={{ template "apiDomain" . }}"
|
|
{{- end }}{{/* .Values.useNamespacedAPI */}}
|
|
{{/*
|
|
We need this explicit conversion because installation using operator hub was failing
|
|
stating that types are not same for the equality check
|
|
*/}}
|
|
{{- else if not (eq (int .Values.service.externalPort) (int $externalPort) ) }}
|
|
args:
|
|
- "--port={{ $externalPort }}"
|
|
- "--host=0.0.0.0"
|
|
{{- end }}{{/* eq $service "aggregatedapis" */}}
|
|
{{- $podName := (printf "%s-svc" $pod) }}
|
|
{{- $containerName := (printf "%s-svc" $service) }}
|
|
{{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" $containerName | include "k10.resource.request" | indent 8}}
|
|
ports:
|
|
{{- if eq $service "aggregatedapis" }}
|
|
- containerPort: {{ .Values.service.aggregatedApiPort }}
|
|
{{- else }}
|
|
- containerPort: {{ $externalPort }}
|
|
{{- if eq $service "controllermanager" }}
|
|
- containerPort: {{ include "k10.mcExternalPort" nil }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if eq $service "logging" }}
|
|
- containerPort: 24224
|
|
protocol: TCP
|
|
- containerPort: 24225
|
|
protocol: TCP
|
|
{{- end }}
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: false
|
|
capabilities:
|
|
drop: ["ALL"]
|
|
livenessProbe:
|
|
{{- if eq $service "aggregatedapis" }}
|
|
tcpSocket:
|
|
port: {{ .Values.service.aggregatedApiPort }}
|
|
timeoutSeconds: 5
|
|
{{- else }}
|
|
httpGet:
|
|
path: /v0/healthz
|
|
port: {{ $externalPort }}
|
|
timeoutSeconds: 1
|
|
{{- end }}
|
|
initialDelaySeconds: 300
|
|
{{- if ne $service "aggregatedapis" }}
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /v0/healthz
|
|
port: {{ $externalPort }}
|
|
initialDelaySeconds: 3
|
|
{{- end }}
|
|
env:
|
|
{{- if eq $service "dashboardbff" }}
|
|
- name: {{ include "k10.disabledServicesEnvVar" . }}
|
|
value: {{ include "get.disabledServices" . | quote }}
|
|
{{- end -}}
|
|
{{- if list "dashboardbff" "executor" "garbagecollector" "controllermanager" "kanister" | has $service}}
|
|
{{- if not (eq (include "check.googleproject" . ) "true") -}}
|
|
{{- fail "secrets.googleApiKey field is required when using secrets.googleProjectId" -}}
|
|
{{- end -}}
|
|
{{- $gkeSecret := default "google-secret" .Values.secrets.googleClientSecretName }}
|
|
{{- $gkeProjectId := "kasten-gke-project" }}
|
|
{{- $gkeApiKey := "/var/run/secrets/kasten.io/kasten-gke-sa.json"}}
|
|
{{- if eq (include "check.googleCredsSecret" .) "true" }}
|
|
{{- $gkeProjectId = "google-project-id" }}
|
|
{{- $gkeApiKey = "/var/run/secrets/kasten.io/google-api-key" }}
|
|
{{- end }}
|
|
{{- if eq (include "check.googleCredsOrSecret" .) "true" }}
|
|
- name: GOOGLE_APPLICATION_CREDENTIALS
|
|
value: {{ $gkeApiKey }}
|
|
{{- end }}
|
|
{{- if eq (include "check.googleCredsOrSecret" .) "true" }}
|
|
- name: projectID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $gkeSecret }}
|
|
key: {{ $gkeProjectId }}
|
|
optional: true
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if list "dashboardbff" "executor" "garbagecollector" "controllermanager" "kanister" | has $service}}
|
|
{{- if or (eq (include "check.azuresecret" .) "true") (eq (include "check.azurecreds" .) "true" ) }}
|
|
{{- if eq (include "check.azuresecret" .) "true" }}
|
|
- name: {{ include "k10.azureClientIDEnvVar" . }}
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ .Values.secrets.azureClientSecretName }}
|
|
key: azure_client_id
|
|
- name: {{ include "k10.azureTenantIDEnvVar" . }}
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ .Values.secrets.azureClientSecretName }}
|
|
key: azure_tenant_id
|
|
- name: {{ include "k10.azureClientSecretEnvVar" . }}
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ .Values.secrets.azureClientSecretName }}
|
|
key: azure_client_secret
|
|
{{- else }}
|
|
{{- if or (eq (include "check.azureMSIWithClientID" .) "true") (eq (include "check.azureClientSecretCreds" .) "true") }}
|
|
- name: {{ include "k10.azureClientIDEnvVar" . }}
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: azure-creds
|
|
key: azure_client_id
|
|
{{- end }}
|
|
{{- if eq (include "check.azureClientSecretCreds" .) "true" }}
|
|
- name: {{ include "k10.azureTenantIDEnvVar" . }}
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: azure-creds
|
|
key: azure_tenant_id
|
|
- name: {{ include "k10.azureClientSecretEnvVar" . }}
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: azure-creds
|
|
key: azure_client_secret
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.secrets.azureResourceGroup }}
|
|
- name: AZURE_RESOURCE_GROUP
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: azure-creds
|
|
key: azure_resource_group
|
|
{{- end }}
|
|
{{- if .Values.secrets.azureSubscriptionID }}
|
|
- name: AZURE_SUBSCRIPTION_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: azure-creds
|
|
key: azure_subscription_id
|
|
{{- end }}
|
|
{{- if .Values.secrets.azureResourceMgrEndpoint }}
|
|
- name: AZURE_RESOURCE_MANAGER_ENDPOINT
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: azure-creds
|
|
key: azure_resource_manager_endpoint
|
|
{{- end }}
|
|
{{- if or .Values.secrets.azureADEndpoint .Values.secrets.microsoftEntraIDEndpoint }}
|
|
- name: AZURE_AD_ENDPOINT
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: azure-creds
|
|
key: entra_id_endpoint
|
|
{{- end }}
|
|
{{- if or .Values.secrets.azureADResourceID .Values.secrets.microsoftEntraIDResourceID }}
|
|
- name: AZURE_AD_RESOURCE
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: azure-creds
|
|
key: entra_id_resource_id
|
|
{{- end }}
|
|
{{- if .Values.secrets.azureCloudEnvID }}
|
|
- name: AZURE_CLOUD_ENV_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: azure-creds
|
|
key: azure_cloud_env_id
|
|
{{- end }}
|
|
{{- if eq (include "check.azureMSIWithDefaultID" .) "true" }}
|
|
- name: USE_AZURE_DEFAULT_MSI
|
|
value: "{{ .Values.azure.useDefaultMSI }}"
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
|
|
{{- /*
|
|
There are 3 valid states of the secret provided by customer:
|
|
1. Only role set
|
|
2. Both aws_access_key_id and aws_secret_access_key are set
|
|
3. All of role, aws_access_key_id and aws_secret_access_key are set.
|
|
*/}}
|
|
{{- if eq (include "check.awsSecretName" .) "true" }}
|
|
{{- $customerSecret := (lookup "v1" "Secret" .Release.Namespace .Values.secrets.awsClientSecretName )}}
|
|
{{- if $customerSecret }}
|
|
{{- if and (not $customerSecret.data.role) (not $customerSecret.data.aws_access_key_id) (not $customerSecret.data.aws_secret_access_key) }}
|
|
{{ fail "Provided secret must contain at least AWS IAM Role or AWS access key ID together with AWS secret access key"}}
|
|
{{- end }}
|
|
{{- if not (or (and $customerSecret.data.aws_access_key_id $customerSecret.data.aws_secret_access_key) (and (not $customerSecret.data.aws_access_key_id) (not $customerSecret.data.aws_secret_access_key))) }}
|
|
{{ fail "Provided secret lacks aws_access_key_id or aws_secret_access_key" }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if list "dashboardbff" "executor" "garbagecollector" "controllermanager" "metering" "kanister" | has $service}}
|
|
{{- $awsSecretName := default "aws-creds" .Values.secrets.awsClientSecretName }}
|
|
- name: AWS_ACCESS_KEY_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $awsSecretName }}
|
|
key: aws_access_key_id
|
|
optional: true
|
|
- name: AWS_SECRET_ACCESS_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $awsSecretName }}
|
|
key: aws_secret_access_key
|
|
optional: true
|
|
- name: K10_AWS_IAM_ROLE
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $awsSecretName }}
|
|
key: role
|
|
optional: true
|
|
{{- end }}
|
|
{{- if list "controllermanager" "executor" "catalog" | has $service}}
|
|
{{- if eq (include "check.gwifenabled" .) "true"}}
|
|
- name: GOOGLE_WORKLOAD_IDENTITY_FEDERATION_ENABLED
|
|
value: "true"
|
|
{{- if eq (include "check.gwifidptype" .) "true"}}
|
|
- name: GOOGLE_WORKLOAD_IDENTITY_FEDERATION_IDP
|
|
value: {{ .Values.google.workloadIdentityFederation.idp.type }}
|
|
{{- end }}
|
|
{{- if eq (include "check.gwifidpaud" .) "true"}}
|
|
- name: GOOGLE_WORKLOAD_IDENTITY_FEDERATION_AUD
|
|
value: {{ .Values.google.workloadIdentityFederation.idp.aud }}
|
|
{{- end }}
|
|
{{- end }} {{/* if eq (include "check.gwifenabled" .) "true" */}}
|
|
{{- end }} {{/* list "controllermanager" "executor" "catalog" | has $service */}}
|
|
{{- if or (eq $service "crypto") (eq $service "executor") (eq $service "dashboardbff") (eq $service "repositories") }}
|
|
{{- if eq (include "check.vaultcreds" .) "true" }}
|
|
- name: VAULT_ADDR
|
|
value: {{ .Values.vault.address }}
|
|
{{- if eq (include "check.vaultk8sauth" .) "true" }}
|
|
- name: VAULT_AUTH_ROLE
|
|
value: {{ .Values.vault.role }}
|
|
- name: VAULT_K8S_SERVICE_ACCOUNT_TOKEN_PATH
|
|
value: {{ .Values.vault.serviceAccountTokenPath }}
|
|
{{- end }}
|
|
{{- if (eq (include "check.vaulttokenauth" .) "true") }}
|
|
- name: VAULT_TOKEN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{.Values.vault.secretName }}
|
|
key: vault_token
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if list "dashboardbff" "executor" "garbagecollector" "controllermanager" | has $service}}
|
|
{{- if or (eq (include "check.vspherecreds" .) "true") (eq (include "check.vsphereClientSecret" .) "true") }}
|
|
{{- $vsphereSecretName := default "vsphere-creds" .Values.secrets.vsphereClientSecretName }}
|
|
- name: VSPHERE_ENDPOINT
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $vsphereSecretName }}
|
|
key: vsphere_endpoint
|
|
- name: VSPHERE_USERNAME
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $vsphereSecretName }}
|
|
key: vsphere_username
|
|
- name: VSPHERE_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $vsphereSecretName }}
|
|
key: vsphere_password
|
|
{{- end }}
|
|
{{- end }}
|
|
- name: VERSION
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: version
|
|
{{- if .Values.clusterName }}
|
|
- name: CLUSTER_NAME
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: clustername
|
|
{{- end }}
|
|
{{- if .Values.fips.enabled }}
|
|
{{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }}
|
|
{{- end }}
|
|
{{- with $capabilities := include "k10.capabilities" . }}
|
|
- name: K10_CAPABILITIES
|
|
value: {{ $capabilities | quote }}
|
|
{{- end }}
|
|
{{- with $capabilities_mask := include "k10.capabilities_mask" . }}
|
|
- name: K10_CAPABILITIES_MASK
|
|
value: {{ $capabilities_mask | quote }}
|
|
{{- end }}
|
|
- name: K10_HOST_SVC
|
|
value: {{ $pod }}
|
|
{{- if eq $service "controllermanager" }}
|
|
- name: K10_STATEFUL
|
|
value: "{{ .Values.global.persistence.enabled }}"
|
|
{{- end }}
|
|
{{- if eq $service "executor" }}
|
|
- name: KUBEVIRT_VM_UNFREEZE_TIMEOUT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: kubeVirtVMsUnFreezeTimeout
|
|
{{- end }}
|
|
{{- if eq $service "executor" }}
|
|
- name: QUICK_DISASTER_RECOVERY_ENABLED
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: quickDisasterRecoveryEnabled
|
|
{{- end }}
|
|
{{- if or (eq $service "executor") (eq $service "controllermanager") }}
|
|
{{- if or .Values.global.imagePullSecret (or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath) }}
|
|
- name: IMAGE_PULL_SECRET_NAMES
|
|
value: {{ (trimSuffix " " (include "k10.imagePullSecretNames" .)) | toJson }}
|
|
{{- end }}
|
|
{{- end }}
|
|
- name: MODEL_STORE_DIR
|
|
{{- if or (eq $service "state") (not .Values.global.persistence.enabled) }}
|
|
value: "/tmp/k10store"
|
|
{{- else }}
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: modelstoredirname
|
|
{{- end }}
|
|
{{- if or (eq $service "kanister") (eq $service "executor")}}
|
|
- name: DATA_MOVER_IMAGE
|
|
value: {{ include "get.datamoverImage" . }}
|
|
|
|
{{- end }}
|
|
{{- if eq $service "executor"}}
|
|
- name: DATA_STORE_LOG_LEVEL
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: DataStoreLogLevel
|
|
- name: DATA_STORE_FILE_LOG_LEVEL
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: DataStoreFileLogLevel
|
|
{{- end }}
|
|
- name: LOG_LEVEL
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: loglevel
|
|
{{- if .Values.kanisterPodCustomLabels }}
|
|
- name: KANISTER_POD_CUSTOM_LABELS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterPodCustomLabels
|
|
{{- end }}
|
|
{{- if .Values.kanisterPodCustomAnnotations }}
|
|
- name: KANISTER_POD_CUSTOM_ANNOTATIONS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterPodCustomAnnotations
|
|
{{- end }}
|
|
- name: POD_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: CONCURRENT_SNAP_CONVERSIONS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: concurrentSnapConversions
|
|
- name: CONCURRENT_WORKLOAD_SNAPSHOTS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: concurrentWorkloadSnapshots
|
|
- name: K10_DATA_STORE_PARALLEL_UPLOAD
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: k10DataStoreParallelUpload
|
|
- name: K10_DATA_STORE_PARALLEL_DOWNLOAD
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: k10DataStoreParallelDownload
|
|
- name: K10_DATA_STORE_GENERAL_CONTENT_CACHE_SIZE_MB
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: k10DataStoreGeneralContentCacheSizeMB
|
|
- name: K10_DATA_STORE_GENERAL_METADATA_CACHE_SIZE_MB
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: k10DataStoreGeneralMetadataCacheSizeMB
|
|
- name: K10_DATA_STORE_RESTORE_CONTENT_CACHE_SIZE_MB
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: k10DataStoreRestoreContentCacheSizeMB
|
|
- name: K10_DATA_STORE_RESTORE_METADATA_CACHE_SIZE_MB
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: k10DataStoreRestoreMetadataCacheSizeMB
|
|
- name: K10_LIMITER_GENERIC_VOLUME_SNAPSHOTS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10LimiterGenericVolumeSnapshots
|
|
- name: K10_LIMITER_GENERIC_VOLUME_COPIES
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10LimiterGenericVolumeCopies
|
|
- name: K10_LIMITER_GENERIC_VOLUME_RESTORES
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10LimiterGenericVolumeRestores
|
|
- name: K10_LIMITER_CSI_SNAPSHOTS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10LimiterCsiSnapshots
|
|
- name: K10_LIMITER_PROVIDER_SNAPSHOTS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10LimiterProviderSnapshots
|
|
- name: K10_LIMITER_IMAGE_COPIES
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10LimiterImageCopies
|
|
- name: K10_EPHEMERAL_PVC_OVERHEAD
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10EphemeralPVCOverhead
|
|
- name: K10_PERSISTENCE_STORAGE_CLASS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10PersistenceStorageClass
|
|
- name: AWS_ASSUME_ROLE_DURATION
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: AWSAssumeRoleDuration
|
|
{{- if (list "kanister" "executor" "repositories" | has $service) }}
|
|
- name: K10_DATA_STORE_DISABLE_COMPRESSION
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: k10DataStoreDisableCompression
|
|
|
|
- name: K10_KANISTER_POD_METRICS_IMAGE
|
|
value: {{ include "get.metricSidecarImage" . }}
|
|
|
|
- name: KANISTER_POD_READY_WAIT_TIMEOUT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterPodReadyWaitTimeout
|
|
|
|
- name: K10_KANISTER_POD_METRICS_ENABLED
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterPodMetricSidecarEnabled
|
|
- name: PUSHGATEWAY_METRICS_INTERVAL
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterPodPushgatewayMetricsInterval
|
|
{{- if .Values.kanisterPodMetricSidecar.resources.requests.memory }}
|
|
- name: K10_KANISTER_POD_METRIC_SIDECAR_MEMORY_REQUEST
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterPodMetricSidecarMemoryRequest
|
|
{{- end }}
|
|
{{- if .Values.kanisterPodMetricSidecar.resources.requests.cpu }}
|
|
- name: K10_KANISTER_POD_METRIC_SIDECAR_CPU_REQUEST
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterPodMetricSidecarCPURequest
|
|
{{- end }}
|
|
{{- if .Values.kanisterPodMetricSidecar.resources.limits.memory }}
|
|
- name: K10_KANISTER_POD_METRIC_SIDECAR_MEMORY_LIMIT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterPodMetricSidecarMemoryLimit
|
|
{{- end }}
|
|
{{- if .Values.kanisterPodMetricSidecar.resources.limits.cpu }}
|
|
- name: K10_KANISTER_POD_METRIC_SIDECAR_CPU_LIMIT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterPodMetricSidecarCPULimit
|
|
{{- end }}
|
|
|
|
{{- end }}
|
|
{{- if (list "dashboardbff" "catalog" "executor" "crypto" | has $service) }}
|
|
{{- if .Values.metering.mode }}
|
|
- name: K10REPORTMODE
|
|
value: {{ .Values.metering.mode }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if eq $service "garbagecollector" }}
|
|
- name: K10_GC_DAEMON_PERIOD
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10GCDaemonPeriod
|
|
- name: K10_GC_KEEP_MAX_ACTIONS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10GCKeepMaxActions
|
|
- name: K10_GC_ACTIONS_ENABLED
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10GCActionsEnabled
|
|
{{- end }}
|
|
{{- if (eq $service "executor") }}
|
|
- name: K10_EXECUTOR_WORKER_COUNT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10ExecutorWorkerCount
|
|
- name: K10_EXECUTOR_MAX_CONCURRENT_RESTORE_CSI_SNAPSHOTS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10ExecutorMaxConcurrentRestoreCsiSnapshots
|
|
- name: K10_EXECUTOR_MAX_CONCURRENT_RESTORE_GENERIC_VOLUME_SNAPSHOTS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10ExecutorMaxConcurrentRestoreGenericVolumeSnapshots
|
|
- name: K10_EXECUTOR_MAX_CONCURRENT_RESTORE_WORKLOADS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10ExecutorMaxConcurrentRestoreWorkloads
|
|
- name: KANISTER_BACKUP_TIMEOUT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterBackupTimeout
|
|
- name: KANISTER_RESTORE_TIMEOUT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterRestoreTimeout
|
|
- name: KANISTER_DELETE_TIMEOUT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterDeleteTimeout
|
|
- name: KANISTER_HOOK_TIMEOUT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterHookTimeout
|
|
- name: KANISTER_CHECKREPO_TIMEOUT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterCheckRepoTimeout
|
|
- name: KANISTER_STATS_TIMEOUT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterStatsTimeout
|
|
- name: KANISTER_EFSPOSTRESTORE_TIMEOUT
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterEFSPostRestoreTimeout
|
|
- name: KANISTER_MANAGED_DATA_SERVICES_BLUEPRINTS_ENABLED
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterManagedDataServicesBlueprintsEnabled
|
|
{{- if .Values.maxJobWaitDuration }}
|
|
- name: K10_JOB_MAX_WAIT_DURATION
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: k10JobMaxWaitDuration
|
|
{{- end }}
|
|
- name: K10_FORCE_ROOT_IN_KANISTER_HOOKS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: k10ForceRootInKanisterHooks
|
|
{{- end }}
|
|
{{- if and (eq $service "executor") (.Values.awsConfig.efsBackupVaultName) }}
|
|
- name: EFS_BACKUP_VAULT_NAME
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: efsBackupVaultName
|
|
{{- end }}
|
|
{{- if and (eq $service "executor") (.Values.genericStorageBackup.token) }}
|
|
- name: K10_GVS_ACTIVATION_TOKEN
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: GVSActivationToken
|
|
{{- end }}
|
|
{{- if and (eq $service "executor") (.Values.genericStorageBackup.overridepubkey) }}
|
|
- name: OVERRIDE_GVS_TOKEN_VERIFICATION_KEY
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: overridePublicKeyForGVS
|
|
{{- end }}
|
|
{{- if and (eq $service "executor") (.Values.vmWare.taskTimeoutMin) }}
|
|
- name: VMWARE_GOM_TIMEOUT_MIN
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: vmWareTaskTimeoutMin
|
|
{{- end }}
|
|
{{- if .Values.useNamespacedAPI }}
|
|
- name: K10_API_DOMAIN
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: apiDomain
|
|
{{- end }}
|
|
{{- if .Values.jaeger.enabled }}
|
|
- name: JAEGER_AGENT_HOST
|
|
value: {{ .Values.jaeger.agentDNS }}
|
|
{{- end }}
|
|
{{- if .Values.auth.tokenAuth.enabled }}
|
|
- name: TOKEN_AUTH
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: k10-token-auth
|
|
key: auth
|
|
{{- end }}
|
|
- name: KANISTER_TOOLS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterToolsImage
|
|
{{- with (include "k10.cacertconfigmapname" .) }}
|
|
- name: CACERT_CONFIGMAP_NAME
|
|
value: {{ . }}
|
|
{{- end }}
|
|
- name: K10_RELEASE_NAME
|
|
value: {{ .Release.Name }}
|
|
- name: KANISTER_FUNCTION_VERSION
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: kanisterFunctionVersion
|
|
{{- if and (eq $service "controllermanager") (.Values.injectKanisterSidecar.enabled) }}
|
|
- name: K10_MUTATING_WEBHOOK_ENABLED
|
|
value: "true"
|
|
- name: K10_MUTATING_WEBHOOK_TLS_CERT_DIR
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10MutatingWebhookTLSCertDir
|
|
- name: K10_MUTATING_WEBHOOK_PORT
|
|
value: {{ .Values.injectKanisterSidecar.webhookServer.port | quote }}
|
|
{{- end }}
|
|
{{- if (list "controllermanager" "kanister" "executor" "dashboardbff" "repositories" | has $service) }}
|
|
- name: K10_DEFAULT_PRIORITY_CLASS_NAME
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: K10DefaultPriorityClassName
|
|
{{- if .Values.genericVolumeSnapshot.resources.requests.memory }}
|
|
- name: KANISTER_TOOLS_MEMORY_REQUESTS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterToolsMemoryRequests
|
|
{{- end }}
|
|
{{- if .Values.genericVolumeSnapshot.resources.requests.cpu }}
|
|
- name: KANISTER_TOOLS_CPU_REQUESTS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterToolsCPURequests
|
|
{{- end }}
|
|
{{- if .Values.genericVolumeSnapshot.resources.limits.memory }}
|
|
- name: KANISTER_TOOLS_MEMORY_LIMITS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterToolsMemoryLimits
|
|
{{- end }}
|
|
{{- if .Values.genericVolumeSnapshot.resources.limits.cpu }}
|
|
- name: KANISTER_TOOLS_CPU_LIMITS
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: KanisterToolsCPULimits
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if (list "dashboardbff" "controllermanager" "executor" | has $service) }}
|
|
{{- if .Values.prometheus.server.enabled }}
|
|
- name: K10_PROMETHEUS_HOST
|
|
value: {{ include "k10.prometheus.service.name" . }}-exp
|
|
- name: K10_PROMETHEUS_PORT
|
|
value: {{ .Values.prometheus.server.service.servicePort | quote }}
|
|
- name: K10_PROMETHEUS_BASE_URL
|
|
value: {{ .Values.prometheus.server.baseURL }}
|
|
{{- else -}}
|
|
{{- if and .Values.global.prometheus.external.host .Values.global.prometheus.external.port}}
|
|
- name: K10_PROMETHEUS_HOST
|
|
value: {{ .Values.global.prometheus.external.host }}
|
|
- name: K10_PROMETHEUS_PORT
|
|
value: {{ .Values.global.prometheus.external.port | quote }}
|
|
- name: K10_PROMETHEUS_BASE_URL
|
|
value: {{ .Values.global.prometheus.external.baseURL }}
|
|
{{- end -}}
|
|
{{- end }}
|
|
{{- if or (.Values.grafana.enabled) (.Values.grafana.external.url) }}
|
|
- name: GRAFANA_URL
|
|
value: {{ include "k10.grafanaUrl" . }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if eq $service "dashboardbff" }}
|
|
{{- if ne .Values.global.persistence.diskSpaceAlertPercent nil }}
|
|
- name: K10_DISK_SPACE_ALERT_PERCENT
|
|
value: {{ .Values.global.persistence.diskSpaceAlertPercent | quote }}
|
|
{{- end -}}
|
|
{{- end -}}
|
|
{{- if eq $service "controllermanager" }}
|
|
{{- if .Values.multicluster.primary.create }}
|
|
{{- if not .Values.multicluster.enabled }}
|
|
{{- fail "Cannot setup cluster as primary without enabling feature with multicluster.enabled=true" -}}
|
|
{{- end }}
|
|
{{- if not .Values.multicluster.primary.name }}
|
|
{{- fail "Cannot setup cluster as primary without setting cluster name with multicluster.primary.name" -}}
|
|
{{- end }}
|
|
{{- if not .Values.multicluster.primary.ingressURL }}
|
|
{{- fail "Cannot setup cluster as primary without providing an ingress with multicluster.primary.ingressURL" -}}
|
|
{{- end }}
|
|
- name: K10_MC_CREATE_PRIMARY
|
|
value: "true"
|
|
- name: K10_MC_PRIMARY_NAME
|
|
value: {{ .Values.multicluster.primary.name | quote }}
|
|
- name: K10_MC_PRIMARY_INGRESS_URL
|
|
value: {{ .Values.multicluster.primary.ingressURL | quote }}
|
|
{{- end }}
|
|
{{- end -}}
|
|
{{- if or $.stateful (or (eq (include "check.googleCredsOrSecret" .) "true") (eq $service "auth" "logging")) }}
|
|
volumeMounts:
|
|
{{- else if or (or (eq (include "basicauth.check" .) "true") (or .Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" .) "true"))) .Values.features }}
|
|
volumeMounts:
|
|
{{- else if and (eq $service "controllermanager") (.Values.injectKanisterSidecar.enabled) }}
|
|
volumeMounts:
|
|
{{- else if or (eq (include "check.cacertconfigmap" .) "true") (include "k10.ocpcacertsautoextraction" .) }}
|
|
volumeMounts:
|
|
{{- else if eq $service "frontend" }}
|
|
volumeMounts:
|
|
{{- else if and (list "controllermanager" "executor" | has $pod) (eq (include "check.projectSAToken" .) "true")}}
|
|
volumeMounts:
|
|
{{- else if and (eq $service "aggregatedapis") (include "k10.siemEnabled" .) }}
|
|
volumeMounts:
|
|
{{- end }}
|
|
{{- if $.stateful }}
|
|
- name: {{ $service }}-persistent-storage
|
|
mountPath: {{ .Values.global.persistence.mountPath | quote }}
|
|
{{- end }}
|
|
{{- if .Values.features }}
|
|
- name: k10-features
|
|
mountPath: "/mnt/k10-features"
|
|
{{- end }}
|
|
{{- if eq $service "logging" }}
|
|
- name: logging-configmap-storage
|
|
mountPath: "/mnt/conf"
|
|
{{- end }}
|
|
{{- if and (eq $service "controllermanager") (.Values.injectKanisterSidecar.enabled) }}
|
|
- name: mutating-webhook-certs
|
|
mountPath: /etc/ssl/certs/webhook
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- if list "dashboardbff" "auth" "controllermanager" | has $service}}
|
|
{{- if eq (include "basicauth.check" .) "true" }}
|
|
- name: k10-basic-auth
|
|
mountPath: "/var/run/secrets/kasten.io/k10-basic-auth"
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- if (or .Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" .) "true")) }}
|
|
- name: {{ include "k10.oidcSecretName" .}}
|
|
mountPath: {{ printf "%s/%s" (include "k10.secretsDir" .) (include "k10.oidcSecretName" .) }}
|
|
readOnly: true
|
|
{{- if .Values.auth.oidcAuth.clientSecretName }}
|
|
- name: {{ include "k10.oidcCustomerSecretName" .}}
|
|
mountPath: {{ printf "%s/%s" (include "k10.secretsDir" .) (include "k10.oidcCustomerSecretName" .) }}
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if eq (include "check.googleCredsOrSecret" .) "true"}}
|
|
- name: service-account
|
|
mountPath: {{ include "k10.secretsDir" .}}
|
|
{{- end }}
|
|
{{- if and (list "controllermanager" "executor" | has $pod) (eq (include "check.projectSAToken" .) "true")}}
|
|
- name: bound-sa-token
|
|
mountPath: "/var/run/secrets/kasten.io/serviceaccount/GWIF"
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- with (include "k10.cacertconfigmapname" .) }}
|
|
- name: {{ . }}
|
|
mountPath: "/etc/ssl/certs/custom-ca-bundle.pem"
|
|
subPath: custom-ca-bundle.pem
|
|
{{- end }}
|
|
{{- if eq $service "frontend" }}
|
|
- name: frontend-config
|
|
mountPath: /etc/nginx/nginx.conf
|
|
subPath: nginx.conf
|
|
readOnly: true
|
|
- name: frontend-config
|
|
mountPath: /etc/nginx/conf.d/frontend.conf
|
|
subPath: frontend.conf
|
|
readOnly: true
|
|
{{- end}}
|
|
{{- if and (eq $service "aggregatedapis") (include "k10.siemEnabled" .) }}
|
|
- name: aggauditpolicy-config
|
|
mountPath: /etc/kubernetes/{{ include "k10.aggAuditPolicyFile" .}}
|
|
subPath: {{ include "k10.aggAuditPolicyFile" .}}
|
|
readOnly: true
|
|
{{- end}}
|
|
{{- if and (eq $service "catalog") $.stateful }}
|
|
- name: kanister-sidecar
|
|
image: {{ include "get.kanisterToolsImage" .}}
|
|
imagePullPolicy: {{ .Values.kanisterToolsImage.pullPolicy }}
|
|
{{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" "kanister-sidecar" | include "k10.resource.request" | indent 8}}
|
|
env:
|
|
{{- with $capabilities := include "k10.capabilities" . }}
|
|
- name: K10_CAPABILITIES
|
|
value: {{ $capabilities | quote }}
|
|
{{- end }}
|
|
{{- with $capabilities_mask := include "k10.capabilities_mask" . }}
|
|
- name: K10_CAPABILITIES_MASK
|
|
value: {{ $capabilities_mask | quote }}
|
|
{{- end }}
|
|
{{- if .Values.fips.enabled }}
|
|
{{- include "k10.enforceFIPSEnvironmentVariables" . | nindent 10 }}
|
|
{{- end }}
|
|
volumeMounts:
|
|
- name: {{ $service }}-persistent-storage
|
|
mountPath: {{ .Values.global.persistence.mountPath | quote }}
|
|
{{- with (include "k10.cacertconfigmapname" .) }}
|
|
- name: {{ . }}
|
|
mountPath: "/etc/ssl/certs/custom-ca-bundle.pem"
|
|
subPath: custom-ca-bundle.pem
|
|
{{- end }}
|
|
{{- if eq (include "check.projectSAToken" .) "true" }}
|
|
- name: bound-sa-token
|
|
mountPath: "/var/run/secrets/kasten.io/serviceaccount/GWIF"
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- end }} {{/* and (eq $service "catalog") $.stateful */}}
|
|
{{- if and ( eq $service "auth" ) ( eq (include "check.dexAuth" .) "true" ) }}
|
|
- name: dex
|
|
image: {{ include "get.dexImage" . }}
|
|
{{- if .Values.auth.ldap.enabled }}
|
|
command: ["/usr/local/bin/dex", "serve", "/dex-config/config.yaml"]
|
|
{{- if .Values.fips.enabled }}
|
|
env:
|
|
{{- include "k10.enforceFIPSEnvironmentVariables" . | nindent 10 }}
|
|
{{- end }}
|
|
{{- else if .Values.auth.openshift.enabled }}
|
|
{{- /*
|
|
In the case of OpenShift, a template config is used instead of a plain config for Dex.
|
|
It requires a different command to be processed correctly.
|
|
*/}}
|
|
command: ["/usr/local/bin/docker-entrypoint", "dex", "serve", "/etc/dex/cfg/config.yaml"]
|
|
env:
|
|
- name: {{ include "k10.openShiftClientSecretEnvVar" . }}
|
|
{{- if and (not .Values.auth.openshift.clientSecretName) (not .Values.auth.openshift.clientSecret) }}
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ include "get.openshiftServiceAccountSecretName" . }}
|
|
key: token
|
|
{{- else if .Values.auth.openshift.clientSecretName }}
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ .Values.auth.openshift.clientSecretName }}
|
|
key: token
|
|
{{- else }}
|
|
value: {{ .Values.auth.openshift.clientSecret }}
|
|
{{- end }}
|
|
{{- if .Values.fips.enabled }}
|
|
{{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
ports:
|
|
- name: http
|
|
containerPort: 8080
|
|
volumeMounts:
|
|
{{- if .Values.auth.ldap.enabled }}
|
|
- name: dex-config
|
|
mountPath: /dex-config
|
|
- name: k10-logos-dex
|
|
mountPath: {{ include "k10.dexFrontendDir" . }}/themes/custom/
|
|
{{- else }}
|
|
- name: config
|
|
mountPath: /etc/dex/cfg
|
|
{{- end }}
|
|
{{- with (include "k10.cacertconfigmapname" .) }}
|
|
- name: {{ . }}
|
|
mountPath: "/etc/ssl/certs/custom-ca-bundle.pem"
|
|
subPath: custom-ca-bundle.pem
|
|
{{- end }}
|
|
{{- end }} {{/* end of dex check */}}
|
|
{{- end }}{{/* with .main */}}
|
|
{{- end }}{{/* define "k10-container" */}}
|
|
|
|
{{- define "k10-init-container-header" }}
|
|
{{- $pod := .k10_pod }}
|
|
{{- with .main }}
|
|
{{- $main_context := . }}
|
|
{{- $containerList := (dict "main" $main_context "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }}
|
|
{{- $needsInitContainersHeader := false }}
|
|
{{- range $skip, $service := $containerList }}
|
|
{{- $serviceStateful := has $service (dict "main" $main_context "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }}
|
|
{{- if and ( eq $service "auth" ) $main_context.Values.auth.ldap.enabled }}
|
|
{{- $needsInitContainersHeader = true }}
|
|
{{- else if $serviceStateful }}
|
|
{{- $needsInitContainersHeader = true }}
|
|
{{- end }}{{/* initContainers header needed check */}}
|
|
{{- end }}{{/* range $skip, $service := $containerList */}}
|
|
{{- if $needsInitContainersHeader }}
|
|
initContainers:
|
|
{{- end }}
|
|
{{- end }}{{/* with .main */}}
|
|
{{- end }}{{/* define "k10-init-container-header" */}}
|
|
|
|
{{- define "k10-init-container" }}
|
|
{{- $pod := .k10_pod }}
|
|
{{- $podName := (printf "%s-svc" $pod) }}
|
|
{{- with .main }}
|
|
{{- $main_context := . }}
|
|
{{- $containerList := (dict "main" $main_context "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }}
|
|
{{- range $skip, $service := $containerList }}
|
|
{{- $serviceStateful := has $service (dict "main" $main_context "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }}
|
|
{{- if and ( eq $service "auth" ) $main_context.Values.auth.ldap.enabled }}
|
|
- name: dex-init
|
|
command:
|
|
- /dex/dexconfigmerge
|
|
args:
|
|
- --config-path=/etc/dex/cfg/config.yaml
|
|
- --secret-path=/var/run/secrets/kasten.io/bind-secret/bindPW
|
|
- --new-config-path=/dex-config/config.yaml
|
|
- --secret-field=bindPW
|
|
{{- dict "main" $main_context "k10_service" $service | include "serviceImage" | indent 8 }}
|
|
{{- dict "main" $main_context "k10_service_pod_name" $podName "k10_service_container_name" "dex-init" | include "k10.resource.request" | indent 8}}
|
|
volumeMounts:
|
|
- mountPath: /etc/dex/cfg
|
|
name: config
|
|
- mountPath: /dex-config
|
|
name: dex-config
|
|
- name: bind-secret
|
|
mountPath: "/var/run/secrets/kasten.io/bind-secret"
|
|
readOnly: true
|
|
{{- else if $serviceStateful }}
|
|
- name: upgrade-init
|
|
securityContext:
|
|
capabilities:
|
|
add:
|
|
- FOWNER
|
|
- CHOWN
|
|
runAsUser: 1000
|
|
allowPrivilegeEscalation: false
|
|
{{- dict "main" $main_context "k10_service" "upgrade" | include "serviceImage" | indent 8 }}
|
|
imagePullPolicy: {{ $main_context.Values.global.image.pullPolicy }}
|
|
{{- dict "main" $main_context "k10_service_pod_name" $podName "k10_service_container_name" "upgrade-init" | include "k10.resource.request" | indent 8}}
|
|
env:
|
|
- name: MODEL_STORE_DIR
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: modelstoredirname
|
|
volumeMounts:
|
|
- name: {{ $service }}-persistent-storage
|
|
mountPath: {{ $main_context.Values.global.persistence.mountPath | quote }}
|
|
{{- if eq $service "catalog" }}
|
|
- name: schema-upgrade-check
|
|
{{- dict "main" $main_context "k10_service" $service | include "serviceImage" | indent 8 }}
|
|
imagePullPolicy: {{ $main_context.Values.global.image.pullPolicy }}
|
|
{{- dict "main" $main_context "k10_service_pod_name" $podName "k10_service_container_name" "schema-upgrade-check" | include "k10.resource.request" | indent 8}}
|
|
env:
|
|
{{- if $main_context.Values.clusterName }}
|
|
- name: CLUSTER_NAME
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: clustername
|
|
{{- end }}
|
|
- name: INIT_CONTAINER
|
|
value: "true"
|
|
- name: K10_RELEASE_NAME
|
|
value: {{ $main_context.Release.Name }}
|
|
- name: LOG_LEVEL
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: loglevel
|
|
- name: MODEL_STORE_DIR
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: modelstoredirname
|
|
- name: POD_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: VERSION
|
|
valueFrom:
|
|
configMapKeyRef:
|
|
name: k10-config
|
|
key: version
|
|
volumeMounts:
|
|
- name: {{ $service }}-persistent-storage
|
|
mountPath: {{ $main_context.Values.global.persistence.mountPath | quote }}
|
|
{{- end }}{{/* eq $service "catalog" */}}
|
|
{{- end }}{{/* initContainers definitions */}}
|
|
{{- end }}{{/* range $skip, $service := $containerList */}}
|
|
{{- end }}{{/* with .main */}}
|
|
{{- end }}{{/* define "k10-init-container" */}}
|