231 lines
9.9 KiB
YAML
231 lines
9.9 KiB
YAML
{{- $_ := required "Namespace is required" .Release.Namespace }}
|
|
{{- $_ := required "Name of operator is required." .Values.name }}
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
labels:
|
|
app: {{ include "confluent-operator.name" . }}
|
|
app.kubernetes.io/name: {{ include "confluent-operator.name" . }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
|
app.kubernetes.io/component: "confluent-operator"
|
|
helm.sh/chart: {{ include "confluent-operator.chart" . }}
|
|
version: {{ .Values.image.tag }}
|
|
name: {{ .Values.name }}
|
|
namespace: {{ .Release.Namespace }}
|
|
spec:
|
|
replicas: {{ .Values.replicas }}
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: "confluent-operator"
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
strategy:
|
|
rollingUpdate:
|
|
maxSurge: 1
|
|
maxUnavailable: 0
|
|
type: RollingUpdate
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
{{- range $key, $value := .Values.pod.annotations }}
|
|
{{ $key }}: {{ $value | quote }}
|
|
{{- end }}
|
|
labels:
|
|
app: "confluent-operator"
|
|
app.kubernetes.io/name: "confluent-operator"
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
confluent-platform: "true"
|
|
version: {{ .Values.image.tag }}
|
|
{{- range $key, $value := .Values.pod.labels }}
|
|
{{ $key }}: {{ $value | quote }}
|
|
{{- end }}
|
|
spec:
|
|
{{- if not (empty $.Values.affinity) }}
|
|
affinity:
|
|
{{ toYaml .Values.affinity | trim | indent 8 }}
|
|
{{- end }}
|
|
{{- if not (empty $.Values.tolerations) }}
|
|
tolerations:
|
|
{{ toYaml .Values.tolerations | trim | indent 6 }}
|
|
{{- end }}
|
|
{{- if .Values.podSecurity.enabled }}
|
|
securityContext:
|
|
{{ toYaml .Values.podSecurity.securityContext | indent 8 }}
|
|
{{- end }}
|
|
containers:
|
|
- args:
|
|
- --debug={{.Values.debug}}
|
|
{{- if gt (int (.Values.replicas)) 1 }}
|
|
- --enable-leader-election
|
|
{{- end }}
|
|
{{- if .Values.namespaced }}
|
|
{{- if empty .Values.namespaceList }}
|
|
- --namespaces={{ .Release.Namespace }}
|
|
{{- else}}
|
|
{{- $ns := "" }}
|
|
{{- range $i, $v := .Values.namespaceList }}
|
|
{{- $ns = printf "%s,%s" $ns (trim $v) }}
|
|
{{- end }}
|
|
- --namespaces={{ substr 1 (len $ns) $ns }}
|
|
{{- end }}
|
|
{{- end }}
|
|
name: {{ .Values.name }}
|
|
image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{.Values.image.tag }}
|
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
terminationMessagePath: /dev/termination-log
|
|
terminationMessagePolicy: File
|
|
readinessProbe:
|
|
httpGet:
|
|
port: 8080
|
|
path: /readyz
|
|
livenessProbe:
|
|
httpGet:
|
|
port: 8080
|
|
path: /healthz
|
|
resources:
|
|
{{ toYaml .Values.resources | trim | indent 10 }}
|
|
env:
|
|
- name: NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: NODEIP
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: status.hostIP
|
|
- name: DD_ENTITY_ID
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.uid
|
|
- name: DEPLOYMENT_NAME
|
|
value: {{ .Values.name }}
|
|
{{- if .Values.managedCerts.enabled }}
|
|
{{- if and (empty .Values.managedCerts.caCertificate.secretRef) (empty .Values.managedCerts.caCertificate.directoryPathInContainer) }}
|
|
{{- $_ := required "secretRef or directoryPathInContainer must be configured when managedCerts is enabled" .Values.managedCerts.secretRef }}
|
|
{{- end }}
|
|
{{- if ge (.Values.managedCerts.renewBeforeInDays) (.Values.managedCerts.certDurationInDays) }}
|
|
{{- $_ := required "managedCerts.certDurationInDays for managed certs should be greater than managedCerts.renewBeforeInDays" "" }}
|
|
{{- end }}
|
|
{{- if .Values.managedCerts.certDurationInDays }}
|
|
- name: CONFLUENT_MANAGED_CERTS_DURATION_DAYS
|
|
value: "{{ .Values.managedCerts.certDurationInDays }}"
|
|
{{- end }}
|
|
{{- if .Values.managedCerts.renewBeforeInDays }}
|
|
- name: CONFLUENT_MANAGED_CERTS_RENEW_BEFORE_DAYS
|
|
value: "{{ .Values.managedCerts.renewBeforeInDays }}"
|
|
{{- end }}
|
|
{{- if .Values.managedCerts.sans }}
|
|
{{- if not (regexMatch "[ -~]" .Values.managedCerts.sans) }}
|
|
{{- $_ := required "invalid characters in managedCerts.sans. Only first 128 ASCII characters are allowed" "" }}
|
|
{{- end }}
|
|
- name: CONFLUENT_MANAGED_CERTS_SANS
|
|
value: "{{ .Values.managedCerts.sans }}"
|
|
{{- end }}
|
|
{{- if .Values.managedCerts.caCertificate.secretRef }}
|
|
- name: CONFLUENT_MANAGED_CERTS_SECRET_NAME
|
|
value: {{ .Values.managedCerts.caCertificate.secretRef }}
|
|
{{- end }}
|
|
{{- if .Values.managedCerts.caCertificate.directoryPathInContainer }}
|
|
- name: CONFLUENT_MANAGED_CERTS_DIRECTORY_PATH
|
|
value: {{ .Values.managedCerts.caCertificate.directoryPathInContainer }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.licenseSecretRef }}
|
|
- name: CONFLUENT_LICENSE_SECRET_NAME
|
|
value: {{ .Values.licenseSecretRef }}
|
|
{{- else if .Values.license.secretRef }}
|
|
- name: CONFLUENT_LICENSE_SECRET_NAME
|
|
value: {{ .Values.license.secretRef }}
|
|
{{- end }}
|
|
{{- if .Values.license.directoryPathInContainer }}
|
|
- name: CONFLUENT_LICENSE_DIRECTORY_PATH
|
|
value: {{ .Values.license.directoryPathInContainer }}
|
|
{{- end }}
|
|
{{- if or (.Values.telemetry.enabled) (.Values.telemetry.operator.enabled) }}
|
|
{{- if and (empty .Values.telemetry.secretRef) (empty .Values.telemetry.directoryPathInContainer) }}
|
|
{{- $_ := required "secretRef or directoryPathInContainer must be configured when telemetry is enabled" .Values.telemetry.secretRef }}
|
|
{{- end }}
|
|
- name: CP_TELEMETRY_ENABLED
|
|
value: {{ quote .Values.telemetry.enabled }}
|
|
- name: OPERATOR_TELEMETRY_ENABLED
|
|
value: {{ quote .Values.telemetry.operator.enabled }}
|
|
{{- if .Values.telemetry.secretRef }}
|
|
- name: CONFLUENT_TELEMETRY_SECRET_NAME
|
|
value: {{ .Values.telemetry.secretRef }}
|
|
{{- end }}
|
|
{{- if .Values.telemetry.directoryPathInContainer }}
|
|
- name: CONFLUENT_TELEMETRY_DIRECTORY_PATH
|
|
value: {{ .Values.telemetry.directoryPathInContainer }}
|
|
{{- end }}
|
|
{{- if .Values.telemetry.proxy.enabled }}
|
|
- name: CONFLUENT_TELEMETRY_PROXY_ENABLED
|
|
value: "true"
|
|
{{- end }}
|
|
{{- if .Values.telemetry.proxy.credentialRequired }}
|
|
- name: CONFLUENT_TELEMETRY_PROXY_CREDENTIAL_REQUIRED
|
|
value: "true"
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.webhooks.enabled }}
|
|
{{- if and (empty .Values.webhooks.tls.secretRef) (empty .Values.webhooks.tls.directoryPathInContainer) }}
|
|
{{- $_ := required "secretRef or directoryPathInContainer must be configured when webhooks are enabled" .Values.webhooks.tls.secretRef }}
|
|
{{- end }}
|
|
{{- if .Values.webhooks.tls.secretRef }}
|
|
- name: CONFLUENT_WEBHOOKS_SECRET_NAME
|
|
value: {{ .Values.webhooks.tls.secretRef }}
|
|
{{- end }}
|
|
{{- if .Values.webhooks.tls.directoryPathInContainer }}
|
|
- name: CONFLUENT_WEBHOOKS_DIRECTORY_PATH
|
|
value: {{ .Values.webhooks.tls.directoryPathInContainer }}
|
|
{{- end }}
|
|
- name: CONFLUENT_WEBHOOKS_PORT
|
|
value: {{ quote .Values.webhooks.port }}
|
|
{{- end }}
|
|
{{- if .Values.containerSecurity.enabled }}
|
|
securityContext:
|
|
{{ toYaml .Values.containerSecurity.securityContext | indent 10 }}
|
|
{{- end }}
|
|
{{- if or (not (empty .Values.mountedVolumes.volumeMounts)) (and (.Values.webhooks.enabled) (.Values.webhooks.tls.secretRef)) }}
|
|
volumeMounts:
|
|
{{- end }}
|
|
{{- if not (empty .Values.mountedVolumes.volumeMounts) }}
|
|
{{- range .Values.mountedVolumes.volumeMounts }}
|
|
{{- if and ($.Values.webhooks.enabled) (or (eq .mountPath "/mnt/sslcerts/webhook") (eq .name "webhook-certs")) }}
|
|
{{- $_ := fail "mount path \"/mnt/sslcerts/webhook\" and name \"webhook-certs\" are reserved for webhooks" }}
|
|
{{- end }}
|
|
- {{ toYaml . | indent 12 | trim }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if and (.Values.webhooks.enabled) (.Values.webhooks.tls.secretRef) }}
|
|
- mountPath: /mnt/sslcerts/webhook
|
|
name: webhook-certs
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- if or (not (empty .Values.mountedVolumes.volumes)) (and (.Values.webhooks.enabled) (.Values.webhooks.tls.secretRef)) }}
|
|
volumes:
|
|
{{- end }}
|
|
{{- if not (empty .Values.mountedVolumes.volumes ) }}
|
|
{{- range .Values.mountedVolumes.volumes }}
|
|
{{- if and ($.Values.webhooks.enabled) (eq .name "webhook-certs") }}
|
|
{{- $_ := fail "name \"webhook-certs\" is reserved for webhooks" }}
|
|
{{- end }}
|
|
- {{ toYaml . | indent 10 | trim }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if and (.Values.webhooks.enabled) (.Values.webhooks.tls.secretRef) }}
|
|
- name: webhook-certs
|
|
secret:
|
|
defaultMode: 420
|
|
secretName: {{ .Values.webhooks.tls.secretRef }}
|
|
{{- end }}
|
|
{{- if and .Values.imagePullSecretRef (not .Values.serviceAccount.create) }}
|
|
imagePullSecrets:
|
|
- name: {{ .Values.imagePullSecretRef }}
|
|
{{- end }}
|
|
serviceAccountName: {{ template "confluent-operator.service-account" . }}
|
|
{{- if .Values.priorityClassName }}
|
|
priorityClassName: {{ .Values.priorityClassName | quote }}
|
|
{{- end }}
|
|
restartPolicy: Always
|
|
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
|