andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rancher-partner-charts/charts/hashicorp/consul/templates/connect-inject-deployment.yaml

333 lines
18 KiB
YAML
Raw Blame History

{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }}
{{- if and .Values.global.peering.enabled (not .Values.global.tls.enabled) }}{{ fail "setting global.peering.enabled to true requires global.tls.enabled to be true" }}{{ end }}
{{- if and .Values.global.peering.enabled (not .Values.meshGateway.enabled) }}{{ fail "setting global.peering.enabled to true requires meshGateway.enabled to be true" }}{{ end }}
{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
{{ template "consul.validateVaultWebhookCertConfiguration" . }}
{{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }}
{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
{{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}}
{{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}}
{{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}}
{{ template "consul.validateRequiredCloudSecretsExist" . }}
{{ template "consul.validateCloudSecretKeys" . }}
# The deployment for running the Connect sidecar injector
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: connect-injector
spec:
replicas: {{ .Values.connectInject.replicas }}
selector:
matchLabels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: connect-injector
template:
metadata:
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: connect-injector
{{- if .Values.connectInject.extraLabels }}
{{- toYaml .Values.connectInject.extraLabels | nindent 8 }}
{{- end }}
annotations:
"consul.hashicorp.com/connect-inject": "false"
{{- if .Values.connectInject.annotations }}
{{- tpl .Values.connectInject.annotations . | nindent 8 }}
{{- end }}
{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }}
"vault.hashicorp.com/agent-init-first": "true"
"vault.hashicorp.com/agent-inject": "true"
{{- if .Values.global.secretsBackend.vault.connectInjectRole }}
"vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }}
{{ else }}
"vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
{{ end }}
"vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
"vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
{{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }}
{{- with .Values.global.secretsBackend.vault.connectInject.caCert }}
"vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }}
"vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }}
"vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs"
{{- end }}
{{- end }}
{{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}
"vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}
"vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }}
"vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs"
"vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}
"vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }}
"vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs"
{{- end }}
{{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
"vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
"vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}"
{{- end }}
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
{{- end }}
{{- end }}
spec:
serviceAccountName: {{ template "consul.fullname" . }}-connect-injector
containers:
- name: sidecar-injector
image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}"
ports:
- containerPort: 8080
name: webhook-server
protocol: TCP
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- include "consul.consulK8sConsulServerEnvVars" . | nindent 12 }}
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_LOGIN_AUTH_METHOD
{{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }}
value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }}
{{- else }}
value: {{ template "consul.fullname" . }}-k8s-component-auth-method
{{- end }}
- name: CONSUL_LOGIN_DATACENTER
{{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }}
value: {{ .Values.global.federation.primaryDatacenter }}
{{- else }}
value: {{ .Values.global.datacenter }}
{{- end }}
- name: CONSUL_LOGIN_META
value: "component=connect-injector,pod=$(NAMESPACE)/$(POD_NAME)"
{{- end }}
{{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }}
- name: CONSUL_ACL_TOKEN
valueFrom:
secretKeyRef:
name: {{ .Values.connectInject.aclInjectToken.secretName }}
key: {{ .Values.connectInject.aclInjectToken.secretKey }}
{{- end }}
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s-control-plane inject-connect \
{{- if .Values.global.federation.enabled }}
-enable-federation \
{{- end }}
-log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \
-log-json={{ .Values.global.logJSON }} \
-default-inject={{ .Values.connectInject.default }} \
-consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \
-consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \
-consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \
-release-name="{{ .Release.Name }}" \
-release-namespace="{{ .Release.Namespace }}" \
-resource-prefix={{ template "consul.fullname" . }} \
-listen=:8080 \
{{- range $k, $v := .Values.connectInject.consulNode.meta }}
-node-meta={{ $k }}={{ $v }} \
{{- end }}
{{- if .Values.connectInject.transparentProxy.defaultEnabled }}
-default-enable-transparent-proxy=true \
{{- else }}
-default-enable-transparent-proxy=false \
{{- end }}
-enable-cni={{ .Values.connectInject.cni.enabled }} \
{{- if .Values.global.peering.enabled }}
-enable-peering=true \
{{- end }}
{{- if .Values.global.openshift.enabled }}
-enable-openshift \
{{- end }}
{{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }}
-transparent-proxy-default-overwrite-probes=true \
{{- else }}
-transparent-proxy-default-overwrite-probes=false \
{{- end }}
{{- if (and $dnsEnabled $dnsRedirectionEnabled) }}
-enable-consul-dns=true \
{{- end }}
{{- if .Values.global.openshift.enabled }}
-enable-openshift \
{{- end }}
{{- if (or (and (ne (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.connectInject.metrics.defaultEnabled) (and (eq (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.global.metrics.enabled)) }}
-default-enable-metrics=true \
{{- else }}
-default-enable-metrics=false \
{{- end }}
-enable-gateway-metrics={{ .Values.global.metrics.enableGatewayMetrics }} \
-default-enable-metrics-merging={{ .Values.connectInject.metrics.defaultEnableMerging }} \
-default-merged-metrics-port={{ .Values.connectInject.metrics.defaultMergedMetricsPort }} \
-default-prometheus-scrape-port={{ .Values.connectInject.metrics.defaultPrometheusScrapePort }} \
-default-prometheus-scrape-path="{{ .Values.connectInject.metrics.defaultPrometheusScrapePath }}" \
{{- if .Values.connectInject.envoyExtraArgs }}
-envoy-extra-args="{{ .Values.connectInject.envoyExtraArgs }}" \
{{- end }}
{{- if .Values.connectInject.overrideAuthMethodName }}
-acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \
{{- else if .Values.global.acls.manageSystemACLs }}
-acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \
{{- end }}
{{- range $value := .Values.connectInject.k8sAllowNamespaces }}
-allow-k8s-namespace="{{ $value }}" \
{{- end }}
{{- range $value := .Values.connectInject.k8sDenyNamespaces }}
-deny-k8s-namespace="{{ $value }}" \
{{- end }}
{{- if .Values.global.adminPartitions.enabled }}
-enable-partitions=true \
{{- end }}
{{- if .Values.global.enableConsulNamespaces }}
-enable-namespaces=true \
{{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }}
-consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \
{{- end }}
{{- if and .Values.global.enableConsulNamespaces .Values.connectInject.consulNamespaces.mirroringK8S }}
-enable-k8s-namespace-mirroring=true \
{{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}
-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \
{{- end }}
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
-consul-cross-namespace-acl-policy=cross-namespace-policy \
{{- end }}
{{- end }}
{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}
-tls-cert-dir=/vault/secrets/connect-injector/certs \
-enable-webhook-ca-update \
{{- else }}
-tls-cert-dir=/etc/connect-injector/certs \
{{- end }}
{{- $resources := .Values.connectInject.sidecarProxy.resources }}
{{- /* kindIs is used here to differentiate between null and 0 */}}
{{- if not (kindIs "invalid" $resources.limits.memory) }}
-default-sidecar-proxy-memory-limit={{ $resources.limits.memory }} \
{{- end }}
{{- if not (kindIs "invalid" $resources.requests.memory) }}
-default-sidecar-proxy-memory-request={{ $resources.requests.memory }} \
{{- end }}
{{- if not (kindIs "invalid" $resources.limits.cpu) }}
-default-sidecar-proxy-cpu-limit={{ $resources.limits.cpu }} \
{{- end }}
{{- if not (kindIs "invalid" $resources.requests.cpu) }}
-default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \
{{- end }}
-default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \
{{- if .Values.connectInject.initContainer }}
{{- $initResources := .Values.connectInject.initContainer.resources }}
{{- if not (kindIs "invalid" $initResources.limits.memory) }}
-init-container-memory-limit={{ $initResources.limits.memory }} \
{{- end }}
{{- if not (kindIs "invalid" $initResources.requests.memory) }}
-init-container-memory-request={{ $initResources.requests.memory }} \
{{- end }}
{{- if not (kindIs "invalid" $initResources.limits.cpu) }}
-init-container-cpu-limit={{ $initResources.limits.cpu }} \
{{- end }}
{{- if not (kindIs "invalid" $initResources.requests.cpu) }}
-init-container-cpu-request={{ $initResources.requests.cpu }} \
{{- end }}
{{- end }}
{{- if .Values.global.cloud.enabled }}
-tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \
{{- end }}
{{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }}
-enable-auto-encrypt \
{{- end }}
startupProbe:
httpGet:
path: /readyz/ready
port: 9445
scheme: HTTP
initialDelaySeconds: 30
failureThreshold: 15
periodSeconds: 2
timeoutSeconds: 5
livenessProbe:
httpGet:
path: /readyz/ready
port: 9445
scheme: HTTP
failureThreshold: 2
initialDelaySeconds: 1
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /readyz/ready
port: 9445
scheme: HTTP
failureThreshold: 2
initialDelaySeconds: 2
successThreshold: 1
timeoutSeconds: 5
volumeMounts:
{{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }}
- name: certs
mountPath: /etc/connect-injector/certs
readOnly: true
{{- end }}
{{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}}
- name: consul-ca-cert
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
{{- with .Values.connectInject.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
{{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }}
- name: certs
secret:
defaultMode: 420
secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert
{{- end }}
{{- if .Values.global.tls.enabled }}
{{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }}
- name: consul-ca-cert
secret:
{{- if .Values.global.tls.caCert.secretName }}
secretName: {{ .Values.global.tls.caCert.secretName }}
{{- else }}
secretName: {{ template "consul.fullname" . }}-ca-cert
{{- end }}
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{- end }}
{{- end }}
{{- if .Values.connectInject.priorityClassName }}
priorityClassName: {{ .Values.connectInject.priorityClassName | quote }}
{{- end }}
{{- if .Values.connectInject.nodeSelector }}
nodeSelector:
{{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }}
{{- end }}
{{- if .Values.connectInject.affinity }}
affinity:
{{ tpl .Values.connectInject.affinity . | indent 8 | trim }}
{{- end }}
{{- if .Values.connectInject.tolerations }}
tolerations:
{{ tpl .Values.connectInject.tolerations . | indent 8 | trim }}
{{- end }}
{{- end }}
Reference in New Issue View Git Blame Copy Permalink