rancher-partner-charts/charts/f5/nginx-ingress/templates/controller-deployment.yaml

{{- if eq .Values.controller.kind "deployment" }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "nginx-ingress.controller.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "nginx-ingress.labels" . | nindent 4 }}
{{- if .Values.controller.annotations }}
  annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
{{- end }}
spec:
  {{- if not .Values.controller.autoscaling.enabled }}
  replicas: {{ .Values.controller.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "nginx-ingress.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "nginx-ingress.selectorLabels" . | nindent 8 }}
{{- if .Values.nginxServiceMesh.enable }}
        nsm.nginx.com/enable-ingress: "true"
        nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}"
        nsm.nginx.com/deployment: {{ include "nginx-ingress.controller.fullname" . }}
{{- end }}
{{- if .Values.controller.pod.extraLabels }}
{{ toYaml .Values.controller.pod.extraLabels | indent 8 }}
{{- end }}
{{- if or .Values.prometheus.create .Values.controller.pod.annotations }}
      annotations:
{{- if .Values.prometheus.create }}
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ .Values.prometheus.port }}"
        prometheus.io/scheme: "{{ .Values.prometheus.scheme }}"
{{- end }}
{{- if .Values.controller.pod.annotations }}
{{ toYaml .Values.controller.pod.annotations | indent 8 }}
{{- end }}
{{- end }}
    spec:
{{- if .Values.controller.nodeSelector }}
      nodeSelector:
{{ toYaml .Values.controller.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.controller.tolerations }}
      tolerations:
{{ toYaml .Values.controller.tolerations | indent 6 }}
{{- end }}
{{- if .Values.controller.affinity }}
      affinity:
{{ toYaml .Values.controller.affinity | indent 8 }}
{{- end }}
{{- if .Values.controller.topologySpreadConstraints }}
      topologySpreadConstraints:
{{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }}
{{- end }}
{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }}
      volumes:
{{- end }}
{{- if .Values.controller.readOnlyRootFilesystem }}
      - name: nginx-etc
        emptyDir: {}
      - name: nginx-cache
        emptyDir: {}
      - name: nginx-lib
        emptyDir: {}
      - name: nginx-log
        emptyDir: {}
{{- end }}
{{- if .Values.controller.volumes }}
{{ toYaml .Values.controller.volumes | indent 6 }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
      priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
      serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }}
      automountServiceAccountToken: true
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
      hostNetwork: {{ .Values.controller.hostNetwork }}
      dnsPolicy: {{ .Values.controller.dnsPolicy }}
      {{- if .Values.controller.shareProcessNamespace }}
      shareProcessNamespace: true
      {{- end }}
      containers:
      - image: {{ include "nginx-ingress.image" . }}
        name: {{ include "nginx-ingress.name" . }}
        imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}"
{{- if .Values.controller.lifecycle }}
        lifecycle:
{{ toYaml .Values.controller.lifecycle | indent 10 }}
{{- end }}
        ports:
{{- range $key, $value := .Values.controller.containerPort }}
        - name: {{ $key }}
          containerPort: {{ $value }}
          protocol: TCP
          {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }}
          hostPort: {{ index $.Values.controller.hostPort $key }}
          {{- end }}
{{- end }}
{{- if .Values.controller.customPorts }}
{{ toYaml .Values.controller.customPorts | indent 8 }}
{{- end }}
{{- if .Values.prometheus.create }}
        - name: prometheus
          containerPort: {{ .Values.prometheus.port }}
{{- end }}
{{- if .Values.serviceInsight.create }}
        - name: service-insight
          containerPort: {{ .Values.serviceInsight.port }}
{{- end }}
{{- if .Values.controller.readyStatus.enable }}
        - name: readiness-port
          containerPort: {{ .Values.controller.readyStatus.port }}
        readinessProbe:
          httpGet:
            path: /nginx-ready
            port: readiness-port
          periodSeconds: 1
          initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }}
{{- end }}
        resources:
{{ toYaml .Values.controller.resources | indent 10 }}
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }}
          runAsUser: 101 #nginx
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }}
        volumeMounts:
{{- end }}
{{- if .Values.controller.readOnlyRootFilesystem }}
        - mountPath: /etc/nginx
          name: nginx-etc
        - mountPath: /var/cache/nginx
          name: nginx-cache
        - mountPath: /var/lib/nginx
          name: nginx-lib
        - mountPath: /var/log/nginx
          name: nginx-log
{{- end }}
{{- if .Values.controller.volumeMounts}}
{{ toYaml .Values.controller.volumeMounts | indent 8 }}
{{- end }}
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
{{- if .Values.controller.env }}
{{ toYaml .Values.controller.env | indent 8 }}
{{- end }}
{{- if .Values.nginxServiceMesh.enable }}
        - name: POD_SERVICEACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
{{- end }}
        args:
{{- include "nginx-ingress.args" . | nindent 10 }}
{{- if .Values.controller.extraContainers }}
      {{ toYaml .Values.controller.extraContainers | nindent 6 }}
{{- end }}
{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }}
      initContainers:
{{- end }}
{{- if .Values.controller.readOnlyRootFilesystem }}
      - name: init-{{ include "nginx-ingress.name" . }}
        image: {{ include "nginx-ingress.image" . }}
        imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}"
        command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
{{- if .Values.controller.initContainerResources }}
        resources:
{{ toYaml .Values.controller.initContainerResources | indent 10 }}
{{- end }}
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 101 #nginx
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
        volumeMounts:
        - mountPath: /mnt/etc
          name: nginx-etc
{{- end }}
{{- if .Values.controller.initContainers }}
{{ toYaml .Values.controller.initContainers | indent 6 }}
{{- end }}
{{- if .Values.controller.strategy }}
  strategy:
{{ toYaml .Values.controller.strategy | indent 4 }}
{{- end }}
{{- if .Values.controller.minReadySeconds }}
  minReadySeconds: {{ .Values.controller.minReadySeconds }}
{{- end }}
{{- end }}