rancher-partner-charts/charts/confluent/confluent-for-kubernetes/templates/deployment.yaml

225 lines
9.6 KiB
YAML

{{- $_ := required "Namespace is required" .Release.Namespace }}
{{- $_ := required "Name of operator is required." .Values.name }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ include "confluent-operator.name" . }}
app.kubernetes.io/name: {{ include "confluent-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/component: "confluent-operator"
helm.sh/chart: {{ include "confluent-operator.chart" . }}
version: {{ .Values.image.tag }}
name: {{ .Values.name }}
namespace: {{ .Release.Namespace }}
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
app.kubernetes.io/name: "confluent-operator"
app.kubernetes.io/instance: {{ .Release.Name }}
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
type: RollingUpdate
template:
metadata:
annotations:
{{- range $key, $value := .Values.pod.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
labels:
app: "confluent-operator"
app.kubernetes.io/name: "confluent-operator"
app.kubernetes.io/instance: {{ .Release.Name }}
confluent-platform: "true"
version: {{ .Values.image.tag }}
{{- range $key, $value := .Values.pod.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- if not (empty $.Values.affinity) }}
affinity:
{{ toYaml .Values.affinity | trim | indent 8 }}
{{- end }}
{{- if not (empty $.Values.tolerations) }}
tolerations:
{{ toYaml .Values.tolerations | trim | indent 6 }}
{{- end }}
{{- if .Values.podSecurity.enabled }}
securityContext:
{{ toYaml .Values.podSecurity.securityContext | indent 8 }}
{{- end }}
containers:
- args:
- --debug={{.Values.debug}}
{{- if gt (int (.Values.replicas)) 1 }}
- --enable-leader-election
{{- end }}
{{- if .Values.namespaced }}
{{- if empty .Values.namespaceList }}
- --namespaces={{ .Release.Namespace }}
{{- else}}
{{- $ns := "" }}
{{- range $i, $v := .Values.namespaceList }}
{{- $ns = printf "%s,%s" $ns (trim $v) }}
{{- end }}
- --namespaces={{ substr 1 (len $ns) $ns }}
{{- end }}
{{- end }}
name: {{ .Values.name }}
image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{.Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
readinessProbe:
httpGet:
port: 8080
path: /readyz
livenessProbe:
httpGet:
port: 8080
path: /healthz
resources:
{{ toYaml .Values.resources | trim | indent 10 }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODEIP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: DD_ENTITY_ID
valueFrom:
fieldRef:
fieldPath: metadata.uid
{{- if .Values.managedCerts.enabled }}
{{- if and (empty .Values.managedCerts.caCertificate.secretRef) (empty .Values.managedCerts.caCertificate.directoryPathInContainer) }}
{{- $_ := required "secretRef or directoryPathInContainer must be configured when managedCerts is enabled" .Values.managedCerts.secretRef }}
{{- end }}
{{- if ge (.Values.managedCerts.renewBeforeInDays) (.Values.managedCerts.certDurationInDays) }}
{{- $_ := required "managedCerts.certDurationInDays for managed certs should be greater than managedCerts.renewBeforeInDays" "" }}
{{- end }}
{{- if .Values.managedCerts.certDurationInDays }}
- name: CONFLUENT_MANAGED_CERTS_DURATION_DAYS
value: "{{ .Values.managedCerts.certDurationInDays }}"
{{- end }}
{{- if .Values.managedCerts.renewBeforeInDays }}
- name: CONFLUENT_MANAGED_CERTS_RENEW_BEFORE_DAYS
value: "{{ .Values.managedCerts.renewBeforeInDays }}"
{{- end }}
{{- if .Values.managedCerts.sans }}
{{- if not (regexMatch "[ -~]" .Values.managedCerts.sans) }}
{{- $_ := required "invalid characters in managedCerts.sans. Only first 128 ASCII characters are allowed" "" }}
{{- end }}
- name: CONFLUENT_MANAGED_CERTS_SANS
value: "{{ .Values.managedCerts.sans }}"
{{- end }}
{{- if .Values.managedCerts.caCertificate.secretRef }}
- name: CONFLUENT_MANAGED_CERTS_SECRET_NAME
value: {{ .Values.managedCerts.caCertificate.secretRef }}
{{- end }}
{{- if .Values.managedCerts.caCertificate.directoryPathInContainer }}
- name: CONFLUENT_MANAGED_CERTS_DIRECTORY_PATH
value: {{ .Values.managedCerts.caCertificate.directoryPathInContainer }}
{{- end }}
{{- end }}
{{- if .Values.licenseSecretRef }}
- name: CONFLUENT_LICENSE_SECRET_NAME
value: {{ .Values.licenseSecretRef }}
{{- else if .Values.license.secretRef }}
- name: CONFLUENT_LICENSE_SECRET_NAME
value: {{ .Values.license.secretRef }}
{{- end }}
{{- if .Values.license.directoryPathInContainer }}
- name: CONFLUENT_LICENSE_DIRECTORY_PATH
value: {{ .Values.license.directoryPathInContainer }}
{{- end }}
{{- if .Values.telemetry.enabled }}
{{- if and (empty .Values.telemetry.secretRef) (empty .Values.telemetry.directoryPathInContainer) }}
{{- $_ := required "secretRef or directoryPathInContainer must be configured when telemetry is enabled" .Values.telemetry.secretRef }}
{{- end }}
{{- if .Values.telemetry.secretRef }}
- name: CONFLUENT_TELEMETRY_SECRET_NAME
value: {{ .Values.telemetry.secretRef }}
{{- end }}
{{- if .Values.telemetry.directoryPathInContainer }}
- name: CONFLUENT_TELEMETRY_DIRECTORY_PATH
value: {{ .Values.telemetry.directoryPathInContainer }}
{{- end }}
{{- if .Values.telemetry.proxy.enabled }}
- name: CONFLUENT_TELEMETRY_PROXY_ENABLED
value: "true"
{{- end }}
{{- if .Values.telemetry.proxy.credentialRequired }}
- name: CONFLUENT_TELEMETRY_PROXY_CREDENTIAL_REQUIRED
value: "true"
{{- end }}
{{- end }}
{{- if .Values.webhooks.enabled }}
{{- if and (empty .Values.webhooks.tls.secretRef) (empty .Values.webhooks.tls.directoryPathInContainer) }}
{{- $_ := required "secretRef or directoryPathInContainer must be configured when webhooks are enabled" .Values.webhooks.tls.secretRef }}
{{- end }}
{{- if .Values.webhooks.tls.secretRef }}
- name: CONFLUENT_WEBHOOKS_SECRET_NAME
value: {{ .Values.webhooks.tls.secretRef }}
{{- end }}
{{- if .Values.webhooks.tls.directoryPathInContainer }}
- name: CONFLUENT_WEBHOOKS_DIRECTORY_PATH
value: {{ .Values.webhooks.tls.directoryPathInContainer }}
{{- end }}
- name: CONFLUENT_WEBHOOKS_PORT
value: {{ quote .Values.webhooks.port }}
{{- end }}
{{- if .Values.containerSecurity.enabled }}
securityContext:
{{ toYaml .Values.containerSecurity.securityContext | indent 10 }}
{{- end }}
{{- if or (not (empty .Values.mountedVolumes.volumeMounts)) (and (.Values.webhooks.enabled) (.Values.webhooks.tls.secretRef)) }}
volumeMounts:
{{- end }}
{{- if not (empty .Values.mountedVolumes.volumeMounts) }}
{{- range .Values.mountedVolumes.volumeMounts }}
{{- if and ($.Values.webhooks.enabled) (or (eq .mountPath "/mnt/sslcerts/webhook") (eq .name "webhook-certs")) }}
{{- $_ := fail "mount path \"/mnt/sslcerts/webhook\" and name \"webhook-certs\" are reserved for webhooks" }}
{{- end }}
- {{ toYaml . | indent 12 | trim }}
{{- end }}
{{- end }}
{{- if and (.Values.webhooks.enabled) (.Values.webhooks.tls.secretRef) }}
- mountPath: /mnt/sslcerts/webhook
name: webhook-certs
readOnly: true
{{- end }}
{{- if or (not (empty .Values.mountedVolumes.volumes)) (and (.Values.webhooks.enabled) (.Values.webhooks.tls.secretRef)) }}
volumes:
{{- end }}
{{- if not (empty .Values.mountedVolumes.volumes ) }}
{{- range .Values.mountedVolumes.volumes }}
{{- if and ($.Values.webhooks.enabled) (eq .name "webhook-certs") }}
{{- $_ := fail "name \"webhook-certs\" is reserved for webhooks" }}
{{- end }}
- {{ toYaml . | indent 10 | trim }}
{{- end }}
{{- end }}
{{- if and (.Values.webhooks.enabled) (.Values.webhooks.tls.secretRef) }}
- name: webhook-certs
secret:
defaultMode: 420
secretName: {{ .Values.webhooks.tls.secretRef }}
{{- end }}
{{- if and .Values.imagePullSecretRef (not .Values.serviceAccount.create) }}
imagePullSecrets:
- name: {{ .Values.imagePullSecretRef }}
{{- end }}
serviceAccountName: {{ template "confluent-operator.service-account" . }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- end }}
restartPolicy: Always
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}