andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rancher-partner-charts/charts/hashicorp/consul/templates/mesh-gateway-deployment.yaml

298 lines
14 KiB
YAML
Raw Blame History

{{- if .Values.meshGateway.enabled }}
{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}}
{{- if and .Values.global.acls.manageSystemACLs (ne .Values.meshGateway.consulServiceName "") (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end -}}
{{- if .Values.meshGateway.globalMode }}{{ fail "meshGateway.globalMode is no longer supported; instead, you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end -}}
{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
{{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }}
{{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }}
{{ template "consul.validateRequiredCloudSecretsExist" . }}
{{ template "consul.validateCloudSecretKeys" . }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "consul.fullname" . }}-mesh-gateway
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: mesh-gateway
spec:
replicas: {{ .Values.meshGateway.replicas }}
selector:
matchLabels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: mesh-gateway
template:
metadata:
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
release: {{ .Release.Name }}
component: mesh-gateway
consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller
annotations:
"consul.hashicorp.com/connect-inject": "false"
"consul.hashicorp.com/gateway-kind": "mesh-gateway"
"consul.hashicorp.com/gateway-consul-service-name": "{{ .Values.meshGateway.consulServiceName }}"
"consul.hashicorp.com/mesh-gateway-container-port": "{{ .Values.meshGateway.containerPort }}"
"consul.hashicorp.com/gateway-wan-address-source": "{{ .Values.meshGateway.wanAddress.source }}"
"consul.hashicorp.com/gateway-wan-address-static": "{{ .Values.meshGateway.wanAddress.static }}"
{{- if eq .Values.meshGateway.wanAddress.source "Service" }}
{{- if eq .Values.meshGateway.service.type "NodePort" }}
"consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.nodePort }}"
{{- else }}
"consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.port }}"
{{- end }}
{{- else }}
"consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.wanAddress.port }}"
{{- end }}
{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }}
"vault.hashicorp.com/agent-init-first": "true"
"vault.hashicorp.com/agent-inject": "true"
"vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }}
"vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
"vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
{{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
"vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
"vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}"
{{- end }}
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
{{- end }}
{{- end }}
{{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }}
"prometheus.io/scrape": "true"
"prometheus.io/path": "/metrics"
"prometheus.io/port": "20200"
{{- end }}
{{- if .Values.meshGateway.annotations }}
{{- tpl .Values.meshGateway.annotations . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.meshGateway.affinity }}
affinity:
{{ tpl .Values.meshGateway.affinity . | nindent 8 | trim }}
{{- end }}
{{- if .Values.meshGateway.tolerations }}
tolerations:
{{ tpl .Values.meshGateway.tolerations . | nindent 8 | trim }}
{{- end }}
{{- if .Values.meshGateway.topologySpreadConstraints }}
topologySpreadConstraints:
{{ tpl .Values.meshGateway.topologySpreadConstraints . | nindent 8 | trim }}
{{- end }}
terminationGracePeriodSeconds: 10
serviceAccountName: {{ template "consul.fullname" . }}-mesh-gateway
volumes:
- name: consul-service
emptyDir:
medium: "Memory"
{{- if .Values.global.tls.enabled }}
{{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }}
- name: consul-ca-cert
secret:
{{- if .Values.global.tls.caCert.secretName }}
secretName: {{ .Values.global.tls.caCert.secretName }}
{{- else }}
secretName: {{ template "consul.fullname" . }}-ca-cert
{{- end }}
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{- end }}
{{- end }}
{{- if .Values.meshGateway.hostNetwork }}
hostNetwork: {{ .Values.meshGateway.hostNetwork }}
{{- end }}
{{- if .Values.meshGateway.dnsPolicy }}
dnsPolicy: {{ .Values.meshGateway.dnsPolicy }}
{{- end }}
initContainers:
- name: mesh-gateway-init
image: {{ .Values.global.imageK8S }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }}
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_LOGIN_AUTH_METHOD
{{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }}
value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }}
{{- else }}
value: {{ template "consul.fullname" . }}-k8s-component-auth-method
{{- end }}
- name: CONSUL_LOGIN_DATACENTER
{{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }}
value: {{ .Values.global.federation.primaryDatacenter }}
{{- else }}
value: {{ .Values.global.datacenter }}
{{- end }}
- name: CONSUL_LOGIN_META
value: "component=mesh-gateway,pod=$(NAMESPACE)/$(POD_NAME)"
{{- end }}
- name: CONSUL_NODE_NAME
value: $(NODE_NAME)-virtual
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \
-gateway-kind="mesh-gateway" \
-proxy-id-file=/consul/service/proxy-id \
-service-name={{ .Values.meshGateway.consulServiceName }} \
-log-level={{ default .Values.global.logLevel }} \
-log-json={{ .Values.global.logJSON }}
volumeMounts:
- name: consul-service
mountPath: /consul/service
{{- if .Values.global.tls.enabled }}
{{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }}
- name: consul-ca-cert
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
{{- end }}
{{- if .Values.meshGateway.initServiceInitContainer.resources }}
resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 10 }}
{{- end }}
containers:
- name: mesh-gateway
image: {{ .Values.global.imageConsulDataplane | quote }}
{{- if .Values.meshGateway.resources }}
resources:
{{- if eq (typeOf .Values.meshGateway.resources) "string" }}
{{ tpl .Values.meshGateway.resources . | nindent 12 | trim }}
{{- else }}
{{- toYaml .Values.meshGateway.resources | nindent 12 }}
{{- end }}
{{- end }}
volumeMounts:
- mountPath: /consul/service
name: consul-service
readOnly: true
{{- if .Values.global.tls.enabled }}
{{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }}
- name: consul-ca-cert
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
{{- end }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: DP_CREDENTIAL_LOGIN_META1
value: pod=$(NAMESPACE)/$(POD_NAME)
- name: DP_CREDENTIAL_LOGIN_META2
value: component=mesh-gateway
- name: DP_SERVICE_NODE_NAME
value: $(NODE_NAME)-virtual
command:
- consul-dataplane
args:
{{- if .Values.externalServers.enabled }}
- -addresses={{ .Values.externalServers.hosts | first }}
{{- else }}
- -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc
{{- end }}
{{- if .Values.externalServers.enabled }}
- -grpc-port={{ .Values.externalServers.grpcPort }}
{{- else }}
- -grpc-port=8502
{{- end }}
- -proxy-service-id-path=/consul/service/proxy-id
{{- if .Values.global.tls.enabled }}
{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }}
{{- if .Values.global.secretsBackend.vault.enabled }}
- -ca-certs=/vault/secrets/serverca.crt
{{- else }}
- -ca-certs=/consul/tls/ca/tls.crt
{{- end }}
{{- end }}
{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }}
- -tls-server-name={{.Values.externalServers.tlsServerName }}
{{- else if .Values.global.cloud.enabled }}
- -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}}
{{- end }}
{{- else }}
- -tls-disabled
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- -credential-type=login
- -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token
{{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }}
- -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }}
- -login-datacenter={{ .Values.global.federation.primaryDatacenter }}
{{- else }}
- -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method
{{- end }}
{{- if .Values.global.adminPartitions.enabled }}
- -login-partition={{ .Values.global.adminPartitions.name }}
{{- end }}
{{- end }}
{{- if .Values.global.adminPartitions.enabled }}
- -service-partition={{ .Values.global.adminPartitions.name }}
{{- end }}
- -log-level={{ default .Values.global.logLevel }}
- -log-json={{ .Values.global.logJSON }}
{{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }}
- -telemetry-prom-scrape-path=/metrics
{{- end }}
{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }}
- -server-watch-disabled=true
{{- end }}
livenessProbe:
tcpSocket:
port: {{ .Values.meshGateway.containerPort }}
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
tcpSocket:
port: {{ .Values.meshGateway.containerPort }}
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
ports:
- name: gateway
containerPort: {{ .Values.meshGateway.containerPort }}
{{- if .Values.meshGateway.hostPort }}
hostPort: {{ .Values.meshGateway.hostPort }}
{{- end }}
{{- if .Values.meshGateway.priorityClassName }}
priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }}
{{- end }}
{{- if .Values.meshGateway.nodeSelector }}
nodeSelector:
{{ tpl .Values.meshGateway.nodeSelector . | indent 8 | trim }}
{{- end }}
{{- end }}
Reference in New Issue View Git Blame Copy Permalink