#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:data", "data") #@ load("@ytt:json", "json") #@ load("helpers.lib.yaml", "defaultLabel", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "getAndValidateLogLevel") #@ if not data.values.into_namespace: --- apiVersion: v1 kind: Namespace metadata: name: #@ data.values.namespace labels: #@ labels() #@ end --- apiVersion: v1 kind: ServiceAccount metadata: name: #@ defaultResourceName() namespace: #@ namespace() labels: #@ labels() --- apiVersion: v1 kind: ConfigMap metadata: name: #@ defaultResourceNameWithSuffix("static-config") namespace: #@ namespace() labels: #@ labels() data: #@yaml/text-templated-strings pinniped.yaml: | apiGroupSuffix: (@= data.values.api_group_suffix @) names: defaultTLSCertificateSecret: (@= defaultResourceNameWithSuffix("default-tls-certificate") @) labels: (@= json.encode(labels()).rstrip() @) (@ if data.values.log_level: @) logLevel: (@= getAndValidateLogLevel() @) (@ end @) --- #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": apiVersion: v1 kind: Secret metadata: name: image-pull-secret namespace: #@ namespace() labels: #@ labels() type: kubernetes.io/dockerconfigjson data: .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson #@ end --- apiVersion: apps/v1 kind: Deployment metadata: name: #@ defaultResourceName() namespace: #@ namespace() labels: #@ labels() spec: replicas: #@ data.values.replicas selector: matchLabels: #@ defaultLabel() template: metadata: labels: #@ defaultLabel() spec: securityContext: readOnlyRootFilesystem: true runAsUser: #@ data.values.run_as_user runAsGroup: #@ data.values.run_as_group serviceAccountName: #@ defaultResourceName() #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": imagePullSecrets: - name: image-pull-secret #@ end containers: - name: #@ defaultResourceName() #@ if data.values.image_digest: image: #@ data.values.image_repo + "@" + data.values.image_digest #@ else: image: #@ data.values.image_repo + ":" + data.values.image_tag #@ end imagePullPolicy: IfNotPresent command: - pinniped-supervisor - /etc/podinfo - /etc/config/pinniped.yaml resources: requests: cpu: "100m" memory: "128Mi" limits: cpu: "100m" memory: "128Mi" volumeMounts: - name: config-volume mountPath: /etc/config - name: podinfo mountPath: /etc/podinfo ports: - containerPort: 8080 protocol: TCP - containerPort: 8443 protocol: TCP env: #@ if data.values.https_proxy: - name: HTTPS_PROXY value: #@ data.values.https_proxy #@ end #@ if data.values.https_proxy and data.values.no_proxy: - name: NO_PROXY value: #@ data.values.no_proxy #@ end livenessProbe: httpGet: path: /healthz port: 8080 scheme: HTTP initialDelaySeconds: 2 timeoutSeconds: 15 periodSeconds: 10 failureThreshold: 5 readinessProbe: httpGet: path: /healthz port: 8080 scheme: HTTP initialDelaySeconds: 2 timeoutSeconds: 3 periodSeconds: 10 failureThreshold: 3 volumes: - name: config-volume readOnly: true configMap: name: #@ defaultResourceNameWithSuffix("static-config") - name: podinfo readOnly: true downwardAPI: items: - path: "labels" fieldRef: fieldPath: metadata.labels - path: "namespace" fieldRef: fieldPath: metadata.namespace - path: "name" fieldRef: fieldPath: metadata.name #! This will help make sure our multiple pods run on different nodes, making #! our deployment "more" "HA". affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 50 podAffinityTerm: labelSelector: matchLabels: #@ defaultLabel() topologyKey: kubernetes.io/hostname