cec9f3c4d7
Fixes #801. The solution is complicated by the fact that the Selector field of Deployments is immutable. It would have been easy to just make the Selectors of the main Concierge Deployment, the Kube cert agent Deployment, and the various Services use more specific labels, but that would break upgrades. Instead, we make the Pod template labels and the Service selectors more specific, because those not immutable, and then handle the Deployment selectors in a special way. For the main Concierge and Supervisor Deployments, we cannot change their selectors, so they remain "app: app_name", and we make other changes to ensure that only the intended pods are selected. We keep the original "app" label on those pods and remove the "app" label from the pods of the Kube cert agent Deployment. By removing it from the Kube cert agent pods, there is no longer any chance that they will accidentally get selected by the main Concierge Deployment. For the Kube cert agent Deployment, we can change the immutable selector by deleting and recreating the Deployment. The new selector uses only the unique label that has always been applied to the pods of that deployment. Upon recreation, these pods no longer have the "app" label, so they will not be selected by the main Concierge Deployment's selector. The selector of all Services have been updated to use new labels to more specifically target the intended pods. For the Concierge Services, this will prevent them from accidentally including the Kube cert agent pods. For the Supervisor Services, we follow the same convention just to be consistent and to help future-proof the Supervisor app in case it ever has a second Deployment added to it. The selector of the auto-created impersonation proxy Service was also previously using the "app" label. There is no change to this Service because that label will now select the correct pods, since the Kube cert agent pods no longer have that label. It would be possible to update that selector to use the new more specific label, but then we would need to invent a way to pass that label into the controller, so it seemed like more work than was justified.
168 lines
5.4 KiB
YAML
168 lines
5.4 KiB
YAML
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
|
#! SPDX-License-Identifier: Apache-2.0
|
|
|
|
#@ load("@ytt:data", "data")
|
|
#@ load("@ytt:json", "json")
|
|
#@ load("helpers.lib.yaml", "defaultLabel", "labels", "deploymentPodLabel", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "getAndValidateLogLevel")
|
|
#@ load("@ytt:template", "template")
|
|
|
|
#@ if not data.values.into_namespace:
|
|
---
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: #@ data.values.namespace
|
|
labels: #@ labels()
|
|
#@ end
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: #@ defaultResourceName()
|
|
namespace: #@ namespace()
|
|
labels: #@ labels()
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("static-config")
|
|
namespace: #@ namespace()
|
|
labels: #@ labels()
|
|
data:
|
|
#@yaml/text-templated-strings
|
|
pinniped.yaml: |
|
|
apiGroupSuffix: (@= data.values.api_group_suffix @)
|
|
names:
|
|
defaultTLSCertificateSecret: (@= defaultResourceNameWithSuffix("default-tls-certificate") @)
|
|
labels: (@= json.encode(labels()).rstrip() @)
|
|
(@ if data.values.log_level: @)
|
|
logLevel: (@= getAndValidateLogLevel() @)
|
|
(@ end @)
|
|
---
|
|
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: image-pull-secret
|
|
namespace: #@ namespace()
|
|
labels: #@ labels()
|
|
type: kubernetes.io/dockerconfigjson
|
|
data:
|
|
.dockerconfigjson: #@ data.values.image_pull_dockerconfigjson
|
|
#@ end
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: #@ defaultResourceName()
|
|
namespace: #@ namespace()
|
|
labels: #@ labels()
|
|
spec:
|
|
replicas: #@ data.values.replicas
|
|
selector:
|
|
#! In hindsight, this should have been deploymentPodLabel(), but this field is immutable so changing it would break upgrades.
|
|
matchLabels: #@ defaultLabel()
|
|
template:
|
|
metadata:
|
|
labels:
|
|
#! This has always included defaultLabel(), which is used by this Deployment's selector.
|
|
_: #@ template.replace(defaultLabel())
|
|
#! More recently added the more unique deploymentPodLabel() so Services can select these Pods more specifically
|
|
#! without accidentally selecting pods from any future Deployments which might also want to use the defaultLabel().
|
|
_: #@ template.replace(deploymentPodLabel())
|
|
spec:
|
|
securityContext:
|
|
runAsUser: #@ data.values.run_as_user
|
|
runAsGroup: #@ data.values.run_as_group
|
|
serviceAccountName: #@ defaultResourceName()
|
|
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
|
|
imagePullSecrets:
|
|
- name: image-pull-secret
|
|
#@ end
|
|
containers:
|
|
- name: #@ defaultResourceName()
|
|
#@ if data.values.image_digest:
|
|
image: #@ data.values.image_repo + "@" + data.values.image_digest
|
|
#@ else:
|
|
image: #@ data.values.image_repo + ":" + data.values.image_tag
|
|
#@ end
|
|
imagePullPolicy: IfNotPresent
|
|
command:
|
|
- pinniped-supervisor
|
|
- /etc/podinfo
|
|
- /etc/config/pinniped.yaml
|
|
securityContext:
|
|
readOnlyRootFilesystem: true
|
|
resources:
|
|
requests:
|
|
cpu: "100m"
|
|
memory: "128Mi"
|
|
limits:
|
|
cpu: "100m"
|
|
memory: "128Mi"
|
|
volumeMounts:
|
|
- name: config-volume
|
|
mountPath: /etc/config
|
|
readOnly: true
|
|
- name: podinfo
|
|
mountPath: /etc/podinfo
|
|
readOnly: true
|
|
ports:
|
|
- containerPort: 8080
|
|
protocol: TCP
|
|
- containerPort: 8443
|
|
protocol: TCP
|
|
env:
|
|
#@ if data.values.https_proxy:
|
|
- name: HTTPS_PROXY
|
|
value: #@ data.values.https_proxy
|
|
#@ end
|
|
#@ if data.values.https_proxy and data.values.no_proxy:
|
|
- name: NO_PROXY
|
|
value: #@ data.values.no_proxy
|
|
#@ end
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /healthz
|
|
port: 8080
|
|
scheme: HTTP
|
|
initialDelaySeconds: 2
|
|
timeoutSeconds: 15
|
|
periodSeconds: 10
|
|
failureThreshold: 5
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /healthz
|
|
port: 8080
|
|
scheme: HTTP
|
|
initialDelaySeconds: 2
|
|
timeoutSeconds: 3
|
|
periodSeconds: 10
|
|
failureThreshold: 3
|
|
volumes:
|
|
- name: config-volume
|
|
configMap:
|
|
name: #@ defaultResourceNameWithSuffix("static-config")
|
|
- name: podinfo
|
|
downwardAPI:
|
|
items:
|
|
- path: "labels"
|
|
fieldRef:
|
|
fieldPath: metadata.labels
|
|
- path: "namespace"
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- path: "name"
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
#! This will help make sure our multiple pods run on different nodes, making
|
|
#! our deployment "more" "HA".
|
|
affinity:
|
|
podAntiAffinity:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
- weight: 50
|
|
podAffinityTerm:
|
|
labelSelector:
|
|
matchLabels: #@ deploymentPodLabel()
|
|
topologyKey: kubernetes.io/hostname
|