237 lines
8.1 KiB
YAML
237 lines
8.1 KiB
YAML
kind: Deployment
|
|
apiVersion: apps/v1
|
|
metadata:
|
|
name: {{ template "rancher.fullname" . }}
|
|
annotations:
|
|
{{- if (lt (int .Values.replicas) 0) }}
|
|
management.cattle.io/scale-available: "{{ sub 0 (int .Values.replicas)}}"
|
|
{{- end }}
|
|
labels:
|
|
{{ include "rancher.labels" . | indent 4 }}
|
|
spec:
|
|
{{- if (gt (int .Values.replicas) 0) }}
|
|
replicas: {{ .Values.replicas }}
|
|
{{- end }}
|
|
selector:
|
|
matchLabels:
|
|
app: {{ template "rancher.fullname" . }}
|
|
strategy:
|
|
rollingUpdate:
|
|
maxSurge: 1
|
|
{{- if (eq (int .Values.replicas) 1) }}
|
|
maxUnavailable: 0
|
|
{{- else }}
|
|
maxUnavailable: 1
|
|
{{- end }}
|
|
type: RollingUpdate
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: {{ template "rancher.fullname" . }}
|
|
release: {{ .Release.Name }}
|
|
spec:
|
|
serviceAccountName: {{ template "rancher.fullname" . }}
|
|
{{- if .Values.imagePullSecrets }}
|
|
imagePullSecrets:
|
|
{{ toYaml .Values.imagePullSecrets | indent 6 }}
|
|
{{- end }}
|
|
affinity:
|
|
podAntiAffinity:
|
|
{{- if eq .Values.antiAffinity "required" }}
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
- labelSelector:
|
|
matchExpressions:
|
|
- key: app
|
|
operator: In
|
|
values:
|
|
- {{ template "rancher.fullname" . }}
|
|
topologyKey: {{ .Values.topologyKey | default "kubernetes.io/hostname" }}
|
|
{{- else }}
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
- weight: 100
|
|
podAffinityTerm:
|
|
labelSelector:
|
|
matchExpressions:
|
|
- key: app
|
|
operator: In
|
|
values:
|
|
- {{ template "rancher.fullname" . }}
|
|
topologyKey: {{ .Values.topologyKey | default "kubernetes.io/hostname" }}
|
|
{{- end }}
|
|
nodeAffinity:
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
nodeSelectorTerms: {{ include "linux-node-selector-terms" . | nindent 14 }}
|
|
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
|
|
containers:
|
|
- image: {{ .Values.rancherImage }}:{{ default .Chart.AppVersion .Values.rancherImageTag }}
|
|
imagePullPolicy: {{ default "IfNotPresent" .Values.rancherImagePullPolicy }}
|
|
name: {{ template "rancher.name" . }}
|
|
ports:
|
|
- containerPort: 80
|
|
protocol: TCP
|
|
{{- if (and .Values.hostPort (gt (int .Values.hostPort) 0)) }}
|
|
- containerPort: 444
|
|
hostPort: {{ int .Values.hostPort }}
|
|
protocol: TCP
|
|
{{- end}}
|
|
args:
|
|
{{- if .Values.debug }}
|
|
- "--debug"
|
|
{{- end }}
|
|
{{- if .Values.privateCA }}
|
|
# Private CA - don't clear ca certs
|
|
{{- else if and (eq .Values.tls "ingress") (eq .Values.ingress.tls.source "rancher") }}
|
|
# Rancher self-signed - don't clear ca certs
|
|
{{- else }}
|
|
# Public trusted CA - clear ca certs
|
|
- "--no-cacerts"
|
|
{{- end }}
|
|
- "--http-listen-port=80"
|
|
- "--https-listen-port=443"
|
|
- "--add-local={{ .Values.addLocal }}"
|
|
env:
|
|
- name: CATTLE_NAMESPACE
|
|
value: {{ .Release.Namespace }}
|
|
- name: CATTLE_PEER_SERVICE
|
|
value: {{ template "rancher.fullname" . }}
|
|
{{- if .Values.features }}
|
|
- name: CATTLE_FEATURES
|
|
value: "{{ .Values.features }}"
|
|
{{- end}}
|
|
{{- if .Values.noDefaultAdmin }}
|
|
- name: CATTLE_NO_DEFAULT_ADMIN
|
|
value: "{{ .Values.noDefaultAdmin }}"
|
|
{{- end}}
|
|
{{- if gt (int .Values.auditLog.level) 0 }}
|
|
- name: AUDIT_LEVEL
|
|
value: {{ .Values.auditLog.level | quote }}
|
|
- name: AUDIT_LOG_MAXAGE
|
|
value: {{ .Values.auditLog.maxAge | quote }}
|
|
- name: AUDIT_LOG_MAXBACKUP
|
|
value: {{ .Values.auditLog.maxBackup | quote }}
|
|
- name: AUDIT_LOG_MAXSIZE
|
|
value: {{ .Values.auditLog.maxSize | quote }}
|
|
{{- end }}
|
|
{{- if .Values.proxy }}
|
|
- name: HTTP_PROXY
|
|
value: {{ .Values.proxy }}
|
|
- name: HTTPS_PROXY
|
|
value: {{ .Values.proxy }}
|
|
- name: NO_PROXY
|
|
value: {{ .Values.noProxy }}
|
|
{{- end }}
|
|
{{- if .Values.systemDefaultRegistry }}
|
|
- name: CATTLE_SYSTEM_DEFAULT_REGISTRY
|
|
value: {{ .Values.systemDefaultRegistry }}
|
|
{{- end }}
|
|
{{- if .Values.useBundledSystemChart }}
|
|
- name: CATTLE_SYSTEM_CATALOG
|
|
value: bundled
|
|
{{- end }}
|
|
{{- if .Values.restrictedAdmin }}
|
|
- name: CATTLE_RESTRICTED_DEFAULT_ADMIN
|
|
value: "true"
|
|
{{- end}}
|
|
{{- if .Values.bootstrapPassword }}
|
|
- name: CATTLE_BOOTSTRAP_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: "bootstrap-secret"
|
|
key: "bootstrapPassword"
|
|
{{- end }}
|
|
{{- if .Values.extraEnv }}
|
|
{{ toYaml .Values.extraEnv | indent 8}}
|
|
{{- end }}
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /healthz
|
|
port: 80
|
|
initialDelaySeconds: 60
|
|
periodSeconds: 30
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /healthz
|
|
port: 80
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 30
|
|
resources:
|
|
{{ toYaml .Values.resources | indent 10 }}
|
|
volumeMounts:
|
|
{{- if .Values.additionalTrustedCAs }}
|
|
- mountPath: /etc/pki/trust/anchors/ca-additional.pem
|
|
name: tls-ca-additional-volume
|
|
subPath: ca-additional.pem
|
|
readOnly: true
|
|
- mountPath: /etc/rancher/ssl/ca-additional.pem
|
|
name: tls-ca-additional-volume
|
|
subPath: ca-additional.pem
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- if .Values.privateCA }}
|
|
# Pass CA cert into rancher for private CA
|
|
- mountPath: /etc/rancher/ssl/cacerts.pem
|
|
name: tls-ca-volume
|
|
subPath: cacerts.pem
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- if and .Values.customLogos.enabled (or (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (and (eq .Values.customLogos.volumeKind "configMap") (.Values.customLogos.volumeName))) }}
|
|
# Mount rancher custom-logos volume
|
|
- mountPath: /usr/share/rancher/ui/assets/images/logos
|
|
name: custom-logos
|
|
subPath: {{ .Values.customLogos.volumeSubpaths.emberUi | default "ember" | quote }}
|
|
- mountPath: /usr/share/rancher/ui-dashboard/dashboard/_nuxt/assets/images/pl
|
|
name: custom-logos
|
|
subPath: {{ .Values.customLogos.volumeSubpaths.vueUi | default "vue" | quote }}
|
|
{{- end }}
|
|
{{- if gt (int .Values.auditLog.level) 0 }}
|
|
- mountPath: /var/log/auditlog
|
|
name: audit-log
|
|
{{- end }}
|
|
{{- if eq .Values.auditLog.destination "sidecar" }}
|
|
{{- if gt (int .Values.auditLog.level) 0 }}
|
|
# Make audit logs available for Rancher log collector tools.
|
|
- image: {{ .Values.busyboxImage }}:{{.Values.busyboxImageTag}}
|
|
imagePullPolicy: {{ default "IfNotPresent" .Values.busyboxImagePullPolicy }}
|
|
name: {{ template "rancher.name" . }}-audit-log
|
|
command: ["tail"]
|
|
args: ["-F", "/var/log/auditlog/rancher-api-audit.log"]
|
|
volumeMounts:
|
|
- mountPath: /var/log/auditlog
|
|
name: audit-log
|
|
{{- end }}
|
|
{{- end }}
|
|
volumes:
|
|
{{- if .Values.additionalTrustedCAs }}
|
|
- name: tls-ca-additional-volume
|
|
secret:
|
|
defaultMode: 0400
|
|
secretName: tls-ca-additional
|
|
{{- end }}
|
|
{{- if .Values.privateCA }}
|
|
- name: tls-ca-volume
|
|
secret:
|
|
defaultMode: 0400
|
|
secretName: tls-ca
|
|
{{- end }}
|
|
{{- if gt (int .Values.auditLog.level) 0 }}
|
|
{{- if eq .Values.auditLog.destination "hostPath" }}
|
|
- name: audit-log
|
|
hostPath:
|
|
path: {{ .Values.auditLog.hostPath }}
|
|
type: DirectoryOrCreate
|
|
{{- else }}
|
|
- name: audit-log
|
|
emptyDir: {}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if and .Values.customLogos.enabled (or (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (and (eq .Values.customLogos.volumeKind "configMap") (.Values.customLogos.volumeName))) }}
|
|
- name: custom-logos
|
|
{{- if (eq .Values.customLogos.volumeKind "persistentVolumeClaim") }}
|
|
persistentVolumeClaim:
|
|
claimName: {{ .Values.customLogos.volumeName | default (printf "%s-custom-logos" (include "rancher.fullname" .)) }}
|
|
{{- else if (eq .Values.customLogos.volumeKind "configMap") }}
|
|
configMap:
|
|
name: {{ .Values.customLogos.volumeName }}
|
|
{{- end }}
|
|
{{- end }}
|