github.com/castai/kvisor@v1.7.1-0.20240516114728-b3572a2607b5/charts/kvisor/templates/controller.yaml

{{- if .Values.controller.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "kvisor.controller.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kvisor.controller.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.controller.replicas }}
  selector:
    matchLabels:
      {{- include "kvisor.controller.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      annotations:
        checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
      {{- if .Values.controller.prometheusScrape.enabled }}
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{.Values.controller.httpListenPort}}"
      {{- end }}
      {{- if .Values.pyroscope.enabled }}
        phlare.grafana.com/scrape: "true"
        phlare.grafana.com/port: "{{ .Values.controller.httpListenPort }}"
        profiles.grafana.com/memory.scrape: "true"
        profiles.grafana.com/memory.port: "{{ .Values.controller.httpListenPort }}"
        profiles.grafana.com/cpu.scrape: "true"
        profiles.grafana.com/cpu.port: "{{ .Values.controller.httpListenPort }}"
        profiles.grafana.com/goroutine.scrape: "true"
        profiles.grafana.com/goroutine.port: "{{ .Values.controller.httpListenPort }}"
      {{- end }}
      {{- with .Values.controller.podAnnotations }}
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "kvisor.controller.selectorLabels" . | nindent 8 }}
        {{- include "kvisor.commonLabels" . | nindent 8 }}
    spec:
      serviceAccountName: {{ include "kvisor.controller.serviceAccountName" . }}
      dnsPolicy: {{.Values.controller.dnsPolicy}}
      securityContext:
        {{- toYaml .Values.controller.securityContext | nindent 8 }}
      containers:
        - name: controller
          image: "{{ .Values.image.repository }}-controller:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{.Values.image.pullPolicy}}
          securityContext:
            {{- toYaml .Values.controller.containerSecurityContext | nindent 12 }}
          args:
            - "--http-listen-port={{.Values.controller.httpListenPort}}"
            - "--kube-server-listen-port={{.Values.controller.kubeAPIListenPort}}"
            - "--metrics-http-listen-port={{.Values.controller.metricsHTTPListenPort}}"
            - "--castai-secret-ref-name={{ include "kvisor.castaiSecretName" . }}"
            - "--image-scan-blobs-cache-url=http://{{ include "kvisor.controller.fullname" . }}.{{.Release.Namespace}}"
            - "--chart-version={{.Chart.Version}}"
          {{- if eq .Values.mockServer.enabled true }}
            - "--castai-server-insecure=true"
          {{- end }}
          {{- if eq .Values.agent.enabled true }}
            - "--agent-enabled=true"
          {{- end }}
        {{- range $key, $value := .Values.controller.extraArgs }}
            - "--{{ $key }}={{ $value }}"
        {{- end }}
          resources:
            {{- toYaml .Values.controller.resources | nindent 12 }}
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: CASTAI_API_GRPC_ADDR
              value: {{ if .Values.mockServer.enabled -}}
                       {{ (printf "%s:8443" (include "kvisor.castaiMockServer.service" .)) | quote }}
                     {{- else -}}
                       {{ .Values.castai.grpcAddr | quote }}
                     {{- end }}
            - name: CASTAI_CLUSTER_ID
              value: {{  .Values.castai.clusterID | quote }}
        {{- range $key, $value := .Values.controller.extraEnv }}
            - name: {{ $key }}
              value: {{ $value }}
        {{- end }}
        {{- if .Values.castai.enabled }}
          envFrom:
            - secretRef:
                name: {{ include "kvisor.castaiSecretName" . }}
        {{- end }}
          ports:
            - name: http-server
              containerPort: {{ .Values.controller.httpListenPort }}
              protocol: TCP
            - name: kube-server
              containerPort: {{ .Values.controller.kubeAPIListenPort }}
              protocol: TCP
            - name: metrics
              containerPort: {{ .Values.controller.metricsHTTPListenPort }}
              protocol: TCP
          startupProbe:
            httpGet:
              path: /healthz
              port: http-server
            failureThreshold: 6
            periodSeconds: 10
          livenessProbe:
            httpGet:
              port: http-server
              path: /healthz
            periodSeconds: 5
          readinessProbe:
            httpGet:
              port: http-server
              path: /healthz
            periodSeconds: 5
      terminationGracePeriodSeconds: 10
      {{- with .Values.controller.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.controller.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.controller.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}

{{- end }}
---
{{- if .Values.controller.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "kvisor.controller.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kvisor.controller.labels" . | nindent 4 }}
  {{- with .Values.controller.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "kvisor.controller.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kvisor.controller.labels" . | nindent 4 }}
  {{- with .Values.commonAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
rules:
  # Access to manage jobs in castai-sec namespace.
  - apiGroups:
      - "batch"
    resources:
      - jobs
    verbs:
      - create
      - get
      - list
      - watch
      - delete
  - apiGroups:
      - ""
    resources:
      - pods/log
    verbs:
      - get
  - apiGroups:
      - "coordination.k8s.io"
    resources:
      - leases
    verbs:
      - get
      - create
      - update
      - list
      - watch
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "kvisor.controller.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
      {{- include "kvisor.controller.labels" . | nindent 4 }}
  {{- with .Values.commonAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "kvisor.controller.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "kvisor.controller.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "kvisor.controller.fullname" . }}
  labels:
    {{- include "kvisor.controller.labels" . | nindent 4 }}
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
      - pods
      - events
      - namespaces
      - services
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "apps"
    resources:
      - deployments
      - replicasets
      - daemonsets
      - statefulsets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "batch"
    resources:
      - jobs
      - cronjobs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "networking.k8s.io"
    resources:
      - networkpolicies
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "rbac.authorization.k8s.io"
    resources:
      - roles
      - rolebindings
      - clusterroles
      - clusterrolebindings
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "kvisor.controller.fullname" . }}
  labels:
    {{- include "kvisor.controller.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "kvisor.controller.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "kvisor.controller.serviceAccountName" . }}
    namespace: {{.Release.Namespace}}
{{- end }}
---
apiVersion: v1
kind: Service
metadata:
  name: {{ include "kvisor.controller.fullname" . }}
  namespace: {{ .Release.Namespace }}
spec:
  ports:
    - port: 80
      name: http
      targetPort: http-server
      protocol: TCP
    - port: {{ .Values.controller.kubeAPIListenPort }}
      name: kube
      targetPort: kube-server
      protocol: TCP
  selector:
    {{- include "kvisor.controller.selectorLabels" . | nindent 6 }}
  type: ClusterIP