github.com/kubevela/workflow@v0.6.0/charts/vela-workflow/templates/workflow-controller.yaml

{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "kubevela.serviceAccountName" . }}
  labels:
    {{- include "kubevela.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
  {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "kubevela.fullname" . }}:manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: "cluster-admin"
subjects:
  - kind: ServiceAccount
    name: {{ include "kubevela.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}

---

# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "kubevela.fullname" . }}:leader-election-role
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - configmaps/status
    verbs:
      - get
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "kubevela.fullname" . }}:leader-election-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "kubevela.fullname" . }}:leader-election-role
subjects:
  - kind: ServiceAccount
    name: {{ include "kubevela.serviceAccountName" . }}

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "kubevela.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    controller.oam.dev/name: vela-workflow
  {{- include "kubevela.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
  {{- include "kubevela.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
    {{- include "kubevela.selectorLabels" . | nindent 8 }}
      annotations:
          prometheus.io/path: /metrics
          prometheus.io/port: "8080"
          prometheus.io/scrape: "true"
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
      {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "kubevela.serviceAccountName" . }}
      securityContext:
      {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Release.Name }}
          securityContext:
          {{- toYaml .Values.securityContext | nindent 12 }}
          args:
            - "-test.coverprofile=/workspace/data/e2e-profile.out"
            - "__DEVEL__E2E"
            - "-test.run=E2EMain"
            - "-test.coverpkg=$(go list ./pkg/...| tr '
' ','| sed 's/,$//g')"
            {{ if .Values.admissionWebhooks.enabled }}
            - "--use-webhook=true"
            - "--webhook-port={{ .Values.webhookService.port }}"
            - "--webhook-cert-dir={{ .Values.admissionWebhooks.certificate.mountPath }}"
            {{ end }}
            {{ if ne .Values.logFilePath "" }}
            - "--log-file-path={{ .Values.logFilePath }}"
            - "--log-file-max-size={{ .Values.logFileMaxSize }}"
            {{ end }}
            {{ if .Values.logDebug }}
            - "--log-debug=true"
            {{ end }}
            - "--metrics-bind-address=:8080"
            - "--leader-elect"
            - "--health-probe-bind-address=:{{ .Values.healthCheck.port }}"
            - "--concurrent-reconciles={{ .Values.concurrentReconciles }}"
            - "--ignore-workflow-without-controller-requirement={{ .Values.ignoreWorkflowWithoutControllerRequirement }}"
            - "--kube-api-qps={{ .Values.kubeClient.qps }}"
            - "--kube-api-burst={{ .Values.kubeClient.burst }}"
            - "--user-agent={{ .Values.kubeClient.userAgent }}"
            - "--max-workflow-wait-backoff-time={{ .Values.workflow.backoff.maxTime.waitState }}"
            - "--max-workflow-failed-backoff-time={{ .Values.workflow.backoff.maxTime.failedState }}"
            - "--max-workflow-step-error-retry-times={{ .Values.workflow.step.errorRetryTimes }}"
            - "--feature-gates=EnableWatchEventListener={{- .Values.workflow.enableWatchEventListener | toString -}}"
            - "--feature-gates=EnablePatchStatusAtOnce={{- .Values.workflow.enablePatchStatusAtOnce | toString -}}"
            - "--feature-gates=EnableSuspendOnFailure={{- .Values.workflow.enableSuspendOnFailure | toString -}}"
            - "--feature-gates=EnableBackupWorkflowRecord={{- .Values.backup.enabled | toString -}}"
            - "--group-by-label={{ .Values.workflow.groupByLabel }}"
            {{ if .Values.backup.enable }}
            - "--backup-strategy={{ .Values.backup.strategy }}"
            - "--backup-ignore-strategy={{ .Values.backup.ignoreStrategy }}"
            - "--backup-clean-on-backup={{ .Values.backup.cleanOnBackup }}"
            - "--backup-persist-type={{ .Values.backup.persisType }}"
            - "--backup-config-secret-name={{ .Values.backup.configSecretName }}"
            - "--backup-config-secret-namespace={{ .Values.backup.configSecretNamespace }}"
            {{ end }}
          image: {{ .Values.imageRegistry }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
          imagePullPolicy: {{ quote .Values.image.pullPolicy }}
          resources:
          {{- toYaml .Values.resources | nindent 12 }}
          {{ if .Values.admissionWebhooks.enabled }}
          ports:
            - containerPort: {{ .Values.webhookService.port }}
              name: webhook-server
              protocol: TCP
            - containerPort: {{ .Values.healthCheck.port }}
              name: healthz
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /readyz
              port: healthz
            initialDelaySeconds: 30
            periodSeconds: 5
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 90
            periodSeconds: 5
          volumeMounts:
            - mountPath: {{ .Values.admissionWebhooks.certificate.mountPath }}
              name: tls-cert-vol
              readOnly: true
          {{ end }}
      {{ if .Values.admissionWebhooks.enabled }}
      volumes:
        - name: tls-cert-vol
          secret:
            defaultMode: 420
            secretName: {{ template "kubevela.fullname" . }}-admission
      {{ end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
      {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
      {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
    {{- toYaml . | nindent 8 }}
  {{- end }}