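# Deployment for the Kyma Environment Broker (KEB) and its optional sidecars
# (memory profiler, Cloud SQL proxy).
#
# Conventions in this template:
#   - Credentials are only ever injected via secretKeyRef; plain `value:`
#     entries carry non-secret configuration.
#   - Every templated scalar that lands in env[].value or a secret name is
#     double-quoted so that boolean-, number- or version-looking settings
#     (e.g. a machine image version such as 1.20) stay strings; an unquoted
#     float or bool in env[].value is rejected by the API server.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "kyma-env-broker.fullname" . }}
  labels:
    {{- include "kyma-env-broker.labels" . | nindent 4 }}
  annotations:
    argocd.argoproj.io/sync-options: Prune=false
spec:
  replicas: {{ .Values.deployment.replicaCount }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "kyma-env-broker.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
  strategy:
    {{- toYaml .Values.deployment.strategy | nindent 4 }}
  template:
    metadata:
      labels:
        app.kubernetes.io/name: {{ include "kyma-env-broker.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
      annotations:
        # Hash of the rendered app-config template, so a config change
        # triggers a rollout of the pods.
        checksum/config: {{ include (print $.Template.BasePath "/app-config.yaml") . | sha256sum }}
    spec:
      {{- if .Values.global.isLocalEnv }}
      # HostAliases are used by Pod to resolve kyma.local domain
      hostAliases:
        - ip: {{ .Values.global.minikubeIP }}
          hostnames:
            # Used for calls to Director
            - "{{ .Values.global.compass.tls.secure.oauth.host }}.{{ .Values.global.compass.domain | default .Values.global.ingress.domainName }}"
            # Used for calls for oauth token
            - "{{ .Values.global.oauth2.host }}.{{ .Values.global.compass.domain | default .Values.global.ingress.domainName }}"
      {{- end }}
      serviceAccountName: {{ .Values.global.kyma_environment_broker.serviceAccountName }}
      {{- with .Values.deployment.securityContext }}
      # Pod-level security context; the same values are reused for the
      # Cloud SQL proxy container below.
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      nodeSelector:
        {{- toYaml .Values.deployment.nodeSelector | nindent 8 }}
      containers:
        {{- if .Values.broker.profiler.memory }}
        # Opt-in debugging sidecar. It runs as root solely to make the shared
        # profiler volume world-writable for the broker container and then
        # idles; it is only rendered while memory profiling is switched on.
        - name: profiler
          command:
            - bash
            - -c
            - chmod 777 /tmp/profiler && sleep inf
          securityContext:
            runAsUser: 0
          image: ubuntu:20.04
          imagePullPolicy: Always
          volumeMounts:
            - name: keb-memory-profile
              mountPath: /tmp/profiler
              readOnly: false
        {{- end }}
        - name: {{ .Chart.Name }}
          image: "{{ .Values.global.images.container_registry.path }}/{{ .Values.global.images.kyma_environment_broker.dir }}kyma-environment-broker:{{ .Values.global.images.kyma_environment_broker.version }}"
          imagePullPolicy: {{ .Values.deployment.image.pullPolicy }}
          env:
            # --- OSB API / broker behaviour -----------------------------------
            - name: APP_BROKER_REGION_PARAMETER_IS_REQUIRED
              value: "{{ .Values.regionParameterIsRequired }}"
            - name: APP_BROKER_ALLOW_NETWORKING_PARAMETERS
              value: "{{ .Values.allowNetworkingParameters }}"
            - name: APP_BROKER_ALLOW_MODULES_PARAMETERS
              value: "{{ .Values.allowModulesParameters }}"
            - name: APP_DISABLE_PROCESS_OPERATIONS_IN_PROGRESS
              value: "{{ .Values.disableProcessOperationsInProgress }}"
            - name: APP_BROKER_ENABLE_PLANS
              value: "{{ .Values.enablePlans }}"
            - name: APP_BROKER_ONLY_SINGLE_TRIAL_PER_GA
              value: "{{ .Values.onlySingleTrialPerGA }}"
            - name: APP_BROKER_URL
              value: "{{ .Values.host }}.{{ .Values.global.ingress.domainName }}"
            - name: APP_BROKER_ENABLE_KUBECONFIG_URL_LABEL
              value: "{{ .Values.enableKubeconfigURLLabel }}"
            - name: APP_BROKER_INCLUDE_ADDITIONAL_PARAMS_IN_SCHEMA
              value: "{{ .Values.includeAdditionalParamsInSchema }}"
            - name: APP_BROKER_SHOW_TRIAL_EXPIRATION_INFO
              value: "{{ .Values.showTrialExpirationInfo }}"
            - name: APP_BROKER_SUBACCOUNTS_IDS_TO_SHOW_TRIAL_EXPIRATION_INFO
              value: "{{ .Values.subaccountsIdsToShowTrialExpirationInfo }}"
            - name: APP_BROKER_TRIAL_DOCS_URL
              value: "{{ .Values.trialDocsURL }}"
            - name: APP_OPERATION_TIMEOUT
              value: "{{ .Values.broker.operationTimeout }}"
            # --- Reconciler / Lifecycle Manager / Provisioner -----------------
            - name: APP_RECONCILER_URL
              value: "{{ .Values.reconciler.URL }}"
            - name: APP_LIFECYCLE_MANAGER_INTEGRATION_DISABLED
              value: "{{ .Values.lifecycleManager.disabled }}"
            - name: APP_RECONCILER_INTEGRATION_DISABLED
              value: "{{ .Values.reconciler.disabled }}"
            - name: APP_RECONCILER_PROVISIONING_TIMEOUT
              value: "{{ .Values.reconciler.provisioningTimeout }}"
            - name: APP_PROVISIONER_URL
              value: "{{ .Values.provisioner.URL }}"
            - name: APP_PROVISIONER_PROVISIONING_TIMEOUT
              value: "{{ .Values.provisioner.provisioningTimeout }}"
            - name: APP_PROVISIONER_DEPROVISIONING_TIMEOUT
              value: "{{ .Values.provisioner.deprovisioningTimeout }}"
            - name: APP_PROVISIONER_OPENSTACK_FLOATING_POOL_NAME
              value: "{{ .Values.provisioner.openstack.floatingPoolName }}"
            - name: APP_PROVISIONER_DEFAULT_GARDENER_SHOOT_PURPOSE
              value: "{{ .Values.gardener.defaultShootPurpose }}"
            - name: APP_PROVISIONER_DEFAULT_TRIAL_PROVIDER
              value: "{{ .Values.gardener.defaultTrialProvider }}"
            - name: APP_PORT
              value: "{{ .Values.broker.port }}"
            - name: APP_STATUS_PORT
              value: "{{ .Values.broker.statusPort }}"
            # --- Compass Director (OAuth client credentials) ------------------
            - name: APP_DIRECTOR_DEFAULT_TENANT
              value: "{{ .Values.global.defaultTenant }}"
            - name: APP_DIRECTOR_URL
              value: "https://{{ .Values.global.compass.tls.secure.oauth.host }}.{{ .Values.global.compass.domain | default .Values.global.ingress.domainName }}/director/graphql"
            # The three Director OAuth refs are optional: the pod still starts
            # when the integration-system secret is absent, so a missing
            # credential shows up as a runtime auth failure, not a scheduling
            # error.
            - name: APP_DIRECTOR_OAUTH_TOKEN_URL
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.global.kyma_environment_broker.secrets.integrationSystemCredentials.name }}"
                  key: tokens_endpoint
                  optional: true
            - name: APP_DIRECTOR_OAUTH_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.global.kyma_environment_broker.secrets.integrationSystemCredentials.name }}"
                  key: client_id
                  optional: true
            - name: APP_DIRECTOR_OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.global.kyma_environment_broker.secrets.integrationSystemCredentials.name }}"
                  key: client_secret
                  optional: true
            - name: APP_DIRECTOR_OAUTH_SCOPE
              value: "{{ .Values.director.scope }}"
            # --- IAS ----------------------------------------------------------
            - name: APP_IAS_URL
              value: "{{ .Values.ias.url }}"
            - name: APP_IAS_USER_ID
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.ias.secretName }}"
                  key: id
            - name: APP_IAS_USER_SECRET
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.ias.secretName }}"
                  key: secret
            - name: APP_IAS_IDENTITY_PROVIDER
              value: "{{ .Values.ias.identityProvider }}"
            - name: APP_IAS_DISABLED
              value: "{{ .Values.ias.disabled }}"
            - name: APP_IAS_TLS_RENEGOTIATION_ENABLE
              value: "{{ .Values.ias.tlsRenegotiationEnable }}"
            # NOTE(review): this variable is fed from the renegotiation flag,
            # so enabling TLS renegotiation also disables certificate
            # verification for IAS. That looks like a copy-paste slip; confirm
            # the intended values key and wire it separately.
            - name: APP_IAS_TLS_SKIP_CERT_VERIFICATION
              value: "{{ .Values.ias.tlsRenegotiationEnable }}"
            # --- EDP ----------------------------------------------------------
            - name: APP_EDP_AUTH_URL
              value: "{{ .Values.edp.authURL }}"
            - name: APP_EDP_ADMIN_URL
              value: "{{ .Values.edp.adminURL }}"
            - name: APP_EDP_NAMESPACE
              value: "{{ .Values.edp.namespace }}"
            - name: APP_EDP_ENVIRONMENT
              value: "{{ .Values.edp.environment }}"
            - name: APP_EDP_REQUIRED
              value: "{{ .Values.edp.required }}"
            - name: APP_EDP_DISABLED
              value: "{{ .Values.edp.disabled }}"
            - name: APP_EDP_SECRET
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.edp.secretName }}"
                  key: secret
            # --- Database (credentials come from the kcp-postgresql secret) ---
            - name: APP_DATABASE_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: "{{ .Values.global.database.managedGCP.encryptionSecretName }}"
                  key: secretKey
                  optional: true
            - name: APP_DATABASE_USER
              valueFrom:
                secretKeyRef:
                  name: kcp-postgresql
                  key: postgresql-broker-username
            - name: APP_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: kcp-postgresql
                  key: postgresql-broker-password
            - name: APP_DATABASE_HOST
              valueFrom:
                secretKeyRef:
                  name: kcp-postgresql
                  key: postgresql-serviceName
            - name: APP_DATABASE_PORT
              valueFrom:
                secretKeyRef:
                  name: kcp-postgresql
                  key: postgresql-servicePort
            - name: APP_DATABASE_NAME
              valueFrom:
                secretKeyRef:
                  name: kcp-postgresql
                  key: postgresql-broker-db-name
            - name: APP_DATABASE_SSLMODE
              valueFrom:
                secretKeyRef:
                  name: kcp-postgresql
                  key: postgresql-sslMode
            # Path of the CA bundle mounted from the cloudsql-sslrootcert volume
            # (only present when neither the embedded DB nor the proxy is used).
            - name: APP_DATABASE_SSLROOTCERT
              value: /secrets/cloudsql-sslrootcert/server-ca.pem
            # --- AvS ----------------------------------------------------------
            - name: APP_AVS_OAUTH_TOKEN_ENDPOINT
              valueFrom:
                secretKeyRef:
                  key: oauthTokenEndpoint
                  name: "{{ .Values.avs.secretName }}"
            - name: APP_AVS_OAUTH_USERNAME
              valueFrom:
                secretKeyRef:
                  key: oauthUserName
                  name: "{{ .Values.avs.secretName }}"
            - name: APP_AVS_OAUTH_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: oauthPassword
                  name: "{{ .Values.avs.secretName }}"
            - name: APP_AVS_API_ENDPOINT
              valueFrom:
                secretKeyRef:
                  key: apiEndpoint
                  name: "{{ .Values.avs.secretName }}"
            - name: APP_AVS_OAUTH_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  key: clientId
                  name: "{{ .Values.avs.secretName }}"
            - name: APP_AVS_API_KEY
              valueFrom:
                secretKeyRef:
                  key: apiKey
                  name: "{{ .Values.avs.secretName }}"
            - name: APP_AVS_INTERNAL_TESTER_ACCESS_ID
              valueFrom:
                secretKeyRef:
                  key: internalTesterAccessId
                  name: "{{ .Values.avs.secretName }}"
            - name: APP_AVS_EXTERNAL_TESTER_ACCESS_ID
              valueFrom:
                secretKeyRef:
                  key: externalTesterAccessId
                  name: "{{ .Values.avs.secretName }}"
            - name: APP_AVS_INTERNAL_TESTER_SERVICE
              valueFrom:
                secretKeyRef:
                  key: internalTesterService
                  name: "{{ .Values.avs.secretName }}"
            - name: APP_AVS_EXTERNAL_TESTER_SERVICE
              valueFrom:
                secretKeyRef:
                  key: externalTesterService
                  name: "{{ .Values.avs.secretName }}"
            - name: APP_AVS_GROUP_ID
              valueFrom:
                secretKeyRef:
                  key: groupId
                  name: "{{ .Values.avs.secretName }}"
            - name: APP_AVS_PARENT_ID
              valueFrom:
                secretKeyRef:
                  key: parentId
                  name: "{{ .Values.avs.secretName }}"
            - name: APP_AVS_TRIAL_API_KEY
              valueFrom:
                secretKeyRef:
                  key: trialApiKey
                  name: "{{ .Values.avs.secretName }}"
            - name: APP_AVS_TRIAL_INTERNAL_TESTER_ACCESS_ID
              valueFrom:
                secretKeyRef:
                  key: trialInternalTesterAccessId
                  name: "{{ .Values.avs.secretName }}"
            - name: APP_AVS_TRIAL_GROUP_ID
              valueFrom:
                secretKeyRef:
                  key: trialGroupId
                  name: "{{ .Values.avs.secretName }}"
            - name: APP_AVS_TRIAL_PARENT_ID
              valueFrom:
                secretKeyRef:
                  key: trialParentId
                  name: "{{ .Values.avs.secretName }}"
            - name: APP_AVS_INSTANCE_ID_TAG_CLASS_ID
              value: "{{ .Values.avs.instanceIdTagClassId }}"
            - name: APP_AVS_GLOBAL_ACCOUNT_ID_TAG_CLASS_ID
              value: "{{ .Values.avs.globalAccountIdTagClassId }}"
            - name: APP_AVS_SUB_ACCOUNT_ID_TAG_CLASS_ID
              value: "{{ .Values.avs.subAccountIdTagClassId }}"
            - name: APP_AVS_LANDSCAPE_TAG_CLASS_ID
              value: "{{ .Values.avs.landscapeTagClassId }}"
            - name: APP_AVS_REGION_TAG_CLASS_ID
              value: "{{ .Values.avs.regionTagClassId }}"
            - name: APP_AVS_PROVIDER_TAG_CLASS_ID
              value: "{{ .Values.avs.providerTagClassId }}"
            - name: APP_AVS_SHOOT_NAME_TAG_CLASS_ID
              value: "{{ .Values.avs.shootNameTagClassId }}"
            - name: APP_AVS_EXTERNAL_TESTER_DISABLED
              value: "{{ .Values.avs.externalTesterDisabled }}"
            - name: APP_AVS_MAINTENANCE_MODE_DURING_UPGRADE_DISABLED
              value: "{{ .Values.avs.maintenanceModeDuringUpgrade.disabled }}"
            - name: APP_AVS_MAINTENANCE_MODE_DURING_UPGRADE_ALWAYS_DISABLED_GLOBAL_ACCOUNTS_FILE_PATH
              value: /config/avsMaintenanceModeDuringUpgradeAlwaysDisabledGlobalAccountIDs.yaml
            # --- Kyma version / config files from the config-volume ConfigMap --
            - name: APP_KYMA_VERSION
              value: "{{ .Values.kymaVersion }}"
            - name: APP_ENABLE_ON_DEMAND_VERSION
              value: "{{ .Values.kymaVersionOnDemand }}"
            - name: APP_MANAGED_RUNTIME_COMPONENTS_YAML_FILE_PATH
              value: /config/additionalRuntimeComponents.yaml
            - name: APP_TRIAL_REGION_MAPPING_FILE_PATH
              value: /config/trialRegionMapping.yaml
            - name: APP_EU_ACCESS_WHITELISTED_GLOBAL_ACCOUNTS_FILE_PATH
              value: /config/euAccessWhitelistedGlobalAccountIds.yaml
            - name: APP_EU_ACCESS_REJECTION_MESSAGE
              value: "{{ .Values.euAccessRejectionMessage }}"
            - name: APP_FREEMIUM_PROVIDERS
              value: "{{ .Values.gardener.freemiumProviders }}"
            - name: APP_CATALOG_FILE_PATH
              value: /config/catalog.yaml
            # --- Gardener / kubeconfig ---------------------------------------
            - name: APP_GARDENER_PROJECT
              value: "{{ .Values.gardener.project }}"
            - name: APP_GARDENER_SHOOT_DOMAIN
              value: "{{ .Values.gardener.shootDomain }}"
            - name: APP_GARDENER_KUBECONFIG_PATH
              value: "{{ .Values.gardener.kubeconfigPath }}"
            - name: APP_KUBECONFIG_ISSUER_URL
              value: "{{ .Values.kubeconfig.issuerURL }}"
            - name: APP_KUBECONFIG_CLIENT_ID
              value: "{{ .Values.kubeconfig.clientID }}"
            - name: APP_KUBECONFIG_ALLOW_ORIGINS
              value: "{{ .Values.kubeconfig.allowOrigins }}"
            - name: APP_PROVISIONER_KUBERNETES_VERSION
              value: "{{ .Values.gardener.kubernetesVersion }}"
            - name: APP_PROVISIONER_MACHINE_IMAGE
              value: "{{ .Values.gardener.machineImage }}"
            - name: APP_PROVISIONER_MACHINE_IMAGE_VERSION
              value: "{{ .Values.gardener.machineImageVersion }}"
            - name: APP_PROVISIONER_TRIAL_NODES_NUMBER
              value: "{{ .Values.gardener.trialNodesNumber }}"
            - name: APP_PROVISIONER_AUTO_UPDATE_KUBERNETES_VERSION
              value: "{{ .Values.gardener.autoUpdateKubernetesVersion }}"
            - name: APP_PROVISIONER_AUTO_UPDATE_MACHINE_IMAGE_VERSION
              value: "{{ .Values.gardener.autoUpdateMachineImageVersion }}"
            - name: APP_PROVISIONER_MULTI_ZONE_CLUSTER
              value: "{{ .Values.gardener.multiZoneCluster }}"
            - name: APP_PROVISIONER_CONTROL_PLANE_FAILURE_TOLERANCE
              value: "{{ .Values.gardener.controlPlaneFailureTolerance }}"
            - name: APP_DEFAULT_REQUEST_REGION
              value: "{{ .Values.broker.defaultRequestRegion }}"
            - name: APP_UPDATE_PROCESSING_ENABLED
              value: "{{ .Values.osbUpdateProcessingEnabled }}"
            # --- Notifications / in-cluster config objects --------------------
            - name: APP_NOTIFICATION_URL
              value: "{{ .Values.notification.url }}"
            - name: APP_NOTIFICATION_DISABLED
              value: "{{ .Values.notification.disabled }}"
            - name: APP_VERSION_CONFIG_NAMESPACE
              value: "{{ .Release.Namespace }}"
            - name: APP_VERSION_CONFIG_NAME
              value: "kyma-versions"
            - name: APP_DOMAIN_NAME
              value: "{{ .Values.global.ingress.domainName }}"
            - name: APP_SKR_OIDC_DEFAULT_VALUES_YAML_FILE_PATH
              value: /config/skrOIDCDefaultValues.yaml
            - name: APP_SKR_DNS_PROVIDERS_VALUES_YAML_FILE_PATH
              value: /config/skrDNSProvidersValues.yaml
            - name: APP_ORCHESTRATION_CONFIG_NAMESPACE
              value: "{{ .Release.Namespace }}"
            - name: APP_ORCHESTRATION_CONFIG_NAME
              value: "orchestration-config"
            - name: APP_NEW_ADDITIONAL_RUNTIME_COMPONENTS_YAML_FILE_PATH
              value: /config/newAdditionalRuntimeComponents.yaml
            - name: APP_PROFILER_MEMORY
              value: "{{ .Values.broker.profiler.memory }}"
            - name: APP_KYMA_DASHBOARD_CONFIG_LANDSCAPE_URL
              value: "{{ .Values.dashboardConfig.landscapeURL }}"
            - name: APP_EVENTS_ENABLED
              value: "{{ .Values.broker.events.enabled }}"
          ports:
            - name: http
              containerPort: {{ .Values.broker.port }}
              protocol: TCP
          # Both probes hit the separate status port, not the OSB API port.
          livenessProbe:
            httpGet:
              path: /healthz
              port: {{ .Values.broker.statusPort }}
            periodSeconds: 10
            timeoutSeconds: 3
            initialDelaySeconds: 30
          readinessProbe:
            httpGet:
              path: /healthz
              port: {{ .Values.broker.statusPort }}
            periodSeconds: 5
            timeoutSeconds: 2
            initialDelaySeconds: 10
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
            # Gardener kubeconfig is a credential: mounted read-only.
            - mountPath: /gardener/kubeconfig
              name: gardener-kubeconfig
              readOnly: true
            - mountPath: /config
              name: config-volume
            - mountPath: /swagger/schema
              name: swagger-volume
            {{- if .Values.broker.profiler.memory }}
            - name: keb-memory-profile
              mountPath: /tmp/profiler
              readOnly: false
            {{- end }}
            {{- if and (eq .Values.global.database.embedded.enabled false) (eq .Values.global.database.cloudsqlproxy.enabled false) }}
            - name: cloudsql-sslrootcert
              mountPath: /secrets/cloudsql-sslrootcert
              readOnly: true
            {{- end }}
        {{- if and (eq .Values.global.database.embedded.enabled false) (eq .Values.global.database.cloudsqlproxy.enabled true) }}
        # Cloud SQL proxy sidecar. With workload identity enabled no
        # long-lived credential file is mounted; otherwise the proxy reads a
        # service-account key from the cloudsql-instance-credentials secret.
        - name: cloudsql-proxy
          image: "{{ .Values.global.images.cloudsql_proxy_image }}"
          {{- if .Values.global.database.cloudsqlproxy.workloadIdentity.enabled }}
          command:
            - /cloud_sql_proxy
            - "-instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432"
          {{- else }}
          command:
            - /cloud_sql_proxy
            - "-instances={{ .Values.global.database.managedGCP.instanceConnectionName }}=tcp:5432"
            - "-credential_file=/secrets/cloudsql-instance-credentials/credentials.json"
          volumeMounts:
            - name: cloudsql-instance-credentials
              mountPath: /secrets/cloudsql-instance-credentials
              readOnly: true
          {{- end }}
          {{- with .Values.deployment.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
        {{- end }}
      volumes:
        - name: config-volume
          configMap:
            name: {{ include "kyma-env-broker.fullname" . }}
        - name: swagger-volume
          configMap:
            name: {{ include "kyma-env-broker.fullname" . }}-swagger
        {{- if and (eq .Values.global.database.embedded.enabled false) (eq .Values.global.database.cloudsqlproxy.enabled true) (eq .Values.global.database.cloudsqlproxy.workloadIdentity.enabled false) }}
        - name: cloudsql-instance-credentials
          secret:
            secretName: cloudsql-instance-credentials
        {{- end }}
        {{- if and (eq .Values.global.database.embedded.enabled false) (eq .Values.global.database.cloudsqlproxy.enabled false) }}
        # Server CA for direct (non-proxied) TLS connections to the database;
        # the key is optional so the volume still mounts when no CA is set.
        - name: cloudsql-sslrootcert
          secret:
            secretName: kcp-postgresql
            items:
              - key: postgresql-sslRootCert
                path: server-ca.pem
            optional: true
        {{- end }}
        - name: gardener-kubeconfig
          secret:
            secretName: {{ .Values.gardener.secretName }}
        {{- if .Values.broker.profiler.memory }}
        - name: keb-memory-profile
          persistentVolumeClaim:
            claimName: {{ include "kyma-env-broker.fullname" . }}-profiler
        {{- end }}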