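# Source: github.com/oam-dev/kubevela@v1.9.11/charts/vela-core/templates/kubevela-controller.yaml
#
# Renders the vela-core controller: its ServiceAccount, the RBAC it runs with,
# and the controller Deployment. Which RBAC gets bound is decided by
# .Values.authentication.enabled (see the comments on each document); the same
# value also drives the AuthenticateApplication feature gate passed to the
# controller further down.
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "kubevela.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kubevela.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}

{{ if .Values.authentication.enabled }}
---
# Scoped ClusterRole, rendered only when authentication is enabled.
# Two rules deserve attention from anyone auditing the release: the cluster-wide
# "impersonate" verb on users/groups/serviceaccounts lets this identity act as
# other principals, and secrets are readable cluster-wide. The token for this
# ServiceAccount should therefore stay confined to the controller pod.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "kubevela.fullname" . }}:manager
rules:
  - apiGroups: ["core.oam.dev", "terraform.core.oam.dev", "prism.oam.dev", "standard.oam.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["cluster.open-cluster-management.io"]
    resources: ["managedclusters"]
    verbs: ["get", "list", "watch"]
  # Impersonation: needed for the authentication feature (presumably the
  # AuthenticateApplication gate below acts on behalf of application owners).
  - apiGroups: [""]
    resources: ["users", "groups", "serviceaccounts"]
    verbs: ["impersonate"]
  - apiGroups: [""]
    resources: ["namespaces", "secrets", "services"]
    verbs: ["get", "watch", "list"]
  - apiGroups: [""]
    resources: ["configmaps", "events"]
    verbs: ["*"]
  - apiGroups: ["apps"]
    resources: ["controllerrevisions"]
    verbs: ["*"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["*"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["flowcontrol.apiserver.k8s.io"]
    resources: ["prioritylevelconfigurations", "flowschemas"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["*"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["*"]
---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "kubevela.fullname" . }}:manager-authentication-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "kubevela.fullname" . }}:manager
subjects:
  - kind: ServiceAccount
    name: {{ include "kubevela.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}

{{ else }}

---

# With authentication disabled the controller ServiceAccount is bound to the
# built-in cluster-admin ClusterRole instead of the scoped role above, i.e. the
# controller holds full cluster privileges in this mode.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "kubevela.fullname" . }}:manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: "cluster-admin"
subjects:
  - kind: ServiceAccount
    name: {{ include "kubevela.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}

{{ end }}


{{ if and .Values.sharding.enabled .Values.authentication.enabled }}
---
# Pod read access in the release namespace for the shard scheduler; only needed
# (and only rendered) when sharding runs under the scoped ClusterRole, since
# cluster-admin already covers it otherwise.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "kubevela.fullname" . }}:shard-scheduler
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "kubevela.fullname" . }}:shard-scheduler
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "kubevela.fullname" . }}:shard-scheduler
subjects:
  # NOTE(review): the subject omits "namespace", same as the leader-election
  # binding below — presumably resolved to the binding's namespace; verify.
  - kind: ServiceAccount
    name: {{ include "kubevela.serviceAccountName" . }}
{{ end }}

---
# permissions to do leader election.
# Namespaced: full CRUD on configmaps plus event creation in the release
# namespace (the controller is always started with --enable-leader-election).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "kubevela.fullname" . }}:leader-election-role
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - configmaps/status
    verbs:
      - get
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "kubevela.fullname" . }}:leader-election-rolebinding
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "kubevela.fullname" . }}:leader-election-role
subjects:
  - kind: ServiceAccount
    name: {{ include "kubevela.serviceAccountName" . }}

---
# permissions to read the view of VelaQL, schemas, and templates.
# Read-only on configmaps in the release namespace; granted to the
# "template-reader" group (every member of that group gets this access).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "kubevela.fullname" . }}:template-reader-role
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps/status
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "kubevela.fullname" . }}:template-reader-binding
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "kubevela.fullname" . }}:template-reader-role
subjects:
  - kind: Group
    name: template-reader
---
# The controller Deployment. Pod and container securityContext come verbatim
# from .Values.podSecurityContext / .Values.securityContext.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "kubevela.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    controller.oam.dev/name: vela-core
    {{- include "kubevela.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      {{- include "kubevela.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "kubevela.selectorLabels" . | nindent 8 }}
        {{ if .Values.sharding.enabled }}
        controller.core.oam.dev/shard-id: master
        {{ end }}
      annotations:
        # Metrics are served on the port given by --metrics-addr below.
        prometheus.io/path: /metrics
        prometheus.io/port: "8080"
        prometheus.io/scrape: "true"
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "kubevela.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Release.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          args:
            - "--metrics-addr=:8080"
            - "--enable-leader-election"
            {{ if ne .Values.logFilePath "" }}
            - "--log-file-path={{ .Values.logFilePath }}"
            - "--log-file-max-size={{ .Values.logFileMaxSize }}"
            {{ end }}
            {{ if .Values.logDebug }}
            - "--log-debug=true"
            {{ end }}
            {{ if .Values.admissionWebhooks.enabled }}
            - "--use-webhook=true"
            - "--webhook-port={{ .Values.webhookService.port }}"
            - "--webhook-cert-dir={{ .Values.admissionWebhooks.certificate.mountPath }}"
            {{ end }}
            {{ if ne .Values.optimize.cachedGvks "" }}
            - "--optimize-cached-gvks={{ .Values.optimize.cachedGvks }}"
            {{ end }}
            {{ if .Values.optimize.markWithProb }}
            - "--optimize-mark-with-prob={{ .Values.optimize.markWithProb }}"
            {{ end }}
            {{ if .Values.optimize.disableComponentRevision }}
            - "--optimize-disable-component-revision"
            {{ end }}
            {{ if .Values.optimize.disableApplicationRevision }}
            - "--optimize-disable-application-revision"
            {{ end }}
            {{ if .Values.optimize.enableInMemoryWorkflowContext }}
            - "--optimize-enable-in-memory-workflow-context"
            {{ end }}
            {{ if .Values.optimize.disableResourceApplyDoubleCheck }}
            - "--optimize-disable-resource-apply-double-check"
            {{ end }}
            {{ if not .Values.optimize.enableResourceTrackerDeleteOnlyTrigger }}
            - "--optimize-enable-resource-tracker-delete-only-trigger=false"
            {{ end }}
            # The health endpoint is configured unconditionally; the probes that
            # consume it are rendered further down (see the note there).
            - "--health-addr=:{{ .Values.healthCheck.port }}"
            - "--system-definition-namespace={{ include "systemDefinitionNamespace" . }}"
            - "--application-revision-limit={{ .Values.applicationRevisionLimit }}"
            - "--definition-revision-limit={{ .Values.definitionRevisionLimit }}"
            {{ if .Values.multicluster.enabled }}
            - "--enable-cluster-gateway"
            {{ if .Values.multicluster.clusterGateway.direct }}
            - "--cluster-gateway-url={{ .Release.Name }}-cluster-gateway-service:9443"
            {{ if .Values.multicluster.clusterGateway.secureTLS.enabled }}
            # CA file comes from the tls-cert-vol-cg volume mounted below.
            - "--cluster-gateway-ca-file=/cluster-gateway-tls-cert/ca"
            {{ end }}
            {{ end }}
            {{ end }}
            {{ if .Values.multicluster.metrics.enabled }}
            - "--enable-cluster-metrics"
            {{ end }}
            - "--application-re-sync-period={{ .Values.controllerArgs.reSyncPeriod }}"
            - "--concurrent-reconciles={{ .Values.concurrentReconciles }}"
            - "--kube-api-qps={{ .Values.kubeClient.qps }}"
            - "--kube-api-burst={{ .Values.kubeClient.burst }}"
            - "--max-workflow-wait-backoff-time={{ .Values.workflow.backoff.maxTime.waitState }}"
            - "--max-workflow-failed-backoff-time={{ .Values.workflow.backoff.maxTime.failedState }}"
            - "--max-workflow-step-error-retry-times={{ .Values.workflow.step.errorRetryTimes }}"
            # Feature gates: each is rendered as "Name=true|false" via toString;
            # AuthenticateApplication follows .Values.authentication.enabled, the
            # same switch that selects the scoped ClusterRole vs cluster-admin.
            - "--feature-gates=EnableSuspendOnFailure={{- .Values.workflow.enableSuspendOnFailure | toString -}}"
            - "--feature-gates=AuthenticateApplication={{- .Values.authentication.enabled | toString -}}"
            - "--feature-gates=GzipResourceTracker={{- .Values.featureGates.gzipResourceTracker | toString -}}"
            - "--feature-gates=ZstdResourceTracker={{- .Values.featureGates.zstdResourceTracker | toString -}}"
            - "--feature-gates=ApplyOnce={{- .Values.featureGates.applyOnce | toString -}}"
            - "--feature-gates=MultiStageComponentApply={{- .Values.featureGates.multiStageComponentApply | toString -}}"
            - "--feature-gates=GzipApplicationRevision={{- .Values.featureGates.gzipApplicationRevision | toString -}}"
            - "--feature-gates=ZstdApplicationRevision={{- .Values.featureGates.zstdApplicationRevision | toString -}}"
            - "--feature-gates=PreDispatchDryRun={{- .Values.featureGates.preDispatchDryRun | toString -}}"
            - "--feature-gates=DisableBootstrapClusterInfo={{- .Values.featureGates.disableBootstrapClusterInfo | toString -}}"
            - "--feature-gates=InformerCacheFilterUnnecessaryFields={{- .Values.featureGates.informerCacheFilterUnnecessaryFields | toString -}}"
            - "--feature-gates=SharedDefinitionStorageForApplicationRevision={{- .Values.featureGates.sharedDefinitionStorageForApplicationRevision | toString -}}"
            - "--feature-gates=DisableWorkflowContextConfigMapCache={{- .Values.featureGates.disableWorkflowContextConfigMapCache | toString -}}"
            {{ if .Values.authentication.enabled }}
            {{ if .Values.authentication.withUser }}
            - "--authentication-with-user"
            {{ end }}
            - "--authentication-default-user={{ .Values.authentication.defaultUser }}"
            - "--authentication-group-pattern={{ .Values.authentication.groupPattern }}"
            {{ end }}
            {{ if .Values.sharding.enabled }}
            - "--enable-sharding"
            - "--schedulable-shards={{ .Values.sharding.schedulableShards }}"
            - "--feature-gates=ValidateComponentWhenSharding={{- .Values.featureGates.validateComponentWhenSharding | toString -}}"
            - "--feature-gates=DisableWebhookAutoSchedule={{- .Values.featureGates.disableWebhookAutoSchedule | toString -}}"
            {{ end }}
          image: {{ .Values.imageRegistry }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
          imagePullPolicy: {{ quote .Values.image.pullPolicy }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          # NOTE(review): container ports, the readiness/liveness probes and the
          # TLS volume mounts are all rendered only when admissionWebhooks.enabled,
          # although --health-addr is always passed above. Confirm whether running
          # without probes when webhooks are disabled is intended.
          {{ if .Values.admissionWebhooks.enabled }}
          ports:
            - containerPort: {{ .Values.webhookService.port }}
              name: webhook-server
              protocol: TCP
            - containerPort: {{ .Values.healthCheck.port }}
              name: healthz
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /readyz
              port: healthz
            initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
            timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
            failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
            successThreshold: {{ .Values.readinessProbe.successThreshold }}
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
            timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
            failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
            successThreshold: {{ .Values.livenessProbe.successThreshold }}
          # Certificate material is mounted read-only from Secrets.
          volumeMounts:
            - mountPath: {{ .Values.admissionWebhooks.certificate.mountPath }}
              name: tls-cert-vol
              readOnly: true
            {{ if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled .Values.multicluster.clusterGateway.direct }}
            - mountPath: /cluster-gateway-tls-cert
              name: tls-cert-vol-cg
              readOnly: true
            {{ end }}
          {{ end }}
      {{ if .Values.admissionWebhooks.enabled }}
      volumes:
        - name: tls-cert-vol
          secret:
            # 420 is decimal for file mode 0644.
            defaultMode: 420
            secretName: {{ template "kubevela.fullname" . }}-admission
        {{ if and .Values.multicluster.enabled .Values.multicluster.clusterGateway.secureTLS.enabled .Values.multicluster.clusterGateway.direct }}
        - name: tls-cert-vol-cg
          secret:
            defaultMode: 420
            secretName: {{ template "kubevela.fullname" . }}-cluster-gateway-tls-v2
        {{ end }}
      {{ end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      affinity:
        {{ if .Values.affinity }}
        {{- toYaml .Values.affinity | nindent 8 }}
        {{ else }}
        # Default: prefer spreading controller replicas across nodes.
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    {{- include "kubevela.selectorLabels" . | nindent 20 }}
                topologyKey: kubernetes.io/hostname
              weight: 100
        {{ end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}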