github.com/replicatedcom/ship@v0.50.0/integration/init/istio-1.0.3/expected/.ship/upstream/charts/security/templates/deployment.yaml (about) 1 # istio CA watching all namespaces 2 apiVersion: extensions/v1beta1 3 kind: Deployment 4 metadata: 5 name: istio-citadel 6 namespace: {{ .Release.Namespace }} 7 labels: 8 app: {{ template "security.name" . }} 9 chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 10 release: {{ .Release.Name }} 11 heritage: {{ .Release.Service }} 12 istio: citadel 13 spec: 14 replicas: {{ .Values.replicaCount }} 15 template: 16 metadata: 17 labels: 18 istio: citadel 19 annotations: 20 sidecar.istio.io/inject: "false" 21 scheduler.alpha.kubernetes.io/critical-pod: "" 22 spec: 23 serviceAccountName: istio-citadel-service-account 24 {{- if .Values.global.priorityClassName }} 25 priorityClassName: "{{ .Values.global.priorityClassName }}" 26 {{- end }} 27 containers: 28 - name: citadel 29 image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" 30 imagePullPolicy: {{ .Values.global.imagePullPolicy }} 31 args: 32 - --append-dns-names=true 33 - --grpc-port=8060 34 - --grpc-hostname=citadel 35 - --citadel-storage-namespace={{ .Release.Namespace }} 36 - --custom-dns-names=istio-pilot-service-account.{{ .Release.Namespace }}:istio-pilot.{{ .Release.Namespace }},istio-ingressgateway-service-account.{{ .Release.Namespace }}:istio-ingressgateway.{{ .Release.Namespace }} 37 {{- if .Values.selfSigned }} 38 - --self-signed-ca=true 39 {{- else }} 40 - --self-signed-ca=false 41 - --signing-cert=/etc/cacerts/ca-cert.pem 42 - --signing-key=/etc/cacerts/ca-key.pem 43 - --root-cert=/etc/cacerts/root-cert.pem 44 - --cert-chain=/etc/cacerts/cert-chain.pem 45 {{- end }} 46 resources: 47 {{- if .Values.resources }} 48 {{ toYaml .Values.resources | indent 12 }} 49 {{- else }} 50 {{ toYaml .Values.global.defaultResources | indent 12 }} 51 {{- end }} 52 {{- if not .Values.selfSigned }} 53 volumeMounts: 54 - name: cacerts 55 mountPath: /etc/cacerts 56 readOnly: true 57 volumes: 58 - name: cacerts 59 secret: 60 secretName: cacerts 61 optional: true 62 {{- end }} 63 affinity: 64 {{- include "nodeaffinity" . | indent 6 }}