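# Copyright (c) 2022, 2023, Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
#
# File: platform-operator/helm_config/charts/verrazzano-cluster-operator/templates/deployment.yaml
#       (github.com/verrazzano/verrazzano@v1.7.0)
#
# Helm template that renders two Deployments from the same image value:
#   1. the operator, named by the chart's name value;
#   2. its webhook server, named "<name>-webhook".
# Both run a single replica, opt out of Istio sidecar injection, drop all
# Linux capabilities, forbid privilege escalation, and run as a non-root
# UID/GID under the RuntimeDefault seccomp profile.
#
# Templated scalars are quoted so that a value which looks like a number or a
# boolean still renders as a string; label and annotation values must be
# strings for the API server to accept them.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Values.name | quote }}
  namespace: {{ .Values.namespace | quote }}
  labels:
    app: {{ .Values.name | quote }}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: {{ .Values.name | quote }}
  template:
    metadata:
      labels:
        app: {{ .Values.name | quote }}
        # NOTE(review): with injection disabled this pod presumably sits outside
        # mesh mTLS and mesh authorization policy; confirm that access to the
        # metrics port (9100) is restricted some other way, e.g. a NetworkPolicy.
        sidecar.istio.io/inject: 'false'
      annotations:
        # SHA-256 of the rendered chart values: any change to the values changes
        # the pod template and therefore triggers a rollout. tpl evaluates
        # template expressions embedded in the values, so the values supplied to
        # this chart must come from a trusted source.
        verrazzano.io/checksum: {{ tpl (toYaml .Values) . | sha256sum | quote }}
    spec:
      # No grace period is given on termination.
      terminationGracePeriodSeconds: 0
      initContainers:
        # Runs wait4webhook.sh before the operator container starts; the script
        # is not shown here, presumably it blocks until the webhook is serving.
        - name: webhookswait
          imagePullPolicy: {{ .Values.imagePullPolicy | quote }}
          # NOTE(review): whether the image is pinned by digest or referenced by
          # a mutable tag is decided in the chart values, not in this template.
          image: {{ .Values.image | quote }}
          command: ['sh', '-c', '/usr/local/bin/wait4webhook.sh']
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      {{- if .Values.affinity }}
      # Optional scheduling constraints, copied verbatim from the affinity value.
      affinity: {{ toYaml .Values.affinity | nindent 8 }}
      {{- end }}
      containers:
        # NOTE(review): no resource requests or limits are set on the containers
        # of this Deployment; limits would bound the effect of a runaway process
        # on the node.
        - name: {{ .Values.name | quote }}
          image: {{ .Values.image | quote }}
          imagePullPolicy: {{ .Values.imagePullPolicy | quote }}
          env:
            # Read from the "enabled" key of the "<name>-selector" ConfigMap.
            # This reference is not marked optional, so the ConfigMap and key
            # must exist for the container to start, even though the volume
            # below that mounts the same ConfigMap is optional.
            - name: CLUSTER_SYNC_ENABLED
              valueFrom:
                configMapKeyRef:
                  name: "{{ .Values.name }}-selector"
                  key: enabled
            # NOTE(review): presumably the lifetime of tokens issued for Argo CD
            # cluster registration; confirm the unit and keep it as short as
            # operations allow.
            - name: ARGOCD_CLUSTER_TOKEN_TTL
              value: "{{ .Values.argoCDClusterTokenTTL }}"
          volumeMounts:
            - name: cluster-selector
              mountPath: /var/syncClusters
          ports:
            - containerPort: 9100
              name: http-metric
              protocol: TCP
          # NOTE(review): readOnlyRootFilesystem is not set; consider enabling it
          # once it is confirmed the process writes only to mounted volumes.
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      serviceAccountName: {{ .Values.name | quote }}
      volumes:
        # Only selector.yaml is projected from the ConfigMap; the volume mounts
        # empty if the ConfigMap is absent.
        - name: cluster-selector
          configMap:
            name: "{{ .Values.name }}-selector"
            items:
              - key: selector.yaml
                path: selector.yaml
            optional: true
      # Pod-level settings: apply to the init container and the operator container.
      securityContext:
        runAsUser: 1000
        runAsGroup: 999
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
---
# Webhook server Deployment. An init container prepares /etc/certs in a shared
# emptyDir, then webhook-run serves on 9443 (webhook) and 9100 (metrics).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "{{ .Values.name }}-webhook"
  namespace: {{ .Values.namespace | quote }}
  labels:
    app: "{{ .Values.name }}-webhook"
    app.kubernetes.io/version: {{ .Chart.Version | quote }}
spec:
  replicas: 1
  # Surge one new pod and never take the old one down first, so a pod is always
  # scheduled during an upgrade.
  # NOTE(review): no readinessProbe is defined, so "available" here means the
  # container has started, not that port 9443 is answering.
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0
      maxSurge: 1
  selector:
    matchLabels:
      app: "{{ .Values.name }}-webhook"
  template:
    metadata:
      labels:
        app: "{{ .Values.name }}-webhook"
        app.kubernetes.io/version: {{ .Chart.Version | quote }}
        sidecar.istio.io/inject: 'false'
    spec:
      # No grace period is given on termination.
      terminationGracePeriodSeconds: 0
      {{- if .Values.webhookAffinity }}
      # Optional scheduling constraints, copied verbatim from the webhookAffinity value.
      affinity: {{ toYaml .Values.webhookAffinity | nindent 8 }}
      {{- end }}
      initContainers:
        # Same image as the server, started with --run-webhook-init=true;
        # presumably this step writes the serving certificate and key into
        # /etc/certs (the implementation is not shown here).
        - name: initwebhooks
          imagePullPolicy: {{ .Values.imagePullPolicy | quote }}
          image: {{ .Values.image | quote }}
          args:
            - --zap-log-level=info
            - --run-webhook-init=true
          # Only a memory request is set; there is no limit.
          resources:
            requests:
              memory: 72Mi
          volumeMounts:
            - name: webhook-certs
              mountPath: /etc/certs
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      containers:
        - name: webhook-run
          image: {{ .Values.image | quote }}
          imagePullPolicy: {{ .Values.imagePullPolicy | quote }}
          args:
            - --zap-log-level=info
            - --run-webhooks=true
          volumeMounts:
            - name: webhook-certs
              mountPath: /etc/certs
          # Only a memory request is set; there is no limit.
          resources:
            requests:
              memory: 72Mi
          ports:
            - containerPort: 9100
              name: http-metric
              protocol: TCP
            - containerPort: 9443
              name: webhook
              protocol: TCP
          # NOTE(review): readOnlyRootFilesystem is not set; /etc/certs is a
          # mounted volume, so it may be possible to enable it. Confirm first.
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      volumes:
        # Per-pod scratch volume shared by initwebhooks and webhook-run.
        # NOTE(review): a default emptyDir is backed by node storage; if private
        # key material is written here, "medium: Memory" would keep it off disk
        # (at the cost of counting against the pod's memory).
        - name: webhook-certs
          emptyDir: {}
      # NOTE(review): this is the same service account the operator Deployment
      # uses, so the webhook pod holds whatever RBAC the operator is granted
      # (bindings are not shown here). A dedicated, narrower account would
      # follow least privilege.
      serviceAccountName: {{ .Values.name | quote }}
      # Pod-level settings: apply to both the init container and webhook-run.
      securityContext:
        runAsUser: 1000
        runAsGroup: 999
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault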