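{{/*
Source: github.com/verrazzano/verrazzano@v1.7.0/platform-operator/thirdparty/charts/oam-kubernetes-runtime/templates/oam-controller.yaml

Helm template for the OAM runtime controller. It renders, in order:
  1. the controller ServiceAccount (only when .Values.serviceAccount.create is set),
  2. an aggregated ClusterRole bound to that ServiceAccount cluster-wide,
  3. the base ClusterRole whose rules are aggregated into (2),
  4. the ClusterRoleBinding for (2),
  5. a namespaced Role and RoleBinding used for leader election,
  6. the controller Deployment.

Changes relative to the listing this was restored from:
  - .Values.extraLabels is rendered inside a "with" guard, so an empty or
    unset value no longer emits a bare "{}" or "null" line under the pod labels.
  - The leader-election RoleBinding names the ServiceAccount's namespace
    explicitly, consistent with the ClusterRoleBinding.
  - imagePullSecrets uses nindent like every other toYaml call in the file
    (same rendered output).
*/}}
---
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "oam-kubernetes-runtime.serviceAccountName" . }}
  labels:
    {{- include "oam-kubernetes-runtime.labels" . | nindent 4 }}
{{- end }}

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "oam-kubernetes-runtime.fullname" . }}
  labels:
    {{- include "oam-kubernetes-runtime.labels" . | nindent 4 }}
# This role carries no rules of its own: the control plane fills them in from
# every ClusterRole labelled rbac.oam.dev/aggregate-to-controller: "true".
# The effective permissions of the controller are therefore the union of all
# ClusterRoles carrying that label, not only the one defined in this file.
# Review which ClusterRoles carry the label and who is allowed to create or
# relabel ClusterRoles when auditing this binding.
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.oam.dev/aggregate-to-controller: "true"

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "oam-kubernetes-runtime.fullname" . }}:system:aggregate-to-controller
  labels:
    {{- include "oam-kubernetes-runtime.labels" . | nindent 4 }}
    rbac.oam.dev/aggregate-to-controller: "true"
# Base rule set aggregated into the controller ClusterRole. Because that role
# is attached with a ClusterRoleBinding, every rule below applies in all
# namespaces. Write access to Deployments in every namespace allows running
# workloads under any ServiceAccount of that namespace, so the controller's
# token should be treated as highly privileged.
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - events
      - services
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
      - controllerrevisions
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  # Wildcard resources: any resource later added to these API groups is
  # covered automatically. Enumerate the resources if least privilege matters
  # more than forward compatibility.
  - apiGroups:
      - core.oam.dev
    resources:
      - "*"
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - oam.verrazzano.io
    resources:
      - "*"
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "oam-kubernetes-runtime.fullname" . }}
  labels:
    {{- include "oam-kubernetes-runtime.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "oam-kubernetes-runtime.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "oam-kubernetes-runtime.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}

---
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "oam-kubernetes-runtime.fullname" . }}-leader-election
  labels:
    {{- include "oam-kubernetes-runtime.labels" . | nindent 4 }}
# NOTE(review): this grants read/write/delete on every ConfigMap in the
# release namespace, not only the election lock. The lock name is not visible
# in this template; if it is fixed, the non-create verbs could be narrowed
# with resourceNames.
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  # NOTE(review): "configmaps/status" looks like scaffold residue; confirm
  # that anything depends on it before keeping the rule.
  - apiGroups:
      - ""
    resources:
      - configmaps/status
    verbs:
      - get
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "oam-kubernetes-runtime.fullname" . }}-leader-election
  labels:
    {{- include "oam-kubernetes-runtime.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "oam-kubernetes-runtime.fullname" . }}-leader-election
subjects:
  - kind: ServiceAccount
    name: {{ include "oam-kubernetes-runtime.serviceAccountName" . }}
    # Stated explicitly so the subject is unambiguous and matches the
    # ClusterRoleBinding; when omitted, the subject is resolved against the
    # RoleBinding's own namespace.
    namespace: {{ .Release.Namespace }}

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "oam-kubernetes-runtime.fullname" . }}
  labels:
    {{- include "oam-kubernetes-runtime.labels" . | nindent 4 }}
spec:
  selector:
    matchLabels:
      {{- include "oam-kubernetes-runtime.selectorLabels" . | nindent 6 }}
  replicas: {{ .Values.replicaCount }}
  template:
    metadata:
      labels:
        {{- include "oam-kubernetes-runtime.selectorLabels" . | nindent 8 }}
        {{- /* Guarded: toYaml of an empty or unset map would render "{}" or "null" as a stray line in this mapping. */}}
        {{- with .Values.extraLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      # The pod runs with the cluster-wide permissions bound above.
      serviceAccountName: {{ include "oam-kubernetes-runtime.serviceAccountName" . }}
      # Pod- and container-level hardening comes entirely from values
      # (podSecurityContext / securityContext); values.yaml is not shown here.
      # Confirm it sets runAsNonRoot, allowPrivilegeEscalation: false,
      # readOnlyRootFilesystem and drops capabilities.
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      {{- if .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml .Values.imagePullSecrets | nindent 8 }}
      {{- end }}
      containers:
        - name: {{ .Release.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          # ":8080" binds the metrics listener on every pod interface. No
          # authentication for it is configured in this template; restrict
          # access with a NetworkPolicy if the metrics are sensitive.
          args:
            - "--metrics-addr=:8080"
            - "--enable-leader-election"
          {{ if .Values.useWebhook }}
            - "--use-webhook=true"
            - "--webhook-port={{ .Values.webhookService.port }}"
            - "--webhook-cert-dir={{ .Values.certificate.mountPath }}"
          {{ end }}
          # The image is selected by tag. Referencing it by digest instead
          # guarantees that the deployed content cannot change under the tag.
          image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
          imagePullPolicy: {{ quote .Values.image.pullPolicy }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          {{ if .Values.useWebhook }}
          ports:
            - containerPort: {{ .Values.webhookService.port }}
              name: webhook-server
              protocol: TCP
          volumeMounts:
            # Webhook serving certificate and key, mounted read-only.
            - mountPath: {{ .Values.certificate.mountPath }}
              name: tls-cert
              readOnly: true
          {{ end }}
      {{ if .Values.useWebhook }}
      volumes:
        - name: tls-cert
          secret:
            # Decimal 420 is octal 0644: the key material is readable by any
            # user inside the container. A tighter mode is possible when the
            # container's user is known.
            defaultMode: 420
            secretName: {{ .Values.certificate.secretName | quote }}
      {{ end }}
      terminationGracePeriodSeconds: 10
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}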