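# Helm template for the Rancher server Deployment
# (platform-operator/thirdparty/charts/rancher/templates/deployment.yaml, verrazzano v1.7.0).
# Everything read from .Values is operator-supplied chart configuration; the named
# templates (rancher.fullname, rancher.name, rancher.labels, linux-node-*) are
# defined outside this file.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: {{ template "rancher.fullname" . }}
  # A negative replicas value omits spec.replicas below and records its
  # absolute value in the scale-available annotation instead.
  annotations:
{{- if (lt (int .Values.replicas) 0) }}
    management.cattle.io/scale-available: "{{ sub 0 (int .Values.replicas)}}"
{{- end }}
  labels:
{{ include "rancher.labels" . | indent 4 }}
spec:
{{- if (gt (int .Values.replicas) 0) }}
  replicas: {{ .Values.replicas }}
{{- end }}
  selector:
    matchLabels:
      app: {{ template "rancher.fullname" . }}
  strategy:
    rollingUpdate:
      maxSurge: 1
      # With a single replica the old pod is kept until the new one is ready.
{{- if (eq (int .Values.replicas) 1) }}
      maxUnavailable: 0
{{- else }}
      maxUnavailable: 1
{{- end }}
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: {{ template "rancher.fullname" . }}
        release: {{ .Release.Name }}
    spec:
      priorityClassName: {{ .Values.priorityClassName }}
      # The pod runs under a service account named after the release; its RBAC
      # bindings are not part of this template.
      serviceAccountName: {{ template "rancher.fullname" . }}
{{- if .Values.imagePullSecrets }}
      imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 6 }}
{{- end }}
      # A complete .Values.affinity replaces every default below; otherwise the
      # pod/anti/node affinity sections are assembled one by one.
      affinity:
{{- if .Values.affinity }}
{{ toYaml .Values.affinity | indent 8 }}
{{- else }}
{{- if .Values.podAffinity }}
        podAffinity:
{{ toYaml .Values.podAffinity | indent 10 }}
{{- end }}
        podAntiAffinity:
{{- if .Values.podAntiAffinity }}
{{ toYaml .Values.podAntiAffinity | indent 10 }}
{{- else }}
{{- if eq .Values.antiAffinity "required" }}
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - {{ template "rancher.fullname" . }}
            topologyKey: {{ .Values.topologyKey | default "kubernetes.io/hostname" }}
{{- else }}
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - {{ template "rancher.fullname" . }}
              topologyKey: {{ .Values.topologyKey | default "kubernetes.io/hostname" }}
{{- end }}
{{- end }}
        nodeAffinity:
{{- if .Values.nodeAffinity }}
{{ toYaml .Values.nodeAffinity | indent 10 }}
{{- else }}
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms: {{ include "linux-node-selector-terms" . | nindent 14 }}
{{- end }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
      topologySpreadConstraints:
{{ toYaml .Values.topologySpreadConstraints | indent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
      nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
      containers:
      # The image is referenced by tag (rancherImageTag, falling back to the
      # chart's appVersion), not by digest, and the default pull policy
      # IfNotPresent reuses whatever a node has already cached under that tag.
      - image: {{ .Values.rancherImage }}:{{ default .Chart.AppVersion .Values.rancherImageTag }}
        imagePullPolicy: {{ default "IfNotPresent" .Values.rancherImagePullPolicy }}
        name: {{ template "rancher.name" . }}
        ports:
        - containerPort: 80
          protocol: TCP
        # When .Values.hostPort is a positive number, container port 444 is bound
        # to that port on the node itself.
        # NOTE(review): the listen-port args below are 80 and 443; confirm what
        # serves 444, and that host ports are permitted by cluster policy (the
        # Baseline Pod Security Standard restricts them).
{{- if (and .Values.hostPort (gt (int .Values.hostPort) 0)) }}
        - containerPort: 444
          hostPort: {{ int .Values.hostPort }}
          protocol: TCP
{{- end}}
        args:
{{- if .Values.debug }}
        - "--debug"
{{- end }}
{{- if .Values.privateCA }}
        # Private CA - don't clear ca certs
{{- else if and (eq .Values.tls "ingress") (eq .Values.ingress.tls.source "rancher") }}
        # Rancher self-signed - don't clear ca certs
{{- else }}
        # Public trusted CA - clear ca certs
        - "--no-cacerts"
{{- end }}
        - "--http-listen-port=80"
        - "--https-listen-port=443"
        - "--add-local={{ .Values.addLocal }}"
        env:
        # Env values must be strings. The templated values that were bare
        # scalars are piped through quote so that a namespace such as 123 or
        # true, or any number- or boolean-looking setting, is not re-typed by
        # the YAML parser and rejected by the API server.
        - name: CATTLE_NAMESPACE
          value: {{ .Release.Namespace | quote }}
        - name: CATTLE_PEER_SERVICE
          value: {{ template "rancher.fullname" . }}
{{- if .Values.features }}
        - name: CATTLE_FEATURES
          value: "{{ .Values.features }}"
{{- end}}
{{- if .Values.noDefaultAdmin }}
        - name: CATTLE_NO_DEFAULT_ADMIN
          value: "{{ .Values.noDefaultAdmin }}"
{{- end}}
        # Audit settings are only passed when auditLog.level is above 0; at
        # level 0 no AUDIT_* variable and no audit-log volume is rendered.
{{- if gt (int .Values.auditLog.level) 0 }}
        - name: AUDIT_LEVEL
          value: {{ .Values.auditLog.level | quote }}
        - name: AUDIT_LOG_MAXAGE
          value: {{ .Values.auditLog.maxAge | quote }}
        - name: AUDIT_LOG_MAXBACKUP
          value: {{ .Values.auditLog.maxBackup | quote }}
        - name: AUDIT_LOG_MAXSIZE
          value: {{ .Values.auditLog.maxSize | quote }}
{{- end }}
        # A proxy URL that embeds credentials would be stored in clear text in
        # the Deployment spec and visible to anyone who can read the pod.
{{- if .Values.proxy }}
        - name: HTTP_PROXY
          value: {{ .Values.proxy | quote }}
        - name: HTTPS_PROXY
          value: {{ .Values.proxy | quote }}
        - name: NO_PROXY
          value: {{ .Values.noProxy | quote }}
{{- end }}
{{- if .Values.systemDefaultRegistry }}
        - name: CATTLE_SYSTEM_DEFAULT_REGISTRY
          value: {{ .Values.systemDefaultRegistry | quote }}
{{- end }}
{{- if .Values.useBundledSystemChart }}
        - name: CATTLE_SYSTEM_CATALOG
          value: bundled
{{- end }}
{{- if .Values.restrictedAdmin }}
        - name: CATTLE_RESTRICTED_DEFAULT_ADMIN
          value: "true"
{{- end}}
        # The bootstrap password is not inlined: the container reads it from
        # key bootstrapPassword of Secret bootstrap-secret, which is created
        # outside this template.
{{- if .Values.bootstrapPassword }}
        - name: CATTLE_BOOTSTRAP_PASSWORD
          valueFrom:
            secretKeyRef:
              name: "bootstrap-secret"
              key: "bootstrapPassword"
{{- end }}
        # extraEnv is rendered verbatim. A literal value placed here ends up in
        # clear text in the Deployment spec; sensitive entries should use
        # valueFrom.secretKeyRef instead.
{{- if .Values.extraEnv }}
{{ toYaml .Values.extraEnv | indent 8}}
{{- end }}
        # All probes use plain HTTP on port 80 at /healthz.
        livenessProbe:
          httpGet:
            path: /healthz
            port: 80
          initialDelaySeconds: {{.Values.livenessProbe.initialDelaySeconds | default 60 }}
          periodSeconds: {{ .Values.livenessProbe.periodSeconds | default 30 }}
        readinessProbe:
          httpGet:
            path: /healthz
            port: 80
          initialDelaySeconds: {{.Values.readinessProbe.initialDelaySeconds | default 5}}
          periodSeconds: {{ .Values.readinessProbe.periodSeconds | default 30}}
{{- if .Values.startupProbe }}
        startupProbe:
          httpGet:
            path: /healthz
            port: 80
          failureThreshold: {{.Values.startupProbe.failureThreshold | default 1}}
          periodSeconds: {{ .Values.startupProbe.periodSeconds | default 30}}
{{- end }}
        # Only capabilities.add is set: nothing is dropped, and runAsNonRoot,
        # allowPrivilegeEscalation and readOnlyRootFilesystem are left at their
        # defaults. MKNOD and SYS_CHROOT are both within what the Baseline Pod
        # Security Standard allows to be added; the Restricted profile would
        # reject this container.
        # NOTE(review): confirm whether "drop: [ALL]" plus these two additions
        # is enough for Rancher before tightening.
        # CRI-O does not deliver MKNOD by default so we need to add it
        securityContext:
          capabilities:
            add:
              - MKNOD
              # additional capabilities are required on some systems to fork kontainerdriver processes.
              - SYS_CHROOT
        resources:
{{ toYaml .Values.resources | indent 10 }}
        volumeMounts:
{{- if .Values.additionalTrustedCAs }}
        # The additional CA bundle is mounted read-only at both trust locations.
        - mountPath: /etc/pki/trust/anchors/ca-additional.pem
          name: tls-ca-additional-volume
          subPath: ca-additional.pem
          readOnly: true
        - mountPath: /etc/rancher/ssl/ca-additional.pem
          name: tls-ca-additional-volume
          subPath: ca-additional.pem
          readOnly: true
{{- end }}
{{- if .Values.privateCA }}
        # Pass CA cert into rancher for private CA
        - mountPath: /etc/rancher/ssl/cacerts.pem
          name: tls-ca-volume
          subPath: cacerts.pem
          readOnly: true
{{- end }}
{{- if and .Values.customLogos.enabled (or (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (and (eq .Values.customLogos.volumeKind "configMap") (.Values.customLogos.volumeName))) }}
        # Mount rancher custom-logos volume
        # NOTE(review): these mounts are not marked readOnly, and whoever can
        # write the backing PVC or ConfigMap controls the files under these UI
        # asset paths - confirm who has that access.
        - mountPath: /usr/share/rancher/ui/assets/images/logos
          name: custom-logos
          subPath: {{ .Values.customLogos.volumeSubpaths.emberUi | default "ember" | quote }}
        - mountPath: /usr/share/rancher/ui-dashboard/dashboard/_nuxt/assets/images/pl
          name: custom-logos
          subPath: {{ .Values.customLogos.volumeSubpaths.vueUi | default "vue" | quote }}
{{- end }}
{{- if gt (int .Values.auditLog.level) 0 }}
        - mountPath: /var/log/auditlog
          name: audit-log
{{- end }}
{{- if eq .Values.auditLog.destination "sidecar" }}
{{- if gt (int .Values.auditLog.level) 0 }}
      # Make audit logs available for Rancher log collector tools.
      # The sidecar only runs "tail -F" on the audit file, so the records reach
      # its stdout.
      # NOTE(review): it declares no securityContext or resources, and its
      # audit-log mount is writable although it only reads - consider
      # readOnly: true so the sidecar cannot alter audit records.
{{- if .Values.busyboxImage }}
      - image: {{ .Values.busyboxImage}}
{{- else }}
      - image: {{ .Values.auditLog.image.repository }}:{{.Values.auditLog.image.tag}}
{{- end }}
{{- if .Values.busyboxImagePullPolicy }}
        imagePullPolicy: {{ .Values.busyboxImagePullPolicy }}
{{- else }}
        imagePullPolicy: {{ .Values.auditLog.image.pullPolicy }}
{{- end }}
        name: {{ template "rancher.name" . }}-audit-log
        command: ["tail"]
        args: ["-F", "/var/log/auditlog/rancher-api-audit.log"]
        volumeMounts:
        - mountPath: /var/log/auditlog
          name: audit-log
{{- end }}
{{- end }}
      volumes:
      # defaultMode 0400 is octal (decimal 256): owner read-only. The
      # leading-zero form is read as octal by YAML 1.1 parsers; a JSON manifest
      # would need 256.
{{- if .Values.additionalTrustedCAs }}
      - name: tls-ca-additional-volume
        secret:
          defaultMode: 0400
          secretName: tls-ca-additional
{{- end }}
{{- if .Values.privateCA }}
      - name: tls-ca-volume
        secret:
          defaultMode: 0400
          secretName: tls-ca
{{- end }}
      # Audit log storage: with destination "hostPath" the records are written
      # to the node's filesystem at the configured path (created if missing);
      # any other destination uses an emptyDir that is discarded with the pod.
      # hostPath volumes are forbidden by the Baseline Pod Security Standard,
      # so that mode needs an explicit policy exemption.
{{- if gt (int .Values.auditLog.level) 0 }}
{{- if eq .Values.auditLog.destination "hostPath" }}
      - name: audit-log
        hostPath:
          path: {{ .Values.auditLog.hostPath | quote }}
          type: DirectoryOrCreate
{{- else }}
      - name: audit-log
        emptyDir: {}
{{- end }}
{{- end }}
{{- if and .Values.customLogos.enabled (or (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (and (eq .Values.customLogos.volumeKind "configMap") (.Values.customLogos.volumeName))) }}
      - name: custom-logos
{{- if (eq .Values.customLogos.volumeKind "persistentVolumeClaim") }}
        persistentVolumeClaim:
          claimName: {{ .Values.customLogos.volumeName | default (printf "%s-custom-logos" (include "rancher.fullname" .)) }}
{{- else if (eq .Values.customLogos.volumeKind "configMap") }}
        configMap:
          name: {{ .Values.customLogos.volumeName }}
{{- end }}
{{- end }}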