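# Deployment for the example aggregated API server plus an etcd sidecar.
# Rendered by Helm; the `nindent` values below assume the indentation used
# in this file (2-space, indented block sequences), so keep them in step
# if the layout changes.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "example-apiserver.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "example-apiserver.labels" . | nindent 4 }}
    app.kubernetes.io/component: apiserver
spec:
  # Replica count is only pinned when the HPA is disabled; otherwise the
  # autoscaler owns it.
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "example-apiserver.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/component: apiserver
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "example-apiserver.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/component: apiserver
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "example-apiserver.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        # Insecure etcd sidecar used as the API server's storage backend.
        # No client-certificate authentication is configured and it listens
        # on all pod interfaces (0.0.0.0); the API server in this pod reaches
        # it over 127.0.0.1. The advertise URL presumably points at a Service
        # named .Values.etcd.svc.name — verify that Service does not expose
        # this port beyond the pod (e.g. via a NetworkPolicy).
        - name: etcd
          # Quoted like the apiserver image below so the rendered value is
          # always a string regardless of what the tag looks like.
          image: "{{ .Values.etcd.image.repository }}:{{ .Values.etcd.image.tag }}"
          imagePullPolicy: {{ .Values.etcd.imagePullPolicy }}
          command:
            - etcd
            - --listen-client-urls={{ .Values.etcd.svc.protocol }}://0.0.0.0:{{ .Values.etcd.svc.port }}
            - --advertise-client-urls={{ .Values.etcd.svc.protocol }}://{{ .Values.etcd.svc.name }}:{{ .Values.etcd.svc.port }}
          ports:
            - containerPort: {{ .Values.etcd.svc.port }}
          readinessProbe:
            httpGet:
              # Keep the probe scheme in step with the listen URL scheme;
              # httpGet defaults to HTTP and would fail against an https
              # listener. For "http" this renders the default "HTTP".
              scheme: {{ .Values.etcd.svc.protocol | upper }}
              port: {{ .Values.etcd.svc.port }}
              path: /health
            failureThreshold: 1
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          livenessProbe:
            httpGet:
              scheme: {{ .Values.etcd.svc.protocol | upper }}
              port: {{ .Values.etcd.svc.port }}
              path: /health
            failureThreshold: 3
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - name: http
              containerPort: 443
              protocol: TCP
          # Probes for the API server are not enabled yet; the aggregated
          # server serves TLS on 443, so an httpGet probe would need
          # scheme: HTTPS.
          # livenessProbe:
          #   httpGet:
          #     path: /
          #     port: http
          # readinessProbe:
          #   httpGet:
          #     path: /
          #     port: http
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
            # Serving certificate/key, read-only.
            - name: apiserver-certs
              mountPath: /apiserver.local.config/certificates
              readOnly: true
            # Kubeconfig used for delegated authN/authZ, read-only. The file
            # name (admin.conf) suggests highly privileged credentials —
            # confirm the least-privileged kubeconfig that can still create
            # tokenreviews/subjectaccessreviews is what gets generated.
            - name: kubeconfig
              mountPath: /kubeconfig
              readOnly: true
          command:
            - "./apiserver"
          args:
            # https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/#kubernetes-apiserver-client-authentication
            # authN kubeconfig looks up the configmap kube-system/extension-apiserver-authentication
            - --authentication-kubeconfig=/kubeconfig/admin.conf
            # authZ kubeconfig creates subjectaccessreviews.authorization.k8s.io
            - --authorization-kubeconfig=/kubeconfig/admin.conf
            # https://github.com/kubernetes-sigs/apiserver-builder-alpha/blob/master/docs/concepts/auth.md#delegated-token-authentication
            - --delegated-auth=true
            # Talks to the sidecar over the pod's loopback interface.
            - --etcd-servers=http://127.0.0.1:{{ .Values.etcd.svc.port }}
            # Server certificates must be signed with CA used in apiregistration object
            - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
            - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
            # Maximum klog verbosity; this is a debugging setting that logs
            # far more than a production deployment should. Lower it (or
            # make it a chart value) before using this chart outside
            # development.
            - -v=10
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      volumes:
        - name: apiserver-certs
          secret:
            # Generated by konkservice's kubectl pod
            secretName: {{ include "example-apiserver.konk-service-name" . }}-server
        - name: kubeconfig
          secret:
            secretName: {{ include "example-apiserver.konk-service-name" . }}-kubeconfig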