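# Deployment for the vault-secrets-webhook mutating admission webhook.
# Most pod-level settings (security contexts, extra volumes, init containers,
# env) are rendered as supplied in the chart values, so the hardening of the
# resulting pod depends on the values file in use.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ template "vault-secrets-webhook.fullname" . }}
  # Quoted: a namespace or release name such as "123" or "true" is a valid
  # DNS label but would otherwise be parsed as a number or boolean and be
  # rejected by the API server.
  namespace: {{ .Release.Namespace | quote }}
  labels:
    helm.sh/chart: {{ template "vault-secrets-webhook.chart" . }}
    app.kubernetes.io/name: {{ template "vault-secrets-webhook.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/component: mutating-webhook
    {{- if .Values.labels }}
{{ toYaml .Values.labels | indent 4 }}
    {{- end }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ template "vault-secrets-webhook.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name | quote }}
  {{- if .Values.deployment }}
  {{- if .Values.deployment.strategy }}
  strategy:
{{ toYaml .Values.deployment.strategy | indent 4 }}
  {{- end }}
  {{- end }}
  template:
    metadata:
      labels:
        app.kubernetes.io/name: {{ template "vault-secrets-webhook.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name | quote }}
        # NOTE(review): presumably excludes the webhook's own pods from
        # mutation; confirm against the webhook configuration's selector.
        security.banzaicloud.io/mutate: skip
        {{- if .Values.labels }}
{{ toYaml .Values.labels | indent 8 }}
        {{- end }}
      annotations:
        # Digest of the rendered apiservice-webhook.yaml template: when that
        # output changes, the pod template changes and the pods are rolled.
        # Quoted so a digest that happens to look numeric stays a string.
        checksum/config: {{ include (print $.Template.BasePath "/apiservice-webhook.yaml") . | sha256sum | quote }}
      {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
      {{- end }}
    spec:
      # hostNetwork puts the pod in the node's network namespace, so the
      # webhook port is bound on the node itself. Leave unset unless the
      # cluster's networking requires it.
      {{- if .Values.hostNetwork}}
      hostNetwork: {{ .Values.hostNetwork}}
      {{- end }}
      {{- with .Values.dnsPolicy }}
      dnsPolicy: {{ . | quote }}
      {{- end }}
      serviceAccountName: {{ template "vault-secrets-webhook.serviceAccountName" . }}
      {{- if .Values.priorityClassName }}
      priorityClassName: {{ .Values.priorityClassName | quote }}
      {{- end }}
      volumes:
        # TLS serving certificate and private key for the webhook endpoint.
        - name: serving-cert
          secret:
            # 420 is decimal for octal 0644: tls.key is readable by every UID
            # in the container. NOTE(review): tightening the mode requires
            # that the webhook's runtime UID/GID can still read the file (for
            # example through fsGroup in podSecurityContext); verify first.
            defaultMode: 420
            secretName: {{ include "vault-secrets-webhook.servingCertificate" . }}
      # Extra volumes are rendered exactly as supplied in the values.
      {{- if .Values.volumes }}
{{ toYaml .Values.volumes | indent 8 }}
      {{- end }}
      {{- if .Values.image.imagePullSecrets }}
      imagePullSecrets:
{{ toYaml .Values.image.imagePullSecrets | indent 8 }}
      {{- end }}
      # Init containers are rendered exactly as supplied, including any
      # securityContext they carry.
      {{- if .Values.initContainers }}
      initContainers:
{{ toYaml .Values.initContainers | indent 8}}
      {{- end }}
      containers:
        - name: {{ .Chart.Name }}
          # The tag is resolved by a chart helper that is not shown here.
          image: "{{ .Values.image.repository }}:{{ include "vault-secrets-webhook.bank-vaults.version" . }}"
          env:
            - name: TLS_CERT_FILE
              value: /var/serving-cert/tls.crt
            - name: TLS_PRIVATE_KEY_FILE
              value: /var/serving-cert/tls.key
            - name: LISTEN_ADDRESS
              value: ":{{ .Values.service.internalPort }}"
            {{- if .Values.debug }}
            # NOTE(review): confirm that debug logging never prints secret
            # values before enabling this outside a test cluster.
            - name: LOG_LEVEL
              value: "debug"
            {{- end }}
            # NOTE(review): presumably the image the webhook injects into
            # the pods it mutates; confirm against the webhook code.
            - name: VAULT_ENV_IMAGE
              value: "{{ .Values.vaultEnv.repository }}:{{ include "vault-secrets-webhook.vault-env.version" . }}"
            # Extra environment variables from the values. Names and values
            # are quoted so that entries such as NO or 1.10 stay strings.
            # Anything placed here is stored in plain text in the Deployment
            # spec, so credentials do not belong in this map.
            {{- range $key, $value := .Values.env }}
            - name: {{ $key | quote }}
              value: {{ $value | quote }}
            {{- end }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - containerPort: {{ .Values.service.internalPort }}
          # Only a readiness probe is defined; it is served over HTTPS on
          # the webhook port.
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: {{ .Values.service.internalPort }}
          volumeMounts:
            - mountPath: /var/serving-cert
              name: serving-cert
              # The TLS_* variables above only point at files to read, so
              # the key material is mounted read-only explicitly.
              readOnly: true
          {{- if .Values.volumeMounts }}
{{ toYaml .Values.volumeMounts | indent 12 }}
          {{- end }}
          # Rendered unconditionally from the values. Review the chart
          # defaults for runAsNonRoot, allowPrivilegeEscalation,
          # readOnlyRootFilesystem and dropped capabilities.
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          resources:
{{ toYaml .Values.resources | indent 12 }}
      {{- if .Values.nodeSelector }}
      nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
      {{- end }}
      {{- if .Values.tolerations }}
      tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
      {{- end }}
      {{- if .Values.affinity }}
      affinity:
{{ toYaml .Values.affinity | indent 8 }}
      {{- end }}
      # Pod-level securityContext is emitted only when set in the values.
      {{- if .Values.podSecurityContext }}
      securityContext:
{{ toYaml .Values.podSecurityContext | indent 8 }}
      {{- end }}
      {{- if .Values.topologySpreadConstraints }}
      topologySpreadConstraints:
{{ toYaml .Values.topologySpreadConstraints | indent 8 }}
      {{- end }}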