# # Warning to maintainers, any changes to this file that are not specific to the StatefulSet need to also be duplicated # in the deployment.yaml file. # {{- $replicaCount := (coalesce .Values.replicaCount .Values.highAvailability.replicaCount "1") }} apiVersion: apps/v1 kind: StatefulSet metadata: name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} labels: app: {{ .Release.Name }} {{- if .Values.extraLabels.deployment }} {{- toYaml .Values.extraLabels.deployment | nindent 4 }} {{- end }} spec: serviceName: {{ .Release.Name }} replicas: {{ $replicaCount }} selector: matchLabels: app: {{ .Release.Name }} template: metadata: annotations: # ConfigMap checksum, to recreate the pod on config changes. checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }} {{- if .Values.annotations.pod }} {{- toYaml .Values.annotations.pod | nindent 8 }} {{- end }} labels: app: {{ .Release.Name }} {{- if .Values.extraLabels.pod }} {{- toYaml .Values.extraLabels.pod | nindent 8 }} {{- end }} spec: {{- if .Values.dnsConfig }} dnsConfig: {{- toYaml .Values.dnsConfig | nindent 8 }} {{- end }} {{- if .Values.dnsPolicy }} dnsPolicy: {{ .Values.dnsPolicy | quote }} {{- end }} {{- if .Values.hostAliases }} hostAliases: {{- toYaml .Values.hostAliases | nindent 8 }} {{- end }} securityContext: fsGroup: 9807 {{- if or .Values.affinity (gt (int $replicaCount) 1) }} affinity: {{- if .Values.affinity }} {{- if .Values.highAvailability.requireAntiAffinity }} {{- fail "Cannot use highAvailability.requireAntiAffinity when affinity is also set in chart values - unset one or the other" }} {{- end }} {{- toYaml .Values.affinity | nindent 8 }} {{- else }} podAntiAffinity: {{- if .Values.highAvailability.requireAntiAffinity }} requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: app operator: In values: - {{ .Release.Name }} topologyKey: "kubernetes.io/hostname" {{- else if gt (int $replicaCount) 1 }} preferredDuringSchedulingIgnoredDuringExecution: - weight: 50 podAffinityTerm: labelSelector: matchExpressions: - key: app operator: In values: - {{ .Release.Name }} topologyKey: "kubernetes.io/hostname" {{- end }} {{- end }} {{- end }} {{- if .Values.tolerations }} tolerations: {{- toYaml .Values.tolerations | nindent 6 }} {{- end }} {{- if .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml .Values.imagePullSecrets | nindent 6 }} {{- end }} {{- if .Values.initContainers }} initContainers: {{- toYaml .Values.initContainers | nindent 6 }} {{- if .Values.resources }} resources: {{- toYaml .Values.resources | nindent 10 }} {{- end }} {{- if .Values.initSecurityContext }} securityContext: {{- toYaml .Values.initSecurityContext | nindent 10 }} {{- end }} volumeMounts: - mountPath: /etc/teleport name: "config" readOnly: true - mountPath: /etc/teleport-secrets name: "auth-token" readOnly: true - mountPath: /var/lib/teleport name: "{{ .Release.Name }}-teleport-data" {{- if .Values.tls.existingCASecretName }} - mountPath: /etc/teleport-tls-ca name: "teleport-tls-ca" readOnly: true {{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} {{- end }} {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} serviceAccountName: {{ template "teleport-kube-agent.serviceAccountName" . }} {{- if .Values.nodeSelector }} nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }} {{- end }} containers: - name: "teleport" image: {{ include "teleport-kube-agent.image" . | quote }} {{- if .Values.imagePullPolicy }} imagePullPolicy: {{ toYaml .Values.imagePullPolicy }} {{- end }} env: # This variable is set for telemetry purposes. # Telemetry is opt-in and controlled at the auth level. - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - name: TELEPORT_REPLICA_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: KUBE_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: RELEASE_NAME value: {{ .Release.Name }} {{- if .Values.updater.enabled }} - name: TELEPORT_EXT_UPGRADER value: kube {{- end }} {{- if .Values.tls.existingCASecretName }} - name: SSL_CERT_FILE value: /etc/teleport-tls-ca/ca.pem {{- end }} {{- if .Values.extraEnv }} {{- toYaml .Values.extraEnv | nindent 10 }} {{- end }} args: - "--diag-addr=0.0.0.0:3000" {{- if .Values.insecureSkipProxyTLSVerify }} - "--insecure" {{- end }} {{- if .Values.extraArgs }} {{- toYaml .Values.extraArgs | nindent 8 }} {{- end }} {{- if .Values.securityContext }} securityContext: {{- toYaml .Values.securityContext | nindent 10 }} {{- end }} ports: - name: diag containerPort: 3000 protocol: TCP livenessProbe: httpGet: path: /healthz port: diag initialDelaySeconds: 5 # wait 5s for agent to start periodSeconds: 5 # poll health every 5s failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s) timeoutSeconds: {{ .Values.probeTimeoutSeconds }} readinessProbe: httpGet: path: /readyz port: diag initialDelaySeconds: 5 # wait 5s for agent to register periodSeconds: 5 # poll health every 5s failureThreshold: 12 # consider agent unhealthy after 60s (12 * 5s) timeoutSeconds: {{ .Values.probeTimeoutSeconds }} {{- if .Values.resources }} resources: {{- toYaml .Values.resources | nindent 10 }} {{- end }} volumeMounts: - mountPath: /etc/teleport name: "config" readOnly: true - mountPath: /etc/teleport-secrets name: "auth-token" readOnly: true {{- if .Values.storage.enabled }} - mountPath: /var/lib/teleport name: "{{ .Release.Name }}-teleport-data" {{- else }} - mountPath: /var/lib/teleport name: "data" {{- end }} {{- if .Values.tls.existingCASecretName }} - mountPath: /etc/teleport-tls-ca name: "teleport-tls-ca" readOnly: true {{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} volumes: - name: "config" configMap: name: {{ .Release.Name }} - name: "auth-token" secret: secretName: {{ coalesce .Values.secretName .Values.joinTokenSecret.name }} {{- if not .Values.storage.enabled }} - name: "data" emptyDir: {} {{- end}} {{- if .Values.tls.existingCASecretName }} - name: "teleport-tls-ca" secret: secretName: {{ .Values.tls.existingCASecretName }} {{- end }} {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 6 }} {{- end }} {{- if and .Values.storage.enabled }} volumeClaimTemplates: - metadata: name: "{{ .Release.Name }}-teleport-data" spec: accessModes: [ "ReadWriteOnce" ] storageClassName: {{ .Values.storage.storageClassName }} resources: requests: storage: {{ .Values.storage.requests }} {{- end }}