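{{- /*
Deployment for the kube-agent-updater, rendered only when `updater.enabled`
is set. `$updater` is a deep copy of the chart values with the `updater`
sub-tree merged on top, so any key under `updater:` overrides the chart-wide
value of the same name in this template only.
*/ -}}
{{- if .Values.updater.enabled -}}
{{- $updater := mustMergeOverwrite (mustDeepCopy .Values) .Values.updater -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-updater
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ .Release.Name }}-updater
    {{- if $updater.extraLabels.deployment }}
    {{- toYaml $updater.extraLabels.deployment | nindent 4 }}
    {{- end }}
  {{- if $updater.annotations.deployment }}
  annotations: {{- toYaml $updater.annotations.deployment | nindent 4 }}
  {{- end }}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: {{ .Release.Name }}-updater
  template:
    metadata:
      annotations:
        {{- if $updater.annotations.pod }}
        {{- toYaml $updater.annotations.pod | nindent 8 }}
        {{- end }}
      labels:
        app: {{ .Release.Name }}-updater
        {{- if $updater.extraLabels.pod }}
        {{- toYaml $updater.extraLabels.pod | nindent 8 }}
        {{- end }}
    spec:
      {{- if $updater.affinity }}
      affinity: {{- toYaml $updater.affinity | nindent 8 }}
      {{- end }}
      {{- if $updater.tolerations }}
      tolerations: {{- toYaml $updater.tolerations | nindent 8 }}
      {{- end }}
      {{- if $updater.imagePullSecrets }}
      imagePullSecrets: {{- toYaml $updater.imagePullSecrets | nindent 8 }}
      {{- end }}
      {{- if $updater.nodeSelector }}
      nodeSelector: {{- toYaml $updater.nodeSelector | nindent 8 }}
      {{- end }}
      containers:
      - name: "kube-agent-updater"
        {{- /* The image is referenced by tag (chart version helper), not by digest. */}}
        image: "{{ $updater.image }}:{{ include "teleport-kube-agent.version" . }}"
        {{- if $updater.imagePullPolicy }}
        imagePullPolicy: {{ toYaml $updater.imagePullPolicy }}
        {{- end }}
        {{- if or $updater.extraEnv $updater.tls.existingCASecretName }}
        env:
        {{- if (gt (len $updater.extraEnv) 0) }}
          {{- toYaml $updater.extraEnv | nindent 8 }}
        {{- end }}
        {{- if $updater.tls.existingCASecretName }}
        {{- /*
        Points the updater at the CA bundle mounted from the secret below; the
        secret therefore has to carry a `ca.pem` key.
        */}}
        - name: SSL_CERT_FILE
          value: /etc/teleport-tls-ca/ca.pem
        # Used to track whether a Teleport agent was installed using this method.
        {{- /*
        EnvVar.value is a string field: an unquoted `true` is parsed as a YAML
        boolean and the API server rejects the Deployment, so it is quoted.
        NOTE(review): this marker is only emitted when a custom CA secret is
        configured - confirm that coupling is intended.
        */}}
        - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
          value: "true"
        {{- end }}
        {{- end }}
        {{- /*
        NOTE(review): presumably the version server and channel decide which
        agent version the updater rolls out - treat both as trusted
        supply-chain inputs and confirm the URL is an HTTPS endpoint you control
        or trust.
        */}}
        args:
          - "--agent-name={{ .Release.Name }}"
          - "--agent-namespace={{ .Release.Namespace }}"
          - "--base-image={{ include "teleport-kube-agent.baseImage" . }}"
          - "--version-server={{ $updater.versionServer }}"
          - "--version-channel={{ $updater.releaseChannel }}"
        {{- /*
        The container securityContext is rendered only when the value is
        non-empty; clearing it in values leaves the container on the runtime
        and namespace defaults.
        */}}
        {{- if $updater.securityContext }}
        securityContext: {{- toYaml $updater.securityContext | nindent 10 }}
        {{- end }}
        ports:
        - name: metrics
          containerPort: 8080
          protocol: TCP
        - name: healthz
          containerPort: 8081
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /healthz
            port: healthz
          initialDelaySeconds: 5
          periodSeconds: 5
          failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s)
          timeoutSeconds: 5
        readinessProbe:
          httpGet:
            path: /readyz
            port: healthz
          initialDelaySeconds: 5
          periodSeconds: 5
          failureThreshold: 6 # consider unready after 30s
          timeoutSeconds: 5
        {{- if $updater.resources }}
        resources: {{- toYaml $updater.resources | nindent 10 }}
        {{- end }}
        {{- if $updater.tls.existingCASecretName }}
        volumeMounts:
        - mountPath: /etc/teleport-tls-ca
          name: "teleport-tls-ca"
          readOnly: true
      volumes:
      - name: "teleport-tls-ca"
        secret:
          {{- /* Quoted so a numeric- or boolean-looking name stays a string. */}}
          secretName: {{ $updater.tls.existingCASecretName | quote }}
      {{- end }}
      {{- if $updater.priorityClassName }}
      priorityClassName: {{ $updater.priorityClassName | quote }}
      {{- end }}
      serviceAccountName: {{ template "teleport-kube-agent-updater.serviceAccountName" . }}
{{- end -}}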