forked from suse-edge/Factory
166 lines
6.5 KiB
YAML
166 lines
6.5 KiB
YAML
|
{{- if .Values.webhookConfiguration.enabled }}
|
||
|
apiVersion: v1
|
||
|
kind: List
|
||
|
metadata:
|
||
|
name: {{ .Values.webhookConfiguration.name }}
|
||
|
labels: {{- include "akri.labels" . | nindent 4 }}
|
||
|
items:
|
||
|
- apiVersion: v1
|
||
|
kind: ServiceAccount
|
||
|
metadata:
|
||
|
name: {{ .Values.webhookConfiguration.name }}
|
||
|
namespace: {{ .Release.Namespace }}
|
||
|
labels: {{- include "akri.labels" . | nindent 8 }}
|
||
|
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
|
||
|
app.kubernetes.io/component: admission-webhook
|
||
|
- apiVersion: rbac.authorization.k8s.io/v1
|
||
|
kind: Role
|
||
|
metadata:
|
||
|
name: {{ .Values.webhookConfiguration.name }}
|
||
|
namespace: {{ .Release.Namespace }}
|
||
|
labels: {{- include "akri.labels" . | nindent 8 }}
|
||
|
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
|
||
|
app.kubernetes.io/component: admission-webhook
|
||
|
rules:
|
||
|
- apiGroups: [""]
|
||
|
resources: ["pods"]
|
||
|
verbs: ["get"]
|
||
|
- apiVersion: rbac.authorization.k8s.io/v1
|
||
|
kind: RoleBinding
|
||
|
metadata:
|
||
|
name: {{ .Values.webhookConfiguration.name }}
|
||
|
namespace: {{ .Release.Namespace }}
|
||
|
labels: {{- include "akri.labels" . | nindent 8 }}
|
||
|
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
|
||
|
app.kubernetes.io/component: admission-webhook
|
||
|
roleRef:
|
||
|
apiGroup: rbac.authorization.k8s.io
|
||
|
kind: Role
|
||
|
name: {{ .Values.webhookConfiguration.name }}
|
||
|
subjects:
|
||
|
- kind: ServiceAccount
|
||
|
name: {{ .Values.webhookConfiguration.name }}
|
||
|
namespace: {{ .Release.Namespace }}
|
||
|
- apiVersion: apps/v1
|
||
|
kind: Deployment
|
||
|
metadata:
|
||
|
name: {{ .Values.webhookConfiguration.name }}
|
||
|
labels: {{- include "akri.labels" . | nindent 8 }}
|
||
|
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
|
||
|
app.kubernetes.io/component: admission-webhook
|
||
|
spec:
|
||
|
replicas: 1
|
||
|
selector:
|
||
|
matchLabels: {{- include "akri.selectorLabels" . | nindent 10 }}
|
||
|
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
|
||
|
template:
|
||
|
metadata:
|
||
|
labels: {{- include "akri.labels" . | nindent 12 }}
|
||
|
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
|
||
|
app.kubernetes.io/component: admission-webhook
|
||
|
spec:
|
||
|
{{- if .Values.rbac.enabled }}
|
||
|
serviceAccountName: {{ .Values.webhookConfiguration.name }}
|
||
|
{{- end }}
|
||
|
containers:
|
||
|
- name: webhook
|
||
|
{{- if .Values.useDevelopmentContainers }}
|
||
|
{{- if .Values.useLatestContainers }}
|
||
|
image: {{ printf "%s:latest-dev" .Values.webhookConfiguration.image.repository | quote }}
|
||
|
{{- else }}
|
||
|
image: {{ printf "%s:%s" .Values.webhookConfiguration.image.repository (default (printf "v%s-dev" .Chart.AppVersion) .Values.webhookConfiguration.image.tag) | quote }}
|
||
|
{{- end }}
|
||
|
{{- else }}
|
||
|
{{- if .Values.useLatestContainers }}
|
||
|
image: {{ printf "%s:latest" .Values.webhookConfiguration.image.repository | quote }}
|
||
|
{{- else }}
|
||
|
image: {{ printf "%s:%s" .Values.webhookConfiguration.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.webhookConfiguration.image.tag) | quote }}
|
||
|
{{- end }}
|
||
|
{{- end }}
|
||
|
imagePullPolicy: {{ .Values.webhookConfiguration.image.pullPolicy }}
|
||
|
resources:
|
||
|
requests:
|
||
|
memory: {{ .Values.webhookConfiguration.resources.memoryRequest }}
|
||
|
cpu: {{ .Values.webhookConfiguration.resources.cpuRequest }}
|
||
|
limits:
|
||
|
memory: {{ .Values.webhookConfiguration.resources.memoryLimit }}
|
||
|
cpu: {{ .Values.webhookConfiguration.resources.cpuLimit }}
|
||
|
args:
|
||
|
- --tls-crt-file=/secrets/tls.crt
|
||
|
- --tls-key-file=/secrets/tls.key
|
||
|
- --port=8443
|
||
|
volumeMounts:
|
||
|
- name: secrets
|
||
|
mountPath: /secrets
|
||
|
readOnly: true
|
||
|
volumes:
|
||
|
- name: secrets
|
||
|
secret:
|
||
|
secretName: {{ .Values.webhookConfiguration.name }}
|
||
|
{{- with .Values.imagePullSecrets }}
|
||
|
imagePullSecrets:
|
||
|
{{- toYaml . | nindent 12 }}
|
||
|
{{- end }}
|
||
|
{{- if .Values.webhookConfiguration.allowOnControlPlane }}
|
||
|
tolerations:
|
||
|
{{- /* Allow this pod to run on the master. */}}
|
||
|
- key: node-role.kubernetes.io/master
|
||
|
effect: NoSchedule
|
||
|
{{- end }}
|
||
|
nodeSelector:
|
||
|
{{- if .Values.webhookConfiguration.nodeSelectors }}
|
||
|
{{- toYaml .Values.webhookConfiguration.nodeSelectors | nindent 8 }}
|
||
|
{{- end }}
|
||
|
"kubernetes.io/os": linux
|
||
|
{{- if .Values.webhookConfiguration.onlyOnControlPlane }}
|
||
|
node-role.kubernetes.io/master: ""
|
||
|
{{- end }}
|
||
|
- apiVersion: v1
|
||
|
kind: Service
|
||
|
metadata:
|
||
|
name: {{ .Values.webhookConfiguration.name }}
|
||
|
labels: {{- include "akri.labels" . | nindent 8 }}
|
||
|
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
|
||
|
app.kubernetes.io/component: admission-webhook
|
||
|
spec:
|
||
|
selector: {{- include "akri.selectorLabels" . | nindent 8 }}
|
||
|
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
|
||
|
ports:
|
||
|
- name: http
|
||
|
port: 443
|
||
|
targetPort: 8443
|
||
|
- apiVersion: admissionregistration.k8s.io/v1
|
||
|
kind: ValidatingWebhookConfiguration
|
||
|
metadata:
|
||
|
name: {{ .Values.webhookConfiguration.name }}
|
||
|
labels: {{- include "akri.labels" . | nindent 8 }}
|
||
|
app.kubernetes.io/name: {{ .Values.webhookConfiguration.name }}
|
||
|
app.kubernetes.io/component: admission-webhook
|
||
|
webhooks:
|
||
|
- name: {{ .Values.webhookConfiguration.name }}.{{ .Release.Namespace }}.svc
|
||
|
clientConfig:
|
||
|
service:
|
||
|
name: {{ .Values.webhookConfiguration.name }}
|
||
|
namespace: {{ .Release.Namespace }}
|
||
|
port: 443
|
||
|
path: "/validate"
|
||
|
{{- if .Values.webhookConfiguration.caBundle }}
|
||
|
caBundle: {{ .Values.webhookConfiguration.caBundle }}
|
||
|
{{- end }}
|
||
|
rules:
|
||
|
- operations:
|
||
|
- "CREATE"
|
||
|
- "UPDATE"
|
||
|
apiGroups:
|
||
|
- {{ .Values.crds.group }}
|
||
|
apiVersions:
|
||
|
- {{ .Values.crds.version }}
|
||
|
resources:
|
||
|
- "configurations"
|
||
|
scope: "*"
|
||
|
admissionReviewVersions:
|
||
|
- v1
|
||
|
- v1beta1
|
||
|
sideEffects: None
|
||
|
{{- end }}
|