{{- if .Values.serviceAccount.create -}}
# ServiceAccount identity for the controller Deployment defined later in this
# file. Rendered only when serviceAccount.create is set in the chart values.
# NOTE(review): the same account name is a subject of the cluster-admin
# ClusterRoleBinding in this file, so its token is a cluster-wide credential.
# No metadata.namespace is set here; presumably the object lands in the
# namespace the release is installed into - confirm against how the chart is
# applied.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "kubevela.serviceAccountName" . }}
  labels:
    {{- include "kubevela.labels" . | nindent 4 }}
  # Optional annotations copied verbatim from serviceAccount.annotations.
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}
---
# Cluster-wide binding of the built-in cluster-admin ClusterRole.
# NOTE(review): two subjects receive unrestricted access to every namespace
# and to all cluster-scoped resources:
#   1. the controller ServiceAccount in the release namespace, and
#   2. every identity authenticated as a member of the group core.oam.dev.
# Any workload that can use that ServiceAccount token, and any user or
# credential that carries the group, is therefore equivalent to a cluster
# administrator. Treat write access to the release namespace and control over
# membership of the group as cluster-admin trust boundaries, and audit both.
# If the controller's required API surface is known, a dedicated ClusterRole
# with an explicit rule list is the least-privilege alternative.
# This binding is rendered unconditionally; it is not gated on
# serviceAccount.create.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "kubevela.fullname" . }}:manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: "cluster-admin"
subjects:
  # Controller identity, scoped to the namespace of the release.
  - kind: ServiceAccount
    name: {{ include "kubevela.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
  # Group subject: matches on the group name presented by the authenticator.
  # NOTE(review): who can obtain this group is decided outside this file -
  # confirm against the cluster's authentication and impersonation setup.
  - kind: Group
    name: core.oam.dev
    apiGroup: rbac.authorization.k8s.io
---
# Namespaced Role carrying the permissions used for leader election.
# None of the rules sets resourceNames, so each one applies to every object
# of that resource type in the Role's namespace, not to a single lock object.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "kubevela.fullname" . }}:leader-election-role
rules:
  # Full read/write on ConfigMaps in the core API group.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Read and update access on the configmaps/status resource path.
  - apiGroups: [""]
    resources: ["configmaps/status"]
    verbs: ["get", "update", "patch"]
  # Create-only access to Events.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]
---
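# Binds the leader-election Role to the controller ServiceAccount.
# Neither this binding nor the Role it references sets metadata.namespace;
# presumably both are created in the namespace the release is installed
# into - confirm against how the chart is applied.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "kubevela.fullname" . }}:leader-election-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "kubevela.fullname" . }}:leader-election-role
subjects:
  - kind: ServiceAccount
    name: {{ include "kubevela.serviceAccountName" . }}
    # State the subject namespace explicitly, as the ClusterRoleBinding
    # subject in this file does, so the grant never depends on the namespace
    # being implied by wherever the binding itself is created.
    namespace: {{ .Release.Namespace }}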
---
# Deployment of the controller. The pod runs as the chart's ServiceAccount,
# which this file binds to cluster-admin, so the container image, its
# arguments and its security context are all part of the cluster-admin trust
# boundary.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "kubevela.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kubevela.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      {{- include "kubevela.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "kubevela.selectorLabels" . | nindent 8 }}
      # Scrape hints for Prometheus; the port matches the metrics-addr
      # argument below. Values are quoted because annotations must be strings.
      annotations:
        prometheus.io/path: /metrics
        prometheus.io/port: "8080"
        prometheus.io/scrape: "true"
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "kubevela.serviceAccountName" . }}
      # Pod-level security context comes entirely from chart values.
      # NOTE(review): the defaults are not visible in this file - verify that
      # the values set a non-root user and related hardening.
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Release.Name }}
          # Container-level security context, also taken from chart values.
          # NOTE(review): confirm the values disable privilege escalation and
          # drop unneeded capabilities; nothing here enforces it.
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          # Chart values are substituted as raw text inside double-quoted
          # YAML scalars. A value containing a double quote or a backslash
          # would alter the rendered YAML, so values are assumed to be set by
          # a trusted chart operator.
          args:
            # Metrics listener on port 8080 with no host part in the address.
            # NOTE(review): no authentication for this endpoint is configured
            # in this file; restrict access at the network level if needed.
            - "--metrics-addr=:8080"
            - "--enable-leader-election"
            # File logging flags, only when a log file path is configured.
            {{ if ne .Values.logFilePath "" }}
            - "--log-file-path={{ .Values.logFilePath }}"
            - "--log-file-max-size={{ .Values.logFileMaxSize }}"
            {{ end }}
            {{ if .Values.logDebug }}
            - "--log-debug=true"
            {{ end }}
            # Admission webhook flags; the certificate directory matches the
            # volume mount further down.
            {{ if .Values.admissionWebhooks.enabled }}
            - "--use-webhook=true"
            - "--webhook-port={{ .Values.webhookService.port }}"
            - "--webhook-cert-dir={{ .Values.admissionWebhooks.certificate.mountPath }}"
            {{ end }}
            # Optimisation switches driven by the optimize values. Two of them
            # are emitted only to turn a feature off (the "if not" blocks).
            {{ if ne .Values.optimize.cachedGvks "" }}
            - "--optimize-cached-gvks={{ .Values.optimize.cachedGvks }}"
            {{ end }}
            {{ if not .Values.optimize.resourceTrackerListOp }}
            - "--optimize-resource-tracker-list-op=false"
            {{ end }}
            {{ if .Values.optimize.controllerReconcileLoopReduction }}
            - "--optimize-controller-reconcile-loop-reduction"
            {{ end }}
            {{ if .Values.optimize.markWithProb }}
            - "--optimize-mark-with-prob={{ .Values.optimize.markWithProb }}"
            {{ end }}
            {{ if .Values.optimize.disableComponentRevision }}
            - "--optimize-disable-component-revision"
            {{ end }}
            {{ if .Values.optimize.disableApplicationRevision }}
            - "--optimize-disable-application-revision"
            {{ end }}
            {{ if .Values.optimize.disableWorkflowRecorder }}
            - "--optimize-disable-workflow-recorder"
            {{ end }}
            {{ if .Values.optimize.enableInMemoryWorkflowContext }}
            - "--optimize-enable-in-memory-workflow-context"
            {{ end }}
            # NOTE(review): by its name this flag turns off a double check
            # when applying resources - confirm what protection is lost
            # before enabling the corresponding value.
            {{ if .Values.optimize.disableResourceApplyDoubleCheck }}
            - "--optimize-disable-resource-apply-double-check"
            {{ end }}
            {{ if not .Values.optimize.enableResourceTrackerDeleteOnlyTrigger }}
            - "--optimize-enable-resource-tracker-delete-only-trigger=false"
            {{ end }}
            # Health endpoint address; passed unconditionally, unlike the
            # probes below.
            - "--health-addr=:{{ .Values.healthCheck.port }}"
            {{ if ne .Values.disableCaps "" }}
            - "--disable-caps={{ .Values.disableCaps }}"
            {{ end }}
            - "--system-definition-namespace={{ include "systemDefinitionNamespace" . }}"
            - "--application-revision-limit={{ .Values.applicationRevisionLimit }}"
            - "--definition-revision-limit={{ .Values.definitionRevisionLimit }}"
            - "--oam-spec-ver={{ .Values.OAMSpecVer }}"
            {{ if .Values.multicluster.enabled }}
            - "--enable-cluster-gateway"
            {{ end }}
            - "--application-re-sync-period={{ .Values.controllerArgs.reSyncPeriod }}"
            - "--concurrent-reconciles={{ .Values.concurrentReconciles }}"
            - "--kube-api-qps={{ .Values.kubeClient.qps }}"
            - "--kube-api-burst={{ .Values.kubeClient.burst }}"
            - "--max-workflow-wait-backoff-time={{ .Values.workflow.backoff.maxTime.waitState }}"
            - "--max-workflow-failed-backoff-time={{ .Values.workflow.backoff.maxTime.failedState }}"
            - "--max-workflow-step-error-retry-times={{ .Values.workflow.step.errorRetryTimes }}"
            # The AuthenticateApplication feature gate always appears, set to
            # the string form of authentication.enabled. The remaining
            # authentication flags are passed only when it is enabled.
            # NOTE(review): with the gate off, the controller presumably acts
            # with its own cluster-admin identity for every application -
            # confirm against the controller documentation.
            - "--feature-gates=AuthenticateApplication={{- .Values.authentication.enabled | toString -}}"
            {{ if .Values.authentication.enabled }}
            {{ if .Values.authentication.withUser }}
            - "--authentication-with-user"
            {{ end }}
            - "--authentication-default-user={{ .Values.authentication.defaultUser }}"
            - "--authentication-group-pattern={{ .Values.authentication.groupPattern }}"
            {{ end }}
          # Image reference is registry prefix + repository + ":" + tag.
          # NOTE(review): this form references the image by tag only; a tag
          # can be re-pointed, and the template offers no digest field.
          image: {{ .Values.imageRegistry }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
          imagePullPolicy: {{ quote .Values.image.pullPolicy }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          # NOTE(review): ports, both probes and the certificate mount are all
          # inside this one conditional, so with admission webhooks disabled
          # the pod is rendered without readiness or liveness probes even
          # though the health address argument is still passed. Confirm this
          # is intended.
          {{ if .Values.admissionWebhooks.enabled }}
          ports:
            - containerPort: {{ .Values.webhookService.port }}
              name: webhook-server
              protocol: TCP
            - containerPort: {{ .Values.healthCheck.port }}
              name: healthz
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /readyz
              port: healthz
            initialDelaySeconds: 30
            periodSeconds: 5
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 90
            periodSeconds: 5
          volumeMounts:
            # Webhook TLS material, mounted read-only.
            - mountPath: {{ .Values.admissionWebhooks.certificate.mountPath }}
              name: tls-cert-vol
              readOnly: true
          {{ end }}
      {{ if .Values.admissionWebhooks.enabled }}
      volumes:
        - name: tls-cert-vol
          secret:
            # 420 is the decimal form of octal 0644: files are readable by
            # every user inside the container.
            # NOTE(review): the secret presumably holds the webhook private
            # key; a tighter mode may be possible depending on the user and
            # group the container runs as.
            defaultMode: 420
            secretName: {{ template "kubevela.fullname" . }}-admission
      {{ end }}
      # Optional scheduling constraints, each copied verbatim from values.
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}