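{{- /*
Deployment for the Telepresence traffic-manager.

The whole manifest is skipped when .Values.rbac.only is set. Most settings reach
the manager process as environment variables built from .Values.

Every scalar env value is rendered through `quote`: EnvVar.value is a string in
the Kubernetes API, so a bare scalar that YAML reads as a number or boolean
(an all-digit image tag, a version such as 2.10) would make the manifest
invalid, and a value containing " #" would be cut off as a comment.

NOTE(review): the indentation below was reconstructed from a collapsed listing.
The externally defined templates "traffic-manager-env", "traffic-manager-mounts"
and "traffic-manager-vols" are emitted with `template`, which cannot be
re-indented, so their list items must start in the same column as the items
here. Confirm against the chart before applying.
*/}}
{{- with .Values }}
{{- if not (and .rbac .rbac.only) }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "traffic-manager.name" $ }}
  namespace: {{ include "traffic-manager.namespace" $ }}
  labels:
    {{- include "telepresence.labels" $ | nindent 4 }}
spec:
  replicas: {{ .replicaCount }}
  selector:
    matchLabels:
      {{- include "telepresence.selectorLabels" $ | nindent 6 }}
  template:
    metadata:
    {{- with .podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
    {{- end }}
      labels:
        {{- include "telepresence.selectorLabels" $ | nindent 8 }}
    {{- with .podLabels }}
        {{- toYaml . | nindent 8 }}
    {{- end }}
    spec:
      {{- with .image.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- /* Pod-level security context is copied verbatim from values; nothing is enforced here. */}}
      securityContext:
        {{- toYaml .podSecurityContext | nindent 8 }}
      {{- /* hostNetwork places the pod in the node's network namespace; it is off unless explicitly set. */}}
      {{- if .hostNetwork }}
      hostNetwork: true
      {{- end }}
      containers:
        - name: {{ include "traffic-manager.name" $ }}
          {{- /* Container-level security context, also copied verbatim from values. */}}
          securityContext:
            {{- toYaml .securityContext | nindent 12 }}
          {{- with .image }}
          image: "{{ .registry }}/{{ .name }}:{{ .tag | default $.Chart.AppVersion }}"
          imagePullPolicy: {{ .pullPolicy }}
          {{- end }}
          env:
          - name: LOG_LEVEL
            value: {{ .logLevel | quote }}
          {{- with .image }}
          - name: REGISTRY
            value: "{{ .registry }}"
          {{- end }}
          - name: SERVER_PORT
            value: {{ .apiPort | quote }}
          - name: POD_CIDR_STRATEGY
            value: {{ .podCIDRStrategy | quote }}
          {{- with .podCIDRs }}
          - name: POD_CIDRS
            value: "{{ join " " . }}"
          {{- end }}
          {{- if .agentInjector.enabled }}
          - name: MUTATOR_WEBHOOK_PORT
            value: {{ .agentInjector.webhook.port | quote }}
          {{- /* With accessMethod "mount" the manager gets the mount path of the TLS secret, otherwise the secret's name. */}}
          - name: AGENT_INJECTOR_SECRET
            {{- if eq .agentInjector.certificate.accessMethod "mount" }}
            value: /var/run/secrets/tls
            {{- else }}
            value: {{ .agentInjector.secret.name | quote }}
            {{- end }}
          {{- end }}
          {{- with .telepresenceAPI }}
          {{- if .port }}
          - name: AGENT_REST_API_PORT
            value: {{ .port | quote }}
          {{- end }}
          {{- end }}
          {{- with .grpc }}
          {{- if .maxReceiveSize }}
          - name: GRPC_MAX_RECEIVE_SIZE
            value: {{ .maxReceiveSize | quote }}
          {{- /*
          grpc.connectionTTL is used only when client.connectionTTL is unset.
          NOTE(review): this fallback sits inside the maxReceiveSize guard, so it is
          emitted only when grpc.maxReceiveSize is also set; confirm that is intended.
          */}}
          {{- if and .connectionTTL (not $.Values.client.connectionTTL) }}
          - name: CLIENT_CONNECTION_TTL
            value: {{ .connectionTTL | quote }}
          {{- end }}
          {{- end }}
          {{- end }}
          {{- /* A workload kind is enabled when its key is absent or its .enabled is true; Rollout must be enabled explicitly. */}}
          {{- if .workloads }}
          {{- with .workloads }}
          - name: ENABLED_WORKLOAD_KINDS
            value: >-
              {{- if or (not .deployments) .deployments.enabled }}
              Deployment
              {{- end }}
              {{- if or (not .statefulSets) .statefulSets.enabled }}
              StatefulSet
              {{- end }}
              {{- if or (not .replicaSets) .replicaSets.enabled }}
              ReplicaSet
              {{- end }}
              {{- if and .argoRollouts .argoRollouts.enabled }}
              Rollout
              {{- end }}
          {{- end }}
          {{- else }}
          - name: ENABLED_WORKLOAD_KINDS
            value: Deployment StatefulSet ReplicaSet
          {{- end }}
          {{- if .agentInjector.enabled }}
          {{- /*
          Traffic agent injector configuration
          */}}
          - name: AGENT_ARRIVAL_TIMEOUT
            value: {{ quote (default "30s" .timeouts.agentArrival) }}
          {{- with .agentInjector }}
          - name: AGENT_INJECT_POLICY
            value: {{ .injectPolicy | quote }}
          - name: AGENT_INJECTOR_NAME
            value: {{ .name | quote }}
          {{- end }}
          {{- /*
          Traffic agent configuration
          */}}
          {{- with .agent }}
          {{- if .logLevel }}
          - name: AGENT_LOG_LEVEL
            value: {{ .logLevel | quote }}
          {{- end }}
          {{- if .port }}
          - name: AGENT_PORT
            value: {{ .port | quote }}
          {{- end }}
          {{- if .appProtocolStrategy }}
          - name: AGENT_APP_PROTO_STRATEGY
            value: {{ .appProtocolStrategy | quote }}
          {{- end }}
          {{- if .resources }}
          - name: AGENT_RESOURCES
            value: '{{ toJson .resources }}'
          {{- end }}
          {{- if .initResources }}
          - name: AGENT_INIT_RESOURCES
            value: '{{ toJson .initResources }}'
          {{- end }}
          {{- if .mountPolicies }}
          - name: AGENT_MOUNT_POLICIES
            value: '{{ toJson .mountPolicies }}'
          {{- end }}
          {{- with .initContainer }}
          - name: AGENT_INIT_CONTAINER_ENABLED
            value: {{ .enabled | quote }}
          {{- end }}
          {{- with .image }}
          {{- if .name }}
          - name: AGENT_IMAGE_NAME
            value: {{ .name | quote }}
          {{- end }}
          {{- if .tag }}
          - name: AGENT_IMAGE_TAG
            value: {{ .tag | quote }}
          {{- end }}
          {{- if .registry }}
          - name: AGENT_REGISTRY
            value: {{ .registry | quote }}
          {{- end }}
          {{- with .pullSecrets }}
          - name: AGENT_IMAGE_PULL_SECRETS
            value: '{{ toJson . }}'
          {{- end }}
          - name: AGENT_IMAGE_PULL_POLICY
            value: {{ .pullPolicy | quote }}
          {{- end }}
          {{- /* must check against nil. An empty security context is a valid override */}}
          {{- if not (eq .securityContext nil) }}
          - name: AGENT_SECURITY_CONTEXT
            value: '{{ toJson .securityContext }}'
          {{- end }}
          {{- /* must check against nil. An empty security context is a valid override */}}
          {{- if not (eq .initSecurityContext nil) }}
          - name: AGENT_INIT_SECURITY_CONTEXT
            value: '{{ toJson .initSecurityContext }}'
          {{- end }}
          {{- end }}
          {{- with fromJsonArray (include "traffic-manager.namespaces" $) }}
          {{- /*
          This environment variable is not used, it's here to force a redeploy of the traffic manager
          when the list changes, because it updates roles and rolebindings and potentially also changes
          from roles to clusterroles or vice versa.
          */}}
          - name: NOT_USED_NSS
            value: {{ toJson . | quote }}
          {{- end }}
          {{- end }}
          {{- /*
          0 is false. Kept as a template comment: a rendered "#" comment placed right after a
          left-trimmed action lands on the previously rendered line, and inside the ">-" block
          scalar of ENABLED_WORKLOAD_KINDS it would become part of the value.
          */}}
          {{- if .prometheus.port }}
          - name: PROMETHEUS_PORT
            value: "{{ .prometheus.port }}"
          {{- end }}
          - name: MAX_NAMESPACE_SPECIFIC_WATCHERS
            value: {{ .maxNamespaceSpecificWatchers | quote }}
          {{- /* Namespace and pod IP are taken from the downward API, not from values. */}}
          - name: MANAGER_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: POD_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.podIP
          {{- /*
          Client configuration
          */}}
          {{- with .client }}
          {{- if .connectionTTL }}
          - name: CLIENT_CONNECTION_TTL
            value: {{ .connectionTTL | quote }}
          {{- end }}
          {{- with .routing }}
          {{- if .alsoProxySubnets }}
          - name: CLIENT_ROUTING_ALSO_PROXY_SUBNETS
            value: "{{ join " " .alsoProxySubnets }}"
          {{- end }}
          {{- if .neverProxySubnets }}
          - name: CLIENT_ROUTING_NEVER_PROXY_SUBNETS
            value: "{{ join " " .neverProxySubnets }}"
          {{- end }}
          {{- if .allowConflictingSubnets }}
          - name: CLIENT_ROUTING_ALLOW_CONFLICTING_SUBNETS
            value: "{{ join " " .allowConflictingSubnets }}"
          {{- end }}
          {{- end }}
          {{- with .dns }}
          {{- with .excludeSuffixes }}
          - name: CLIENT_DNS_EXCLUDE_SUFFIXES
            value: "{{ join " " . }}"
          {{- end }}
          {{- with .includeSuffixes }}
          - name: CLIENT_DNS_INCLUDE_SUFFIXES
            value: "{{ join " " . }}"
          {{- end }}
          {{- end }}
          {{- end }}
          {{- with .compatibility }}
          {{- if .version }}
          - name: COMPATIBILITY_VERSION
            value: {{ .version | quote }}
          {{- end }}
          {{- end }}
          {{- /* Extra env entries come from a template defined outside this file; it receives .Values as its context. */}}
          {{- if and .trafficManager .trafficManager.envTemplate }}
          {{- template "traffic-manager-env" . }}
          {{- end }}
          ports:
          - name: api
            containerPort: {{ .apiPort }}
          {{- /* NOTE(review): the https (webhook) port is declared even when agentInjector.enabled is false. */}}
          - name: https
            containerPort: {{ .agentInjector.webhook.port }}
          {{- /* 0 is false */}}
          {{- if .prometheus.port }}
          - name: prometheus
            containerPort: {{ .prometheus.port }}
          {{- end }}
          {{- with .livenessProbe }}
          livenessProbe:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .readinessProbe }}
          readinessProbe:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- /* The injector's TLS secret is mounted read-only, and only when the certificate accessMethod is "mount". */}}
          {{- if eq .agentInjector.certificate.accessMethod "mount" }}
          volumeMounts:
          {{- if .agentInjector.enabled }}
          - name: tls
            mountPath: /var/run/secrets/tls
            readOnly: true
          {{- end }}
          {{- if and .trafficManager .trafficManager.mountsTemplate }}
          {{- template "traffic-manager-mounts" . }}
          {{- end }}
          {{- else }}
          {{- if and .trafficManager .trafficManager.mountsTemplate }}
          volumeMounts:
          {{- template "traffic-manager-mounts" . }}
          {{- end }}
          {{- end }}
      {{- with .schedulerName }}
      schedulerName: {{ . }}
      {{- end }}
      {{- with .nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .priorityClassName }}
      priorityClassName: {{ . | quote }}
      {{- end }}
      {{- if eq .agentInjector.certificate.accessMethod "mount" }}
      volumes:
      {{- if .agentInjector.enabled }}
      {{- /*
      defaultMode is decimal: 420 equals octal 0644, so every file projected from the
      secret is readable by any user inside the container.
      NOTE(review): a tighter mode needs the container user or fsGroup to still be able
      to read the files; neither is visible in this template.
      */}}
      - name: tls
        secret:
          defaultMode: 420
          secretName: {{ .agentInjector.secret.name }}
      {{- end }}
      {{- if and .trafficManager .trafficManager.volsTemplate }}
      {{- template "traffic-manager-vols" . }}
      {{- end }}
      {{- else }}
      {{- if and .trafficManager .trafficManager.volsTemplate }}
      volumes:
      {{- template "traffic-manager-vols" . }}
      {{- end }}
      {{- end }}
      {{- /* The service account name is fixed rather than taken from values; serviceAccount is the deprecated alias of serviceAccountName. */}}
      serviceAccount: traffic-manager
      serviceAccountName: traffic-manager
{{- end }}
{{- end }}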