84 lines
2.2 KiB
YAML
84 lines
2.2 KiB
YAML
|
{{- if .Values.forseti.enabled }}
|
||
|
|
apiVersion: apps/v1
|
||
|
|
kind: Deployment
|
||
|
|
metadata:
|
||
|
|
name: kubezero-forseti
|
||
|
|
namespace: kube-system
|
||
|
|
labels:
|
||
|
|
app: kubezero-forseti
|
||
|
|
spec:
|
||
|
|
replicas: 1
|
||
|
|
selector:
|
||
|
|
matchLabels:
|
||
|
|
app: kubezero-forseti
|
||
|
|
template:
|
||
|
|
metadata:
|
||
|
|
labels:
|
||
|
|
app: kubezero-forseti
|
||
|
|
spec:
|
||
|
|
containers:
|
||
|
|
- name: kubezero-forseti
|
||
|
|
image: "{{ .Values.forseti.image.name }}:{{ .Values.forseti.image.tag }}"
|
||
|
|
imagePullPolicy: Always
|
||
|
|
args:
|
||
|
|
- --health-probe-bind-address=:8081
|
||
|
|
- --metrics-bind-address=:8080
|
||
|
|
- --zap-log-level=2
|
||
|
|
#- --dry-run
|
||
|
|
# - --leader-elect
|
||
|
|
command:
|
||
|
|
- /forseti
|
||
|
|
env:
|
||
|
|
- name: AWS_REGION
|
||
|
|
value: "{{ .Values.forseti.aws.region }}"
|
||
|
|
- name: AWS_ROLE_ARN
|
||
|
|
value: "{{ .Values.forseti.aws.iamRoleArn }}"
|
||
|
|
- name: AWS_STS_REGIONAL_ENDPOINTS
|
||
|
|
value: regional
|
||
|
|
- name: AWS_WEB_IDENTITY_TOKEN_FILE
|
||
|
|
value: /var/run/secrets/sts.amazonaws.com/serviceaccount/token
|
||
|
|
livenessProbe:
|
||
|
|
httpGet:
|
||
|
|
path: /healthz
|
||
|
|
port: 8081
|
||
|
|
initialDelaySeconds: 15
|
||
|
|
periodSeconds: 20
|
||
|
|
readinessProbe:
|
||
|
|
httpGet:
|
||
|
|
path: /readyz
|
||
|
|
port: 8081
|
||
|
|
initialDelaySeconds: 5
|
||
|
|
periodSeconds: 10
|
||
|
|
resources:
|
||
|
|
limits:
|
||
|
|
cpu: 500m
|
||
|
|
memory: 128Mi
|
||
|
|
requests:
|
||
|
|
cpu: 10m
|
||
|
|
memory: 64Mi
|
||
|
|
securityContext:
|
||
|
|
allowPrivilegeEscalation: false
|
||
|
|
volumeMounts:
|
||
|
|
- mountPath: /var/run/secrets/sts.amazonaws.com/serviceaccount/
|
||
|
|
name: aws-token
|
||
|
|
readOnly: true
|
||
|
|
securityContext:
|
||
|
|
runAsNonRoot: true
|
||
|
|
serviceAccountName: kubezero-forseti
|
||
|
|
terminationGracePeriodSeconds: 10
|
||
|
|
nodeSelector:
|
||
|
|
node-role.kubernetes.io/control-plane: ""
|
||
|
|
tolerations:
|
||
|
|
- key: node-role.kubernetes.io/master
|
||
|
|
effect: NoSchedule
|
||
|
|
volumes:
|
||
|
|
- name: aws-token
|
||
|
|
projected:
|
||
|
|
defaultMode: 420
|
||
|
|
sources:
|
||
|
|
- serviceAccountToken:
|
||
|
|
audience: sts.amazonaws.com
|
||
|
|
expirationSeconds: 86400
|
||
|
|
path: token
|
||
|
|
{{- end }}
|