{{- if .Values.forseti.enabled }} apiVersion: apps/v1 kind: Deployment metadata: name: kubezero-forseti namespace: kube-system labels: app: kubezero-forseti spec: replicas: 1 selector: matchLabels: app: kubezero-forseti template: metadata: labels: app: kubezero-forseti spec: containers: - name: kubezero-forseti image: "{{ .Values.forseti.image.name }}:{{ .Values.forseti.image.tag }}" imagePullPolicy: Always args: - --health-probe-bind-address=:8081 - --metrics-bind-address=:8080 #- --zap-log-level=2 #- --dry-run #- --leader-elect command: - /forseti env: - name: AWS_REGION value: "{{ .Values.forseti.aws.region }}" - name: AWS_ROLE_ARN value: "{{ .Values.forseti.aws.iamRoleArn }}" - name: AWS_STS_REGIONAL_ENDPOINTS value: regional - name: AWS_WEB_IDENTITY_TOKEN_FILE value: /var/run/secrets/sts.amazonaws.com/serviceaccount/token livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 readinessProbe: httpGet: path: /readyz port: 8081 initialDelaySeconds: 5 periodSeconds: 10 resources: limits: cpu: 500m memory: 128Mi requests: cpu: 10m memory: 64Mi securityContext: allowPrivilegeEscalation: false volumeMounts: - mountPath: /var/run/secrets/sts.amazonaws.com/serviceaccount/ name: aws-token readOnly: true securityContext: runAsNonRoot: true serviceAccountName: kubezero-forseti terminationGracePeriodSeconds: 10 nodeSelector: node-role.kubernetes.io/control-plane: "" tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule - key: node-role.kubernetes.io/control-plane effect: NoSchedule volumes: - name: aws-token projected: defaultMode: 420 sources: - serviceAccountToken: audience: sts.amazonaws.com expirationSeconds: 86400 path: token {{- end }}