kubit.yml
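{{- if not .Values.skipOperator}}
# Operator install manifests. Nothing in this template is rendered when
# skipOperator is set (the guard opened above closes on the file's last line).
{{- if not .Values.kubitSingleNamespace}}
# Cluster-wide mode only: the chart creates a fixed "kubit" namespace for the
# operator. In single-namespace mode no Namespace object is rendered and the
# other resources are placed in namespaceOverride or the release namespace.
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/component: manager
    app.kubernetes.io/instance: kubit
    app.kubernetes.io/name: namespace
    app.kubernetes.io/part-of: kubit
    control-plane: kubit
  name: kubit
---
{{- end}}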
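# Identity the operator runs as: the Deployment in this file sets
# serviceAccountName to this account, and the binding in this file names it
# as its only subject. Its token carries the wildcard rules of the "kubit"
# Role/ClusterRole, so workloads able to use this account inherit them.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubit
  # Single-namespace mode: namespaceOverride, falling back to the release
  # namespace. Cluster-wide mode: the fixed "kubit" namespace.
  namespace: {{if .Values.kubitSingleNamespace}}{{.Values.namespaceOverride | default .Release.Namespace}}{{else}}kubit{{end}}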
---
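# Permissions of the operator's service account. Rendered as a namespaced Role
# in single-namespace mode and as a ClusterRole otherwise.
#
# SECURITY: the single rule below matches every resource in every API group.
# As a ClusterRole this is close to cluster-admin: it covers reading Secrets
# and writing RBAC objects in all namespaces. Prefer kubitSingleNamespace
# where it fits, or narrow apiGroups/resources to what the managed packages
# actually need, and treat the operator pod and its token as highly
# privileged.
#
# NOTE(review): no metadata.namespace is set here. In single-namespace mode
# the ServiceAccount and Deployment honour namespaceOverride, while this Role
# would land in the release namespace - confirm the two always match.
apiVersion: rbac.authorization.k8s.io/v1
kind: {{if .Values.kubitSingleNamespace}}Role{{else}}ClusterRole{{end}}
metadata:
  name: kubit
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  # Explicit verb list rather than '*': verbs not named here
  # (for example deletecollection) are not granted.
  verbs:
  - create
  - update
  - get
  - list
  - patch
  - watch
  - delete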
---
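# Grants the "kubit" Role/ClusterRole to the "kubit" service account. The
# binding kind and roleRef.kind switch together on kubitSingleNamespace, so a
# RoleBinding always points at the Role and a ClusterRoleBinding at the
# ClusterRole.
#
# NOTE(review): no metadata.namespace is set on the binding. In
# single-namespace mode a RoleBinding grants access only in the namespace it
# is created in (the release namespace unless the installer sets one), while
# the subject below may live in namespaceOverride - confirm these agree.
apiVersion: rbac.authorization.k8s.io/v1
kind: {{if .Values.kubitSingleNamespace}}RoleBinding{{else}}ClusterRoleBinding{{end}}
metadata:
  name: kubit
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: {{if .Values.kubitSingleNamespace}}Role{{else}}ClusterRole{{end}}
  name: kubit
subjects:
- kind: ServiceAccount
  name: kubit
  # Must resolve to the same namespace as the ServiceAccount object.
  namespace: {{if .Values.kubitSingleNamespace}}{{.Values.namespaceOverride | default .Release.Namespace}}{{else}}kubit{{end}}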
---
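# The operator ("manager") itself. It runs as the "kubit" service account and
# therefore with that account's wildcard RBAC rules.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: manager
    app.kubernetes.io/instance: kubit
    app.kubernetes.io/name: deployment
    app.kubernetes.io/part-of: kubit
    control-plane: kubit
  name: kubit
  namespace: {{if .Values.kubitSingleNamespace}}{{.Values.namespaceOverride | default .Release.Namespace}}{{else}}kubit{{end}}
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: kubit
  # maxSurge 0 / maxUnavailable 1: an update takes the old pod down first
  # instead of starting a second manager alongside it.
  strategy:
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      annotations:
        kubectl.kubernetes.io/default-container: manager
      labels:
        control-plane: kubit
    spec:
      containers:
      - env:
        # Single-namespace mode: pass the pod's own namespace (downward API)
        # to the operator as the namespace to watch.
        {{- if .Values.kubitSingleNamespace}}
        - name: KUBIT_WATCHED_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        {{- end}}
        # Same image reference as the container's own image below.
        - name: KUBIT_CONTROLLER_IMAGE
          value: "{{.Values.operatorImageOverride | default "ghcr.io/kubecfg/kubit"}}:{{.Values.operatorImageVersion}}"
        # Optional image overrides handed to the operator through its
        # environment; presumably the images it uses for its apply/render
        # steps - treat these values as trusted supply-chain inputs.
        {{- if .Values.kubit.apply_step_image}}
        - name: KUBIT_APPLY_STEP_KUBECTL_IMAGE
          value: "{{.Values.kubit.apply_step_image}}"
        {{- end}}
        {{- if .Values.kubit.render_step_image}}
        - name: KUBIT_RENDER_STEP_KUBECTL_IMAGE
          value: "{{.Values.kubit.render_step_image}}"
        {{- end}}
        {{- if .Values.kubit.kubecfg_image}}
        - name: KUBIT_KUBECFG_IMAGE
          value: "{{.Values.kubit.kubecfg_image}}"
        {{- end}}
        # NOTE(review): the image is selected by tag (operatorImageVersion),
        # and no default for it is visible in this template. Confirm the
        # chart's values always set it; a digest-pinned reference would give
        # stronger integrity for a workload with this level of access.
        image: "{{.Values.operatorImageOverride | default "ghcr.io/kubecfg/kubit"}}:{{.Values.operatorImageVersion}}"
        livenessProbe:
          httpGet:
            path: /live
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20
        name: manager
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        # Resource defaults, overridden by .Values.kubit.resources when given.
        # "mapTrim" is a named template defined outside this file.
        # The second assignment deliberately has no right-hand trim marker:
        # trimming there would also strip the newline and indentation in
        # front of "resources:" and glue the key onto the previous line.
        {{- $default_kubit_resources := dict
          "requests" (dict "cpu" "50m" "memory" "64Mi")
          "limits" (dict "cpu" "100m" "memory" "128Mi") -}}
        {{- $kubit_resources := mergeOverwrite $default_kubit_resources (.Values.kubit.resources | default dict) }}
        resources: {{ $kubit_resources | include "mapTrim" | trim | nindent 10 }}
        # Container hardening: no privilege escalation, all capabilities
        # dropped.
        # NOTE(review): runAsNonRoot and readOnlyRootFilesystem are not set;
        # confirm what the image supports before adding them.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
      # Pod-level: the container runtime's default seccomp profile.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: kubit
      terminationGracePeriodSeconds: 10
{{end}}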