+{{- if or .Values.deployment.kong.enabled .Values.ingressController.enabled }}
apiVersion: apps/v1
+{{- if .Values.deployment.daemonset }}
+kind: DaemonSet
+{{- else }}
kind: Deployment
+{{- end }}
metadata:
- name: "{{ template "kong.fullname" . }}"
+ name: {{ template "kong.fullname" . }}
+ namespace: {{ template "kong.namespace" . }}
labels:
- app: "{{ template "kong.name" . }}"
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
- release: "{{ .Release.Name }}"
- heritage: "{{ .Release.Service }}"
- component: app
+ {{- include "kong.metaLabels" . | nindent 4 }}
+ app.kubernetes.io/component: app
+ {{- if .Values.deploymentAnnotations }}
+ annotations:
+ {{- range $key, $value := .Values.deploymentAnnotations }}
+ {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
+ {{- end }}
+ {{- end }}
spec:
+ {{- if not .Values.autoscaling.enabled }}
+ {{- if not .Values.deployment.daemonset }}
replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ {{- end }}
selector:
matchLabels:
- app: {{ template "kong.name" . }}
- release: {{ .Release.Name }}
- component: app
+ {{- include "kong.selectorLabels" . | nindent 6 }}
{{- if .Values.updateStrategy }}
+ {{- if .Values.deployment.daemonset }}
+ updateStrategy:
+ {{- else }}
strategy:
+ {{- end }}
{{ toYaml .Values.updateStrategy | indent 4 }}
{{- end }}
+ {{- if .Values.deployment.minReadySeconds }}
+ minReadySeconds: {{ .Values.deployment.minReadySeconds }}
+ {{- end }}
template:
metadata:
annotations:
+ {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+ kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
+ {{- end }}
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }}
{{- if .Values.dblessConfig.config }}
checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }}
{{- end }}
{{- end }}
{{- if .Values.podAnnotations }}
-{{ toYaml .Values.podAnnotations | indent 8 }}
+ {{- range $key, $value := .Values.podAnnotations }}
+ {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
+ {{- end }}
{{- end }}
labels:
- app: {{ template "kong.name" . }}
- release: {{ .Release.Name }}
- component: app
+ {{- include "kong.metaLabels" . | nindent 8 }}
+ app.kubernetes.io/component: app
+ app: {{ template "kong.fullname" . }}
+ version: {{ .Chart.AppVersion | quote }}
+ {{- if .Values.podLabels }}
+ {{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
+ {{- end }}
spec:
- {{- if (and (.Values.ingressController.enabled) (eq .Values.env.database "off")) }}
+ {{- if .Values.deployment.hostname }}
+ hostname: {{ .Values.deployment.hostname }}
+ {{- end }}
+ {{- if .Values.deployment.hostNetwork }}
+ hostNetwork: true
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: "{{ .Values.priorityClassName }}"
+ {{- end }}
+ {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
serviceAccountName: {{ template "kong.serviceAccountName" . }}
+ {{- end }}
+ {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
+ automountServiceAccountToken: true
+ {{- else }}
+ automountServiceAccountToken: false
{{ end }}
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
- name: {{ . }}
{{- end }}
{{- end }}
- {{- if not (eq .Values.env.database "off") }}
+ {{- if .Values.deployment.kong.enabled }}
initContainers:
- {{- include "kong.wait-for-db" . | nindent 6 }}
- {{ end }}
+ - name: clear-stale-pid
+ image: {{ include "kong.getRepoTag" .Values.image }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ {{ toYaml .Values.containerSecurityContext | nindent 10 }}
+ resources:
+{{ toYaml .Values.resources | indent 10 }}
+ command:
+ - "rm"
+ - "-vrf"
+ - "$KONG_PREFIX/pids"
+ env:
+ {{- include "kong.env" . | nindent 8 }}
+ {{- include "kong.envFrom" .Values.envFrom | nindent 8 }}
+ volumeMounts:
+ {{- include "kong.volumeMounts" . | nindent 8 }}
+ {{- if .Values.deployment.initContainers }}
+ {{- toYaml .Values.deployment.initContainers | nindent 6 }}
+ {{- end }}
+ {{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
+ {{- include "kong.wait-for-db" . | nindent 6 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.deployment.hostAliases }}
+ hostAliases:
+ {{- toYaml .Values.deployment.hostAliases | nindent 6 }}
+ {{- end}}
+ {{- if .Values.dnsPolicy }}
+ dnsPolicy: {{ .Values.dnsPolicy | quote }}
+ {{- end }}
+ {{- if .Values.dnsConfig }}
+ dnsConfig:
+{{ toYaml .Values.dnsConfig | indent 8 }}
+ {{- end }}
containers:
- {{- if (and (.Values.ingressController.enabled) (eq .Values.env.database "off")) }}
+ {{- if .Values.ingressController.enabled }}
{{- include "kong.controller-container" . | nindent 6 }}
{{ end }}
- - name: {{ template "kong.name" . }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ {{- if .Values.deployment.sidecarContainers }}
+ {{- toYaml .Values.deployment.sidecarContainers | nindent 6 }}
+ {{- end }}
+ {{- if .Values.deployment.kong.enabled }}
+ - name: "proxy"
+ image: {{ include "kong.getRepoTag" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ {{ toYaml .Values.containerSecurityContext | nindent 10 }}
env:
- {{- if not .Values.env.admin_listen }}
- {{- if .Values.admin.useTLS }}
- - name: KONG_ADMIN_LISTEN
- value: "0.0.0.0:{{ .Values.admin.containerPort }} ssl"
- {{- else }}
- - name: KONG_ADMIN_LISTEN
- value: 0.0.0.0:{{ .Values.admin.containerPort }}
- {{- end }}
- {{- end }}
- {{- if not .Values.env.proxy_listen }}
- - name: KONG_PROXY_LISTEN
- value: {{ template "kong.kongProxyListenValue" . }}
- {{- end }}
- {{- if and (not .Values.env.admin_gui_listen) (.Values.enterprise.enabled) }}
- - name: KONG_ADMIN_GUI_LISTEN
- value: {{ template "kong.kongManagerListenValue" . }}
- {{- end }}
- {{- if and (not .Values.env.portal_gui_listen) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }}
- - name: KONG_PORTAL_GUI_LISTEN
- value: {{ template "kong.kongPortalListenValue" . }}
- {{- end }}
- {{- if and (not .Values.env.portal_api_listen) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }}
- - name: KONG_PORTAL_API_LISTEN
- value: {{ template "kong.kongPortalApiListenValue" . }}
- {{- end }}
- - name: KONG_NGINX_DAEMON
- value: "off"
- {{- if .Values.enterprise.enabled }}
- {{- if .Values.enterprise.vitals.enabled }}
- - name: KONG_VITALS
- value: "on"
- {{- end }}
- {{- if .Values.enterprise.portal.enabled }}
- - name: KONG_PORTAL
- value: "on"
- {{- if .Values.enterprise.portal.portal_auth }}
- - name: KONG_PORTAL_AUTH
- value: {{ .Values.enterprise.portal.portal_auth }}
- - name: KONG_PORTAL_SESSION_CONF
- valueFrom:
- secretKeyRef:
- name: {{ .Values.enterprise.portal.session_conf_secret }}
- key: portal_session_conf
- {{- end }}
- {{- end }}
- {{- if .Values.enterprise.rbac.enabled }}
- - name: KONG_ENFORCE_RBAC
- value: "on"
- - name: KONG_ADMIN_GUI_AUTH
- value: {{ .Values.enterprise.rbac.admin_gui_auth | default "basic-auth" }}
- - name: KONG_ADMIN_GUI_AUTH_CONF
- value: '{{ toJson .Values.enterprise.rbac.admin_gui_auth_conf }}'
- - name: KONG_ADMIN_GUI_SESSION_CONF
- valueFrom:
- secretKeyRef:
- name: {{ .Values.enterprise.rbac.session_conf_secret }}
- key: admin_gui_session_conf
- {{- end }}
- {{- if .Values.enterprise.smtp.enabled }}
- - name: KONG_PORTAL_EMAILS_FROM
- value: {{ .Values.enterprise.smtp.portal_emails_from }}
- - name: KONG_PORTAL_EMAILS_REPLY_TO
- value: {{ .Values.enterprise.smtp.portal_emails_reply_to }}
- - name: KONG_ADMIN_EMAILS_FROM
- value: {{ .Values.enterprise.smtp.admin_emails_from }}
- - name: KONG_ADMIN_EMAILS_REPLY_TO
- value: {{ .Values.enterprise.smtp.admin_emails_reply_to }}
- - name: KONG_SMTP_HOST
- value: {{ .Values.enterprise.smtp.smtp_host }}
- - name: KONG_SMTP_PORT
- value: {{ .Values.enterprise.smtp.smtp_port }}
- - name: KONG_SMTP_STARTTLS
- value: {{ .Values.enterprise.smtp.smtp_starttls }}
- {{- if .Values.enterprise.smtp.auth.smtp_username }}
- - name: KONG_SMTP_USERNAME
- value: {{ .Values.enterprise.smtp.auth.smtp_username }}
- - name: KONG_SMTP_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ .Values.enterprise.smtp.auth.smtp_password }}
- key: smtp_password
- {{- end }}
- {{- else }}
- - name: KONG_SMTP_MOCK
- value: "on"
- {{- end }}
- {{- include "kong.license" . | nindent 8 }}
- {{- end }}
- - name: KONG_NGINX_HTTP_INCLUDE
- value: /kong/servers.conf
- {{- if .Values.postgresql.enabled }}
- - name: KONG_PG_HOST
- value: {{ template "kong.postgresql.fullname" . }}
- - name: KONG_PG_PORT
- value: "{{ .Values.postgresql.service.port }}"
- - name: KONG_PG_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "kong.postgresql.fullname" . }}
- key: postgresql-password
- {{- end }}
- {{- if .Values.cassandra.enabled }}
- - name: KONG_CASSANDRA_CONTACT_POINTS
- value: {{ template "kong.cassandra.fullname" . }}
- {{- end }}
- {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
- - name: KONG_DECLARATIVE_CONFIG
- value: "/kong_dbless/kong.yml"
- {{- end }}
- {{- include "kong.env" . | indent 8 }}
+ {{- include "kong.no_daemon_env" . | nindent 8 }}
+ {{- include "kong.envFrom" .Values.envFrom | nindent 8 }}
+ lifecycle:
+ {{- toYaml .Values.lifecycle | nindent 10 }}
ports:
+ {{- if (and .Values.admin.http.enabled .Values.admin.enabled) }}
- name: admin
- containerPort: {{ .Values.admin.containerPort }}
- {{- if .Values.admin.hostPort }}
- hostPort: {{ .Values.admin.hostPort }}
+ containerPort: {{ .Values.admin.http.containerPort }}
+ {{- if .Values.admin.http.hostPort }}
+ hostPort: {{ .Values.admin.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.admin.tls.enabled .Values.admin.enabled) }}
+ - name: admin-tls
+ containerPort: {{ .Values.admin.tls.containerPort }}
+ {{- if .Values.admin.tls.hostPort }}
+ hostPort: {{ .Values.admin.tls.hostPort }}
{{- end}}
protocol: TCP
- {{- if .Values.proxy.http.enabled }}
+ {{- end }}
+ {{- if (and .Values.proxy.http.enabled .Values.proxy.enabled) }}
- name: proxy
containerPort: {{ .Values.proxy.http.containerPort }}
{{- if .Values.proxy.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
- {{- if .Values.proxy.tls.enabled }}
+ {{- if (and .Values.proxy.tls.enabled .Values.proxy.enabled)}}
- name: proxy-tls
containerPort: {{ .Values.proxy.tls.containerPort }}
{{- if .Values.proxy.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
- - name: metrics
- containerPort: 9542
+ {{- range .Values.proxy.stream }}
+ - name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }}
+ containerPort: {{ .containerPort }}
+ {{- if .hostPort }}
+ hostPort: {{ .hostPort }}
+ {{- end}}
+ protocol: {{ .protocol }}
+ {{- end }}
+ {{- range .Values.udpProxy.stream }}
+ - name: streamudp-{{ .containerPort }}
+ containerPort: {{ .containerPort }}
+ {{- if .hostPort }}
+ hostPort: {{ .hostPort }}
+ {{- end}}
+ protocol: {{ .protocol }}
+ {{- end }}
+ {{- if (and .Values.status.http.enabled .Values.status.enabled)}}
+ - name: status
+ containerPort: {{ .Values.status.http.containerPort }}
+ {{- if .Values.status.http.hostPort }}
+ hostPort: {{ .Values.status.http.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.status.tls.enabled .Values.status.enabled) }}
+ - name: status-tls
+ containerPort: {{ .Values.status.tls.containerPort }}
+ {{- if .Values.status.tls.hostPort }}
+ hostPort: {{ .Values.status.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
+ {{- if (and .Values.cluster.tls.enabled .Values.cluster.enabled) }}
+ - name: cluster-tls
+ containerPort: {{ .Values.cluster.tls.containerPort }}
+ {{- if .Values.cluster.tls.hostPort }}
+ hostPort: {{ .Values.cluster.tls.hostPort }}
+ {{- end}}
protocol: TCP
+ {{- end }}
{{- if .Values.enterprise.enabled }}
- {{- if .Values.manager.http.enabled }}
+ {{- if (and .Values.manager.http.enabled .Values.manager.enabled) }}
- name: manager
containerPort: {{ .Values.manager.http.containerPort }}
{{- if .Values.manager.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
- {{- if .Values.manager.tls.enabled }}
+ {{- if (and .Values.manager.tls.enabled .Values.manager.enabled) }}
- name: manager-tls
containerPort: {{ .Values.manager.tls.containerPort }}
{{- if .Values.manager.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
- {{- if .Values.portal.http.enabled }}
+ {{- if (and .Values.portal.http.enabled .Values.portal.enabled) }}
- name: portal
containerPort: {{ .Values.portal.http.containerPort }}
{{- if .Values.portal.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
- {{- if .Values.portal.tls.enabled }}
+ {{- if (and .Values.portal.tls.enabled .Values.portal.enabled) }}
- name: portal-tls
containerPort: {{ .Values.portal.tls.containerPort }}
{{- if .Values.portal.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
- {{- if .Values.portalapi.http.enabled }}
+ {{- if (and .Values.portalapi.http.enabled .Values.portalapi.enabled) }}
- name: portalapi
containerPort: {{ .Values.portalapi.http.containerPort }}
{{- if .Values.portalapi.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
- {{- if .Values.portalapi.tls.enabled }}
+ {{- if (and .Values.portalapi.tls.enabled .Values.portalapi.enabled) }}
- name: portalapi-tls
containerPort: {{ .Values.portalapi.tls.containerPort }}
{{- if .Values.portalapi.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
+ {{- if (and .Values.clustertelemetry.tls.enabled .Values.clustertelemetry.enabled) }}
+ - name: clustert-tls
+ containerPort: {{ .Values.clustertelemetry.tls.containerPort }}
+ {{- if .Values.clustertelemetry.tls.hostPort }}
+ hostPort: {{ .Values.clustertelemetry.tls.hostPort }}
+ {{- end}}
+ protocol: TCP
+ {{- end }}
{{- end }}
volumeMounts:
- - name: custom-nginx-template-volume
- mountPath: /kong
- {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
- - name: kong-custom-dbless-config-volume
- mountPath: /kong_dbless/
- {{- end }}
+ {{- include "kong.volumeMounts" . | nindent 10 }}
+ {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }}
readinessProbe:
-{{ toYaml .Values.readinessProbe | indent 10 }}
+{{ include "kong.proxy.compatibleReadiness" . | indent 10 }}
livenessProbe:
{{ toYaml .Values.livenessProbe | indent 10 }}
+ {{- if .Values.startupProbe }}
+ startupProbe:
+{{ toYaml .Values.startupProbe | indent 10 }}
+ {{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
+ {{- end }} {{/* End of Kong container spec */}}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
+ {{- if .Values.topologySpreadConstraints }}
+ topologySpreadConstraints:
+{{ toYaml .Values.topologySpreadConstraints | indent 8 }}
+ {{- end }}
+ securityContext:
+ {{- include "kong.podsecuritycontext" . | nindent 8 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
+ terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+ {{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
+ {{- end }}
volumes:
- - name: custom-nginx-template-volume
- configMap:
- name: {{ template "kong.fullname" . }}-default-custom-server-blocks
-{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
- - name: kong-custom-dbless-config-volume
- configMap:
- {{- if .Values.dblessConfig.configMap }}
- name: {{ .Values.dblessConfig.configMap }}
- {{- else }}
- name: {{ template "kong.dblessConfig.fullname" . }}
- {{- end }}
+ {{- include "kong.volumes" . | nindent 8 -}}
+ {{- include "kong.userDefinedVolumes" . | nindent 8 -}}
{{- end }}
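Review bot: The new `clear-stale-pid` init container passes `"$KONG_PREFIX/pids"` as an exec-form argument to `rm`, so no shell is present to expand the variable. Kubernetes substitutes only the `$(VAR_NAME)` form in `command`/`args`, so `rm` receives the literal string and, because of `-f`, exits 0 without deleting anything; the step then appears to succeed while the stale pid files remain. The argument should be `- "$(KONG_PREFIX)/pids"`. This assumes `KONG_PREFIX` is among the variables emitted by the `kong.env` include, which is not visible on this page and should be confirmed. A one-line comment above the container saying what it clears and why would also help, since the template does not state the reason for the step.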