Update Kong ingress controller to version 1.4. It fixes the occasional 404 error.
[ric-plt/ric-dep.git] / helm / infrastructure / subcharts / kong / templates / deployment.yaml
index 9bcbab0..de07aa7 100755 (executable)
@@ -1,20 +1,15 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: "{{ template "kong.fullname" . }}"
+  name: {{ template "kong.fullname" . }}
   labels:
-    app: "{{ template "kong.name" . }}"
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
-    release: "{{ .Release.Name }}"
-    heritage: "{{ .Release.Service }}"
-    component: app
+    {{- include "kong.metaLabels" . | nindent 4 }}
+    app.kubernetes.io/component: app
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
-      app: {{ template "kong.name" . }}
-      release: {{ .Release.Name }}
-      component: app
+      {{- include "kong.selectorLabels" . | nindent 6 }}
   {{- if .Values.updateStrategy }}
   strategy:
 {{ toYaml .Values.updateStrategy | indent 4 }}
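Review bot: The `spec.selector.matchLabels` block now comes from `kong.selectorLabels`, and an apps/v1 Deployment's selector is immutable once created. The helper is defined outside this diff, so this needs confirming, but if it renders keys other than the old `app`/`release`/`component` set, an in-place `helm upgrade` of an existing release will be rejected by the API server. In that case the upgrade notes need a delete-and-recreate step, and a template comment above the include would record the constraint, e.g. `{{- /* selector is immutable: changing kong.selectorLabels requires recreating the Deployment */ -}}`.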
@@ -23,6 +18,9 @@ spec:
   template:
     metadata:
       annotations:
+        {{- if .Values.ingressController.admissionWebhook.enabled }}
+        checksum/admission-webhook.yaml: {{ include (print $.Template.BasePath "/admission-webhook.yaml") . | sha256sum }}
+        {{- end }}
         {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }}
         {{- if .Values.dblessConfig.config }}
         checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }}
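Review bot: The new checksum annotation is gated only on `.Values.ingressController.admissionWebhook.enabled`, while the controller container is included only when `.Values.ingressController.enabled` is true (see the `containers:` hunk). With the controller disabled and the webhook flag left on, the pod would carry a webhook checksum, and the `webhook` port added in the ports hunk, with presumably nothing serving it. Gating both on `{{- if and .Values.ingressController.enabled .Values.ingressController.admissionWebhook.enabled }}` keeps the pod spec consistent with what actually runs. If the hashed template generates certificate material at render time (not visible here), the annotation will also change on every upgrade and roll the pods, which deserves a comment.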
@@ -32,11 +30,10 @@ spec:
 {{ toYaml .Values.podAnnotations | indent 8 }}
         {{- end }}
       labels:
-        app: {{ template "kong.name" . }}
-        release: {{ .Release.Name }}
-        component: app
+        {{- include "kong.metaLabels" . | nindent 8 }}
+        app.kubernetes.io/component: app
     spec:
-      {{- if (and (.Values.ingressController.enabled) (eq .Values.env.database "off")) }}
+      {{- if or .Values.ingressController.enabled .Values.podSecurityPolicy.enabled }}
       serviceAccountName: {{ template "kong.serviceAccountName" . }}
       {{ end }}
       {{- if .Values.image.pullSecrets }}
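Review bot: When both `ingressController.enabled` and `podSecurityPolicy.enabled` are false, the new `if` omits `serviceAccountName`, so the pod runs under the namespace's default service account and, by Kubernetes default, has that account's token mounted. Nothing visible in the proxy-only configuration needs API access, so consider adding an `{{- else }}` branch that sets `automountServiceAccountToken: false`. The closing `{{ end }}` also lacks the `{{-` trim used elsewhere and leaves a blank line in the rendered manifest.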
@@ -50,123 +47,18 @@ spec:
       {{- include "kong.wait-for-db" . | nindent 6 }}
       {{ end }}
       containers:
-      {{- if (and (.Values.ingressController.enabled) (eq .Values.env.database "off")) }}
+      {{- if .Values.ingressController.enabled }}
       {{- include "kong.controller-container" . | nindent 6 }}
       {{ end }}
-      - name: {{ template "kong.name" . }}
+      - name: "proxy"
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         env:
-        {{- if not .Values.env.admin_listen }}
-        {{- if .Values.admin.useTLS }}
-        - name: KONG_ADMIN_LISTEN
-          value: "0.0.0.0:{{ .Values.admin.containerPort }} ssl"
-        {{- else }}
-        - name: KONG_ADMIN_LISTEN
-          value: 0.0.0.0:{{ .Values.admin.containerPort }}
-        {{- end }}
-        {{- end }}
-        {{- if not .Values.env.proxy_listen }}
-        - name: KONG_PROXY_LISTEN
-          value: {{ template "kong.kongProxyListenValue" . }}
-        {{- end }}
-        {{- if and (not .Values.env.admin_gui_listen) (.Values.enterprise.enabled) }}
-        - name: KONG_ADMIN_GUI_LISTEN
-          value: {{ template "kong.kongManagerListenValue" . }}
-        {{- end }}
-        {{- if and (not .Values.env.portal_gui_listen) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }}
-        - name: KONG_PORTAL_GUI_LISTEN
-          value: {{ template "kong.kongPortalListenValue" . }}
-        {{- end }}
-        {{- if and (not .Values.env.portal_api_listen) (.Values.enterprise.enabled) (.Values.enterprise.portal.enabled) }}
-        - name: KONG_PORTAL_API_LISTEN
-          value: {{ template "kong.kongPortalApiListenValue" . }}
-        {{- end }}
-        - name: KONG_NGINX_DAEMON
-          value: "off"
-        {{- if .Values.enterprise.enabled }}
-        {{- if .Values.enterprise.vitals.enabled }}
-        - name: KONG_VITALS
-          value: "on"
-        {{- end }}
-        {{- if .Values.enterprise.portal.enabled }}
-        - name: KONG_PORTAL
-          value: "on"
-        {{- if .Values.enterprise.portal.portal_auth }}
-        - name: KONG_PORTAL_AUTH
-          value: {{ .Values.enterprise.portal.portal_auth }}
-        - name: KONG_PORTAL_SESSION_CONF
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.enterprise.portal.session_conf_secret }}
-              key: portal_session_conf
-        {{- end }}
-        {{- end }}
-        {{- if .Values.enterprise.rbac.enabled }}
-        - name: KONG_ENFORCE_RBAC
-          value: "on"
-        - name: KONG_ADMIN_GUI_AUTH
-          value: {{ .Values.enterprise.rbac.admin_gui_auth | default "basic-auth" }}
-        - name: KONG_ADMIN_GUI_AUTH_CONF
-          value: '{{ toJson .Values.enterprise.rbac.admin_gui_auth_conf }}'
-        - name: KONG_ADMIN_GUI_SESSION_CONF
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.enterprise.rbac.session_conf_secret }}
-              key: admin_gui_session_conf
-        {{- end }}
-        {{- if .Values.enterprise.smtp.enabled }}
-        - name: KONG_PORTAL_EMAILS_FROM
-          value: {{ .Values.enterprise.smtp.portal_emails_from }}
-        - name: KONG_PORTAL_EMAILS_REPLY_TO
-          value: {{ .Values.enterprise.smtp.portal_emails_reply_to }}
-        - name: KONG_ADMIN_EMAILS_FROM
-          value: {{ .Values.enterprise.smtp.admin_emails_from }}
-        - name: KONG_ADMIN_EMAILS_REPLY_TO
-          value: {{ .Values.enterprise.smtp.admin_emails_reply_to }}
-        - name: KONG_SMTP_HOST
-          value: {{ .Values.enterprise.smtp.smtp_host }}
-        - name: KONG_SMTP_PORT
-          value: {{ .Values.enterprise.smtp.smtp_port }}
-        - name: KONG_SMTP_STARTTLS
-          value: {{ .Values.enterprise.smtp.smtp_starttls }}
-        {{- if .Values.enterprise.smtp.auth.smtp_username }}
-        - name: KONG_SMTP_USERNAME
-          value: {{ .Values.enterprise.smtp.auth.smtp_username }}
-        - name: KONG_SMTP_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.enterprise.smtp.auth.smtp_password }}
-              key: smtp_password
-        {{- end }}
-        {{- else }}
-        - name: KONG_SMTP_MOCK
-          value: "on"
-        {{- end }}
-        {{- include "kong.license" . | nindent 8 }}
-        {{- end }}
-        - name: KONG_NGINX_HTTP_INCLUDE
-          value: /kong/servers.conf
-        {{- if .Values.postgresql.enabled }}
-        - name: KONG_PG_HOST
-          value: {{ template "kong.postgresql.fullname" . }}
-        - name: KONG_PG_PORT
-          value: "{{ .Values.postgresql.service.port }}"
-        - name: KONG_PG_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ template "kong.postgresql.fullname" . }}
-              key: postgresql-password
-        {{- end }}
-        {{- if .Values.cassandra.enabled }}
-        - name: KONG_CASSANDRA_CONTACT_POINTS
-          value: {{ template "kong.cassandra.fullname" . }}
-        {{- end }}
-        {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
-        - name: KONG_DECLARATIVE_CONFIG
-          value: "/kong_dbless/kong.yml"
-        {{- end }}
-        {{- include "kong.env" .  | indent 8 }}
+        {{- include "kong.final_env" . | nindent 8 }}
+        lifecycle:
+          preStop:
+            exec:
+              command: [ "/bin/sh", "-c", "kong quit" ]
         ports:
         - name: admin
           containerPort: {{ .Values.admin.containerPort }}
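Review bot: Replacing the explicit env block with `{{- include "kong.final_env" . | nindent 8 }}` moves every security-relevant setting into a helper that is not part of this diff, so the effective values cannot be checked here. The removed lines defaulted `KONG_ADMIN_LISTEN` to `0.0.0.0` and sourced the Postgres, SMTP and session secrets through `secretKeyRef`. Since the `admin` containerPort is still declared just below, it is worth confirming that the helper does not bind the Admin API to all interfaces without TLS by default, and that it still references Secrets instead of inlining values. A one-line template comment above the include naming which defaults `kong.final_env` supplies (listen addresses, database and secret references) would help the next reader. The container spec continues outside this hunk.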
@@ -193,6 +85,11 @@ spec:
         - name: metrics
           containerPort: 9542
           protocol: TCP
+        {{- if .Values.ingressController.admissionWebhook.enabled }}
+        - name: webhook
+          containerPort: {{ .Values.ingressController.admissionWebhook.port }}
+          protocol: TCP
+        {{- end }}
         {{- if .Values.enterprise.enabled }}
         {{- if .Values.manager.http.enabled }}
         - name: manager
@@ -244,12 +141,7 @@ spec:
         {{- end }}
         {{- end }}
         volumeMounts:
-          - name: custom-nginx-template-volume
-            mountPath: /kong
-          {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
-          - name: kong-custom-dbless-config-volume
-            mountPath: /kong_dbless/
-          {{- end }}
+        {{- include "kong.volumeMounts" . | nindent 10 }}
         readinessProbe:
 {{ toYaml .Values.readinessProbe | indent 10 }}
         livenessProbe:
@@ -260,6 +152,8 @@ spec:
       affinity:
 {{ toYaml .Values.affinity | indent 8 }}
     {{- end }}
+      securityContext:
+      {{- include "kong.podsecuritycontext" . | nindent 8 }}
     {{- if .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 8 }}
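Review bot: The added `securityContext:` is pod-level, and its content comes from `kong.podsecuritycontext`, which is not visible in this diff. A pod-level context cannot carry `allowPrivilegeEscalation`, `capabilities` or `readOnlyRootFilesystem`, which exist only at container level, and the visible hunks set no `securityContext` on the `proxy` container. If the helper covers only `runAsUser`/`fsGroup`-style fields, consider adding a container-level block, for example `allowPrivilegeEscalation: false` with `capabilities: { drop: ["ALL"] }`, driven from values. Also note that `securityContext:` is emitted unconditionally, so a helper that renders empty leaves a null key in the manifest.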
@@ -267,15 +161,4 @@ spec:
       tolerations:
 {{ toYaml .Values.tolerations | indent 8 }}
       volumes:
-        - name: custom-nginx-template-volume
-          configMap:
-            name: {{ template "kong.fullname" . }}-default-custom-server-blocks
-{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
-        - name: kong-custom-dbless-config-volume
-          configMap:
-            {{- if .Values.dblessConfig.configMap }}
-            name: {{ .Values.dblessConfig.configMap }}
-            {{- else }}
-            name: {{ template "kong.dblessConfig.fullname" . }}
-            {{- end }}
-{{- end }}
+      {{- include "kong.volumes" . | nindent 8 -}}