apiVersion: apps/v1 kind: Deployment metadata: labels: {{- include "cd-pipeline-operator.labels" . | nindent 4 }} {{- with .Values.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} name: {{ .Values.name }} spec: replicas: 1 selector: matchLabels: name: {{ .Values.name }} template: metadata: labels: name: {{ .Values.name }} spec: serviceAccountName: edp-{{ .Values.name }} securityContext: runAsNonRoot: true containers: - name: {{ .Values.name }} image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }} imagePullPolicy: "{{ .Values.imagePullPolicy }}" command: - /manager securityContext: allowPrivilegeEscalation: false env: - name: WATCH_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: PLATFORM_TYPE value: {{ .Values.global.platform }} - name: TENANCY_ENGINE value: "{{ .Values.tenancyEngine }}" - name: MANAGE_NAMESPACE value: "{{ .Values.manageNamespace }}" - name: SECRET_MANAGER value: "{{ .Values.secretManager }}" - name: OIDC_ADMIN_GROUP_NAME value: "{{ .Values.global.adminGroupName }}" - name: OIDC_DEVELOPER_GROUP_NAME value: "{{ .Values.global.developerGroupName }}" ports: - containerPort: 9443 name: webhook-server protocol: TCP volumeMounts: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true resources: {{ toYaml .Values.resources | indent 12 }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} volumes: - name: cert secret: defaultMode: 420 secretName: edp-cd-pipeline-operator-webhook-certs