{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} # Deployment for the injector apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "vault.fullname" . }}-agent-injector namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} component: webhook spec: replicas: {{ .Values.injector.replicas }} selector: matchLabels: app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook template: metadata: labels: app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} component: webhook {{- if .Values.injector.extraLabels -}} {{- toYaml .Values.injector.extraLabels | nindent 8 -}} {{- end -}} {{ template "injector.annotations" . }} spec: {{ template "injector.affinity" . }} {{ template "injector.tolerations" . }} {{ template "injector.nodeselector" . }} {{- if .Values.injector.priorityClassName }} priorityClassName: {{ .Values.injector.priorityClassName }} {{- end }} serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" {{- if not .Values.global.openshift }} hostNetwork: {{ .Values.injector.hostNetwork }} securityContext: runAsNonRoot: true runAsGroup: {{ .Values.injector.gid | default 1000 }} runAsUser: {{ .Values.injector.uid | default 100 }} {{- end }} containers: - name: sidecar-injector {{ template "injector.resources" . }} image: "{{ template "imageRegistry" . -}} {{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}" imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}" {{- if not .Values.global.openshift }} securityContext: allowPrivilegeEscalation: false {{- end }} env: - name: AGENT_INJECT_LISTEN value: {{ printf ":%v" .Values.injector.port }} - name: AGENT_INJECT_LOG_LEVEL value: {{ .Values.injector.logLevel | default "info" }} - name: AGENT_INJECT_VAULT_ADDR {{- if .Values.injector.externalVaultAddr }} value: "{{ .Values.injector.externalVaultAddr }}" {{- else }} value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} {{- end }} - name: AGENT_INJECT_VAULT_AUTH_PATH value: {{ .Values.injector.authPath }} - name: AGENT_INJECT_VAULT_IMAGE value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}" {{- if .Values.injector.certs.secretName }} - name: AGENT_INJECT_TLS_CERT_FILE value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}" - name: AGENT_INJECT_TLS_KEY_FILE value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}" {{- else }} - name: AGENT_INJECT_TLS_AUTO value: {{ template "vault.fullname" . }}-agent-injector-cfg - name: AGENT_INJECT_TLS_AUTO_HOSTS value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc {{- end }} - name: AGENT_INJECT_LOG_FORMAT value: {{ .Values.injector.logFormat | default "standard" }} - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN value: "{{ .Values.injector.revokeOnShutdown | default false }}" {{- if .Values.global.openshift }} - name: AGENT_INJECT_SET_SECURITY_CONTEXT value: "false" {{- end }} {{- if .Values.injector.metrics.enabled }} - name: AGENT_INJECT_TELEMETRY_PATH value: "/metrics" {{- end }} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} - name: AGENT_INJECT_USE_LEADER_ELECTOR value: "true" - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace {{- end }} - name: AGENT_INJECT_CPU_REQUEST value: "{{ .Values.injector.agentDefaults.cpuRequest }}" - name: AGENT_INJECT_CPU_LIMIT value: "{{ .Values.injector.agentDefaults.cpuLimit }}" - name: AGENT_INJECT_MEM_REQUEST value: "{{ .Values.injector.agentDefaults.memRequest }}" - name: AGENT_INJECT_MEM_LIMIT value: "{{ .Values.injector.agentDefaults.memLimit }}" - name: AGENT_INJECT_DEFAULT_TEMPLATE value: "{{ .Values.injector.agentDefaults.template }}" {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} args: - agent-inject - 2>&1 livenessProbe: httpGet: path: /health/ready port: {{ .Values.injector.port }} scheme: HTTPS failureThreshold: 2 initialDelaySeconds: 5 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 readinessProbe: httpGet: path: /health/ready port: {{ .Values.injector.port }} scheme: HTTPS failureThreshold: 2 initialDelaySeconds: 5 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 {{- if .Values.injector.certs.secretName }} volumeMounts: - name: webhook-certs mountPath: /etc/webhook/certs readOnly: true {{- end }} {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} - name: leader-elector image: {{ template "imageRegistry" . -}} {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }} args: - --election={{ template "vault.fullname" . }}-agent-injector-leader - --election-namespace={{ .Release.Namespace }} - --http=0.0.0.0:4040 - --ttl={{ .Values.injector.leaderElector.ttl }} livenessProbe: httpGet: path: / port: 4040 scheme: HTTP failureThreshold: 2 initialDelaySeconds: 5 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 readinessProbe: httpGet: path: / port: 4040 scheme: HTTP failureThreshold: 2 initialDelaySeconds: 5 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 5 {{- end }} {{- if .Values.injector.certs.secretName }} volumes: - name: webhook-certs secret: secretName: "{{ .Values.injector.certs.secretName }}" {{- end }} {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml .Values.global.imagePullSecrets | nindent 8 }} {{- end }} {{ end }}