{{- /* # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. */}} apiVersion: apps/v1 kind: Deployment metadata: name: rule-evaluator labels: {{- include "rule-evaluator.labels" . | nindent 4 }} spec: selector: matchLabels: {{- include "rule-evaluator.selectorLabels" . | nindent 6 }} template: metadata: labels: {{- include "rule-evaluator.templateLabels" . | nindent 8 }} spec: serviceAccountName: {{ include "rule-evaluator.serviceAccountName" . }} automountServiceAccountToken: true initContainers: - name: config-init image: {{.Values.images.bash.image}}:{{.Values.images.bash.tag}} command: ['/bin/bash', '-c', 'touch /prometheus/config_out/config.yaml'] volumeMounts: - name: config-out mountPath: /prometheus/config_out containers: - name: config-reloader image: {{.Values.images.configReloader.image}}:{{.Values.images.configReloader.tag}} args: - --config-file=/prometheus/config/config.yaml - --config-file-output=/prometheus/config_out/config.yaml - --config-dir=/etc/rules - --config-dir-output=/prometheus/rules_out - --reload-url=http://127.0.0.1:9092/-/reload - --ready-url=http://127.0.0.1:9092/-/ready - --listen-address=:9093 ports: - name: cfg-rel-metrics protocol: TCP containerPort: 9093 resources: {{- toYaml $.Values.resources.configReloader | nindent 10}} volumeMounts: - name: config readOnly: true mountPath: /prometheus/config - name: config-out mountPath: /prometheus/config_out - name: rules readOnly: true mountPath: /etc/rules - name: rules-out mountPath: /prometheus/rules_out securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true - name: evaluator image: {{.Values.images.ruleEvaluator.image}}:{{.Values.images.ruleEvaluator.tag}} args: - "--config.file=/prometheus/config_out/config.yaml" - "--web.listen-address=:9092" ports: - name: r-eval-metrics containerPort: 9092 resources: {{- toYaml $.Values.resources.ruleEvaluator | nindent 10}} volumeMounts: - name: config-out readOnly: true mountPath: /prometheus/config_out - name: rules-out readOnly: true mountPath: /etc/rules livenessProbe: httpGet: port: r-eval-metrics path: /-/healthy readinessProbe: httpGet: port: r-eval-metrics path: /-/ready # Readiness attempts a query round-trip so we need a more generous timeout. timeoutSeconds: 5 securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true volumes: - name: config configMap: name: rule-evaluator - name: config-out emptyDir: {} - name: rules configMap: name: rules - name: rules-out emptyDir: {} affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/arch operator: In values: - arm64 - amd64 - key: kubernetes.io/os operator: In values: - linux tolerations: - key: "components.gke.io/gke-managed-components" operator: "Exists" - value: "amd64" effect: "NoSchedule" key: "kubernetes.io/arch" operator: "Equal" - value: "arm64" effect: "NoSchedule" key: "kubernetes.io/arch" operator: "Equal" securityContext: runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault