
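# Deployment for the clusters-service API.
#
# Credentials are never passed on the command line or through env vars: every
# secret is mounted as a file and referenced by path. The "@/path" form of the
# --db-*/--client-* arguments presumably tells the binary to read the value
# from that file — verify against the binary's flag parsing.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: clusters-service
  namespace: '{{ .Release.Namespace }}'
  labels:
    app: clusters-service
spec:
  selector:
    matchLabels:
      app: clusters-service
  # Deliberately unquoted: replicas is an integer field in the Deployment
  # schema, so a quoted value would be rejected by the API server.
  replicas: {{ .Values.replicas }}
  template:
    metadata:
      labels:
        app: clusters-service
        # Label values must be strings; an unquoted true would be a boolean.
        azure.workload.identity/use: "true"
      annotations:
        # Each annotation hashes the rendered template of a mounted secret or
        # configmap, so a content change there changes the pod template and
        # triggers a rollout.
        # NOTE(review): the authentication, region-constraints-config,
        # cloud-resource-constraints-config, cluster-proxy-service-config
        # and rh-oidc-s3-secret resources mounted below have no checksum
        # annotation here, so edits to them do not roll the pods — confirm
        # whether that is intended.
        checksum/db: '{{ include (print $.Template.BasePath "/database.secret.yaml") . | sha256sum }}'
        checksum/operatorcfg: '{{ include (print $.Template.BasePath "/azure-operators-managed-identities-config.configmap.yaml") . | sha256sum }}'
        checksum/cskv: '{{ include (print $.Template.BasePath "/cs-keyvault.secret.yaml") . | sha256sum }}'
        checksum/provisionshard: '{{ include (print $.Template.BasePath "/provisioning-shards.secret.yaml") . | sha256sum }}'
        checksum/cs: '{{ include (print $.Template.BasePath "/clusters-service.secret.yaml") . | sha256sum }}'
        checksum/runtime: '{{ include (print $.Template.BasePath "/azure-runtime-config.configmap.yaml") . | sha256sum }}'
        checksum/cloudres: '{{ include (print $.Template.BasePath "/cloud-resources-config.configmap.yaml") . | sha256sum }}'
        checksum/sa: '{{ include (print $.Template.BasePath "/serviceaccount.yaml") . | sha256sum }}'
    spec:
      # Only serviceAccountName is set; the deprecated `serviceAccount` alias
      # that used to duplicate it is defaulted from this field by the API
      # server and is no longer listed.
      serviceAccountName: '{{ .Values.serviceAccountName }}'
      # NOTE(review): no pod- or container-level securityContext is defined
      # (runAsNonRoot, allowPrivilegeEscalation, capabilities drop,
      # seccompProfile). Add one once the image's runtime user and
      # filesystem needs are confirmed.
      volumes:
        - name: service
          secret:
            secretName: clusters-service
        - name: shards
          secret:
            secretName: provision-shards
        - name: rds
          secret:
            secretName: ocm-cs-db
        # NOTE(review): this volume is not mounted by any container in this
        # template, yet the pod cannot start until the secret exists because
        # it is not marked optional — confirm whether it is still needed.
        - name: oidc
          secret:
            secretName: rh-oidc-s3-secret
        - name: authentication
          configMap:
            name: authentication
        - name: region-constraints
          configMap:
            name: region-constraints-config
        # cloud-resources-config and cloud-resource-constraints-config are each
        # exposed twice so that individual files can be mounted via subPath.
        - name: instance-types
          configMap:
            name: cloud-resources-config
        - name: instance-type-constraints
          configMap:
            name: cloud-resource-constraints-config
        - name: cloud-regions
          configMap:
            name: cloud-resources-config
        - name: cloud-region-constraints
          configMap:
            name: cloud-resource-constraints-config
        - name: proxy
          configMap:
            name: cluster-proxy-service-config
        - name: azure-runtime-config
          configMap:
            name: azure-runtime-config
        - name: azure-operators-managed-identities-config
          configMap:
            name: azure-operators-managed-identities-config
        # Optional: the pod still starts when this pull secret is absent.
        - name: mixin-pull-secret
          secret:
            secretName: hive-ci-global-pull-secret
            optional: true
        # Key Vault material is projected read-only by the secrets-store CSI
        # driver; the objects come from the cs-keyvault SecretProviderClass.
        - name: keyvault
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: cs-keyvault
      initContainers:
        # Runs the binary's "init" subcommand (database setup/migration flags)
        # before the API container starts. Same digest-pinned image as the
        # main container.
        - name: init
          image: '{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}@{{ .Values.imageDigest }}'
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: rds
              mountPath: /secrets/rds
            - name: service
              mountPath: /secrets/service
            - name: azure-runtime-config
              mountPath: /configs/azure-runtime-config
          command:
            - /usr/local/bin/clusters-service
            - init
            - --db-host=@/secrets/rds/db.host
            - --db-port=@/secrets/rds/db.port
            - --db-name=@/secrets/rds/db.name
            - --db-user=@/secrets/rds/db.user
            - --db-password=@/secrets/rds/db.password
            # NOTE(review): disabling DB TLS is values-driven; check the
            # production values file keeps it false.
            - --db-disable-tls={{ .Values.databaseDisableTls }}
            - --db-auth-method={{ .Values.databaseAuthMethod }}
            - --force-migration={{ .Values.forceMigration }}
            - --batch-processes-dry-run={{ .Values.batchProcessesDryRun }}
            - --batch-processes={{ .Values.batchProcesses }}
            - --azure-runtime-config-path=/configs/azure-runtime-config/config.json
      containers:
        - name: service
          # Pinned by digest rather than tag, so a rollout always runs exactly
          # the image that was reviewed.
          image: '{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}@{{ .Values.imageDigest }}'
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: service
              mountPath: /secrets/service
            - name: shards
              mountPath: /secrets/shards
            - name: rds
              mountPath: /secrets/rds
            - name: authentication
              mountPath: /configs/authentication
            - name: region-constraints
              mountPath: /configs/region-constraints
            - name: proxy
              mountPath: /configs/proxy
            - name: mixin-pull-secret
              mountPath: /secrets/mixin-pull-secret
            # subPath mounts: the configmap is mounted file-by-file so two
            # configmaps can share the /configs/cloud-resources* trees.
            - name: instance-types
              mountPath: /configs/cloud-resources/instance-types.yaml
              subPath: instance-types.yaml
            - name: instance-type-constraints
              mountPath: /configs/cloud-resource-constraints/instance-type-constraints.yaml
              subPath: instance-type-constraints.yaml
            - name: cloud-regions
              mountPath: /configs/cloud-resources/cloud-regions.yaml
              subPath: cloud-regions.yaml
            - name: cloud-region-constraints
              mountPath: /configs/cloud-resource-constraints/cloud-region-constraints.yaml
              subPath: cloud-region-constraints.yaml
            - name: keyvault
              mountPath: "/secrets/keyvault"
              readOnly: true
            - name: azure-runtime-config
              mountPath: /configs/azure-runtime-config
            - name: azure-operators-managed-identities-config
              mountPath: /configs/azure-operators-managed-identities-config.yaml
              subPath: azure-operators-managed-identities-config.yaml
          env:
            # Tracing is configured through the standard OTEL env vars; both
            # values come from the chart's tracing section.
            - name: OTEL_EXPORTER_OTLP_ENDPOINT
              value: '{{ .Values.tracing.address }}'
            - name: OTEL_TRACES_EXPORTER
              value: '{{ .Values.tracing.exporter }}'
          command:
            - /usr/local/bin/clusters-service
            - serve
            - --log-level={{ .Values.logLevel }}
            - --namespace={{ .Release.Namespace }}
            - --runtime-mode={{ .Values.runtimeMode }}
            - --default-expiration={{ .Values.defaultExpiration }}
            - --maximum-expiration={{ .Values.maximumExpiration }}
            - --db-host=@/secrets/rds/db.host
            - --db-port=@/secrets/rds/db.port
            - --db-name=@/secrets/rds/db.name
            - --db-user=@/secrets/rds/db.user
            - --db-password=@/secrets/rds/db.password
            - --db-disable-tls={{ .Values.databaseDisableTls }}
            - --db-auth-method={{ .Values.databaseAuthMethod }}
            - --gateway-url={{ .Values.gatewayURL }}
            - --client-id=@/secrets/service/client.id
            - --client-secret=@/secrets/service/client.secret
            - --client-scopes={{ .Values.clientScopes }}
            - --user-defined-dns-base-domain={{ .Values.userDefinedDnsBaseDomain }}
            - --jwks-url={{ .Values.jwksUrl }}
            - --jwks-file=/configs/authentication/jwks.json
            - --acl-file=/configs/authentication/acl.yml
            - --token-url={{ .Values.tokenUrl }}
            # NOTE(review): what --insecure relaxes is defined by the binary,
            # not visible here; make sure production values pin it to false.
            - --insecure={{ .Values.insecure }}
            # Three listeners: API (8000, also used by the liveness probe),
            # metrics (8080) and healthcheck (8083, used by readiness).
            - --api-listener-network=tcp
            - --api-listener-address=:8000
            - --metrics-listener-network=tcp
            - --metrics-listener-address=:8080
            - --healthcheck-listener-network=tcp
            - --healthcheck-listener-address=:8083
            - --environment={{ .Values.environment }}
            - --backplane-url={{ .Values.backplaneURL }}
            - --provision-shards-config=/secrets/shards/config
            - --proxy-config-file=/configs/proxy/config.yaml
            # NOTE(review): nothing is mounted at /configs/policies in this
            # template, so the directory must ship inside the image — confirm.
            - --aws-sts-policy-directory=/configs/policies
            - --mixin-pull-secret-path=/secrets/mixin-pull-secret
            - --region-constraints-config=/configs/region-constraints/config.yaml
            - --instance-type-config=/configs/cloud-resources/instance-types.yaml
            - --instance-type-constraints-config=/configs/cloud-resource-constraints/instance-type-constraints.yaml
            - --cloud-region-config=/configs/cloud-resources/cloud-regions.yaml
            - --cloud-region-constraints-config=/configs/cloud-resource-constraints/cloud-region-constraints.yaml
            - --azure-first-party-application-client-id={{ .Values.azureFirstPartyApplicationClientId }}
            - --azure-first-party-application-certificate-bundle-path=/secrets/keyvault/firstPartyApplicationCertificateBundle
            - --azure-runtime-config-path=/configs/azure-runtime-config/config.json
            - --azure-operators-managed-identities-config-path=/configs/azure-operators-managed-identities-config.yaml
            # The two optional blocks below are rendered only when all three of
            # their values are set. They wire in mock identities, which reads
            # as dev/test-only — confirm production values leave them unset.
            {{- if and .Values.azureMiMockServicePrincipalCertName .Values.azureMiMockServicePrincipalClientId .Values.azureMiMockServicePrincipalPrincipalId }}
            - --azure-mi-mock-service-principal-certificate-bundle-path=/secrets/keyvault/mockMiServicePrincipalCertificateBundle
            - --azure-mi-mock-service-principal-client-id={{ .Values.azureMiMockServicePrincipalClientId }}
            - --azure-mi-mock-service-principal-principal-id={{ .Values.azureMiMockServicePrincipalPrincipalId }}
            {{- end }}
            {{- if and .Values.azureArmHelperIdentityCertName .Values.azureArmHelperIdentityClientId .Values.azureArmHelperMockFpaPrincipalId }}
            # The "Indentity" spelling is the name of the projected Key Vault
            # object and must match the cs-keyvault SecretProviderClass; do not
            # correct it on one side only.
            - --azure-arm-helper-identity-certificate-bundle-path=/secrets/keyvault/armHelperIndentityCertificateBundle
            - --azure-arm-helper-identity-client-id={{ .Values.azureArmHelperIdentityClientId }}
            - --azure-arm-helper-mock-fpa-principal-id={{ .Values.azureArmHelperMockFpaPrincipalId }}
            {{- end }}
            # Baggage items are populated by the RP frontend and defined in internal/tracing/attributes.go.
            - --log-fields-from-baggage=aro.correlation_id=correlation_id,aro.client.request_id=client_request_id
          # Liveness goes through the API listener itself; readiness uses the
          # dedicated healthcheck listener and identifies itself via User-Agent.
          livenessProbe:
            httpGet:
              path: /api/clusters_mgmt/v1
              port: 8000
              scheme: HTTP
            initialDelaySeconds: 15
            periodSeconds: 10
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /healthcheck
              port: 8083
              scheme: HTTP
              httpHeaders:
                - name: User-Agent
                  value: Probe
            initialDelaySeconds: 20
            periodSeconds: 10
          # Quoted so Helm never renders a bare number (e.g. 500m vs 0.5) into a
          # type the schema rejects.
          resources:
            requests:
              memory: '{{ .Values.memoryRequest }}'
              cpu: '{{ .Values.cpuRequest }}'
            limits:
              memory: '{{ .Values.memoryLimit }}'
              cpu: '{{ .Values.cpuLimit }}'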