charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml (101 lines of code) (raw):
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: '{{ template "workload-identity-webhook.name" . }}'
azure-workload-identity.io/system: "true"
chart: '{{ template "workload-identity-webhook.name" . }}'
release: '{{ .Release.Name }}'
name: azure-wi-webhook-controller-manager
namespace: '{{ .Release.Namespace }}'
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: '{{ template "workload-identity-webhook.name" . }}'
azure-workload-identity.io/system: "true"
chart: '{{ template "workload-identity-webhook.name" . }}'
release: '{{ .Release.Name }}'
template:
metadata:
annotations:
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
labels:
{{- include "workload-identity-webhook.podLabels" . }}
app: '{{ template "workload-identity-webhook.name" . }}'
azure-workload-identity.io/system: "true"
chart: '{{ template "workload-identity-webhook.name" . }}'
release: '{{ .Release.Name }}'
spec:
affinity:
{{- toYaml .Values.affinity | nindent 8 }}
containers:
- args:
- --log-level={{ .Values.logLevel }}
- --metrics-addr={{ .Values.metricsAddr }}
- --metrics-backend={{ .Values.metricsBackend }}
command:
- /manager
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
envFrom:
- configMapRef:
name: azure-wi-webhook-config
image: '{{ .Values.image.repository }}:{{ .Values.image.release }}'
imagePullPolicy: '{{ .Values.image.pullPolicy }}'
livenessProbe:
failureThreshold: 6
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 15
periodSeconds: 20
name: manager
ports:
- containerPort: {{ trimPrefix ":" .Values.metricsAddr }}
name: metrics
protocol: TCP
- containerPort: 9443
name: webhook-server
protocol: TCP
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
initialDelaySeconds: 5
periodSeconds: 5
resources:
{{- toYaml .Values.resources | nindent 10 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /certs
name: cert
readOnly: true
nodeSelector:
{{- toYaml .Values.nodeSelector | nindent 8 }}
priorityClassName: {{ .Values.priorityClassName }}
serviceAccountName: azure-wi-webhook-admin
tolerations:
{{- toYaml .Values.tolerations | nindent 8 }}
volumes:
- name: cert
secret:
defaultMode: 420
secretName: azure-wi-webhook-server-cert