434 lines
17 KiB
YAML
434 lines
17 KiB
YAML
{{- $oidc := .Values.config.oidc }}
|
|
{{- $env := .Values.env }}
|
|
|
|
{{- $clientID := "" }}
|
|
{{- $clientSecret := "" }}
|
|
{{- $issuerURL := "" }}
|
|
{{- $scopes := "" }}
|
|
{{- $callbackURL := "" }}
|
|
{{- $validatorClientID := "" }}
|
|
{{- $validatorIssuerURL := "" }}
|
|
{{- $usePKCE := "" }}
|
|
{{- $useAccessToken := "" }}
|
|
{{- $meUserInfoURL := "" }}
|
|
|
|
# This block of code is used to extract the values from the env.
|
|
# This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
|
|
{{- range $env }}
|
|
{{- if eq .name "OIDC_CLIENT_ID" }}
|
|
{{- $clientID = .value }}
|
|
{{- end }}
|
|
{{- if eq .name "OIDC_CLIENT_SECRET" }}
|
|
{{- $clientSecret = .value }}
|
|
{{- end }}
|
|
{{- if eq .name "OIDC_ISSUER_URL" }}
|
|
{{- $issuerURL = .value }}
|
|
{{- end }}
|
|
{{- if eq .name "OIDC_SCOPES" }}
|
|
{{- $scopes = .value }}
|
|
{{- end }}
|
|
{{- if eq .name "OIDC_CALLBACK_URL" }}
|
|
{{- $callbackURL = .value }}
|
|
{{- end }}
|
|
{{- if eq .name "OIDC_VALIDATOR_CLIENT_ID" }}
|
|
{{- $validatorClientID = .value }}
|
|
{{- end }}
|
|
{{- if eq .name "OIDC_VALIDATOR_ISSUER_URL" }}
|
|
{{- $validatorIssuerURL = .value }}
|
|
{{- end }}
|
|
{{- if eq .name "OIDC_USE_ACCESS_TOKEN" }}
|
|
{{- $useAccessToken = .value | toString }}
|
|
{{- end }}
|
|
{{- if eq .name "OIDC_USE_PKCE" }}
|
|
{{- $usePKCE = .value | toString }}
|
|
{{- end }}
|
|
{{- if eq .name "ME_USER_INFO_URL" }}
|
|
{{- $meUserInfoURL = .value | toString }}
|
|
{{- end }}
|
|
{{- end }}
|
|
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: {{ include "headlamp.fullname" . }}
|
|
namespace: {{ include "headlamp.namespace" . }}
|
|
labels:
|
|
{{- include "headlamp.labels" . | nindent 4 }}
|
|
{{- with .Values.deploymentAnnotations }}
|
|
annotations:
|
|
{{- toYaml . | nindent 4 }}
|
|
{{- end }}
|
|
spec:
|
|
replicas: {{ .Values.replicaCount }}
|
|
selector:
|
|
matchLabels:
|
|
{{- include "headlamp.selectorLabels" . | nindent 6 }}
|
|
template:
|
|
metadata:
|
|
{{- with .Values.podAnnotations }}
|
|
annotations:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
labels:
|
|
{{- include "headlamp.selectorLabels" . | nindent 8 }}
|
|
{{- with .Values.podLabels }}
|
|
{{- tpl (toYaml .) $ | nindent 8 }}
|
|
{{- end }}
|
|
spec:
|
|
{{- with .Values.imagePullSecrets }}
|
|
imagePullSecrets:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
serviceAccountName: {{ include "headlamp.serviceAccountName" . }}
|
|
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
|
|
hostUsers: {{ .Values.hostUsers }}
|
|
securityContext:
|
|
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
|
{{- with .Values.initContainers }}
|
|
initContainers:
|
|
{{ toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
containers:
|
|
- name: {{ .Chart.Name }}
|
|
securityContext:
|
|
{{- if .Values.securityContext }}
|
|
{{- toYaml .Values.securityContext | nindent 12 }}
|
|
{{- else }}
|
|
{{- $defaultSC := dict "allowPrivilegeEscalation" false "runAsNonRoot" true "seccompProfile" (dict "type" "RuntimeDefault") "capabilities" (dict "drop" (list "ALL")) }}
|
|
{{- toYaml $defaultSC | nindent 12 }}
|
|
{{- end }}
|
|
image: "{{ .Values.image.registry}}/{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
|
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
{{ if or $oidc .Values.env }}
|
|
{{- if $oidc.externalSecret.enabled }}
|
|
# Check if externalSecret is enabled
|
|
envFrom:
|
|
- secretRef:
|
|
name: {{ $oidc.externalSecret.name }}
|
|
{{- if .Values.env }}
|
|
env:
|
|
{{- toYaml .Values.env | nindent 12 }}
|
|
{{- end }}
|
|
{{- else }}
|
|
env:
|
|
{{- if $oidc.secret.create }}
|
|
{{- if $oidc.clientID }}
|
|
- name: OIDC_CLIENT_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $oidc.secret.name }}
|
|
key: clientID
|
|
{{- end }}
|
|
{{- if $oidc.clientSecret }}
|
|
- name: OIDC_CLIENT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $oidc.secret.name }}
|
|
key: clientSecret
|
|
{{- end }}
|
|
{{- if $oidc.issuerURL }}
|
|
- name: OIDC_ISSUER_URL
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $oidc.secret.name }}
|
|
key: issuerURL
|
|
{{- end }}
|
|
{{- if $oidc.scopes }}
|
|
- name: OIDC_SCOPES
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $oidc.secret.name }}
|
|
key: scopes
|
|
{{- end }}
|
|
{{- if $oidc.callbackURL }}
|
|
- name: OIDC_CALLBACK_URL
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $oidc.secret.name }}
|
|
key: callbackURL
|
|
{{- end }}
|
|
{{- if $oidc.validatorClientID }}
|
|
- name: OIDC_VALIDATOR_CLIENT_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $oidc.secret.name }}
|
|
key: validatorClientID
|
|
{{- end }}
|
|
{{- if $oidc.validatorIssuerURL }}
|
|
- name: OIDC_VALIDATOR_ISSUER_URL
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $oidc.secret.name }}
|
|
key: validatorIssuerURL
|
|
{{- end }}
|
|
{{- if $oidc.useAccessToken }}
|
|
- name: OIDC_USE_ACCESS_TOKEN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $oidc.secret.name }}
|
|
key: useAccessToken
|
|
{{- end }}
|
|
{{- if $oidc.usePKCE }}
|
|
- name: OIDC_USE_PKCE
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $oidc.secret.name }}
|
|
key: usePKCE
|
|
{{- end }}
|
|
{{- if $oidc.meUserInfoURL }}
|
|
- name: ME_USER_INFO_URL
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ $oidc.secret.name }}
|
|
key: meUserInfoURL
|
|
{{- end }}
|
|
{{- else }}
|
|
{{- if $oidc.clientID }}
|
|
- name: OIDC_CLIENT_ID
|
|
value: {{ $oidc.clientID }}
|
|
{{- end }}
|
|
{{- if $oidc.clientSecret }}
|
|
- name: OIDC_CLIENT_SECRET
|
|
value: {{ $oidc.clientSecret }}
|
|
{{- end }}
|
|
{{- if $oidc.issuerURL }}
|
|
- name: OIDC_ISSUER_URL
|
|
value: {{ $oidc.issuerURL }}
|
|
{{- end }}
|
|
{{- if $oidc.scopes }}
|
|
- name: OIDC_SCOPES
|
|
value: {{ $oidc.scopes }}
|
|
{{- end }}
|
|
{{- if $oidc.callbackURL }}
|
|
- name: OIDC_CALLBACK_URL
|
|
value: {{ $oidc.callbackURL }}
|
|
{{- end }}
|
|
{{- if $oidc.validatorClientID }}
|
|
- name: OIDC_VALIDATOR_CLIENT_ID
|
|
value: {{ $oidc.validatorClientID }}
|
|
{{- end }}
|
|
{{- if $oidc.validatorIssuerURL }}
|
|
- name: OIDC_VALIDATOR_ISSUER_URL
|
|
value: {{ $oidc.validatorIssuerURL }}
|
|
{{- end }}
|
|
{{- if $oidc.useAccessToken }}
|
|
- name: OIDC_USE_ACCESS_TOKEN
|
|
value: {{ $oidc.useAccessToken | quote }}
|
|
{{- end }}
|
|
{{- if $oidc.usePKCE }}
|
|
- name: OIDC_USE_PKCE
|
|
value: {{ $oidc.usePKCE | quote }}
|
|
{{- end }}
|
|
{{- if $oidc.meUserInfoURL }}
|
|
- name: ME_USER_INFO_URL
|
|
value: {{ $oidc.meUserInfoURL }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.env }}
|
|
{{- toYaml .Values.env | nindent 12 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
args:
|
|
{{- if .Values.config.inCluster }}
|
|
- "-in-cluster"
|
|
{{- if .Values.config.inClusterContextName }}
|
|
- "-in-cluster-context-name={{ .Values.config.inClusterContextName }}"
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .Values.config.enableHelm }}
|
|
- "-enable-helm"
|
|
{{- end }}
|
|
{{- if .Values.config.watchPlugins }}
|
|
- "-watch-plugins-changes"
|
|
{{- end }}
|
|
{{- with .Values.config.pluginsDir}}
|
|
- "-plugins-dir={{ . }}"
|
|
{{- end }}
|
|
{{- if not $oidc.externalSecret.enabled}}
|
|
# Check if externalSecret is disabled
|
|
{{- if or (ne $oidc.clientID "") (ne $clientID "") }}
|
|
# Check if clientID is non empty either from env or oidc.config
|
|
- "-oidc-client-id=$(OIDC_CLIENT_ID)"
|
|
{{- end }}
|
|
{{- if or (ne $oidc.clientSecret "") (ne $clientSecret "") }}
|
|
# Check if clientSecret is non empty either from env or oidc.config
|
|
- "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
|
|
{{- end }}
|
|
{{- if or (ne $oidc.issuerURL "") (ne $issuerURL "") }}
|
|
# Check if issuerURL is non empty either from env or oidc.config
|
|
- "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
|
|
{{- end }}
|
|
{{- if or (ne $oidc.scopes "") (ne $scopes "") }}
|
|
# Check if scopes are non empty either from env or oidc.config
|
|
- "-oidc-scopes=$(OIDC_SCOPES)"
|
|
{{- end }}
|
|
{{- if or (ne $oidc.callbackURL "") (ne $callbackURL "") }}
|
|
# Check if callbackURL is non empty either from env or oidc.config
|
|
- "-oidc-callback-url=$(OIDC_CALLBACK_URL)"
|
|
{{- end }}
|
|
{{- if or (ne $oidc.validatorClientID "") (ne $validatorClientID "") }}
|
|
# Check if validatorClientID is non empty either from env or oidc.config
|
|
- "-oidc-validator-client-id=$(OIDC_VALIDATOR_CLIENT_ID)"
|
|
{{- end }}
|
|
{{- if or (ne $oidc.validatorIssuerURL "") (ne $validatorIssuerURL "") }}
|
|
# Check if validatorIssuerURL is non empty either from env or oidc.config
|
|
- "-oidc-validator-idp-issuer-url=$(OIDC_VALIDATOR_ISSUER_URL)"
|
|
{{- end }}
|
|
{{- if or (ne ($oidc.useAccessToken | toString) "false") (ne $useAccessToken "") }}
|
|
# Check if useAccessToken is non false either from env or oidc.config
|
|
- "-oidc-use-access-token=$(OIDC_USE_ACCESS_TOKEN)"
|
|
{{- end }}
|
|
{{- if or (eq ($oidc.usePKCE | toString) "true") (eq $usePKCE "true") }}
|
|
- "-oidc-use-pkce=$(OIDC_USE_PKCE)"
|
|
{{- end }}
|
|
{{- if or (ne $oidc.meUserInfoURL "") (ne $meUserInfoURL "") }}
|
|
- "-me-user-info-url=$(ME_USER_INFO_URL)"
|
|
{{- end }}
|
|
{{- else }}
|
|
- "-oidc-client-id=$(OIDC_CLIENT_ID)"
|
|
- "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
|
|
- "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
|
|
- "-oidc-scopes=$(OIDC_SCOPES)"
|
|
{{- if or (ne $oidc.callbackURL "") (ne $callbackURL "") }}
|
|
# Check if callbackURL is non empty either from env or oidc.config
|
|
- "-oidc-callback-url=$(OIDC_CALLBACK_URL)"
|
|
{{- end }}
|
|
{{- if or (eq ($oidc.usePKCE | toString) "true") (eq $usePKCE "true") }}
|
|
- "-oidc-use-pkce=$(OIDC_USE_PKCE)"
|
|
{{- end }}
|
|
{{- if or (ne $oidc.validatorClientID "") (ne $validatorClientID "") }}
|
|
# Check if validatorClientID is non empty either from env or oidc.config
|
|
- "-oidc-validator-client-id=$(OIDC_VALIDATOR_CLIENT_ID)"
|
|
{{- end }}
|
|
{{- if or (ne $oidc.validatorIssuerURL "") (ne $validatorIssuerURL "") }}
|
|
# Check if validatorIssuerURL is non empty either from env or oidc.config
|
|
- "-oidc-validator-idp-issuer-url=$(OIDC_VALIDATOR_ISSUER_URL)"
|
|
{{- end }}
|
|
{{- if or (eq ($oidc.useAccessToken | toString) "true") (eq $useAccessToken "true") }}
|
|
# Check if useAccessToken is non false either from env or oidc.config
|
|
- "-oidc-use-access-token=$(OIDC_USE_ACCESS_TOKEN)"
|
|
{{- end }}
|
|
{{- if or (ne $oidc.meUserInfoURL "") (ne $meUserInfoURL "") }}
|
|
- "-me-user-info-url=$(ME_USER_INFO_URL)"
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .Values.config.baseURL }}
|
|
- "-base-url={{ . }}"
|
|
{{- end }}
|
|
{{- with .Values.config.tlsCertPath }}
|
|
- "-tls-cert-path={{ . }}"
|
|
{{- end }}
|
|
{{- with .Values.config.tlsKeyPath }}
|
|
- "-tls-key-path={{ . }}"
|
|
{{- end }}
|
|
{{- with .Values.config.extraArgs }}
|
|
{{- toYaml . | nindent 12 }}
|
|
{{- end }}
|
|
ports:
|
|
- name: http
|
|
containerPort: 4466
|
|
protocol: TCP
|
|
livenessProbe:
|
|
httpGet:
|
|
path: "{{ .Values.config.baseURL }}/"
|
|
port: http
|
|
readinessProbe:
|
|
httpGet:
|
|
path: "{{ .Values.config.baseURL }}/"
|
|
port: http
|
|
resources:
|
|
{{- toYaml .Values.resources | nindent 12 }}
|
|
{{- if or .Values.pluginsManager.enabled .Values.volumeMounts }}
|
|
volumeMounts:
|
|
{{- if .Values.pluginsManager.enabled }}
|
|
- name: plugins-dir
|
|
mountPath: {{ .Values.config.pluginsDir }}
|
|
{{- end }}
|
|
{{- with .Values.volumeMounts }}
|
|
{{- toYaml . | nindent 12 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.pluginsManager.enabled }}
|
|
- name: headlamp-plugin
|
|
image: {{ .Values.pluginsManager.baseImage }}
|
|
command: ["/bin/sh", "-c"]
|
|
{{- if .Values.pluginsManager.env }}
|
|
env:
|
|
{{- toYaml .Values.pluginsManager.env | nindent 12 }}
|
|
{{- end }}
|
|
args:
|
|
- |
|
|
if [ -f "/config/plugin.yml" ]; then
|
|
echo "Installing plugins from config..."
|
|
cat /config/plugin.yml
|
|
# Use a writable cache directory
|
|
export NPM_CONFIG_CACHE=/tmp/npm-cache
|
|
# Use a writable config directory
|
|
export NPM_CONFIG_USERCONFIG=/tmp/npm-userconfig
|
|
mkdir -p /tmp/npm-cache /tmp/npm-userconfig
|
|
npx --yes @headlamp-k8s/pluginctl@{{ .Values.pluginsManager.version }} install --config /config/plugin.yml --folderName {{ .Values.config.pluginsDir }} --watch
|
|
fi
|
|
volumeMounts:
|
|
- name: plugins-dir
|
|
mountPath: {{ .Values.config.pluginsDir }}
|
|
- name: plugin-config
|
|
mountPath: /config
|
|
{{- with .Values.pluginsManager.volumeMounts }}
|
|
{{- toYaml . | nindent 12 }}
|
|
{{- end }}
|
|
resources:
|
|
{{- toYaml .Values.pluginsManager.resources | nindent 12 }}
|
|
securityContext:
|
|
{{- if .Values.pluginsManager.securityContext }}
|
|
{{- toYaml .Values.pluginsManager.securityContext | nindent 12 }}
|
|
{{- else if $.Values.securityContext }}
|
|
{{- toYaml $.Values.securityContext | nindent 12 }}
|
|
{{- else }}
|
|
{{- $defaultSC := dict "allowPrivilegeEscalation" false "runAsNonRoot" true "seccompProfile" (dict "type" "RuntimeDefault") "capabilities" (dict "drop" (list "ALL")) }}
|
|
{{- toYaml $defaultSC | nindent 12 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .Values.extraContainers }}
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.nodeSelector }}
|
|
nodeSelector:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.affinity }}
|
|
affinity:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.tolerations }}
|
|
tolerations:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.topologySpreadConstraints }}
|
|
topologySpreadConstraints:
|
|
{{- range $constraint := . }}
|
|
- {{ toYaml $constraint | nindent 10 }}
|
|
{{- if not $constraint.labelSelector }}
|
|
labelSelector:
|
|
matchLabels:
|
|
{{- include "headlamp.selectorLabels" $ | nindent 14 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .Values.priorityClassName }}
|
|
priorityClassName: {{ . | quote }}
|
|
{{- end }}
|
|
{{- if or .Values.pluginsManager.enabled .Values.volumes }}
|
|
volumes:
|
|
{{- if .Values.pluginsManager.enabled }}
|
|
- name: plugins-dir
|
|
emptyDir: {}
|
|
- name: plugin-config
|
|
configMap:
|
|
name: {{ include "headlamp.fullname" . }}-plugin-config
|
|
{{- end }}
|
|
{{- with .Values.volumes}}
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- end }}
|