This repository has been archived by the owner on Mar 22, 2024. It is now read-only.
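{{- $configSum := (include (print $.Template.BasePath "/configmap.yaml") . | sha256sum) }}
# SPIRE agent DaemonSet: one agent pod per node (optionally narrowed by
# nodeSelector). $configSum above is the SHA-256 of the rendered ConfigMap
# template; it is stamped on the pod template so that a configuration change
# alters the pod spec.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: {{ include "spire-agent.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "spire-agent.labels" . | nindent 4 }}
spec:
  selector:
    matchLabels:
      {{- include "spire-agent.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      annotations:
        # Quoted on purpose: annotation values must be strings, and a hex
        # digest made only of digits (or digits around a single "e") would
        # otherwise be typed as a number by the YAML parser.
        checksum/config: {{ $configSum | quote }}
        {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      labels:
        {{- include "spire-agent.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      # The agent shares the node's PID and network namespaces. Presumably
      # this is needed so the agent can inspect the calling workload's process
      # during attestation (confirm against agent.conf). Either way the pod
      # can see every process and network interface on the node, so treat it
      # as node-privileged: keep RBAC for exec/attach and for editing this
      # DaemonSet tight, and account for it in Pod Security admission.
      hostPID: true
      hostNetwork: true
      # Required with hostNetwork so cluster DNS names (the server Service
      # below) still resolve.
      dnsPolicy: ClusterFirstWithHostNet
      serviceAccountName: {{ include "spire-agent.serviceAccountName" . }}
      # Only a pod-level securityContext is templated; neither container sets
      # a container-level one (allowPrivilegeEscalation, capabilities,
      # readOnlyRootFilesystem), so those stay at runtime defaults.
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      initContainers:
        - name: init
          # This is a small image with wait-for-it; choose whatever image
          # you prefer that waits for a service to be up. This image is built
          # from https://github.com/vishnubob/wait-for-it
          # It runs in the same host namespaces as the agent, so pin the
          # image you choose (tag or digest) through the waitForIt values.
          image: {{ template "spire-agent.image" .Values.waitForIt }}
          imagePullPolicy: {{ .Values.waitForIt.image.pullPolicy }}
          # Waits up to 30 s for "<release>-server" on the server port.
          args: ["-t", "30", "-h", "{{ .Release.Name }}-server", "-p", {{ .Values.server.port | quote }}]
          resources:
            {{- toYaml .Values.waitForIt.resources | nindent 12 }}
      containers:
        - name: {{ .Chart.Name }}
          image: {{ template "spire-agent.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image) }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          args: ["-config", "/run/spire/config/agent.conf"]
          ports:
            # With hostNetwork: true these ports are bound on the node itself.
            - containerPort: {{ .Values.healthChecks.port }}
              name: healthz
            {{- if (dig "telemetry" "prometheus" "enabled" .Values.telemetry.prometheus.enabled .Values.global) }}
            - containerPort: {{ .Values.telemetry.prometheus.port }}
              name: prom
            {{- end }}
          volumeMounts:
            - name: spire-config
              mountPath: /run/spire/config
              readOnly: true
            - name: spire-bundle
              mountPath: /run/spire/bundle
              readOnly: true
            # Writable: the agent creates its socket in this directory.
            - name: spire-agent-socket-dir
              mountPath: {{ include "spire.agent-socket-path" . | dir }}
              readOnly: false
            # The token is only read by the agent; mounted read-only like the
            # other inputs.
            - name: spire-token
              mountPath: /var/run/secrets/tokens
              readOnly: true
          livenessProbe:
            httpGet:
              path: /live
              port: healthz
            initialDelaySeconds: 15
            periodSeconds: 60
          readinessProbe:
            httpGet:
              path: /ready
              port: healthz
            initialDelaySeconds: 15
            periodSeconds: 60
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      volumes:
        - name: spire-config
          configMap:
            name: {{ include "spire-agent.fullname" . }}
        - name: spire-bundle
          configMap:
            name: {{ .Values.bundleConfigMap }}
        # Projected service account token bound to the "spire-server" audience
        # with a 7200 s lifetime, so it is not accepted by other audiences.
        # Presumably consumed for node attestation; confirm in agent.conf.
        - name: spire-token
          projected:
            sources:
              - serviceAccountToken:
                  path: spire-agent
                  expirationSeconds: 7200
                  audience: spire-server
        # Host directory holding the agent socket; created on the node if it
        # does not exist. Anything that can mount this host path can reach the
        # socket, so workloads should mount it read-only and hostPath use
        # should be restricted by admission policy.
        - name: spire-agent-socket-dir
          hostPath:
            path: {{ include "spire.agent-socket-path" . | dir }}
            type: DirectoryOrCreate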