diff options
Diffstat (limited to 'kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml')
| -rwxr-xr-x | kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml | 137 |
1 files changed, 137 insertions, 0 deletions
diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml new file mode 100755 index 0000000000..6c25bac01c --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml @@ -0,0 +1,137 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + - command: + - /bin/sh + args: + - -c + - | + echo "*** set right permissions to the different folders" + chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /var/log; + chmod -R 755 /var/log + chown -R {{ .Values.permissions.uid }}:{{ .Values.permissions.gid }} /opt/; + chmod -R 755 /opt/* + tar -xvf /tmp/policies/policy-data.tar.gz -C /opt/ + image: {{ include "repositoryGenerator.image.busybox" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + name: {{ include "common.name" . }}-readiness + volumeMounts: + - name: logs + mountPath: /var/log + - name: tmp-policies-data + mountPath: /tmp/policies + - name : opa-policies-data + mountPath: /opt/ + + containers: + - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 12 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + env: + - name: UseSASLForKAFKA + value: "{{ .Values.kafka.useSASL }}" + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: GROUPID + value: "{{ .Values.kafka.groupid }}" + - name: LOG_LEVEL + value: "{{ .Values.log.loglevel }}" + - name: PAP_TOPIC + value: "{{ .Values.kafka.topic }}" + - name: API_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "login") | indent 10 }} + - name: API_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "password") | indent 10 }} + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }} + - name: JAASLOGIN + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + + - name: opa-policies-data + mountPath: /opt + - name: opa-config + mountPath: /app/config + - name: opa-bundles + mountPath: /app/bundles + - name: logs + mountPath: /var/log + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: tmp-policies-data + configMap: + name: {{ include "common.fullname" . }}-configmap-policies-data + defaultMode: 0755 + - name: opa-policies-data + persistentVolumeClaim: + claimName: {{ include "common.fullname" . }}-policies-data + - name: opa-config + configMap: + name: {{ include "common.fullname" . }}-configmap-config + defaultMode: 0755 + - name: opa-bundles + emptyDir: + sizeLimit: {{ .Values.dirSizes.bundleDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} + {{- include "common.imagePullSecrets" . | nindent 6 }} |