Added support for External Network Operator (ENO) Scenario
[infra/stack/kubernetes.git] / apps / network-resources-injector / kubespray / playbooks / roles / install / templates / nri_server.yaml.j2
1 # Copyright (C) 2021 The Nordix Foundation. All rights reserved.
2 # Copyright (c) 2019 Intel Corporation
3 #
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
7 #
8 #     http://www.apache.org/licenses/LICENSE-2.0
9 #
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15 ---
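# Pod for the network-resources-injector webhook server in kube-system.
# The "installer" init container runs first with the shared "tls" emptyDir
# mounted at /etc/tls; the webhook server then loads its TLS key and
# certificate from that same volume.
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: network-resources-injector
  name: network-resources-injector
  namespace: kube-system
spec:
  # serviceAccountName is the current field name; serviceAccount is its
  # deprecated alias and selects the same account.
  serviceAccountName: network-resources-injector-sa
  containers:
  - name: webhook-server
    # NOTE(review): a mutable :latest tag combined with IfNotPresent means the
    # node runs whatever image is already cached under this name. Pin a
    # version tag or digest where the build produces one.
    image: network-resources-injector:latest
    imagePullPolicy: IfNotPresent
    command:
    - webhook
    args:
    - -bind-address=0.0.0.0
    - -port=8443
    - -tls-private-key-file=/etc/tls/tls.key
    - -tls-cert-file=/etc/tls/tls.crt
    - -logtostderr
    # NOTE(review): -insecure is passed even though a TLS key and certificate
    # are configured. Confirm against the webhook's flag help what it relaxes
    # (presumably client verification on the TLS endpoint) and drop it if the
    # deployment can do without it.
    - -insecure
    env:
    - name: NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    securityContext:
      runAsUser: 10000
      runAsGroup: 10000
      # Make the kubelet refuse to start the container as UID 0 if the
      # runAsUser value above is ever removed or overridden.
      runAsNonRoot: true
      capabilities:
        drop:
        - ALL
        # NOTE(review): the server listens on 8443, which is not a privileged
        # port; NET_BIND_SERVICE looks unnecessary unless -port is changed to
        # a value below 1024.
        add: ["NET_BIND_SERVICE"]
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
    volumeMounts:
    - mountPath: /etc/tls
      name: tls
    resources:
      requests:
        memory: "50Mi"
        cpu: "250m"
      limits:
        memory: "200Mi"
        cpu: "500m"
  initContainers:
  - name: installer
    image: network-resources-injector:latest
    imagePullPolicy: IfNotPresent
    command:
    - installer
    args:
    - -name=network-resources-injector
    - -namespace=kube-system
    - -alsologtostderr
    # Harden the init container like the webhook server: it runs under the
    # same service account and handles the TLS private key, so it should not
    # keep the default capability set or be able to gain privileges.
    securityContext:
      runAsUser: 10000
      runAsGroup: 10000
      runAsNonRoot: true
      capabilities:
        drop:
        - ALL
      allowPrivilegeEscalation: false
      # readOnlyRootFilesystem is deliberately not set here: -alsologtostderr
      # suggests the installer also writes log files, which would need a
      # writable path - confirm before enabling it.
    volumeMounts:
    - name: tls
      mountPath: /etc/tls
  volumes:
  # Pod-lifetime scratch volume through which the installer hands the TLS
  # material to the webhook server.
  - name: tls
    emptyDir: {}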
81
82 # To use a third-party certificate, mount a Secret resource
83 # instead of the certificate self-generated by the installer, as follows:
84 #
85 # 1) Remove initContainers from Pod spec.
86 # 2) Replace `emptyDir: {}` with below config
87 #
88 #   secret:
89 #     secretName: network-resources-injector-secret
90