X-Git-Url: https://gerrit.nordix.org/gitweb?p=infra%2Fstack%2Fkubernetes.git;a=blobdiff_plain;f=apps%2Fnetwork-resources-injector%2Fkubespray%2Fplaybooks%2Froles%2Finstall%2Ftemplates%2Fnri_server.yaml.j2;fp=apps%2Fnetwork-resources-injector%2Fkubespray%2Fplaybooks%2Froles%2Finstall%2Ftemplates%2Fnri_server.yaml.j2;h=233416d4f6d55fa7146a6706848bda588af49c01;hp=0000000000000000000000000000000000000000;hb=bc521a1ec1127b1c41ee76e9301009b8ed084f69;hpb=abd49dbf6fdde52d549c92969e222b70efae24db
diff --git a/apps/network-resources-injector/kubespray/playbooks/roles/install/templates/nri_server.yaml.j2 b/apps/network-resources-injector/kubespray/playbooks/roles/install/templates/nri_server.yaml.j2
new file mode 100644
index 0000000..233416d
--- /dev/null
+++ b/apps/network-resources-injector/kubespray/playbooks/roles/install/templates/nri_server.yaml.j2
@@ -0,0 +1,90 @@
+# Copyright (C) 2021 The Nordix Foundation. All rights reserved.
+# Copyright (c) 2019 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ app: network-resources-injector
+ name: network-resources-injector
+ namespace: kube-system
+spec:
+ serviceAccount: network-resources-injector-sa
+ containers:
+ - name: webhook-server
+ image: network-resources-injector:latest
+ imagePullPolicy: IfNotPresent
+ command:
+ - webhook
+ args:
+ - -bind-address=0.0.0.0
+ - -port=8443
+ - -tls-private-key-file=/etc/tls/tls.key
+ - -tls-cert-file=/etc/tls/tls.crt
+ - -logtostderr
+ - -insecure
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ runAsUser: 10000
+ runAsGroup: 10000
+ capabilities:
+ drop:
+ - ALL
+ add: ["NET_BIND_SERVICE"]
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ volumeMounts:
+ - mountPath: /etc/tls
+ name: tls
+ resources:
+ requests:
+ memory: "50Mi"
+ cpu: "250m"
+ limits:
+ memory: "200Mi"
+ cpu: "500m"
+ initContainers:
+ - name: installer
+ image: network-resources-injector:latest
+ imagePullPolicy: IfNotPresent
+ command:
+ - installer
+ args:
+ - -name=network-resources-injector
+ - -namespace=kube-system
+ - -alsologtostderr
+ securityContext:
+ runAsUser: 10000
+ runAsGroup: 10000
+ volumeMounts:
+ - name: tls
+ mountPath: /etc/tls
+ volumes:
+ - name: tls
+ emptyDir: {}
+
+# For third-party certificate, use secret resource
+# instead of self-generated one from installer as below:
+#
+# 1) Remove initContainers from Pod spec.
+# 2) Replace `emptyDir: {}` with below config
+#
+# secret:
+# secretName: network-resources-injector-secret
+
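Review bot: The `webhook-server` args include `- -insecure`, which nothing in the template explains. If the image behaves like the upstream network-resources-injector (not verifiable from this hunk), that flag stops the server from checking the caller's client certificate against a CA, so the mutating endpoint on `-bind-address=0.0.0.0` would accept requests from callers other than the API server. Drop the flag and supply the API server's client CA, or add a comment stating why it is acceptable here. `add: ["NET_BIND_SERVICE"]` looks unnecessary because `-port=8443` is an unprivileged port, so `drop: - ALL` can stand alone. The `installer` init container sets only `runAsUser`/`runAsGroup` and should also carry `allowPrivilegeEscalation: false` and the same `capabilities: drop: - ALL` as the main container. Both containers run `network-resources-injector:latest` with `imagePullPolicy: IfNotPresent` in `kube-system`, so whatever image a node has cached under that tag is what runs; pinning a version tag or digest would make this reproducible.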