apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "web-application.fullname" . }} labels: {{- include "web-application.labels" . | nindent 4 }} {{- if or .Values.annotations.deployment }} annotations: {{- tpl (toYaml .Values.annotations.deployment) $ | nindent 4 }} {{- end }} spec: {{- if not .Values.hpa.enabled }} replicas: {{ .Values.replicaCount }} {{- end }} selector: matchLabels: {{- include "web-application.selectorLabels" . | nindent 6 }} template: metadata: labels: {{- include "web-application.selectorLabels" . | nindent 8 }} {{- if .Values.istio }} sidecar.istio.io/inject: {{ .Values.istio.enabled | quote }} {{ end }} {{- if or .Values.annotations.deployment }} annotations: {{- tpl (toYaml .Values.annotations.deployment) $ | nindent 8 }} {{- end }} spec: {{- if (include "web-application.internal.imagePullSecretName" .) }} imagePullSecrets: - name: {{ include "web-application.internal.imagePullSecretName" . }} {{- end }} automountServiceAccountToken: {{ ternary false true (empty (or .Values.rbac.rules .Values.rbac.role .Values.rbac.clusterRole)) }} serviceAccountName: {{ tpl (.Values.serviceAccountName | default (include "web-application.fullname" .)) $ }} containers: - image: {{ include "web-application.internal.imageName" (dict "image" .Values.image "context" $) }} {{- if ( or .Values.global.imagePullPolicy .Values.imagePullPolicy ) }} imagePullPolicy: {{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }} {{- end }} name: {{ include "web-application.name" . }} {{- if .Values.command }} command: {{- .Values.command | toYaml | nindent 8 }} {{- end }} {{- if .Values.args }} args: {{- .Values.args | toYaml | nindent 8 }} {{- end }} ports: - name: http containerPort: {{ .Values.port }} protocol: TCP envFrom: {{- $envFromVars := (include "web-application.internal.processEnvFrom" (dict "envFrom" .Values.envFrom "context" $) | fromJson) }} {{- if not (eq (len $envFromVars.vars) 0) }} {{- $envFromVars.vars | toYaml | nindent 8}} {{- end }} env: - name: SERVICE_BINDING_ROOT value: /bindings - name: PORT value: {{ .Values.port | quote }} - name: TMPDIR value: /tmp {{- if .Values.otlp.traces.enabled }} - name: OTEL_EXPORTER_OTLP_TRACES_ENDPOINT value: {{ .Values.otlp.traces.endpoint }} {{- end }} {{- if .Values.otlp.metrics.enabled }} - name: OTEL_EXPORTER_OTLP_METRICS_ENDPOINT value: {{ .Values.otlp.metrics.endpoint }} {{- end }} {{- if .Values.otlp.logs.enabled }} - name: OTEL_EXPORTER_OTLP_LOGS_ENDPOINT value: {{ .Values.otlp.logs.endpoint }} {{- end }} {{- $envVars := (include "web-application.internal.processEnv" (dict "env" .Values.env "context" $) | fromJson) }} {{- if not $envVars.appName}} - name: APPLICATION_NAME value: {{ include "web-application.fullname" . }} {{- end }} {{- if not $envVars.appURI}} - name: APPLICATION_URI value: {{ include "web-application.internal.applicationUri" . }} {{- end }} {{- if not (eq (len $envVars.vars) 0) }} {{- $envVars.vars | toYaml | nindent 8}} {{- end }} {{ include "web-application.internal.healthCheck" (dict "checkName" "livenessProbe" "checkValues" .Values.health.liveness "values" .Values.health "context" $) | nindent 8}} {{ include "web-application.internal.healthCheck" (dict "checkName" "readinessProbe" "checkValues" .Values.health.readiness "values" .Values.health "context" $) | nindent 8}} {{ include "web-application.internal.healthCheck" (dict "checkName" "startupProbe" "checkValues" .Values.health.liveness "values" .Values.health "context" $) | nindent 8}} volumeMounts: - name: tmp mountPath: /tmp - name: bindings-root mountPath: /bindings {{- range $volume := .Values.additionalVolumes }} - name: {{ $volume.name | quote }} {{- tpl ($volume.volumeMount | toYaml) $ | nindent 10 }} {{- end }} {{- include "web-application.internal.serviceMounts" . | nindent 8 }} resources: {{- toYaml .Values.resources | nindent 10 }} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false runAsNonRoot: true {{- if .Values.runAsUser }} runAsUser: {{ .Values.runAsUser }} {{- end }} readOnlyRootFilesystem: {{ .Values.readOnlyRootFilesystem | default false }} seccompProfile: type: RuntimeDefault appArmorProfile: type: RuntimeDefault {{- range $key, $sidecar := .Values.sidecars }} - image: {{ include "web-application.internal.imageName" (dict "image" $sidecar.image "context" $) }} {{- if ( or $.Values.global.imagePullPolicy $sidecar.imagePullPolicy ) }} imagePullPolicy: {{ $sidecar.imagePullPolicy | default $.Values.global.imagePullPolicy }} {{- end }} name: {{ $key }} {{- if $sidecar.command }} command: {{- $sidecar.command | toYaml | nindent 8 }} {{- end }} {{- if $sidecar.args }} args: {{- $sidecar.args | toYaml | nindent 8 }} {{- end }} envFrom: {{- $envFromVars := (include "web-application.internal.processEnvFrom" (dict "envFrom" $sidecar.envFrom "context" $) | fromJson) }} {{- if not (eq (len $envFromVars.vars) 0) }} {{- $envFromVars.vars | toYaml | nindent 8}} {{- end }} env: - name: SERVICE_BINDING_ROOT value: /bindings - name: TMPDIR value: /tmp {{- if $.Values.otlp.traces.enabled }} - name: OTEL_EXPORTER_OTLP_TRACES_ENDPOINT value: {{ $.Values.otlp.traces.endpoint }} {{- end }} {{- if $.Values.otlp.metrics.enabled }} - name: OTEL_EXPORTER_OTLP_METRICS_ENDPOINT value: {{ $.Values.otlp.metrics.endpoint }} {{- end }} {{- if $.Values.otlp.logs.enabled }} - name: OTEL_EXPORTER_OTLP_LOGS_ENDPOINT value: {{ $.Values.otlp.logs.endpoint }} {{- end }} {{- $envVars := (include "web-application.internal.processEnv" (dict "env" $sidecar.env "context" $) | fromJson) }} {{- if not (eq (len $envVars.vars) 0) }} {{- $envVars.vars | toYaml | nindent 8}} {{- end }} volumeMounts: - name: tmp mountPath: /tmp - name: bindings-root mountPath: /bindings {{- range $volume := $.Values.additionalVolumes }} - name: {{ $volume.name | quote }} {{- tpl ($volume.volumeMount | toYaml) $ | nindent 10 }} {{- end }} {{- include "web-application.internal.serviceMounts" $ | nindent 8 }} {{- if $sidecar.resources }} resources: {{- toYaml $sidecar.resources | nindent 10 }} {{- end }} {{- if $sidecar.health }} {{ include "web-application.internal.healthCheck" (dict "checkName" "livenessProbe" "checkValues" $sidecar.health.liveness "values" $sidecar.health "context" $) | nindent 8}} {{ include "web-application.internal.healthCheck" (dict "checkName" "readinessProbe" "checkValues" $sidecar.health.readiness "values" $sidecar.health "context" $) | nindent 8}} {{ include "web-application.internal.healthCheck" (dict "checkName" "startupProbe" "checkValues" $sidecar.health.liveness "values" $sidecar.health "context" $) | nindent 8}} {{- end }} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false runAsNonRoot: true {{- if $sidecar.runAsUser }} runAsUser: {{ $sidecar.runAsUser }} {{- end }} readOnlyRootFilesystem: {{ $.Values.readOnlyRootFilesystem | default false }} seccompProfile: type: RuntimeDefault appArmorProfile: type: RuntimeDefault {{- end }} restartPolicy: Always terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} {{- if .Values.nodeSelector }} nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 8 }} {{- end }} {{- if .Values.nodeAffinity }} affinity: nodeAffinity: {{- .Values.nodeAffinity | toYaml | nindent 10 }} {{- end }} topologySpreadConstraints: {{- range $constraint := .Values.availability.topologySpreadConstraints }} - labelSelector: matchLabels: {{- include "web-application.selectorLabels" $ | nindent 12 }} maxSkew: {{ $constraint.maxSkew }} topologyKey: {{ $constraint.topologyKey }} whenUnsatisfiable: {{ $constraint.whenUnsatisfiable }} matchLabelKeys: {{ $constraint.matchLabelKeys | default (list "pod-template-hash") | toYaml | nindent 10 }} {{- end }} volumes: - emptyDir: {} name: tmp - emptyDir: {} name: bindings-root {{- include "web-application.internal.serviceVolumes" . | nindent 6 }} {{- range $volume := .Values.additionalVolumes }} - {{- tpl (omit $volume "volumeMount" | toYaml) $ | nindent 8 }} {{- end }}