103 lines
3.8 KiB
YAML
103 lines
3.8 KiB
YAML
# Here we deploy cloudflared images. The tunnel credentials are stored in
|
|
# a k8s secret, and the configuration is stored in a k8s configmap.
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: {{ include "cloudflare-tunnel.fullname" . }}
|
|
labels:
|
|
{{- include "cloudflare-tunnel.labels" . | nindent 4 }}
|
|
spec:
|
|
replicas: {{ .Values.replicaCount }}
|
|
selector:
|
|
matchLabels:
|
|
{{- include "cloudflare-tunnel.selectorLabels" . | nindent 6 }}
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
# These are here so the deployment rolls when the config or secret change.
|
|
checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
|
|
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
|
|
{{- with .Values.podAnnotations }}
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
labels:
|
|
{{- include "cloudflare-tunnel.selectorLabels" . | nindent 8 }}
|
|
spec:
|
|
{{- with .Values.imagePullSecrets }}
|
|
imagePullSecrets:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
serviceAccountName: {{ include "cloudflare-tunnel.fullname" . }}
|
|
securityContext:
|
|
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
|
containers:
|
|
- name: {{ .Chart.Name }}
|
|
securityContext:
|
|
{{- toYaml .Values.securityContext | nindent 12 }}
|
|
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
|
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
args:
|
|
- tunnel
|
|
# Points cloudflared to the config file, which configures what
|
|
# cloudflared will actually do. This file is created by a ConfigMap.
|
|
- --config
|
|
- /etc/cloudflared/config/config.yaml
|
|
- run
|
|
livenessProbe:
|
|
httpGet:
|
|
# Cloudflared has a /ready endpoint which returns 200 if and only if
|
|
# it has an active connection to the edge.
|
|
path: /ready
|
|
port: 2000
|
|
failureThreshold: 1
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 10
|
|
volumeMounts:
|
|
- name: config
|
|
mountPath: /etc/cloudflared/config
|
|
readOnly: true
|
|
# Each tunnel has an associated "credentials file" which authorizes machines
|
|
# to run the tunnel. cloudflared will read this file from its local filesystem,
|
|
# and it'll be stored in a k8s secret.
|
|
- name: creds
|
|
mountPath: /etc/cloudflared/creds
|
|
readOnly: true
|
|
resources:
|
|
{{- toYaml .Values.resources | nindent 12 }}
|
|
volumes:
|
|
- name: creds
|
|
secret:
|
|
secretName: {{ include "cloudflare-tunnel.fullname" . }}
|
|
- name: config
|
|
configMap:
|
|
name: {{ include "cloudflare-tunnel.fullname" . }}
|
|
items:
|
|
- key: config.yaml
|
|
path: config.yaml
|
|
{{- with .Values.nodeSelector }}
|
|
nodeSelector:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
affinity:
|
|
{{- with .Values.affinity }}
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- else }}
|
|
podAntiAffinity:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
- weight: 10
|
|
podAffinityTerm:
|
|
topologyKey: kubernetes.io/hostname
|
|
labelSelector:
|
|
matchExpressions:
|
|
{{- range $k, $v := include "cloudflare-tunnel.selectorLabels" . | fromYaml }}
|
|
- key: {{ $k }}
|
|
operator: In
|
|
values:
|
|
- {{ $v }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .Values.tolerations }}
|
|
tolerations:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|