diff --git a/.gitignore b/.gitignore
index 02f8b179..02883efb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 .tools/
 website/site/
-kyverno-envoy-plugin
+/kyverno-envoy-plugin
diff --git a/Makefile b/Makefile
index c7a5814b..14152f92 100644
--- a/Makefile
+++ b/Makefile
@@ -171,7 +171,7 @@ mkdocs-serve: ## Generate and serve mkdocs website
 @$(PIP) install -U mkdocs-material mkdocs-redirects mkdocs-minify-plugin mkdocs-include-markdown-plugin lunr mkdocs-rss-plugin mike
 @mkdocs serve -f ./website/mkdocs.yaml
-########
+########
 # KIND #
 ########
@@ -196,7 +196,7 @@ kind-load-taged-image: build-ko
 docker tag $(KO_REGISTRY)/$(PACKAGE):$(GIT_SHA) $(KO_REGISTRY)/$(PACKAGE):latest
 @$(KIND) load docker-image $(KO_REGISTRY)/$(PACKAGE):latest
-#########
+#########
 # ISTIO #
 #########
@@ -207,6 +207,20 @@ install-istio: $(HELM)
 @$(HELM) upgrade --install istio-base --namespace istio-system --create-namespace --wait --repo https://istio-release.storage.googleapis.com/charts base
 @$(HELM) upgrade --install istiod --namespace istio-system --create-namespace --wait --repo https://istio-release.storage.googleapis.com/charts istiod
+########
+# HELM #
+########
+
+.PHONY: chart-install
+chart-install: ## Install chart
+chart-install: kind-load-image
+chart-install: $(HELM)
+ @echo Install helm chart... >&2
+ @$(HELM) upgrade --install kyverno-envoy-plugin --namespace kyverno --create-namespace --wait ./charts/kyverno-envoy-plugin \
+ --set sidecarInjector.containers.injector.image.registry=ko.local \
+ --set sidecarInjector.containers.injector.image.repository=github.com/kyverno/kyverno-envoy-plugin \
+ --set sidecarInjector.containers.injector.image.tag=$(GIT_SHA)
+
 ########
 # HELP #
 ########
diff --git a/charts/kyverno-envoy-plugin/.helmignore b/charts/kyverno-envoy-plugin/.helmignore
new file mode 100644
index 00000000..85df807a
--- /dev/null
+++ b/charts/kyverno-envoy-plugin/.helmignore
@@ -0,0 +1,3 @@
+.helmignore
+ci/
+README.md.gotmpl
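Review bot: The image coordinates in the new chart-install recipe are spelled out as literals, `ko.local` and `github.com/kyverno/kyverno-envoy-plugin`, while the kind-load-taged-image recipe two hunks up builds the same reference from `$(KO_REGISTRY)/$(PACKAGE):$(GIT_SHA)`. Presumably the two variables expand to exactly those strings today, but if either is changed the chart would be pointed at an image the kind cluster never loaded, and the mismatch would only surface as a pull failure on the injector pod. Reusing the variables keeps the two targets in step: `--set sidecarInjector.containers.injector.image.registry=$(KO_REGISTRY) \` and `--set sidecarInjector.containers.injector.image.repository=$(PACKAGE) \`. The `kind-load-image` prerequisite is defined outside this hunk, so I have not checked that it loads the `$(GIT_SHA)` tag the chart is given.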
diff --git a/charts/kyverno-envoy-plugin/Chart.yaml b/charts/kyverno-envoy-plugin/Chart.yaml
new file mode 100644
index 00000000..ccd0dd1c
--- /dev/null
+++ b/charts/kyverno-envoy-plugin/Chart.yaml
@@ -0,0 +1,22 @@
+apiVersion: v2
+type: application
+name: kyverno-envoy-plugin
+version: v0.0.0
+appVersion: latest
+icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
+description: Kyverno policies based authorization plugin for Envoy ❤️
+keywords:
+ - kubernetes
+ - kyverno
+ - authz
+ - policy
+ - envoy
+ - istio
+ - security
+home: https://kyverno.github.io/kyverno-envoy-plugin
+sources:
+ - https://github.com/kyverno/kyverno-envoy-plugin
+maintainers:
+ - name: Kyverno
+ url: https://kyverno.io/
+kubeVersion: ">=1.25.0-0"
diff --git a/charts/kyverno-envoy-plugin/templates/NOTES.txt b/charts/kyverno-envoy-plugin/templates/NOTES.txt
new file mode 100644
index 00000000..1818ad1d
--- /dev/null
+++ b/charts/kyverno-envoy-plugin/templates/NOTES.txt
@@ -0,0 +1 @@
+Chart version: {{ .Chart.Version }}
diff --git a/charts/kyverno-envoy-plugin/templates/_helpers/_chart.tpl b/charts/kyverno-envoy-plugin/templates/_helpers/_chart.tpl
new file mode 100644
index 00000000..840aa7eb
--- /dev/null
+++ b/charts/kyverno-envoy-plugin/templates/_helpers/_chart.tpl
@@ -0,0 +1,9 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.chart.name" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "kyverno.chart.version" -}}
+ {{- .Chart.Version | replace "+" "_" -}}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/_helpers/_labels.tpl b/charts/kyverno-envoy-plugin/templates/_helpers/_labels.tpl
new file mode 100644
index 00000000..97c0ccba
--- /dev/null
+++ b/charts/kyverno-envoy-plugin/templates/_helpers/_labels.tpl
@@ -0,0 +1,43 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.labels.merge" -}}
+{{- $labels := dict -}}
+{{- range . -}}
+ {{- $labels = merge $labels (fromYaml .) -}}
+{{- end -}}
+{{- with $labels -}}
+ {{- toYaml $labels -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.labels.helm" -}}
+{{- if not .Values.templating.enabled -}}
+helm.sh/chart: {{ template "kyverno.chart.name" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.labels.version" -}}
+app.kubernetes.io/version: {{ template "kyverno.chart.version" . }}
+{{- end -}}
+
+{{- define "kyverno.labels.common" -}}
+{{- template "kyverno.labels.merge" (list
+ (include "kyverno.labels.helm" .)
+ (include "kyverno.labels.version" .)
+ (toYaml .Values.customLabels)
+) -}}
+{{- end -}}
+
+{{- define "kyverno.labels.component" -}}
+app.kubernetes.io/component: {{ . }}
+{{- end -}}
+
+{{- define "kyverno.labels.name" -}}
+app.kubernetes.io/name: {{ . }}
+{{- end -}}
+
+{{- define "kyverno.labels.match.common" -}}
+app.kubernetes.io/part-of: {{ template "kyverno.names.fullname" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/_helpers/_names.tpl b/charts/kyverno-envoy-plugin/templates/_helpers/_names.tpl
new file mode 100644
index 00000000..327826f7
--- /dev/null
+++ b/charts/kyverno-envoy-plugin/templates/_helpers/_names.tpl
@@ -0,0 +1,22 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.names.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "kyverno.names.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+ {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+ {{- $name := default .Chart.Name .Values.nameOverride -}}
+ {{- if contains $name .Release.Name -}}
+ {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+ {{- else -}}
+ {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.namespace" -}}
+{{ default .Release.Namespace .Values.namespaceOverride }}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/_helpers.tpl b/charts/kyverno-envoy-plugin/templates/sidecar-injector/_helpers.tpl
new file mode 100644
index 00000000..24d2708c
--- /dev/null
+++ b/charts/kyverno-envoy-plugin/templates/sidecar-injector/_helpers.tpl
@@ -0,0 +1,43 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.sidecar-injector.name" -}}
+{{ template "kyverno.names.name" . }}-sidecar-injector
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.labels" -}}
+{{- template "kyverno.labels.merge" (list
+ (include "kyverno.labels.common" .)
+ (include "kyverno.sidecar-injector.labels.match" .)
+) -}}
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.labels.match" -}}
+{{- template "kyverno.labels.merge" (list
+ (include "kyverno.labels.match.common" .)
+ (include "kyverno.labels.component" "sidecar-injector")
+) -}}
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.role.name" -}}
+{{- include "kyverno.names.fullname" . -}}:sidecar-injector
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.service-account.name" -}}
+{{- if .Values.sidecarInjector.rbac.create -}}
+ {{- default (include "kyverno.sidecar-injector.name" .) .Values.sidecarInjector.rbac.serviceAccount.name -}}
+{{- else -}}
+ {{- required "A service account name is required when `rbac.create` is set to `false`" .Values.sidecarInjector.rbac.serviceAccount.name -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.serviceName" -}}
+{{- printf "%s-svc" (include "kyverno.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.caCertificatesConfigMapName" -}}
+{{- printf "%s-ca-certificates" (include "kyverno.sidecar-injector.name" .) -}}
+{{- end -}}
+
+{{- define "kyverno.sidecar-injector.image" -}}
+{{- printf "%s/%s:%s" .registry .repository (default "latest" .tag) -}}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/certificates.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/certificates.yaml
new file mode 100644
index 00000000..b95689df
--- /dev/null
+++ b/charts/kyverno-envoy-plugin/templates/sidecar-injector/certificates.yaml
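Review bot: `kyverno.sidecar-injector.image` falls back to the mutable `latest` tag (`default "latest" .tag`), which contradicts the comment on `tag` in this diff's values.yaml ("Defaults to appVersion in Chart.yaml if omitted") and means a default install is not pinned to a release. The helper only receives the `.image` map, so it cannot reach `.Chart.AppVersion`; deployment.yaml would have to pass a context that carries both, e.g. `image: {{ include "kyverno.sidecar-injector.image" (dict "image" .image "chart" $.Chart) }}`, with the helper using `default .chart.AppVersion .image.tag` — and since Chart.yaml also sets `appVersion: latest`, the release process has to stamp that field for the pin to mean anything. `kyverno.sidecar-injector.serviceName` is defined but not referenced by any template in this diff (service.yaml names the Service with the service-account helper instead), so either use it there or drop it.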
@@ -0,0 +1,32 @@
+{{- if .Values.sidecarInjector.enabled -}}
+{{- if .Values.sidecarInjector.certificates.selfSigned -}}
+{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}}
+{{- $svcName := (printf "%s.%s.svc" (include "kyverno.sidecar-injector.name" .) (include "kyverno.namespace" .)) -}}
+{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "kyverno.sidecar-injector.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $ca.Key | b64enc }}
+ tls.crt: {{ $ca.Cert | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "kyverno.sidecar-injector.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+ annotations:
+ self-signed-cert: "true"
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $cert.Key | b64enc }}
+ tls.crt: {{ $cert.Cert | b64enc }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/deployment.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/deployment.yaml
new file mode 100644
index 00000000..30f92053
--- /dev/null
+++ b/charts/kyverno-envoy-plugin/templates/sidecar-injector/deployment.yaml
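Review bot: `genCA` and `genSignedCert` run at template time, so every `helm upgrade` mints a fresh CA and serving pair and both Secrets are rewritten on each release; anything that pinned the previous CA — a webhook `caBundle` in particular — is stale from that moment until it is updated as well. The usual mitigation is to read the existing `...kyverno-tls-pair` Secret with `lookup` and only fall through to `genCA`/`genSignedCert` when it is absent (noting that `lookup` returns nothing under `helm template` and dry-run, where regeneration is unavoidable). The CA private key is also shipped into the cluster as `tls.key` of the `...kyverno-tls-ca` Secret, although only the CA certificate is needed to trust the leaf; unless the injector re-signs with it at runtime, storing just the certificate limits what a read of that Secret yields. Both certificates are fixed at 1024 days with no renewal path, which values.yaml already documents under `certificates.selfSigned`; a short comment above the `$ca :=` line stating the regeneration-on-upgrade behaviour would save the next reader from rediscovering it.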
@@ -0,0 +1,111 @@
+{{- if .Values.sidecarInjector.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "kyverno.sidecar-injector.name" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+ {{- with .Values.sidecarInjector.deployment.annotations }}
+ annotations:
+ {{- tpl (toYaml .) $ | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ template "kyverno.deployment.replicas" .Values.sidecarInjector.deployment.replicas }}
+ revisionHistoryLimit: {{ .Values.sidecarInjector.deployment.revisionHistoryLimit }}
+ {{- with .Values.sidecarInjector.deployment.updateStrategy }}
+ strategy:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "kyverno.sidecar-injector.labels.match" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "kyverno.sidecar-injector.labels" . | nindent 8 }}
+ {{- with .Values.sidecarInjector.pod.labels }}
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.sidecarInjector.pod.annotations }}
+ annotations: {{ tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.sidecarInjector.pod.imagePullSecrets }}
+ imagePullSecrets:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.sidecarInjector.pod.securityContext }}
+ securityContext:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.sidecarInjector.pod.nodeSelector }}
+ nodeSelector:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.sidecarInjector.pod.tolerations }}
+ tolerations:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.sidecarInjector.pod.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.sidecarInjector.pod.priorityClassName }}
+ priorityClassName: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.sidecarInjector.pod.hostNetwork }}
+ hostNetwork: {{ . }}
+ {{- end }}
+ {{- with .Values.sidecarInjector.pod.dnsPolicy }}
+ dnsPolicy: {{ . }}
+ {{- end }}
+ affinity:
+ {{- with .Values.sidecarInjector.pod.antiAffinity }}
+ podAntiAffinity:
+ {{- tpl (toYaml .) $ | nindent 10 }}
+ {{- end }}
+ {{- with .Values.sidecarInjector.pod.affinity }}
+ podAffinity:
+ {{- tpl (toYaml .) $ | nindent 10 }}
+ {{- end }}
+ {{- with .Values.sidecarInjector.pod.nodeAffinity }}
+ nodeAffinity:
+ {{- tpl (toYaml .) $ | nindent 10 }}
+ {{- end }}
+ serviceAccountName: {{ template "kyverno.sidecar-injector.service-account.name" . }}
+ containers:
+ {{- with .Values.sidecarInjector.containers.injector }}
+ - name: injector
+ image: {{ include "kyverno.sidecar-injector.image" .image }}
+ imagePullPolicy: {{ .image.pullPolicy }}
+ {{- with .resources }}
+ resources:
+ {{- tpl (toYaml .) $ | nindent 12 }}
+ {{- end }}
+ {{- with .securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .startupProbe }}
+ startupProbe:
+ {{- tpl (toYaml .) $ | nindent 12 }}
+ {{- end }}
+ {{- with .livenessProbe }}
+ livenessProbe:
+ {{- tpl (toYaml .) $ | nindent 12 }}
+ {{- end }}
+ {{- with .readinessProbe }}
+ readinessProbe:
+ {{- tpl (toYaml .) $ | nindent 12 }}
+ {{- end }}
+ {{- with .ports }}
+ ports:
+ {{- tpl (toYaml .) $ | nindent 12 }}
+ {{- end }}
+ {{- with .args }}
+ args:
+ {{- tpl (toYaml .) $ | nindent 12 }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/mutating-webhook-configuration.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/mutating-webhook-configuration.yaml
new file mode 100644
index 00000000..61687e4e
--- /dev/null
+++ b/charts/kyverno-envoy-plugin/templates/sidecar-injector/mutating-webhook-configuration.yaml
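Review bot: `replicas: {{ template "kyverno.deployment.replicas" ... }}` calls a named template that none of the helper files in this diff define (_chart.tpl, _labels.tpl, _names.tpl and sidecar-injector/_helpers.tpl contain no such `define`); unless it lives in a file outside this diff, rendering fails with a "no template ... associated with template" error whenever `sidecarInjector.enabled` is true. Either add the helper or inline the default, e.g. `replicas: {{ .Values.sidecarInjector.deployment.replicas | default 1 }}`. Separately, the default `sidecarInjector.pod.antiAffinity` in this diff's values.yaml selects `app.kubernetes.io/component: admission-controller`, but the pods rendered here carry `app.kubernetes.io/component: sidecar-injector` (via `kyverno.labels.component` in sidecar-injector/_helpers.tpl), so the rendered `podAntiAffinity` never matches these pods and replicas can be co-scheduled on one node; the value should read `- sidecar-injector`. As a point of style, the container `securityContext` is emitted with `toYaml .` while every sibling block goes through `tpl (toYaml .) $`; pick one form so readers do not wonder whether templating is deliberately disabled there.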
@@ -0,0 +1,35 @@
+{{- if .Values.sidecarInjector.enabled -}}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: {{ template "kyverno.sidecar-injector.name" . }}
+ labels:
+ {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+webhooks:
+ - name: kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc
+ clientConfig:
+ service:
+ name: {{ template "kyverno.sidecar-injector.name" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+ path: "/mutate"
+ failurePolicy: Fail
+ sideEffects: None
+ admissionReviewVersions:
+ - v1
+ rules:
+ - apiGroups:
+ - ''
+ apiVersions:
+ - v1
+ resources:
+ - pods
+ operations:
+ - CREATE
+ scope: '*'
+ objectSelector:
+ matchExpressions:
+ - key: kyverno-envoy-sidecar/injection
+ operator: In
+ values:
+ - enabled
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/rbac.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/rbac.yaml
new file mode 100644
index 00000000..84635c14
--- /dev/null
+++ b/charts/kyverno-envoy-plugin/templates/sidecar-injector/rbac.yaml
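Review bot: `clientConfig` carries no `caBundle`, and nothing in this diff populates one — the ClusterRole in rbac.yaml grants only `get`/`list` on configmaps, so the injector presumably cannot patch it in at runtime either. With the self-signed serving certificate from certificates.yaml the API server then has no trust anchor for the webhook endpoint, the TLS handshake fails, and because `failurePolicy: Fail` every pod created with `kyverno-envoy-sidecar/injection: enabled` is rejected instead of injected. The CA is a `$ca` local to certificates.yaml, so it cannot be referenced from here directly; it has to be produced once in a shared place (the existing `...kyverno-tls-ca` Secret read with `lookup`, or a single generation point both templates consume) and emitted as `caBundle: {{ $ca.Cert | b64enc }}` under `clientConfig`. If the intent is that an out-of-band component fills `caBundle` in, a comment on the `clientConfig:` line saying so would stop the next reader from re-raising this. `timeoutSeconds` is also left at the API default, which is worth setting explicitly for a `Fail`-policy webhook on the pod-creation path.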
@@ -0,0 +1,45 @@
+{{- if .Values.sidecarInjector.enabled -}}
+{{- if .Values.sidecarInjector.rbac.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "kyverno.sidecar-injector.service-account.name" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+ {{- with .Values.sidecarInjector.rbac.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "kyverno.sidecar-injector.role.name" . }}
+ labels:
+ {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "kyverno.sidecar-injector.role.name" . }}
+ labels:
+ {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "kyverno.sidecar-injector.role.name" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kyverno.sidecar-injector.service-account.name" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/templates/sidecar-injector/service.yaml b/charts/kyverno-envoy-plugin/templates/sidecar-injector/service.yaml
new file mode 100644
index 00000000..fa745d98
--- /dev/null
+++ b/charts/kyverno-envoy-plugin/templates/sidecar-injector/service.yaml
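Review bot: The ClusterRole grants `get` and `list` on configmaps in every namespace, while the only ConfigMap this chart refers to is the CA-certificates one named by `kyverno.sidecar-injector.caCertificatesConfigMapName` in the release namespace. If that is all the injector reads, a namespaced `Role`/`RoleBinding` in `{{ template "kyverno.namespace" . }}`, optionally narrowed with `resourceNames`, is the least-privilege shape; the cluster-wide grant lets a compromised injector read every ConfigMap in the cluster. Conversely, if the injector follows that ConfigMap through an informer it also needs the `watch` verb, which is absent here. Either way, a comment above `rules:` naming what the injector actually reads would make the grant reviewable.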
@@ -0,0 +1,18 @@
+{{- if .Values.sidecarInjector.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "kyverno.sidecar-injector.service-account.name" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - name: https
+ protocol: TCP
+ port: 443
+ targetPort: 8443
+ selector:
+ {{- include "kyverno.sidecar-injector.labels" . | nindent 4 }}
+{{- end -}}
diff --git a/charts/kyverno-envoy-plugin/values.yaml b/charts/kyverno-envoy-plugin/values.yaml
new file mode 100644
index 00000000..192be520
--- /dev/null
+++ b/charts/kyverno-envoy-plugin/values.yaml
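Review bot: `targetPort: 8443` does not match the container: the values.yaml in this diff starts the injector with `--port=9443`, declares `containerPort: 9443` and probes `9443`, so traffic sent through this Service (and therefore by the webhook in mutating-webhook-configuration.yaml) reaches nothing; it should be `targetPort: 9443`, or `targetPort: https` to follow the named container port. The Service is also named with `kyverno.sidecar-injector.service-account.name`, while the webhook's `clientConfig.service.name` and the certificate SAN use `kyverno.sidecar-injector.name`; the two only coincide while `rbac.serviceAccount.name` is unset, and an override silently breaks the webhook, so `name: {{ template "kyverno.sidecar-injector.name" . }}` belongs here (or the unused `kyverno.sidecar-injector.serviceName` helper, applied consistently in all three places). `spec.type` and `port` are hard-coded and `annotations` omitted although values.yaml exposes `sidecarInjector.service.port`, `type`, `nodePort` and `annotations`, so those knobs currently do nothing. Finally, the selector uses the full label set from `kyverno.sidecar-injector.labels`, which includes `helm.sh/chart` and `app.kubernetes.io/version`, whereas the Deployment's `matchLabels` uses `kyverno.sidecar-injector.labels.match`; selecting on the match labels avoids the Service dropping the old pods mid-upgrade when the chart version label changes.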
@@ -0,0 +1,233 @@
+# -- Internal settings used with `helm template` to generate install manifest
+# @ignored
+templating:
+ enabled: false
+ debug: false
+ version: ~
+
+# -- (string) Override the name of the chart
+nameOverride: ~
+
+# -- (string) Override the expanded name of the chart
+fullnameOverride: ~
+
+# -- (string) Override the namespace the chart deploys to
+namespaceOverride: ~
+
+# Sidecar injector configuration
+sidecarInjector:
+
+ # -- Enable sidecar injector
+ enabled: true
+
+ rbac:
+
+ # -- Create RBAC resources
+ create: true
+
+ serviceAccount:
+ # -- The ServiceAccount name
+ name:
+
+ # -- Annotations for the ServiceAccount
+ annotations: {}
+ # example.com/annotation: value
+
+ certificates:
+
+ # -- Create self-signed certificates at deployment time.
+ # The certificates won't be automatically renewed if this is set to `true`.
+ selfSigned: true
+
+ deployment:
+
+ # -- (int) Desired number of pods
+ replicas: ~
+
+ # -- The number of revisions to keep
+ revisionHistoryLimit: 10
+
+ # -- Deployment annotations.
+ annotations: {}
+
+ # -- Deployment update strategy.
+ # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+ # @default -- See [values.yaml](values.yaml)
+ updateStrategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 40%
+ type: RollingUpdate
+
+ pod:
+
+ # -- Additional labels to add to each pod
+ labels: {}
+ # example.com/label: foo
+
+ # -- Additional annotations to add to each pod
+ annotations: {}
+ # example.com/annotation: foo
+
+ # -- Image pull secrets
+ imagePullSecrets: []
+ # - secretName
+
+ # -- Security context
+ securityContext: {}
+
+ # -- Node labels for pod assignment
+ nodeSelector: {}
+
+ # -- List of node taints to tolerate
+ tolerations: []
+
+ # -- Topology spread constraints.
+ topologySpreadConstraints: []
+
+ # -- Optional priority class
+ priorityClassName: ''
+
+ # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
+ # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
+ # Update the `dnsPolicy` accordingly as well to suit the host network mode.
+ hostNetwork: false
+
+ # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
+ # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
+ # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
+ dnsPolicy: ClusterFirst
+
+ # -- Pod anti affinity constraints.
+ # @default -- See [values.yaml](values.yaml)
+ antiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - admission-controller
+ topologyKey: kubernetes.io/hostname
+
+ # -- Pod affinity constraints.
+ affinity: {}
+
+ # -- Node affinity constraints.
+ nodeAffinity: {}
+
+ containers:
+ injector:
+
+ image:
+
+ # -- Image registry
+ registry: ghcr.io
+
+ # -- Image repository
+ repository: kyverno/kyverno-envoy-plugin
+
+ # -- (string) Image tag
+ # Defaults to appVersion in Chart.yaml if omitted
+ tag: ~
+
+ # -- Image pull policy
+ pullPolicy: IfNotPresent
+
+ resources:
+
+ # -- Pod resource limits
+ limits:
+ memory: 384Mi
+
+ # -- Pod resource requests
+ requests:
+ cpu: 100m
+ memory: 128Mi
+
+ # -- Container security context
+ securityContext:
+ runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+
+ # -- Startup probe.
+ # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
+ # @default -- See [values.yaml](values.yaml)
+ startupProbe:
+ httpGet:
+ path: /health/liveness
+ port: 9443
+ scheme: HTTPS
+ failureThreshold: 20
+ initialDelaySeconds: 2
+ periodSeconds: 6
+
+ # -- Liveness probe.
+ # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
+ # @default -- See [values.yaml](values.yaml)
+ livenessProbe:
+ httpGet:
+ path: /health/liveness
+ port: 9443
+ scheme: HTTPS
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ timeoutSeconds: 5
+ failureThreshold: 2
+ successThreshold: 1
+
+ # -- Readiness Probe.
+ # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
+ # @default -- See [values.yaml](values.yaml)
+ readinessProbe:
+ httpGet:
+ path: /health/readiness
+ port: 9443
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+
+ # -- Container ports.
+ ports:
+ - containerPort: 9443
+ name: https
+ protocol: TCP
+
+ # -- Container args.
+ args:
+ - sidecar-injector
+ - --port=9443
+
+ service:
+
+ # -- Service port.
+ port: 443
+
+ # -- Service type.
+ type: ClusterIP
+
+ # -- Service node port.
+ # Only used if `type` is `NodePort`.
+ nodePort:
+
+ # -- Service annotations.
+ annotations: {}
+
+ webhook:
+
+ pdb: