{{- if not .Values.templating.debug -}} apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "kyverno.fullname" . }} namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} spec: replicas: {{ template "kyverno.deployment.replicas" .Values.admissionController.replicas }} {{- with .Values.admissionController.updateStrategy }} strategy: {{- toYaml . | nindent 4 }} {{- end }} selector: matchLabels: {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} template: metadata: labels: {{- include "kyverno.admission-controller.labels" . | nindent 8 }} {{- range $key, $value := .Values.podLabels }} {{ $key }}: {{ $value }} {{- end }} {{- with .Values.podAnnotations }} annotations: {{ tpl (toYaml .) $ | nindent 8 }} {{- end }} spec: {{- with .Values.image.pullSecrets }} imagePullSecrets: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} {{- with .Values.podSecurityContext }} securityContext: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} {{- with .Values.admissionController.nodeSelector }} nodeSelector: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} {{- with .Values.admissionController.tolerations }} tolerations: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} {{- with .Values.admissionController.topologySpreadConstraints }} topologySpreadConstraints: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} {{- with .Values.admissionController.priorityClassName }} priorityClassName: {{ . | quote }} {{- end }} {{- with .Values.admissionController.hostNetwork }} hostNetwork: {{ . }} {{- end }} {{- with .Values.admissionController.dnsPolicy }} dnsPolicy: {{ . }} {{- end }} {{- if or .Values.antiAffinity.enable .Values.podAffinity .Values.nodeAffinity }} affinity: {{- if .Values.antiAffinity.enable }} {{- with .Values.podAntiAffinity }} podAntiAffinity: {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} {{- end }} {{- with .Values.podAffinity }} podAffinity: {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} {{- with .Values.nodeAffinity }} nodeAffinity: {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} {{- end }} serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }} initContainers: {{- if .Values.extraInitContainers }} {{- toYaml .Values.extraInitContainers | nindent 8 }} {{- end }} - name: kyverno-pre image: {{ include "kyverno.image" (dict "image" .Values.initImage "defaultTag" (default .Chart.AppVersion .Values.image.tag)) | quote }} imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }} {{- if .Values.initContainer.extraArgs }} args: {{- tpl (toYaml .Values.initContainer.extraArgs) . | nindent 12 }} {{- end }} {{- with .Values.initResources }} resources: {{ tpl (toYaml .) $ | nindent 12 }} {{- end }} {{- with .Values.securityContext }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} env: - name: METRICS_CONFIG value: {{ template "kyverno.config.metricsConfigMapName" . }} - name: KYVERNO_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: KYVERNO_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: KYVERNO_DEPLOYMENT value: {{ template "kyverno.fullname" . }} {{- with .Values.envVarsInit }} {{- toYaml . | nindent 10 }} {{- end }} containers: {{- if .Values.extraContainers }} {{- toYaml .Values.extraContainers | nindent 8 }} {{- end }} - name: kyverno image: {{ include "kyverno.image" (dict "image" .Values.image "defaultTag" .Chart.AppVersion) | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- if or .Values.extraArgs .Values.imagePullSecrets }} args: - --servicePort={{ .Values.service.port }} {{- if .Values.extraArgs -}} {{ tpl (toYaml .Values.extraArgs) . | nindent 12 }} {{- end }} {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} {{- end }} {{- end }} {{- with .Values.resources }} resources: {{ tpl (toYaml .) $ | nindent 12 }} {{- end }} {{- with .Values.securityContext }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} ports: - containerPort: 9443 name: https protocol: TCP - containerPort: 8000 name: metrics-port protocol: TCP env: - name: INIT_CONFIG value: {{ template "kyverno.config.configMapName" . }} - name: METRICS_CONFIG value: {{ template "kyverno.config.metricsConfigMapName" . }} - name: KYVERNO_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: KYVERNO_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: KYVERNO_SERVICEACCOUNT_NAME value: {{ template "kyverno.admission-controller.serviceAccountName" . }} - name: KYVERNO_SVC value: {{ template "kyverno.admission-controller.serviceName" . }} - name: TUF_ROOT value: {{ .Values.tufRootMountPath }} {{- with .Values.envVars }} {{- toYaml . | nindent 10 }} {{- end }} - name: KYVERNO_DEPLOYMENT value: {{ template "kyverno.fullname" . }} {{- with .Values.startupProbe }} startupProbe: {{ tpl (toYaml .) $ | nindent 12 }} {{- end }} {{- with .Values.livenessProbe }} livenessProbe: {{ tpl (toYaml .) $ | nindent 12 }} {{- end }} {{- with .Values.readinessProbe }} readinessProbe: {{ tpl (toYaml .) $ | nindent 12 }} {{- end }} volumeMounts: - mountPath: {{ .Values.tufRootMountPath }} name: sigstore - mountPath: /var/run/secrets/tokens name: api-token volumes: - name: sigstore {{- toYaml (required "A valid .Values.sigstoreVolume entry is required" .Values.sigstoreVolume) | nindent 8 }} - name: api-token projected: sources: - serviceAccountToken: path: api-token expirationSeconds: 600 audience: kyverno-extension {{- end -}}