kyverno/charts/kyverno/templates/deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ template "kyverno.fullname" . }}
  labels: {{ include "kyverno.labels" . | nindent 4 }}
    app: kyverno
  namespace: {{ template "kyverno.namespace" . }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}
  {{- if .Values.updateStrategy }}
  strategy:
    {{ toYaml .Values.updateStrategy | nindent 4 | trim }}
  {{- end }}
  template:
    metadata:
      labels: {{ include "kyverno.labels" . | nindent 8 }}
        app: kyverno
        {{- range $key, $value := .Values.podLabels }}
        {{ $key }}: {{ $value }}
        {{- end }}
      {{- with .Values.podAnnotations }}
      annotations: {{ tpl (toYaml .) $ | nindent 8 }}
      {{- end }}
    spec:
      {{- with .Values.image.pullSecrets }}
      imagePullSecrets: {{ tpl (toYaml .) $ | nindent 8 }}
      {{- end }}
      {{- with .Values.podSecurityContext }}
      securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
      {{- end }}
      {{- if or .Values.antiAffinity.enable .Values.podAffinity .Values.nodeAffinity }}
      affinity:
        {{- if and .Values.antiAffinity.enable .Values.podAntiAffinity }}
        podAntiAffinity:
          {{- toYaml .Values.podAntiAffinity | nindent 10 }}
        {{- end }}
        {{- if .Values.podAffinity }}
        podAffinity:
          {{- toYaml .Values.podAffinity | nindent 10 }}
        {{- end }}
        {{- if .Values.nodeAffinity }}
        nodeAffinity:
          {{- toYaml .Values.nodeAffinity | nindent 10 }}
        {{- end }}
      {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector: {{ tpl (toYaml .) $ | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations: {{ tpl (toYaml .) $ | nindent 8 }}
      {{- end }}
      {{- with .Values.topologySpreadConstraints }}
      topologySpreadConstraints: {{ tpl (toYaml .) $ | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ template "kyverno.serviceAccountName" . }}
      {{- if .Values.priorityClassName }}
      priorityClassName: {{ .Values.priorityClassName | quote }}
      {{- end }}
      {{- if .Values.hostNetwork }}
      hostNetwork: {{ .Values.hostNetwork }}
      {{- end }}
      {{- if .Values.dnsPolicy }}
      dnsPolicy: {{ .Values.dnsPolicy }}
      {{- end }}
      initContainers:
        - name: kyverno-pre
          image: {{ .Values.initImage.repository }}:{{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }}
          imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }}
          {{- with .Values.initResources }}
          resources: {{ tpl (toYaml .) $ | nindent 12 }}
          {{- end }}
          {{- if .Values.securityContext }}
          securityContext: {{ include "kyverno.securityContext" . | nindent 12 }}
          {{- end }}
          env:
          - name: METRICS_CONFIG
            value: {{ template "kyverno.metricsConfigMapName" . }}
          - name: KYVERNO_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: KYVERNO_DEPLOYMENT
            value: {{ template "kyverno.fullname" . }}
          {{- with .Values.envVarsInit }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
      containers:
        - name: kyverno
          image: {{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          {{- if or .Values.extraArgs .Values.imagePullSecrets }}
          args:
            {{- if .Values.extraArgs -}}
              {{ tpl (toYaml .Values.extraArgs) . | nindent 12 }}
            {{- end }}
            {{- if .Values.imagePullSecrets }}
            - --imagePullSecrets={{ keys .Values.imagePullSecrets | join "," }}
            {{- end }}
          {{- end }}
          {{- with .Values.resources }}
          resources: {{ tpl (toYaml .) $ | nindent 12 }}
          {{- end }}
          {{- if .Values.securityContext }}
          securityContext: {{ include "kyverno.securityContext" . | nindent 12 }}
          {{- end }}
          ports:
          - containerPort: 9443
            name: https
            protocol: TCP
          - containerPort: 8000
            name: metrics-port
            protocol: TCP
          env:
          - name: INIT_CONFIG
            value: {{ template "kyverno.configMapName" . }}
          - name: METRICS_CONFIG
            value: {{ template "kyverno.metricsConfigMapName" . }}
          - name: KYVERNO_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: KYVERNO_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: KYVERNO_SVC
            value: {{ template "kyverno.serviceName" . }}
          - name: TUF_ROOT
            value: {{ .Values.tufRootMountPath }}
          {{- with .Values.envVars }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          - name: KYVERNO_DEPLOYMENT
            value: {{ template "kyverno.fullname" . }}
        {{- with .Values.livenessProbe }}
          livenessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
        {{- end }}
        {{- with .Values.readinessProbe }}
          readinessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
        {{- end }}
          volumeMounts:
            - mountPath: {{ .Values.tufRootMountPath }}
              name: sigstore
      volumes:
      - name: sigstore
        emptyDir: {}