77 lines
3.5 KiB
YAML
77 lines
3.5 KiB
YAML
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: {{ include "ingress-nginx.fullname" . }}-admission-create
|
|
namespace: {{ .Release.Namespace }}
|
|
annotations:
|
|
"helm.sh/hook": pre-install,pre-upgrade
|
|
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
|
{{- with .Values.controller.admissionWebhooks.annotations }}
|
|
{{- toYaml . | nindent 4 }}
|
|
{{- end }}
|
|
labels:
|
|
{{- include "ingress-nginx.labels" . | nindent 4 }}
|
|
app.kubernetes.io/component: admission-webhook
|
|
{{- with .Values.controller.admissionWebhooks.patch.labels }}
|
|
{{- toYaml . | nindent 4 }}
|
|
{{- end }}
|
|
spec:
|
|
{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
|
|
# Alpha feature since k8s 1.12
|
|
ttlSecondsAfterFinished: 0
|
|
{{- end }}
|
|
template:
|
|
metadata:
|
|
name: {{ include "ingress-nginx.fullname" . }}-admission-create
|
|
{{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
|
|
annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
|
|
{{- end }}
|
|
labels:
|
|
{{- include "ingress-nginx.labels" . | nindent 8 }}
|
|
app.kubernetes.io/component: admission-webhook
|
|
{{- with .Values.controller.admissionWebhooks.patch.labels }}
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
spec:
|
|
{{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
|
|
priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
|
|
{{- end }}
|
|
{{- if .Values.imagePullSecrets }}
|
|
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
|
|
{{- end }}
|
|
containers:
|
|
- name: create
|
|
{{- with .Values.controller.admissionWebhooks.patch.image }}
|
|
image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
|
|
{{- end }}
|
|
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
|
|
args:
|
|
- create
|
|
- --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc
|
|
- --namespace=$(POD_NAMESPACE)
|
|
- --secret-name={{ include "ingress-nginx.fullname" . }}-admission
|
|
env:
|
|
- name: POD_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
{{- if .Values.controller.admissionWebhooks.createSecretJob.resources }}
|
|
resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
|
|
{{- end }}
|
|
restartPolicy: OnFailure
|
|
serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
|
|
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
|
|
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.controller.admissionWebhooks.patch.tolerations }}
|
|
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
|
|
{{- end }}
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
|
|
fsGroup: {{ .Values.controller.admissionWebhooks.patch.fsGroup }}
|
|
{{- end }}
|