managed-cluster-validating-webhooks/templates/20-validation-webhook.deployment.yaml.tmpl at acaf507943832528a117268ea4cf6ba0ac03a61e · openshift/managed-cluster-validating-webhooks · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: "#SVCNAME#"
    deployment: "#SVCNAME#"
  name: "#SVCNAME#"
  namespace: "#NAMESPACE#"
spec:
  replicas: 3
  template:
    metadata:
      labels:
        app: "#SVCNAME#"
    spec:
      serviceAccountName: "#SANAME#"
      initContainers:
      - image: "#IMG#:#IMAGETAG#"
        name: inject-cert
        command:
        - python
        - /app/init.py
        - -a
        - "#VWC_ANNOTATION#"
      containers:
      - image: "#IMG#:#IMAGETAG#"
        imagePullPolicy: Always
        env:
        - name: SUBSCRIPTION_VALIDATION_NAMESPACES
          value: "openshift-operators"
        - name: GROUP_VALIDATION_ADMIN_GROUP
          value: "osd-sre-admins,osd-sre-cluster-admins"
        - name: GROUP_VALIDATION_PREFIX
          value: "osd-sre-"
        command:
        - gunicorn
        - --config
        - /app/gunicorn.py
        - --ca-certs
        - /service-ca/service-ca.crt
        - --keyfile
        - /service-certs/tls.key
        - --certfile
        - /service-certs/tls.crt
        - --access-logfile
        - "-"
        - webhook:app
        name: validation-webhook
        ports:
        - containerPort: 5000
        volumeMounts:
        - name: service-certs
          mountPath: /service-certs
          readOnly: true
        - name: service-ca
          mountPath: /service-ca
          readOnly: true
      restartPolicy: Always
      volumes:
        - name: service-certs
          secret:
            secretName: "#CABUNDLECONFIGMAP#"
        - name: service-ca
          configMap:
            name: "#CABUNDLECONFIGMAP#"