charts/proxy/templates/install.yaml - helm-charts - Gitiles

 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ .Values.name }}
   namespace: {{ .Release.Namespace }}
 data:
   nginx.conf: |
     {{ .Values.config | nindent 4 }}
 ---
 {{- if .Values.vpn.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ .Values.name }}-vpn-pre-auth-key
   namespace: {{ .Release.Namespace }}
 stringData:
   TS_AUTHKEY: {{ .Values.vpn.preAuthKey }}
 {{- end }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ .Values.name }}
   namespace: {{ .Release.Namespace }}
 spec:
   selector:
     matchLabels:
       app: proxy
   replicas: 1
   template:
     metadata:
       labels:
         app: proxy
     spec:
       serviceAccountName: {{ .Values.name }}-proxy
       volumes:
       - name: config
         configMap:
           name: {{ .Values.name }}
       containers:
       - name: proxy
         image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         ports:
           {{- range .Values.ports }}
           - name: {{ .name }}
             containerPort: {{ .value }}
             protocol: {{ .protocol }}
           {{- end }}
         volumeMounts:
         - name: config
           mountPath: /etc/nginx
       {{- if .Values.vpn.enabled }}
       - name: tailscale
         image: {{ .Values.vpn.image.repository }}:{{ .Values.vpn.image.tag }}
         imagePullPolicy: {{ .Values.vpn.image.pullPolicy }}
         securityContext:
           privileged: true
           capabilities:
             add:
             - NET_ADMIN
         env:
         - name: TS_KUBE_SECRET
           value: {{ .Values.name }}-vpn-pre-auth-key
         - name: TS_HOSTNAME
           value: {{ .Values.vpn.hostname }}
         - name: TS_EXTRA_ARGS
           value: --login-server={{ .Values.vpn.loginServer }}
       {{- end }}
 ---
 apiVersion: v1
 kind: Service
 metadata:
   name: {{ .Values.name }}
   namespace: {{ .Release.Namespace }}
 spec:
   type: ClusterIP
   selector:
     app: proxy
   ports:
     {{- range .Values.ports }}
     - name: {{ .name }}
       port: {{ .value }}
       targetPort: {{ .name }}
       protocol: {{ .protocol }}
     {{- end }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ .Values.name }}-proxy
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ .Values.name }}-proxy
   namespace: {{ .Release.Namespace }}
 rules:
 - apiGroups: [""] # "" indicates the core API group
   resources: ["secrets"]
   # Create can not be restricted to a resource name.
   verbs: ["create"]
 - apiGroups: [""] # "" indicates the core API group
   resourceNames: ["{{ .Values.name }}-vpn-pre-auth-key"]
   resources: ["secrets"]
   verbs: ["get", "update", "patch"]
 - apiGroups: [""] # "" indicates the core API group
   resources: ["events"]
   verbs: ["get", "create", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ .Values.name }}-proxy
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.name }}-proxy
 roleRef:
   kind: Role
   name: {{ .Values.name }}-proxy
   apiGroup: rbac.authorization.k8s.io
	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: {{ .Values.name }}
	namespace: {{ .Release.Namespace }}
	data:
	nginx.conf: \|
	{{ .Values.config \| nindent 4 }}
	---
	{{- if .Values.vpn.enabled }}
	apiVersion: v1
	kind: Secret
	metadata:
	name: {{ .Values.name }}-vpn-pre-auth-key
	namespace: {{ .Release.Namespace }}
	stringData:
	TS_AUTHKEY: {{ .Values.vpn.preAuthKey }}
	{{- end }}
	---
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: {{ .Values.name }}
	namespace: {{ .Release.Namespace }}
	spec:
	selector:
	matchLabels:
	app: proxy
	replicas: 1
	template:
	metadata:
	labels:
	app: proxy
	spec:
	serviceAccountName: {{ .Values.name }}-proxy
	volumes:
	- name: config
	configMap:
	name: {{ .Values.name }}
	containers:
	- name: proxy
	image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
	imagePullPolicy: {{ .Values.image.pullPolicy }}
	ports:
	{{- range .Values.ports }}
	- name: {{ .name }}
	containerPort: {{ .value }}
	protocol: {{ .protocol }}
	{{- end }}
	volumeMounts:
	- name: config
	mountPath: /etc/nginx
	{{- if .Values.vpn.enabled }}
	- name: tailscale
	image: {{ .Values.vpn.image.repository }}:{{ .Values.vpn.image.tag }}
	imagePullPolicy: {{ .Values.vpn.image.pullPolicy }}
	securityContext:
	privileged: true
	capabilities:
	add:
	- NET_ADMIN
	env:
	- name: TS_KUBE_SECRET
	value: {{ .Values.name }}-vpn-pre-auth-key
	- name: TS_HOSTNAME
	value: {{ .Values.vpn.hostname }}
	- name: TS_EXTRA_ARGS
	value: --login-server={{ .Values.vpn.loginServer }}
	{{- end }}
	---
	apiVersion: v1
	kind: Service
	metadata:
	name: {{ .Values.name }}
	namespace: {{ .Release.Namespace }}
	spec:
	type: ClusterIP
	selector:
	app: proxy
	ports:
	{{- range .Values.ports }}
	- name: {{ .name }}
	port: {{ .value }}
	targetPort: {{ .name }}
	protocol: {{ .protocol }}
	{{- end }}
	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: {{ .Values.name }}-proxy
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: Role
	metadata:
	name: {{ .Values.name }}-proxy
	namespace: {{ .Release.Namespace }}
	rules:
	- apiGroups: [""] # "" indicates the core API group
	resources: ["secrets"]
	# Create can not be restricted to a resource name.
	verbs: ["create"]
	- apiGroups: [""] # "" indicates the core API group
	resourceNames: ["{{ .Values.name }}-vpn-pre-auth-key"]
	resources: ["secrets"]
	verbs: ["get", "update", "patch"]
	- apiGroups: [""] # "" indicates the core API group
	resources: ["events"]
	verbs: ["get", "create", "patch"]
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: RoleBinding
	metadata:
	name: {{ .Values.name }}-proxy
	subjects:
	- kind: ServiceAccount
	name: {{ .Values.name }}-proxy
	roleRef:
	kind: Role
	name: {{ .Values.name }}-proxy
	apiGroup: rbac.authorization.k8s.io