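{{- if .Values.operator.enabled -}}
# Operator Deployment plus its ServiceAccount, Role and RoleBinding.
# All four documents are rendered only when operator.enabled is set.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "gitdata.fullname" . }}-operator
  namespace: {{ include "gitdata.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "gitdata.fullname" . }}-operator
    # Label values must be strings. Quoting keeps number-looking release
    # names and app versions (for example 1.10) from being retyped by YAML.
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "gitdata.fullname" . }}-operator
      app.kubernetes.io/instance: {{ .Release.Name | quote }}
  template:
    metadata:
      labels:
        app.kubernetes.io/name: {{ include "gitdata.fullname" . }}-operator
        app.kubernetes.io/instance: {{ .Release.Name | quote }}
    spec:
      # The pod runs as the ServiceAccount bound to the Role defined below.
      serviceAccountName: {{ include "gitdata.fullname" . }}-operator
      terminationGracePeriodSeconds: 10
      volumes:
        # Writable scratch space; the root filesystem is mounted read-only.
        - name: tmp
          emptyDir: {}
      containers:
        - name: operator
          # NOTE(review): the image is referenced by tag only, and this
          # template has no way to pin it by digest.
          image: "{{ .Values.image.registry }}/{{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag }}"
          imagePullPolicy: {{ .Values.operator.image.pullPolicy | default .Values.image.pullPolicy }}
          # Every key of this Secret becomes an environment variable of the
          # operator process, so keep the Secret limited to what it needs.
          envFrom:
            - secretRef:
                name: {{ include "gitdata.fullname" . }}-secrets
          env:
            - name: OPERATOR_IMAGE_PREFIX
              value: {{ .Values.operator.imagePrefix | default (printf "%s/" (include "gitdata.fullname" .)) | quote }}
            - name: OPERATOR_LOG_LEVEL
              value: {{ .Values.operator.logLevel | default "info" | quote }}
            # Downward API: exposes the pod's own namespace to the operator.
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: tmp
              mountPath: /tmp
          # NOTE(review): runAsNonRoot and seccompProfile are not set here.
          # The user the image runs as is not visible from this template;
          # confirm it before tightening the context further.
          # NOTE(review): no resources requests or limits are set for this
          # container.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
      {{- with .Values.operator.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.operator.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.operator.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "gitdata.fullname" . }}-operator
  namespace: {{ include "gitdata.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "gitdata.fullname" . }}-operator
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
---
# Namespaced Role: every rule below applies only inside the chart namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "gitdata.fullname" . }}-operator
  namespace: {{ include "gitdata.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "gitdata.fullname" . }}-operator
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
rules:
  # Custom resources in the code.dev group.
  - apiGroups: ["code.dev"]
    resources: ["apps", "gitservers", "emailworkers", "githooks", "migrates"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Status subresources of the same custom resources; no create or delete.
  - apiGroups: ["code.dev"]
    resources: ["apps/status", "gitservers/status", "emailworkers/status", "githooks/status", "migrates/status"]
    verbs: ["get", "patch", "update"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # NOTE(review): this rule covers every Secret in the namespace, not only
  # Secrets the operator creates. Together with write access to Deployments
  # and Jobs, treat the operator ServiceAccount as having full control of
  # workloads and credentials in this namespace. Audit its use accordingly.
  - apiGroups: [""]
    resources: ["services", "persistentvolumeclaims", "configmaps", "secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
---
# Binds the Role above to the operator ServiceAccount in the same namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "gitdata.fullname" . }}-operator
  namespace: {{ include "gitdata.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "gitdata.fullname" . }}-operator
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
subjects:
  - kind: ServiceAccount
    name: {{ include "gitdata.fullname" . }}-operator
    namespace: {{ include "gitdata.namespace" . }}
roleRef:
  kind: Role
  name: {{ include "gitdata.fullname" . }}-operator
  apiGroup: rbac.authorization.k8s.io
{{- end }}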