kubesphere/config/ks-core/templates/ks-apiserver.yaml

{{ if eq (include "multicluster.role" .) "host" }}
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ks-apiserver
    version: {{ .Chart.AppVersion }}
  name: ks-apiserver
spec:
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  replicas: {{ if .Values.ha.enabled }} 3 {{ else }} 1 {{ end }}
  selector:
    matchLabels:
      app: ks-apiserver
      tier: backend
  template:
    metadata:
      labels:
        app: ks-apiserver
        tier: backend
      annotations:
        # force restart ks-apiserver after the upgrade is complete if kubesphere-config changes
        checksum/config: {{ include (print $.Template.BasePath "/kubesphere-config.yaml") . | sha256sum }}
    spec:
      serviceAccountName: {{ template "ks-core.serviceAccountName" . }}
      {{- if .Values.global.imagePullSecrets }}
      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
      {{- end }}
      affinity:
      {{- with .Values.affinity }}
        {{- toYaml . | nindent 8 }}
      {{- end }}
        podAntiAffinity:
        {{- if .Values.apiserver.hardAntiAffinity }}
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: ks-apiserver
              topologyKey: kubernetes.io/hostname
              namespaces:
                - {{ .Release.Namespace | quote }}
        {{- else }}
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app: ks-apiserver
                topologyKey: kubernetes.io/hostname
                namespaces:
                  - {{ .Release.Namespace | quote }}
        {{- end }}
      {{- if .Values.nodeSelector }}
      nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
      {{- end }}
      {{- if .Values.tolerations }}
      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
      {{- end }}
      containers:
        - name: ks-apiserver
          image: {{ template "apiserver.image" . }}
          imagePullPolicy: {{ .Values.apiserver.image.pullPolicy }}
          {{- if .Values.apiserver.containerPorts }}
          ports: {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.containerPorts "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.apiserver.command }}
          command: {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.command "context" $) | nindent 12 }}
            {{- if .Values.internalTLS }}
            - --secure-port=9090
            - --tls-private-key=/etc/kubesphere/pki/tls.key
            - --tls-cert-file=/etc/kubesphere/pki/tls.crt
            {{- end }}
          {{- end }}
          env:
            {{- if .Values.apiserver.extraEnvVars }}
            {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.extraEnvVars "context" $) | nindent 12 }}
            {{- end }}
          {{- if .Values.apiserver.resources }}
          resources: {{- toYaml .Values.apiserver.resources | nindent 12 }}
          {{- end }}
          livenessProbe:
            failureThreshold: 8
            httpGet:
              path: /livez
              port: 9090
            {{- if .Values.internalTLS }}
              scheme: HTTPS
            {{- else }}
              scheme: HTTP
            {{- end }}
            initialDelaySeconds: 15
            timeoutSeconds: 15
          volumeMounts:
            - mountPath: /etc/kubesphere/
              name: kubesphere-config
            - mountPath: /etc/localtime
              name: host-time
              readOnly: true
          {{- if .Values.apiserver.extraVolumeMounts }}
          {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.extraVolumeMounts "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.internalTLS }}
            - name: tls-cert
              mountPath: /etc/kubesphere/pki/
          {{- end }}
          {{- if .Values.ha.enabled }}
          env:
            - name: KUBESPHERE_CACHE_OPTIONS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: redis-secret
                  key: auth
          {{- end }}
      volumes:
        - configMap:
            defaultMode: 420
            name: kubesphere-config
          name: kubesphere-config
        - hostPath:
            path: /etc/localtime
            type: ""
          name: host-time
        {{- if .Values.apiserver.extraVolumes }}
        {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.extraVolumes "context" $) | nindent 8 }}
        {{- end }}
        {{- if .Values.internalTLS }}
        - name: tls-cert
          secret:
            secretName: ks-apiserver-tls-certs
            defaultMode: 420
        {{- end }}
{{ end }}