karmada/charts/karmada/templates/karmada-aggregated-apiserver.yaml

{{- if eq .Values.installMode "host" }}
{{- $name := include "karmada.name" . -}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ $name }}-aggregated-apiserver
  namespace: {{ include "karmada.namespace" . }}
  labels:
    {{- include "karmada.aggregatedApiServer.labels" . | nindent 4 }}
spec:
  selector:
    matchLabels:
      {{- include "karmada.aggregatedApiServer.labels" . | nindent 6 }}
  replicas: {{ .Values.aggregatedApiServer.replicaCount }}
  {{- with .Values.aggregatedApiServer.strategy }}
  strategy:
  {{- toYaml . | nindent 4 }}
  {{- end }}
  template:
    metadata:
      {{- with .Values.aggregatedApiServer.podAnnotations }}
      annotations:
      {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "karmada.aggregatedApiServer.labels" . | nindent 8 }}
        {{- include "karmada.aggregatedApiServer.podLabels" . | nindent 8 }}
    spec:
      {{- include "karmada.aggregatedApiServer.imagePullSecrets" . | nindent 6 }}
      automountServiceAccountToken: false
      initContainers:
        {{- include "karmada.initContainer.waitStaticResource" . | nindent 8 }}
      containers:
        - name: {{ $name }}-aggregated-apiserver
          image: {{ template "karmada.aggregatedApiServer.image" . }}
          imagePullPolicy: {{ .Values.aggregatedApiServer.image.pullPolicy }}
          volumeMounts:
            {{- include "karmada.kubeconfig.volumeMount" . | nindent 12 }}
            - name: etcd-cert
              mountPath: /etc/etcd/pki
              readOnly: true
            - name: apiserver-cert
              mountPath: /etc/kubernetes/pki
              readOnly: true
          command:
            - /bin/karmada-aggregated-apiserver
            - --kubeconfig=/etc/kubeconfig
            - --authentication-kubeconfig=/etc/kubeconfig
            - --authorization-kubeconfig=/etc/kubeconfig
            {{- if eq .Values.etcd.mode "external" }}
            - --etcd-cafile=/etc/etcd/pki/ca.crt
            - --etcd-certfile=/etc/etcd/pki/tls.crt
            - --etcd-keyfile=/etc/etcd/pki/tls.key
            - --etcd-servers={{ .Values.etcd.external.servers }}
            - --etcd-prefix={{ .Values.etcd.external.registryPrefix }}
            {{- end }}
            {{- if eq .Values.etcd.mode "internal" }}
            - --etcd-cafile=/etc/etcd/pki/server-ca.crt
            - --etcd-certfile=/etc/etcd/pki/karmada.crt
            - --etcd-keyfile=/etc/etcd/pki/karmada.key
            - --etcd-servers=https://etcd-client.{{ include "karmada.namespace" . }}.svc.{{ .Values.clusterDomain }}:2379
            {{- end }}
            - --tls-cert-file=/etc/kubernetes/pki/karmada.crt
            - --tls-private-key-file=/etc/kubernetes/pki/karmada.key
            - --audit-log-path=-
            - --audit-log-maxage=0
            - --audit-log-maxbackup=0
            - --tls-min-version=VersionTLS13
          resources:
            {{- toYaml .Values.aggregatedApiServer.resources | nindent 12 }}
          readinessProbe:
            httpGet:
              path: /readyz
              port: 443
              scheme: HTTPS
            initialDelaySeconds: 1
            periodSeconds: 3
            timeoutSeconds: 15
          livenessProbe:
            httpGet:
              path: /healthz
              port: 443
              scheme: HTTPS
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 15
      {{- with .Values.aggregatedApiServer.nodeSelector }}
      nodeSelector:
      {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.aggregatedApiServer.affinity }}
      affinity:
      {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.aggregatedApiServer.tolerations }}
      tolerations:
      {{- toYaml . | nindent 8 }}
      {{- end }}
      priorityClassName: {{ .Values.aggregatedApiServer.priorityClassName }}
      volumes:
        {{- include "karmada.kubeconfig.volume" . | nindent 8 }}
        - name: apiserver-cert
          secret:
            secretName: {{ $name }}-cert
        - name: etcd-cert
          secret:
          {{- if eq .Values.etcd.mode "internal" }}
            secretName: {{ $name }}-cert
          {{- end }}
          {{- if eq .Values.etcd.mode "external" }}
            secretName: {{ $name }}-external-etcd-cert
          {{- end }}
---
apiVersion: v1
kind: Service
metadata:
  name: {{ $name }}-aggregated-apiserver
  namespace: {{ include "karmada.namespace" . }}
  labels:
    {{- include "karmada.aggregatedApiServer.labels" . | nindent 4 }}
spec:
  ports:
    - port: 443
      protocol: TCP
      targetPort: 443
  selector:
    {{- include "karmada.aggregatedApiServer.labels" . | nindent 4 }}

{{ if and .Values.aggregatedApiServer .Values.aggregatedApiServer.podDisruptionBudget }}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: {{ $name }}-aggregated-apiserver
  namespace: {{ include "karmada.namespace" . }}
  labels:
    {{- include "karmada.aggregatedApiServer.labels" . | nindent 4 }}
spec:
  selector:
    matchLabels:
      {{- include "karmada.aggregatedApiServer.labels" . | nindent 6 }}
  {{ toYaml .Values.aggregatedApiServer.podDisruptionBudget | nindent 2 }}
{{- end -}}

{{- end }}