179 lines
7.5 KiB
YAML
179 lines
7.5 KiB
YAML
|
{{- $manualHTTPS := and .Values.proxy.https.enabled (eq .Values.proxy.https.type "manual") -}}
|
||
|
|
{{- $manualHTTPSwithsecret := and .Values.proxy.https.enabled (eq .Values.proxy.https.type "secret") -}}
|
||
|
|
apiVersion: apps/v1
|
||
|
|
kind: Deployment
|
||
|
|
metadata:
|
||
|
|
name: {{ include "jupyterhub.proxy.fullname" . }}
|
||
|
|
labels:
|
||
|
|
{{- include "jupyterhub.labels" . | nindent 4 }}
|
||
|
|
spec:
|
||
|
|
{{- if typeIs "int" .Values.proxy.chp.revisionHistoryLimit }}
|
||
|
|
revisionHistoryLimit: {{ .Values.proxy.chp.revisionHistoryLimit }}
|
||
|
|
{{- end }}
|
||
|
|
replicas: 1
|
||
|
|
selector:
|
||
|
|
matchLabels:
|
||
|
|
{{- include "jupyterhub.matchLabels" . | nindent 6 }}
|
||
|
|
strategy:
|
||
|
|
{{- .Values.proxy.deploymentStrategy | toYaml | nindent 4 }}
|
||
|
|
template:
|
||
|
|
metadata:
|
||
|
|
labels:
|
||
|
|
{{- /* Changes here will cause the Deployment to restart the pods. */}}
|
||
|
|
{{- include "jupyterhub.matchLabels" . | nindent 8 }}
|
||
|
|
hub.jupyter.org/network-access-hub: "true"
|
||
|
|
hub.jupyter.org/network-access-singleuser: "true"
|
||
|
|
{{- with .Values.proxy.labels }}
|
||
|
|
{{- . | toYaml | nindent 8 }}
|
||
|
|
{{- end }}
|
||
|
|
annotations:
|
||
|
|
# We want to restart proxy only if the auth token changes
|
||
|
|
# Other changes to the hub config should not restart.
|
||
|
|
# We truncate to 4 chars to avoid leaking auth token info,
|
||
|
|
# since someone could brute force the hash to obtain the token
|
||
|
|
#
|
||
|
|
# Note that if auth_token has to be generated at random, it will be
|
||
|
|
# generated at random here separately from being generated at random in
|
||
|
|
# the k8s Secret template. This will cause this annotation to change to
|
||
|
|
# match the k8s Secret during the first upgrade following an auth_token
|
||
|
|
# was generated.
|
||
|
|
checksum/auth-token: {{ include "jupyterhub.hub.config.ConfigurableHTTPProxy.auth_token" . | sha256sum | trunc 4 | quote }}
|
||
|
|
checksum/proxy-secret: {{ include (print $.Template.BasePath "/proxy/secret.yaml") . | sha256sum | quote }}
|
||
|
|
{{- with .Values.proxy.annotations }}
|
||
|
|
{{- . | toYaml | nindent 8 }}
|
||
|
|
{{- end }}
|
||
|
|
spec:
|
||
|
|
terminationGracePeriodSeconds: 60
|
||
|
|
{{- if .Values.scheduling.podPriority.enabled }}
|
||
|
|
priorityClassName: {{ include "jupyterhub.priority.fullname" . }}
|
||
|
|
{{- end }}
|
||
|
|
{{- with .Values.proxy.chp.nodeSelector }}
|
||
|
|
nodeSelector:
|
||
|
|
{{- . | toYaml | nindent 8 }}
|
||
|
|
{{- end }}
|
||
|
|
{{- with concat .Values.scheduling.corePods.tolerations .Values.proxy.chp.tolerations }}
|
||
|
|
tolerations:
|
||
|
|
{{- . | toYaml | nindent 8 }}
|
||
|
|
{{- end }}
|
||
|
|
{{- include "jupyterhub.coreAffinity" . | nindent 6 }}
|
||
|
|
{{- if $manualHTTPS }}
|
||
|
|
volumes:
|
||
|
|
- name: tls-secret
|
||
|
|
secret:
|
||
|
|
secretName: {{ include "jupyterhub.proxy-public-manual-tls.fullname" . }}
|
||
|
|
{{- else if $manualHTTPSwithsecret }}
|
||
|
|
volumes:
|
||
|
|
- name: tls-secret
|
||
|
|
secret:
|
||
|
|
secretName: {{ .Values.proxy.https.secret.name }}
|
||
|
|
{{- end }}
|
||
|
|
{{- with include "jupyterhub.imagePullSecrets" (dict "root" . "image" .Values.proxy.chp.image) }}
|
||
|
|
imagePullSecrets: {{ . }}
|
||
|
|
{{- end }}
|
||
|
|
containers:
|
||
|
|
- name: chp
|
||
|
|
image: {{ .Values.proxy.chp.image.name }}:{{ .Values.proxy.chp.image.tag }}
|
||
|
|
{{- $hubNameAsEnv := include "jupyterhub.hub.fullname" . | upper | replace "-" "_" }}
|
||
|
|
{{- $hubHost := printf "http://%s:$(%s_SERVICE_PORT)" (include "jupyterhub.hub.fullname" .) $hubNameAsEnv }}
|
||
|
|
command:
|
||
|
|
- configurable-http-proxy
|
||
|
|
- "--ip="
|
||
|
|
- "--api-ip="
|
||
|
|
- --api-port=8001
|
||
|
|
- --default-target={{ .Values.proxy.chp.defaultTarget | default $hubHost }}
|
||
|
|
- --error-target={{ .Values.proxy.chp.errorTarget | default (printf "%s/hub/error" $hubHost) }}
|
||
|
|
{{- if $manualHTTPS }}
|
||
|
|
- --port=8443
|
||
|
|
- --redirect-port=8000
|
||
|
|
- --redirect-to=443
|
||
|
|
- --ssl-key=/etc/chp/tls/tls.key
|
||
|
|
- --ssl-cert=/etc/chp/tls/tls.crt
|
||
|
|
{{- else if $manualHTTPSwithsecret }}
|
||
|
|
- --port=8443
|
||
|
|
- --redirect-port=8000
|
||
|
|
- --redirect-to=443
|
||
|
|
- --ssl-key=/etc/chp/tls/{{ .Values.proxy.https.secret.key }}
|
||
|
|
- --ssl-cert=/etc/chp/tls/{{ .Values.proxy.https.secret.crt }}
|
||
|
|
{{- else }}
|
||
|
|
- --port=8000
|
||
|
|
{{- end }}
|
||
|
|
{{- if .Values.debug.enabled }}
|
||
|
|
- --log-level=debug
|
||
|
|
{{- end }}
|
||
|
|
{{- range .Values.proxy.chp.extraCommandLineFlags }}
|
||
|
|
- {{ tpl . $ }}
|
||
|
|
{{- end }}
|
||
|
|
{{- if or $manualHTTPS $manualHTTPSwithsecret }}
|
||
|
|
volumeMounts:
|
||
|
|
- name: tls-secret
|
||
|
|
mountPath: /etc/chp/tls
|
||
|
|
readOnly: true
|
||
|
|
{{- end }}
|
||
|
|
{{- with .Values.proxy.chp.resources }}
|
||
|
|
resources:
|
||
|
|
{{- . | toYaml | nindent 12 }}
|
||
|
|
{{- end }}
|
||
|
|
env:
|
||
|
|
- name: CONFIGPROXY_AUTH_TOKEN
|
||
|
|
valueFrom:
|
||
|
|
secretKeyRef:
|
||
|
|
# NOTE: References the chart managed k8s Secret even if
|
||
|
|
# hub.existingSecret is specified to avoid using the
|
||
|
|
# lookup function on the user managed k8s Secret.
|
||
|
|
name: {{ include "jupyterhub.hub.fullname" . }}
|
||
|
|
key: hub.config.ConfigurableHTTPProxy.auth_token
|
||
|
|
{{- with .Values.proxy.chp.extraEnv }}
|
||
|
|
{{- include "jupyterhub.extraEnv" . | nindent 12 }}
|
||
|
|
{{- end }}
|
||
|
|
{{- with .Values.proxy.chp.image.pullPolicy }}
|
||
|
|
imagePullPolicy: {{ . }}
|
||
|
|
{{- end }}
|
||
|
|
ports:
|
||
|
|
{{- if or $manualHTTPS $manualHTTPSwithsecret }}
|
||
|
|
- name: https
|
||
|
|
containerPort: 8443
|
||
|
|
{{- end }}
|
||
|
|
- name: http
|
||
|
|
containerPort: 8000
|
||
|
|
- name: api
|
||
|
|
containerPort: 8001
|
||
|
|
{{- if .Values.proxy.chp.livenessProbe.enabled }}
|
||
|
|
livenessProbe:
|
||
|
|
initialDelaySeconds: {{ .Values.proxy.chp.livenessProbe.initialDelaySeconds }}
|
||
|
|
periodSeconds: {{ .Values.proxy.chp.livenessProbe.periodSeconds }}
|
||
|
|
timeoutSeconds: {{ .Values.proxy.chp.livenessProbe.timeoutSeconds }}
|
||
|
|
failureThreshold: {{ .Values.proxy.chp.livenessProbe.failureThreshold }}
|
||
|
|
httpGet:
|
||
|
|
path: /_chp_healthz
|
||
|
|
{{- if or $manualHTTPS $manualHTTPSwithsecret }}
|
||
|
|
port: https
|
||
|
|
scheme: HTTPS
|
||
|
|
{{- else }}
|
||
|
|
port: http
|
||
|
|
scheme: HTTP
|
||
|
|
{{- end }}
|
||
|
|
{{- end }}
|
||
|
|
{{- if .Values.proxy.chp.readinessProbe.enabled }}
|
||
|
|
readinessProbe:
|
||
|
|
initialDelaySeconds: {{ .Values.proxy.chp.readinessProbe.initialDelaySeconds }}
|
||
|
|
periodSeconds: {{ .Values.proxy.chp.readinessProbe.periodSeconds }}
|
||
|
|
timeoutSeconds: {{ .Values.proxy.chp.readinessProbe.timeoutSeconds }}
|
||
|
|
failureThreshold: {{ .Values.proxy.chp.readinessProbe.failureThreshold }}
|
||
|
|
httpGet:
|
||
|
|
path: /_chp_healthz
|
||
|
|
{{- if or $manualHTTPS $manualHTTPSwithsecret }}
|
||
|
|
port: https
|
||
|
|
scheme: HTTPS
|
||
|
|
{{- else }}
|
||
|
|
port: http
|
||
|
|
scheme: HTTP
|
||
|
|
{{- end }}
|
||
|
|
{{- end }}
|
||
|
|
{{- with .Values.proxy.chp.containerSecurityContext }}
|
||
|
|
securityContext:
|
||
|
|
{{- . | toYaml | nindent 12 }}
|
||
|
|
{{- end }}
|
||
|
|
{{- with .Values.proxy.chp.extraPodSpec }}
|
||
|
|
{{- . | toYaml | nindent 6 }}
|
||
|
|
{{- end }}
|