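# Helm template: Deployment for kubelet-serving-cert-approver.
# Templated string scalars are piped through `quote` so that values such as an
# all-digit release name or an appVersion like 1.10 are rendered as strings,
# not re-typed by the YAML parser into numbers that the API server would
# reject for string fields (labels, names).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubelet-serving-cert-approver
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: kubelet-serving-cert-approver
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/component: server
    app.kubernetes.io/part-of: kubelet-serving-cert-approver
spec:
  revisionHistoryLimit: 3
  # Integer field: intentionally left unquoted.
  replicas: {{ .Values.deployment.replicas }}
  strategy:
    type: {{ .Values.deployment.strategy | quote }}
  selector:
    matchLabels:
      app.kubernetes.io/name: kubelet-serving-cert-approver
      app.kubernetes.io/instance: {{ .Release.Name | quote }}
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kubelet-serving-cert-approver
        app.kubernetes.io/instance: {{ .Release.Name | quote }}
    spec:
      affinity:
        nodeAffinity:
          # Soft preference only: the scheduler favours nodes without the
          # master/control-plane role labels but may still place the pod on
          # them (see the tolerations at the bottom of this pod spec).
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: node-role.kubernetes.io/master
                    operator: DoesNotExist
                  - key: node-role.kubernetes.io/control-plane
                    operator: DoesNotExist
              weight: 100
      containers:
        - name: {{ .Release.Name | quote }}
          # NOTE(review): the image is referenced by repository:tag. Tags are
          # mutable; consider pinning the tag value to a digest-qualified
          # reference in the chart values so the deployed image cannot change
          # underneath a fixed chart version.
          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy | quote }}
          ports:
            # Named ports; the probes below reference "health" by name.
            - containerPort: 8080
              name: health
            - containerPort: 9090
              name: metrics
          args:
            - serve
          env:
            # Downward API: exposes the pod's own namespace to the process.
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # Rendered from values; nindent 12 matches the child indentation of
          # this key (container keys sit at 10 spaces).
          # NOTE(review): confirm the chart defaults set requests and limits,
          # otherwise the container runs unbounded.
          resources:
            {{- toYaml .Values.deployment.resources | nindent 12 }}
          livenessProbe:
            httpGet:
              path: /healthz
              port: health
            initialDelaySeconds: 6
          readinessProbe:
            httpGet:
              path: /readyz
              port: health
            initialDelaySeconds: 3
          # Container hardening: no privilege escalation, all Linux
          # capabilities dropped, unprivileged, immutable root filesystem,
          # and the kubelet refuses to start the container as UID 0.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
      priorityClassName: {{ .Values.deployment.priorityClassName | quote }}
      # Pod-level identity: fixed non-zero UID/GID (65534 is conventionally
      # "nobody" -- confirm against the image) and the runtime's default
      # seccomp profile.
      securityContext:
        fsGroup: 65534
        runAsGroup: 65534
        runAsUser: 65534
        seccompProfile:
          type: RuntimeDefault
      # NOTE(review): the ServiceAccount and its RBAC bindings are defined
      # outside this template. Judging by the component name, this workload
      # presumably acts on kubelet serving certificate requests; verify that
      # the bound roles grant only the CSR permissions it needs.
      serviceAccountName: kubelet-serving-cert-approver
      # Allows (does not force) scheduling onto nodes tainted NoSchedule for
      # the master/control-plane roles.
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
          operator: Exists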