---
# Source: volsync/charts/volsync/templates/deployment-controller.yaml
#
# Rendered Helm output for the VolSync controller Deployment. Each pod runs
# two containers: kube-rbac-proxy, which terminates TLS on 8443, and the
# manager, which binds its metrics endpoint to loopback only.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: volsync
  labels:
    control-plane: volsync-controller
    helm.sh/chart: volsync-0.14.0
    app.kubernetes.io/name: volsync
    app.kubernetes.io/instance: volsync
    # Quoted so the version stays a string.
    app.kubernetes.io/version: '0.14.0'
    app.kubernetes.io/managed-by: Helm
spec:
  # NOTE(review): three replicas together with --leader-elect on the manager;
  # presumably only the elected leader reconciles - confirm.
  replicas: 3
  selector:
    matchLabels:
      control-plane: volsync-controller
      app.kubernetes.io/name: volsync
      app.kubernetes.io/instance: volsync
  template:
    metadata:
      annotations:
        kubectl.kubernetes.io/default-container: manager
      labels:
        control-plane: volsync-controller
        app.kubernetes.io/name: volsync
        app.kubernetes.io/instance: volsync
    spec:
      serviceAccountName: volsync
      # The default for podSecurityContext is moved here so that we can probe
      # the cluster and adjust the template
      securityContext:
        runAsNonRoot: true
        # When not OpenShift, we need to set the UID
        runAsUser: 65534
        runAsGroup: 65534
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kube-rbac-proxy
          # NOTE(review): images in this manifest are referenced by tag, not
          # by digest. Tags are mutable; pinning as image@sha256:<digest>
          # makes the deployed content verifiable.
          image: 'quay.io/brancz/kube-rbac-proxy:v0.19.0'
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
          args:
            # TLS listener on all interfaces; requests are forwarded to the
            # manager's loopback-only metrics address (127.0.0.1:8080).
            - '--secure-listen-address=0.0.0.0:8443'
            - '--upstream=http://127.0.0.1:8080/'
            - '--logtostderr=true'
            - '--tls-min-version=VersionTLS12'
            - '--v=0'
            # NOTE(review): kube-rbac-proxy skips its authentication and
            # authorization check for paths listed in --ignore-paths, so
            # /metrics is readable by any client that can reach 8443.
            # Confirm this is intended; otherwise restrict access with a
            # NetworkPolicy, or drop the flag and have the scraper
            # authenticate.
            - '--ignore-paths=/metrics'
          ports:
            - name: https
              containerPort: 8443
              protocol: TCP
          resources:
            limits:
              cpu: 500m
              memory: 128Mi
            requests:
              cpu: 5m
              memory: 64Mi
        - name: manager
          image: 'quay.io/backube/volsync:0.14.0'
          imagePullPolicy: IfNotPresent
          command:
            - /manager
          args:
            # Health probes listen on every interface (":8081") over plain
            # HTTP; metrics stay on loopback behind kube-rbac-proxy.
            - '--health-probe-bind-address=:8081'
            - '--metrics-bind-address=127.0.0.1:8080'
            - '--leader-elect'
            # Every mover type is given the same image and tag as the
            # controller itself.
            - '--rclone-container-image=quay.io/backube/volsync:0.14.0'
            - '--restic-container-image=quay.io/backube/volsync:0.14.0'
            - '--rsync-container-image=quay.io/backube/volsync:0.14.0'
            - '--rsync-tls-container-image=quay.io/backube/volsync:0.14.0'
            - '--syncthing-container-image=quay.io/backube/volsync:0.14.0'
            # NOTE(review): the SCC named here is defined outside this file;
            # the name suggests it grants privileged access to mover pods.
            # Review what it allows and who may use it - TODO confirm.
            - '--scc-name=volsync-privileged-mover'
          env:
            # Downward API: the namespace the pod is running in.
            - name: VOLSYNC_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
            initialDelaySeconds: 15
            periodSeconds: 20
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            limits:
              cpu: 1000m
              memory: 1Gi
            requests:
              cpu: 10m
              memory: 128Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
          volumeMounts:
            # The only writable path, since the root filesystem is read-only.
            - name: tempdir
              mountPath: /tmp
      terminationGracePeriodSeconds: 10
      volumes:
        # NOTE(review): memory-backed emptyDir with no sizeLimit. Data
        # written to /tmp lives in RAM and counts against the manager's
        # memory limit; consider adding a sizeLimit to bound it.
        - name: tempdir
          emptyDir:
            medium: Memory