---
# Helm values for the kubelet-serving-cert-approver workload.
# The single top-level key presumably matches a subchart name or alias in the
# parent chart; verify against Chart.yaml.
# RBAC for the ServiceAccount is not defined in this file. Review the
# ClusterRole bound to it separately: it determines which
# CertificateSigningRequests this workload can act on.
kubelet-serving-cert-approver:
  defaultPodOptions:
    priorityClassName: system-cluster-critical
    affinity:
      nodeAffinity:
        # Soft preference only: worker nodes are preferred, but the
        # tolerations below still allow scheduling onto control-plane nodes.
        preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            preference:
              matchExpressions:
                - key: node-role.kubernetes.io/master
                  operator: DoesNotExist
                - key: node-role.kubernetes.io/control-plane
                  operator: DoesNotExist
    tolerations:
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      - key: node-role.kubernetes.io/control-plane
        operator: Exists
        effect: NoSchedule
    # Pod-level hardening: fixed non-root uid/gid (65534 is conventionally
    # nobody/nogroup) and the container runtime's default seccomp filter.
    securityContext:
      runAsUser: 65534
      runAsGroup: 65534
      fsGroup: 65534
      seccompProfile:
        type: RuntimeDefault

  controllers:
    main:
      type: deployment
      replicas: 1
      # Recreate stops the old pod before starting the new one, so two
      # instances never run side by side during a rollout.
      strategy: Recreate
      serviceAccount:
        name: kubelet-serving-cert-approver
      pod:
        # The token is mounted into the pod; presumably required because the
        # controller talks to the Kubernetes API. Confirm.
        automountServiceAccountToken: true
      containers:
        main:
          image:
            repository: ghcr.io/alex1989hu/kubelet-serving-cert-approver
            # Pinned by digest: the sha256 decides which image is pulled, the
            # version prefix is for readers. Quoted so it always stays a string.
            tag: '0.10.3@sha256:4cdc92140c48341433513dce3201806309d5256cfbac6f830feae1e7e9fb0d7d'
          args:
            - serve
          env:
            # Downward API: passes the pod's own namespace to the process.
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # NOTE(review): only requests are set, no limits. Confirm that
          # unbounded memory use is acceptable for a system-cluster-critical pod.
          resources:
            requests:
              cpu: 1m
              memory: 20Mi
          # Container-level hardening: no privilege escalation, every Linux
          # capability dropped, read-only root filesystem, non-root enforced.
          securityContext:
            runAsNonRoot: true
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL

  serviceAccount:
    kubelet-serving-cert-approver:
      enabled: true
      # NOTE(review): staticToken appears to request a long-lived token Secret
      # for this ServiceAccount, in addition to the automounted token. Such a
      # token does not rotate on its own. Confirm it is needed and, if so, who
      # can read Secrets in this namespace.
      staticToken: true

  service:
    main:
      controller: main
      # Two ClusterIP ports: health checks and metrics.
      # NOTE(review): confirm that a NetworkPolicy or equivalent limits which
      # clients can reach the metrics port.
      ports:
        health:
          port: 8080
          targetPort: 8080
        metrics:
          port: 9090
          targetPort: 9090