apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    cluster.x-k8s.io/provider: cluster-api
    control-plane: controller-manager
  name: capi-controller-manager
  namespace: "{{ .Release.Namespace }}"
spec:
  replicas: 1
  selector:
    matchLabels:
      cluster.x-k8s.io/provider: cluster-api
      control-plane: controller-manager
  template:
    metadata:
      labels:
        cluster.x-k8s.io/provider: cluster-api
        control-plane: controller-manager
    spec:
      containers:
        - command:
            - /manager
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_UID
              valueFrom:
                fieldRef:
                  fieldPath: metadata.uid
{{- if .Values.extraEnv }}
{{ toYaml .Values.extraEnv | indent 12 }}
{{- end }}
          imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
          name: manager
          ports:
            - containerPort: 9443
              name: webhook-server
              protocol: TCP
            - containerPort: 9440
              name: healthz
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /readyz
              port: healthz
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            runAsGroup: 65532
            runAsUser: 65532
          volumeMounts:
            - mountPath: /tmp/k8s-webhook-server/serving-certs
              name: cert
              readOnly: true
          image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
          args:
            - --leader-elect
{{ toYaml .Values.args | indent 12 }}
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: capi-manager
      terminationGracePeriodSeconds: 10
      volumes:
        - name: cert
          secret:
            secretName: capi-webhook-service-cert
      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
      {{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
      {{- end }}
      tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
      {{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 6 }}
      {{- else }}
      - effect: NoSchedule
        key: node-role.kubernetes.io/controlplane
        value: "true"
      - effect: NoSchedule
        key: "node-role.kubernetes.io/control-plane"
        operator: "Exists"
      - effect: NoSchedule
        key: "node-role.kubernetes.io/master"
        operator: "Exists"
      - effect: "NoExecute"
        key: "node-role.kubernetes.io/etcd"
        operator: "Exists"
      {{- end }}
      {{- if .Values.priorityClassName }}
      priorityClassName: "{{.Values.priorityClassName}}"
      {{- end }}