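# Deployment for the koor-operator controller manager. The pod runs two
# containers: "manager" (the operator binary, which also serves the webhook on
# 9443) and a "kube-rbac-proxy" sidecar listening on 8443.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "koor-operator.fullname" . }}-controller-manager
  labels:
    app.kubernetes.io/component: manager
    app.kubernetes.io/created-by: koor-operator
    app.kubernetes.io/part-of: koor-operator
    control-plane: controller-manager
  {{- include "koor-operator.labels" . | nindent 4 }}
  annotations:
    # Rendered as a Helm hook, so it is applied after the regular release
    # resources, ordered by weight.
    # NOTE(review): Helm does not track hook resources as part of the release,
    # so uninstall does not remove this Deployment by itself. Confirm that
    # cleanup is handled elsewhere in the chart.
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-weight: "3"
spec:
  replicas: {{ .Values.controllerManager.replicas }}
  selector:
    matchLabels:
      control-plane: controller-manager
    {{- include "koor-operator.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        control-plane: controller-manager
      {{- include "koor-operator.selectorLabels" . | nindent 8 }}
      annotations:
        kubectl.kubernetes.io/default-container: manager
    spec:
      # Hard scheduling constraint: Linux nodes on one of the listed
      # architectures only.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
                - arm64
                - ppc64le
                - s390x
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
      containers:
      - args: {{- toYaml .Values.controllerManager.manager.args | nindent 8 }}
        command:
        - /manager
        env:
        - name: KUBERNETES_CLUSTER_DOMAIN
          value: {{ quote .Values.kubernetesClusterDomain }}
        # Quoted so the rendered reference is always parsed as one string.
        # The tag falls back to the chart's appVersion. A tag is a mutable
        # reference; a digest in the values pins the exact image.
        image: "{{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default .Chart.AppVersion }}"
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8081
          initialDelaySeconds: 15
          periodSeconds: 20
        name: manager
        ports:
        - containerPort: 9443
          name: webhook-server
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /readyz
            port: 8081
          initialDelaySeconds: 5
          periodSeconds: 10
        resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10 }}
        # The container security context comes entirely from values and is not
        # visible in this template.
        # NOTE(review): confirm the chart defaults set
        # allowPrivilegeEscalation: false and drop all capabilities.
        securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext | nindent 10 }}
        volumeMounts:
        # Webhook serving certificate and key, mounted read-only from the
        # "cert" volume defined at the bottom of the pod spec.
        - mountPath: /tmp/k8s-webhook-server/serving-certs
          name: cert
          readOnly: true
      - args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent 8 }}
        env:
        - name: KUBERNETES_CLUSTER_DOMAIN
          value: {{ quote .Values.kubernetesClusterDomain }}
        # NOTE(review): the fallback tag is the operator chart's appVersion,
        # which is unlikely to be a published kube-rbac-proxy tag. Confirm the
        # chart values always set kubeRbacProxy.image.tag.
        image: "{{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag | default .Chart.AppVersion }}"
        name: kube-rbac-proxy
        ports:
        - containerPort: 8443
          name: https
          protocol: TCP
        resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent 10 }}
        # Supplied from values, as for the manager container; the same review
        # of the chart defaults applies.
        securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext | nindent 10 }}
      # Pod-level context: containers whose image would run as UID 0 are
      # refused at start. No seccompProfile is set at this level.
      # NOTE(review): check whether the container contexts in values set one.
      securityContext:
        runAsNonRoot: true
      serviceAccountName: {{ include "koor-operator.fullname" . }}-controller-manager
      terminationGracePeriodSeconds: 10
      volumes:
      - name: cert
        secret:
          # 420 is decimal for octal 0644: the projected files, including the
          # private key, are readable by every user in the pod.
          defaultMode: 420
          secretName: webhook-server-cert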