# Copyright 2019 The Tekton Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: tekton-triggers-webhook
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: webhook
    app.kubernetes.io/component: webhook
    app.kubernetes.io/instance: default
    app.kubernetes.io/version: "v0.26.1"
    app.kubernetes.io/part-of: tekton-triggers
    # tekton.dev/release value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
    triggers.tekton.dev/release: "v0.26.1"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: webhook
      app.kubernetes.io/component: webhook
      app.kubernetes.io/instance: default
      app.kubernetes.io/part-of: tekton-triggers
  template:
    metadata:
      labels:
        app.kubernetes.io/name: webhook
        app.kubernetes.io/component: webhook
        app.kubernetes.io/instance: default
        app.kubernetes.io/version: "v0.26.1"
        app.kubernetes.io/part-of: tekton-triggers
        app: tekton-triggers-webhook
        triggers.tekton.dev/release: "v0.26.1"
        # version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
        version: "v0.26.1"
    spec:
      serviceAccountName: tekton-triggers-webhook
      containers:
        - name: webhook
          # This is the Go import path for the binary that is containerized
          # and substituted here.
          image: "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/webhook:v0.26.1@sha256:229240b3ac6770bb8513f672d1b19fa9879be6c379b73a47d94b208a1d6e3992"
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: CONFIG_LOGGING_NAME
              value: config-logging-triggers
            - name: WEBHOOK_SERVICE_NAME
              value: tekton-triggers-webhook
            - name: WEBHOOK_SECRET_NAME
              value: triggers-webhook-certs
            - name: METRICS_DOMAIN
              value: tekton.dev/triggers
            - name: CONFIG_LEADERELECTION_NAME
              value: config-leader-election-triggers-webhook
          ports:
            - name: metrics
              containerPort: 9000
            - name: profiling
              containerPort: 8008
            - name: https-webhook
              containerPort: 8443
          securityContext:
            allowPrivilegeEscalation: false
            # User 65532 is the distroless nonroot user ID
            runAsUser: 65532
            runAsGroup: 65532
            runAsNonRoot: true
            capabilities:
              drop:
                - "ALL"
            seccompProfile:
              type: RuntimeDefault