apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: cdi-operator
    cdi.kubevirt.io: cdi-apiserver
  name: cdi-apiserver
  namespace: "{{ namespace }}"
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      cdi.kubevirt.io: cdi-apiserver
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/component: storage
        app.kubernetes.io/managed-by: cdi-operator
        cdi.kubevirt.io: cdi-apiserver
    spec:
      containers:
        - args:
            - -v=1
          env:
            - name: INSTALLER_PART_OF_LABEL
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.labels['app.kubernetes.io/part-of']
            - name: INSTALLER_VERSION_LABEL
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.labels['app.kubernetes.io/version']
          image: quay.io/kubevirt/cdi-apiserver@sha256:e9e39408413b1478d2e98eba68913f9e20c93000558b190b47de73bdfd1d9ac4
          imagePullPolicy: IfNotPresent
          name: cdi-apiserver
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 8443
              scheme: HTTPS
            initialDelaySeconds: 2
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 10m
              memory: 150Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /var/run/certs/cdi-apiserver-signer-bundle
              name: ca-bundle
              readOnly: true
            - mountPath: /var/run/certs/cdi-apiserver-server-cert
              name: server-cert
              readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: cdi-cluster-critical
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        runAsNonRoot: true
      serviceAccount: cdi-apiserver
      serviceAccountName: cdi-apiserver
      terminationGracePeriodSeconds: 30
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
      volumes:
        - secret:
            defaultMode: 420
            items:
              - key: ca.crt
                path: ca-bundle.crt
            secretName: cdi-apiserver-server-cert
          name: ca-bundle
        - name: server-cert
          secret:
            defaultMode: 420
            items:
              - key: tls.crt
                path: tls.crt
              - key: tls.key
                path: tls.key
            secretName: cdi-apiserver-server-cert