apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: storage
    app.kubernetes.io/managed-by: cdi-operator
    cdi.kubevirt.io: cdi-uploadproxy
  name: cdi-uploadproxy
  namespace: "{{ namespace }}"
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      cdi.kubevirt.io: cdi-uploadproxy
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/component: storage
        app.kubernetes.io/managed-by: cdi-operator
        cdi.kubevirt.io: cdi-uploadproxy
    spec:
      containers:
        - args:
            - -v=1
          env:
            - name: APISERVER_PUBLIC_KEY
              valueFrom:
                secretKeyRef:
                  key: publickey.pem
                  name: cdi-api-signing-key
          image: quay.io/kubevirt/cdi-uploadproxy@sha256:551221d79902a5053d1c734b81163d69f087217e2ac13c49bdf6900336ef0786
          imagePullPolicy: IfNotPresent
          name: cdi-uploadproxy
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 8443
              scheme: HTTPS
            initialDelaySeconds: 2
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 10m
              memory: 150Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /var/run/certs/cdi-uploadproxy-server-cert
              name: server-cert
              readOnly: true
            - mountPath: /var/run/certs/cdi-uploadserver-client-cert
              name: client-cert
              readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: cdi-cluster-critical
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        runAsNonRoot: true
      serviceAccount: cdi-uploadproxy
      serviceAccountName: cdi-uploadproxy
      terminationGracePeriodSeconds: 30
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
      volumes:
        - name: server-cert
          secret:
            defaultMode: 420
            items:
              - key: tls.crt
                path: tls.crt
              - key: tls.key
                path: tls.key
            secretName: cdi-uploadproxy-server-cert
        - name: client-cert
          secret:
            defaultMode: 420
            items:
              - key: tls.crt
                path: tls.crt
              - key: tls.key
                path: tls.key
            secretName: cdi-uploadserver-client-cert