---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    io.cilium/app: operator
    name: cilium-operator
  name: cilium-operator
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      io.cilium/app: operator
      name: cilium-operator
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        io.cilium/app: operator
        name: cilium-operator
    spec:
      containers:
        - args:
            - --debug=$(CILIUM_DEBUG)
            - --kvstore=etcd
            - --kvstore-opt=etcd.config=/var/lib/etcd-config/etcd.config
          command:
            - cilium-operator
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: K8S_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: CILIUM_DEBUG
              valueFrom:
                configMapKeyRef:
                  key: debug
                  name: cilium-config
                  optional: true
            - name: CILIUM_CLUSTER_NAME
              valueFrom:
                configMapKeyRef:
                  key: cluster-name
                  name: cilium-config
                  optional: true
            - name: CILIUM_CLUSTER_ID
              valueFrom:
                configMapKeyRef:
                  key: cluster-id
                  name: cilium-config
                  optional: true
            - name: CILIUM_DISABLE_ENDPOINT_CRD
              valueFrom:
                configMapKeyRef:
                  key: disable-endpoint-crd
                  name: cilium-config
                  optional: true
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  key: AWS_ACCESS_KEY_ID
                  name: cilium-aws
                  optional: true
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  key: AWS_SECRET_ACCESS_KEY
                  name: cilium-aws
                  optional: true
            - name: AWS_DEFAULT_REGION
              valueFrom:
                secretKeyRef:
                  key: AWS_DEFAULT_REGION
                  name: cilium-aws
                  optional: true
          image: "{{ cilium_operator_image_repo }}:{{ cilium_operator_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          name: cilium-operator
          livenessProbe:
            httpGet:
{% if cilium_enable_ipv4 %}
              host: 127.0.0.1
{% else %}
              host: host: '[::1]'
{% endif %}
              path: /healthz
              port: 9234
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 3
          volumeMounts:
            - mountPath: /var/lib/etcd-config
              name: etcd-config-path
              readOnly: true
            - mountPath: "{{cilium_cert_dir}}"
              name: etcd-secrets
              readOnly: true
      dnsPolicy: ClusterFirst
      priorityClassName: system-node-critical
      restartPolicy: Always
      serviceAccount: cilium-operator
      serviceAccountName: cilium-operator
      hostNetwork: true
      volumes:
        # To read the etcd config stored in config maps
        - configMap:
            defaultMode: 420
            items:
              - key: etcd-config
                path: etcd.config
            name: cilium-config
          name: etcd-config-path
          # To read the k8s etcd secrets in case the user might want to use TLS
        - name: etcd-secrets
          hostPath:
            path: "{{cilium_cert_dir}}"