---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    app.kubernetes.io/name: metrics-server
    addonmanager.kubernetes.io/mode: Reconcile
    version: {{ metrics_server_version }}
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: metrics-server
      version: {{ metrics_server_version }}
  strategy:
    rollingUpdate:
      maxUnavailable: 0
  template:
    metadata:
      name: metrics-server
      labels:
        app.kubernetes.io/name: metrics-server
        version: {{ metrics_server_version }}
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      priorityClassName: system-cluster-critical
      serviceAccountName: metrics-server
      containers:
      - name: metrics-server
        image: {{ metrics_server_image_repo }}:{{ metrics_server_image_tag }}
        imagePullPolicy: {{ k8s_image_pull_policy }}
        args:
        - --logtostderr
        - --cert-dir=/tmp
        - --secure-port={{ metrics_server_container_port }}
{% if metrics_server_kubelet_preferred_address_types %}
        - --kubelet-preferred-address-types={{ metrics_server_kubelet_preferred_address_types }}
{% endif %}
        - --kubelet-use-node-status-port
{% if metrics_server_kubelet_insecure_tls %}
        - --kubelet-insecure-tls
{% endif %}
        - --metric-resolution={{ metrics_server_metric_resolution }}
        ports:
        - containerPort: {{ metrics_server_container_port }}
          name: https
          protocol: TCP
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        livenessProbe:
          httpGet:
            path: /livez
            port: https
            scheme: HTTPS
          periodSeconds: 10
          failureThreshold: 3
          initialDelaySeconds: 40
        readinessProbe:
          httpGet:
            path: /readyz
            port: https
            scheme: HTTPS
          periodSeconds: 10
          failureThreshold: 3
          initialDelaySeconds: 40
        securityContext:
          readOnlyRootFilesystem: true
          runAsGroup: 10001
          runAsNonRoot: true
          runAsUser: 10001
          allowPrivilegeEscalation: false
        resources:
          limits:
            cpu: {{ metrics_server_limits_cpu }}
            memory: {{ metrics_server_limits_memory }}
          requests:
            cpu: {{ metrics_server_requests_cpu }}
            memory: {{ metrics_server_requests_memory }}
      volumes:
        - name: tmp
          emptyDir: {}
{% if not masters_are_not_tainted %}
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
{% endif %}
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            preference:
              matchExpressions:
              - key: node-role.kubernetes.io/control-plane
                operator: In
                values:
                - ""