---
# Kubernetes Deployment for cilium-operator, rendered as a Jinja2 template.
# `{% ... %}` lines are template control flow and disappear at render time;
# `{{ ... }}` values are substituted from the playbook variables. The rendered
# text is then parsed as YAML, so templated values must stay YAML-safe.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    io.cilium/app: operator
    name: cilium-operator
  name: cilium-operator
  namespace: kube-system
spec:
  # Rendered unquoted on purpose: `replicas` must be an integer, not a string.
  replicas: {{ cilium_operator_replicas }}
  selector:
    matchLabels:
      io.cilium/app: operator
      name: cilium-operator
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
{% if cilium_enable_prometheus %}
      # Scrape hints for Prometheus; the port matches the `prometheus`
      # containerPort declared further down.
      annotations:
        prometheus.io/port: "6942"
        prometheus.io/scrape: "true"
{% endif %}
      labels:
        io.cilium/app: operator
        name: cilium-operator
    spec:
      # In HA mode, cilium-operator pods must not be scheduled on the same
      # node as they will clash with each other.
      # This is a hard (required) rule keyed on the node hostname: with more
      # replicas than schedulable nodes, the surplus pods stay Pending.
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: io.cilium/app
                operator: In
                values:
                - operator
            topologyKey: "kubernetes.io/hostname"
      containers:
        - args:
            # `$(CILIUM_DEBUG)` is expanded by Kubernetes from the container
            # env (defined below); if that variable is unset the reference is
            # left as the literal text.
            - --debug=$(CILIUM_DEBUG)
            # The whole cilium-config ConfigMap is mounted at this path (see
            # volumeMounts), so most settings are read from files, not env.
            - --config-dir=/tmp/cilium/config-map
            # Extra operator flags: either a single string or a list of
            # strings. They are emitted as plain (unquoted) scalars, so each
            # value must be valid as a plain YAML scalar (no leading
            # indicator character, no ': ' or ' #' inside).
{% if cilium_operator_custom_args is string %}
            - {{ cilium_operator_custom_args }}
{% else %}
{% for flag in cilium_operator_custom_args %}
            - {{ flag }}
{% endfor %}
{% endif %}
          command:
            - cilium-operator
          env:
            # Downward API: the pod's own namespace and node name.
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: K8S_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: CILIUM_K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            # `optional: true` on the ConfigMap/Secret references below means a
            # missing key or object leaves the variable unset instead of
            # blocking pod creation.
            - name: CILIUM_DEBUG
              valueFrom:
                configMapKeyRef:
                  key: debug
                  name: cilium-config
                  optional: true
            # We are already mounting the whole ConfigMap as a directory.
            # https://github.com/cilium/cilium/pull/10347
            # Only Cilium < 1.8 still reads these three settings from env;
            # later versions take them from the mounted config directory.
{% if cilium_version | regex_replace('v') is version('1.8', '<') %}
            - name: CILIUM_CLUSTER_NAME
              valueFrom:
                configMapKeyRef:
                  key: cluster-name
                  name: cilium-config
                  optional: true
            - name: CILIUM_CLUSTER_ID
              valueFrom:
                configMapKeyRef:
                  key: cluster-id
                  name: cilium-config
                  optional: true
            - name: CILIUM_DISABLE_ENDPOINT_CRD
              valueFrom:
                configMapKeyRef:
                  key: disable-endpoint-crd
                  name: cilium-config
                  optional: true
{% endif %}
            # AWS credentials from the `cilium-aws` Secret (presumably for the
            # AWS IPAM integration — confirm against the operator docs). Being
            # optional, a missing Secret leaves them unset. Note they end up in
            # the container's process environment, so anyone who can exec into
            # or inspect the pod's processes can read them.
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  key: AWS_ACCESS_KEY_ID
                  name: cilium-aws
                  optional: true
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  key: AWS_SECRET_ACCESS_KEY
                  name: cilium-aws
                  optional: true
            - name: AWS_DEFAULT_REGION
              valueFrom:
                secretKeyRef:
                  key: AWS_DEFAULT_REGION
                  name: cilium-aws
                  optional: true
{% if cilium_kube_proxy_replacement == 'strict' %}
            # With strict kube-proxy replacement the API server endpoint is
            # pinned explicitly (host and port split out of the global
            # endpoint), presumably because the in-cluster Service VIP is not
            # reachable until Cilium itself is running — confirm against the
            # Cilium documentation for the deployed version.
            - name: KUBERNETES_SERVICE_HOST
              value: "{{ kube_apiserver_global_endpoint | urlsplit('hostname') }}"
            - name: KUBERNETES_SERVICE_PORT
              value: "{{ kube_apiserver_global_endpoint | urlsplit('port') }}"
{% endif %}
          image: "{{ cilium_operator_image_repo }}:{{ cilium_operator_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          name: cilium-operator
{% if cilium_enable_prometheus %}
          # Metrics port. Because the pod uses hostNetwork (see below) this
          # listener lives in the node's own network namespace; limit who can
          # reach it at the node firewall / network-policy level.
          ports:
            - containerPort: 6942
              hostPort: 6942
              name: prometheus
              protocol: TCP
{% endif %}
          livenessProbe:
            httpGet:
              # Probe the loopback address explicitly (v4 or v6 per
              # cilium_enable_ipv4). Under hostNetwork the default probe
              # target would be the node IP, which presumably does not reach
              # the operator's health listener — confirm against the
              # operator's bind address.
{% if cilium_enable_ipv4 %}
              host: 127.0.0.1
{% else %}
              host: '::1'
{% endif %}
              path: /healthz
              port: 9234
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 3
          volumeMounts:
{% if cilium_identity_allocation_mode == "kvstore" %}
            # kvstore identity mode: the operator needs the etcd client config
            # and the TLS material for it; both are mounted read-only.
            - mountPath: /var/lib/etcd-config
              name: etcd-config-path
              readOnly: true
            - mountPath: "{{cilium_cert_dir}}"
              name: etcd-secrets
              readOnly: true
{% endif %}
            - mountPath: /tmp/cilium/config-map
              name: cilium-config-path
              readOnly: true
            # Extra mounts from cilium_operator_extra_volume_mounts. The `- `
            # below starts at column 12, so the remaining rendered lines of
            # each mapping must be indented 14 columns — keep `indent(14)` in
            # sync with that position.
{% for volume_mount in cilium_operator_extra_volume_mounts %}
            - {{ volume_mount | to_nice_yaml(indent=2) | indent(14) }}
{% endfor %}
      dnsPolicy: ClusterFirst
      # Highest built-in priority class: the operator is part of the CNI
      # control plane and should not be evicted ahead of ordinary workloads.
      priorityClassName: system-node-critical
      restartPolicy: Always
      # `serviceAccount` is the deprecated spelling of `serviceAccountName`;
      # both are set to the same value.
      serviceAccount: cilium-operator
      serviceAccountName: cilium-operator
      # Runs in the node's network namespace: every port the operator listens
      # on (e.g. health 9234, metrics 6942) is bound on the node itself. This
      # is also why two replicas cannot share a node (see the anti-affinity
      # rule above).
      hostNetwork: true
      # Tolerate every taint, so the operator can also land on tainted
      # (e.g. control-plane) nodes.
      tolerations:
        - operator: Exists
      volumes:
{% if cilium_identity_allocation_mode == "kvstore" %}
        # To read the etcd config stored in config maps
        - configMap:
            # 420 decimal == 0644 octal (owner rw, group/others r).
            defaultMode: 420
            items:
              - key: etcd-config
                path: etcd.config
            name: cilium-config
          name: etcd-config-path
        # To read the k8s etcd secrets in case the user might want to use TLS
        # hostPath exposes the node's certificate directory to the pod; the
        # matching volumeMount above is readOnly.
        - name: etcd-secrets
          hostPath:
            path: "{{cilium_cert_dir}}"
{% endif %}
        - configMap:
            name: cilium-config
          name: cilium-config-path
        # Extra volumes from cilium_operator_extra_volumes. The `- ` below is
        # at column 8, so rendered continuation lines need `indent(10)`.
{% for volume in cilium_operator_extra_volumes %}
        - {{ volume | to_nice_yaml(indent=2) | indent(10) }}
{% endfor %}