---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    io.cilium/app: operator
    name: cilium-operator
  name: cilium-operator
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      io.cilium/app: operator
      name: cilium-operator
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
{% if cilium_enable_prometheus %}
      annotations:
        prometheus.io/port: "6942"
        prometheus.io/scrape: "true"
{% endif %}
      labels:
        io.cilium/app: operator
        name: cilium-operator
    spec:
      # In HA mode, cilium-operator pods must not be scheduled on the same
      # node as they will clash with each other.
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: io.cilium/app
                operator: In
                values:
                - operator
            topologyKey: "kubernetes.io/hostname"
      containers:
        - args:
            - --debug=$(CILIUM_DEBUG)
            - --config-dir=/tmp/cilium/config-map
          command:
            - cilium-operator
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: K8S_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: CILIUM_K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: CILIUM_DEBUG
              valueFrom:
                configMapKeyRef:
                  key: debug
                  name: cilium-config
                  optional: true
            - name: CILIUM_CLUSTER_NAME
              valueFrom:
                configMapKeyRef:
                  key: cluster-name
                  name: cilium-config
                  optional: true
            - name: CILIUM_CLUSTER_ID
              valueFrom:
                configMapKeyRef:
                  key: cluster-id
                  name: cilium-config
                  optional: true
            - name: CILIUM_DISABLE_ENDPOINT_CRD
              valueFrom:
                configMapKeyRef:
                  key: disable-endpoint-crd
                  name: cilium-config
                  optional: true
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  key: AWS_ACCESS_KEY_ID
                  name: cilium-aws
                  optional: true
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  key: AWS_SECRET_ACCESS_KEY
                  name: cilium-aws
                  optional: true
            - name: AWS_DEFAULT_REGION
              valueFrom:
                secretKeyRef:
                  key: AWS_DEFAULT_REGION
                  name: cilium-aws
                  optional: true
{% if cilium_kube_proxy_replacement == 'strict' %}
            - name: KUBERNETES_SERVICE_HOST
              value: "{{ kube_apiserver_global_endpoint | urlsplit('hostname') }}"
            - name: KUBERNETES_SERVICE_PORT
              value: "{{ kube_apiserver_global_endpoint | urlsplit('port') }}"
{% endif %}
          image: "{{ cilium_operator_image_repo }}:{{ cilium_operator_image_tag }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
          name: cilium-operator
{% if cilium_enable_prometheus %}
          ports:
            - containerPort: 6942
              hostPort: 6942
              name: prometheus
              protocol: TCP
{% endif %}
          livenessProbe:
            httpGet:
{% if cilium_enable_ipv4 %}
              host: 127.0.0.1
{% else %}
              host: '::1'
{% endif %}
              path: /healthz
              port: 9234
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 3
          volumeMounts:
            - mountPath: /var/lib/etcd-config
              name: etcd-config-path
              readOnly: true
            - mountPath: "{{cilium_cert_dir}}"
              name: etcd-secrets
              readOnly: true
            - mountPath: /tmp/cilium/config-map
              name: cilium-config-path
              readOnly: true
      dnsPolicy: ClusterFirst
      priorityClassName: system-node-critical
      restartPolicy: Always
      serviceAccount: cilium-operator
      serviceAccountName: cilium-operator
      hostNetwork: true
      tolerations:
        - operator: Exists
      volumes:
        # To read the etcd config stored in config maps
        - configMap:
            defaultMode: 420
            items:
              - key: etcd-config
                path: etcd.config
            name: cilium-config
          name: etcd-config-path
          # To read the k8s etcd secrets in case the user might want to use TLS
        - name: etcd-secrets
          hostPath:
            path: "{{cilium_cert_dir}}"
        - configMap:
            name: cilium-config
          name: cilium-config-path