abutcher/02-deployment.yaml

## 02-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-operator
  namespace: openshift-ingress-operator
  annotations:
    config.openshift.io/inject-proxy: ingress-operator
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      name: ingress-operator
  template:
    metadata:
      annotations:
        target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
      labels:
        name: ingress-operator
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
        node-role.kubernetes.io/master: ""
      tolerations:
      - key: "node-role.kubernetes.io/master"
        operator: "Exists"
        effect: "NoSchedule"
      - key: "node.kubernetes.io/unreachable"
        operator: "Exists"
        effect: "NoExecute"
        tolerationSeconds: 120
      - key: "node.kubernetes.io/not-ready"
        operator: "Exists"
        effect: "NoExecute"
        tolerationSeconds: 120
      serviceAccountName: ingress-operator
      priorityClassName: system-cluster-critical
      containers:
        - name: ingress-operator
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          terminationMessagePolicy: FallbackToLogsOnError
          imagePullPolicy: IfNotPresent
          image: quay.io/abutcher/cluster-ingress-operator:ededabfc
          command:
          - ingress-operator
          - start
          - --namespace
          - "$(WATCH_NAMESPACE)"
          - --image
          - "$(IMAGE)"
          - --canary-image
          - "$(CANARY_IMAGE)"
          - --release-version
          - "$(RELEASE_VERSION)"
          env:
            - name: RELEASE_VERSION
              value: "0.0.1-snapshot"
            - name: WATCH_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: IMAGE
              value: openshift/origin-haproxy-router:v4.0
            - name: CANARY_IMAGE
              value: quay.io/abutcher/cluster-ingress-operator:ededabfc
          resources:
            requests:
              cpu: 10m
              memory: 56Mi
          volumeMounts:
          - name: trusted-ca
            mountPath: /etc/pki/ca-trust/extracted/pem
            readOnly: true
          - name: bound-sa-token
            mountPath: /var/run/secrets/openshift/serviceaccount
            readOnly: true
        - name: kube-rbac-proxy
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          image: quay.io/openshift/origin-kube-rbac-proxy:latest
          args:
          - --logtostderr
          - --secure-listen-address=:9393
          - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
          - --upstream=http://127.0.0.1:60000/
          - --tls-cert-file=/etc/tls/private/tls.crt
          - --tls-private-key-file=/etc/tls/private/tls.key
          ports:
          - containerPort: 9393
            name: metrics
          resources:
            requests:
              cpu: 10m
              memory: 40Mi
          volumeMounts:
          - mountPath: /etc/tls/private
            name: metrics-tls
            readOnly: true
      volumes:
      - name: metrics-tls
        secret:
          secretName: metrics-tls
      - name: trusted-ca
        configMap:
          name: trusted-ca
          items:
            - key: ca-bundle.crt
              path: tls-ca-bundle.pem
      # This service account token can be used to provide identity outside the cluster.
      # For example, this token can be used with AssumeRoleWithWebIdentity to authenticate with AWS using IAM OIDC provider and STS.
      - name: bound-sa-token
        projected:
          sources:
          - serviceAccountToken:
              path: token
              audience: openshift
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: ingress-operator
	namespace: openshift-ingress-operator
	annotations:
	config.openshift.io/inject-proxy: ingress-operator
	include.release.openshift.io/self-managed-high-availability: "true"
	include.release.openshift.io/single-node-developer: "true"
	spec:
	replicas: 1
	strategy:
	type: Recreate
	selector:
	matchLabels:
	name: ingress-operator
	template:
	metadata:
	annotations:
	target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
	labels:
	name: ingress-operator
	spec:
	securityContext:
	runAsNonRoot: true
	seccompProfile:
	type: RuntimeDefault
	nodeSelector:
	kubernetes.io/os: linux
	node-role.kubernetes.io/master: ""
	tolerations:
	- key: "node-role.kubernetes.io/master"
	operator: "Exists"
	effect: "NoSchedule"
	- key: "node.kubernetes.io/unreachable"
	operator: "Exists"
	effect: "NoExecute"
	tolerationSeconds: 120
	- key: "node.kubernetes.io/not-ready"
	operator: "Exists"
	effect: "NoExecute"
	tolerationSeconds: 120
	serviceAccountName: ingress-operator
	priorityClassName: system-cluster-critical
	containers:
	- name: ingress-operator
	securityContext:
	allowPrivilegeEscalation: false
	capabilities:
	drop: ["ALL"]
	terminationMessagePolicy: FallbackToLogsOnError
	imagePullPolicy: IfNotPresent
	image: quay.io/abutcher/cluster-ingress-operator:ededabfc
	command:
	- ingress-operator
	- start
	- --namespace
	- "$(WATCH_NAMESPACE)"
	- --image
	- "$(IMAGE)"
	- --canary-image
	- "$(CANARY_IMAGE)"
	- --release-version
	- "$(RELEASE_VERSION)"
	env:
	- name: RELEASE_VERSION
	value: "0.0.1-snapshot"
	- name: WATCH_NAMESPACE
	valueFrom:
	fieldRef:
	fieldPath: metadata.namespace
	- name: IMAGE
	value: openshift/origin-haproxy-router:v4.0
	- name: CANARY_IMAGE
	value: quay.io/abutcher/cluster-ingress-operator:ededabfc
	resources:
	requests:
	cpu: 10m
	memory: 56Mi
	volumeMounts:
	- name: trusted-ca
	mountPath: /etc/pki/ca-trust/extracted/pem
	readOnly: true
	- name: bound-sa-token
	mountPath: /var/run/secrets/openshift/serviceaccount
	readOnly: true
	- name: kube-rbac-proxy
	securityContext:
	allowPrivilegeEscalation: false
	capabilities:
	drop: ["ALL"]
	image: quay.io/openshift/origin-kube-rbac-proxy:latest
	args:
	- --logtostderr
	- --secure-listen-address=:9393
	- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
	- --upstream=http://127.0.0.1:60000/
	- --tls-cert-file=/etc/tls/private/tls.crt
	- --tls-private-key-file=/etc/tls/private/tls.key
	ports:
	- containerPort: 9393
	name: metrics
	resources:
	requests:
	cpu: 10m
	memory: 40Mi
	volumeMounts:
	- mountPath: /etc/tls/private
	name: metrics-tls
	readOnly: true
	volumes:
	- name: metrics-tls
	secret:
	secretName: metrics-tls
	- name: trusted-ca
	configMap:
	name: trusted-ca
	items:
	- key: ca-bundle.crt
	path: tls-ca-bundle.pem
	# This service account token can be used to provide identity outside the cluster.
	# For example, this token can be used with AssumeRoleWithWebIdentity to authenticate with AWS using IAM OIDC provider and STS.
	- name: bound-sa-token
	projected:
	sources:
	- serviceAccountToken:
	path: token
	audience: openshift