---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Chart.Name }}
  labels:
    {{- include "install.labels" . | nindent 4 }}
    {{- include "install.clusterLabels" . | nindent 4 }}
spec:
  replicas: 1
  strategy: { type: Recreate }
  selector:
    matchLabels:
      {{- include "install.clusterLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "install.clusterLabels" . | nindent 8 }}
    spec:
      {{- include "install.imagePullSecrets" . | indent 6 }}
      serviceAccountName: {{ include "install.serviceAccountName" . }}
      containers:
      - name: operator
        image: {{ required ".Values.controllerImages.cluster is required" .Values.controllerImages.cluster | quote }}
        env:
        - name: CRUNCHY_DEBUG
          value: {{ .Values.debug | ne false | quote }}
        - name: PGO_NAMESPACE
          valueFrom: { fieldRef: { apiVersion: v1, fieldPath: metadata.namespace } }
        {{- if .Values.singleNamespace }}
        - name: PGO_TARGET_NAMESPACE
          valueFrom: { fieldRef: { apiVersion: v1, fieldPath: metadata.namespace } }
        {{- end }}
        {{- if .Values.workers }}
        - name: PGO_WORKERS
          value: {{ .Values.workers | quote }}
        {{- end }}
        {{- include "install.relatedImages" . | indent 8 }}
        {{- if .Values.disable_check_for_upgrades }}
        - name: CHECK_FOR_UPGRADES
          value: "false"
        {{- end }}
        {{- if .Values.resources.controller }}
        resources:
        {{- toYaml .Values.resources.controller | nindent 10 }}
        {{- end }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities: { drop: [ALL] }
          readOnlyRootFilesystem: true
          runAsNonRoot: true