okd/roles/kuryr/templates/controller-deployment.yaml.j2

# More info about the template: https://docs.openstack.org/kuryr-kubernetes/latest/installation/containerized.html#generating-kuryr-resource-definitions-for-kubernetes

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  labels:
    name: kuryr-controller
  name: kuryr-controller
  namespace: {{ kuryr_namespace }}
spec:
  replicas: 1
  template:
    metadata:
      labels:
        name: kuryr-controller
      name: kuryr-controller
    spec:
      serviceAccountName: kuryr-controller
      automountServiceAccountToken: true
      hostNetwork: true
      containers:
      - image: {{ openshift_openstack_kuryr_controller_image }}
        imagePullPolicy: IfNotPresent
        name: controller
{% if enable_kuryr_controller_probes|default(true)|bool %}
        readinessProbe:
          httpGet:
            path: /ready
            port: {{ kuryr_controller_healthcheck_port }}
            scheme: HTTP
          timeoutSeconds: 5
        livenessProbe:
          httpGet:
            path: /alive
            port: {{ kuryr_controller_healthcheck_port }}
          initialDelaySeconds: 15
{% endif %}
        terminationMessagePath: "/dev/termination-log"
        # FIXME(dulek): This shouldn't be required, but without it selinux is
        #               complaining about access to kuryr.conf.
        securityContext:
          privileged: true
          runAsUser: 0
        volumeMounts:
        - name: config-volume
          mountPath: "/etc/kuryr/kuryr.conf"
          subPath: kuryr.conf
        - name: certificates-volume
          mountPath: "/etc/ssl/certs/kuryr-ca-bundle.crt"
          subPath: kuryr-ca-bundle.crt
          readOnly: true
      volumes:
      - name: config-volume
        configMap:
          name: kuryr-config
          defaultMode: 0666
      - name: certificates-volume
        secret:
          secretName: kuryr-certificates
      restartPolicy: Always