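---
# ctlfish workload: Deployment, ServiceAccount, Linkerd policy for the metrics
# port, headless Service, ServiceMonitor and Namespace.
# NOTE(review): no document sets metadata.namespace; presumably the deploy
# tooling places these in the `ctlfish` namespace declared below. Confirm.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ctlfish
spec:
  replicas: 1
  selector:
    matchLabels:
      platform.edge.ncr.com/component: ctlfish
  template:
    metadata:
      labels:
        platform.edge.ncr.com/component: ctlfish
    spec:
      # The pod runs as the `ctlfish` ServiceAccount. The ClusterRoleBinding
      # `metrics-admins` later in this file binds that account to a ClusterRole
      # with wildcard rules, so this pod's token is a high-value credential.
      serviceAccountName: ctlfish
      priorityClassName: edge-p4-operability-services
      # NOTE(review): no pod- or container-level securityContext is set here.
      # Given the privileges attached to this ServiceAccount, consider
      # runAsNonRoot, allowPrivilegeEscalation: false, readOnlyRootFilesystem
      # and dropping all capabilities. Verify first that the image tolerates
      # them.
      containers:
        - name: ctlfish
          # Build-time placeholder reference; presumably rewritten to a real
          # image reference by the build tooling.
          image: bzl://cmd/edge/ctlfish:container_push
          ports:
            # Named port referenced by the Linkerd Server below.
            - name: http-metrics
              containerPort: 5001
          # Every key of the `ldkey` Secret is exposed as an environment
          # variable. Environment variables are read once at container start,
          # so a rotated value is only picked up after the pod restarts.
          envFrom:
            - secretRef:
                name: ldkey
          resources:
            limits:
              cpu: "500m"
              memory: "512Mi"
            requests:
              cpu: "10m"
              memory: "256Mi"
          volumeMounts:
            # The ConfigMap is mounted over /opt and hides anything the image
            # ships in that directory.
            - name: config-volume
              mountPath: /opt
          imagePullPolicy: IfNotPresent
      volumes:
        - name: config-volume
          configMap:
            name: ctlfish-config
      affinity:
        nodeAffinity:
          # Soft preference only: the pod may still be scheduled on nodes
          # whose class is not `server`.
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: node.ncr.com/class
                    operator: In
                    values:
                      - server
              weight: 100
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ctlfish
imagePullSecrets:
  - name: edge-docker-pull-secret
---
# Linkerd policy: declares the named port `http-metrics` on ctlfish pods as an
# HTTP/1 server so that access to it can be authorized.
# NOTE(review): the policy is enforced by the Linkerd proxy in the pod, and no
# injection annotation is visible in this file. Confirm the pod is meshed.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: http-metrics
spec:
  port: http-metrics
  podSelector:
    matchLabels:
      platform.edge.ncr.com/component: ctlfish
  proxyProtocol: HTTP/1
---
# Only the `prometheus` ServiceAccount in the `prometheus` namespace,
# authenticated through mesh TLS, is authorized to reach the metrics server.
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: http-metrics-auth
spec:
  client:
    meshTLS:
      serviceAccounts:
        - name: prometheus
          namespace: prometheus
  server:
    name: http-metrics
---
# Headless Service (clusterIP: None) that exposes container port 5001 as the
# service port `metrics` on 8080.
# NOTE(review): the ServiceMonitor below selects Services by the label
# platform.edge.ncr.com/component=ctlfish, but this Service has no labels in
# this file. Confirm the label is added elsewhere, otherwise nothing is scraped.
apiVersion: v1
kind: Service
metadata:
  name: ctlfish-service
spec:
  selector:
    platform.edge.ncr.com/component: ctlfish
  ports:
    - name: metrics
      port: 8080
      targetPort: 5001
  clusterIP: None
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: ctlfish-monitoring
  annotations:
    # Presumably an allow-list of metric names consumed by the platform's
    # monitoring pipeline; the consumer is not visible in this file.
    monitoring.edge.ncr.com/allowed-metrics: |
      ctlfish_resource_creations
      ctlfish_resource_deletions
      ctlfish_resource_updates
spec:
  selector:
    matchLabels:
      platform.edge.ncr.com/component: ctlfish
  endpoints:
    - port: metrics
---
# NOTE(review): no Pod Security admission label
# (pod-security.kubernetes.io/enforce) is set on this namespace here. Confirm
# whether a baseline is enforced by other means.
apiVersion: v1
kind: Namespace
metadata:
  name: ctlfish
  labels:
    workload.edge.ncr.com: 'platform'
---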
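# SECURITY(review): despite its name, this ClusterRole allows every verb on
# every resource in every API group, cluster-wide. That includes reading all
# Secrets and modifying RBAC. It is bound below to the `ctlfish`
# ServiceAccount, so the ctlfish pod and its token carry cluster-wide control.
# Replace the wildcards with the explicit apiGroups/resources/verbs the
# workload needs. The metric names in this file's ServiceMonitor (resource
# creations, deletions, updates) suggest it only observes resources; if so,
# `get`, `list` and `watch` on the watched kinds would be enough. Confirm
# against the ctlfish code before narrowing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-admin
rules:
  - resources:
      - "*"
    apiGroups:
      - "*"
    verbs:
      - "*"
---
# Grants the wildcard ClusterRole above to the `ctlfish` ServiceAccount in the
# `ctlfish` namespace. The grant is cluster-scoped, not limited to a namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-admins
roleRef:
  name: metrics-admin
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
  - name: ctlfish
    namespace: ctlfish
    kind: ServiceAccount
---
# Syncs the remote secret `edge-backend-launch-darkly-sdk-key` from the
# `gcp-provider` ClusterSecretStore into the Kubernetes Secret `ldkey` under
# the key LD_KEY, re-reading it every minute.
# The Deployment consumes `ldkey` through envFrom, so a refreshed value reaches
# the running container only after a pod restart.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ldkey
spec:
  data:
    - remoteRef:
        key: edge-backend-launch-darkly-sdk-key
      secretKey: LD_KEY
  refreshInterval: 1m
  secretStoreRef:
    name: gcp-provider
    kind: ClusterSecretStore
  target:
    name: ldkey
    # Owner: the ExternalSecret owns the generated Secret.
    creationPolicy: Owner
---
# Grants roles/secretmanager.secretAccessor on this one Secret Manager secret
# to the service account named in `member`. The grant is scoped to a single
# secret, not to the project.
# ${cluster_hash} and ${gcp_project_id} are substitution placeholders,
# presumably filled in by the deploy tooling before apply.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: essa-edge-backend-launch-darkly-sdk-key
spec:
  member: serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: projects/${gcp_project_id}/secrets/edge-backend-launch-darkly-sdk-key
  role: roles/secretmanager.secretAccessor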