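---
# node-agent DaemonSet: one privileged pod per node that manages host-level
# state (etc, boot, CNI config, firewall rules, static-pod manifests) and
# launches the sibling components named by the *_IMAGE env vars below.
#
# Trust boundary: hostNetwork + hostPID + privileged + read-write hostPath
# mounts of /etc, /boot, /opt/cni/bin/gateway and /etc/kubernetes/manifests
# make this pod node-root-equivalent. Nothing inside the container limits
# what it can do to the node; the only real controls are who may modify this
# DaemonSet and what images it pulls.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-agent
  namespace: sds
  labels:
    platform.edge.ncr.com/component: nodeagent
spec:
  selector:
    matchLabels:
      platform.edge.ncr.com/component: nodeagent
  template:
    metadata:
      labels:
        platform.edge.ncr.com/component: nodeagent
    spec:
      # Host namespaces: the agent sees/signals every host process and owns
      # the host network stack (needed for tc/netlink and firewall work).
      hostNetwork: true
      hostPID: true
      # Every init container only runs `version` (device-agent: `--start=false`).
      # Presumably this pre-pulls the component images onto the node so the
      # agent can start them later via the *_IMAGE env vars — confirm against
      # the nodeagent code. The `bzl://...:container_push` references look like
      # Bazel targets substituted at build time, not runtime image names.
      initContainers:
        - name: control-plane-guardian-image-init
          image: bzl://cmd/sds/controlplaneguardian:container_push
          args: ["version"]
        - name: control-plane-promoter-image-init
          image: bzl://cmd/sds/controlplanepromoter:container_push
          args: ["version"]
        - name: device-agent
          image: bzl://cmd/sds/devices/device-agent:container_push
          args:
            - --start=false
        - name: etcd-manager-image-init
          image: bzl://cmd/sds/etcd/manager:container_push
          args: ["version"]
        - name: k8s-admission
          image: bzl://cmd/sds/admission/controller:container_push
          args: ["version"]
        - name: k8s-admission-init
          image: bzl://cmd/sds/admission/init:container_push
          args: ["version"]
        - name: lan-outage-detector-image-init
          image: bzl://cmd/sds/lanoutage/detector:container_push
          args: ["version"]
        - name: lan-outage-scheduler-image-init
          image: bzl://cmd/sds/lanoutage/scheduler:container_push
          args: ["version"]
      containers:
        - name: nodeagent
          image: bzl://cmd/sds/nodeagent:container_push
          envFrom: []
          # Image references handed to the agent for the components it
          # launches. Each must match the init container that pre-pulled it.
          env:
            - name: CONTROL_PLANE_GUARDIAN_IMAGE
              value: bzl://cmd/sds/controlplaneguardian:container_push
            - name: CONTROL_PLANE_PROMOTER_IMAGE
              value: bzl://cmd/sds/controlplanepromoter:container_push
            - name: LAN_OUTAGE_DETECTOR_IMAGE
              value: bzl://cmd/sds/lanoutage/detector:container_push
            - name: LAN_OUTAGE_SCHEDULER_IMAGE
              value: bzl://cmd/sds/lanoutage/scheduler:container_push
            - name: ETCD_MANAGER_IMAGE
              value: bzl://cmd/sds/etcd/manager:container_push
            - name: K8S_ADMISSION_IMAGE
              value: bzl://cmd/sds/admission/controller:container_push
            - name: K8S_ADMISSION_INIT_IMAGE
              value: bzl://cmd/sds/admission/init:container_push
            - name: ADMISSION_WEBHOOK_NAME
              value: admission
            - name: DEVICE_AGENT_IMAGE
              value: bzl://cmd/sds/devices/device-agent:container_push
          volumeMounts:
            # Whole host filesystem, mounted read-only. With `privileged: true`
            # this is accident prevention, not isolation: the same host is
            # reachable read-write through /host-etc, /host-boot, etc., and a
            # privileged process can remount.
            - name: root
              readOnly: true
              mountPath: /host
            # Host /etc, read-write (note /etc/dhcp below is also mounted
            # separately; both resolve to the same host directory).
            - name: etc-volume
              mountPath: /host-etc
            - name: rofs-volume
              readOnly: true
              mountPath: /host-rofs
            - name: network-service-ips
              readOnly: true
              mountPath: /run/network-service-ips
            # CNI plugin binary that kubelet executes as root when wiring pod
            # networking; writable here, so this mount alone is host-root.
            - name: gateway-cni-script
              readOnly: false
              mountPath: /opt/cni/bin/gateway
            - name: calico-config-list
              readOnly: false
              mountPath: /etc/cni/net.d/10-calico.conflist
            - name: fw-dir
              readOnly: false
              mountPath: /etc/ien-fw/ipv4/dynamic
            # Shared iptables lock so host and agent rule updates serialise.
            - name: xtables-lock
              mountPath: /run/xtables.lock
            - name: dhcp-dir
              readOnly: false
              mountPath: /etc/dhcp/
            - name: boot
              readOnly: false
              mountPath: /host-boot
            - name: bin-dir
              readOnly: true
              mountPath: /usr/local/bin
            - name: data-volume
              mountPath: /host-data
            # Host system D-Bus socket (see the SYS_CHROOT TODO below).
            - name: dbus-socket
              mountPath: /var/run/dbus/system_bus_socket
            # Kubelet static-pod directory (if kubelet's staticPodPath points
            # here, the kubeadm default): any manifest written here is run by
            # kubelet with whatever privileges it declares. Read-write and
            # therefore node-root-equivalent on its own.
            - name: kubernetes-manifests
              mountPath: /etc/kubernetes/manifests
            - name: zynstra-config
              mountPath: /zynstra/config
            - name: run-systemd
              mountPath: /run/systemd
          securityContext:
            # NOTE(review): `privileged: true` grants the full capability set
            # and the runtime does not apply the add/drop lists to privileged
            # containers (containerd/CRI-O behaviour — verify for the runtime
            # in use). The lists are kept so the intended minimal set is
            # documented and takes effect if privileged is ever dropped; until
            # then "drop ALL" is not enforced.
            privileged: true
            capabilities:
              # Kubernetes capability names are written without the CAP_
              # prefix; the prefixed form is accepted by some runtimes only.
              drop:
                - ALL
              add:
                # Read/write host files regardless of DAC mode bits (IEN).
                - DAC_OVERRIDE
                # chroot into /host for os.exec'd host commands.
                # TODO: replace chroot with dbus -
                # https://github.com/ncrvoyix-swt-retail/edge-infra/pull/6348
                - SYS_CHROOT
                # Required for tc and netlink.
                - NET_ADMIN
      volumes:
        - name: bin-dir
          hostPath:
            type: Directory
            path: /usr/local/bin
        - name: boot
          hostPath:
            type: DirectoryOrCreate
            path: /boot
        - name: calico-config-list
          hostPath:
            type: File
            path: /etc/cni/net.d/10-calico.conflist
        - name: data-volume
          hostPath:
            type: DirectoryOrCreate
            path: /data
        - name: dbus-socket
          hostPath:
            type: Socket
            path: /var/run/dbus/system_bus_socket
        # type "" means kubelet performs no check on what /etc/dhcp/ is.
        - name: dhcp-dir
          hostPath:
            type: ""
            path: /etc/dhcp/
        - name: etc-volume
          hostPath:
            type: Directory
            path: /etc
        - name: fw-dir
          hostPath:
            type: DirectoryOrCreate
            path: /etc/ien-fw/ipv4/dynamic
        # FileOrCreate: an empty file is created on first start if the CNI
        # binary is not yet present; the agent is expected to populate it.
        - name: gateway-cni-script
          hostPath:
            type: FileOrCreate
            path: /opt/cni/bin/gateway
        - name: kubernetes-manifests
          hostPath:
            type: Directory
            path: /etc/kubernetes/manifests
        # Optional: the pod starts even if the ConfigMap does not exist yet.
        - name: network-service-ips
          configMap:
            name: network-service-ips
            optional: true
        - name: rofs-volume
          hostPath:
            type: Directory
            path: /rofs
        # No type: same as "" — no check on the host path.
        - name: root
          hostPath:
            path: /
        - name: run-systemd
          hostPath:
            type: Directory
            path: /run/systemd
        - name: xtables-lock
          hostPath:
            type: FileOrCreate
            path: /run/xtables.lock
        - name: zynstra-config
          hostPath:
            type: Directory
            path: /zynstra/config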