---
# Service in front of the tolerator pods: cluster port 443 forwards to the
# container's 8443.
# NOTE(review): the ClusterRole and certificate secret below suggest this is an
# admission webhook endpoint called by the API server; confirm.
apiVersion: v1
kind: Service
metadata:
  name: tolerator
  namespace: tolerator
  labels:
    app: tolerator
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    app: tolerator
---
# Identity the Deployment runs as; bound to the ClusterRole below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tolerator
  namespace: tolerator
  labels:
    app: tolerator
---
# Cluster-wide read/write access to MutatingWebhookConfiguration objects.
# NOTE(review): the rule has no resourceNames, so it covers every mutating
# webhook configuration in the cluster, not only the one this workload owns.
# Anyone holding this service account's token can change or remove other
# teams' webhooks. If the workload manages a single, known configuration,
# consider scoping get/update/patch/delete with
# resourceNames: ['<WEBHOOK_CONFIG_NAME>'] (placeholder; the name is not shown
# in this manifest). "create" cannot be limited by resourceNames and would
# stay as a separate rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tolerator
  labels:
    app: tolerator
rules:
  - apiGroups:
      - 'admissionregistration.k8s.io'
    resources:
      - 'mutatingwebhookconfigurations'
    verbs:
      - 'create'
      - 'get'
      - 'delete'
      - 'list'
      - 'patch'
      - 'update'
      - 'watch'
---
# Grants the ClusterRole above to the tolerator ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tolerator
  labels:
    app: tolerator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tolerator
subjects:
  - kind: ServiceAccount
    name: tolerator
    namespace: tolerator
---
# Workload definition for the tolerator container.
# NOTE(review): hardening gaps visible in this manifest, none changed here:
#   - no pod- or container-level securityContext (runAsNonRoot,
#     allowPrivilegeEscalation, capabilities, readOnlyRootFilesystem are all
#     left at their defaults);
#   - no resources requests/limits on a pod scheduled with a critical
#     priority class;
#   - no readiness/liveness probes and no replicas field (defaults to 1), so
#     a single pod serves all traffic behind the Service.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tolerator
  namespace: tolerator
  labels:
    app: tolerator
spec:
  selector:
    matchLabels:
      app: tolerator
  template:
    metadata:
      labels:
        app: tolerator
    spec:
      priorityClassName: edge-p1-critical-infra
      serviceAccountName: tolerator
      imagePullSecrets:
        - name: edge-docker-pull-secret
      volumes:
        # TLS material for the 8443 listener, taken from a Secret.
        - name: cert
          secret:
            secretName: tolerator-webhook-certificate
      containers:
        - name: tolerator
          # NOTE(review): bzl:// looks like a build-time placeholder that is
          # rewritten to a registry reference; confirm it resolves to an
          # immutable digest, since IfNotPresent reuses whatever image a node
          # already has cached under the same tag.
          image: 'bzl://cmd/sds/tolerator:container_push'
          imagePullPolicy: IfNotPresent
          args:
            - '-service-name=tolerator'
          env:
            # Downward API: exposes the pod's own namespace to the process.
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - containerPort: 8443
          volumeMounts:
            # Mounted read-only, so the container cannot modify the
            # certificate files.
            - name: cert
              mountPath: /var/cert
              readOnly: true
          lifecycle:
            preStop:
              exec:
                # Runs /prestop.sh from the image before the container is
                # stopped; the command is a fixed string with no templated
                # input.
                command:
                  - /bin/sh
                  - '-c'
                  - /prestop.sh