apiVersion: v1
kind: Pod
metadata:
  name: k8s-admission
  namespace: secure-delivery
  labels:
    run: k8s-admission
    app.kubernetes.io/component: k8s-admission-controller
    app.kubernetes.io/managed-by: nodeagent
    app.kubernetes.io/name: k8s-admission-controller
    app.kubernetes.io/part-of: secure-delivery
    platform.edge.ncr.com/component: k8s-admission-controller
  annotations:
    prometheus.io/path: /metrics
    prometheus.io/port: http-metrics
    prometheus.io/scrape: "true"
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: k8s-admission-controller
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-minions'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
spec:
  terminationGracePeriodSeconds: 30
  dnsPolicy: ClusterFirstWithHostNet
  hostNetwork: true
  hostname: k8s-admissions-controller
  initContainers:
  - name: init-admission-controller-tls-generate
    image: us-east1-docker.pkg.dev/ret-edge-pltf-infra/workloads/admission_tls_generate@sha256:25f705c1603fb72ef291517afc636fa1a4d4a0a358790c6dc644bcc2ad739207
    command: ["/bin/sh", "/root/generate-tls.sh"]
    volumeMounts:
    - name: ca-cert
      mountPath: /etc/ca/ca.crt
    - name: ca-key
      mountPath: /etc/ca/ca.key
    - name: tls-certs
      mountPath: /var/certs
  containers:
  - name: k8s-admission
    image: us-east1-docker.pkg.dev/ret-edge-pltf-infra/workloads/admission@sha256:bd5a3e3081e4bf2391c5371af7fa2a86546fe6b6380164c8ae054e1fe064db5d
    args:
    - run
    ports:
    - protocol: TCP
      containerPort: 8543
    env:
    - name: KUBECONFIG
      value: /root/.kube/config
    - name: PULLSECRET_NAMESPACE
      value: external-secrets
    - name: PULLSECRET_NAME
      value: edge-docker-pull-secret
    - name: WEBHOOK_NAME
      value: admission
    - name: WEBHOOK_DOMAIN
      value: edge.ncr.com
    - name: OLD_WEBHOOK_NAME
      value: admission-old
    - name: COSIGN_PUB_KEY
      value: /data/admission/public-keys/us-east1-docker.pkg.dev/edge-production.crt
    resources:
      limits:
        cpu: "100m"
        memory: 150Mi
      requests:
        cpu: 10m
        memory: 15Mi
    volumeMounts:
    - name: ca-cert
      mountPath: /ca/ca.crt
    - name: tls-certs
      mountPath: /var/certs
    - name: cosign
      mountPath: /data/admission/public-keys
    - name: kubeconfig
      mountPath: /root/.kube/config
    - name: etcd-certs
      mountPath: /etc/kubernetes/pki/etcd/
    imagePullPolicy: IfNotPresent
  volumes:
  - name: ca-cert
    hostPath:
      type: File
      path: /etc/kubernetes/pki/ca.crt
  - name: ca-key
    hostPath:
      type: File
      path: /etc/kubernetes/pki/ca.key
  - name: cosign
    hostPath:
      type: DirectoryOrCreate
      path: /data/admission/public-keys
  - name: etcd-certs
    hostPath:
      type: Directory
      path: /etc/kubernetes/pki/etcd/
  - name: kubeconfig
    hostPath:
      type: File
      path: /etc/kubernetes/zylevel0.conf
  - name: tls-certs
    emptyDir: {}