# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
    iam.gke.io/gcp-service-account: cnrm-system-${NAMESPACE?}@${PROJECT_ID?}.iam.gserviceaccount.com
  labels:
    cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
    cnrm.cloud.google.com/system: "true"
  name: cnrm-controller-manager-${NAMESPACE?}
  namespace: cnrm-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  labels:
    cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
    cnrm.cloud.google.com/system: "true"
  name: cnrm-admin-binding-${NAMESPACE?}
  namespace: ${NAMESPACE?}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-admin
subjects:
- kind: ServiceAccount
  name: cnrm-controller-manager-${NAMESPACE?}
  namespace: cnrm-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  labels:
    cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-ns-binding-${NAMESPACE?}
  namespace: ${NAMESPACE?}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-manager-ns-role
subjects:
- kind: ServiceAccount
  name: cnrm-controller-manager-${NAMESPACE?}
  namespace: cnrm-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  labels:
    cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-ns-binding-${NAMESPACE?}
  namespace: cnrm-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-manager-ns-role
subjects:
- kind: ServiceAccount
  name: cnrm-controller-manager-${NAMESPACE?}
  namespace: cnrm-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  labels:
    cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-cluster-binding-${NAMESPACE?}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-manager-cluster-role
subjects:
- kind: ServiceAccount
  name: cnrm-controller-manager-${NAMESPACE?}
  namespace: cnrm-system
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
    prometheus.io/port: "8888"
    prometheus.io/scrape: "true"
  labels:
    cnrm.cloud.google.com/monitored: "true"
    cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-${NAMESPACE?}
  namespace: cnrm-system
spec:
  ports:
  - name: controller-manager
    port: 443
  - name: metrics
    port: 8888
  selector:
    cnrm.cloud.google.com/component: cnrm-controller-manager
    cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
    cnrm.cloud.google.com/system: "true"
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  labels:
    cnrm.cloud.google.com/component: cnrm-controller-manager
    cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
    cnrm.cloud.google.com/system: "true"
  name: cnrm-controller-manager-${NAMESPACE?}
  namespace: cnrm-system
spec:
  selector:
    matchLabels:
      cnrm.cloud.google.com/component: cnrm-controller-manager
      cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
      cnrm.cloud.google.com/system: "true"
  serviceName: cnrm-manager-${NAMESPACE?}
  template:
    metadata:
      annotations:
        cnrm.cloud.google.com/version: 1.106.0
      labels:
        cnrm.cloud.google.com/component: cnrm-controller-manager
        cnrm.cloud.google.com/scoped-namespace: ${NAMESPACE?}
        cnrm.cloud.google.com/system: "true"
    spec:
      containers:
      - args:
        - --scoped-namespace=${NAMESPACE?}
        - --prometheus-scrape-endpoint=:8888
        command:
        - /configconnector/manager
        image: gcr.io/cnrm-eap/controller:2b4f8d7
        imagePullPolicy: Always
        name: manager
        ports:
        - containerPort: 23232
        readinessProbe:
          httpGet:
            path: /ready
            port: 23232
          initialDelaySeconds: 7
          periodSeconds: 3
        resources:
          limits:
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 512Mi
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          runAsNonRoot: true
          runAsUser: 1000
      enableServiceLinks: false
      serviceAccountName: cnrm-controller-manager-${NAMESPACE?}
      terminationGracePeriodSeconds: 10