apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubelet-csr-approver
  namespace: kube-system
spec:
  replicas: 2
  selector:
    matchLabels:
      app: kubelet-csr-approver

  template:
    metadata:
      annotations:
        prometheus.io/port: '8080'
        prometheus.io/scrape: 'true'
      labels:
        app: kubelet-csr-approver

    spec:
      serviceAccountName: kubelet-csr-approver
      containers:
        - name: kubelet-csr-approver
          image: postfinance/kubelet-csr-approver:latest
          resources:
            limits:
              memory: "128Mi"
              cpu: "500m"

          args:
            - -metrics-bind-address
            - ":8080"
            - -health-probe-bind-address
            - ":8081"
            - -leader-election

          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081

          env:
            - name: PROVIDER_REGEX
              value: ^[abcdef]\.test\.ch$
            - name: PROVIDER_IP_PREFIXES
              value: "0.0.0.0/0,::/0"
            - name: MAX_EXPIRATION_SEC
              value: "31622400" # 366 days

      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
          operator: Equal