---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: external-secrets
    app.kubernetes.io/name: external-secrets-cert-controller
    app.kubernetes.io/version: v0.15.1
  name: external-secrets-cert-controller
  namespace: external-secrets
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/instance: external-secrets
      app.kubernetes.io/name: external-secrets-cert-controller
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: external-secrets
        app.kubernetes.io/name: external-secrets-cert-controller
        app.kubernetes.io/version: v0.15.1
    spec:
      automountServiceAccountToken: true
      containers:
        - args:
            - certcontroller
            - --crd-requeue-interval=5m
            - --service-name=external-secrets-webhook
            - --service-namespace=external-secrets
            - --secret-name=external-secrets-webhook
            - --secret-namespace=external-secrets
            - --metrics-addr=:8080
            - --healthz-addr=:8081
            - --loglevel=info
            - --zap-time-encoding=epoch
            - --enable-partial-cache=true
          image: oci.external-secrets.io/external-secrets/external-secrets:v0.15.1
          imagePullPolicy: IfNotPresent
          name: cert-controller
          ports:
            - containerPort: 8080
              name: metrics
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
            initialDelaySeconds: 20
            periodSeconds: 5
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
      hostNetwork: false
      serviceAccountName: external-secrets-cert-controller