apiVersion: v1
kind: Namespace
metadata:
  name: nginx-cluster-connector
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-cluster-connector
  namespace: nginx-cluster-connector
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nginx-cluster-connector
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
      - list
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - update
      - create
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nginx-cluster-connector
subjects:
  - kind: ServiceAccount
    name: nginx-cluster-connector
    namespace: nginx-cluster-connector
roleRef:
  kind: ClusterRole
  name: nginx-cluster-connector
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-cluster-connector
  namespace: nginx-cluster-connector
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-cluster-connector
  template:
    metadata:
      labels:
        app: nginx-cluster-connector
    spec:
      serviceAccountName: nginx-cluster-connector
      automountServiceAccountToken: true
      containers:
        - image: docker-registry.nginx.com/cluster-connector/cluster-connector:0.1.0
          imagePullPolicy: IfNotPresent
          name: nginx-cluster-connector
          resources:
            requests:
              cpu: "100m"
              memory: "128Mi"
            #limits:
            #  cpu: "1"
            #  memory: "1Gi"
          securityContext:
            runAsUser: 101 #nginx
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          args:
            - -nms-server-address=https://apigw.nms.svc.cluster.local:443/api/platform/v1
            - -nms-basic-auth-secret=nginx-cluster-connector/nms-basic-auth
#          - -cluster-display-name=my-cluster
#          - -v=3
#          - -skip-tls-verify
#          - -min-update-interval=24h