apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: {{.Values.operatorNamespace}}
  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
spec:
  replicas: 1
  selector:
    matchLabels:
      name: istio-operator
  template:
    metadata:
      labels:
        name: istio-operator
    spec:
      serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
      nodeSelector:
        kubernetes.io/os: linux
        node-role.kubernetes.io/master: ""
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      containers:
        - name: istio-operator
          image: {{.Values.hub}}/operator:{{.Values.tag}}
          command:
          - operator
          - server
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 1337
            runAsUser: 1337
            runAsNonRoot: true
          imagePullPolicy: IfNotPresent
          resources:
{{ toYaml .Values.operator.resources | trim | indent 12 }}
          env:
            - name: WATCH_NAMESPACE
              value: {{.Values.watchedNamespaces | quote}}
            - name: LEADER_ELECTION_NAMESPACE
              value: {{.Values.operatorNamespace | quote}}
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: OPERATOR_NAME
              value: {{.Values.operatorNamespace | quote}}
            - name: WAIT_FOR_RESOURCES_TIMEOUT
              value: {{.Values.waitForResourcesTimeout | quote}}
            - name: REVISION
              value: {{.Values.revision | quote}}
---