---
# Scoped service account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: controller
  namespace: default
automountServiceAccountToken: true

---
# Access for the service account (cluster scoped list)
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: controller
rules:
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - get
    - watch
    - list

---
# Binding the role to the account
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: controller
subjects:
- kind: ServiceAccount
  name: controller
  namespace: default
roleRef:
  kind: ClusterRole
  name: controller
  apiGroup: rbac.authorization.k8s.io

---
# Expose the http port of the service
apiVersion: v1
kind: Service
metadata:
  name: controller
  namespace: default
  labels:
    app: controller
spec:
  ports:
  - port: 80
    targetPort: 8000
    protocol: TCP
    name: http
  selector:
    app: controller

---
# Main deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller
  namespace: default
  labels:
    app: controller
spec:
  replicas: 1
  selector:
    matchLabels:
      app: controller
  template:
    metadata:
      labels:
        app: controller
    spec:
      serviceAccountName: controller
      containers:
      - name: controller
        image: ghcr.io/kube-rs/version-rs:1.16.2
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            cpu: 100m
            memory: 128Mi
          requests:
            cpu: 50m
            memory: 100Mi
        ports:
        - name: http
          containerPort: 8000
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /health
            port: http
          initialDelaySeconds: 5
          periodSeconds: 5