---
apiVersion: v1
kind: Namespace
metadata:
  name: ambassador
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ambassador-operator
  namespace: ambassador
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ambassador-operator
  namespace: ambassador
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - services/finalizers
      - endpoints
      - persistentvolumeclaims
      - events
      - configmaps
      - secrets
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
      - customresourcedefinitions
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
    verbs:
      - get
      - create
  - apiGroups:
      - apps
    resourceNames:
      - ambassador-operator
    resources:
      - deployments/finalizers
    verbs:
      - update
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
  - apiGroups:
      - apps
    resources:
      - replicasets
      - deployments
    verbs:
      - get
  - apiGroups:
      - getambassador.io
    resources:
      - '*'
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ambassador-operator-cluster
  namespace: ambassador
rules:
  - apiGroups: ['*']
    resources: ['*']
    verbs: ['*']
  - nonResourceURLs: ['*']
    verbs: ['*']
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ambassador-operator
  namespace: ambassador
subjects:
  - kind: ServiceAccount
    name: ambassador-operator
roleRef:
  kind: Role
  name: ambassador-operator
  apiGroup: rbac.authorization.k8s.io

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ambassador-operator-cluster
  namespace: ambassador
subjects:
  - kind: ServiceAccount
    name: ambassador-operator
    namespace: ambassador
roleRef:
  kind: ClusterRole
  name: ambassador-operator-cluster
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: static-helm-values
  namespace: ambassador
data:
  values.yaml: |+
    deploymentTool: amb-oper-manifest
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ambassador-operator
  namespace: ambassador
  labels:
    getambassador.io/installer: operator
spec:
  replicas: 1
  selector:
    matchLabels:
      name: ambassador-operator
  template:
    metadata:
      labels:
        name: ambassador-operator
        getambassador.io/installer: operator
    spec:
      serviceAccountName: ambassador-operator
      containers:
        - name: ambassador-operator
          # Replace this with the built image name
          image: quay.io/datawire/ambassador-operator:v1.2.3
          command:
          - ambassador-operator
          imagePullPolicy: Always
          env:
            - name: WATCH_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: OPERATOR_NAME
              value: "ambassador-operator"
          volumeMounts:
            - name: static-helm-values
              mountPath: /tmp/helm
      volumes:
        - name: static-helm-values
          configMap:
            name: static-helm-values