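# DaemonSet for the resource-governance service: one pod per Linux node.
# An init container clones the application source into a shared emptyDir,
# and the main container installs its Python dependencies and serves it
# with uvicorn on port 8080.
#
# Supply-chain note: the code and its dependencies are fetched from the
# network at every pod start, on every node, and then run with the
# resource-governance-sa service account. Nothing here pins what is fetched
# (image tags, git revision, package hashes). Prefer a prebuilt image,
# referenced by digest, that already contains the app and its dependencies.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: resource-governance
  namespace: resource-governance
  labels:
    app.kubernetes.io/name: resource-governance
    app.kubernetes.io/component: governance
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: resource-governance
      app.kubernetes.io/component: governance
  template:
    metadata:
      labels:
        app.kubernetes.io/name: resource-governance
        app.kubernetes.io/component: governance
    spec:
      serviceAccountName: resource-governance-sa
      # Pod-wide identity: both containers run as this non-root UID, and
      # fsGroup makes the shared emptyDir group-writable for it.
      # NOTE(review): the UID looks like an OpenShift namespace-range value;
      # confirm it matches the target namespace's allowed range.
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000940000
        fsGroup: 1000940000
      initContainers:
        - name: download-app
          # Mutable tag: the image content can change between pulls.
          # Pin by digest (alpine/git@sha256:<DIGEST>) once a version is vetted.
          image: alpine/git:latest
          command: ['sh', '-c']
          args:
            - |
              # Fail the init container on the first error, so a failed clone
              # or copy cannot leave a partially populated volume behind.
              set -e
              # Clones the default branch head: whatever is pushed to this
              # repository runs in-cluster on the next pod start. Check out a
              # reviewed commit (<COMMIT_SHA>) or ship the code in the image.
              git clone https://github.com/andersonid/openshift-resource-governance.git /tmp/app
              cp -r /tmp/app/app /shared/
              cp /tmp/app/requirements.txt /shared/
          volumeMounts:
            - name: app-code
              mountPath: /shared
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
      containers:
        - name: resource-governance
          # Floating tag, re-pulled on every start (imagePullPolicy: Always).
          # Pin by digest for reproducible, reviewable rollouts.
          image: python:3.11-slim
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          command: ['sh', '-c']
          args:
            - |
              # Stop if dependency installation fails, instead of starting
              # the server against a partial environment.
              set -e
              # Installs from the package index at every start; the
              # requirements file comes from the unpinned clone above and is
              # not hash-checked (see pip's --require-hashes).
              # NOTE(review): the pod runs as a non-root UID; confirm pip has
              # a writable install location in this image.
              pip install --no-cache-dir -r /app/requirements.txt
              # exec replaces the shell so uvicorn receives SIGTERM directly
              # and can shut down cleanly on pod termination.
              exec python -m uvicorn app.main:app --host 0.0.0.0 --port 8080
          volumeMounts:
            # NOTE(review): the code volume is mounted writable; consider
            # readOnly: true if the app never writes under /app.
            - name: app-code
              mountPath: /app
          env:
            # NOTE(review): this path is the service-account token file, not
            # a kubeconfig. A client that parses KUBECONFIG as a kubeconfig
            # will fail on it, and in-cluster configuration normally finds
            # the token without this variable. Confirm how the app uses it.
            - name: KUBECONFIG
              value: "/var/run/secrets/kubernetes.io/serviceaccount/token"
            # Tunables below are read from the resource-governance-config
            # ConfigMap.
            - name: CPU_LIMIT_RATIO
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: CPU_LIMIT_RATIO
            - name: MEMORY_LIMIT_RATIO
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: MEMORY_LIMIT_RATIO
            - name: PROMETHEUS_URL
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: PROMETHEUS_URL
            - name: VPA_NAMESPACES
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: VPA_NAMESPACES
            - name: LOG_LEVEL
              valueFrom:
                configMapKeyRef:
                  name: resource-governance-config
                  key: LOG_LEVEL
          resources:
            requests:
              memory: "128Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          # The liveness delay has to cover the pip install that runs before
          # uvicorn starts listening.
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
      volumes:
        # Scratch volume shared between the init container (writer) and the
        # app container; its contents are lost when the pod is deleted.
        - name: app-code
          emptyDir: {}
      nodeSelector:
        kubernetes.io/os: linux
      # Tolerates every NoSchedule taint, so pods are also scheduled onto
      # tainted nodes (for example control-plane or dedicated nodes). Narrow
      # this to specific taint keys if that reach is not required.
      tolerations:
        - operator: Exists
          effect: NoSchedule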