apiVersion: v1
kind: Pod
metadata:
  name: security-scan-runner-{{ .Release.Name }}
  {{- if ne .Values.owner "" }}
  annotations:
    field.cattle.io/clusterScanOwner: "{{ .Values.owner }}"
  {{- end }}
  labels:
    app.kubernetes.io/name: {{ include "rancher-cis-benchmark.name" . }}
    helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    run: sonobuoy-master
spec:
  serviceAccountName: s-sa-{{ .Release.Name }}
  volumes:
    - configMap:
        name: s-config-cm-{{ .Release.Name }}
      name: s-config-volume
    - configMap:
        name: s-plugins-cm-{{ .Release.Name }}
      name: s-plugins-volume
    - emptyDir: {}
      name: output-volume
    {{- if ne .Values.skipConfigMapName "" }}
    - configMap:
        name: {{ .Values.skipConfigMapName }}
      name: s-skip-info-volume
    {{- end }}
  containers:
    - name: {{ .Chart.Name }}
      restartPolicy: Never
      env:
        {{- if .Values.overrideBenchmarkVersion }}
        - name: OVERRIDE_BENCHMARK_VERSION
          value: {{ .Values.overrideBenchmarkVersion }}
        {{- end }}
        - name: SONOBUOY_NS
          value: {{ .Release.Namespace }}
        - name: SONOBUOY_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: SONOBUOY_ADVERTISE_IP
          value: {{ include "rancher-cis-benchmark.fullname" . }}
        {{- if ne .Values.owner "" }}
        - name: OUTPUT_CONFIGMAPNAME
          value: {{ .Release.Name }}
        {{- end }}
        {{- if .Values.debugMaster }}
        - name: DEBUG
          value: "true"
        - name: DEBUG_TIME_IN_SEC
          value: {{ .Values.debugTime }}
        {{- end }}
      image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
      imagePullPolicy: {{ .Values.image.pullPolicy }}
      ports:
        - containerPort: 8080
          protocol: TCP
      volumeMounts:
        - mountPath: /etc/sonobuoy
          name: s-config-volume
        - mountPath: /plugins.d
          name: s-plugins-volume
        - mountPath: /tmp/sonobuoy
          name: output-volume
        {{- if ne .Values.skipConfigMapName "" }}
        - mountPath: /etc/kbs
          name: s-skip-info-volume
        {{- end }}
      resources:
        {{- toYaml .Values.resources | nindent 12 }}
  {{- with .Values.nodeSelector }}
  nodeSelector:
    {{- toYaml . | nindent 8 }}
  {{- end }}
{{- with .Values.affinity }}
  affinity:
    {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
  tolerations:
    {{- toYaml . | nindent 8 }}
{{- end }}