# This patch configures the controller manager to expose metrics securely
# using controller-runtime's built-in authentication and authorization.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
spec:
  template:
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                - key: kubernetes.io/arch
                  operator: In
                  values:
                    - amd64
                    - arm64
                    - ppc64le
                    - s390x
                - key: kubernetes.io/os
                  operator: In
                  values:
                    - linux
      containers:
      - name: manager
        args:
        - "--health-probe-bind-address=:8081"
        - "--metrics-bind-address=:8443"
        - "--metrics-secure"
        - "--leader-elect"
        ports:
        - containerPort: 8443
          protocol: TCP
          name: https