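# services/maintenance/metis-sentinel-daemonset.yaml
#
# DaemonSet that schedules one metis-sentinel pod on each Linux worker node.
# The container gets the node's root filesystem mounted read-only at /host
# and a scratch emptyDir at /var/run/metis-sentinel.
#
# Layout note: the manifest was collapsed onto a single line starting with
# "#", which a YAML parser reads as one comment and no document at all. The
# structure below restores the original keys and values unchanged.
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: metis-sentinel
  namespace: maintenance
spec:
  selector:
    matchLabels:
      app: metis-sentinel
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: metis-sentinel
      annotations:
        # Annotation values must be strings, hence the quotes.
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
    spec:
      # The RBAC bound to this ServiceAccount is not visible in this file.
      # NOTE(review): the token is auto-mounted by default; if the sentinel
      # never calls the Kubernetes API, set
      # `automountServiceAccountToken: false` here.
      serviceAccountName: metis
      nodeSelector:
        kubernetes.io/os: linux
        node-role.kubernetes.io/worker: "true"
      containers:
        - name: metis-sentinel
          # NOTE(review): `:latest` with `imagePullPolicy: Always` means every
          # pod restart can run different, unreviewed bits on every node.
          # For a root container that sees the host filesystem, pin to an
          # immutable digest, e.g.
          #   registry.bstein.dev/bstein/metis-sentinel@sha256:<DIGEST>
          # (<DIGEST> is a placeholder; take it from the release pipeline.)
          image: registry.bstein.dev/bstein/metis-sentinel:latest
          imagePullPolicy: Always
          envFrom:
            - configMapRef:
                name: metis
          env:
            # Downward API: exposes the name of the node the pod runs on.
            - name: METIS_SENTINEL_NODE
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          ports:
            # Same port that the prometheus.io/port annotation advertises.
            - name: http
              containerPort: 8080
          volumeMounts:
            # Whole host filesystem, read-only. NOTE(review): a read-only
            # bind mount is not recursive; where the cluster supports it,
            # `recursiveReadOnly: Enabled` also covers submounts.
            - name: host-root
              mountPath: /host
              readOnly: true
            # Writable scratch space; presumably where results are written.
            - name: sentinel-output
              mountPath: /var/run/metis-sentinel
          resources:
            requests:
              cpu: 25m
              memory: 64Mi
            limits:
              cpu: 250m
              memory: 256Mi
          securityContext:
            allowPrivilegeEscalation: false
            # NOTE(review): dropping ALL capabilities removes the DAC
            # overrides, but UID 0 still passes the ordinary owner check on
            # root-owned files. Everything root can read on the node
            # (kubelet credentials, other pods' mounted secrets, host key
            # material) is therefore readable under /host. Treat this
            # workload as node-privileged for threat modelling, and prefer
            # narrower hostPath mounts if only a few paths are needed.
            runAsUser: 0
            capabilities:
              drop: ["ALL"]
            # NOTE(review): no seccompProfile or readOnlyRootFilesystem is
            # set. Consider `seccompProfile: {type: RuntimeDefault}` and
            # `readOnlyRootFilesystem: true` once it is confirmed that the
            # process only writes to /var/run/metis-sentinel.
      volumes:
        # hostPath "/" is what the "restricted" and "baseline" Pod Security
        # Standards reject; the `maintenance` namespace must allow it.
        - name: host-root
          hostPath:
            path: /
        - name: sentinel-output
          emptyDir: {}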