{{/*
Copyright 2019 HAProxy Technologies LLC

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}

{{- if eq .Values.controller.kind "Deployment" }}
{{- $useHostNetwork := .Values.controller.deployment.useHostNetwork -}}
{{- $useHostPort := .Values.controller.deployment.useHostPort -}}
{{- $hostPorts := .Values.controller.deployment.hostPorts -}}
{{- $hostIP := .Values.controller.deployment.hostIP -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "kubernetes-ingress.fullname" . }}
  namespace: {{ include "kubernetes-ingress.namespace" . }}
  {{- with .Values.controller.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    {{- include "kubernetes-ingress.labels" . | nindent 4 }}
    {{- if .Values.controller.extraLabels }}
{{ toYaml .Values.controller.extraLabels | indent 4 }}
    {{- end }}
spec:
  {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }}
  replicas: {{ .Values.controller.replicaCount }}
  {{- end }}
  minReadySeconds: {{ .Values.controller.minReadySeconds }}
  selector:
    matchLabels:
      {{- include "kubernetes-ingress.selectorLabels" . | nindent 6 }}
  {{- with .Values.controller.strategy }}
  strategy:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  template:
    metadata:
      labels:
        {{- include "kubernetes-ingress.selectorLabels" . | nindent 8 }}
        {{- if .Values.controller.podLabels }}
{{ toYaml .Values.controller.podLabels | indent 8 }}
        {{- end }}
      {{- if .Values.controller.podAnnotations }}
      annotations:
{{- if eq "string" (printf "%T" .Values.controller.podAnnotations) }}
{{ tpl .Values.controller.podAnnotations . | indent 8 }}
{{- else }}
{{ toYaml .Values.controller.podAnnotations | indent 8 }}
{{- end }}
      {{- end }}
    spec:
      enableServiceLinks: {{ .Values.controller.enableServiceLinks }}
      serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }}
{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }}
      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
      terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
      {{- if $useHostNetwork }}
      hostNetwork: true
      {{- end }}
{{- with .Values.controller.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.controller.dnsConfig }}
      dnsConfig:
{{ toYaml .Values.controller.dnsConfig | indent 8 }}
{{- end }}
      dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- if .Values.controller.imageCredentials.registry }}
      imagePullSecrets:
      - name: {{ include "kubernetes-ingress.fullname" . }}
{{- else if .Values.controller.existingImagePullSecret }}
      imagePullSecrets:
      - name: {{ .Values.controller.existingImagePullSecret }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
      priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
{{- if .Values.controller.runtimeClassName }}
      runtimeClassName: {{ .Values.controller.runtimeClassName }}
{{- end }}
{{- if or .Values.controller.unprivileged (gt (len (.Values.controller.sysctls | default dict)) 0) }}
      securityContext:
{{- if .Values.controller.unprivileged }}
        runAsNonRoot: true
        runAsUser:  1000
        runAsGroup: 1000
{{- end }}
{{ include "kubernetes-ingress.controller.sysctls" . | nindent 8 }}
{{- end }}
      containers:
        - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }}
          image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
          args:
{{- if .Values.controller.defaultTLSSecret.enabled -}}
{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }}
          - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }}
{{- else }}
          - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }}
{{- end }}
{{- end }}
          - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }}
          - --http-bind-port={{ .Values.controller.containerPort.http }}
          - --https-bind-port={{ .Values.controller.containerPort.https }}
{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
          - --quic-bind-port={{ .Values.controller.containerPort.https }}
          - --quic-announce-port={{ .Values.controller.service.ports.https }}
{{- end }}
{{- if .Values.controller.ingressClass }}
          - --ingress.class={{ .Values.controller.ingressClass }}
{{- end }}
{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }}
          - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }}
{{- end }}
{{- if .Values.controller.publishService.enabled }}
          - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }}
{{- end }}
{{- if .Values.controller.logging.level }}
          - --log={{ .Values.controller.logging.level }}
{{- end }}
{{- if .Values.controller.service.enablePorts.admin }}
          - --prometheus
          - --pprof
{{- end }}
{{- if eq .Values.controller.sync.mode "fetch" }}
  {{- if .Values.controller.sync.fetchParams.period }}
          - --proxy-k8s-fetch-period={{ .Values.controller.sync.fetchParams.period }}
  {{- end }}
  {{- if eq .Values.controller.sync.fetchParams.source "k8s" }}
          - --k8s-api-sync-type=k8s
  {{- else if eq .Values.controller.sync.fetchParams.source "proxy" }}
          - --k8s-api-sync-type=proxy
          - --proxy-svc-label-selector={{ .Values.controller.sync.proxyParams.proxySvcLabelSelector }}
  {{- end }}
{{- end }}
{{- range .Values.controller.extraArgs }}
          - {{ . }}
{{- end }}
          {{- if .Values.controller.unprivileged }}
          securityContext:
            runAsNonRoot: true
            runAsUser:  1000
            runAsGroup: 1000
            allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }}
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }}
            seccompProfile:
              type: RuntimeDefault
            {{- end }}
          {{- end }}
          ports:
          {{- range $key, $value := .Values.controller.containerPort }}
            - name: {{ $key }}
              containerPort: {{ $value }}
              protocol: TCP
              {{- if and $useHostPort (index $hostPorts $key) }}
              hostPort: {{ index $hostPorts $key }}
              {{- end }}
              {{- if $hostIP }}
              hostIP: {{ $hostIP }}
              {{- end }}
          {{- end }}
          {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }}
            - name: quic
              containerPort: {{ .Values.controller.containerPort.https }}
              protocol: UDP
              {{- if $useHostPort }}
              hostPort: {{ .Values.controller.deployment.hostPorts.https }}
              {{- end }}
              {{- if $hostIP }}
              hostIP: {{ $hostIP }}
              {{- end }}
          {{- end }}
          {{- range .Values.controller.service.tcpPorts }}
            - name: {{ .name | trunc 15 | trimSuffix "-" }}
              containerPort: {{ .targetPort }}
              protocol: TCP
              {{- if $useHostPort }}
              hostPort: {{ .port }}
              {{- end }}
              {{- if $hostIP }}
              hostIP: {{ $hostIP }}
              {{- end }}
          {{- end }}
          {{- with .Values.controller.livenessProbe }}
          livenessProbe:
            {{- toYaml . | trim | nindent 12 }}
          {{- end }}
          {{- with .Values.controller.readinessProbe }}
          readinessProbe:
            {{- toYaml . | trim | nindent 12 }}
          {{- end }}
          {{- with .Values.controller.startupProbe }}
          startupProbe:
            {{- toYaml . | trim | nindent 12 }}
          {{- end }}
          env:
          {{- if .Values.aws.licenseConfigSecretName }}
          - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
            value: "/var/run/secrets/product-license/license_token"
          - name: AWS_ROLE_ARN
            valueFrom:
              secretKeyRef:
                name: {{ .Values.aws.licenseConfigSecretName }}
                key: iam_role
          {{- end }}
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: POD_IP
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
          {{- if .Values.controller.extraEnvs -}}
          {{- toYaml .Values.controller.extraEnvs | nindent 10 }}
          {{- end }}
          {{- with .Values.controller.extraEnvFrom }}
          envFrom:
            {{- toYaml . | trim | nindent 12 }}
          {{- end }}
          resources:
            {{- toYaml .Values.controller.resources | nindent 12 }}
          {{- if .Values.controller.lifecycle }}
          lifecycle:
            {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }}
{{ tpl .Values.controller.lifecycle . | indent 12 }}
            {{- else }}
{{ toYaml .Values.controller.lifecycle | indent 12 }}
            {{- end }}
          {{- end }}
          volumeMounts:
            - name: tmp
              mountPath: /tmp
              subPath: tmp
            - name: tmp
              mountPath: /run
              subPath: run
            {{- if .Values.aws.licenseConfigSecretName }}
            - name: aws-product-license
              readOnly: true
              mountPath: /var/run/secrets/product-license
            {{- end }}
            {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }}
{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }}
            {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }}
{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }}
            {{- end }}
        {{- if .Values.controller.extraContainers }}
          {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }}
{{ tpl .Values.controller.extraContainers . | indent 8 }}
          {{- else }}
{{ toYaml .Values.controller.extraContainers | indent 8 }}
          {{- end }}
        {{- end }}
      volumes:
        - name: tmp
          {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }}
          emptyDir:
            medium: Memory
            sizeLimit: 64Mi
          {{- else }}
          emptyDir: {}
          {{- end }}
        {{- if .Values.aws.licenseConfigSecretName }}
        - name: aws-product-license
          secret:
            secretName: {{ .Values.aws.licenseConfigSecretName }}
            optional: true
        {{- end }}
        {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }}
{{ tpl .Values.controller.extraVolumes . | indent 8 }}
        {{- else if gt (len .Values.controller.extraVolumes) 0 }}
{{ toYaml .Values.controller.extraVolumes | indent 8 }}
        {{- end }}
      {{- if .Values.controller.initContainers }}
      initContainers:
        {{- if eq "string" (printf "%T" .Values.controller.initContainers) }}
{{ tpl .Values.controller.initContainers . | indent 8 }}
        {{- else }}
{{ toYaml .Values.controller.initContainers | indent 8 }}
        {{- end }}
      {{- end }}
      {{- with .Values.controller.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    {{- with .Values.controller.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
    {{- end }}
    {{- with .Values.controller.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
    {{- end }}
{{- end }}