apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/name: {{ template "pomerium.proxy.name" . }}
    helm.sh/chart: {{ template "pomerium.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: proxy
  name: {{ template "pomerium.proxy.fullname" . }}
{{- if or .Values.proxy.deployment.annotations .Values.annotations }}
  annotations:
  {{- if .Values.proxy.deployment.annotations }}
    {{- range $key, $value := .Values.proxy.deployment.annotations }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- else if .Values.annotations }}
    {{- range $key, $value := .Values.annotations }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
  {{- end }}
{{- end }}
spec:
  {{- if (ne .Values.proxy.autoscaling.enabled true) }}
  replicas: {{ default .Values.replicaCount .Values.proxy.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ template "pomerium.proxy.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
  template:
    metadata:
      annotations:
        checksum: {{ include "pomerium.static.checksum" . }}
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
{{- if .Values.proxy.deployment.podAnnotations }}
{{ toYaml .Values.proxy.deployment.podAnnotations | indent 8 }}
{{- end }}
      labels:
        app.kubernetes.io/name: {{ template "pomerium.proxy.name" . }}
        helm.sh/chart: {{ template "pomerium.chart" . }}
        app.kubernetes.io/managed-by: {{ .Release.Service }}
        app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
    spec:
{{- if .Values.priorityClassName }}
      priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
      containers:
      - name: {{ .Chart.Name }}
        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        args:
          - --config=/etc/pomerium/config.yaml
{{- range $key, $value := .Values.extraArgs }}
{{- if $value }}
          - --{{ $key }}={{ $value }}
{{- else }}
          - --{{ $key }}
{{- end }}
{{- end }}
        env:
        - name: INSECURE_SERVER
          value: "{{ ternary "true" "false" (eq (include "pomerium.proxy.insecure" .) "true") }}"
{{- if and (not (include "pomerium.proxy.insecure" .)) .Values.proxy.redirectServer }}
        - name: HTTP_REDIRECT_ADDR
          value: :80
{{- end }}
        - name: ADDRESS
          value: {{ printf ":%s" (include "pomerium.proxy.trafficPort.number" . ) }}
{{- if or ( and .Values.proxy.tls.cert .Values.proxy.tls.key ) .Values.proxy.existingTLSSecret }}
{{- include "pomerium.tls.internal.envVars" . | indent 8 }}
{{- end }}
        - name: SERVICES
          value: proxy
        - name: SIGNING_KEY
          valueFrom:
            secretKeyRef:
              name: {{ template "pomerium.signingKeySecret.name" . }}
              key: signing-key
{{- include "pomerium.metrics.envVars" . | indent 8}}
{{- range $name, $value := .Values.extraEnv }}
        - name: {{ $name }}
          value: {{ quote $value }}
{{- end }}
{{- range $name, $value := .Values.proxy.deployment.extraEnv }}
        - name: {{ $name }}
          value: {{ quote $value }}
{{- end }}
        envFrom:
          - secretRef:
              name: {{ include "pomerium.sharedSecretName" . }}
{{- if .Values.extraEnvFrom }}
{{        toYaml .Values.extraEnvFrom | indent 10 }}
{{- end }}
        ports:
          - containerPort: {{ template "pomerium.proxy.trafficPort.number" . }}
            name: {{ template "pomerium.proxy.httpTrafficPort.scheme" . }}
            protocol: TCP
{{- if and .Values.proxy.redirectServer (not (include "pomerium.proxy.insecure" .)) }}
          - name: http
            containerPort: 80
            protocol: TCP
{{- end }}
          - containerPort: {{ .Values.metrics.port }}
            name: metrics
            protocol: TCP
        livenessProbe:
          httpGet:
            path: /ping
            port: {{ template "pomerium.proxy.httpTrafficPort.scheme" . }}
            scheme: {{ upper ( include "pomerium.proxy.httpTrafficPort.scheme" . ) }}
        readinessProbe:
          httpGet:
            path: /ping
            port: {{ template "pomerium.proxy.httpTrafficPort.scheme" . }}
            scheme: {{ upper ( include "pomerium.proxy.httpTrafficPort.scheme" . ) }}
        resources:
{{ toYaml .Values.resources | indent 10 }}
        volumeMounts:
{{ include "pomerium.volumeMounts" . | indent 10 }}
      serviceAccountName: {{ template "pomerium.proxy.serviceAccountName" . }}
      volumes:
{{ include "pomerium.volumes.shared" . | indent 8 }}
{{- $ctx := . }}
{{- $_ := set $ctx "currentServiceName" "proxy" }}
{{ include "pomerium.volumes.service" $ctx | indent 8 }}
{{- if .Values.imagePullSecrets }}
      imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
      nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.tolerations }}
      tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
      affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}