apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "defguard.fullname" . }}
  labels:
    {{- include "defguard.labels" . | nindent 4 }}
spec:
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "defguard.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "defguard.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "defguard.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}
          env:
            - name: DEFGUARD_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.postgresql.auth.existingSecret }}
                  key: {{ .Values.postgresql.auth.existingSecretPasswordKey | default "password" }}
            - name: DEFGUARD_AUTH_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.existingJwtSecret | default (include "defguard.jwtSecretName" .) }}
                  key: auth
            - name: DEFGUARD_GATEWAY_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.existingJwtSecret | default (include "defguard.jwtSecretName" .) }}
                  key: gateway
            - name: DEFGUARD_YUBIBRIDGE_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.existingJwtSecret | default (include "defguard.jwtSecretName" .) }}
                  key: yubi-bridge
            - name: DEFGUARD_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.existingJwtSecret | default (include "defguard.jwtSecretName" .) }}
                  key: secret-key
            - name: DEFGUARD_OPENID_KEY
              value: "/etc/defguard-openid-key.pem"
          envFrom:
            - configMapRef:
                name: {{ include "defguard.fullname" . }}-config
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
            - name: grpc
              containerPort: 50055
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /api/v1/health
              port: http
          readinessProbe:
            httpGet:
              path: /api/v1/health
              port: http
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
            - name: openid-key
              mountPath: "/etc/defguard-openid-key.pem"
              readOnly: true
              subPath: openid-key
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      volumes:
        - name: openid-key
          secret:
            secretName: {{ .Values.existingOpenIdSecret | default (include "defguard.openidSecretName" .) }}
            optional: false