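# Deployment for bascule: one container serving the port named "ssh" (2222),
# plus an optional "shell" sidecar enabled by .Values.shell.enabled.
# Label and name helpers ("bascule.*") are defined outside this template.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "bascule.fullname" . }}
  labels:
    {{- include "bascule.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      {{- include "bascule.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "bascule.selectorLabels" . | nindent 8 }}
    spec:
      # NOTE(review): the pod runs under this service account and its token is
      # mounted by default; keep the bound Role limited to what bascule needs.
      serviceAccountName: {{ include "bascule.serviceAccountName" . }}
      containers:
        # NOTE(review): unlike the shell sidecar, this network-facing container
        # sets no securityContext (allowPrivilegeEscalation, dropped
        # capabilities, runAsNonRoot, readOnlyRootFilesystem). Confirm what the
        # image requires and harden accordingly.
        - name: bascule
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - name: ssh
              containerPort: 2222
              protocol: TCP
          env:
            - name: BASCULE_CONFIG
              value: /etc/bascule/config.toml
            # Downward API: the pod's own name and namespace.
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # NOTE(review): set even when .Values.shell.enabled is false, in
            # which case no container named "shell" exists in this pod.
            # Confirm how bascule handles that.
            - name: BASCULE_SHELL_CONTAINER
              value: shell
            # extraEnv supports only name/value pairs, which end up in the pod
            # spec in clear text; do not pass secrets this way. Both fields are
            # quoted so names or values such as "on" or "1.10" stay strings.
            {{- range .Values.extraEnv }}
            - name: {{ .name | quote }}
              value: {{ .value | quote }}
            {{- end }}
          volumeMounts:
            - name: config
              mountPath: /etc/bascule
              readOnly: true
            {{- if .Values.hostKey.persistence }}
            # Writable on purpose (no readOnly).
            - name: hostkey
              mountPath: /var/lib/bascule
            {{- end }}
            {{- if .Values.auth.authorizedKeysSecret }}
            - name: authorized-keys
              mountPath: /etc/bascule/keys
              readOnly: true
            {{- end }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          # TCP-connect probes against the named port "ssh"; they check that
          # the listener accepts connections, not that authentication works.
          livenessProbe:
            tcpSocket:
              port: ssh
            initialDelaySeconds: 5
            periodSeconds: 30
          readinessProbe:
            tcpSocket:
              port: ssh
            initialDelaySeconds: 3
            periodSeconds: 10
        {{- if .Values.shell.enabled }}
        # Sidecar that only sleeps; it exposes no ports and mounts no volumes.
        - name: shell
          image: "{{ .Values.shell.image.repository }}:{{ .Values.shell.image.tag }}"
          imagePullPolicy: {{ .Values.shell.image.pullPolicy }}
          command: ["sleep", "infinity"]
          resources:
            {{- toYaml .Values.shell.resources | nindent 12 }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
              # NOTE(review): SETUID/SETGID let a root process in this
              # container switch to any uid/gid. Presumably needed to drop to a
              # session user; confirm, and remove if not.
              add: ["SETUID", "SETGID"]
        {{- end }}
      volumes:
        - name: config
          configMap:
            name: {{ include "bascule.fullname" . }}-config
        {{- if .Values.hostKey.persistence }}
        # NOTE(review): an emptyDir is deleted with the pod, so despite the
        # "persistence" switch anything written to /var/lib/bascule is lost on
        # reschedule and is not shared between replicas. If the SSH host key
        # lives there, clients will see it change, which weakens host-key
        # verification. A PersistentVolumeClaim or a Secret-backed key would
        # avoid that.
        - name: hostkey
          emptyDir: {}
        {{- end }}
        {{- if .Values.auth.authorizedKeysSecret }}
        - name: authorized-keys
          secret:
            secretName: {{ .Values.auth.authorizedKeysSecret | quote }}
            # Octal 0600 (owner read/write only). defaultMode is an integer
            # field, so this must stay an unquoted number.
            defaultMode: 0600
        {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}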