{{- $fullName := include "wg-access-server.fullname" . -}}
{{ $secretName := $fullName }}
{{- if .Values.config.existingSecret -}}
{{ $secretName = .Values.config.existingSecret }}
{{ end -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "wg-access-server.fullname" . }}
  labels:
    {{- include "wg-access-server.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicas }}
  strategy:
    {{- if .Values.persistence.enabled  }}
    type: {{ .Values.strategy.type | default "Recreate" | quote }}
    {{- else }}
    type: {{ .Values.strategy.type | default "RollingUpdate" | quote }}
    {{- end }}
  selector:
    matchLabels:
      {{- include "wg-access-server.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      annotations:
        checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
      labels:
        {{- include "wg-access-server.selectorLabels" . | nindent 8 }}
    spec:
    {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
    {{- end }}
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            capabilities:
              add: ['NET_ADMIN']
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
            - name: wireguard
              containerPort: 51820
              protocol: UDP
          env:
            {{- if .Values.wireguard.config.privateKey }}
            - name: WG_WIREGUARD_PRIVATE_KEY
              valueFrom:
                secretKeyRef:
                  name: "{{ $secretName }}"
                  key: privateKey
            {{- end }}
            {{- if .Values.web.config.adminUsername }}
            - name: WG_ADMIN_USERNAME
              valueFrom:
                secretKeyRef:
                  name: "{{ $secretName }}"
                  key: adminUsername
            {{- end}}
            {{- if .Values.web.config.adminPassword }}
            - name: WG_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "{{ $secretName }}"
                  key: adminPassword
            {{- end}}
          volumeMounts:
            - name: tun
              mountPath: /dev/net/tun
            - name: data
              mountPath: /data
            {{- if .Values.config.csiSecretsStore }}
            - name: config
              mountPath: /config.yaml
            {{- else }}
            - name: config
              mountPath: /config.yaml
              subPath: config.yaml
            {{- end}}
          readinessProbe:
            httpGet:
              path: /
              port: http
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
      volumes:
        - name: tun
          hostPath:
            type: 'CharDevice'
            path: /dev/net/tun
        - name: data
        {{- if .Values.persistence.enabled }}
          persistentVolumeClaim:
            claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ $fullName }}{{- end }}
        {{- end }}
        {{- if not .Values.persistence.enabled }}
          emptyDir: {}
        {{- end }}
        {{- if .Values.config.csiSecretsStore }}
        - name: config
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: app-secrets
        {{- else }}
        - name: config
          configMap:
            name: "{{ $fullName }}"
        {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
    {{- end }}
    {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
    {{- end }}