{{- $auth := .Values.auth | default dict }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: rancher-webhook
spec:
  selector:
    matchLabels:
      app: rancher-webhook
  template:
    metadata:
      labels:
        app: rancher-webhook
    spec:
      {{- if or .Values.capi.enabled $auth.clientCA }}
      volumes:
      {{- end }}
      {{- if .Values.capi.enabled }}
      - name: tls
        secret:
          secretName: rancher-webhook-tls
      {{- end }}
      {{- if $auth.clientCA }}
      - name: client-ca
        secret:
          secretName: client-ca
      {{- end }}
      {{- if .Values.global.hostNetwork }}
      hostNetwork: true
      {{- end }}
      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
      {{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
      {{- end }}
      tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
      {{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 6 }}
      {{- end }}
      containers:
      - env:
        - name: STAMP
          value: "{{.Values.stamp}}"
        - name: ENABLE_CAPI
          value: "{{.Values.capi.enabled}}"
        - name: ENABLE_MCM
          value: "{{.Values.mcm.enabled}}"
        - name: CATTLE_PORT
          value: {{.Values.port | default 9443 | quote}}
        - name: CATTLE_CAPI_PORT
          value: {{.Values.capi.port | default 8777 | quote}}
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        {{- if $auth.allowedCNs }}
        - name: ALLOWED_CNS
          value: '{{ join "," $auth.allowedCNs }}'
        {{- end }}
        image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
        name: rancher-webhook
        imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
        ports:
        - name: https
          containerPort: {{ .Values.port | default 9443 }}
        - name: capi-https
          containerPort: {{ .Values.capi.port | default 8777}}
        startupProbe:
          httpGet:
            path: "/healthz"
            port: "https"
            scheme: "HTTPS"
          failureThreshold: 60
          periodSeconds: 5
        livenessProbe:
          httpGet:
            path: "/healthz"
            port: "https"
            scheme: "HTTPS"
          periodSeconds: 5
        {{- if or .Values.capi.enabled $auth.clientCA }}
        volumeMounts:
        {{- end }}
        {{- if .Values.capi.enabled }}
        - name: tls
          mountPath: /tmp/k8s-webhook-server/serving-certs
          readOnly: true
        {{- end }}
        {{- if $auth.clientCA }}
        - name: client-ca
          mountPath: /tmp/k8s-webhook-server/client-ca
          readOnly: true
        {{- end }}
        {{- if .Values.capNetBindService }}
        securityContext:
          capabilities:
            add:
            - NET_BIND_SERVICE
        {{- end }}
      serviceAccountName: rancher-webhook
      {{- if .Values.priorityClassName }}
      priorityClassName: "{{.Values.priorityClassName}}"
      {{- end }}