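{{- if .Values.epinioUI.enabled }}
---
# Deployment for the Epinio UI. The whole manifest is rendered only when
# epinioUI.enabled is set in the chart values.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: epinio-ui
  # Namespace and release name are quoted so that an all-digit value (for
  # example a release called "123") stays a YAML string instead of turning
  # into an integer that the API server rejects.
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: epinio-ui
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: epinio-ui
      app.kubernetes.io/instance: {{ .Release.Name | quote }}
  template:
    metadata:
      labels:
        app.kubernetes.io/name: epinio-ui
        app.kubernetes.io/instance: {{ .Release.Name | quote }}
    spec:
      nodeSelector:
        {{- include "linux-node-selector" . | nindent 8 }}
      tolerations:
        {{- include "linux-node-tolerations" . | nindent 8 }}
      # serviceAccountName is set only when the cluster still serves the
      # policy/v1beta1 PodSecurityPolicy API and global.rbac.pspEnabled is true.
      # In every other case the pod runs under the namespace's default service
      # account, and because automountServiceAccountToken is not set here that
      # account's token is mounted into the pod.
      # NOTE(review): if the UI never calls the Kubernetes API, consider
      # disabling the token automount; confirm against the UI backend first.
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
{{- if .Values.global.rbac.pspEnabled }}
      serviceAccountName: epinio-ui
{{- end }}
{{- end }}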
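      # Single container running the Epinio UI backend.
      # NOTE(review): the image is referenced by tag; pinning by digest would
      # make the deployed artifact immutable, if the chart values allow it.
      containers:
      - name: epinio-ui
        {{ $epinioUiImage := index .Values "image" "epinio-ui" -}}
        image: "{{ default $epinioUiImage.registry (include "registry-url" .) }}{{ $epinioUiImage.repository }}:{{ $epinioUiImage.tag }}"
        imagePullPolicy: {{ .Values.epinioUI.imagePullPolicy }}
        workingDir: /db

        env:
        # All templated values are passed through quote. An unquoted value
        # supplied through the chart values (for example "*", a string with
        # ": " or " #", or something that looks like a number or boolean) would
        # otherwise be re-parsed as YAML syntax or a non-string type.
        - name: ALLOWED_ORIGINS
          value: {{ (default (printf "https://epinio.%s" .Values.global.domain) .Values.epinioUI.allowedOrigins) | quote }}
        # The API and websocket defaults use plain http/ws to the epinio-server
        # service inside the cluster. Set epinioUI.apiURL and epinioUI.wssURL to
        # https/wss endpoints where in-cluster traffic must be encrypted.
        - name: EPINIO_API_URL
          value: {{ (default (printf "http://epinio-server.%s.svc.cluster.local" .Release.Namespace) .Values.epinioUI.apiURL) | quote }}
        - name: EPINIO_WSS_URL
          value: {{ (default (printf "ws://epinio-server.%s.svc.cluster.local" .Release.Namespace) .Values.epinioUI.wssURL) | quote }}
        - name: EPINIO_UI_URL
          value: {{ (default (printf "https://epinio.%s" .Values.global.domain) .Values.epinioUI.uiURL) | quote }}
        # Defaults to "false".
        # NOTE(review): presumably turns off certificate verification towards
        # the API when "true"; keep it off outside test clusters. Confirm.
        - name: EPINIO_API_SKIP_SSL
          value: {{ (default "false" .Values.epinioUI.apiSkipSSL) | quote }}
        - name: EPINIO_THEME
          value: {{ (default "light" .Values.epinioUI.theme) | quote }}
        {{- if .Values.global.dex.enabled }}
        # Dex settings are rendered only when global.dex.enabled is set. The
        # default auth URL is plain http to the in-cluster dex service on port
        # 5556, while the issuer is the public https://auth.<domain> URL.
        - name: EPINIO_DEX_AUTH_URL
          value: {{ (default (printf "http://dex.%s.svc.cluster.local:5556" .Release.Namespace) .Values.epinioUI.dexURL) | quote }}
        - name: EPINIO_DEX_ISSUER
          value: {{ printf "https://auth.%s" .Values.global.domain | quote }}
        - name: EPINIO_DEX_ENABLED
          value: "true"
        # The client secret is read from the dex-config Secret, not inlined.
        - name: EPINIO_DEX_SECRET
          valueFrom:
            secretKeyRef:
              name: dex-config
              key: uiClientSecret
        {{- end }}
        - name: HTTP_CLIENT_TIMEOUT_IN_SECS
          value: "120"
        # Session secret and encryption key both come from the epinio-ui Secret.
        - name: SESSION_STORE_SECRET
          valueFrom:
            secretKeyRef:
              name: epinio-ui
              key: sessionSecret
        - name: SESSION_STORE_EXPIRY
          value: "1440"
        - name: UI_PATH
          value: "/ui"
        - name: AUTH_ENDPOINT_TYPE
          value: epinio
        - name: ENCRYPTION_KEY
          valueFrom:
            secretKeyRef:
              name: epinio-ui
              key: encryptionKey

        - name: DATABASE_PROVIDER
          value: sqlite
        # NOTE(review): HTTPS is "false", so the listener on 0.0.0.0:8000
        # presumably serves plain HTTP and relies on TLS being terminated in
        # front of the pod. Confirm against the ingress/service definition.
        - name: HTTPS
          value: "false"
        - name: CONSOLE_PROXY_TLS_ADDRESS
          value: "0.0.0.0:8000"
        - name: LOG_LEVEL
          value: {{ .Values.epinioUI.logLevel | quote }}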
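        # The root filesystem is read-only (see securityContext), so /tmp and
        # /db are the only writable mounts declared for this container.
        volumeMounts:
          - name: tmp
            mountPath: /tmp
            readOnly: false
          - name: db
            mountPath: /db
            readOnly: false

        # Runs as non-root UID 1000 with privilege escalation disabled and a
        # read-only root filesystem. All Linux capabilities are dropped as well:
        # a non-root process that cannot escalate holds none it could use, so
        # this only removes them from the bounding set.
        # NOTE(review): no seccompProfile is set. RuntimeDefault is worth adding
        # once the minimum supported Kubernetes version is confirmed.
        securityContext:
          runAsUser: 1000
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
              - ALL
        # Both probes only check that TCP port 8000 accepts connections. They
        # do not make an application-level request.
        livenessProbe:
          tcpSocket:
            port: 8000
          initialDelaySeconds: 15
          periodSeconds: 20
        readinessProbe:
          tcpSocket:
            port: 8000
          initialDelaySeconds: 5
          periodSeconds: 5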
      # Both volumes are emptyDir, so their contents last only as long as the
      # pod does and are not shared with any other pod.
      # NOTE(review): with DATABASE_PROVIDER set to sqlite and workingDir /db,
      # the UI database presumably lives on the "db" volume and is lost when
      # the pod is rescheduled. Confirm that this is intended.
      # NOTE(review): neither emptyDir sets a sizeLimit, so writes to /tmp or
      # /db are bounded only by node-level ephemeral-storage limits.
      volumes:
        - name: tmp
          emptyDir: {}
        - name: db
          emptyDir: {}

{{- end }}