{{- if .Values.enforcer.enabled -}}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apps/v1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: DaemonSet
metadata:
  name: neuvector-enforcer-pod
  namespace: {{ .Release.Namespace }}
  labels:
    chart: {{ template "neuvector.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  updateStrategy:
    type: RollingUpdate  
  selector:
    matchLabels:
      app: neuvector-enforcer-pod
  template:
    metadata:
      labels:
        app: neuvector-enforcer-pod
        release: {{ .Release.Name }}
    spec:
    {{- if .Values.imagePullSecrets }}
      imagePullSecrets:
        - name: {{ .Values.imagePullSecrets }}
    {{- end }}
    {{- if .Values.enforcer.tolerations }}
      tolerations:
{{ toYaml .Values.enforcer.tolerations | indent 8 }}
    {{- end }}
      hostPID: true
    {{- if .Values.enforcer.priorityClassName }}
      priorityClassName: {{ .Values.enforcer.priorityClassName }}
    {{- end }}
      serviceAccountName: {{ .Values.serviceAccount }}
      serviceAccount: {{ .Values.serviceAccount }}
      containers:
        - name: neuvector-enforcer-pod
          image: {{ template "system_default_registry" . }}{{ .Values.enforcer.image.repository }}:{{ .Values.enforcer.image.tag }}
          securityContext:
            privileged: true
          resources:
          {{- if .Values.enforcer.resources }}
{{ toYaml .Values.enforcer.resources | indent 12 }}
          {{- else }}
{{ toYaml .Values.resources | indent 12 }}
          {{- end }}
          env:
            - name: CLUSTER_JOIN_ADDR
              value: neuvector-svc-controller.{{ .Release.Namespace }}
            - name: CLUSTER_ADVERTISED_ADDR
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: CLUSTER_BIND_ADDR
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          volumeMounts:
          {{- if .Values.containerd.enabled }}
            - mountPath: /var/run/containerd/containerd.sock
          {{- else if .Values.k3s.enabled }}
            - mountPath: /var/run/containerd/containerd.sock
          {{- else if .Values.bottlerocket.enabled }}
            - mountPath: /var/run/containerd/containerd.sock
          {{- else if .Values.crio.enabled }}
            - mountPath: /var/run/crio/crio.sock
          {{- else }}
            - mountPath: /var/run/docker.sock
          {{- end }}
              name: runtime-sock
              readOnly: true
            - mountPath: /host/proc
              name: proc-vol
              readOnly: true
            - mountPath: /host/cgroup
              name: cgroup-vol
              readOnly: true
            - mountPath: /lib/modules
              name: modules-vol
              readOnly: true
      terminationGracePeriodSeconds: 1200
      restartPolicy: Always
      volumes:
        - name: runtime-sock
          hostPath:
          {{- if .Values.containerd.enabled }}
            path: {{ .Values.containerd.path }}
          {{- else if .Values.crio.enabled }}
            path: {{ .Values.crio.path }}
          {{- else if .Values.k3s.enabled }}
            path: {{ .Values.k3s.runtimePath }}
          {{- else if .Values.bottlerocket.enabled }}
            path: {{ .Values.bottlerocket.runtimePath }}
          {{- else }}
            path: {{ .Values.docker.path }}
          {{- end }}
        - name: proc-vol
          hostPath:
            path: /proc
        - name: cgroup-vol
          hostPath:
            path: /sys/fs/cgroup
        - name: modules-vol
          hostPath:
            path: /lib/modules
{{- end }}