apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: {{ template "k8s-prometheus-adapter.name" . }}
    chart: {{ template "k8s-prometheus-adapter.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
  name: {{ template "k8s-prometheus-adapter.fullname" . }}
  namespace: {{ .Release.Namespace }}
spec:
  replicas: {{ .Values.replicas }}
  selector:
    matchLabels:
      app: {{ template "k8s-prometheus-adapter.name" . }}
      release: {{ .Release.Name }}
  template:
    metadata:
      labels:
        app: {{ template "k8s-prometheus-adapter.name" . }}
        chart: {{ template "k8s-prometheus-adapter.chart" . }}
        release: {{ .Release.Name }}
        heritage: {{ .Release.Service }}
        {{- with .Values.podLabels }}
        {{- toYaml . | trim | nindent 8 }}
        {{- end }}
      name: {{ template "k8s-prometheus-adapter.name" . }}
      annotations:
        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
        {{- with .Values.podAnnotations }}
        {{- toYaml . | trim | nindent 8 }}
        {{- end }}
    spec:
      serviceAccountName: {{ template "k8s-prometheus-adapter.serviceAccountName" . }}
      {{- if .Values.hostNetwork.enabled }}
      hostNetwork: true
      {{- end }}
      {{- if .Values.dnsPolicy }}
      dnsPolicy: {{ .Values.dnsPolicy }}
      {{- end}}
      containers:
      - name: {{ .Chart.Name }}
        image: "{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        args:
        - /adapter
        - --secure-port={{ .Values.listenPort }}
        {{- if or .Values.tls.enable .Values.certManager.enabled }}
        - --tls-cert-file=/var/run/serving-cert/tls.crt
        - --tls-private-key-file=/var/run/serving-cert/tls.key
        {{- end }}
        - --cert-dir=/tmp/cert
        - --logtostderr=true
        - --prometheus-url={{ tpl .Values.prometheus.url . }}{{ if .Values.prometheus.port }}:{{ .Values.prometheus.port }}{{end}}{{ .Values.prometheus.path }}
        - --metrics-relist-interval={{ .Values.metricsRelistInterval }}
        - --v={{ .Values.logLevel }}
        - --config=/etc/adapter/config.yaml
        {{- if .Values.extraArguments }}
        {{- toYaml .Values.extraArguments | trim | nindent 8 }}
        {{- end }}
        ports:
        - containerPort: {{ .Values.listenPort }}
          name: https
        livenessProbe:
          httpGet:
            path: /healthz
            port: https
            scheme: HTTPS
          initialDelaySeconds: 30
        readinessProbe:
          httpGet:
            path: /healthz
            port: https
            scheme: HTTPS
          initialDelaySeconds: 30
        {{- if .Values.resources }}
        resources:
          {{- toYaml .Values.resources | nindent 10 }}
        {{- end }}
        {{- with .Values.dnsConfig }}
        dnsConfig:
        {{ toYaml . | indent 8 }}
        {{- end }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["all"]
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10001
        volumeMounts:
        {{- if .Values.extraVolumeMounts }}
        {{ toYaml .Values.extraVolumeMounts | trim | nindent 8 }}
        {{ end }}
        - mountPath: /etc/adapter/
          name: config
          readOnly: true
        - mountPath: /tmp
          name: tmp
        {{- if or .Values.tls.enable .Values.certManager.enabled }}
        - mountPath: /var/run/serving-cert
          name: volume-serving-cert
          readOnly: true
        {{- end }}
      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{- toYaml .Values.nodeSelector | nindent 8 }}
{{- end }}
      affinity:
        {{- toYaml .Values.affinity | nindent 8 }}
      priorityClassName: {{ .Values.priorityClassName }}
      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.tolerations }}
{{- toYaml .Values.tolerations | nindent 8 }}
{{- end }}
      {{- if .Values.image.pullSecrets }}
      imagePullSecrets:
        {{- range .Values.image.pullSecrets }}
        - name: {{ . }}
        {{- end }}
      {{- end }}
      volumes:
      {{- if .Values.extraVolumes  }}
      {{ toYaml .Values.extraVolumes | trim | nindent 6 }}
      {{ end }}
      - name: config
        configMap:
          name: {{ .Values.rules.existing | default (include "k8s-prometheus-adapter.fullname" . ) }}
      - name: tmp
        emptyDir: {}
      {{- if or .Values.tls.enable .Values.certManager.enabled }}
      - name: volume-serving-cert
        secret:
          secretName: {{ template "k8s-prometheus-adapter.fullname" . }}
      {{- end }}