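{{- /*
Controller DaemonSet. Rendered only when controller.kind is "daemonset".
One controller pod runs per node; ports 80/443 are bound on every node via
hostPort, and the pod shares the node network namespace when
controller.hostNetwork is true.
*/}}
{{- if eq .Values.controller.kind "daemonset" }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: {{ default (include "nginx-ingress.name" .) .Values.controller.name }}
  namespace: {{ .Release.Namespace }}
  labels:
{{- include "nginx-ingress.labels" . | nindent 4 }}
spec:
  selector:
    matchLabels:
      app: {{ include "nginx-ingress.appName" . }}
  template:
    metadata:
      labels:
        app: {{ include "nginx-ingress.appName" . }}
{{- if .Values.nginxServiceMesh.enable }}
{{- /* Service-mesh labels; only emitted when nginxServiceMesh.enable is set. */}}
        nsm.nginx.com/daemonset: {{ default (include "nginx-ingress.name" .) .Values.controller.name }}
        spiffe.io/spiffeid: "true"
{{- end }}
{{- if .Values.controller.pod.extraLabels }}
{{ toYaml .Values.controller.pod.extraLabels | indent 8 }}
{{- end }}
{{- if or .Values.prometheus.create (or .Values.controller.pod.annotations .Values.nginxServiceMesh.enable) }}
      annotations:
{{- if .Values.prometheus.create }}
{{- /* Annotation values are quoted so numeric/boolean-looking values stay strings. */}}
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ .Values.prometheus.port }}"
        prometheus.io/scheme: "{{ .Values.prometheus.scheme }}"
{{- end }}
{{- if .Values.nginxServiceMesh.enable }}
        nsm.nginx.com/enable-ingress: "true"
        nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}"
{{- end }}
{{- if .Values.controller.pod.annotations }}
{{ toYaml .Values.controller.pod.annotations | indent 8 }}
{{- end }}
{{- end }}
    spec:
      serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }}
{{- /*
The controller reads ConfigMaps/Secrets and reports Ingress status through the
API server (see the args below), so the service-account token is mounted.
*/}}
      automountServiceAccountToken: true
      terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- if .Values.controller.nodeSelector }}
      nodeSelector:
{{ toYaml .Values.controller.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.controller.tolerations }}
      tolerations:
{{ toYaml .Values.controller.tolerations | indent 6 }}
{{- end }}
{{- if .Values.controller.affinity }}
      affinity:
{{ toYaml .Values.controller.affinity | indent 8 }}
{{- end }}
{{- if or .Values.controller.volumes .Values.nginxServiceMesh.enable }}
      volumes:
{{- end }}
{{- if .Values.nginxServiceMesh.enable }}
{{- /* hostPath to the node's SPIRE agent socket; only present with the service mesh. */}}
      - hostPath:
          path: /run/spire/sockets
          type: DirectoryOrCreate
        name: spire-agent-socket
{{- end }}
{{- if .Values.controller.volumes }}
{{ toYaml .Values.controller.volumes | indent 6 }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
      priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
{{- /* Controlled by values: when true the pod uses the node's network namespace. */}}
      hostNetwork: {{ .Values.controller.hostNetwork }}
      containers:
      - name: {{ include "nginx-ingress.name" . }}
        image: {{ include "nginx-ingress.image" . }}
        imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}"
{{- if .Values.controller.lifecycle }}
        lifecycle:
{{ toYaml .Values.controller.lifecycle | indent 10 }}
{{- end }}
{{- /* http/https are exposed on each node's host ports 80/443. */}}
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
{{- if .Values.controller.customPorts }}
{{ toYaml .Values.controller.customPorts | indent 8 }}
{{- end }}
{{- if .Values.prometheus.create }}
        - name: prometheus
          containerPort: {{ .Values.prometheus.port }}
{{- end }}
{{- if .Values.controller.readyStatus.enable }}
        - name: readiness-port
          containerPort: {{ .Values.controller.readyStatus.port }}
        readinessProbe:
          httpGet:
            path: /nginx-ready
            port: readiness-port
          periodSeconds: 1
          initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }}
{{- end }}
{{- /*
Drop every capability and re-add only NET_BIND_SERVICE so the non-root nginx
user (uid 101) can bind 80/443. NOTE(review): allowPrivilegeEscalation stays
true; presumably required for the binary's file capabilities to take effect at
exec -- confirm against the image before tightening this to false.
*/}}
        securityContext:
          allowPrivilegeEscalation: true
          runAsUser: 101  # nginx
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
{{- if or .Values.controller.volumeMounts .Values.nginxServiceMesh.enable }}
        volumeMounts:
{{- end }}
{{- if .Values.nginxServiceMesh.enable }}
        - mountPath: /run/spire/sockets
          name: spire-agent-socket
{{- end }}
{{- if .Values.controller.volumeMounts }}
{{ toYaml .Values.controller.volumeMounts | indent 8 }}
{{- end }}
{{- /* Downward-API values referenced as $(POD_NAMESPACE)/$(POD_NAME) in the args. */}}
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
{{- if .Values.nginxServiceMesh.enable }}
        - name: POD_SERVICEACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
{{- end }}
        resources:
{{ toYaml .Values.controller.resources | indent 10 }}
        args:
        - -nginx-plus={{ .Values.controller.nginxplus }}
        - -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }}
        - -enable-app-protect={{ .Values.controller.appprotect.enable }}
{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }}
        - -app-protect-log-level={{ .Values.controller.appprotect.logLevel }}
{{- end }}
        - -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }}
{{- if .Values.controller.appprotectdos.enable }}
        - -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }}
{{- /* Each limit takes the like-named value: maxDaemons -> max-daemons, maxWorkers -> max-workers. */}}
        - -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }}
        - -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }}
        - -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }}
{{- end }}
        - -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }}
{{- /* A pre-existing secret wins; otherwise the chart-managed secret is used when both cert and key are supplied. */}}
{{- if .Values.controller.defaultTLS.secret }}
        - -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }}
{{- else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }}
        - -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . }}
{{- end }}
        - -ingress-class={{ .Values.controller.ingressClass }}
{{- if .Values.controller.watchNamespace }}
        - -watch-namespace={{ .Values.controller.watchNamespace }}
{{- end }}
        - -health-status={{ .Values.controller.healthStatus }}
        - -health-status-uri={{ .Values.controller.healthStatusURI }}
        - -nginx-debug={{ .Values.controller.nginxDebug }}
        - -v={{ .Values.controller.logLevel }}
        - -nginx-status={{ .Values.controller.nginxStatus.enable }}
{{- if .Values.controller.nginxStatus.enable }}
        - -nginx-status-port={{ .Values.controller.nginxStatus.port }}
        - -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }}
{{- end }}
{{- if .Values.controller.reportIngressStatus.enable }}
        - -report-ingress-status
{{- if .Values.controller.reportIngressStatus.ingressLink }}
        - -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }}
{{- else if .Values.controller.reportIngressStatus.externalService }}
        - -external-service={{ .Values.controller.reportIngressStatus.externalService }}
{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }}
        - -external-service={{ include "nginx-ingress.serviceName" . }}
{{- end }}
        - -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }}
        - -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . }}
{{- end }}
{{- if .Values.controller.wildcardTLS.secret }}
        - -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }}
{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }}
        - -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }}
{{- end }}
        - -enable-prometheus-metrics={{ .Values.prometheus.create }}
        - -prometheus-metrics-listen-port={{ .Values.prometheus.port }}
        - -prometheus-tls-secret={{ .Values.prometheus.secret }}
        - -enable-custom-resources={{ .Values.controller.enableCustomResources }}
{{- /* NOTE(review): snippets let Ingress/VirtualServer authors embed raw NGINX config; treat enableSnippets as a trust-boundary setting. */}}
        - -enable-snippets={{ .Values.controller.enableSnippets }}
        - -include-year={{ .Values.controller.includeYear }}
        - -disable-ipv6={{ .Values.controller.disableIPV6 }}
{{- if .Values.controller.enableCustomResources }}
        - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }}
        - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }}
        - -enable-cert-manager={{ .Values.controller.enableCertManager }}
        - -enable-oidc={{ .Values.controller.enableOIDC }}
        - -enable-external-dns={{ .Values.controller.enableExternalDNS }}
{{- if .Values.controller.globalConfiguration.create }}
        - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.name" . }}
{{- end }}
{{- end }}
        - -ready-status={{ .Values.controller.readyStatus.enable }}
        - -ready-status-port={{ .Values.controller.readyStatus.port }}
        - -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }}
{{- if .Values.nginxServiceMesh.enable }}
        - -spire-agent-address=/run/spire/sockets/agent.sock
        - -enable-internal-routes={{ .Values.nginxServiceMesh.enableEgress }}
{{- end }}
{{- if .Values.controller.extraContainers }}
{{ toYaml .Values.controller.extraContainers | nindent 6 }}
{{- end }}
{{- if .Values.controller.initContainers }}
      initContainers:
{{ toYaml .Values.controller.initContainers | nindent 8 }}
{{- end }}
{{- if .Values.controller.strategy }}
  updateStrategy:
{{ toYaml .Values.controller.strategy | indent 4 }}
{{- end }}
{{- if .Values.controller.minReadySeconds }}
  minReadySeconds: {{ .Values.controller.minReadySeconds }}
{{- end }}
{{- end }}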