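---
###
### Proxy Injector
###
{{- /*
  Renders three objects for the proxy-injector admission webhook:
    1. the Deployment (controller container plus the Linkerd proxy sidecar and,
       unless .Values.cniEnabled is set, the proxy-init init container),
    2. the ClusterIP Service that exposes the webhook on port 443,
    3. a PodDisruptionBudget, only when .Values.enablePodAntiAffinity is set.
  $tree is a deep copy of the root context, so the per-component proxy
  overrides set below do not leak into .Values for other templates.
*/}}
{{- $tree := deepCopy . }}
{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}}
{{ $_ := set $tree.Values.proxy "component" "linkerd-proxy-injector" -}}
{{ include "linkerd.proxy.validation" .Values.proxy -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    {{ include "partials.annotations.created-by" . }}
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: {{default .Values.linkerdVersion .Values.controllerImageVersion}}
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: {{.Values.namespace}}
  name: linkerd-proxy-injector
  namespace: {{.Values.namespace}}
spec:
  replicas: {{.Values.controllerReplicas}}
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  {{- if .Values.enablePodAntiAffinity }}
  strategy:
    rollingUpdate:
      maxUnavailable: 1
  {{- end }}
  template:
    metadata:
      annotations:
        {{- /*
          checksum/config changes whenever the rendered RBAC template changes,
          which forces a rollout of the pods. It is skipped only when rendering
          from the CLI with stage "control-plane".
        */}}
        {{- if (or (empty .Values.cliVersion) (not (eq (.Values.stage | toString) "control-plane"))) }}
        checksum/config: {{ include (print $.Template.BasePath "/proxy-injector-rbac.yaml") . | sha256sum }}
        {{- end }}
        {{ include "partials.annotations.created-by" . }}
        {{- include "partials.proxy.annotations" . | nindent 8}}
        {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
        {{- /*
          These two annotations are emitted after the user-supplied
          podAnnotations. NOTE(review): if podAnnotations carries the same keys
          the rendered YAML contains duplicates; which one wins depends on the
          parser, so do not rely on overriding them from values.
        */}}
        config.linkerd.io/opaque-ports: "8443"
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: {{.Values.namespace}}
        linkerd.io/workload-ns: {{.Values.namespace}}
        {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}}
        {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
    spec:
      {{- if .Values.tolerations -}}
      {{- include "linkerd.tolerations" . | nindent 6 }}
      {{- end -}}
      {{- include "linkerd.node-selector" . | nindent 6 }}
      {{- if .Values.enablePodAntiAffinity -}}
      {{- /*
        The "label" key needs a value: an odd-length dict call leaves it as an
        empty string. The key used here is the same one the Deployment selector
        and the PodDisruptionBudget below match on. NOTE(review): the
        linkerd.pod-affinity partial is not visible here; confirm it reads
        .label and .component.
      */}}
      {{- $local := dict "component" "proxy-injector" "label" "linkerd.io/control-plane-component" -}}
      {{- include "linkerd.pod-affinity" $local | nindent 6 -}}
      {{- end }}
      containers:
      {{- /* Per-component proxy resource overrides take precedence over the global proxy resources. */}}
      {{- if not (empty .Values.proxyInjectorProxyResources) }}
      {{- $r := merge .Values.proxyInjectorProxyResources .Values.proxy.resources }}
      {{- $_ := set $tree.Values.proxy "resources" $r }}
      {{- end }}
      {{- $_ := set $tree.Values.proxy "await" true }}
      {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
      {{- $_ := set $tree.Values.proxy "podInboundPorts" "8443,9995" }}
      {{- /*
        The pod needs to accept webhook traffic, and we can't rely on that
        originating in the cluster network.
        NOTE(review): the policy is set for the whole pod, so it presumably
        covers the admin port 9995 as well as the webhook port 8443. If the
        admin endpoints should not be reachable by unmeshed clients, restrict
        that port separately (for example with a NetworkPolicy).
      */}}
      {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      - args:
        - proxy-injector
        - -log-level={{.Values.controllerLogLevel}}
        - -log-format={{.Values.controllerLogFormat}}
        image: {{.Values.controllerImage}}:{{default .Values.linkerdVersion .Values.controllerImageVersion}}
        imagePullPolicy: {{.Values.imagePullPolicy}}
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        name: proxy-injector
        ports:
        - containerPort: 8443
          name: proxy-injector
        - containerPort: 9995
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        {{- if .Values.proxyInjectorResources -}}
        {{- include "partials.resources" .Values.proxyInjectorResources | nindent 8 }}
        {{- end }}
        {{- /*
          The controller listens only on unprivileged ports (8443, 9995) and
          runs as controllerUID, so it needs no added capabilities and no
          privilege escalation.
          NOTE(review): readOnlyRootFilesystem and runAsNonRoot are further
          candidates; confirm the binary writes nothing to its root filesystem
          and that controllerUID is never 0 before enabling them.
        */}}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          runAsUser: {{.Values.controllerUID}}
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
        - mountPath: /var/run/linkerd/identity/trust-roots
          name: trust-roots
        - mountPath: /var/run/linkerd/tls
          name: tls
          readOnly: true
      {{ if not .Values.cniEnabled -}}
      initContainers:
      - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      serviceAccountName: linkerd-proxy-injector
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      - configMap:
          name: linkerd-identity-trust-roots
        name: trust-roots
      {{- /*
        Secret mounted read-only at /var/run/linkerd/tls in the controller
        container; presumably the webhook serving certificate and key. Keep
        read access to this Secret limited to this service account.
      */}}
      - name: tls
        secret:
          secretName: linkerd-proxy-injector-k8s-tls
      {{ if not .Values.cniEnabled -}}
      - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}
---
kind: Service
apiVersion: v1
metadata:
  name: linkerd-proxy-injector
  namespace: {{.Values.namespace}}
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: {{.Values.namespace}}
  annotations:
    {{ include "partials.annotations.created-by" . }}
    config.linkerd.io/opaque-ports: "443"
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector
{{- if .Values.enablePodAntiAffinity }}
{{- /*
  The budget is rendered only together with pod anti-affinity and allows at
  most one proxy-injector pod to be unavailable during voluntary disruptions.
  NOTE(review): policy/v1beta1 is a deprecated PodDisruptionBudget API that
  newer Kubernetes releases no longer serve; confirm the supported cluster
  range before relying on this object.
*/}}
---
kind: PodDisruptionBudget
apiVersion: policy/v1beta1
metadata:
  name: linkerd-proxy-injector
  namespace: {{.Values.namespace}}
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: {{.Values.namespace}}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
{{- end }}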