apiVersion: v1
kind: Service
metadata:
  name: cpx-sidecar-injector
  namespace: {{ .Release.Namespace }}
  labels:
    istio: sidecar-injector
    app: cpx-sidecar-injector
spec:
  ports:
  - port: 443
  selector:
    istio: sidecar-injector

---
# Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cpx-sidecar-injector
  namespace: {{ .Release.Namespace }}
  labels:
    app: sidecarInjectorWebhook
    istio: sidecar-injector
    app: cpx-sidecar-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cpx-sidecar-injector
      istio: sidecar-injector
  template:
    metadata:
      labels:
        istio: sidecar-injector
        app: cpx-sidecar-injector
      annotations:
        sidecar.istio.io/inject: "false"
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      serviceAccountName: cpx-sidecar-injector-service-account
      initContainers:
        - name: sidecar-certs-generator
          image: {{ tpl .Values.sidecarCertsGenerator.image . }}
          imagePullPolicy: {{ .Values.sidecarCertsGenerator.imagePullPolicy }}
          securityContext:
            privileged: true
          volumeMounts:
          - name: certs
            mountPath: /tmp
      containers:
        - name: sidecar-injector-webhook
          image: {{ tpl .Values.sidecarWebHook.webhookImage . }}
          imagePullPolicy: {{ .Values.sidecarWebHook.imagePullPolicy }}
          securityContext:
            privileged: true
          args:
            - --caCertFile=/etc/istio/certs/cert.pem
            - --tlsCertFile=/etc/istio/certs/cert.pem
            - --tlsKeyFile=/etc/istio/certs/key.pem
            - --injectConfig=/etc/istio/inject/config
            - --meshConfig=/etc/istio/config/mesh
            - --healthCheckInterval=10s
            - --webhookConfigName=cpx-sidecar-injector
            - --webhookName=cpx-sidecar-injector.citrix.io
            - --objectWebhookName=object.cpx-sidecar-injector.citrix.io
          volumeMounts:
          - name: config-volume
            mountPath: /etc/istio/config
            readOnly: true
          - name: certs
            mountPath: /etc/istio/certs
            readOnly: true
          - name: inject-config
            mountPath: /etc/istio/inject
            readOnly: true
          livenessProbe:
            exec:
              command:
                - cat
                - /health
            failureThreshold: 5
            initialDelaySeconds: 4
            periodSeconds: 10
          readinessProbe:
            exec:
              command:
                - cat
                - /health
            failureThreshold: 5
            initialDelaySeconds: 4
            periodSeconds: 10
            initialDelaySeconds: 4
          resources:
            requests:
              cpu: 10m
            
      volumes:
      - name: config-volume
        configMap:
          name: istio
      - name: certs
        emptyDir: {}
      - name: inject-config
        configMap:
          name: cpx-istio-sidecar-injector
          items:
          - key: config
            path: config
          - key: values
            path: values
---