apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ template "k8s-triliovault-operator.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: k8s-triliovault-operator
    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
    release: "{{ .Release.Name }}"
    heritage: "{{ .Release.Service }}"
spec:
  selector:
    matchLabels:
      app: {{ template "k8s-triliovault-operator.fullname" . }}
      release: "{{ .Release.Name }}"
  replicas: {{ .Values.replicaCount }}
  template:
    metadata:
      labels:
        app: {{ template "k8s-triliovault-operator.fullname" . }}
        chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
        release: "{{ .Release.Name }}"
        heritage: "{{ .Release.Service }}"
    spec:
      containers:
        - name: k8s-triliovault-operator
          image: {{ .Values.registry }}/{{ index .Values "k8s-triliovault-operator" "repository" }}:{{ .Values.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
          env:
            - name: TVK_ENV
              value: {{ .Values.tvkEnv }}
          volumeMounts:
          {{- if .Values.tls.enable }}
          - name: helm-tls-certs
            mountPath: /root/.helm
            readOnly: true
          {{- if .Values.tls.verify }}
          - name: helm-tls-ca
            mountPath: /root/.helm/ca.crt
            readOnly: true
          {{- end }}
          {{- end }}
          - mountPath: /tmp/k8s-webhook-server/serving-certs
            name: webhook-certs
            readOnly: true
          resources:
            limits:
              cpu: 200m
              memory: 512Mi
            requests:
              cpu: 10m
              memory: 10Mi
      initContainers:
        - name: webhook-init
          image: {{ .Values.registry }}/{{ index .Values "operator-webhook-init" "repository" }}:{{ .Values.tag }}
          imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
          env:
            - name: MUTATE_CONFIG
              value: {{ template "k8s-triliovault-operator.name" . }}-mutating-webhook-configuration
            - name: VALIDATE_CONFIG
              value: {{ template "k8s-triliovault-operator.name" . }}-validating-webhook-configuration
            - name: WEBHOOK_SERVICE
              value: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service
            - name: WEBHOOK_NAMESPACE
              value: {{ .Release.Namespace }}
            - name: SECRET_NAME
              value: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-certs
      volumes:
      {{- if .Values.tls.enable }}
      - name: helm-tls-certs
        secret:
          secretName: {{ .Values.tls.secretName }}
          defaultMode: 0400
      {{- if .Values.tls.verify }}
      - name: helm-tls-ca
        configMap:
          name: {{ template "helm-operator.fullname" . }}-helm-tls-ca-config
          defaultMode: 0600
      {{- end }}
      {{- end }}
      - name: webhook-certs
        secret:
          defaultMode: 420
          secretName: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-certs