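{{if .Values.identity -}}
{{- /*
Identity controller manifests: the issuer Secret (only for the Helm-managed
"linkerd.io/tls" scheme), the trust-roots ConfigMap (only when no external CA
is configured), the ClusterIP and headless Services, an optional
PodDisruptionBudget, and the Deployment whose sidecar proxy is rendered from a
deep copy of the chart values with identity-specific overrides.
*/ -}}
---
###
### Identity Controller Service
###
{{ if and (.Values.identity.issuer) (eq .Values.identity.issuer.scheme "linkerd.io/tls") -}}
---
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-identity-issuer
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
{{- /*
Both PEM values are mandatory: `required` fails the render with the message
below when either is missing. The Deployment further down mounts this Secret
by name unconditionally, so for any other issuer scheme it has to be supplied
outside this chart.
*/}}
data:
  crt.pem: {{b64enc (required "Please provide the identity issuer certificate" .Values.identity.issuer.tls.crtPEM | trim)}}
  key.pem: {{b64enc (required "Please provide the identity issuer private key" .Values.identity.issuer.tls.keyPEM | trim)}}
{{- end}}
{{- /*
The trust bundle is only rendered here when identity.externalCA is unset; the
Deployment mounts a ConfigMap named linkerd-identity-trust-roots either way.
*/}}
{{ if not (.Values.identity.externalCA) -}}
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-identity-trust-roots
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
data:
  ca-bundle.crt: |-{{.Values.identityTrustAnchorsPEM | trim | nindent 4}}
{{- end}}
---
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080
---
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity-headless
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080
{{- if .Values.enablePodDisruptionBudget }}
---
kind: PodDisruptionBudget
apiVersion: policy/v1
metadata:
  name: linkerd-identity
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
{{- end }}
---
{{- /*
$tree is a deep copy of the render context: every proxy/proxyInit override in
this Deployment is set on the copy, leaving .Values untouched for other templates.
*/}}
{{- $tree := deepCopy . }}
{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}}
{{ $_ := set $tree.Values.proxy "component" "linkerd-identity" -}}
{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    {{ include "partials.annotations.created-by" . }}
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: {{.Values.linkerdVersion}}
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  name: linkerd-identity
  namespace: {{ .Release.Namespace }}
spec:
  replicas: {{.Values.controllerReplicas}}
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
      linkerd.io/control-plane-ns: {{.Release.Namespace}}
      {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 6}}
  {{- if .Values.deploymentStrategy }}
  strategy:
    {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  {{- end }}
  template:
    metadata:
      annotations:
        {{ include "partials.annotations.created-by" . }}
        {{- include "partials.proxy.annotations" . | nindent 8}}
        {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
        {{- /*
        Keep this annotation in step with the "defaultInboundPolicy" proxy
        override set below; TLS on the gRPC port is still enforced through
        "requireTLSOnInboundPorts".
        */}}
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: identity
        linkerd.io/control-plane-ns: {{.Release.Namespace}}
        linkerd.io/workload-ns: {{.Release.Namespace}}
        {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}}
        {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
    spec:
      {{- with .Values.runtimeClassName }}
      runtimeClassName: {{ . | quote }}
      {{- end }}
      {{- if .Values.tolerations -}}
      {{- include "linkerd.tolerations" . | nindent 6 }}
      {{- end -}}
      {{- include "linkerd.node-selector" . | nindent 6 }}
      {{- $_ := set $tree "component" "identity" -}}
      {{- include "linkerd.affinity" $tree | nindent 6 }}
      containers:
      - args:
        - identity
        - -log-level={{.Values.controllerLogLevel}}
        - -log-format={{.Values.controllerLogFormat}}
        - -controller-namespace={{.Release.Namespace}}
        - -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}}
        - -identity-issuance-lifetime={{.Values.identity.issuer.issuanceLifetime}}
        - -identity-clock-skew-allowance={{.Values.identity.issuer.clockSkewAllowance}}
        - -identity-scheme={{.Values.identity.issuer.scheme}}
        - -enable-pprof={{.Values.enablePprof | default false}}
        {{- include "partials.linkerd.trace" . | nindent 8 -}}
        env:
        - name: LINKERD_DISABLED
          value: "linkerd-await cannot block the identity controller"
        image: {{.Values.controllerImage}}:{{.Values.linkerdVersion}}
        imagePullPolicy: {{.Values.imagePullPolicy}}
        livenessProbe:
          httpGet:
            path: /ping
            port: 9990
          initialDelaySeconds: 10
        name: identity
        ports:
        - containerPort: 8080
          name: grpc
        - containerPort: 9990
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9990
        {{- if .Values.identityResources -}}
        {{- include "partials.resources" .Values.identityResources | nindent 8 }}
        {{- end }}
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: {{.Values.controllerUID}}
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/issuer
          name: identity-issuer
        - mountPath: /var/run/linkerd/identity/trust-roots/
          name: trust-roots
      {{- /*
      Proxy sidecar overrides for this workload; identityProxyResources take
      precedence over proxy.resources when both are set (merge keeps the
      left-hand keys).
      */}}
      {{- if not (empty .Values.identityProxyResources) }}
      {{- $r := merge .Values.identityProxyResources .Values.proxy.resources }}
      {{- $_ := set $tree.Values.proxy "resources" $r }}
      {{- end }}
      {{- $_ := set $tree.Values.proxy "await" false }}
      {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
      {{- $_ := set $tree.Values.proxy "podInboundPorts" "8080,9990" }}
      {{- /*
        The identity controller cannot discover policies, so we configure it with defaults that
        enforce TLS on the identity service.
      */}}
      {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
      {{- $_ := set $tree.Values.proxy "requireTLSOnInboundPorts" "8080" }}
      {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }}
      {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }}
      {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }}
      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      initContainers:
      {{ if .Values.cniEnabled -}}
      - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ else -}}
      {{- /*
        The identity controller needs to connect to the Kubernetes API before the proxy is able
        to proxy requests, so we always skip these connections. The identity controller makes
        no other outbound connections (so it's not important to persist any other skip ports here)
      */}}
      {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}}
      - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      {{- if .Values.priorityClassName -}}
      priorityClassName: {{ .Values.priorityClassName }}
      {{ end -}}
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-identity
      {{- /*
      identity-issuer and trust-roots are referenced by name regardless of
      which of the Secret/ConfigMap above were rendered.
      */}}
      volumes:
      - name: identity-issuer
        secret:
          secretName: linkerd-identity-issuer
      - configMap:
          name: linkerd-identity-trust-roots
        name: trust-roots
      {{ if not .Values.cniEnabled -}}
      - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      {{if .Values.identity.serviceAccountTokenProjection -}}
      - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ end -}}
      - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}
{{end -}}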