{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
# StatefulSet to run the actual Consul server cluster.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "consul.fullname" . }}-server-config
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "consul.name" . }}
    chart: {{ template "consul.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    component: server
data:
  server.json: |
    {
      {{- if and .Values.global.secretsBackend.vault.enabled }}
      "auto_reload_config": true,
      {{- end }}
      "bind_addr": "0.0.0.0",
      "bootstrap_expect": {{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }},
      "client_addr": "0.0.0.0",
      "connect": {
        "enabled": {{ .Values.server.connect }}
      },
      "datacenter": "{{ .Values.global.datacenter }}",
      "data_dir": "/consul/data",
      "domain": "{{ .Values.global.domain }}",
      "ports": {
        {{- if not .Values.global.tls.enabled }}
        "grpc": 8502,
        "grpc_tls": -1,
        {{- end }}
        {{- if .Values.global.tls.enabled }}
        "grpc": -1,
        "grpc_tls": 8502,
        {{- end }}
        "serf_lan": {{ .Values.server.ports.serflan.port }}
      },
      "recursors": {{ .Values.global.recursors | toJson }},
      "retry_join": ["{{template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:{{ .Values.server.ports.serflan.port }}"],
      {{- if .Values.global.peering.enabled }}
      "peering": {
        "enabled": true
      },
      {{- end }}
      "server": true
    }
  {{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}}
  {{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }}
  {{- with .Values.global.secretsBackend.vault }}
  connect-ca-config.json: |
    {
      "connect": [
        {
          "ca_config": [
            {
              "address": "{{ .connectCA.address }}",
              {{- if and .ca.secretName .ca.secretKey }}
              "ca_file": "/consul/vault-ca/tls.crt",
              {{- end }}
              "intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}",
              "root_pki_path": "{{ .connectCA.rootPKIPath }}",
              "auth_method": {
                "type": "kubernetes",
                "mount_path": "{{ .connectCA.authMethodPath }}",
                "params": {
                  "role": "{{ .consulServerRole }}"
                }
              }
            }
          ],
          "ca_provider": "vault"
        }
      ]
    }
  {{- if .connectCA.additionalConfig }}
  additional-connect-ca-config.json: |
{{ tpl .connectCA.additionalConfig $ | trimAll "\"" | indent 4 }}
  {{- end }}
  {{- end }}
  {{- end }}
  extra-from-values.json: |-
{{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }}
  {{- if .Values.global.acls.manageSystemACLs }}
  acl-config.json: |-
    {
      "acl": {
        "enabled": true,
        "default_policy": "deny",
        "down_policy": "extend-cache",
        {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }}
        "enable_token_replication": true,
        {{- end }}
        "enable_token_persistence": true
      }
    }
  {{- end }}
  {{- if .Values.global.tls.enabled }}
  tls-config.json: |-
    {
      "tls": {
        {{- if .Values.global.tls.verify }}
        "internal_rpc": {
          "verify_incoming": true,
          "verify_server_hostname": true
        },
        "grpc": {
          "verify_incoming": false
        },
        {{- end }}
        "defaults": {
          {{- if .Values.global.tls.verify }}
          "verify_outgoing": true,
          {{- end }}
          {{- if .Values.global.secretsBackend.vault.enabled }}
          "ca_file": "/vault/secrets/serverca.crt",
          "cert_file": "/vault/secrets/servercert.crt",
          "key_file": "/vault/secrets/servercert.key"
          {{- else }}
          "ca_file": "/consul/tls/ca/tls.crt",
          "cert_file": "/consul/tls/server/tls.crt",
          "key_file": "/consul/tls/server/tls.key"
          {{- end }}
        }
      },
      {{- if .Values.global.tls.enableAutoEncrypt }}
      "auto_encrypt": {
        "allow_tls": true
      },
      {{- end }}
      "ports": {
        {{- if .Values.global.tls.httpsOnly }}
        "http": -1,
        {{- end }}
        "https": 8501
      }
    }
  {{- end }}
  {{- if .Values.ui.enabled }}
  ui-config.json: |-
    {
      "ui_config": {
        {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }}
        "metrics_provider": "{{ .Values.ui.metrics.provider }}",
        "metrics_proxy": {
          "base_url": "{{ .Values.ui.metrics.baseURL }}"
        },
        {{- end }}
        {{- if .Values.ui.dashboardURLTemplates.service }}
        "dashboard_url_templates": {
          "service": "{{ .Values.ui.dashboardURLTemplates.service }}"
        },
        {{- end }}
        "enabled": true
      }
    }
  {{- end }}
  central-config.json: |-
    {
      "enable_central_service_config": true
    }
  {{- if .Values.global.federation.enabled }}
  federation-config.json: |-
    {
      "primary_datacenter": "{{ .Values.global.federation.primaryDatacenter }}",
      "primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }},
      "connect": {
        "enable_mesh_gateway_wan_federation": true
      }
    }
  {{- end }}
  {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }}
  telemetry-config.json: |-
    {
      "telemetry": {
        "prometheus_retention_time": "{{ .Values.global.metrics.agentMetricsRetentionTime }}"
      }
    }
  {{- end }}
{{- end }}