# Here we deploy cloudflared images. The tunnel credentials are stored in
# a k8s secret, and the configuration is stored in a k8s configmap.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "cloudflare-tunnel.fullname" . }}
  labels:
    {{- include "cloudflare-tunnel.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      {{- include "cloudflare-tunnel.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      annotations:
        # These are here so the deployment rolls when the config or secret change.
        checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
        {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      labels:
        {{- include "cloudflare-tunnel.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "cloudflare-tunnel.fullname" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          args:
            - tunnel
            # Points cloudflared to the config file, which configures what
            # cloudflared will actually do. This file is created by a ConfigMap.
            - --config
            - /etc/cloudflared/config/config.yaml
            - run
          livenessProbe:
            httpGet:
              # Cloudflared has a /ready endpoint which returns 200 if and only if
              # it has an active connection to the edge.
              path: /ready
              port: 2000
            failureThreshold: 1
            initialDelaySeconds: 10
            periodSeconds: 10
          volumeMounts:
            - name: config
              mountPath: /etc/cloudflared/config
              readOnly: true
            # Each tunnel has an associated "credentials file" which authorizes machines
            # to run the tunnel. cloudflared will read this file from its local filesystem,
            # and it'll be stored in a k8s secret.
            - name: creds
              mountPath: /etc/cloudflared/creds
              readOnly: true
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
      volumes:
        - name: creds
          secret:
            secretName: {{ include "cloudflare-tunnel.fullname" . }}
        - name: config
          configMap:
            name: {{ include "cloudflare-tunnel.fullname" . }}
            items:
              - key: config.yaml
                path: config.yaml
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      affinity:
        {{- with .Values.affinity }}
        {{- toYaml . | nindent 8 }}
        {{- else }}
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 10
              podAffinityTerm:
                topologyKey: kubernetes.io/hostname
                labelSelector:
                  matchExpressions:
                  {{- range $k, $v := include "cloudflare-tunnel.selectorLabels" . | fromYaml }}
                    - key: {{ $k }}
                      operator: In
                      values:
                        - {{ $v }}
                  {{- end }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}