apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: {{ include "credential-provider.fullname" . }}
  namespace: {{ .Release.Namespace | default .Values.defaultNamespace | quote }}
  labels:
    {{- include "credential-provider.labels" . | nindent 4 }}
spec:
  selector:
    matchLabels:
      {{- include "credential-provider.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "credential-provider.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "credential-provider.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: credential-provider
          image: {{ .Values.sourceRegistry }}/{{ .Values.image.repository }}@{{ .Values.image.digest }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          securityContext:
            privileged: true
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
            - name: aws-creds
              mountPath: /secrets/aws-creds
            {{ $os := include "template.getOSType" .}}
            {{- if eq $os "bottlerocket" }}
            - mountPath: /run/api.sock
              name: socket
            {{- else}}
            - mountPath: /node-files/kubelet-extra-args
              name: kubelet-extra-args
            - name: package-mounts
              mountPath: /eksa-packages
            {{- end}}
          env:
            - name: OS_TYPE
              value: {{ $os }}
            - name: AWS_PROFILE
              value: {{(index .Values.credential 0).profile}}
            - name: MATCH_IMAGES
              value: '{{ join "," (index .Values.credential 0).matchImages }}'
            - name: DEFAULT_CACHE_DURATION
              value: {{(index .Values.credential 0).defaultCacheDuration}}
            - name: K8S_VERSION
              value: "v{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}"
      volumes:
        # Currently only one secret (aws-secret) is supported at this time
        - name: aws-creds
          secret:
            secretName: {{(index .Values.credential 0).secretName}}
            optional: false
        {{- if eq $os "bottlerocket" }}
        - name: socket
          hostPath:
            path: /run/api.sock
        {{- else if eq $os "default"}}
        - name: kubelet-extra-args
          hostPath:
            path: /etc/default/kubelet
            type: FileOrCreate
        {{- else}}
        - name: kubelet-extra-args
          hostPath:
            path: /etc/sysconfig/kubelet
            type: FileOrCreate
        {{- end }}
        {{- if ne $os "bottlerocket" }}
        - name: package-mounts
          hostPath:
            path: /eksa-packages
        {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      hostPID: true