# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "amazon-eks-pod-identity-webhook.fullname" . }}
  labels:
    {{- include "amazon-eks-pod-identity-webhook.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      {{- include "amazon-eks-pod-identity-webhook.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "amazon-eks-pod-identity-webhook.selectorLabels" . | nindent 8 }}
    spec:
      serviceAccountName: {{ include "amazon-eks-pod-identity-webhook.fullname" . }}
      {{- if .Values.fargate }}
      initContainers:
      - name: sleep
        image: {{ .Values.baseImage }}
        imagePullPolicy: Always
        command:
        - sleep
        - {{ .Values.sleep | quote }}
      {{- end }}
      containers:
      - name: webhook
        image: {{ .Values.image }}
        imagePullPolicy: Always
        command:
        - /webhook
        - --in-cluster
        - --namespace={{ .Release.Namespace }}
        - --service-name={{ include "amazon-eks-pod-identity-webhook.fullname" . }}
        - --tls-secret={{ include "amazon-eks-pod-identity-webhook.fullname" . }}
        - --annotation-prefix=eks.amazonaws.com
        - --token-audience=sts.amazonaws.com
        - --token-expiration={{ .Values.webhook.tokenExpiration }}
        - --aws-default-region={{ .Values.webhook.defaultRegion }}
        - --sts-regional-endpoint={{ .Values.webhook.stsRegionalEndpoint }}
        - --metrics-port={{ .Values.webhook.metricsPort }}
        - --port={{ .Values.webhook.port }}
        - --logtostderr
        volumeMounts:
        - name: webhook-certs
          mountPath: /var/run/app/certs
          readOnly: false
      volumes:
      - name: webhook-certs
        emptyDir: {}
    {{- with .Values.affinity }}
      affinity:
{{ toYaml . | indent 8 }}
    {{- end }}