{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.oauth2Plugin.enabled }}
---

# Deployment for the OpenFaaS oauth2-plugin, rendered only when
# oauth2Plugin.enabled is true. Plugin settings come from the oauth2Plugin
# values block; basic_auth and securityContext toggle the optional parts below.
# NOTE(review): $functionNs is assigned at the top of this template but is
# not referenced anywhere in it.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: {{ template "openfaas.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    component: oauth2-plugin
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  name: oauth2-plugin
  namespace: {{ .Release.Namespace | quote }}
spec:
  replicas: {{ .Values.oauth2Plugin.replicas }}
  selector:
    matchLabels:
      app: oauth2-plugin
  template:
    metadata:
      annotations:
        # NOTE(review): this key uses dots; the usual Prometheus convention is
        # prometheus.io/scrape — confirm which form the scrape config expects.
        prometheus.io.scrape: "false"
      labels:
        app: oauth2-plugin
    spec:
      volumes:
      # Writable scratch space for /tmp; needed because the container may run
      # with a read-only root filesystem (see securityContext below).
      - name: oauth2-plugin-temp-volume
        emptyDir: {}
      {{- if .Values.basic_auth }}
      # Expects a Secret named basic-auth in the release namespace; it is
      # mounted read-only at /var/secrets below.
      - name: auth
        secret:
          secretName: basic-auth
      {{- end }}
      containers:
      - name:  oauth2-plugin
        resources:
          {{- .Values.oauth2Plugin.resources | toYaml | nindent 12 }}
        image: {{ .Values.oauth2Plugin.image }}
        imagePullPolicy: {{ .Values.openfaasImagePullPolicy }}
        {{- if .Values.securityContext }}
        # Hardening applied only when securityContext is set in values:
        # fixed non-root UID and a read-only root filesystem.
        # NOTE(review): runAsNonRoot: true and allowPrivilegeEscalation: false
        # would be consistent additions here — confirm the image tolerates them.
        securityContext:
          readOnlyRootFilesystem: true
          runAsUser: 10001
        {{- end }}
        # Liveness and readiness both check GET /health on 8080; httpProbe
        # selects the kubelet HTTP probe, otherwise a wget --spider exec probe.
        livenessProbe:
          {{- if .Values.httpProbe }}
          httpGet:
            path: /health
            port: 8080
          {{- else }}
          exec:
            command:
            - wget
            - --quiet
            - --tries=1
            - --timeout=5
            - --spider
            - http://localhost:8080/health
          {{- end }}
          timeoutSeconds: 5
        readinessProbe:
          {{- if .Values.httpProbe }}
          httpGet:
            path: /health
            port: 8080
          {{- else }}
          exec:
            command:
            - wget
            - --quiet
            - --tries=1
            - --timeout=5
            - --spider
            - http://localhost:8080/health
          {{- end }}
          timeoutSeconds: 5
        # NOTE(review): args are part of the pod spec, so the license key is
        # readable by anyone who can get/describe the pod or the Deployment.
        # Sourcing it from a Secret would keep it out of the spec.
        args:
        - "-license={{- .Values.oauth2Plugin.license}}"
        - "-provider={{- .Values.oauth2Plugin.provider}}"
        # Plugin configuration. The leading trim markers inside the quoted
        # values have no preceding whitespace to trim and are harmless.
        env:
        - name: client_id
          value: "{{- .Values.oauth2Plugin.clientID}}"
        # NOTE(review): the OAuth2 client secret is inlined as a plain string
        # into the Deployment (and so into the Helm release record); a
        # valueFrom.secretKeyRef to a Secret would avoid that.
        - name: client_secret
          value: "{{- .Values.oauth2Plugin.clientSecret}}"
        - name: cookie_domain
          value: "{{- .Values.oauth2Plugin.cookieDomain}}"
        - name: base_host
          value: "{{- .Values.oauth2Plugin.baseHost}}"
        # Listen port; matches the probe target and containerPort below.
        - name: port
          value: "8080"
        - name: authorize_url
          value: "{{- .Values.oauth2Plugin.authorizeURL}}"
        - name: welcome_page_url
          value: "{{- .Values.oauth2Plugin.welcomePageURL}}"
        - name: public_key_path
          value: ""  # leave blank if using jwks
        - name: audience
          value: "{{- .Values.oauth2Plugin.audience}}"
        - name: token_url
          value: "{{- .Values.oauth2Plugin.tokenURL}}"
        - name: scopes
          value: "{{- .Values.oauth2Plugin.scopes}}"
        - name: jwks_url
          value: "{{- .Values.oauth2Plugin.jwksURL}}"
        # NOTE(review): presumably disables TLS certificate verification on the
        # plugin's own outbound calls when set to "true" — confirm against the
        # plugin docs; keep it false outside test environments.
        - name: insecure_tls
          value: "{{- .Values.oauth2Plugin.insecureTLS}}"
        {{- if .Values.basic_auth }}
        # Where the basic-auth Secret is mounted; must match the volumeMount
        # below.
        - name: secret_mount_path
          value: "/var/secrets"
        {{- end }}
        volumeMounts:
        - name: oauth2-plugin-temp-volume
          mountPath: /tmp
        {{- if .Values.basic_auth }}
        - name: auth
          readOnly: true
          mountPath: "/var/secrets"
        {{- end }}
        # Same port the plugin is told to listen on via the port env var and
        # that both probes target.
        ports:
        - name: http
          containerPort: 8080
          protocol: TCP

      # Optional scheduling constraints, copied verbatim from values.
    {{- with .Values.nodeSelector }}
      nodeSelector:
{{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.affinity }}
      affinity:
{{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.tolerations }}
      tolerations:
{{ toYaml . | indent 8 }}
    {{- end }}

{{- end }}