apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "chartmuseum.fullname" . }}
  annotations:
{{ toYaml .Values.deployment.annotations | indent 4 }}
  labels:
{{ include "chartmuseum.labels.standard" . | indent 4 }}
{{- if .Values.deployment.labels }}
{{ toYaml .Values.deployment.labels | indent 4 }}
{{- end }}
spec:
  selector:
    matchLabels:
      app: {{ template "chartmuseum.name" . }}
      release: {{ .Release.Name | quote }}
{{- if .Values.deployment.labels }}
{{ toYaml .Values.deployment.labels | indent 6 }}
{{- end }}
  replicas: {{ .Values.replicaCount }}
  strategy:
{{ toYaml .Values.strategy | indent 4 }}
  revisionHistoryLimit: 10
{{- if .Values.deployment.matchlabes }}
  selector:
    matchLabels:
{{ toYaml .Values.deployment.matchlabels | indent 6 }}
{{- end }}
  template:
    metadata:
      name: {{ include "chartmuseum.fullname" . }}
      annotations:
{{ toYaml .Values.replica.annotations | indent 8 }}
      labels:
        app: {{ template "chartmuseum.name" . }}
        release: {{ .Release.Name | quote }}
{{- if .Values.deployment.labels }}
{{ toYaml .Values.deployment.labels | indent 8 }}
{{- end }}
    spec:
      {{- if .Values.priorityClassName }}
      priorityClassName: "{{ .Values.priorityClassName }}"
      {{- end }}
      {{- if .Values.securityContext.enabled }}
      securityContext:
        fsGroup: {{ .Values.securityContext.fsGroup }}
        {{- if .Values.securityContext.runAsNonRoot }}
        runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
        {{- end }}
        {{- if .Values.securityContext.supplementalGroups }}
        supplementalGroups: {{ .Values.securityContext.supplementalGroups }}
        {{- end }}
      {{- else if .Values.persistence.enabled }}
      initContainers:
      - name: volume-permissions
        image: {{ template "chartmuseum.volumePermissions.image" . }}
        imagePullPolicy: "{{ .Values.volumePermissions.image.pullPolicy }}"
        securityContext:
          {{- toYaml .Values.containerSecurityContext | nindent 10 }}
        command: ['sh', '-c', 'chown -R {{ .Values.securityContext.fsGroup }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.path }}']
        volumeMounts:
        - mountPath: {{ .Values.persistence.path }}
          name: storage-volume
      {{- end }}
{{- include "chartmuseum.imagePullSecrets" . | indent 6 }}
      containers:
      - name: {{ .Chart.Name }}
        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        securityContext:
          {{- toYaml .Values.containerSecurityContext | nindent 10 }}
        env:
{{- range $name, $value := .Values.env.open }}
{{- if not (empty $value) }}
        - name: {{ $name | quote }}
          value: {{ $value | quote }}
{{- end }}
{{- end }}
{{- range $name, $value := .Values.env.field }}
{{- if not ( empty $value) }}
        - name: {{ $name | quote }}
          valueFrom:
            fieldRef:
              fieldPath: {{ $value | quote }}
{{- end }}
{{- end }}
{{- if .Values.gcp.secret.enabled }}
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: "/etc/secrets/google/credentials.json"
{{- end }}
{{- if .Values.env.existingSecret }}
{{- $secret_name := .Values.env.existingSecret }}
{{- range $name, $key := .Values.env.existingSecretMappings }}
{{- if not ( empty $key) }}
        - name: {{ $name | quote }}
          valueFrom:
            secretKeyRef:
              name: {{ $secret_name | quote }}
              key: {{ $key | quote }}
{{- end }}
{{- end }}
{{- else }}
{{- $secret_name := include "chartmuseum.fullname" . }}
{{- range $name, $value := .Values.env.secret }}
{{- if not ( empty $value) }}
        - name: {{ $name | quote }}
          valueFrom:
            secretKeyRef:
              name: {{ $secret_name }}
              key: {{ $name | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.bearerAuth.secret.enabled }}
        -  name: AUTH_CERT_PATH
           value: /var/keys/public-key.pem
{{ end }}
        args:
        - --port=8080
{{- if eq .Values.env.open.STORAGE "local" }}
        - --storage-local-rootdir={{ .Values.persistence.path }}
{{- end }}
{{- if .Values.extraArgs }}
{{ toYaml .Values.extraArgs | indent 8 }}
{{- end }}
        ports:
        - name: http
          containerPort: 8080
        livenessProbe:
          httpGet:
            path: {{ .Values.env.open.CONTEXT_PATH }}/health
            port: http
{{ toYaml .Values.probes.liveness | indent 10 }}
        readinessProbe:
          httpGet:
            path: {{ .Values.env.open.CONTEXT_PATH }}/health
            port: http
{{ toYaml .Values.probes.readiness | indent 10 }}
        volumeMounts:
{{- if eq .Values.env.open.STORAGE "local" }}
        - mountPath: {{ .Values.persistence.path }}
          name: storage-volume
{{- end }}
{{- if  .Values.gcp.secret.enabled }}
        - mountPath: /etc/secrets/google
          name: {{ include "chartmuseum.fullname" . }}-gcp
{{- end }}
{{- if  .Values.oracle.secret.enabled }}
        - mountPath: /home/chartmuseum/.oci
          name: {{ include "chartmuseum.fullname" . }}-oracle
{{- end }}
{{- if .Values.bearerAuth.secret.enabled }}
        - name: public-key
          mountPath: /var/keys
          readOnly: true
{{- end }}
      {{- with .Values.resources }}
        resources:
{{ toYaml . | indent 10 }}
      {{- end }}
    {{- with .Values.nodeSelector }}
      nodeSelector:
{{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.affinity }}
      affinity:
{{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.tolerations }}
      tolerations:
{{ toYaml . | indent 8 }}
    {{- end }}
    {{- if .Values.deployment.schedulerName }}
      schedulerName: {{ .Values.deployment.schedulerName }}
    {{- end -}}
    {{- if and .Values.serviceAccount.create .Values.serviceAccount.name }}
      serviceAccountName: {{ .Values.serviceAccount.name }}
    {{- else if .Values.serviceAccount.create }}
      serviceAccountName: {{ include "chartmuseum.fullname" . }}
    {{- else if .Values.serviceAccount.name }}
      serviceAccountName: {{ .Values.serviceAccount.name }}
    {{- end }}
      volumes:
      - name: storage-volume
      {{- if .Values.persistence.enabled }}
        persistentVolumeClaim:
          claimName: {{ .Values.persistence.existingClaim | default (include "chartmuseum.fullname" .) }}
      {{- else }}
        emptyDir: {}
      {{- end -}}
      {{ if .Values.gcp.secret.enabled }}
      - name: {{ include "chartmuseum.fullname" . }}-gcp
        secret:
      {{ if .Values.env.secret.GOOGLE_CREDENTIALS_JSON }}
          secretName: {{ include "chartmuseum.fullname" . }}
          items:
          - key: GOOGLE_CREDENTIALS_JSON
            path: credentials.json
      {{ else }}
          secretName: {{ .Values.gcp.secret.name }}
          items:
          - key: {{ .Values.gcp.secret.key }}
            path: credentials.json
      {{ end }}
      {{ end }}
      {{ if .Values.oracle.secret.enabled }}
      - name: {{ include "chartmuseum.fullname" . }}-oracle
        secret:
          secretName: {{ .Values.oracle.secret.name }}
          items:
          - key: {{ .Values.oracle.secret.config }}
            path: config
          - key: {{ .Values.oracle.secret.key_file }}
            path: oci.key
      {{ end }}
{{- if .Values.bearerAuth.secret.enabled }}
      - name: public-key
        secret:
          secretName: {{ .Values.bearerAuth.secret.publicKeySecret }}
{{- end }}