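# Deployment for the secretumvault server. Pod and container security
# settings, probe timings, resources and affinity all come from
# .Values.vault.*; labels and the resource name come from the chart's
# named templates ("secretumvault.labels", "secretumvault.selectorLabels",
# "secretumvault.fullname").
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "secretumvault.fullname" . }}
  namespace: {{ .Values.global.namespace }}
  labels:
    {{- include "secretumvault.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.vault.replicas }}
  # maxUnavailable 0 keeps the current replica serving until its
  # replacement is ready; maxSurge 1 bounds the extra pod during rollout.
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      {{- include "secretumvault.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "secretumvault.selectorLabels" . | nindent 8 }}
      # Scrape annotations point at the dedicated metrics port below, not
      # the API port. Quoted so the port number stays a string annotation.
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ .Values.vault.service.metricsPort }}"
        prometheus.io/path: "/metrics"
    spec:
      serviceAccountName: {{ include "secretumvault.fullname" . }}
      securityContext:
        fsGroup: {{ .Values.vault.securityContext.fsGroup }}
        runAsNonRoot: {{ .Values.vault.securityContext.runAsNonRoot }}
        runAsUser: {{ .Values.vault.securityContext.runAsUser }}
        # RuntimeDefault seccomp completes the hardening the container
        # already opts into (drop ALL capabilities, no privilege escalation);
        # it is also required by the Pod Security "restricted" profile.
        seccompProfile:
          type: RuntimeDefault
      {{- if .Values.vault.affinity }}
      affinity:
        {{- toYaml .Values.vault.affinity | nindent 8 }}
      {{- end }}
      containers:
        - name: vault
          image: "{{ .Values.vault.image.repository }}:{{ .Values.vault.image.tag }}"
          # Quoted so an empty pullPolicy value renders as "" (defaulted by
          # the API server) rather than a bare null.
          imagePullPolicy: "{{ .Values.vault.image.pullPolicy }}"
          ports:
            - name: api
              containerPort: 8200
              protocol: TCP
            - name: metrics
              containerPort: {{ .Values.vault.service.metricsPort }}
              protocol: TCP
          env:
            - name: RUST_LOG
              value: "{{ .Values.vault.config.logging.level }}"
            - name: VAULT_CONFIG
              value: "/etc/secretumvault/svault.toml"
          volumeMounts:
            # Config is mounted read-only; the process only needs to read
            # svault.toml from it.
            - name: config
              mountPath: /etc/secretumvault
              readOnly: true
            - name: data
              mountPath: /var/lib/secretumvault
          # NOTE(review): liveness, readiness and startup all hit
          # /v1/sys/health. If that endpoint returns a non-2xx status for a
          # running-but-sealed or not-yet-initialised server, liveness will
          # restart a pod that only needed to be marked not-ready — confirm
          # the endpoint's status codes before relying on it for liveness.
          livenessProbe:
            httpGet:
              path: /v1/sys/health
              port: api
            initialDelaySeconds: {{ .Values.vault.livenessProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.vault.livenessProbe.periodSeconds }}
            timeoutSeconds: {{ .Values.vault.livenessProbe.timeoutSeconds }}
            failureThreshold: {{ .Values.vault.livenessProbe.failureThreshold }}
          readinessProbe:
            httpGet:
              path: /v1/sys/health
              port: api
            initialDelaySeconds: {{ .Values.vault.readinessProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.vault.readinessProbe.periodSeconds }}
            timeoutSeconds: {{ .Values.vault.readinessProbe.timeoutSeconds }}
            failureThreshold: {{ .Values.vault.readinessProbe.failureThreshold }}
          startupProbe:
            httpGet:
              path: /v1/sys/health
              port: api
            initialDelaySeconds: {{ .Values.vault.startupProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.vault.startupProbe.periodSeconds }}
            failureThreshold: {{ .Values.vault.startupProbe.failureThreshold }}
          resources:
            {{- toYaml .Values.vault.resources | nindent 12 }}
          securityContext:
            allowPrivilegeEscalation: {{ .Values.vault.securityContext.allowPrivilegeEscalation }}
            readOnlyRootFilesystem: {{ .Values.vault.securityContext.readOnlyRootFilesystem }}
            capabilities:
              drop:
                - ALL
      volumes:
        - name: config
          configMap:
            name: {{ include "secretumvault.fullname" . }}-config
        # NOTE(review): the data volume is an emptyDir, so whatever the
        # server writes under /var/lib/secretumvault is lost when the pod is
        # rescheduled and is not shared across replicas — confirm this is
        # intended (e.g. an external storage backend) before running
        # replicas > 1 or relying on this path for persistent state.
        - name: data
          emptyDir:
            sizeLimit: 1Gi
      terminationGracePeriodSeconds: 30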