apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: {{ template "vault.fullname" . }}
  labels:
    app: {{ template "vault.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  replicas: {{ .Values.replicaCount }}
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: {{ template "vault.name" . }}
        release: {{ .Release.Name }}
{{- if .Values.podAnnotations }}
      annotations:
      {{- range $key, $value := .Values.podAnnotations }}
        {{ $key }}: {{ $value | quote }}
      {{- end }}
{{- end }}
    spec:
      containers:
      - name: {{ .Chart.Name }}
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        {{- if .Values.vault.dev }}
        command: ["vault", "server", "-dev", "-dev-listen-address", "[::]:8200"]
        {{- else }}
        command: ["vault", "server", "-config", "/vault/config/config.json"]
        {{- end }}
        ports:
        - containerPort: {{ .Values.service.port }}
          name: api
        - containerPort: 8201
          name: cluster-address
        livenessProbe:
          # Alive if it is listening for clustering traffic
          tcpSocket:
            port: {{ .Values.service.port }}
        readinessProbe:
          # Ready depends on preference
          httpGet:
            path: /v1/sys/health?
              {{- if .Values.vault.readiness.readyIfSealed -}}sealedcode=204&{{- end }}
              {{- if .Values.vault.readiness.readyIfStandby -}}standbycode=204&{{- end }}
              {{- if .Values.vault.readiness.readyIfUninitialized -}}uninitcode=204&{{- end }}
            port: {{ .Values.service.port }}
            scheme: {{ if .Values.vault.config.listener.tcp.tls_disable -}}HTTP{{- else -}}HTTPS{{- end }}
        securityContext:
          readOnlyRootFilesystem: true
          capabilities:
            add:
            - IPC_LOCK
        env:
          - name: POD_IP
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
          - name: VAULT_CLUSTER_ADDR
            value: "https://$(POD_IP):8201"
          - name: AWS_ACCESS_KEY_ID
            valueFrom:
              secretKeyRef:
                name: "{{ template "vault.fullname" . }}-secret"
                key: AWS_ACCESS_KEY_ID
          - name: AWS_SECRET_ACCESS_KEY
            valueFrom:
              secretKeyRef:
                name: "{{ template "vault.fullname" . }}-secret"
                key: AWS_SECRET_ACCESS_KEY
          - name: AWS_S3_BUCKET
            valueFrom:
              secretKeyRef:
                name: "{{ template "vault.fullname" . }}-secret"
                key:  AWS_S3_BUCKET
          - name: AWS_REGION
            valueFrom:
              secretKeyRef:
                name: "{{ template "vault.fullname" . }}-secret"
                key: AWS_REGION
        volumeMounts:
        - name: vault-config
          mountPath: /vault/config/
        - name: vault-root
          mountPath: /root/
        {{- range .Values.vault.customSecrets }}
        - name: {{ .secretName }}
          mountPath: {{ .mountPath }}
        {{- end }}
        resources:
{{ toYaml .Values.resources | indent 10 }}
      {{- if .Values.affinity }}
      affinity:
{{ tpl .Values.affinity . | indent 8 }}
      {{- end }}
      volumes:
        - name: vault-config
          configMap:
            name: "{{ template "vault.fullname" . }}-config"
        - name: vault-root
          emptyDir: {}
        {{- range .Values.vault.customSecrets }}
        - name: {{ .secretName }}
          secret:
            secretName: {{ .secretName }}
        {{- end }}