{{- if (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: clustermesh-apiserver
  namespace: {{ .Release.Namespace }}
  labels:
    k8s-app: clustermesh-apiserver
spec:
  replicas: {{ .Values.clustermesh.apiserver.replicas }}
  selector:
    matchLabels:
      k8s-app: clustermesh-apiserver
  {{- with .Values.clustermesh.apiserver.updateStrategy }}
  strategy:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  template:
    metadata:
      annotations:
        {{- with .Values.clustermesh.apiserver.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      labels:
        k8s-app: clustermesh-apiserver
        {{- with .Values.clustermesh.apiserver.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      initContainers:
      - name: etcd-init
        image: {{ include "cilium.image" .Values.clustermesh.apiserver.etcd.image | quote }}
        imagePullPolicy: {{ .Values.clustermesh.apiserver.etcd.image.pullPolicy }}
        command: ["/bin/sh", "-c"]
        args:
        - |
          rm -rf /var/run/etcd/*;
          /usr/local/bin/etcd --data-dir=/var/run/etcd --name=clustermesh-apiserver --listen-client-urls=http://127.0.0.1:2379 --advertise-client-urls=http://127.0.0.1:2379 --initial-cluster-token=clustermesh-apiserver --initial-cluster-state=new --auto-compaction-retention=1 &
          export rootpw=`head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`;
          echo $rootpw | etcdctl --interactive=false user add root;
          etcdctl user grant-role root root;
          export vmpw=`head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`;
          echo $vmpw | etcdctl --interactive=false user add externalworkload;
          etcdctl role add externalworkload;
          etcdctl role grant-permission externalworkload --from-key read '';
          etcdctl role grant-permission externalworkload readwrite --prefix cilium/state/noderegister/v1/;
          etcdctl role grant-permission externalworkload readwrite --prefix cilium/.initlock/;
          etcdctl user grant-role externalworkload externalworkload;
          export remotepw=`head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`;
          echo $remotepw | etcdctl --interactive=false user add remote;
          etcdctl role add remote;
          etcdctl role grant-permission remote --from-key read '';
          etcdctl user grant-role remote remote;
          etcdctl auth enable;
          exit
        env:
        - name: ETCDCTL_API
          value: "3"
        - name: HOSTNAME_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        volumeMounts:
        - name: etcd-data-dir
          mountPath: /var/run/etcd
      containers:
      - name: etcd
        image: {{ include "cilium.image" .Values.clustermesh.apiserver.etcd.image | quote }}
        imagePullPolicy: {{ .Values.clustermesh.apiserver.etcd.image.pullPolicy }}
        command:
        - /usr/local/bin/etcd
        args:
        - --data-dir=/var/run/etcd
        - --name=clustermesh-apiserver
        - --client-cert-auth
        - --trusted-ca-file=/var/lib/etcd-secrets/ca.crt
        - --cert-file=/var/lib/etcd-secrets/tls.crt
        - --key-file=/var/lib/etcd-secrets/tls.key
        - --listen-client-urls=https://127.0.0.1:2379,https://$(HOSTNAME_IP):2379
        - --advertise-client-urls=https://$(HOSTNAME_IP):2379
        - --initial-cluster-token=clustermesh-apiserver
        - --auto-compaction-retention=1
        env:
        - name: ETCDCTL_API
          value: "3"
        - name: HOSTNAME_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        volumeMounts:
        - name: etcd-server-secrets
          mountPath: /var/lib/etcd-secrets
          readOnly: true
        - name: etcd-data-dir
          mountPath: /var/run/etcd
      - name: apiserver
        image: {{ include "cilium.image" .Values.clustermesh.apiserver.image | quote }}
        imagePullPolicy: {{ .Values.clustermesh.apiserver.image.pullPolicy }}
        command:
        - /usr/bin/clustermesh-apiserver
        args:
        {{- if .Values.debug.enabled }}
        - --debug
        {{- end }}
        - --cluster-name=$(CLUSTER_NAME)
        - --cluster-id=$(CLUSTER_ID)
        - --kvstore-opt
        - etcd.config=/var/lib/cilium/etcd-config.yaml
        env:
        - name: CLUSTER_NAME
          valueFrom:
            configMapKeyRef:
              name: cilium-config
              key: cluster-name
        - name: CLUSTER_ID
          valueFrom:
            configMapKeyRef:
              name: cilium-config
              key: cluster-id
              optional: true
        - name: IDENTITY_ALLOCATION_MODE
          valueFrom:
            configMapKeyRef:
              name: cilium-config
              key: identity-allocation-mode
        - name: ENABLE_K8S_ENDPOINT_SLICE
          valueFrom:
            configMapKeyRef:
              name: cilium-config
              key: enable-k8s-endpoint-slice
              optional: true
        {{- with .Values.clustermesh.apiserver.extraEnv }}
        {{- toYaml . | trim | nindent 8 }}
        {{- end }}
        {{- with .Values.clustermesh.apiserver.resources }}
        resources:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        volumeMounts:
        - name: etcd-admin-client
          mountPath: /var/lib/cilium/etcd-secrets
          readOnly: true
      volumes:
      - name: etcd-server-secrets
        secret:
          secretName: clustermesh-apiserver-server-cert
          # note: the leading zero means this number is in octal representation: do not remove it
          defaultMode: 0400
      - name: etcd-admin-client
        secret:
          secretName: clustermesh-apiserver-admin-cert
          # note: the leading zero means this number is in octal representation: do not remove it
          defaultMode: 0400
      - name: etcd-data-dir
        emptyDir: {}
      restartPolicy: Always
      priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.clustermesh.apiserver.priorityClassName "system-cluster-critical") }}
      serviceAccount: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }}
      serviceAccountName: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }}
      {{- with .Values.clustermesh.apiserver.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.clustermesh.apiserver.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.clustermesh.apiserver.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
{{- end }}