apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "cloudflare-tunnel-remote.fullname" . }}
  labels:
    {{- include "cloudflare-tunnel-remote.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      pod: cloudflared
  template:
    metadata:
      creationTimestamp: null
      annotations:
        # These are here so the deployment rolls when the config or secret change.
        checksum/secret: {{ .Values.cloudflare.tunnel_token | sha256sum }}
        {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      labels:
        pod: cloudflared
    spec:
      serviceAccountName: {{ include "cloudflare-tunnel-remote.fullname" . }}
      containers:
      - name: cloudflared
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default "latest" }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        command:
          - cloudflared
          - tunnel
          # We can regulate the cloudflared version via an image tag.
          - --no-autoupdate
          # In a k8s environment, the metrics server needs to listen outside the pod it runs on.
          # The address 0.0.0.0:2000 allows any pod in the namespace.
          - --metrics
          - 0.0.0.0:2000
          - run
        env:
        - name: TUNNEL_TOKEN
          valueFrom:
            secretKeyRef:
              name: {{ include "cloudflare-tunnel-remote.fullname" . }}
              key: tunnelToken
        livenessProbe:
          httpGet:
            # Cloudflared has a /ready endpoint which returns 200 if and only if
            # it has an active connection to the edge.
            path: /ready
            port: 2000
          failureThreshold: 1
          initialDelaySeconds: 10
          periodSeconds: 10