{{- if .Values.updater.enabled -}}
{{- $updater := mustMergeOverwrite (mustDeepCopy .Values) .Values.updater -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-updater
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ .Release.Name }}-updater
{{- if $updater.extraLabels.deployment }}
    {{- toYaml $updater.extraLabels.deployment | nindent 4 }}
{{- end }}
{{- if $updater.annotations.deployment }}
  annotations: {{- toYaml $updater.annotations.deployment | nindent 4 }}
{{- end }}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: {{ .Release.Name }}-updater
  template:
    metadata:
      annotations:
{{- if $updater.annotations.pod }}
  {{- toYaml $updater.annotations.pod | nindent 8 }}
{{- end }}
      labels:
        app: {{ .Release.Name }}-updater
{{- if $updater.extraLabels.pod }}
  {{- toYaml $updater.extraLabels.pod | nindent 8 }}
{{- end }}
    spec:
{{- if $updater.affinity }}
      affinity: {{- toYaml $updater.affinity | nindent 8 }}
{{- end }}
{{- if $updater.tolerations }}
      tolerations: {{- toYaml $updater.tolerations | nindent 8 }}
{{- end }}
{{- if $updater.imagePullSecrets }}
      imagePullSecrets: {{- toYaml $updater.imagePullSecrets | nindent 8 }}
{{- end }}
{{- if $updater.nodeSelector }}
      nodeSelector: {{- toYaml $updater.nodeSelector | nindent 8 }}
{{- end }}
      containers:
      - name: "kube-agent-updater"
        image: "{{ $updater.image }}:{{ include "teleport-kube-agent.version" . }}"
{{- if $updater.imagePullPolicy }}
        imagePullPolicy: {{ toYaml $updater.imagePullPolicy }}
{{- end }}
{{- if or $updater.extraEnv $updater.tls.existingCASecretName }}
        env:
  {{- if (gt (len $updater.extraEnv) 0) }}
    {{- toYaml $updater.extraEnv | nindent 8 }}
  {{- end }}
  {{- if $updater.tls.existingCASecretName }}
        - name: SSL_CERT_FILE
          value: /etc/teleport-tls-ca/ca.pem
        # Used to track whether a Teleport agent was installed using this method.
        - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
          value: true
  {{- end }}
{{- end }}
        args:
          - "--agent-name={{ .Release.Name }}"
          - "--agent-namespace={{ .Release.Namespace }}"
          - "--base-image={{ include "teleport-kube-agent.baseImage" . }}"
          - "--version-server={{ $updater.versionServer }}"
          - "--version-channel={{ $updater.releaseChannel }}"
{{- if $updater.securityContext }}
        securityContext: {{- toYaml $updater.securityContext | nindent 10 }}
{{- end }}
        ports:
        - name: metrics
          containerPort: 8080
          protocol: TCP
        - name: healthz
          containerPort: 8081
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /healthz
            port: healthz
          initialDelaySeconds: 5
          periodSeconds: 5
          failureThreshold: 6 # consider agent unhealthy after 30s (6 * 5s)
          timeoutSeconds: 5
        readinessProbe:
          httpGet:
            path: /readyz
            port: healthz
          initialDelaySeconds: 5
          periodSeconds: 5
          failureThreshold: 6 # consider unready after 30s
          timeoutSeconds: 5
{{- if $updater.resources }}
        resources: {{- toYaml $updater.resources | nindent 10 }}
{{- end }}
{{- if $updater.tls.existingCASecretName }}
        volumeMounts:
        - mountPath: /etc/teleport-tls-ca
          name: "teleport-tls-ca"
          readOnly: true
      volumes:
      - name: "teleport-tls-ca"
        secret:
          secretName: {{ $updater.tls.existingCASecretName }}
{{- end }}
{{- if $updater.priorityClassName }}
      priorityClassName: {{ $updater.priorityClassName }}
{{- end }}
      serviceAccountName: {{ template "teleport-kube-agent-updater.serviceAccountName" . }}
{{- end -}}