---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubeshark.co/app: hub
    {{- include "kubeshark.labels" . | nindent 4 }}
  {{- if .Values.tap.annotations }}
  annotations:
    {{- toYaml .Values.tap.annotations | nindent 4 }}
  {{- end }}
  name: {{ include "kubeshark.name" . }}-hub
  namespace: {{ .Release.Namespace }}
spec:
  replicas: 1  # Set the desired number of replicas
  selector:
    matchLabels:
      app.kubeshark.co/app: hub
      {{- include "kubeshark.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        app.kubeshark.co/app: hub
        {{- include "kubeshark.labels" . | nindent 8 }}
    spec:
      dnsPolicy: ClusterFirstWithHostNet
      serviceAccountName: {{ include "kubeshark.serviceAccountName" . }}
      containers:
        - name: hub
          command:
            - ./hub
            - -port
            - "8080"
            - -loglevel
            - '{{ .Values.logLevel | default "warning" }}'
            {{- if .Values.tap.gitops.enabled }}
            - -gitops
            {{- end }}
          {{- if .Values.tap.secrets }}
          envFrom:
            {{- range .Values.tap.secrets }}
            - secretRef:
                name: {{ . }}
            {{- end }}
          {{- end }}
          env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: SENTRY_ENABLED
            value: '{{ (include "sentry.enabled" .) }}'
          - name: SENTRY_ENVIRONMENT
            value: '{{ .Values.tap.sentry.environment }}'
          - name: KUBESHARK_CLOUD_API_URL
            value: 'https://api.kubeshark.co'
          - name: PROFILING_ENABLED
            value: '{{ .Values.tap.pprof.enabled }}'
        {{- if .Values.tap.docker.overrideImage.hub }}
          image: '{{ .Values.tap.docker.overrideImage.hub }}'
        {{- else if .Values.tap.docker.overrideTag.hub }}
          image: '{{ .Values.tap.docker.registry }}/hub:{{ .Values.tap.docker.overrideTag.hub }}'
        {{ else }}
          image: '{{ .Values.tap.docker.registry }}/hub:{{ not (eq .Values.tap.docker.tag "") | ternary .Values.tap.docker.tag (include "kubeshark.defaultVersion" .) }}'
        {{- end }}
          imagePullPolicy: {{ .Values.tap.docker.imagePullPolicy }}
          readinessProbe:
            periodSeconds: {{ .Values.tap.probes.hub.periodSeconds }}
            failureThreshold: {{ .Values.tap.probes.hub.failureThreshold }}
            successThreshold: {{ .Values.tap.probes.hub.successThreshold }}
            initialDelaySeconds: {{ .Values.tap.probes.hub.initialDelaySeconds }}
            tcpSocket:
              port: 8080
          livenessProbe:
            periodSeconds: {{ .Values.tap.probes.hub.periodSeconds }}
            failureThreshold: {{ .Values.tap.probes.hub.failureThreshold }}
            successThreshold: {{ .Values.tap.probes.hub.successThreshold }}
            initialDelaySeconds: {{ .Values.tap.probes.hub.initialDelaySeconds }}
            tcpSocket:
              port: 8080
          resources:
            limits:
              {{ if ne (toString .Values.tap.resources.hub.limits.cpu) "0" }}
              cpu: {{ .Values.tap.resources.hub.limits.cpu }}
              {{ end }}
              {{ if ne (toString .Values.tap.resources.hub.limits.memory) "0" }}
              memory: {{ .Values.tap.resources.hub.limits.memory }}
              {{ end }}
            requests:
              {{ if ne (toString .Values.tap.resources.hub.requests.cpu) "0" }}
              cpu: {{ .Values.tap.resources.hub.requests.cpu }}
              {{ end }}
              {{ if ne (toString .Values.tap.resources.hub.requests.memory) "0" }}
              memory: {{ .Values.tap.resources.hub.requests.memory }}
              {{ end }}
          volumeMounts:
          - name: saml-x509-volume
            mountPath: "/etc/saml/x509"
            readOnly: true
{{- if gt (len .Values.tap.nodeSelectorTerms.hub) 0}}
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              {{- toYaml .Values.tap.nodeSelectorTerms.hub | nindent 12 }}
{{- end }}
      {{- if or .Values.tap.dns.nameservers .Values.tap.dns.searches .Values.tap.dns.options }}
      dnsConfig:
        {{- if .Values.tap.dns.nameservers }}
        nameservers:
        {{- range .Values.tap.dns.nameservers }}
          - {{ . | quote }}
        {{- end }}
        {{- end }}
        {{- if .Values.tap.dns.searches }}
        searches:
        {{- range .Values.tap.dns.searches }}
          - {{ . | quote }}
        {{- end }}
        {{- end }}
        {{- if .Values.tap.dns.options }}
        options:
        {{- range .Values.tap.dns.options }}
          - name: {{ .name | quote }}
            {{- if .value }}
            value: {{ .value | quote }}
            {{- end }}
        {{- end }}
        {{- end }}
      {{- end }}
      {{- if .Values.tap.tolerations.hub }}
      tolerations:
      {{- range .Values.tap.tolerations.hub }}
        - key: {{ .key | quote }}
          operator: {{ .operator | quote }}
          {{- if .value }}
          value: {{ .value | quote }}
          {{- end }}
          {{- if .effect }}
          effect: {{ .effect | quote }}
          {{- end }}
          {{- if .tolerationSeconds }}
          tolerationSeconds: {{ .tolerationSeconds }}
          {{- end }}
      {{- end }}
      {{- end }}
      volumes:
      - name: saml-x509-volume
        projected:
          sources:
          - secret:
              name: kubeshark-saml-x509-crt-secret
              items:
              - key: AUTH_SAML_X509_CRT
                path: kubeshark.crt
          - secret:
              name: kubeshark-saml-x509-key-secret
              items:
              - key: AUTH_SAML_X509_KEY
                path: kubeshark.key