apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-sidecar-injector
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "sidecar-injector.name" . }}
    chart: {{ template "sidecar-injector.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
    istio: sidecar-injector
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      istio: sidecar-injector
  strategy:
    rollingUpdate:
      maxSurge: {{ .Values.rollingMaxSurge }}
      maxUnavailable: {{ .Values.rollingMaxUnavailable }}
  template:
    metadata:
      labels:
        app: {{ template "sidecar-injector.name" . }}
        chart: {{ template "sidecar-injector.chart" . }}
        heritage: {{ .Release.Service }}
        release: {{ .Release.Name }}
        istio: sidecar-injector
      annotations:
        sidecar.istio.io/inject: "false"
        {{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
        {{- end }}
    spec:
      serviceAccountName: istio-sidecar-injector-service-account
{{- if .Values.global.priorityClassName }}
      priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
      containers:
        - name: sidecar-injector-webhook
{{- if contains "/" .Values.image }}
          image: "{{ .Values.image }}"
{{- else }}
          image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
{{- end }}
          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
          args:
            - --caCertFile=/etc/istio/certs/root-cert.pem
            - --tlsCertFile=/etc/istio/certs/cert-chain.pem
            - --tlsKeyFile=/etc/istio/certs/key.pem
            - --injectConfig=/etc/istio/inject/config
            - --meshConfig=/etc/istio/config/mesh
            - --healthCheckInterval=2s
            - --healthCheckFile=/health
{{- if .Values.global.operatorManageWebhooks }}
            - --reconcileWebhookConfig=false
{{- else }}
            - --reconcileWebhookConfig=true
{{- end }}
          volumeMounts:
          - name: config-volume
            mountPath: /etc/istio/config
            readOnly: true
          - name: certs
            mountPath: /etc/istio/certs
            readOnly: true
          - name: inject-config
            mountPath: /etc/istio/inject
            readOnly: true
          livenessProbe:
            exec:
              command:
                - /usr/local/bin/sidecar-injector
                - probe
                - --probe-path=/health
                - --interval=4s
            initialDelaySeconds: 4
            periodSeconds: 4
          readinessProbe:
            exec:
              command:
                - /usr/local/bin/sidecar-injector
                - probe
                - --probe-path=/health
                - --interval=4s
            initialDelaySeconds: 4
            periodSeconds: 4
          resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
      volumes:
      - name: config-volume
        configMap:
          name: istio
      - name: certs
        secret:
{{- if .Values.global.certificates }}
          secretName: dns.istio-sidecar-injector-service-account
{{- else }}
          secretName: istio.istio-sidecar-injector-service-account
{{- end }}
      - name: inject-config
        configMap:
          name: istio-sidecar-injector
          items:
          - key: config
            path: config
          - key: values
            path: values
      affinity:
      {{- include "nodeaffinity" . | indent 6 }}
      {{- include "podAntiAffinity" . | indent 6 }}
      {{- if .Values.tolerations }}
      tolerations:
{{ toYaml .Values.tolerations | indent 6 }}
      {{- else if .Values.global.defaultTolerations }}
      tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
      {{- end }}