apiVersion: apps/v1beta2
kind: Deployment
metadata:
  name: {{ template "elasticsearch-exporter.fullname" . }}
  labels:
    chart: {{ template "elasticsearch-exporter.chart" . }}
    k8s-app: {{ template "elasticsearch-exporter.name" . }}
    release: "{{ .Release.Name }}"
    heritage: "{{ .Release.Service }}"
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      k8s-app: {{ template "elasticsearch-exporter.name" . }}
      release: "{{ .Release.Name }}"
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      labels:
        k8s-app: {{ template "elasticsearch-exporter.name" . }}
        release: "{{ .Release.Name }}"
      {{- if .Values.podAnnotations }}
      annotations:
{{ toYaml .Values.podAnnotations | indent 8 }}
      {{- end }}
    spec:
{{- if .Values.priorityClassName }}
      priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
      restartPolicy: {{ .Values.restartPolicy }}
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command: ["elasticsearch_exporter",
                    "-es.uri={{ .Values.es.uri }}",
                    "-es.all={{ .Values.es.all }}",
                    "-es.indices={{ .Values.es.indices }}",
                    "-es.timeout={{ .Values.es.timeout }}",
                    {{- if .Values.es.ssl.enabled }}
                    "-es.ca=/ssl/ca.pem",
                    "-es.client-cert=/ssl/client.pem",
                    "-es.client-private-key=/ssl/client.key",
                    {{- end }}
                    "-web.listen-address=:{{ .Values.service.httpPort }}",
                    "-web.telemetry-path={{ .Values.web.path }}"]
          securityContext:
            capabilities:
              drop:
                - SETPCAP
                - MKNOD
                - AUDIT_WRITE
                - CHOWN
                - NET_RAW
                - DAC_OVERRIDE
                - FOWNER
                - FSETID
                - KILL
                - SETGID
                - SETUID
                - NET_BIND_SERVICE
                - SYS_CHROOT
                - SETFCAP
            readOnlyRootFilesystem: true
          resources:
{{ toYaml .Values.resources | indent 12 }}
          ports:
            - containerPort: {{ .Values.service.httpPort }}
              name: http
          livenessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 30
            timeoutSeconds: 10
          readinessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 10
            timeoutSeconds: 10
          volumeMounts:
            {{- if .Values.es.ssl.enabled }}
            - mountPath: /ssl
              name: ssl
            {{- end }}
{{- if .Values.nodeSelector }}
      nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.tolerations }}
      tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
      volumes:
        {{- if .Values.es.ssl.enabled }}
        - name: ssl
          secret:
            secretName: {{ template "elasticsearch-exporter.fullname" . }}-cert
        {{- end }}