{{- define "istio-private-ingress-values" }}

gateway:
  name: istio-private-ingressgateway

  {{- if ne .Values.global.platform "gke" }}
  priorityClassName: "system-cluster-critical"
  {{- end }}

  {{- with index .Values "istio-private-ingress" "gateway" "replicaCount" }}
  replicaCount: {{ . }}
  {{- if gt (int .) 1 }}
  podDisruptionBudget:
    minAvailable: 1
  {{- end }}
  {{- end }}

  {{- if eq .Values.global.platform "aws" }}
  # Only nodes who are fronted with matching LB
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: node.kubernetes.io/ingress.private
            operator: Exists
  {{- end }}

  topologySpreadConstraints:
    - maxSkew: 1
      topologyKey: topology.kubernetes.io/zone
      whenUnsatisfiable: DoNotSchedule
      labelSelector:
        matchLabels:
          app: istio-private-ingressgateway
          istio: private-ingressgateway
    - maxSkew: 1
      topologyKey: kubernetes.io/hostname
      whenUnsatisfiable: DoNotSchedule
      labelSelector:
        matchLabels:
          app: istio-private-ingressgateway
          istio: private-ingressgateway

  service:
    ports:
    - name: status-port
      port: 15021
      nodePort: 31021
      noGateway: true
    - name: http2
      port: 80
      targetPort: 8080
      nodePort: 31080
      gatewayProtocol: HTTP2
      tls:
        httpsRedirect: true
    - name: https
      port: 443
      targetPort: 8443
      nodePort: 31443
      gatewayProtocol: HTTPS
      tls:
        mode: SIMPLE
  {{- with index .Values "istio-private-ingress" "gateway" "service" "ports" }}
  {{- toYaml . | nindent 4 }}
  {{- end }}

  # custom hardened bootstrap config
  env:
    ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
  volumes:
    - name: custom-bootstrap-volume
      configMap:
        name: private-ingressgateway-bootstrap-config
  volumeMounts:
    - mountPath: /etc/istio/custom-bootstrap
      name: custom-bootstrap-volume
      readOnly: true

telemetry:
  enabled: {{ $.Values.metrics.enabled }}
certificates:
{{- range $cert := index .Values "istio-private-ingress" "certificates" }}
- name: {{ $cert.name }}
  dnsNames:
  {{- toYaml $cert.dnsNames | nindent 4 }}
{{- end }}
proxyProtocol: {{ default true (index .Values "istio-private-ingress" "proxyProtocol") }}
{{- with (index .Values "istio-private-ingress" "hardening") }}
hardening:
  {{- toYaml . | nindent 2 }}
{{- end }}

{{- end }}


{{- define "istio-private-ingress-argo" }}
{{- end }}

{{ include "kubezero-app.app" . }}