{{- if .Values.es.nodeSets }}
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: {{ template "kubezero-lib.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
  version: {{ .Values.version }}
  nodeSets:
  {{- range .Values.es.nodeSets }}
  - name: {{ .name }}
    config:
      node.roles: [ master, data, ingest ]
      {{- if $.Values.es.prometheus }}
      prometheus.indices: false
      {{- end }}
      {{- if .zone }}
      node.attr.zone: {{ .zone }}
      cluster.routing.allocation.awareness.attributes: k8s_node_name,zone
      {{- end }}
      transport.compress: true
      {{- if .processors }}
      node.processors: {{ .processors }}
      {{- end }}
      indices.memory.index_buffer_size: "20%"
    podTemplate:
      # Remove once https://github.com/elastic/elasticsearch/pull/65923 is merged
      {{- if $.Values.es.s3Snapshot.iamrole }}
      metadata:
        annotations:
          iam.amazonaws.com/role: {{ $.Values.es.s3Snapshot.iamrole }}
      {{- end }}
      spec:
        {{- if or $.Values.es.prometheus $.Values.es.s3Snapshot.enabled }}
        initContainers:
        - name: install-plugins
          command:
          - sh
          - -c
          - |
            {{- if $.Values.es.s3Snapshot.enabled }}
            bin/elasticsearch-plugin install --batch repository-s3;
            {{- end }}
            {{- if $.Values.es.prometheus }}
            bin/elasticsearch-plugin install --batch https://github.com/vvanholl/elasticsearch-prometheus-exporter/releases/download/{{ $.Values.version }}.0/prometheus-exporter-{{ $.Values.version }}.0.zip;
            {{- end }}
        {{- end }}
        containers:
        - name: elasticsearch
          securityContext:
            capabilities:
              add: ["SYS_CHROOT"]
          {{- with .resources }}
          resources: {{ toYaml . | nindent 12 }}
          {{- end }}
        #  {{- if or .jvm_heap $.Values.es.s3Snapshot.iamrole }}
        #  env:
        #  {{- end }}
          {{- if .jvm_heap }}
          env:
          - name: ES_JAVA_OPTS
            value: -Xms{{ .jvm_heap }}g -Xmx{{ .jvm_heap }}g
          {{- end }}
        #{{- if $.Values.es.s3Snapshot.iamrole }}
        #  - name: AWS_ROLE_ARN
        #    value: {{ $.Values.es.s3Snapshot.iamrole }}
        #  - name: AWS_WEB_IDENTITY_TOKEN_FILE
        #    value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
        #  - name: AWS_STS_REGIONAL_ENDPOINTS
        #    value: regional
        #  volumeMounts:
        #  - name: aws-token
        #    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
        #    readOnly: true
        #volumes:
        #- name: aws-token
        #  projected:
        #    sources:
        #    - serviceAccountToken:
        #        path: token
        #        expirationSeconds: 86400
        #        audience: "sts.amazonaws.com"
        #{{- end }}
        affinity:
          podAntiAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  elasticsearch.k8s.elastic.co/cluster-name: {{ template "kubezero-lib.fullname" $ }}
              topologyKey: kubernetes.io/hostname
          {{- if or .zone .nodeAffinity }}
          nodeAffinity:
            {{- if .zone }}
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
              - matchExpressions:
                - key: topology.kubernetes.io/zone
                  operator: In
                  values:
                  - {{ .zone }}
            {{- end }}
            {{- if .nodeAffinity }}
            preferredDuringSchedulingIgnoredDuringExecution:
              - weight: 1
                preference:
                  matchExpressions:
                  - key: {{ .nodeAffinity.key }}
                    operator: In
                    values:
                    - {{ .nodeAffinity.value }}
            {{- end }}
          {{- end }}
    count: {{ .count }}
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: {{ .storage.size }}
        {{- with .storage.class }}
        storageClassName: {{ . }}
        {{- end }}
  {{- end }}
  http:
    tls:
      selfSignedCertificate:
        disabled: true
{{- end }}