{{- if .Values.ingress.private }}
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: kubezero-istio-private-ingress
  namespace: istio-system
spec:
  profile: empty
  components:
    ingressGateways:
    - name: istio-private-ingressgateway
      enabled: true
      namespace: istio-system
      k8s:
        replicaCount: {{ .Values.ingress.replicaCount }}
        {{- if .Values.ingress.autoscaleEnabled }}
        hpaSpec:
          maxReplicas: 5
          metrics:
          - resource:
              name: cpu
              targetAverageUtilization: 80
            type: Resource
          minReplicas: 1
          scaleTargetRef:
            apiVersion: apps/v1
            kind: Deployment
            name: istio-private-ingressgateway
        {{- end }}
        env:
        - name: ISTIO_META_HTTP10
          value: '"1"'
        - name: ISTIO_META_ROUTER_MODE
          value: standard
        {{- if eq .Values.ingress.type "NodePort" }}
        nodeSelector:
          node.kubernetes.io/ingress.private: "31080_31443_30671_30672_31224"
        {{- end }}
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 128Mi
        strategy:
          rollingUpdate:
            maxSurge: 100%
            maxUnavailable: 25%
  values:
    gateways:
      istio-ingressgateway:
        autoscaleEnabled: {{ .Values.ingress.autoscaleEnabled }}
        externalTrafficPolicy: Local
        labels:
          app: istio-private-ingressgateway
          istio: private-ingressgateway
        meshExpansionPorts: []
        podAntiAffinityLabelSelector:
        - key: app
          operator: In
          topologyKey: kubernetes.io/hostname
          values: istio-private-ingressgateway
        type: {{ default "NodePort" .Values.ingress.type }}
        ports:
        - name: http2
          port: 80
          {{- if eq .Values.ingress.type "NodePort" }}
          nodePort: 31080
          {{- end }}
        - name: https
          port: 443
          {{- if eq .Values.ingress.type "NodePort" }}
          nodePort: 31443
          {{- end }}
        - name: amqp
          port: 5672
          {{- if eq .Values.ingress.type "NodePort" }}
          nodePort: 30672
          {{- end }}
        - name: amqps
          port: 5671
          {{- if eq .Values.ingress.type "NodePort" }}
          nodePort: 30671
          {{- end }}
        - name: fluentd-forward
          port: 24224
          {{- if eq .Values.ingress.type "NodePort" }}
          nodePort: 31224
          {{- end }}
        sds:
          enabled: true
          image: node-agent-k8s
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
        secretVolumes:
        - mountPath: /etc/istio/ingressgateway-certs
          name: ingressgateway-certs
          secretName: istio-ingressgateway-certs
        - mountPath: /etc/istio/ingressgateway-ca-certs
          name: ingressgateway-ca-certs
          secretName: istio-ingressgateway-ca-certs

    global:
      jwtPolicy: first-party-jwt
{{- end }}