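{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if ne $gateway.injectionTemplate "" }}
{{/*
  Minimal ingress gateway Deployment, ready to be injected. It is rendered only
  when gateways.istio-ingressgateway.injectionTemplate is a non-empty string.

  Any settings from values.gateways should be here - these are options specific
  to the gateway. Global settings, like the image, various env vars and volumes,
  etc. will be injected.

  The normal Deployment is not suitable for this, as the original pod spec will
  override the injection template.
*/}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ $gateway.name | default "istio-ingressgateway" }}
  namespace: {{ .Release.Namespace }}
  labels:
{{ $gateway.labels | toYaml | indent 4 }}
    release: {{ .Release.Name }}
    istio.io/rev: {{ .Values.revision | default "default" }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
    operator.istio.io/component: "IngressGateways"
spec:
{{- /* replicas is left unset when autoscaling is enabled, so this template does not pin a count. */}}
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
  replicas: {{ $gateway.replicaCount }}
{{- end }}
{{- end }}
  selector:
    matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
  strategy:
    rollingUpdate:
      maxSurge: {{ $gateway.rollingMaxSurge }}
      maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
  template:
    metadata:
      labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
        heritage: Tiller
        release: istio
        chart: gateways
{{- end }}
        install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
        operator.istio.io/component: "IngressGateways"
        sidecar.istio.io/inject: "true"
        {{- with .Values.revision }}
        istio.io/rev: {{ . }}
        {{- end }}
      annotations:
        {{- if .Values.meshConfig.enablePrometheusMerge }}
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        prometheus.io/path: "/stats/prometheus"
        {{- end }}
        sidecar.istio.io/inject: "true"
        inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
{{- /*
  podAnnotations are emitted after the fixed annotations above. A key repeated
  there produces a duplicate mapping key, which most YAML parsers resolve as
  last-wins, so user-supplied annotations can replace the two inject
  annotations. Review podAnnotations values with that in mind.
*/}}
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
    spec:
{{- /*
  The non-root identity (UID/GID 1337) is set only when runAsRoot is false.
  With runAsRoot true this template emits neither the pod-level nor the
  container-level securityContext, so nothing in this file restricts the pod.
*/}}
{{- if not $gateway.runAsRoot }}
      securityContext:
        runAsUser: 1337
        runAsGroup: 1337
        runAsNonRoot: true
        fsGroup: 1337
{{- end }}
      serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
{{- if .Values.global.priorityClassName }}
      priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
      containers:
        - name: istio-proxy
          {{- /* "auto" is a placeholder: per the note at the top of this file, the image is supplied by injection. */}}
          image: auto
          ports:
            {{- range $key, $val := $gateway.ports }}
            - containerPort: {{ $val.targetPort | default $val.port }}
              protocol: {{ $val.protocol | default "TCP" }}
            {{- end }}
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
        {{- /* Container hardening, tied to the same runAsRoot switch as the pod securityContext. */}}
        {{- if not $gateway.runAsRoot }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
        {{- end }}
          resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
          env:
          {{- if not $gateway.runAsRoot }}
          - name: ISTIO_META_UNPRIVILEGED_POD
            value: "true"
          {{- end }}
          {{- /*
            Env values are quoted. Kubernetes requires EnvVar.value to be a
            string, so an unquoted value such as true or 1337 would render as a
            YAML bool/int and fail validation. Quoting also keeps characters
            such as ": " or " #" inside a value from altering the rendered
            manifest structure.
          */}}
          {{- range $key, $val := $gateway.env }}
          - name: {{ $key }}
            value: {{ $val | quote }}
          {{- end }}
          volumeMounts:
          {{- range $gateway.secretVolumes }}
          - name: {{ .name }}
            mountPath: {{ .mountPath | quote }}
            readOnly: true
          {{- end }}
          {{- range $gateway.configVolumes }}
          {{- if .mountPath }}
          - name: {{ .name }}
            mountPath: {{ .mountPath | quote }}
            readOnly: true
          {{- end }}
          {{- end }}
{{- /*
  additionalContainers are rendered verbatim as further entries of the
  containers list. The securityContext above belongs to the istio-proxy
  container only, so each additional container must declare its own.
*/}}
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
      volumes:
      {{- /*
        Secret and ConfigMap volumes are marked optional, so the pod is
        scheduled and started even when the referenced object does not exist.
        A missing certificate Secret therefore does not block the rollout.
      */}}
      {{- range $gateway.secretVolumes }}
      - name: {{ .name }}
        secret:
          secretName: {{ .secretName | quote }}
          optional: true
      {{- end }}
      {{- range $gateway.configVolumes }}
      - name: {{ .name }}
        configMap:
          name: {{ .configMapName | quote }}
          optional: true
      {{- end }}
      affinity:
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
{{- include "podAntiAffinity" $gateway | indent 6 }}
{{- /* Gateway-specific tolerations take precedence; the global defaults apply only when none are set. */}}
{{- if $gateway.tolerations }}
      tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
      tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
{{- end }}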