#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0

#@ load("@ytt:data", "data")

---
apiVersion: v1
kind: Namespace
metadata:
  name: local-user-authenticator
  labels:
    name: local-user-authenticator
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: local-user-authenticator
  namespace: local-user-authenticator
---
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
apiVersion: v1
kind: Secret
metadata:
  name: image-pull-secret
  namespace: local-user-authenticator
  labels:
    app: local-user-authenticator
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson
#@ end
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: local-user-authenticator
  namespace: local-user-authenticator
  labels:
    app: local-user-authenticator
spec:
  replicas: 1
  selector:
    matchLabels:
      app: local-user-authenticator
  template:
    metadata:
      labels:
        app: local-user-authenticator
    spec:
      serviceAccountName: local-user-authenticator
      #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
      imagePullSecrets:
        - name: image-pull-secret
      #@ end
      containers:
        - name: local-user-authenticator
          #@ if data.values.image_digest:
          image:  #@ data.values.image_repo + "@" + data.values.image_digest
          #@ else:
          image: #@ data.values.image_repo + ":" + data.values.image_tag
          #@ end
          imagePullPolicy: IfNotPresent
          command: #! override the default entrypoint
            - /usr/local/bin/local-user-authenticator
---
apiVersion: v1
kind: Service
metadata:
  name: local-user-authenticator
  namespace: local-user-authenticator
  labels:
    app: local-user-authenticator
spec:
  type: ClusterIP
  selector:
    app: local-user-authenticator
  ports:
    - protocol: TCP
      port: 443
      targetPort: 443