{{- if .Values.controller.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ template "metallb.fullname" . }}-controller
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "metallb.labels" . | nindent 4 }}
    app.kubernetes.io/component: controller
    {{- range $key, $value := .Values.controller.labels }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
spec:
  {{- if .Values.controller.strategy }}
  strategy: {{- toYaml .Values.controller.strategy | nindent 4 }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "metallb.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/component: controller
  template:
    metadata:
      {{- if or .Values.prometheus.scrapeAnnotations .Values.controller.podAnnotations }}
      annotations:
        {{- if .Values.prometheus.scrapeAnnotations }}
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ .Values.prometheus.metricsPort }}"
        {{- end }}
        {{- with .Values.controller.podAnnotations }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- end }}
      labels:
        {{- include "metallb.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/component: controller
        {{- range $key, $value := .Values.controller.labels }}
        {{ $key }}: {{ $value | quote }}
        {{- end }}
    spec:
      {{- with .Values.controller.runtimeClassName }}
      runtimeClassName: {{ . | quote }}
      {{- end }}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ template "metallb.controller.serviceAccountName" . }}
      terminationGracePeriodSeconds: 0
{{- if .Values.controller.securityContext }}
      securityContext:
{{ toYaml .Values.controller.securityContext | indent 8 }}
{{- end }}
      containers:
      - name: controller
        image: {{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}
        {{- if .Values.controller.image.pullPolicy }}
        imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
        {{- end }}
        {{- if .Values.controller.command }}
        command:
          - {{ .Values.controller.command }}
        {{- end }}
        args:
        - --port={{ .Values.prometheus.metricsPort }}
        {{- with .Values.controller.logLevel }}
        - --log-level={{ . }}
        {{- end }}
        {{- if .Values.loadBalancerClass }}
        - --lb-class={{ .Values.loadBalancerClass }}
        {{- end }}
        {{- if .Values.controller.webhookMode }}
        - --webhook-mode={{ .Values.controller.webhookMode }}
        {{- end }}
        {{- if .Values.controller.tlsMinVersion }}
        - --tls-min-version={{ .Values.controller.tlsMinVersion }}
        {{- end }}
        {{- if .Values.controller.tlsCipherSuites }}
        - --tls-cipher-suites={{ .Values.controller.tlsCipherSuites }}
        {{- end }}
        env:
        {{- if and .Values.speaker.enabled .Values.speaker.memberlist.enabled }}
        - name: METALLB_ML_SECRET_NAME
          value: {{ include "metallb.secretName" . }}
        - name: METALLB_DEPLOYMENT
          value: {{ template "metallb.fullname" . }}-controller
        {{- end }}
        {{- if .Values.speaker.frr.enabled }}
        - name: METALLB_BGP_TYPE
          value: frr
        {{- end }}
        {{- if or .Values.frrk8s.enabled .Values.frrk8s.external }}
        - name: METALLB_BGP_TYPE
          value: frr-k8s
        {{- end }}
        ports:
        - name: monitoring
          containerPort: {{ .Values.prometheus.metricsPort }}
        - containerPort: 9443
          name: webhook-server
          protocol: TCP
        volumeMounts:
        - mountPath: /tmp/k8s-webhook-server/serving-certs
          name: cert
          readOnly: true
        {{- if .Values.controller.livenessProbe.enabled }}
        livenessProbe:
          httpGet:
            path: /metrics
            port: monitoring
          initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }}
          periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }}
          timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }}
          successThreshold: {{ .Values.controller.livenessProbe.successThreshold }}
          failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }}
        {{- end }}
        {{- if .Values.controller.readinessProbe.enabled }}
        readinessProbe:
          httpGet:
            path: /metrics
            port: monitoring
          initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
          periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
          timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
          successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
          failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
        {{- end }}
        {{- with .Values.controller.resources }}
        resources:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
      {{- if .Values.prometheus.secureMetricsPort }}
      - name: kube-rbac-proxy
        image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag }}
        imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }}
        args:
          - --logtostderr
          - --secure-listen-address=:{{ .Values.prometheus.secureMetricsPort }}
          - --upstream=http://127.0.0.1:{{ .Values.prometheus.metricsPort }}/
          - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        {{- if .Values.prometheus.controllerMetricsTLSSecret }}
          - --tls-private-key-file=/etc/metrics/tls.key
          - --tls-cert-file=/etc/metrics/tls.crt
        {{- end }}
        ports:
          - containerPort: {{ .Values.prometheus.secureMetricsPort }}
            name: metricshttps
        resources:
          requests:
            cpu: 10m
            memory: 20Mi
        terminationMessagePolicy: FallbackToLogsOnError
        {{- if .Values.prometheus.controllerMetricsTLSSecret }}
        volumeMounts:
          - name: metrics-certs
            mountPath: /etc/metrics
            readOnly: true
        {{- end }}
      {{ end }}
      {{- if .Values.controller.extraContainers }}
      {{- toYaml .Values.controller.extraContainers | nindent 6 }}
      {{- end }}
      nodeSelector:
        "kubernetes.io/os": linux
        {{- with .Values.controller.nodeSelector }}
          {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.controller.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.controller.tolerations }}
      tolerations:
        {{- toYaml . | nindent 6 }}
      {{- end }}
      {{- with .Values.controller.priorityClassName }}
      priorityClassName: {{ . | quote }}
      {{- end }}
      volumes:
      - name: cert
        secret:
          defaultMode: 420
          secretName: metallb-webhook-cert
      {{- if .Values.prometheus.controllerMetricsTLSSecret }}
      - name: metrics-certs
        secret:
          secretName: {{ .Values.prometheus.controllerMetricsTLSSecret }}
      {{- end }}
{{- end }}