{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
{{- if .Values.client.snapshotAgent.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ template "consul.fullname" . }}-snapshot-agent
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "consul.name" . }}
    chart: {{ template "consul.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  replicas: {{ .Values.client.snapshotAgent.replicas }}
  selector:
    matchLabels:
      app: {{ template "consul.name" . }}
      chart: {{ template "consul.chart" . }}
      release: {{ .Release.Name }}
      component: client-snapshot-agent
  template:
    metadata:
      labels:
        app: {{ template "consul.name" . }}
        chart: {{ template "consul.chart" . }}
        release: {{ .Release.Name }}
        component: client-snapshot-agent
      annotations:
        "consul.hashicorp.com/connect-inject": "false"
    spec:
      {{- if .Values.client.tolerations }}
      tolerations:
        {{ tpl .Values.client.tolerations . | nindent 8 | trim }}
      {{- end }}
      terminationGracePeriodSeconds: 10
      serviceAccountName: {{ template "consul.fullname" . }}-snapshot-agent
      {{- if .Values.client.priorityClassName }}
      priorityClassName: {{ .Values.client.priorityClassName | quote }}
      {{- end }}
      {{- if (or .Values.global.bootstrapACLs .Values.global.tls.enabled (and .Values.client.snapshotAgent.configSecret.secretName .Values.client.snapshotAgent.configSecret.secretKey)) }}
      volumes:
        {{- if (and .Values.client.snapshotAgent.configSecret.secretName .Values.client.snapshotAgent.configSecret.secretKey) }}
        - name: snapshot-config
          secret:
            secretName: {{ .Values.client.snapshotAgent.configSecret.secretName }}
            items:
            - key: {{ .Values.client.snapshotAgent.configSecret.secretKey }}
              path: snapshot-config.json
        {{- end }}
        {{- if .Values.global.bootstrapACLs }}
        - name: aclconfig
          emptyDir: {}
        {{- end }}
        {{- if .Values.global.tls.enabled }}
        - name: consul-ca-cert
          secret:
            {{- if .Values.global.tls.caCert.secretName }}
            secretName: {{ .Values.global.tls.caCert.secretName }}
            {{- else }}
            secretName: {{ template "consul.fullname" . }}-ca-cert
            {{- end }}
            items:
            - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
              path: tls.crt
        {{- end }}
      {{- end }}
      containers:
        - name: consul-snapshot-agent
          image: "{{ default .Values.global.image .Values.client.image }}"
          env:
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            {{- if .Values.global.tls.enabled }}
            - name: CONSUL_HTTP_ADDR
              value: https://$(HOST_IP):8501
            - name: CONSUL_CACERT
              value: /consul/tls/ca/tls.crt
            {{- else }}
            - name: CONSUL_HTTP_ADDR
              value: http://$(HOST_IP):8500
            {{- end }}
            {{- if .Values.global.bootstrapACLs }}
            - name: CONSUL_HTTP_TOKEN
              valueFrom:
                secretKeyRef:
                  name: "{{ template "consul.fullname" . }}-client-snapshot-agent-acl-token"
                  key: "token"
            {{- end}}
          command:
            - "/bin/sh"
            - "-ec"
            - |
              exec /bin/consul snapshot agent \
                {{- if (and .Values.client.snapshotAgent.configSecret.secretName .Values.client.snapshotAgent.configSecret.secretKey) }}
                -config-dir=/consul/config \
                {{- end }}
                {{- if .Values.global.bootstrapACLs}}
                -config-dir=/consul/aclconfig \
                {{- end }}
          {{- if (or .Values.global.bootstrapACLs .Values.global.tls.enabled (and .Values.client.snapshotAgent.configSecret.secretName .Values.client.snapshotAgent.configSecret.secretKey) ) }}
          volumeMounts:
            {{- if (and .Values.client.snapshotAgent.configSecret.secretName .Values.client.snapshotAgent.configSecret.secretKey) }}
            - name: snapshot-config
              readOnly: true
              mountPath: /consul/config
            {{- end }}
            {{- if .Values.global.bootstrapACLs}}
            - name: aclconfig
              mountPath: /consul/aclconfig
            {{- end }}
            {{- if .Values.global.tls.enabled }}
            - name: consul-ca-cert
              mountPath: /consul/tls/ca
              readOnly: true
            {{- end }}
          {{- end }}
      {{- if .Values.global.bootstrapACLs }}
      initContainers:
      - name: client-snapshot-agent-acl-init
        image: {{ .Values.global.imageK8S }}
        command:
          - "/bin/sh"
          - "-ec"
          - |
            consul-k8s acl-init \
              -secret-name="{{ template "consul.fullname" . }}-client-snapshot-agent-acl-token" \
              -k8s-namespace={{ .Release.Namespace }} \
              -init-type="sync"
        volumeMounts:
          - name: aclconfig
            mountPath: /consul/aclconfig
      {{- end }}
      {{- if .Values.client.nodeSelector }}
      nodeSelector:
        {{ tpl .Values.client.nodeSelector . | indent 8 | trim }}
      {{- end }}
{{- end }}
{{- end }}