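---
# Helm template: Deployment for the headscale server.
#
# Values read by this template:
#   .Values.namespace           namespace the Deployment is created in
#   .Values.image / .imageTag   container image reference
#   .Values.mounts.data         volume source for the "data" volume (rendered verbatim)
#   .Values.secrets.secretName  optional Secret mounted at /etc/headscale/secrets
# Labels come from the "common.app.labels" named template.
apiVersion: apps/v1
kind: Deployment
metadata:
  # Quoted so an empty or boolean/number-looking value cannot change type.
  namespace: {{ .Values.namespace | quote }}
  name: headscale
  labels:
    {{- include "common.app.labels" . | nindent 4 }}
spec:
  replicas: 1
  selector:
    matchLabels:
      {{- include "common.app.labels" . | nindent 6 }}
  template:
    metadata:
      # Pod labels must match spec.selector.matchLabels; apps/v1 rejects a
      # Deployment whose selector does not match its pod template labels.
      labels:
        {{- include "common.app.labels" . | nindent 8 }}
    spec:
      containers:
        - name: headscale
          image: "{{ .Values.image }}:{{ .Values.imageTag }}"
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
            # NOTE(review): the metrics port should normally stay cluster-internal;
            # confirm no Service or Ingress publishes it.
            - containerPort: 9090
              name: metrics
              protocol: TCP
          args:
            - --config
            - /etc/headscale/config/config.yaml
            - serve
          volumeMounts:
            # Configuration comes from the "headscale" ConfigMap, mounted read-only.
            - mountPath: /etc/headscale/config
              name: config
              readOnly: true
            # Writable, memory-backed scratch space at /var/run.
            - mountPath: /var/run
              name: tmp
            {{- if .Values.secrets }}
            # Secret material is mounted only when .Values.secrets is set.
            - mountPath: /etc/headscale/secrets
              name: secrets
              readOnly: true
            {{- end }}
          securityContext:
            # With runAsNonRoot and all capabilities dropped, also block
            # setuid/file-capability privilege gain inside the container.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            # NOTE(review): readOnlyRootFilesystem is not set; enable it once
            # every path headscale writes to is a mounted volume. TODO confirm.
      volumes:
        - name: config
          configMap:
            name: headscale
        - name: tmp
          emptyDir:
            medium: Memory
        # NOTE(review): the "data" volume is declared here but no volumeMount in
        # the container references it, so nothing is persisted to it. Confirm the
        # intended mount path against config.yaml and add the mount.
        - name: data
          {{- .Values.mounts.data | toYaml | nindent 10 }}
        {{- if .Values.secrets }}
        - name: secrets
          secret:
            secretName: {{ .Values.secrets.secretName | quote }}
        {{- end }}
      securityContext:
        runAsNonRoot: true
        runAsUser: 10000
        runAsGroup: 10000
        # Apply the container runtime's default seccomp filter to all containers.
        seccompProfile:
          type: RuntimeDefault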