{{if .Values.gateway.enabled -}}
---
{{- $tree := deepCopy . }}
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    {{ include "partials.annotations.created-by" . }}
  labels:
    app.kubernetes.io/name: gateway
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: {{.Values.linkerdVersion}}
    component: gateway
    app: {{.Values.gateway.name}}
    linkerd.io/extension: multicluster
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  name: {{.Values.gateway.name}}
  namespace: {{ .Release.Namespace }}
spec:
  replicas: {{.Values.gateway.replicas}}
  revisionHistoryLimit: {{.Values.revisionHistoryLimit}}
  selector:
    matchLabels:
      app: {{.Values.gateway.name}}
  {{- if .Values.enablePodAntiAffinity }}
  strategy:
    rollingUpdate:
      maxUnavailable: 1
  {{- end }}
  template:
    metadata:
      annotations:
        {{ include "partials.annotations.created-by" . }}
        linkerd.io/inject: enabled
        config.linkerd.io/proxy-require-identity-inbound-ports: "{{.Values.gateway.port}}"
        config.linkerd.io/enable-gateway: "true"
        config.linkerd.io/default-inbound-policy: all-authenticated
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        {{- with .Values.gateway.deploymentAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }}
      labels:
        app: {{.Values.gateway.name}}
        linkerd.io/extension: multicluster
        {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
    spec:
      {{- $_ := set $tree "component" .Values.gateway.name -}}
      {{- $_ := set $tree "label" "app" -}}
      {{- include "linkerd.affinity" $tree | nindent 6 }}
      {{- if .Values.gateway.terminationGracePeriodSeconds }}
      terminationGracePeriodSeconds: {{.Values.gateway.terminationGracePeriodSeconds}}
      {{- end }}
      containers:
        - name: pause
          image: {{ .Values.gateway.pauseImage }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: {{.Values.gateway.UID}}
            runAsGroup: {{.Values.gateway.GID}}
            seccompProfile:
              type: RuntimeDefault
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: {{.Values.gateway.name}}
      {{- with .Values.gateway.nodeSelector }}
      nodeSelector: {{ toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.gateway.tolerations }}
      tolerations: {{ toYaml . | nindent 6 }}
      {{- end }}
{{- if .Values.enablePodAntiAffinity }}
---
kind: PodDisruptionBudget
apiVersion: policy/v1
metadata:
  name: {{.Values.gateway.name}}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{.Values.gateway.name}}
    linkerd.io/extension: multicluster
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" . }}
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: {{.Values.gateway.name}}
{{- end }}
---
apiVersion: v1
kind: Service
metadata:
  name: {{.Values.gateway.name}}
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/extension: multicluster
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    mirror.linkerd.io/gateway-identity: {{.Values.gateway.name}}.{{.Release.Namespace}}.serviceaccount.identity.{{.Values.linkerdNamespace}}.{{.Values.identityTrustDomain}}
    mirror.linkerd.io/probe-period: "{{.Values.gateway.probe.seconds}}"
    mirror.linkerd.io/probe-path: {{.Values.gateway.probe.path}}
    mirror.linkerd.io/multicluster-gateway: "true"
    component: gateway
    {{ include "partials.annotations.created-by" . }}
    {{- with .Values.gateway.serviceAnnotations }}{{ toYaml . | trim | nindent 4 }}{{- end }}
spec:
  ports:
  {{- $setNodePorts := (or (eq .Values.gateway.serviceType "NodePort") (eq .Values.gateway.serviceType "LoadBalancer")) }}
  - name: mc-gateway
    port: {{.Values.gateway.port}}
    protocol: TCP
  {{- if (and $setNodePorts .Values.gateway.nodePort) }}
    nodePort: {{ .Values.gateway.nodePort }}
  {{- end }}
  - name: mc-probe
    port: {{.Values.gateway.probe.port}}
    protocol: TCP
  {{- if (and $setNodePorts .Values.gateway.probe.nodePort) }}
    nodePort: {{ .Values.gateway.probe.nodePort }}
  {{- end }}
  selector:
    app: {{.Values.gateway.name}}
  type: {{ .Values.gateway.serviceType }}
{{- if .Values.gateway.loadBalancerClass }}
  loadBalancerClass: {{ .Values.gateway.loadBalancerClass }}
{{- end }}
{{- if .Values.gateway.loadBalancerIP }}
  loadBalancerIP: {{ .Values.gateway.loadBalancerIP }}
{{- end }}
{{- if .Values.gateway.loadBalancerSourceRanges }}
  loadBalancerSourceRanges:
  {{- range .Values.gateway.loadBalancerSourceRanges }}
  - {{ . }}
  {{- end }}
{{- end }}
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: {{.Values.gateway.name}}
  namespace: {{ .Release.Namespace }}
  labels:
    linkerd.io/extension: multicluster
    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
{{end -}}