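# StatefulSet to run the actual vault server cluster.
# Rendered when server.enabled is true, or when server.enabled is "-" (unset)
# and global.enabled is true.
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: {{ template "vault.fullname" . }}-server
  labels:
    app: {{ template "vault.name" . }}
    chart: {{ template "vault.chart" . }}
    heritage: {{ .Release.Service }}
    # Quoted so a release name that looks like a number stays a string label.
    release: "{{ .Release.Name }}"
spec:
  serviceName: {{ template "vault.fullname" . }}-server
  podManagementPolicy: Parallel
  replicas: {{ .Values.server.replicas }}
  selector:
    matchLabels:
      app: {{ template "vault.name" . }}
      chart: {{ template "vault.chart" . }}
      release: "{{ .Release.Name }}"
      component: server
  template:
    metadata:
      labels:
        app: {{ template "vault.name" . }}
        chart: {{ template "vault.chart" . }}
        release: "{{ .Release.Name }}"
        component: server
    spec:
      affinity:
        podAntiAffinity:
          # Hard anti-affinity: at most one vault server pod per node.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: {{ template "vault.name" . }}
                  release: "{{ .Release.Name }}"
                  component: server
              topologyKey: kubernetes.io/hostname
      terminationGracePeriodSeconds: 10
      securityContext:
        # Pod-level field: mounted volumes (the data PVC) are group-owned by GID 1000.
        fsGroup: 1000
      volumes:
        - name: config
          configMap:
            name: {{ template "vault.fullname" . }}-server-config
        {{- range .Values.server.extraVolumes }}
        # Each extra volume is either a configMap or a secret, selected by .type.
        - name: userconfig-{{ .name }}
          {{ .type }}:
          {{- if (eq .type "configMap") }}
            name: {{ .name }}
          {{- else if (eq .type "secret") }}
            secretName: {{ .name }}
          {{- end }}
        {{- end }}
      containers:
        - name: vault
          securityContext:
            # fsGroup is not a valid container-level securityContext field; it is
            # set once on the pod above. Vault's mlock needs only CAP_IPC_LOCK, so
            # the previous `privileged: true` is replaced by that single capability.
            # NOTE(review): if mlock is disabled in the server config, this
            # capability can be dropped as well.
            capabilities:
              add:
                - IPC_LOCK
          image: "{{ default .Values.global.image .Values.server.image }}"
          env:
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: VAULT_ADDR
              # Loopback address used by the in-container CLI (see preStop).
              value: "http://localhost:8200"
          command:
            - "vault"
            - "server"
            - "-config=/vault/config/"
          volumeMounts:
            - name: data
              mountPath: /vault/data
            - name: config
              mountPath: /vault/config
            {{- range .Values.server.extraVolumes }}
            - name: userconfig-{{ .name }}
              readOnly: true
              mountPath: /vault/userconfig/{{ .name }}
            {{- end }}
          lifecycle:
            preStop:
              exec:
                # One argv element per list item: a single "vault step-down"
                # string is looked up as one executable name and never runs.
                # NOTE(review): step-down requires an authenticated token in the
                # container environment — confirm how it is supplied.
                command:
                  - "vault"
                  - "step-down"
          ports:
            - containerPort: 8200
              name: http
          # readinessProbe:
          #   # NOTE(mitchellh): when our HTTP status endpoints support the
          #   # proper status codes, we should switch to that. This is temporary.
          #   # TODO: verify for Vault
          #   # exec:
          #   #   command:
          #   #     - "/bin/sh"
          #   #     - "-ec"
          #   #     - |
          #   #       curl http://127.0.0.1:8500/v1/status/leader 2>/dev/null | \
          #   #         grep -E '".+"'
          #   failureThreshold: 2
          #   initialDelaySeconds: 5
          #   periodSeconds: 3
          #   successThreshold: 1
          #   timeoutSeconds: 5
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: {{ .Values.server.storage }}
        {{- if .Values.server.storageClass }}
        storageClassName: {{ .Values.server.storageClass }}
        {{- end }}
{{- end }}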