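# StatefulSet to run the actual vault server cluster.
# Rendered only when the chart resolves a non-empty mode and global.enabled
# is "true" (guard below). The "vault.*" helper templates supply the
# mode-specific pieces: scheduling, volumes, command/args, env and mounts.
{{ template "vault.mode" . }}
{{- if and (ne .mode "") (eq (.Values.global.enabled | toString) "true") }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: {{ template "vault.fullname" . }}
  labels:
    app: {{ template "vault.name" . }}
    chart: {{ template "vault.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  serviceName: {{ template "vault.fullname" . }}
  # Parallel: all replicas are started together rather than one by one;
  # which server becomes active is decided by Vault itself, not by pod order.
  podManagementPolicy: Parallel
  replicas: {{ template "vault.replicas" . }}
  # OnDelete: a chart upgrade does not automatically restart the servers;
  # each pod is replaced only when an operator deletes it.
  updateStrategy:
    type: OnDelete
  selector:
    matchLabels:
      app: {{ template "vault.name" . }}
      chart: {{ template "vault.chart" . }}
      release: {{ .Release.Name }}
      component: server
  template:
    metadata:
      labels:
        app: {{ template "vault.name" . }}
        chart: {{ template "vault.chart" . }}
        release: {{ .Release.Name }}
        component: server
      {{ template "vault.annotations" . }}
    spec:
      {{ template "vault.affinity" . }}
      {{ template "vault.tolerations" . }}
      {{ template "vault.nodeselector" . }}
      terminationGracePeriodSeconds: 10
      serviceAccountName: {{ template "vault.fullname" . }}
      # fsGroup is a pod-level field only (it is not valid under a container
      # securityContext and is silently dropped there by older API servers).
      # It sets the supplemental group applied to mounted volumes so the
      # vault process can write them.
      securityContext:
        fsGroup: {{ template "vault.fsgroup" . }}
      volumes:
        {{ template "vault.volumes" . }}
      containers:
        - name: vault
          {{ template "vault.resources" . }}
          securityContext:
            # NOTE(review): privileged gives the container unrestricted host
            # device access, far more than Vault needs. Vault's mlock only
            # requires the IPC_LOCK capability; prefer
            # `capabilities: {add: [IPC_LOCK]}` with
            # `allowPrivilegeEscalation: false` once the mode-specific
            # command is confirmed not to depend on anything else.
            privileged: true
          image: "{{ .Values.global.image }}"
          command: {{ template "vault.command" . }}
          args: {{ template "vault.args" . }}
          env:
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            # Plain-HTTP address of the local listener, read by the vault CLI
            # in the readiness probe and the preStop hook below. If the
            # listener is configured for TLS this value must change with it.
            - name: VAULT_ADDR
              value: "http://localhost:8200"
            - name: SKIP_CHOWN
              value: "true"
            {{ template "vault.envs" . }}
            {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
          volumeMounts:
            {{ template "vault.mounts" . }}
          lifecycle:
            preStop:
              exec:
                # Give up active duty to another server before this pod stops.
                command: ["vault", "step-down"]
          ports:
            - containerPort: 8200
              name: http
            - containerPort: 8201
              name: internal
            - containerPort: 8202
              name: replication
          readinessProbe:
            # Check status; unsealed vault servers return 0
            # The exit code reflects the seal status:
            #   0 - unsealed
            #   1 - error
            #   2 - sealed
            # A sealed server is therefore not Ready and gets no Service
            # traffic until it has been unsealed.
            exec:
              command: ["/bin/sh", "-ec", "vault status"]
            failureThreshold: 2
            initialDelaySeconds: 5
            periodSeconds: 3
            successThreshold: 1
            timeoutSeconds: 5
  {{ template "vault.volumeclaims" . }}
{{ end }}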