{{ if .Values.clair.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ template "harbor.clair" . }}
  labels:
{{ include "harbor.labels" . | indent 4 }}
    component: clair
spec:
  replicas: {{ .Values.clair.replicas }}
  selector:
    matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
      component: clair
  template:
    metadata:
      labels:
{{ include "harbor.labels" . | indent 8 }}
        component: clair
      annotations:
        checksum/secret: {{ include (print $.Template.BasePath "/clair/clair-secret.yaml") . | sha256sum }}
{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }}
        checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }}
{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }}
        checksum/tls: {{ include (print $.Template.BasePath "/clair/clair-tls.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.clair.podAnnotations }}
{{ toYaml .Values.clair.podAnnotations | indent 8 }}
{{- end }}
    spec:
      securityContext:
        fsGroup: 10000
{{- if .Values.clair.serviceAccountName }}
      serviceAccountName: {{ .Values.clair.serviceAccountName }}
{{- end -}}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
      - name: clair
{{- if contains "/" .Values.clair.clair.image.repository }}
        image: "{{ .Values.clair.clair.image.repository }}"
{{- else }}
        image: "{{ .Values.clair.clair.image.hub | default .Values.global.hub }}/{{ .Values.clair.clair.image.repository }}:{{ .Values.clair.clair.image.tag | default .Values.global.tag }}{{ template "beagle.arch" . }}"
{{- end }}
        imagePullPolicy: "{{ .Values.imagePullPolicy | default .Values.global.imagePullPolicy }}"
        livenessProbe:
          httpGet:
            path: /health
            port: 6061
          initialDelaySeconds: 300
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /health
            port: 6061
          initialDelaySeconds: 30
          periodSeconds: 10
        args: ["-log-level", "{{ .Values.logLevel }}"]
        env:
        {{- if has "clair" .Values.proxy.components }}
        - name: HTTP_PROXY
          value: "{{ .Values.proxy.httpProxy }}"
        - name: HTTPS_PROXY
          value: "{{ .Values.proxy.httpsProxy }}"
        - name: NO_PROXY
          value: "{{ template "harbor.noProxy" . }}"
        {{- end }}
{{- if .Values.clair.clair.resources }}
        resources:
{{ toYaml .Values.clair.clair.resources | indent 10 }}
{{- end }}
        ports:
        - containerPort: 6060
        volumeMounts:
        - name: config
          mountPath: /etc/clair/config.yaml
          subPath: config.yaml
        {{- if .Values.internalTLS.enabled }}
        - name: clair-internal-certs
          mountPath: /etc/harbor/ssl/clair
        {{- end }}
        {{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
        {{- end }}
      - name: adapter
        image: {{ .Values.clair.adapter.image.repository }}:{{ .Values.clair.adapter.image.tag }}
        imagePullPolicy: {{ .Values.imagePullPolicy }}
        livenessProbe:
          httpGet:
            path: /probe/healthy
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.clairAdapter.containerPort" . }}
          initialDelaySeconds: 300
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /probe/ready
            scheme: {{ include "harbor.component.scheme" . | upper }}
            port: {{ template "harbor.clairAdapter.containerPort" . }}
          initialDelaySeconds: 30
          periodSeconds: 10
        env:
        - name: SCANNER_CLAIR_URL
          # To avoid a pod cannot reach itself via service IP when the clusters disable hairpin
          value: "http://127.0.0.1:6060"
        - name: SCANNER_STORE_REDIS_URL
          valueFrom:
              secretKeyRef:
                name: {{ template "harbor.clair" . }}
                key: redis
        - name: SCANNER_CLAIR_DATABASE_URL
          valueFrom:
              secretKeyRef:
                name: {{ template "harbor.clair" . }}
                key: database
        {{- if .Values.internalTLS.enabled }}
        - name: INTERNAL_TLS_ENABLED
          value: "true"
        - name: SCANNER_API_SERVER_ADDR
          value: ":8443"
        - name: SCANNER_API_SERVER_TLS_KEY
          value: /etc/harbor/ssl/clair/tls.key
        - name: SCANNER_API_SERVER_TLS_CERTIFICATE
          value: /etc/harbor/ssl/clair/tls.crt
        {{- end }}
        - name: SCANNER_LOG_LEVEL
          value: "{{ .Values.logLevel }}"
{{- if .Values.clair.adapter.resources }}
        resources:
{{ toYaml .Values.clair.adapter.resources | indent 10 }}
{{- end }}
        ports:
        - containerPort: {{ template "harbor.clairAdapter.containerPort" . }}
        {{- if or .Values.internalTLS.enabled .Values.caBundleSecretName }}
        volumeMounts:
        {{- if .Values.internalTLS.enabled }}
        - name: clair-internal-certs
          mountPath: /etc/harbor/ssl/clair
        {{- end }}
        {{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 8 }}
        {{- end }}
        {{- end }}
      volumes:
      - name: config
        secret:
          secretName: "{{ template "harbor.clair" . }}"
      {{- if .Values.internalTLS.enabled }}
      - name: clair-internal-certs
        secret:
          secretName: {{ template "harbor.internalTLS.clair.secretName" . }}
      {{- end }}
      {{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolume" . | indent 6 }}
      {{- end }}
    {{- with .Values.clair.nodeSelector }}
      nodeSelector:
{{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.clair.affinity }}
      affinity:
{{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.clair.tolerations }}
      tolerations:
{{ toYaml . | indent 8 }}
    {{- end }}
{{ end }}