{{ if .Values.notary.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ template "harbor.notary-server" . }}
  labels:
{{ include "harbor.labels" . | indent 4 }}
    component: notary-server
spec:
  replicas: {{ .Values.notary.server.replicas }}
  selector:
    matchLabels:
{{ include "harbor.matchLabels" . | indent 6 }}
      component: notary-server
  template:
    metadata:
      labels:
{{ include "harbor.labels" . | indent 8 }}
        component: notary-server
      annotations:
        checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }}
        checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }}
{{- if .Values.notary.podAnnotations }}
{{ toYaml .Values.notary.podAnnotations | indent 8 }}
{{- end }}
    spec:
      securityContext:
        fsGroup: 10000
{{- if .Values.notary.server.serviceAccountName }}
      serviceAccountName: {{ .Values.notary.server.serviceAccountName }}
{{- end -}}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
      - name: notary-server
        image: {{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag }}
        imagePullPolicy: {{ .Values.imagePullPolicy }}
{{- if .Values.notary.server.resources }}
        resources:
{{ toYaml .Values.notary.server.resources | indent 10 }}
{{- end }}
        env:
        - name: MIGRATIONS_PATH
          value: migrations/server/postgresql
        - name: DB_URL
          value: {{ template "harbor.database.notaryServer" . }}
        volumeMounts:
        - name: config
          mountPath: /etc/notary/server-config.postgres.json
          subPath: server.json
        - name: token-service-certificate
          mountPath: /root.crt
          subPath: tls.crt
        - name: signer-certificate
          mountPath: /etc/ssl/notary/ca.crt
          subPath: ca.crt
        - name: etc-localtime
          mountPath: /etc/localtime
      volumes:
      - name: etc-localtime
        hostPath:
          path: /etc/localtime
      - name: config
        secret:
          secretName: "{{ template "harbor.notary-server" . }}"
      - name: token-service-certificate
        secret:
          {{- if .Values.core.secretName }}
          secretName: {{ .Values.core.secretName }}
          {{- else }}
          secretName: {{ template "harbor.core" . }}
          {{- end }}
      - name: signer-certificate
        secret:
          {{- if .Values.notary.secretName }}
          secretName: {{ .Values.notary.secretName }}
          {{- else }}
          secretName: {{ template "harbor.notary-server" . }}
          {{- end }}
    {{- with .Values.notary.nodeSelector }}
      nodeSelector:
{{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.notary.affinity }}
      affinity:
{{ toYaml . | indent 8 }}
    {{- end }}
    {{- with .Values.notary.tolerations }}
      tolerations:
{{ toYaml . | indent 8 }}
    {{- end }}
{{ end }}