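# StatefulSet for wg-easy, rendered by Helm.
# Resource name and the "app" label both come from the chart's wg-easy.name
# helper, which is defined outside this file.
# NOTE(review): no spec.serviceName is set here; confirm whether a governing
# Service is intended for this StatefulSet.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: {{ include "wg-easy.name" . }}
  labels:
    app: {{ include "wg-easy.name" . }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      app: {{ include "wg-easy.name" . }}
  template:
    metadata:
      labels:
        app: {{ include "wg-easy.name" . }}
    spec:
      # Emit the pod securityContext only when at least one forwarding sysctl
      # is enabled, so "sysctls:" is never rendered as a bare null key.
      # Both sysctls are outside the Kubernetes "safe" set: the kubelet on the
      # target node must list them in --allowed-unsafe-sysctls or the pod is
      # rejected. They apply to the pod's network namespace.
      {{- if or .Values.sysctls.ipv4Forward .Values.sysctls.ipv6Forward }}
      securityContext:
        sysctls:
          {{- if .Values.sysctls.ipv4Forward }}
          - name: net.ipv4.ip_forward
            value: "1"
          {{- end }}
          {{- if .Values.sysctls.ipv6Forward }}
          - name: net.ipv6.conf.all.forwarding
            value: "1"
          {{- end }}
      {{- end }}
      containers:
        - name: {{ include "wg-easy.name" . }}
          # NOTE(review): the tag is taken from values; a mutable tag lets the
          # running image change without a chart change. Prefer a fixed
          # version or a digest in values.
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            # NOTE(review): presumably the wg-easy web UI, served as plain
            # HTTP. Confirm the Service/Ingress in front of it adds TLS and is
            # not reachable from untrusted networks.
            - name: http
              containerPort: 51821
              protocol: TCP
            - name: wireguard
              containerPort: {{ .Values.service.wgPort }}
              protocol: UDP
          envFrom:
            # NOTE(review): every key of this ConfigMap becomes an environment
            # variable. If any of them is a credential (for example a UI
            # password or its hash), move it to a Secret and reference it with
            # secretRef; ConfigMaps are not meant for secret material.
            - configMapRef:
                name: {{ include "wg-easy.name" . }}
          securityContext:
            capabilities:
              # NET_ADMIN: interface, routing and firewall configuration.
              # SYS_MODULE: allows loading kernel modules into the node's
              # kernel, which is node-level privilege.
              # NOTE(review): SYS_MODULE is usually only required when the
              # wireguard module is not already loaded on the host; consider
              # making it opt-in through values. Also evaluate
              # allowPrivilegeEscalation: false and dropping unused default
              # capabilities once the set the image needs is confirmed.
              add: ["NET_ADMIN", "SYS_MODULE"]
          volumeMounts:
            # NOTE(review): /etc/wireguard presumably holds the server and
            # peer configuration including private keys; treat the backing
            # volume and its snapshots/backups as secret material.
            - name: wg-easy-data
              mountPath: /etc/wireguard
  volumeClaimTemplates:
    - metadata:
        name: wg-easy-data
      spec:
        # Render the list through toYaml. Printing a Go slice directly yields
        # "[a b]" for two entries, which YAML reads as ONE string element.
        # Assumes persistence.accessModes is a list in values (TODO confirm).
        accessModes:
          {{- toYaml .Values.persistence.accessModes | nindent 10 }}
        resources:
          requests:
            storage: {{ .Values.persistence.size }}
        # Omit storageClassName when unset so the cluster default applies.
        {{- if and .Values.persistence.storageClass (ne .Values.persistence.storageClass "") }}
        storageClassName: {{ .Values.persistence.storageClass | quote }}
        {{- end }}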