{{- if .Values.cloudSqlProxy.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backstage-cloudsql-proxy
  namespace: {{ .Values.namespaceOverride }}
  labels:
    {{- include "backstage.labels" . | nindent 4 }}
    app: backstage-cloudsql-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: backstage-cloudsql-proxy
  template:
    metadata:
      labels:
        app: backstage-cloudsql-proxy
        {{- include "backstage.selectorLabels" . | nindent 8 }}
    spec:
      serviceAccountName: {{ .Values.cloudSqlProxyServiceAccount.name }}
      automountServiceAccountToken: true
      securityContext:
        fsGroup: 65532
        runAsUser: 65532
        runAsNonRoot: true
      containers:
      - name: cloud-sql-proxy
        image: "{{ .Values.cloudSqlProxy.image.repository }}:{{ .Values.cloudSqlProxy.image.tag }}"
        args:
          - "{{ .Values.cloudSqlProxy.connectionName }}"
          - "--port={{ .Values.cloudSqlProxy.port }}"
          - "--address=0.0.0.0"
          {{- if .Values.cloudSqlProxy.privateIp }}
          - "--private-ip"
          {{- end }}
        ports:
        - name: postgres
          containerPort: {{ .Values.cloudSqlProxy.port }}
          protocol: TCP
        securityContext:
          runAsNonRoot: true
          runAsUser: 65532
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: false
        resources:
          {{- toYaml .Values.cloudSqlProxy.resources | nindent 10 }}
{{- end }}