{{ if .Values.linkerd.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: linkerd
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "5"
  #finalizers:
  #- resources-finalizer.argocd.argoproj.io
spec:
  destination:
    namespace: linkerd
    server: 'https://kubernetes.default.svc'
  sources:
  - repoURL: {{ .Values.cluster_config.manifests }}
    path: {{ .Values.cluster_config.policies }}/linkerd
    targetRevision: HEAD
  - repoURL: 'https://helm.linkerd.io/stable'
    targetRevision: {{ .Values.linkerd.version }}
    chart: linkerd-control-plane
    helm:
      values: |
        identityTrustAnchorsPEM: {{- .Values.linkerd.trustAnchorPEM | toYaml | indent 7 }}
        identity:
          issuer:
            scheme: {{ .Values.linkerd.secretScheme }}
            {{- if .Values.linkerd.identityIssuerPEM }}
            tls:
              crtPEM: {{- .Values.linkerd.identityIssuerPEM | toYaml | indent 14 }}
            {{- end }}
        policyValidator:
          externalSecret: true
          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
        proxyInjector:
          externalSecret: true
          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
        profileValidator:
          externalSecret: true
          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}

  project: sys
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        component: sys
    syncOptions:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
    {{- if .Values.linkerd.autosync }}
    automated:
      prune: true
      # selfHeal: false
    {{- end }}
  ignoreDifferences:
  - group: batch
    kind: CronJob
    jsonPointers:
      - /spec/schedule
  - kind: Secret
    name:  linkerd-proxy-injector-k8s-tls
    jsonPointers:
    - /data/tls.crt
    - /data/tls.key
  - kind: Secret
    name:  linkerd-sp-validator-k8s-tls
    jsonPointers:
    - /data/tls.crt
    - /data/tls.key
  - kind: Secret
    name:  linkerd-tap-k8s-tls
    jsonPointers:
    - /data/tls.crt
    - /data/tls.key
  - kind: Secret
    name:  linkerd-policy-validator-k8s-tls
    jsonPointers:
    - /data/tls.crt
    - /data/tls.key
  - group: admissionregistration.k8s.io
    kind: MutatingWebhookConfiguration
    name: linkerd-proxy-injector-webhook-config
    jqPathExpressions:
      - '.webhooks[0].clientConfig.caBundle'
  - group: admissionregistration.k8s.io
    kind: ValidatingWebhookConfiguration
    name: linkerd-sp-validator-webhook-config
    jqPathExpressions:
      - '.webhooks[0].clientConfig.caBundle'
  - group: admissionregistration.k8s.io
    kind: ValidatingWebhookConfiguration
    name: linkerd-policy-validator-webhook-config
    jqPathExpressions:
      - '.webhooks[0].clientConfig.caBundle'
  - group: apiregistration.k8s.io/v1
    kind: APIService
    name: v1alpha1.tap.linkerd.io
    jsonPointers:
    - /spec/caBundle
{{ end }}