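---
# DaemonSet "telemt": one proxy pod on every node carrying the `mtproxy` label.
#
# Per pod:
#   1. init container `register-proxy` reads the node's `mtproxy` label (the
#      public server name), builds a tg://proxy link from the shared proxy
#      secret and port, and upserts it into the namespaced secret
#      `telemt-links` under the key <server>.
#   2. container `telemt` runs the proxy on the host network.
#
# Operational notes (not enforced by this manifest):
#   - The `mtproxy` service account needs RBAC for get on nodes and
#     get/create/patch on secrets in this namespace; the Role/RoleBinding
#     is not part of this file.
#   - Both images are pulled by mutable tag (`latest`); pin to a digest
#     (`image@sha256:<digest>`) for reproducible, supply-chain-verifiable
#     rollouts.
#   - The proxy secret appears in the init container's environment; keep
#     it out of stdout/stderr, since pod logs are readable by anyone with
#     `pods/log` access.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: telemt
  labels:
    app: telemt
spec:
  selector:
    matchLabels:
      app: telemt
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: telemt
    spec:
      # Schedule only onto nodes labelled `mtproxy=<public-server-name>`;
      # the label value is consumed by the init container below.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: mtproxy
                    operator: Exists
      serviceAccountName: mtproxy
      # The proxy binds directly on the node's network namespace, so the
      # container ports below are real host ports; ClusterFirstWithHostNet
      # keeps in-cluster DNS working for host-network pods.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      initContainers:
        - name: register-proxy
          # Mutable tag; see header note on pinning by digest.
          image: bitnami/kubectl:latest
          # NOTE(review): this container has no securityContext, unlike
          # `telemt` below; it runs with the image default user and a
          # writable root filesystem. Consider mirroring the hardening
          # if kubectl's runtime needs allow it.
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Shared MTProto proxy secret (hex) — sensitive.
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: tgproxy-secret
                  key: SECRET
            - name: TELEMT_PORT
              valueFrom:
                secretKeyRef:
                  name: telemt-secret
                  key: PORT
          command:
            - /bin/bash
            - -c
            - |
              set -e
              NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
              SERVER=$(kubectl get node "${NODE_NAME}" -o jsonpath='{.metadata.labels.mtproxy}')
              if [ -z "${SERVER}" ]; then
                echo "ERROR: node ${NODE_NAME} has no mtproxy label"
                exit 1
              fi
              # Build dd-prefixed secret for TLS mode: dd + secret + hex(tls_domain)
              # "ya.ru" = 79612e7275
              DD_SECRET="dd${SECRET}79612e7275"
              LINK="tg://proxy?server=${SERVER}&port=${TELEMT_PORT}&secret=${DD_SECRET}"
              # Do not print LINK: it embeds the proxy secret and pod logs
              # are not a secret store. Only the non-sensitive server name is logged.
              echo "Registering telemt for ${SERVER} into secret telemt-links"
              # SERVER comes from a node label, whose value syntax cannot
              # contain quotes or backslashes, so it is safe to splice into
              # the merge-patch JSON and to use as a secret data key.
              if kubectl get secret telemt-links -n "${NAMESPACE}" &>/dev/null; then
                kubectl patch secret telemt-links -n "${NAMESPACE}" \
                  --type merge -p "{\"stringData\":{\"${SERVER}\":\"${LINK}\"}}"
              else
                kubectl create secret generic telemt-links -n "${NAMESPACE}" \
                  --from-literal="${SERVER}=${LINK}"
              fi
              echo "Done"
      containers:
        - name: telemt
          # Mutable tag with Always pull; see header note on pinning by digest.
          image: ghcr.io/telemt/telemt:latest
          imagePullPolicy: Always
          ports:
            # Exposed on the host because of hostNetwork: true.
            - name: proxy
              containerPort: 30444
              protocol: TCP
            - name: api
              containerPort: 9091
              protocol: TCP
          workingDir: /run/telemt
          env:
            - name: RUST_LOG
              value: info
          volumeMounts:
            # Writable scratch dir (tmpfs) so the root FS can stay read-only.
            - name: workdir
              mountPath: /run/telemt
            # Config is projected from the `telemt-secret` secret, read-only.
            - name: config
              mountPath: /run/telemt/config.toml
              subPath: config.toml
              readOnly: true
            - name: etcdir
              mountPath: /etc/telemt
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      volumes:
        - name: config
          secret:
            secretName: telemt-secret
            items:
              - key: config.toml
                path: config.toml
        # Memory-backed scratch space, capped so a misbehaving process
        # cannot consume node memory through these mounts.
        - name: workdir
          emptyDir:
            medium: Memory
            sizeLimit: 1Mi
        - name: etcdir
          emptyDir:
            medium: Memory
            sizeLimit: 1Mi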