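# dch-webhooks: ServiceAccount, ClusterIP Service and Deployment for the
# webhook receiver. No namespace is set in this file.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dch-webhooks
  labels:
    app.kubernetes.io/name: dch-webhooks
    app.kubernetes.io/component: dch-webhooks
    app.kubernetes.io/part-of: dch-webhooks

---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: dch-webhooks
    app.kubernetes.io/component: dch-webhooks
    app.kubernetes.io/instance: dch-webhooks
    app.kubernetes.io/part-of: dch-webhooks
  name: dch-webhooks
spec:
  ports:
    # targetPort is omitted, so it defaults to the same value as port (8000).
    - name: http
      port: 8000
  selector:
    app.kubernetes.io/name: dch-webhooks
    app.kubernetes.io/component: dch-webhooks
    app.kubernetes.io/instance: dch-webhooks
  # ClusterIP keeps the listener cluster-internal; any external exposure
  # (Ingress, NetworkPolicy) is defined outside this file.
  type: ClusterIP

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dch-webhooks
  labels:
    app.kubernetes.io/name: dch-webhooks
    app.kubernetes.io/component: dch-webhooks
    app.kubernetes.io/instance: dch-webhooks
    app.kubernetes.io/part-of: dch-webhooks
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: dch-webhooks
      app.kubernetes.io/component: dch-webhooks
      app.kubernetes.io/instance: dch-webhooks
  template:
    metadata:
      labels:
        app.kubernetes.io/name: dch-webhooks
        app.kubernetes.io/component: dch-webhooks
        app.kubernetes.io/instance: dch-webhooks
    spec:
      containers:
        - name: dch-webhooks
          # NOTE(review): no tag or digest is given, so this resolves to
          # :latest and the running code depends on when the image was
          # pulled. Pin it, e.g.
          # git.pyrocufflink.net/infra/dch-webhooks@sha256:<DIGEST-PLACEHOLDER>
          image: git.pyrocufflink.net/infra/dch-webhooks
          env:
            # Binds every interface inside the pod network namespace;
            # reachability is governed by the Service, not by this value.
            - name: UVICORN_HOST
              value: '0.0.0.0'
            # NOTE(review): debug logging on a webhook receiver may record
            # request details; confirm that payloads and the mounted tokens
            # never reach the log stream before keeping this in production.
            - name: UVICORN_LOG_LEVEL
              value: debug
            # Path is under the read-only host-provisioner ConfigMap mount.
            - name: ANSIBLE_JOB_YAML
              value: /etc/dch-webhooks/ansible-job.yaml
          envFrom:
            - configMapRef:
                name: dch-webhooks
          ports:
            - name: http
              containerPort: 8000
          # Startup: poll / every second, allowing up to 10 failures.
          startupProbe: &probe
            httpGet:
              path: /
              port: 8000
            periodSeconds: 1
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 10
          # Readiness reuses the startup probe through a YAML 1.1 merge key
          # and overrides the period (60s) and failure threshold (2). Tools
          # that do not expand merge keys will not render this correctly.
          readinessProbe:
            <<: *probe
            periodSeconds: 60
            failureThreshold: 2
          securityContext:
            readOnlyRootFilesystem: true
            # The process holds secrets for several services and listens on
            # an unprivileged port, so it needs no capabilities and no way
            # to gain privileges through setuid binaries.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            # Secret and ConfigMap volumes are mounted read-only by the
            # kubelet on current Kubernetes releases; readOnly is spelled out
            # on each so the intent is visible and the mounts are consistent.
            - mountPath: /run/dch-root-ca.crt
              name: root-ca
              subPath: dch-root-ca.crt
              readOnly: true
            - mountPath: /run/secrets/du5t1n.me/firefly
              name: firefly-token
              readOnly: true
            - mountPath: /run/secrets/du5t1n.me/paperless
              name: paperless-token
              readOnly: true
            - mountPath: /run/secrets/du5t1n.me/rabbitmq
              name: rabbitmq-cert
              readOnly: true
            - mountPath: /run/secrets/du5t1n.me/step-ca
              name: step-ca-password
              readOnly: true
            # Only writable path in the container; backed by the in-memory
            # emptyDir declared below.
            - mountPath: /tmp
              name: tmp
              subPath: tmp
            - mountPath: /etc/dch-webhooks
              name: host-provisioner
              readOnly: true
      securityContext:
        runAsNonRoot: true
        # Apply the container runtime's default syscall filter.
        seccompProfile:
          type: RuntimeDefault
      # NOTE(review): the token for this ServiceAccount is auto-mounted by
      # default. Its RBAC bindings are not in this file; confirm they are
      # limited to what the webhook handlers need.
      serviceAccountName: dch-webhooks
      volumes:
        # optional: true lets the pod start when the object is missing, in
        # which case the corresponding mount is empty; the application has
        # to cope with absent credential files.
        - name: firefly-token
          secret:
            secretName: firefly-token
            optional: true
        - name: host-provisioner
          configMap:
            name: host-provisioner
            optional: true
        - name: paperless-token
          secret:
            secretName: paperless-token
            optional: true
        - name: rabbitmq-cert
          secret:
            secretName: rabbitmq-cert
            optional: true
        # Not optional: the pod will not start without the root CA ConfigMap.
        - name: root-ca
          configMap:
            name: dch-root-ca
        - name: step-ca-password
          secret:
            secretName: step-ca-password
            optional: true
        # NOTE(review): a Memory-backed emptyDir counts against the
        # container's memory and no sizeLimit or resource limits are set
        # here; consider bounding it.
        - name: tmp
          emptyDir:
            medium: Memory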