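---
# https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
# Deployment of cic-auth-proxy, configured with PROXY_HOST=cic-meta-server.
# ACLs and the trusted GPG public key are supplied through ConfigMaps; the
# GnuPG home directory is a per-pod emptyDir.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cic-auth-proxy-meta
  namespace: grassroots
  labels:
    app: cic-auth-proxy-meta
    group: cic
  annotations:
    # Keel image automation: poll the registry every 5 minutes for tags
    # matching master-*.
    keel.sh/policy: "glob:master-*"
    keel.sh/trigger: poll
    keel.sh/pollSchedule: "@every 5m"
spec:
  selector:
    matchLabels:
      app: cic-auth-proxy-meta
  replicas: 1
  template:
    metadata:
      labels:
        app: cic-auth-proxy-meta
        group: cic
    spec:
      # NOTE(review): neither the pod nor the container sets a securityContext.
      # Once the image is confirmed to support it, consider runAsNonRoot: true,
      # allowPrivilegeEscalation: false, capabilities.drop: ["ALL"] and
      # readOnlyRootFilesystem: true (the GnuPG home is already an emptyDir).
      # NOTE(review): if the proxy never calls the Kubernetes API, setting
      # automountServiceAccountToken: false would keep the service-account
      # token out of the pod. Confirm before changing.
      containers:
        - name: cic-auth-proxy-meta
          #image: registry.gitlab.com/grassrootseconomics/cic-auth-proxy:master-c05fafbf-1627493790 # {"$imagepolicy": "flux-system:cic-auth-proxy"}
          # NOTE(review): ":latest" is a mutable tag, and with
          # imagePullPolicy: Always each pod restart can pull different image
          # content. Pinning an immutable tag or digest (as in the
          # commented-out line above) makes the running code auditable.
          image: registry.gitlab.com/grassrootseconomics/cic-auth-proxy:latest
          imagePullPolicy: Always
          resources:
            requests:
              cpu: 50m
              memory: 100Mi
            limits:
              cpu: 100m
              memory: 200Mi
          env:
            # Upstream that the proxy is configured to forward to.
            - name: PROXY_HOST
              value: cic-meta-server
            - name: PROXY_PORT
              value: "80"
            - name: PROXY_PATH_PREFIX
              value: "/"
            - name: HTTP_AUTH_ORIGIN
              value: https://meta-auth.dev.grassrootseconomics.net:443
            - name: HTTP_AUTH_REALM
              value: GE
            # NOTE(review): the key-server endpoints below use plain HTTP.
            # Whether fetched keys and signatures are verified against the
            # trusted fingerprint is not visible in this manifest. Confirm,
            # and consider a NetworkPolicy limiting who can reach key-server.
            - name: ACL_CREDENTIALS_ENDPOINT
              value: http://key-server:8081/
            # Path lies under the read-only acl-config mount (/data/acls/).
            - name: ACL_PATH
              value: /data/acls/F3FAF668E82EF5124D5187BAEF26F4682343F692
            - name: GPG_PUBLICKEYS_ENDPOINT
              value: http://key-server:8080/.well-known/publickeys/
            - name: GPG_SIGNATURE_ENDPOINT
              value: http://key-server:8080/.well-known/signature/
            - name: GPG_TRUSTED_PUBLICKEY_FINGERPRINT  # fingerprint of trusted key
              value: CCE2E1D2D0E36ADE0405E2D0995BB21816313BD5
            # Writable emptyDir mount (gpg-homedir).
            - name: GPG_HOMEDIR
              value: /usr/local/etc/cic-auth-proxy/.gnupg/
            # ConfigMap mount (pgp-meta-test).
            - name: GPG_IMPORT_DIR
              value: /usr/local/etc/cic-auth-proxy/import/
            - name: GPG_PUBLICKEY_FILENAME
              value: publickeys.asc
            - name: GPG_SIGNATURE_FILENAME
              value: signature.asc
            # File lies under the trusted-publickey ConfigMap mount.
            - name: GPG_TRUSTED_PUBLICKEY_MATERIAL
              value: /usr/local/etc/cic-auth-proxy/trusted/trustedpublickey.asc
          ports:
            - containerPort: 8080
              name: http
          volumeMounts:
            - name: acl-config
              mountPath: /data/acls/
              readOnly: true
            - name: credentials-config
              mountPath: /data/noop/
              readOnly: true
            # Trust anchor: marked read-only explicitly, matching the other
            # ConfigMap mounts (ConfigMap volumes are mounted read-only by the
            # kubelet in any case, so this only states the intent).
            - name: trusted-publickey
              mountPath: /usr/local/etc/cic-auth-proxy/trusted/
              readOnly: true
            # Must stay writable: this is the GnuPG home directory.
            - name: gpg-homedir
              mountPath: /usr/local/etc/cic-auth-proxy/.gnupg
            - name: pgp-meta-test
              mountPath: /usr/local/etc/cic-auth-proxy/import
              readOnly: true
      volumes:
        # NOTE(review): the name suggests test key material. Confirm that is
        # intended for the environment this manifest is applied to.
        - name: pgp-meta-test
          configMap:
            name: pgp-meta-test
        - name: acl-config
          configMap:
            name: cic-auth-proxy-acl-configmap
        - name: credentials-config
          configMap:
            name: cic-auth-proxy-credentials-configmap
        - name: trusted-publickey
          configMap:
            name: pgp-trusted-publickey
        - name: gpg-homedir
          emptyDir: {}
---
# https://kubernetes.io/docs/concepts/services-networking/service/
# Cluster-internal Service: port 80 forwards to the proxy container's
# port 8080.
apiVersion: v1
kind: Service
metadata:
  name: cic-auth-proxy-meta
  namespace: grassroots
spec:
  selector:
    app: cic-auth-proxy-meta
  type: ClusterIP
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080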