---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: rfi-backend-api
  namespace: rfi
  labels:
    app: rfi-backend-api
    service: api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: rfi-backend-api
  template:
    metadata:
      labels:
        app: rfi-backend-api
        service: api
      annotations:
        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/auth-path: auth/kubernetes
        vault.hashicorp.com/role: rfi
        vault.hashicorp.com/agent-inject-secret-rfi-db: secrets/data/postgresql/apps/rfi
        vault.hashicorp.com/agent-inject-template-rfi-db: |-
          {{- with secret "secrets/data/postgresql/apps/rfi" -}}
          DB_HOST=postgresql.rfi.svc.cluster.local
          DB_PORT=5432
          DB_NAME=rfi_db
          DB_USER={{ index .Data.data "username" }}
          DB_PASSWORD={{ index .Data.data "password" }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-rfi-s3: secrets/data/minio/apps/rfi
        vault.hashicorp.com/agent-inject-template-rfi-s3: |-
          {{- with secret "secrets/data/minio/apps/rfi" -}}
          YC_S3_ENDPOINT_URL={{ index .Data.data.client "endpoint" }}
          YC_S3_BUCKET_NAME=rfi
          YC_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
          YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-rfi-rabbitmq: secrets/data/rabbitmq/apps/rfi
        vault.hashicorp.com/agent-inject-template-rfi-rabbitmq: |-
          {{- with secret "secrets/data/rabbitmq/apps/rfi" -}}
          RABBITMQ_VHOST={{ index .Data.data "vhost" }}
          RABBITMQ_USERNAME={{ index .Data.data "username" }}
          RABBITMQ_PASSWORD={{ index .Data.data "password" }}
          RABBITMQ_PORT=5672
          RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-rfi-django-auth: secrets/data/vault/common/django_auth
        vault.hashicorp.com/agent-inject-template-rfi-django-auth: |-
          {{- with secret "secrets/data/vault/common/django_auth" -}}
          DJANGO_SECRET_KEY={{ index .Data.data "key" }}
          SAREX_BACKEND_AUTH={{ index .Data.data "key" }}
          {{- end -}}
    spec:
      serviceAccountName: rfi-vault
      containers:
        - name: api
          image: cr.yandex/crp3ccidau046kdj8g9q/rfi-backend:production_d1e2e80d
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-ec"]
          args:
            - |
              set -a
              [ -f /vault/secrets/rfi-db ] && . /vault/secrets/rfi-db
              [ -f /vault/secrets/rfi-s3 ] && . /vault/secrets/rfi-s3
              [ -f /vault/secrets/rfi-rabbitmq ] && . /vault/secrets/rfi-rabbitmq
              [ -f /vault/secrets/rfi-django-auth ] && . /vault/secrets/rfi-django-auth
              set +a
              exec ./entrypoint.sh
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
          env:
            - name: JWT_AUTH_ENABLE
              value: "True"
            - name: NOTIFICATIONS_ENABLE
              value: "false"
            - name: NOTIFICATIONS_EMAIL_FROM
              value: hello@sarex.io
            - name: NOTIFICATIONS_SERVICE_URL
              value: https://srx-wb.ru/rfi
            - name: SAREX_BACKEND_URL
              value: http://backend-svc.django.svc.cluster.local
            - name: EAV_URL
              value: http://backend-svc.eav.svc.cluster.local:80
            - name: GATEWAY_URL
              value: http://pdm-api.documentations.svc.cluster.local:8080
          resources:
            requests:
              cpu: "1"
              memory: 1Gi
      imagePullSecrets:
        - name: regcred