---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: checklists-backend
  namespace: checklists
  labels:
    app: checklists-backend
    service: api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: checklists-backend
  template:
    metadata:
      labels:
        app: checklists-backend
        service: checklists-backend
      annotations:
        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/auth-path: auth/kubernetes
        vault.hashicorp.com/role: checklists
        vault.hashicorp.com/agent-inject-secret-checklists-db: secrets/data/postgresql/apps/checklists
        vault.hashicorp.com/agent-inject-template-checklists-db: |-
          {{- with secret "secrets/data/postgresql/apps/checklists" -}}
          DATABASE_HOST=postgresql.checklists.svc.cluster.local
          DATABASE_PORT=5432
          DATABASE_NAME=checklists_db
          DATABASE_USER={{ index .Data.data "username" }}
          DATABASE_PASSWORD={{ index .Data.data "password" }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-checklists-jwt-public: secrets/data/vault/common/rsa_keys
        vault.hashicorp.com/agent-inject-template-checklists-jwt-public: |-
          {{- with secret "secrets/data/vault/common/rsa_keys" -}}
          {{ index .Data.data "public_key" }}
          {{- end -}}
    spec:
      serviceAccountName: checklists-vault
      containers:
        - name: api
          image: cr.yandex/crp3ccidau046kdj8g9q/checklists-backend:production_68f242cd
          imagePullPolicy: IfNotPresent
          command: ["/bin/bash", "-ec"]
          args:
            - |
              set -a
              [ -f /vault/secrets/checklists-db ] && . /vault/secrets/checklists-db
              [ -f /vault/secrets/checklists-jwt-public ] && export JWT_AUTH_PUBLIC_KEY="$(cat /vault/secrets/checklists-jwt-public)"
              set +a
              exec ./entrypoint.sh
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
          env:
            - name: HTTP_APP_HOST
              value: 0.0.0.0
            - name: HTTP_APP_PORT
              value: "8000"
            - name: HTTP_APP_ROOT_PATH
              value: /checklists
            - name: HTTP_APP_WORKERS
              value: "1"
            - name: HTTP_APP_ADMIN_ENABLE
              value: "true"
            - name: JWT_AUTH_ENABLE
              value: "true"
            - name: DEBUG
              value: "false"

          resources:
            requests:
              cpu: "25m"
              memory: 128Mi
      imagePullSecrets:
        - name: regcred