apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "rsh-backend.fullname" . }}
  labels:
    {{- include "rsh-backend.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicaCount }}
  strategy:
    type: Recreate
  selector:
    matchLabels:
      {{- include "rsh-backend.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "rsh-backend.selectorLabels" . | nindent 8 }}
      annotations:
        {{- if .Values.authorizedKeys }}
        checksum/authorized-keys: {{ .Values.authorizedKeys | sha256sum }}
        {{- end }}
    spec:
      serviceAccountName: {{ include "rsh-backend.serviceAccountName" . }}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      {{- if .Values.authorizedKeys }}
      initContainers:
        - name: seed-authorized-keys
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command:
            - /bin/sh
            - -c
            - |
              set -eu
              install -m 600 /seed/authorized_keys /var/lib/rsh/authorized_keys
          volumeMounts:
            - name: data
              mountPath: /var/lib/rsh
            - name: authorized-keys
              mountPath: /seed
              readOnly: true
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
      {{- end }}
      containers:
        - name: rsh-backend
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - name: http
              containerPort: 7777
              protocol: TCP
          env:
            - name: RSH_DATA
              value: /var/lib/rsh
            - name: RSH_BIND
              value: 0.0.0.0:7777
            {{- range $k, $v := .Values.env }}
            - name: {{ $k }}
              value: {{ $v | quote }}
            {{- end }}
          livenessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 2
            periodSeconds: 5
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
            - name: data
              mountPath: /var/lib/rsh
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
        - name: data
        {{- if .Values.persistence.enabled }}
          persistentVolumeClaim:
            claimName: {{ include "rsh-backend.fullname" . }}-data
        {{- else }}
          emptyDir: {}
        {{- end }}
        {{- if .Values.authorizedKeys }}
        - name: authorized-keys
          secret:
            secretName: {{ include "rsh-backend.fullname" . }}-authorized-keys
            items:
              - key: authorized_keys
                path: authorized_keys
        {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}