---
# Binds the oidc-gateway ServiceAccount to the ClusterRole of the same name.
# A ClusterRoleBinding is cluster-scoped, so whatever that ClusterRole allows
# applies across all namespaces. The ClusterRole itself is not defined in this
# file; review its rules there to know the gateway's effective privileges.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-gateway
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: oidc-gateway
subjects:
  - kind: ServiceAccount
    name: oidc-gateway
    # Must be the namespace the ServiceAccount below is actually created in.
    # That manifest sets no metadata.namespace, so it lands in whatever
    # namespace is given at apply time; a mismatch leaves the binding dangling.
    namespace: oidc-gateway
---
# Identity shared by the key-manager Job and the gateway Deployment below.
# No metadata.namespace is set, so the account is created in the namespace
# passed at apply time; the ClusterRoleBinding above expects it in
# "oidc-gateway".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: oidc-gateway
---
# Redis instance requested from the codemowers.io operator (a custom resource,
# not a core Kubernetes type). The meaning of "capacity" and "class" is defined
# by that operator. NOTE(review): "ephemeral" presumably means no persistence
# across restarts — confirm against the operator's documentation.
# NOTE(review): the redis-oidc-gateway-owner-secrets Secret consumed by the
# Deployment below looks like it is generated by this operator for this
# instance — verify, since nothing in this file creates it.
apiVersion: codemowers.io/v1alpha1
kind: Redis
metadata:
  name: oidc-gateway
spec:
  capacity: 512Mi
  class: ephemeral
---
# Public HTTPS entrypoint for the gateway: auth2.k-space.ee, all paths,
# forwarded to the oidc-gateway Service on port 3000.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oidc-gateway
  annotations:
    # Controller selection via the legacy annotation. It is deprecated in
    # favour of spec.ingressClassName, but switching requires a matching
    # IngressClass object to exist, so it is deliberately left as-is here.
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    # Annotation values must be strings; the quotes stop YAML turning this
    # into a boolean.
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
  rules:
    - host: auth2.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: oidc-gateway
                port:
                  number: 3000
  tls:
    # No secretName is given, so no certificate Secret is referenced here;
    # which certificate serves *.k-space.ee is decided by the ingress
    # controller (presumably Traefik's default certificate — confirm).
    - hosts:
        - "*.k-space.ee"
---
# Cluster-internal Service in front of the gateway pods, selected by the
# app=oidc-gateway label set on the Deployment's pod template.
apiVersion: v1
kind: Service
metadata:
  name: oidc-gateway
spec:
  type: ClusterIP
  selector:
    app: oidc-gateway
  ports:
    # No targetPort, so it defaults to the same value as port (3000), which
    # matches the Deployment's containerPort.
    - protocol: TCP
      port: 3000
---
# One-off bootstrap: runs the passmower key-manager once ("initialize" with
# the "cluster" backend) under the same ServiceAccount as the gateway, so it
# inherits the ClusterRole permissions as well. NOTE(review): this presumably
# creates the oidc-keys Secret the Deployment below reads via envFrom —
# confirm, as nothing else in this file produces it.
# The image has no tag or digest, so the registry's mutable default tag is
# pulled on every run; pin a tag or @sha256 digest for reproducible,
# auditable deployments.
apiVersion: batch/v1
kind: Job
metadata:
  name: oidc-key-manager
spec:
  template:
    spec:
      restartPolicy: Never
      serviceAccountName: oidc-gateway
      containers:
        - name: oidc-key-manager
          image: docker.io/codemowers/passmower
          command:
            - "/app/node_modules/.bin/key-manager"
            - "initialize"
            - "-c"
            - "cluster"
---
# The OIDC gateway itself (passmower): three replicas behind the Service and
# Ingress above, running as the cluster-bound oidc-gateway ServiceAccount.
# NOTE(review): no securityContext and no resources are set, so the container
# runs with the image's user/capability defaults and without CPU or memory
# limits — worth hardening once the image's runtime needs are known.
# The image has no tag or digest; pin it for reproducible deployments.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oidc-gateway
  labels:
    app: oidc-gateway
spec:
  selector:
    matchLabels:
      app: oidc-gateway
  replicas: 3
  template:
    metadata:
      labels:
        app: oidc-gateway
    spec:
      serviceAccountName: oidc-gateway
      containers:
        - name: oidc-gateway
          image: docker.io/codemowers/passmower
          ports:
            - containerPort: 3000
          # Kubernetes env values must be strings; the booleans and the "*"
          # below are quoted on purpose so the YAML parser does not retype
          # them.
          env:
            - name: ISSUER_URL
              value: 'https://auth2.k-space.ee/'
            - name: DEPLOYMENT_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.labels['app']
            - name: GROUP_PREFIX
              value: 'k-space'
            - name: ADMIN_GROUP
              value: 'k-space:kubernetes:admins'
            # REQUIRED_GROUP is left unset: allow everyone to authenticate and
            # limit access to services on the client level.
            # - name: REQUIRED_GROUP
            #   value: 'codemowers:users'
            - name: GITHUB_ORGANIZATION  # if not set, the gateway adds user groups from every organization the user granted access for
              value: 'codemowers'
            - name: ENROLL_USERS  # allow everyone to self-register
              value: 'false'
            - name: NAMESPACE_SELECTOR
              value: '*'
            - name: PREFERRED_EMAIL_DOMAIN  # try to make the primary email consistent
              value: 'k-space.ee'
            - name: REQUIRE_CUSTOM_USERNAME
              value: 'true'
          # All credentials are injected as environment variables. Anyone who
          # can exec into the pod, or read a process environment/core dump,
          # can read them; keep pods/exec RBAC in this namespace tight. None of
          # these Secrets are created in this file.
          envFrom:
            - secretRef:
                name: redis-oidc-gateway-owner-secrets
            - secretRef:
                name: oidc-keys
            - secretRef:
                name: email-credentials
            - secretRef:
                name: github-client
            - secretRef:
                name: slack-client
          readinessProbe:
            httpGet:
              path: /.well-known/openid-configuration
              port: 3000
              httpHeaders:
                # Both headers exist only to suppress an oidc-provider warning
                # about requests that do not look proxied. NOTE(review):
                # x-forwarded-for normally carries a client IP, not a URL —
                # confirm this value is what the provider expects.
                - name: x-forwarded-for
                  value: 'https://auth2.k-space.ee/'
                - name: x-forwarded-proto
                  value: https
            initialDelaySeconds: 5
            periodSeconds: 1
          volumeMounts:
            - mountPath: /app/tos
              name: tos
            - mountPath: /app/approval
              name: approval
            - mountPath: /app/src/views/custom/emails
              name: email-templates
      # The three ConfigMaps referenced here are not defined in this file.
      volumes:
        - name: tos
          configMap:
            name: oidc-gateway-tos-v1
        - name: approval
          configMap:
            name: oidc-gateway-approval-required
        - name: email-templates
          configMap:
            name: oidc-gateway-email-templates