#
# ============LICENSE_START=======================================================
#  Copyright (C) 2022-2023 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# ============LICENSE_END=========================================================
#
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: webhook-app
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: webhook-app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: webhook-app
    namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jwt-proxy-admission-controller-deployment
  namespace: default
  labels:
    app: jwt-proxy-admission-controller
    app.kubernetes.io/instance: jwt-proxy-admission-controller
    app.kubernetes.io/name: jwt-proxy-admission-controller
spec:
  selector:
    matchLabels:
      app: jwt-proxy-admission-controller
  template:
    metadata:
      labels:
        app: jwt-proxy-admission-controller
        version: v1
        app.kubernetes.io/instance: jwt-proxy-admission-controller
        app.kubernetes.io/name: jwt-proxy-admission-controller
    spec:
      serviceAccountName: webhook-app
      containers:
      - name: jwt-proxy-admission-controller
        image: ktimoney/rapps-webhook
        imagePullPolicy: IfNotPresent
        command: ["/app/rapps-webhook"]
        args: [
                "-port", "8443",
                "-tlsCertFile", "/certs/tls.crt",
                "-tlsKeyFile", "/certs/tls.key",
                "-secret", "cm-keycloak-client-certs",
              ]
        ports:
        - containerPort: 8443
        resources:
          limits:
            memory: 256Mi
            cpu: "250m"
          requests:
            memory: 128Mi
            cpu: "80m"
        volumeMounts:
          - readOnly: true
            mountPath: /certs
            name: webhook-cert
      volumes:
        - name: webhook-cert
          secret:
            secretName: cm-webhook-server-certs
  replicas: 1
---
apiVersion: v1
kind: Service
metadata:
  name: jwt-proxy-admission-controller
  namespace: default
  labels:
    app: jwt-proxy-admission-controller
    app.kubernetes.io/instance: jwt-proxy-admission-controller
    app.kubernetes.io/name: jwt-proxy-admission-controller
spec:
  selector:
    app: jwt-proxy-admission-controller
  ports:
    - protocol: TCP
      port: 443
      targetPort: 8443
      nodePort: 30570
  type: NodePort
---