apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "authentik.fullname" . }}-web
  labels:
    app.kubernetes.io/name: {{ include "authentik.name" . }}
    helm.sh/chart: {{ include "authentik.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    k8s.goauthentik.io/component: web
spec:
  replicas: {{ .Values.serverReplicas }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "authentik.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
      k8s.goauthentik.io/component: web
  template:
    metadata:
      labels:
        app.kubernetes.io/name: {{ include "authentik.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
        k8s.goauthentik.io/component: web
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 1
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                  - {{ include "authentik.name" . }}
                - key: app.kubernetes.io/instance
                  operator: In
                  values:
                  - {{ .Release.Name }}
                - key: k8s.goauthentik.io/component
                  operator: In
                  values:
                  - web
              topologyKey: "kubernetes.io/hostname"
      initContainers:
        - name: authentik-database-migrations
          image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
          args: [migrate]
          envFrom:
            - configMapRef:
                name: {{ include "authentik.fullname" . }}-config
              prefix: AUTHENTIK_
            - secretRef:
                name: {{ include "authentik.fullname" . }}-secret-key
              prefix: AUTHENTIK_
          env:
            - name: AUTHENTIK_REDIS__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "{{ .Release.Name }}-redis"
                  key: redis-password
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "{{ .Release.Name }}-postgresql"
                  key: postgresql-password
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
          args: [server]
          envFrom:
            - configMapRef:
                name: {{ include "authentik.fullname" . }}-config
              prefix: AUTHENTIK_
            - secretRef:
                name: {{ include "authentik.fullname" . }}-secret-key
              prefix: AUTHENTIK_
          env:
            - name: AUTHENTIK_REDIS__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "{{ .Release.Name }}-redis"
                  key: "redis-password"
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "{{ .Release.Name }}-postgresql"
                  key: "postgresql-password"
          volumeMounts:
            - name: authentik-uploads
              mountPath: /media
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /-/health/live/
              port: http
              initialDelaySeconds: 15
          readinessProbe:
            httpGet:
              path: /-/health/ready/
              port: http
              initialDelaySeconds: 15
          resources:
            requests:
              cpu: 100m
              memory: 300M
            limits:
              cpu: 300m
              memory: 600M
      volumes:
        - name: authentik-uploads
          persistentVolumeClaim:
            claimName: {{ include "authentik.fullname" . }}-uploads