apiVersion: v1
kind: Service
metadata:
  name: sshca
  namespace: sshca
  labels:
    app.kubernetes.io/name: sshca
    app.kubernetes.io/component: sshca
    app.kubernetes.io/instance: sshca
    app.kubernetes.io/part-of: sshca
spec:
  ports:
  - port: 8087
    name: sshca
  selector:
    app.kubernetes.io/name: sshca
    app.kubernetes.io/component: sshca
    app.kubernetes.io/instance: sshca
  type: ClusterIP

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sshca
  namespace: sshca
  labels:
    app.kubernetes.io/name: sshca
    app.kubernetes.io/component: sshca
    app.kubernetes.io/part-of: sshca
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: sshca
      app.kubernetes.io/component: sshca
  template:
    metadata:
      labels:
        app.kubernetes.io/name: sshca
        app.kubernetes.io/component: sshca
    spec:
      enableServiceLinks: false
      containers:
      - name: sshca
        image: git.pyrocufflink.net/packages/sshca
        args:
        - -c
        - /etc/sshca/config.toml
        env:
        - name: RUST_LOG
          value: info,sshca=trace
        ports:
        - containerPort: 8087
          name: sshca
        readinessProbe: &probe
          httpGet:
            port: 8087
            path: /
          failureThreshold: 3
          periodSeconds: 60
          successThreshold: 1
          timeoutSeconds: 1
        startupProbe:
          <<: *probe
          failureThreshold: 30
          periodSeconds: 1
          successThreshold: 1
          timeoutSeconds: 1
        volumeMounts:
        - mountPath: /etc/ssh/ssh_known_hosts
          name: ssh-known-hosts
          subPath: ssh_known_hosts
          readOnly: true
        - mountPath: /etc/sshca
          name: sshca-config
          readOnly: true
        - mountPath: /run/sshca/libvirt
          name: sshca-libvirt-key
          readOnly: true
        - mountPath: /run/sshca/secrets/host/key
          name: sshca-host-key
          readOnly: true
        - mountPath: /run/sshca/secrets/host/passphrase
          name: sshca-host-passphrase
          readOnly: true
        - mountPath: /run/sshca/secrets/user/key
          name: sshca-user-key
          readOnly: true
        - mountPath: /run/sshca/secrets/user/passphrase
          name: sshca-user-passphrase
          readOnly: true
        - mountPath: /var/lib/sshca
          name: sshca-data
          readOnly: true
      imagePullSecrets:
      - name: imagepull-gitea
      securityContext:
        runAsNonRoot: true
        fsGroup: 298
      volumes:
      - name: sshca-config
        configMap:
          name: sshca-config
      - name: sshca-data
        secret:
          secretName: sshca-data
      - name: sshca-host-key
        secret:
          secretName: sshca-host-key
      - name: sshca-host-passphrase
        secret:
          secretName: sshca-host-passphrase
      - name: sshca-libvirt-key
        secret:
          secretName: sshca-libvirt-sshkey
      - name: sshca-user-key
        secret:
          secretName: sshca-user-key
      - name: sshca-user-passphrase
        secret:
          secretName: sshca-user-passphrase
      - name: ssh-known-hosts
        configMap:
          name: ssh-known-hosts