# Deploys an instance of Nixery into the cluster.
#
# The service via which Nixery is exposed has a private DNS entry
# pointing to it, which makes it possible to resolve `nixery.local`
# in-cluster without things getting nasty.
#
# The 'nixery-keys' secret was configured manually using a created
# service account key. Metadata-based authentication is not used here
# because signing requires an actual PEM key.
---
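apiVersion: apps/v1
kind: Deployment
metadata:
  name: nixery
  namespace: kube-public
  labels:
    app: nixery
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nixery
  template:
    metadata:
      labels:
        app: nixery
    spec:
      containers:
        - name: nixery
          # `demo` is a mutable tag; with imagePullPolicy Always each pod
          # start re-resolves it. Pinning by digest would make rollouts
          # reproducible.
          image: eu.gcr.io/tazjins-infrastructure/nixery:demo
          imagePullPolicy: Always
          volumeMounts:
            # Holds the GCS service-account key (JSON + PEM) and the
            # ssh_config referenced by the env vars below. The header
            # comment calls this secret 'nixery-keys' while the manifest
            # mounts 'nixery-secrets' -- confirm which name is live.
            - name: nixery-secrets
              mountPath: /var/nixery
          env:
            # Every templated value is quoted so that an empty,
            # number-looking or boolean-looking expansion still arrives
            # as a string (an env `value` must be a string). Single
            # quotes keep the rendered content free of escape processing.
            - name: BUCKET
              value: '{{ .bucket }}'
            # No containerPort is declared below; the Service targets
            # 8080, so this is presumably rendered as 8080 -- confirm.
            - name: PORT
              value: '{{ .port }}'
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /var/nixery/gcs-key.json
            - name: GCS_SIGNING_KEY
              value: /var/nixery/gcs-key.pem
            - name: GCS_SIGNING_ACCOUNT
              value: '{{ .account }}'
            - name: GIT_SSH_COMMAND
              value: 'ssh -F /var/nixery/ssh_config'
            - name: NIXERY_PKGS_REPO
              value: '{{ .repo }}'
      volumes:
        - name: nixery-secrets
          secret:
            secretName: nixery-secrets
            # 256 decimal == 0400 octal: the key files are readable by
            # their owner only. No securityContext (runAsUser/fsGroup)
            # is set here, so the container must run as that owner --
            # confirm.
            defaultMode: 256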
---
apiVersion: v1
kind: Service
metadata:
  name: nixery
  namespace: kube-public
  annotations:
    # Requests an internal GCP load balancer instead of a public one,
    # which is what keeps Nixery reachable only from inside the network
    # (see the header comment on the private DNS entry).
    cloud.google.com/load-balancer-type: 'Internal'
spec:
  type: LoadBalancer
  selector:
    app: nixery
  ports:
    # targetPort has to agree with the PORT value the Deployment is
    # rendered with; the Deployment declares no containerPort, so
    # confirm that PORT resolves to 8080.
    - protocol: TCP
      port: 80
      targetPort: 8080