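---
# Helm template: backing services (Redis-compatible cache, PostgreSQL,
# S3 bucket) plus Service, TLS certificate and Ingress for one release.
# Templated scalars are quoted so that a release name or hostname that looks
# like a number or a boolean is still rendered as a string.

# Generated password for the Dragonfly instance below. It is produced
# in-cluster by the secret generator, so it does not appear in chart values.
# NOTE(review): confirm how the operator interprets `length` together with
# `encoding: hex` (output characters vs. random bytes) when sizing entropy.
apiVersion: secretgenerator.mittwald.de/v1alpha1
kind: StringSecret
metadata:
  name: "{{ .Release.Name }}-redis"
spec:
  fields:
    - fieldName: redis-password
      length: "32"
      encoding: hex
---
# Dragonfly instance; authentication reads the password from the Secret
# name/key declared by the StringSecret above.
apiVersion: dragonflydb.io/v1alpha1
kind: Dragonfly
metadata:
  name: "{{ .Release.Name }}-redis"
spec:
  authentication:
    passwordFromSecret:
      name: "{{ .Release.Name }}-redis"
      key: redis-password
  replicas: 1
  resources:
    requests:
      cpu: 500m
      memory: 500Mi
    limits:
      cpu: 600m
      memory: 750Mi
---
# Database credentials: fixed username (the release name) and a generated
# password. Referenced by the managed role of the Cluster below.
apiVersion: secretgenerator.mittwald.de/v1alpha1
kind: StringSecret
metadata:
  name: "{{ .Release.Name }}-database"
  labels:
    cnpg.io/reload: "true"
spec:
  data:
    username: "{{ .Release.Name }}"
  fields:
    - fieldName: password
      length: "32"
      encoding: hex
---
# Single-instance CloudNativePG cluster.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: "{{ .Release.Name }}-database"
spec:
  instances: 1
  # NOTE(review): `17` is a major-version tag that moves as new images are
  # published; pin a more specific tag or a digest if the deployed image
  # must be reproducible and reviewable.
  imageName: ghcr.io/cloudnative-pg/postgresql:17
  storage:
    size: 1Gi
    storageClass: postgres
  affinity:
    podAntiAffinityType: required
    nodeSelector:
      codemowers.io/lvm-ubuntu-vg: enterprise-ssd
  resources:
    requests:
      cpu: "100m"
      memory: "1Gi"
    limits:
      cpu: "1"
      memory: "4Gi"
  postgresql:
    parameters:
      max_connections: "300"
      shared_buffers: "512MB"
      effective_cache_size: "2GB"
  managed:
    roles:
      # Application role; its password comes from the generated Secret.
      - name: "{{ .Release.Name }}"
        ensure: present
        login: true
        passwordSecret:
          name: "{{ .Release.Name }}-database"
---
# Application database, owned by the role declared on the Cluster.
apiVersion: postgresql.cnpg.io/v1
kind: Database
metadata:
  name: "{{ .Release.Name }}"
spec:
  name: "{{ .Release.Name }}"
  owner: "{{ .Release.Name }}"
  cluster:
    name: "{{ .Release.Name }}-database"
---
apiVersion: s3.onyxia.sh/v1alpha1
kind: Policy
metadata:
  name: "{{ .Release.Name }}-policy"
spec:
  name: "{{ .Release.Name }}-policy"
  s3InstanceRef: minio/default
  # Scoped to this release's bucket and its objects, but allows every S3
  # action (s3:*) on them.
  # NOTE(review): the wildcard also covers bucket-level administration
  # actions. If the application only reads and writes objects, narrow
  # "Action" to the operations it actually uses.
  policyContent: >-
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:*"
          ],
          "Resource": [
            "arn:aws:s3:::{{ .Release.Name }}",
            "arn:aws:s3:::{{ .Release.Name }}/*"
          ]
        }
      ]
    }
---
# S3 user bound to the policy above.
apiVersion: s3.onyxia.sh/v1alpha1
kind: S3User
metadata:
  name: "{{ .Release.Name }}-bucket"
spec:
  accessKey: "{{ .Release.Name }}-bucket"
  policies:
    - "{{ .Release.Name }}-policy"
  s3InstanceRef: minio/default
---
apiVersion: s3.onyxia.sh/v1alpha1
kind: Bucket
metadata:
  name: "{{ .Release.Name }}"
spec:
  name: "{{ .Release.Name }}"
  s3InstanceRef: minio/default
  quota:
    default: 100000000
---
# Cluster-internal Service: port 80 forwards to container port 8000 on pods
# labelled app=<release name> (the workload is not defined in this file).
apiVersion: v1
kind: Service
metadata:
  name: "{{ .Release.Name }}"
spec:
  type: ClusterIP
  selector:
    app: "{{ .Release.Name }}"
  ports:
    - name: http
      port: 80
      targetPort: 8000
---
# TLS certificate for the public hostname, stored in <release name>-tls.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "{{ .Release.Name }}"
spec:
  secretName: "{{ .Release.Name }}-tls"
  dnsNames:
    # Rendering fails when the hostname value is unset, instead of emitting
    # a null DNS name.
    - {{ required "values.hostname must be set" .Values.hostname | quote }}
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "{{ .Release.Name }}"
  annotations:
    # Only the `websecure` Traefik entrypoint is attached to this router.
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  ingressClassName: traefik
  rules:
    # An Ingress rule without a host applies to all inbound hosts, so the
    # hostname is required rather than allowed to render empty.
    - host: {{ required "values.hostname must be set" .Values.hostname | quote }}
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: "{{ .Release.Name }}"
                port:
                  number: 80
  tls:
    - secretName: "{{ .Release.Name }}-tls"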