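---
# Deployment "trillian" in namespace "rekor": one pod running the Trillian
# log server and log signer against the MySQL endpoint
# db-internal.database:3306. Two init containers run first: one copies the
# database credentials Secret into this namespace, one creates the schema.
#
# Image references use bzl:// labels; presumably the build tooling rewrites
# them to pushed image references before the manifest is applied (confirm).
#
# NOTE(review): no securityContext is set at pod or container level in this
# manifest, so runAsNonRoot, allowPrivilegeEscalation, readOnlyRootFilesystem
# and capability drops all fall back to image and cluster defaults. Confirm
# that an admission policy enforces them, or set them here once the images
# are known to tolerate it.
# NOTE(review): spec.replicas is not set, so the Deployment defaults to one
# pod. The signer runs with --force_master; confirm the implications before
# scaling this Deployment beyond one replica.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trillian
  namespace: rekor
spec:
  selector:
    matchLabels:
      app-service: trillian-internal
  template:
    metadata:
      labels:
        app-service: trillian-internal
    spec:
      # The service account is pod-wide: the long-running server and signer
      # containers run under the same identity the create-secret init
      # container uses to read Secrets in "database" and to delete and write
      # Secrets in "rekor". Keep its Role limited to the Secret named
      # "credentials" wherever the verb allows a resourceNames restriction.
      serviceAccountName: trillian-service-account
      initContainers:
        # Copies Secret "credentials" from namespace "database" to "rekor".
        # The source Secret is fetched and rewritten BEFORE the existing copy
        # is deleted, and `set -eu` aborts on the first failure. The previous
        # one-liner deleted the copy first and had no pipefail, so a failed
        # read from "database" left "rekor" without credentials.
        # The $(...) command substitutions below do not name a defined
        # container env var, so the kubelet passes them through unchanged.
        # NOTE(review): init containers declare no resource requests/limits.
        - name: create-secret
          image: bzl://hack/deps:kubectl_container_push
          command:
            - '/bin/sh'
            - '-c'
          args:
            - |-
              set -eu
              src="$(kubectl get -n database secret credentials -o yaml)"
              rendered="$(printf '%s\n' "$src" | yq '.metadata.namespace = "rekor" | del(.metadata["creationTimestamp", "annotations"])')"
              if kubectl get -n rekor secret credentials; then
                kubectl delete -n rekor secret credentials
              fi
              printf '%s\n' "$rendered" | kubectl apply -f -
        # Creates the database named by DB_NAME.
        # $(DB_USER) and $(DB_PWD) are substituted into the argument by the
        # kubelet, so the password is part of the process command line inside
        # the container (visible in /proc/<pid>/cmdline). The same applies to
        # the server and signer containers below. Do not share the PID
        # namespace with other workloads, and give this database account only
        # the privileges Trillian needs.
        - name: create-table
          image: bzl://third_party/k8s/chainguard:sigstore_scaffolding_trillian_createdb_container_push
          args:
            - '--mysql_uri=$(DB_USER):$(DB_PWD)@tcp(db-internal.database:3306)'
            - '--db_name=$(DB_NAME)'
          env:
            - name: DB_NAME
              valueFrom:
                secretKeyRef:
                  name: credentials
                  key: name
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: credentials
                  key: user
            - name: DB_PWD
              valueFrom:
                secretKeyRef:
                  name: credentials
                  key: password
      containers:
        # Trillian log server: gRPC on 8090, HTTP on 8091.
        - name: server
          image: bzl://third_party/k8s/chainguard:trillian_logserver_container_push
          args:
            - '--mysql_uri=$(DB_USER):$(DB_PWD)@tcp(db-internal.database:3306)/$(DB_NAME)'
            - '--logtostderr'
            - '--rpc_endpoint=0.0.0.0:8090'
            - '--http_endpoint=0.0.0.0:8091'
            # Placeholder kept from the source page; presumably it stands for
            # flags that were elided. As written it is passed to the binary
            # as a literal argument, so replace or remove it before use.
            - '...'
          ports:
            - name: rpc-server
              containerPort: 8090
            - name: http-server
              containerPort: 8091
          env:
            - name: DB_NAME
              valueFrom:
                secretKeyRef:
                  name: credentials
                  key: name
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: credentials
                  key: user
            - name: DB_PWD
              valueFrom:
                secretKeyRef:
                  name: credentials
                  key: password
          resources:
            limits:
              cpu: '100m'
              memory: '64Mi'
            requests:
              cpu: '1m'
              memory: '8Mi'
        # Trillian log signer: gRPC on 8190, HTTP on 8191.
        - name: signer
          image: bzl://third_party/k8s/chainguard:trillian_logsigner_container_push
          args:
            - '--mysql_uri=$(DB_USER):$(DB_PWD)@tcp(db-internal.database:3306)/$(DB_NAME)'
            - '--logtostderr'
            - '--rpc_endpoint=0.0.0.0:8190'
            - '--http_endpoint=0.0.0.0:8191'
            - '--force_master'
            - '--batch_size=1000'
            - '--sequencer_guard_window=0'
            - '--sequencer_interval=200ms'
          ports:
            - name: rpc-signer
              containerPort: 8190
            - name: http-signer
              containerPort: 8191
          env:
            - name: DB_NAME
              valueFrom:
                secretKeyRef:
                  name: credentials
                  key: name
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: credentials
                  key: user
            - name: DB_PWD
              valueFrom:
                secretKeyRef:
                  name: credentials
                  key: password
          resources:
            limits:
              cpu: '100m'
              memory: '128Mi'
            requests:
              cpu: '10m'
              memory: '16Mi'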