#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: rekor-system
  labels:
    name: rekor-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: rekor-system
  name: rekor-server
  labels:
    app: rekor-server
spec:
  replicas: 3
  selector:
    matchLabels:
      app: rekor-server
  template:
    metadata:
      labels:
        app: rekor-server
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/path: /metrics
        prometheus.io/port: "2112"
    spec:
      containers:
      - name: rekor-server
        image: ko://github.com/sigstore/rekor/cmd/rekor-server
        ports:
        - containerPort: 3000
        - containerPort: 2112 # metrics
        args: [
          "serve",
          "--trillian_log_server.address=trillian-server",
          "--trillian_log_server.port=8090",
          "--rekor_server.address=0.0.0.0",
          "--redis_server.address=10.234.175.59",
          "--redis_server.port=6379",
          "--trillian_log_server.tlog_id=3904496407287907110",
          "--log_type=prod",
          "--rekor_server.signer=$(KMS)",
          "--trillian_log_server.sharding_config=/sharding/sharding-config.yaml",
          "--enable_attestation_storage=$(ENABLE_ATTESTATION_STORAGE)",
          "--attestation_storage_bucket=$(ATTESTATION_BUCKET)"
        ]
        volumeMounts:
        - name: sharding-config
          mountPath: /sharding
        env:
        - name: KMS
          valueFrom:
            configMapKeyRef:
              name: rekor-config
              key: kms
        - name: ENABLE_ATTESTATION_STORAGE
          valueFrom:
            configMapKeyRef:
              name: rekor-config
              key: enable_attestation_storage
        - name: ATTESTATION_BUCKET
          valueFrom:
            configMapKeyRef:
              name: rekor-config
              key: attestation_bucket
        resources:
          requests:
            memory: "1G"
            cpu: ".5"
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
            - all
      volumes:
        - name: sharding-config
          configMap:
            name: sharding-config
---
apiVersion: v1
kind: Service
metadata:
  namespace: rekor-system
  name: rekor-server
spec:
  selector:
    app: rekor-server
  type: LoadBalancer
  ports:
    - protocol: TCP
      port: 80
      targetPort: 3000
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: sharding-config
  namespace: rekor-system
data:
  sharding-config.yaml: "" 
---