---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
  namespace: drawings
  labels:
    app: backend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: backend
  template:
    metadata:
      labels:
        app: backend
      annotations:
        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/auth-path: auth/kubernetes
        vault.hashicorp.com/role: drawings
        vault.hashicorp.com/agent-inject-secret-drawings-db: secrets/data/postgresql/apps/drawings
        vault.hashicorp.com/agent-inject-template-drawings-db: |-
          {{- with secret "secrets/data/postgresql/apps/drawings" -}}
          POSTGRES_ADDRESS=postgresql.drawings.svc.cluster.local:5432
          POSTGRES_DB=drawings_db
          POSTGRES_USER={{ index .Data.data "username" }}
          POSTGRES_PASSWORD={{ index .Data.data "password" }}
          {{- end -}}
    spec:
      serviceAccountName: drawings-vault
      containers:
        - name: backend
          image: cr.yandex/crp3ccidau046kdj8g9q/drawings-api:015e68e1b2a3dcc13f0b405e1f761b154a825d24
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-ec"]
          args:
            - |
              set -a
              [ -f /vault/secrets/drawings-db ] && . /vault/secrets/drawings-db
              set +a
              exec ./entrypoint.sh
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          env:
            - name: POSTGRES_POOL_SIZE
              value: "3"
            - name: API_ADDRESS
              value: 0.0.0.0:8000
            - name: ENABLE_SSL
              value: "0"
      imagePullSecrets:
        - name: regcred