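---
# Kubernetes manifests for the s3uploader service: ServiceAccount, Deployment,
# Service and Ingress. ${COMMIT} and ${TIMESTAMP} are template placeholders;
# presumably they are substituted by the deploy pipeline before apply - confirm.

# Identity the pods run as. The Deployment below projects a token for this
# account with audience "amazonaws.com" and hands it to the AWS SDK.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: s3uploader
  namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: s3uploader
  namespace: default
  labels:
    app.kubernetes.io/component: s3uploader
  annotations:
    kubernetes.io/change-cause: "${TIMESTAMP} Deployed commit id: ${COMMIT}"
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: s3uploader
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: '10%'
  template:
    metadata:
      labels:
        app.kubernetes.io/component: s3uploader
    spec:
      serviceAccountName: s3uploader
      # NOTE(review): the default Kubernetes API token is still auto-mounted
      # next to the projected AWS token. If the app never calls the Kubernetes
      # API, automountServiceAccountToken: false would remove it - confirm first.
      affinity:
        # Soft preference: spread replicas across nodes, but still schedule
        # when only one node is available.
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                topologyKey: kubernetes.io/hostname
                labelSelector:
                  matchExpressions:
                    - key: 'app.kubernetes.io/component'
                      operator: In
                      values:
                        - s3uploader
      containers:
        - name: s3uploader
          # NOTE(review): the image is referenced by tag, and with IfNotPresent
          # a node keeps whatever it first pulled for that tag. Pinning by
          # digest would make the deployed artifact unambiguous.
          image: 'registry.gitlab.com/unboundsoftware/s3uploader:${COMMIT}'
          imagePullPolicy: IfNotPresent
          # NOTE(review): no container-level securityContext is set, so the
          # image's user, capabilities and writable root filesystem apply
          # unchanged. Before adding runAsNonRoot / allowPrivilegeEscalation:
          # false / capabilities.drop, check how the process binds port 80.
          env:
            - name: BUCKET
              value: 'upload.unbound.se'
            # NOTE(review): "uploads" here vs "upload" in BUCKET and the
            # Ingress host - confirm the difference is intentional.
            - name: RETURN_URL
              value: 'https://uploads.unbound.se'
            - name: AWS_DEFAULT_REGION
              value: 'eu-west-1'
            - name: AWS_REGION
              value: 'eu-west-1'
            # AWS_ROLE_ARN + AWS_WEB_IDENTITY_TOKEN_FILE make the AWS SDK
            # exchange the projected token for role credentials via STS
            # (AssumeRoleWithWebIdentity); no static keys are in this manifest.
            # NOTE(review): the role's trust policy is not visible here. It
            # should pin the token subject to this ServiceAccount and the
            # audience to "amazonaws.com", and the role should be scoped to
            # the upload bucket only - verify on the IAM side.
            - name: AWS_ROLE_ARN
              value: 'arn:aws:iam::724902258495:role/s3uploader.default.sa.k8s.unbound.se'
            - name: AWS_WEB_IDENTITY_TOKEN_FILE
              value: '/var/run/secrets/amazonaws.com/serviceaccount/token'
            - name: AWS_STS_REGIONAL_ENDPOINTS
              value: 'regional'
          ports:
            - name: http
              containerPort: 80
          resources:
            requests:
              cpu: 10m
              memory: 10Mi
            limits:
              cpu: 100m
              memory: 100Mi
          # Readiness takes the pod out of rotation after a single failed
          # check; liveness restarts it only after three.
          readinessProbe:
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 1
          livenessProbe:
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 3
          volumeMounts:
            - name: aws-token
              mountPath: '/var/run/secrets/amazonaws.com/serviceaccount/'
      restartPolicy: Always
      volumes:
        # Short-lived, audience-bound token for this pod's ServiceAccount.
        # 86400 s = 24 h; the kubelet refreshes the file before expiry.
        - name: aws-token
          projected:
            sources:
              - serviceAccountToken:
                  audience: 'amazonaws.com'
                  expirationSeconds: 86400
                  path: token
      securityContext:
        # Presumably set so a non-root process (65534 is conventionally
        # nobody/nogroup) can read the projected token file - confirm.
        fsGroup: 65534
---
apiVersion: v1
kind: Service
metadata:
  name: s3uploader
  # Pinned to match the Deployment: the selector below only finds pods in the
  # Service's own namespace, so this must not follow the kubectl context.
  namespace: default
  labels:
    app.kubernetes.io/component: s3uploader
spec:
  # NodePort is what the Ingress's target-type "instance" routes to.
  # NOTE(review): the node port is opened on every node; node security groups
  # should admit that port range from the load balancer only.
  type: NodePort
  selector:
    app.kubernetes.io/component: s3uploader
  ports:
    - name: http
      port: 80
      targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: s3uploader-ingress
  # Pinned for the same reason as the Service: an Ingress backend is resolved
  # in the Ingress's own namespace.
  namespace: default
  annotations:
    # NOTE(review): the kubernetes.io/ingress.class annotation is deprecated
    # in favour of spec.ingressClassName; switching needs a matching
    # IngressClass object in the cluster.
    kubernetes.io/ingress.class: 'alb'
    alb.ingress.kubernetes.io/group.name: unbound
    # Internet-facing: the upload endpoint is reachable from the public
    # Internet, and no authentication is configured at this layer.
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: instance
    # Port 80 is only there to be redirected to 443 by ssl-redirect.
    # NOTE(review): no certificate-arn or ssl-policy annotation is set, so the
    # certificate comes from host-based discovery and the TLS policy is the
    # controller default - confirm both are what you expect.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/healthcheck-path: /health
spec:
  rules:
    - host: 'upload.unbound.se'
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: s3uploader
                port:
                  number: 80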