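---
# Node-RED instance "node-red-1" fronted by an oauth2-proxy sidecar (OIDC against
# auth.werts.us). The oauth2-proxy config is rendered by the Vault agent injector
# from the annotation template below; the Ingress sends all traffic for
# red-1.werts.us to the proxy's port 4180.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: node-red-1
  name: node-red-1
  namespace: node-red
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: node-red-1
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # The secret path given here is a placeholder: the template annotation
        # below fully defines the rendered /vault/secrets/config.cfg.
        vault.hashicorp.com/agent-inject-secret-config.cfg: x
        vault.hashicorp.com/agent-inject-template-config.cfg: |
          # Session cookie is scoped to werts.us and every subdomain, so any
          # *.werts.us host receives it; whitelist_domains likewise allows
          # post-login redirects to any *.werts.us host.
          cookie_domains=['werts.us']
          whitelist_domains=[".werts.us"]
          # only users whose e-mail is in one of these domains will be let in
          email_domains=["werts.us","strudelline.net","andariese.net"]
          {{- with secret "kvv2/data/k8s-ns/node-red/node-red-1-werts-oidc" }}
          client_id="{{ .Data.data.client_id }}"
          client_secret="{{ .Data.data.client_secret }}"
          # cookie_secret was previously a literal in this manifest (readable by
          # anyone with get on Deployments/Pods and in VCS history). It now comes
          # from the same KV entry as the OIDC credentials.
          # NOTE(review): add a cookie_secret key (16/24/32 random bytes, base64)
          # to that KV entry before applying, and treat the old committed value
          # as compromised.
          cookie_secret="{{ .Data.data.cookie_secret }}"
          {{- end }}
          # The site is only served as https (redirect_url below), so the
          # session cookie must carry the Secure flag; "false" let it be sent
          # over plaintext to any werts.us host.
          cookie_secure="true"
          redirect_url="https://red-1.werts.us/oauth2/callback"
          upstreams = [ "http://localhost:1880" ]
          # Negated route: ONLY paths under /admin require a login; everything
          # else on red-1.werts.us is served anonymously. Node-RED serves its
          # editor and admin API at httpAdminRoot, which defaults to "/", so
          # confirm this image/settings.js moves them under /admin — otherwise
          # the flow editor is reachable without authentication. TODO confirm.
          skip_auth_routes = [ "!=^/admin(/.*)?$" ]
          # reverse_proxy trusts X-Forwarded-* headers; acceptable only because
          # the proxy is reached exclusively through the Istio ingress.
          reverse_proxy = true
          set_xauthrequest = true
          provider="oidc"
          oidc_issuer_url="https://auth.werts.us/realms/werts"
        # NOTE(review): the "default" Vault role should be scoped to read only
        # kvv2/data/k8s-ns/node-red/* for this namespace's service account —
        # verify the role's policy.
        vault.hashicorp.com/role: default
      creationTimestamp: null
      labels:
        app: node-red-1
    spec:
      # All three containers share the pod network namespace. oauth2-proxy only
      # guards traffic that arrives on 4180 via the Service/Ingress; Node-RED's
      # 1880 is reachable from any pod that can address this pod IP unless a
      # NetworkPolicy restricts ingress to the Istio gateway on 4180, or Node-RED
      # is configured to bind 127.0.0.1 (uiHost). TODO confirm one of the two.
      containers:
        - env:
            - name: CHROMIUM_USER_FLAGS
              # Disables Chromium's process sandbox. Required when Chromium
              # runs as root in an unprivileged container, but it removes the
              # renderer isolation that contains a browser exploit; prefer a
              # non-root user with user namespaces / a seccomp profile so the
              # sandbox can stay on.
              value: --no-sandbox --disable-setuid-sandbox
          # Unpinned tag with pullPolicy Always: every pod restart may pull a
          # different image. Pin to a tag or digest.
          image: jamesandariese/node-red-with-chrome
          imagePullPolicy: Always
          name: node-red-1
          # No limits: a runaway flow or headless Chromium can exhaust the node.
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /data
              name: data-pv
        # Untagged image resolves to haproxy:latest; pin it. Its role is
        # defined by the node-red-1-haproxy-config ConfigMap, which is not in
        # this file.
        - image: haproxy
          imagePullPolicy: Always
          name: haproxy
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /usr/local/etc/haproxy
              name: haproxy-config
              readOnly: true
        - args:
            - --http-address=0.0.0.0:4180
            - --config=/vault/secrets/config.cfg
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /ping
              port: http
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          name: oauth2-proxy
          ports:
            - containerPort: 4180
              name: http
              protocol: TCP
          resources: {}
          # The upstream image runs as an unprivileged user and binds an
          # unprivileged port, so it can be hardened without functional risk.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      # Pod-level context left empty on purpose: the node-red image's runtime
      # user is not known from this file, so runAsNonRoot/fsGroup are not set
      # here — set them once the image's UID is confirmed.
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
        - name: data-pv
          # Plain NFS: flows, credentials and settings for this instance live
          # here unencrypted in transit; the export's root_squash/host
          # restrictions are not visible from this manifest.
          nfs:
            path: /volume1/k8s-volumes/node-red-1
            server: 172.16.18.1
        - configMap:
            defaultMode: 420
            name: node-red-1-haproxy-config
          name: haproxy-config
---
# Routes red-1.werts.us to the oauth2-proxy port of the node-red-1 Service
# (Service not in this file). No tls: stanza: with ingressClassName istio the
# TLS termination and http->https redirect are expected on the Istio Gateway —
# the redirect_url and cookie_secure above both depend on that being the case.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: node-red-1
  namespace: node-red
spec:
  ingressClassName: istio
  rules:
    - host: red-1.werts.us
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: node-red-1
                port:
                  number: 4180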