apiVersion: apps/v1
kind: Deployment
metadata:
  name: datatracker
spec:
  replicas: 1
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app: datatracker
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: datatracker
    spec:
      securityContext:
        runAsNonRoot: true
      containers:
        # -----------------------------------------------------
        # ScoutAPM Container
        # -----------------------------------------------------
        - name: scoutapm
          image: "scoutapp/scoutapm:version-1.4.0"
          imagePullPolicy: IfNotPresent
          livenessProbe:
            exec:
              command:
                - "sh"
                - "-c"
                - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
          securityContext:
            readOnlyRootFilesystem: true
            runAsUser: 65534 # "nobody" user by default
            runAsGroup: 65534  # "nogroup" group by default
        # -----------------------------------------------------
        # Datatracker Container
        # -----------------------------------------------------
        - name: datatracker
          image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG"
          imagePullPolicy: Always
          ports:
            - containerPort: 80
              name: http
              protocol: TCP
          volumeMounts:
            - name: dt-vol
              mountPath: /a
            - name: dt-tmp
              mountPath: /tmp
            - name: dt-cfg
              mountPath: /workspace/ietf/settings_local.py
              subPath: settings_local.py
          envFrom:
            - configMapRef:
                name: django-config
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            readOnlyRootFilesystem: true
            runAsUser: 1000
            runAsGroup: 1000
      volumes:
        # To be overriden with the actual shared volume
        - name: dt-vol
        - name: dt-tmp
          emptyDir:
            sizeLimit: "2Gi"
        - name: dt-cfg
          configMap:
            name: files-cfgmap
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: django-config
data:
    # n.b., these are debug values / non-secret secrets
  DATATRACKER_SERVER_MODE: "development"  # development for staging, production for production
  DATATRACKER_ADMINS: |-
    Robert Sparks <rjsparks@nostrum.com>
    Ryan Cross <rcross@amsl.com>
    Kesara Rathnayake <kesara@staff.ietf.org>
    Jennifer Richards <jennifer@staff.ietf.org>
    Nicolas Giard <nick@staff.ietf.org>
  DATATRACKER_ALLOWED_HOSTS: ".ietf.org"  # newline-separated list also allowed
  # DATATRACKER_DATATRACKER_DEBUG: "false"
  
  # DB access details - needs to be filled in
  # DATATRACKER_DBHOST: "db"
  # DATATRACKER_DBPORT: "5432"
  # DATATRACKER_DBNAME: "datatracker"
  # DATATRACKER_DBUSER: "django"  # secret
  # DATATRACKER_DBPASS: "RkTkDPFnKpko"  # secret
  
  DATATRACKER_DJANGO_SECRET_KEY: "PDwXboUq!=hPjnrtG2=ge#N$Dwy+wn@uivrugwpic8mxyPfHk"  # secret

  # Set this to point testing / staging at the production statics server until we
  # sort that out
  # DATATRACKER_STATIC_URL: "https://static.ietf.org/dt/12.10.0/"
  
  # DATATRACKER_EMAIL_DEBUG: "true"
  
  # Outgoing email details
  # DATATRACKER_EMAIL_HOST: "localhost"  # defaults to localhost
  # DATATRACKER_EMAIL_PORT: "2025"  # defaults to 2025

  # The value here is the default from settings.py (i.e., not actually secret)
  DATATRACKER_NOMCOM_APP_SECRET_B64: "m9pzMezVoFNJfsvU9XSZxGnXnwup6P5ZgCQeEnROOoQ="  # secret

  DATATRACKER_IANA_SYNC_PASSWORD: "this-is-the-iana-sync-password"  # secret
  DATATRACKER_RFC_EDITOR_SYNC_PASSWORD: "this-is-the-rfc-editor-sync-password"  # secret
  DATATRACKER_YOUTUBE_API_KEY: "this-is-the-youtube-api-key"  # secret
  DATATRACKER_GITHUB_BACKUP_API_KEY: "this-is-the-github-backup-api-key"  # secret

  # API key configuration
  DATATRACKER_API_KEY_TYPE: "ES265"
  # secret - value here is the default from settings.py (i.e., not actually secret)
  DATATRACKER_API_PUBLIC_KEY_PEM_B64: |-
    Ci0tLS0tQkVHSU4gUFVCTElDIEtFWS0tLS0tCk1Ga3dFd1lIS29aSXpqMENBUVlJS
    29aSXpqMERBUWNEUWdBRXFWb2pzYW9mREpTY3VNSk4rdHNodW15Tk01TUUKZ2Fyel
    ZQcWtWb3ZtRjZ5RTdJSi9kdjRGY1YrUUtDdEovck9TOGUzNlk4WkFFVll1dWtoZXM
    weVoxdz09Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=
  # secret - value here is the default from settings.py (i.e., not actually secret)
  DATATRACKER_API_PRIVATE_KEY_PEM_B64: |- 
    Ci0tLS0tQkVHSU4gUFJJVkFURSBLRVktLS0tLQpNSUdIQWdFQU1CTUdCeXFHU000O
    UFnRUdDQ3FHU000OUF3RUhCRzB3YXdJQkFRUWdvSTZMSmtvcEtxOFhySGk5ClFxR1
    F2RTRBODNURllqcUx6KzhnVUxZZWNzcWhSQU5DQUFTcFdpT3hxaDhNbEp5NHdrMzY
    yeUc2Ykkwemt3U0IKcXZOVStxUldpK1lYcklUc2duOTIvZ1Z4WDVBb0swbitzNUx4
    N2ZwanhrQVJWaTY2U0Y2elRKblgKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=

  # DATATRACKER_MEETECHO_API_BASE: "https://meetings.conf.meetecho.com/api/v1/"
  DATATRACKER_MEETECHO_CLIENT_ID: "this-is-the-meetecho-client-id"  # secret
  DATATRACKER_MEETECHO_CLIENT_SECRET: "this-is-the-meetecho-client-secret"  # secret

  # DATATRACKER_MATOMO_SITE_ID: "7"  # must be present to enable Matomo
  # DATATRACKER_MATOMO_DOMAIN_PATH: "analytics.ietf.org"

  CELERY_PASSWORD: "this-is-a-secret"  # secret

  DATATRACKER_APP_API_TOKENS_JSON: "{}"  # secret 

  # use this to override default - one entry per line
  # DATATRACKER_CSRF_TRUSTED_ORIGINS: |-
  #   https://datatracker.staging.ietf.org

  # Scout configuration
  DATATRACKER_SCOUT_KEY: "this-is-the-scout-key"
  DATATRACKER_SCOUT_NAME: "StagingDatatracker"
---
apiVersion: v1
kind: Service
metadata:
  name: datatracker
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app: datatracker