apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: '{{ .Release.Name }}'
  labels:
    app: '{{ .Release.Name }}'
spec:
  serviceName: '{{ .Release.Name }}-headless'
  replicas: 1
  selector:
    matchLabels:
      app: '{{ .Release.Name }}'
  template:
    metadata:
      labels:
        app: '{{ .Release.Name }}'
    spec:
      containers:
        - name: '{{ .Release.Name }}'
          image: ghcr.io/jordan-dalby/bytestash:latest
          ports:
            - containerPort: 5000
              name: http
          env:
            - name: OIDC_ENABLED
              value: 'true'
            - name: OIDC_DISPLAY_NAME
              value: OIDC
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-client'
                  key: clientId
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-client'
                  key: clientSecret
            - name: OIDC_ISSUER_URL
              valueFrom:
                secretKeyRef:
                  name: '{{ .Release.Name }}-client'
                  key: configuration

          volumeMounts:
            - mountPath: /data/snippets
              name: bytestash-data

      # Defines security context for the pod to avoid running as root.
      # securityContext:
      #   runAsUser: 1000
      #   runAsGroup: 1000
      #   fsGroup: 1000

  volumeClaimTemplates:
    - metadata:
        name: bytestash-data
      spec:
        accessModes: ['ReadWriteOnce']
        storageClassName: '{{ .Values.environment }}'
        resources:
          requests:
            storage: 5Gi