apiVersion: apps/v1
kind: Deployment
metadata:
  name: bulwark
  namespace: stalwart
spec:
  replicas: 1
  selector:
    matchLabels:
      app: bulwark
  template:
    metadata:
      labels:
        app: bulwark
    spec:
      containers:
        - name: bulwark
          image: src.DOMAIN_SUFFIX/studio/bulwark:latest
          ports:
            - name: http
              containerPort: 3000
          env:
            - name: JMAP_SERVER_URL
              value: https://mail.DOMAIN_SUFFIX
            - name: OAUTH_ENABLED
              value: "true"
            - name: OAUTH_ONLY
              value: "true"
            - name: LOG_LEVEL
              value: "debug"
            - name: OAUTH_SCOPES
              value: "openid email profile offline_access"
            - name: COOKIE_SECURE
              value: "false"
            - name: OAUTH_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-bulwark
                  key: CLIENT_ID
            - name: OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc-bulwark
                  key: CLIENT_SECRET
            - name: OAUTH_ISSUER_URL
              value: https://auth.DOMAIN_SUFFIX
            - name: SESSION_SECRET
              valueFrom:
                secretKeyRef:
                  name: stalwart-app-secrets
                  key: admin-password
          livenessProbe:
            httpGet:
              path: /
              port: 3000
            initialDelaySeconds: 10
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /
              port: 3000
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            requests:
              memory: 128Mi
              cpu: 50m
            limits:
              memory: 512Mi
              cpu: 500m