apiVersion: apps/v1
kind: Deployment
metadata:
  name: vaultwarden
  namespace: vaultwarden
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vaultwarden
  template:
    metadata:
      labels:
        app: vaultwarden
    spec:
      volumes:
        - name: data-dir
          emptyDir: {}
        - name: rsa-keys
          secret:
            secretName: vaultwarden-rsa
            defaultMode: 0644
      containers:
        - name: vaultwarden
          image: vaultwarden/server:testing
          imagePullPolicy: Always
          resources:
            limits:
              memory: "128Mi"
              cpu: "500m"
            requests:
              memory: "64Mi"
              cpu: "100m"
          envFrom:
            - secretRef:
                name: vaultwarden
            - configMapRef:
                name: vaultwarden-env
          env:
            - name: LOG_LEVEL
              value: debug
          ports:
            - containerPort: 80
              name: web
          volumeMounts:
            - name: rsa-keys
              mountPath: /data/keys
              readOnly: true
            - name: data-dir
              mountPath: /data
---
apiVersion: v1
kind: Service
metadata:
  name: vaultwarden
  namespace: vaultwarden
  labels:
    app: vaultwarden
spec:
  selector:
    app: vaultwarden
  ports:
  - port: 80
    targetPort: 80
    name: web
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vaultwarden
  namespace: vaultwarden
  annotations:
    cert-manager.io/cluser-issuer: "le-issuer"
spec:
  tls:
  - hosts:
    - pw.gmem.ca
    secretName: gmem-ca-wildcard
  rules:
    - host: pw.gmem.ca
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name:  vaultwarden
                port:
                  number: 80
---
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: vaultwarden
  namespace: vaultwarden
spec:
  hostAPI: http://infisical:8080
  resyncInterval: 10
  authentication:
    kubernetesAuth:
      identityId: 68d1f432-7b0a-4e4a-b439-acbbbc160f1e
      serviceAccountRef:
        name: infisical-auth
        namespace: infisical
      secretsScope:
        projectSlug: kubernetes-homelab-dp67
        envSlug: prod
        secretsPath: "/vaultwarden"
  managedSecretReference:
    secretName: vaultwarden
    secretNamespace: vaultwarden
    creationPolicy: "Owner"
---
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: vaultwarden-rsa
  namespace: vaultwarden
spec:
  hostAPI: http://infisical:8080
  resyncInterval: 10
  authentication:
    kubernetesAuth:
      identityId: 68d1f432-7b0a-4e4a-b439-acbbbc160f1e
      serviceAccountRef:
        name: infisical-auth
        namespace: infisical
      secretsScope:
        projectSlug: kubernetes-homelab-dp67
        envSlug: prod
        secretsPath: "/vaultwarden/keys"
  managedSecretReference:
    secretName: vaultwarden-rsa
    secretNamespace: vaultwarden
    creationPolicy: "Owner"