---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: radicale-pvc
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: longhorn
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: radicale-conf
  labels:
    app: radicale
data:
  config: |-
{{ tpl (.Files.Get "files/radicale-configmap.ini" | indent 4) . }}
---
{{- $_ := set $ "homey_radicale_basic_auth" (include "homey.lookuporgensecret" (merge (dict "secretname" "radicale-basic-auth") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "radicale-basic-auth" "secretval" .homey_radicale_basic_auth) $) }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: radicale
  labels:
    app: radicale
spec:
  replicas: 1
  selector:
    matchLabels:
      app: radicale
  template:
    metadata:
      labels:
        app: radicale
    spec:
      containers:
      - name: radicale
        image: tomsquest/docker-radicale
        imagePullPolicy: IfNotPresent
        ports:
        - name: dav
          containerPort: 5232
          protocol: TCP
        volumeMounts:
        - name: collections
          mountPath: /data/collections
        - name: config
          mountPath: /config/config
          subPath: config
          readOnly: true
      restartPolicy: Always
      volumes:
      - name: collections
        persistentVolumeClaim:
          claimName: radicale-pvc
      - name: config
        configMap:
          name: radicale-conf
---
apiVersion: v1
kind: Service
metadata:
  name: radicale
  labels:
    app.kubernetes.io/name: radicale
spec:
  type: ClusterIP
  ports:
    - name: dav
      port: 5232
      targetPort: 5232
    - name: http
      port:80
      targetPort: 80
  selector:
    app.kubernetes.io/name: radicale
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: radicale
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/auth-method: GET
    nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
    nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
    nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Method $request_method;
      auth_request_set $user $upstream_http_remote_user;
      auth_request_set $groups $upstream_http_remote_groups;
      auth_request_set $name $upstream_http_remote_name;
      auth_request_set $email $upstream_http_remote_email;
      proxy_set_header X-Remote-User $user;
      proxy_set_header X-Remote-Fullname $name;
      proxy_set_header X-Remote-Email $email;
spec:
  ingressClassName: {{ .Values.homey.ingress_class }}
  tls:
    - hosts:
      - dav.{{ .Values.homey.url }}
      secretName: {{ .Values.homey.certname }}
  rules:
  - host: dav.{{ .Values.homey.url }}
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: radicale
            port:
              number: 5232
---