# Manifests for the gitlab-sizer-webhook service:
#   - ServiceAccount, ClusterRole and ClusterRoleBinding (pod read access)
#   - Deployment (2 replicas, TLS listener on 8443)
#   - Service (443 -> 8443)
# None of the namespaced objects set metadata.namespace, while the
# ClusterRoleBinding subject and --sizer-url both hard-code "ci-sizer".
# Apply into ci-sizer (or have the deploy tooling set the namespace);
# otherwise the binding names a ServiceAccount that does not exist there.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-sizer-webhook
---
# Read-only access to pods. Because this is a ClusterRole bound through a
# ClusterRoleBinding (below), the grant covers pods in every namespace.
# NOTE(review): pod objects expose literal env values, image names and
# volume layout. If the webhook only needs pods from known namespaces,
# a namespaced Role/RoleBinding per namespace would narrow this; confirm
# what the webhook actually reads.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gitlab-sizer-webhook
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
# Grants the ClusterRole above to the webhook's ServiceAccount,
# cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-sizer-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gitlab-sizer-webhook
subjects:
  - kind: ServiceAccount
    name: gitlab-sizer-webhook
    # Must match the namespace the ServiceAccount is created in.
    namespace: ci-sizer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitlab-sizer-webhook
  labels:
    app: gitlab-sizer-webhook
spec:
  replicas: 2
  selector:
    matchLabels:
      app: gitlab-sizer-webhook
  template:
    metadata:
      labels:
        app: gitlab-sizer-webhook
    spec:
      # The pod uses the ServiceAccount bound above, so its API token
      # carries the cluster-wide pod read grant.
      serviceAccountName: gitlab-sizer-webhook
      # Pod-level hardening: fixed non-root uid/gid and the runtime's
      # default seccomp profile.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        runAsGroup: 65534
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: webhook
          # NOTE(review): ":latest" with imagePullPolicy Always means
          # every pod start pulls whatever the tag points to at that
          # moment. Replicas can end up on different builds, and a change
          # in the registry reaches the cluster with no manifest change
          # to review. Prefer a version tag or a digest reference
          # (image@sha256:<digest>) once a release reference exists.
          image: edp.buildth.ing/devfw-cicd/gitlab-webhook-edge-connect:latest
          imagePullPolicy: Always
          # Container-level hardening: no privilege escalation, read-only
          # root filesystem, all Linux capabilities dropped.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --listen-addr=:8443
            # Certificate and key come from the read-only "webhook-tls"
            # volume mounted at /etc/webhook/tls (see volumeMounts).
            - --tls-cert-file=/etc/webhook/tls/tls.crt
            - --tls-key-file=/etc/webhook/tls/tls.key
            # NOTE(review): plain HTTP to the sizer receiver. If the
            # tokens below are sent on these requests (presumably;
            # confirm), they cross the cluster network unencrypted.
            - --sizer-url=http://sizer-receiver.ci-sizer.svc:8080
            # NOTE(review): also a ":latest" tag. Presumably this is the
            # image the webhook adds to other pods (confirm); if so, the
            # pinning concern above applies to every pod that receives it.
            - --sizer-sidecar-image=edp.buildth.ing/devfw-cicd/ci-sizer-collector:latest
          env:
            # Both tokens are read from the Secret
            # "gitlab-sizer-webhook-tokens". The refs are not optional, so
            # the container cannot start if the Secret or key is missing.
            - name: WEBHOOK_SIZER_READ_TOKEN
              valueFrom:
                secretKeyRef:
                  name: gitlab-sizer-webhook-tokens
                  key: sizer-read-token
            - name: WEBHOOK_SIZER_PUSH_TOKEN
              valueFrom:
                secretKeyRef:
                  name: gitlab-sizer-webhook-tokens
                  key: sizer-push-token
            # Proxy settings are optional and come from the ConfigMap
            # "gitlab-sizer-webhook-config".
            # NOTE(review): when a proxy is set, check that NO_PROXY
            # covers sizer-receiver.ci-sizer.svc. If the binary honours
            # these variables for its sizer client (confirm), the
            # plain-HTTP calls would otherwise be sent via the proxy.
            - name: HTTP_PROXY
              valueFrom:
                configMapKeyRef:
                  name: gitlab-sizer-webhook-config
                  key: HTTP_PROXY
                  optional: true
            - name: HTTPS_PROXY
              valueFrom:
                configMapKeyRef:
                  name: gitlab-sizer-webhook-config
                  key: HTTPS_PROXY
                  optional: true
            - name: NO_PROXY
              valueFrom:
                configMapKeyRef:
                  name: gitlab-sizer-webhook-config
                  key: NO_PROXY
                  optional: true
          volumeMounts:
            # TLS key material, mounted read-only.
            - name: webhook-tls
              mountPath: /etc/webhook/tls
              readOnly: true
          # Liveness and readiness both hit /healthz over HTTPS on the
          # serving port, with identical timing.
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
          # Memory request equals the limit (128Mi); CPU may burst from
          # 100m up to 200m.
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 200m
              memory: 128Mi
      volumes:
        # Serving certificate and key from the Secret
        # "gitlab-sizer-webhook-tls".
        - name: webhook-tls
          secret:
            secretName: gitlab-sizer-webhook-tls
---
# Exposes the webhook pods on port 443, forwarding to the container's TLS
# listener on 8443. Whatever registers or calls this endpoint is not
# defined in this file.
apiVersion: v1
kind: Service
metadata:
  name: gitlab-sizer-webhook
  labels:
    app: gitlab-sizer-webhook
spec:
  selector:
    app: gitlab-sizer-webhook
  ports:
    - port: 443
      targetPort: 8443
      protocol: TCP