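# Deployment for the authentik worker component: the chart image is started
# with the single argument `worker`.
# Template-rendered scalars are quoted so that a release or chart name that
# looks like a number or boolean still renders as a YAML string; Kubernetes
# rejects non-string names, label values and selector values.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "{{ include "authentik.fullname" . }}-worker"
  labels:
    app.kubernetes.io/name: {{ include "authentik.name" . | quote }}
    helm.sh/chart: {{ include "authentik.chart" . | quote }}
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    k8s.goauthentik.io/component: worker
spec:
  # Left unquoted on purpose: replicas must render as an integer.
  replicas: {{ .Values.workerReplicas }}
  selector:
    # Must stay identical to the pod template labels below.
    matchLabels:
      app.kubernetes.io/name: {{ include "authentik.name" . | quote }}
      app.kubernetes.io/instance: {{ .Release.Name | quote }}
      k8s.goauthentik.io/component: worker
  template:
    metadata:
      labels:
        app.kubernetes.io/name: {{ include "authentik.name" . | quote }}
        app.kubernetes.io/instance: {{ .Release.Name | quote }}
        k8s.goauthentik.io/component: worker
    spec:
      # The dedicated service account is attached only when
      # kubernetesIntegration is enabled; otherwise the pod runs under the
      # namespace's default service account.
      # NOTE(review): nothing here disables token automounting for that
      # default account. Consider automountServiceAccountToken: false when the
      # integration is off - confirm the worker needs no API access then.
      {{- if .Values.kubernetesIntegration }}
      serviceAccountName: "{{ include "authentik.fullname" . }}-sa"
      {{- end }}
      # Soft anti-affinity: the scheduler prefers to place worker pods of this
      # release on different nodes, but still schedules them if it cannot.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 1
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app.kubernetes.io/name
                      operator: In
                      values:
                        - {{ include "authentik.name" . | quote }}
                    - key: app.kubernetes.io/instance
                      operator: In
                      values:
                        - {{ .Release.Name | quote }}
                    - key: k8s.goauthentik.io/component
                      operator: In
                      values:
                        - worker
                topologyKey: "kubernetes.io/hostname"
      # NOTE(review): neither a pod-level nor a container-level securityContext
      # is set, so the container runs with whatever the image and the cluster
      # defaults allow. Consider runAsNonRoot, allowPrivilegeEscalation: false
      # and dropped capabilities once confirmed compatible with the image.
      containers:
        - name: {{ .Chart.Name | quote }}
          # NOTE(review): the image is selected by tag, which is mutable;
          # pinning by digest would have to come from the chart values.
          image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
          args: [worker]
          # Every key of the -config ConfigMap becomes an environment variable
          # prefixed with AUTHENTIK_. ConfigMaps are not access-restricted the
          # way Secrets are, so credentials should not be placed in it.
          envFrom:
            - configMapRef:
                name: "{{ include "authentik.fullname" . }}-config"
              prefix: "AUTHENTIK_"
          # Credentials are read from Secret objects instead of being rendered
          # into the manifest. The redis and postgresql Secret names are
          # derived from the release name - presumably the Secrets created by
          # the corresponding dependency charts; verify against the chart.
          # They remain readable to anything that can exec into the pod or
          # inspect the process environment.
          env:
            - name: AUTHENTIK_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: "{{ include "authentik.fullname" . }}-secret-key"
                  key: secret_key
            - name: AUTHENTIK_REDIS__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "{{ .Release.Name }}-redis"
                  key: "redis-password"
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "{{ .Release.Name }}-postgresql"
                  key: "postgresql-password"
          # Requests and limits are fixed in this template rather than taken
          # from values. The M suffix is decimal megabytes, not Mi.
          resources:
            requests:
              cpu: 150m
              memory: 400M
            limits:
              cpu: 300m
              memory: 600M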