apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "authentik.fullname" . }}-worker
  labels:
    app.kubernetes.io/name: {{ include "authentik.name" . }}
    helm.sh/chart: {{ include "authentik.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    k8s.goauthentik.io/component: worker
spec:
  replicas: {{ .Values.workerReplicas }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "authentik.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
      k8s.goauthentik.io/component: worker
  template:
    metadata:
      labels:
        app.kubernetes.io/name: {{ include "authentik.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
        k8s.goauthentik.io/component: worker
    spec:
      {{- if .Values.kubernetesIntegration }}
      serviceAccountName: {{ include "authentik.fullname" . }}-sa
      {{- else }}
      automountServiceAccountToken: false
      {{- end }}
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 1
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                  - {{ include "authentik.name" . }}
                - key: app.kubernetes.io/instance
                  operator: In
                  values:
                  - {{ .Release.Name }}
                - key: k8s.goauthentik.io/component
                  operator: In
                  values:
                  - worker
              topologyKey: "kubernetes.io/hostname"
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
          args: [worker]
          envFrom:
            - configMapRef:
                name: "{{ include "authentik.fullname" . }}-config"
              prefix: "AUTHENTIK_"
            - secretRef:
                name: {{ include "authentik.fullname" . }}-secret-key
              prefix: AUTHENTIK_
          env:
            - name: AUTHENTIK_REDIS__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "{{ .Release.Name }}-redis"
                  key: "redis-password"
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "{{ .Release.Name }}-postgresql"
                  key: "postgresql-password"
            {{ if .Values.geoip.enabled -}}
            - name: AUTHENTIK_AUTHENTIK__GEOIP
              value: /geoip/GeoLite2-City.mmdb
            {{- end }}
          {{ if .Values.geoip.enabled -}}
          volumeMounts:
            - name: geoip
              mountPath: /geoip
          {{- end }}
          resources:
            requests:
              cpu: 150m
              memory: 400M
            limits:
              cpu: 300m
              memory: 600M
      {{ if .Values.geoip.enabled -}}
      volumes:
        - name: geoip
          persistentVolumeClaim:
            claimName: {{ include "authentik.fullname" . }}-geoip
      {{- end -}}