---
####### Cairn plugin
# log collection
# https://vector.dev/docs/setup/installation/platforms/kubernetes/
# https://github.com/vectordotdev/vector/blame/master/distribution/kubernetes/vector-agent/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cairn-vector
  labels:
    app.kubernetes.io/name: cairn-vector
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cairn-vector
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
      - nodes
      - pods
    verbs:
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cairn-vector
  labels:
    app.kubernetes.io/name: cairn-vector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cairn-vector
subjects:
  - kind: ServiceAccount
    name: cairn-vector
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: cairn-vector
  labels:
    app.kubernetes.io/name: cairn-vector
spec:
  selector:
    matchLabels:
      name: cairn-vector
  template:
    metadata:
      labels:
        name: cairn-vector
    spec:
      serviceAccountName: cairn-vector
      # Run vector next to LMS
      affinity:
        podAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                    - lms
              topologyKey: kubernetes.io/hostname
      containers:
        - name: cairn-vector
          image: {{ CAIRN_VECTOR_DOCKER_IMAGE }}
          env:
            - name: VECTOR_SELF_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: VECTOR_SELF_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: VECTOR_SELF_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: PROCFS_ROOT
              value: /host/proc
            - name: SYSFS_ROOT
              value: /host/sys
            - name: VECTOR_LOG
              value: warn
          volumeMounts:
            - name: data
              mountPath: /var/lib/vector
            - name: var-log
              mountPath: /var/log/
              readOnly: true
            - mountPath: /etc/vector/vector.toml
              name: config
              subPath: k8s.toml
              readOnly: true
          securityContext:
            allowPrivilegeEscalation: false
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: cairn-vector
        - name: var-log
          hostPath:
            path: /var/log/
        - name: config
          configMap:
            name: cairn-vector-config
{% if CAIRN_RUN_CLICKHOUSE %}
---
# data storage
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cairn-clickhouse
  labels:
    app.kubernetes.io/name: cairn-clickhouse
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: cairn-clickhouse
  template:
    metadata:
      labels:
        app.kubernetes.io/name: cairn-clickhouse
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        fsGroupChangePolicy: "OnRootMismatch"
      containers:
        - name: cairn-clickhouse
          image: {{ CAIRN_CLICKHOUSE_DOCKER_IMAGE }}
          env:
            - name: CLICKHOUSE_DO_NOT_CHOWN
              value: "1"
          volumeMounts:
            - mountPath: /var/lib/clickhouse
              name: data
            - mountPath: /etc/clickhouse-server/users.d/cairn.xml
              name: user-config
              subPath: cairn.xml
            - mountPath: /scripts/clickhouse-auth.json
              name: clickhouse-auth
              subPath: auth.json
          ports:
            - containerPort: 8123
            - containerPort: 9000
          securityContext:
            allowPrivilegeEscalation: false
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: cairn-clickhouse
        - name: user-config
          configMap:
            name: cairn-clickhouse-user-config
        - name: clickhouse-auth
          configMap:
            name: cairn-clickhouse-auth
{% endif %}
---
# cairn frontend
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cairn-superset
  labels:
    app.kubernetes.io/name: cairn-superset
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: cairn-superset
  template:
    metadata:
      labels:
        app.kubernetes.io/name: cairn-superset
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
      containers:
        - name: cairn-superset
          image: {{ CAIRN_SUPERSET_DOCKER_IMAGE }}
          volumeMounts:
            - mountPath: /app/superset_config.py
              name: config
              subPath: superset_config.py
            - mountPath: /app/bootstrap/
              name: bootstrap
            - mountPath: /app/superset/cairn/clickhouse-auth.json
              name: clickhouse-auth
              subPath: auth.json
          securityContext:
            allowPrivilegeEscalation: false
      volumes:
        - name: config
          configMap:
            name: cairn-superset-config
        - name: bootstrap
          configMap:
            name: cairn-superset-bootstrap
        - name: clickhouse-auth
          configMap:
            name: cairn-clickhouse-auth
---
# frontend worker
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cairn-superset-worker
  labels:
    app.kubernetes.io/name: cairn-superset-worker
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: cairn-superset-worker
  template:
    metadata:
      labels:
        app.kubernetes.io/name: cairn-superset-worker
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
      containers:
        - name: cairn-superset-worker
          image: {{ CAIRN_SUPERSET_DOCKER_IMAGE }}
          args: ["celery", "--app=superset.tasks.celery_app:app", "worker", "-Ofair", "-l", "INFO"]
          volumeMounts:
            - mountPath: /app/superset_config.py
              name: config
              subPath: superset_config.py
          securityContext:
            allowPrivilegeEscalation: false
      volumes:
        - name: config
          configMap:
            name: cairn-superset-config
---
# frontend celery beat
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cairn-superset-worker-beat
  labels:
    app.kubernetes.io/name: cairn-superset-worker-beat
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: cairn-superset-worker-beat
  template:
    metadata:
      labels:
        app.kubernetes.io/name: cairn-superset-worker-beat
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
      containers:
        - name: cairn-superset-worker-beat
          image: {{ CAIRN_SUPERSET_DOCKER_IMAGE }}
          args: ["celery", "--app=superset.tasks.celery_app:app", "beat", "--pidfile", "/tmp/celerybeat.pid", "-l", "INFO", "--schedule=/tmp/celerybeat-schedule"]
          volumeMounts:
            - mountPath: /app/superset_config.py
              name: config
              subPath: superset_config.py
          securityContext:
            allowPrivilegeEscalation: false
      volumes:
        - name: config
          configMap:
            name: cairn-superset-config
{% if CAIRN_RUN_POSTGRESQL %}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cairn-postgresql
  labels:
    app.kubernetes.io/name: cairn-postgresql
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: cairn-postgresql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/name: cairn-postgresql
    spec:
      securityContext:
        runAsUser: 70
        runAsGroup: 70
        fsGroup: 70
        fsGroupChangePolicy: "OnRootMismatch"
      containers:
        - name: cairn-postgresql
          image: docker.io/postgres:9.6-alpine
          env:
            - name: POSTGRES_USER
              value: "{{ CAIRN_POSTGRESQL_USERNAME }}"
            - name: POSTGRES_PASSWORD
              value: "{{ CAIRN_POSTGRESQL_PASSWORD }}"
            - name: POSTGRES_DB
              value: "{{ CAIRN_POSTGRESQL_DATABASE }}"
            # The following is required, otherwise postgresql refuses to
            # write to the non-empty directory which contains "lost+found".
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
          ports:
            - containerPort: 5432
          volumeMounts:
            - mountPath: /var/lib/postgresql/data
              name: data
          securityContext:
            allowPrivilegeEscalation: false
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: cairn-postgresql
{% endif %}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cairn-watchcourses
  labels:
    app.kubernetes.io/name: cairn-watchcourses
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: cairn-watchcourses
  template:
    metadata:
      labels:
        app.kubernetes.io/name: cairn-watchcourses
    spec:
      containers:
        - name: cairn-watchcourses
          image: {{ DOCKER_IMAGE_OPENEDX }}
          command: ["/bin/bash"]
          args: ["-c", "python /openedx/scripts/server.py"]
          volumeMounts:
            - mountPath: /openedx/edx-platform/lms/envs/tutor/
              name: settings-lms
            - mountPath: /openedx/edx-platform/cms/envs/tutor/
              name: settings-cms
            - mountPath: /openedx/config
              name: config
            - mountPath: /openedx/scripts
              name: scripts
            - mountPath: /openedx/clickhouse-auth.json
              name: clickhouse-auth
              subPath: auth.json
          securityContext:
            allowPrivilegeEscalation: false
          ports:
            - containerPort: 9282
      volumes:
      - name: settings-lms
        configMap:
          name: openedx-settings-lms
      - name: settings-cms
        configMap:
          name: openedx-settings-cms
      - name: config
        configMap:
          name: openedx-config
      - name: scripts
        configMap:
          name: cairn-openedx-scripts
      - name: clickhouse-auth
        configMap:
          name: cairn-clickhouse-auth
