kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: grist
  namespace: grist
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: Secret
metadata:
  name: grist-auth
  namespace: grist
  annotations:
    kube-1password: mr6spkkx7n3memkbute6ojaarm
    kube-1password/vault: Kubernetes
type: Opaque
---
apiVersion: v1
kind: Service
metadata:
  name: grist
  namespace: grist
spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: web
    name: web
  selector:
    app: grist
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grist
  namespace: grist
  labels:
    app: grist
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: grist
  template:
    metadata:
      labels:
        app: grist
    spec:
      containers:
      - args:
        - --cookie-secure=false
        - --provider=oidc
        - --provider-display-name=Auth0
        - --upstream=http://localhost:8484
        - --http-address=$(HOST_IP):8000
        - --redirect-url=https://grist.cluster.fun/oauth2/callback
        - --email-domain=marcusnoble.co.uk
        - --pass-basic-auth=false
        - --pass-access-token=false
        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
        - --cookie-expire=336h0m0s
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              key: username
              name: grist-auth
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: password
              name: grist-auth
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
        name: oauth-proxy
        ports:
        - containerPort: 8000
          protocol: TCP
          name: proxy
        resources:
          limits:
            memory: 50Mi
          requests:
            memory: 50Mi
      - name: web
        image: gristlabs/grist:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 8484
          name: web
        env:
        - name: APP_HOME_URL
          value: "https://grist.cluster.fun/"
        - name: APP_DOC_URL
          value: "https://grist.cluster.fun/"
        - name: GRIST_MAX_UPLOAD_ATTACHMENT_MB
          value: "0"
        - name: GRIST_MAX_UPLOAD_IMPORT_MB
          value: "0"
        - name: PORT
          value: "8484"
        - name: DEBUG
          value: "1"
        - name: GRIST_SINGLE_ORG
          value: "docs"
        - name: GRIST_DEFAULT_EMAIL
          value: "grist@marcusnoble.co.uk"
        - name: REDIS_URL
          value: "redis://localhost:6379"
        command:
        - sh
        - -c
        - |
          yarn add connect-redis@3.4.0
          yarn run start:prod
        volumeMounts:
          - name: storage
            mountPath: /persist
      - name: redis
        image: redis:6
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 6379
          name: redis
      volumes:
      - name: storage
        persistentVolumeClaim:
          claimName: grist
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grist
  namespace: grist
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - grist.cluster.fun
    secretName: grist-ingress
  rules:
  - host: grist.cluster.fun
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: grist
            port:
              number: 80