apiVersion: v1
kind: ServiceAccount
metadata:
  name: k8up
  namespace: k8up
  labels:
    app: k8up
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: k8up
  labels:
    app: k8up
rules:
- apiGroups:
    - apiextensions.k8s.io
  resources:
    - customresourcedefinitions
  verbs:
    - get
    - watch
    - list
    - create
    - edit
    - patch
- apiGroups:
  - backup.appuio.ch
  resources:
    - '*'
  verbs:
    - '*'
- apiGroups:
  - ''
  resources:
  - pods
  - pods/exec
  - persistentvolumeclaims
  - events
  - serviceaccounts
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - '*'
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - '*'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: k8up-edit
  labels:
    app: k8up
    # Add these permissions to the "admin" and "edit" default roles.
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
  - apiGroups:
      - backup.appuio.ch
    resources:
      - "*"
    verbs:
      - "*"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: k8up-view
  labels:
    app: k8up
    # Add these permissions to the "view" default role.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups:
      - backup.appuio.ch
    resources:
      - "*"
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  labels:
    app: k8up
  name: k8up
subjects:
- kind: ServiceAccount
  name: k8up
  namespace: k8up
roleRef:
  apiGroup: rbac.authorization.k8s.io
  name: k8up
  kind: ClusterRole
---
apiVersion: v1
kind: Service
metadata:
  name: k8up-metrics
  namespace: k8up
  labels:
    app: k8up
spec:
  ports:
  - name: http
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    app: k8up
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: k8up
  namespace: k8up
  labels:
    app: k8up
spec:
  replicas: 1
  selector:
    matchLabels:
      app: k8up
  template:
    metadata:
      labels:
        app: k8up
    spec:
      containers:
      - name: k8up-operator
        image: docker.io/vshn/k8up:v0.1.10
        imagePullPolicy: Always
        env:
        - name: BACKUP_IMAGE
          value: docker.io/vshn/wrestic:v0.1.9
        - name: BACKUP_GLOBALACCESSKEYID
          valueFrom:
            secretKeyRef:
              name: global-s3-credentials
              key: access-key-id
        - name: BACKUP_GLOBALSECRETACCESSKEY
          valueFrom:
            secretKeyRef:
              name: global-s3-credentials
              key: access-key-secret
        - name: BACKUP_GLOBALREPOPASSWORD
          valueFrom:
            secretKeyRef:
              name: global-backup-secret
              key: secret
        - name: BACKUP_GLOBALS3ENDPOINT
          value: http://10.42.42.2:9000
        - name: BACKUP_GLOBALS3BUCKET
          value: knurrli-k8up
        - name: BACKUP_PROMURL
          value: prometheus-pushgateway.monitoring.svc:9091
        ports:
        - containerPort: 8080
          protocol: TCP
        resources:
          limits:
            cpu: 1
            memory: 2Gi
          requests:
            cpu: 0.5
            memory: 0.5Gi
      serviceAccountName: k8up