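# Deployment for the onionbalance pod: a tor daemon and the onionbalance
# process run side by side and share tor's run and state directories.
# This file is a template; the {{ ... }} expressions are filled in before the
# manifest is applied. Templated scalars are quoted so that an empty or
# boolean-looking expansion cannot change the YAML type.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: "{{ deploy.namespace }}"
  name: onionbalance
  labels:
    app: onionbalance
spec:
  replicas: 1
  selector:
    matchLabels:
      app: onionbalance
  # Recreate stops the old pod before the new one starts, so two instances
  # never run at the same time.
  strategy:
    type: Recreate
  revisionHistoryLimit: 5
  template:
    metadata:
      labels:
        app: onionbalance
    spec:
      # nodeName binds the pod to one node directly, bypassing the scheduler.
      nodeName: "{{ deploy.worker.name }}"
      serviceAccountName: onionbalance
      securityContext:
        # Pod-wide default: containers run as UID 998 unless they override it.
        runAsUser: 998
        fsGroup: 998
      initContainers:
        - name: prepare-onion-lib
          # NOTE(review): the image has no tag or digest, so whatever
          # "busybox" resolves to at pull time runs as root here; pin it.
          image: busybox
          command:
            - sh
            - '-c'
            - 'chown 998:998 /var/lib/tor && chmod 0750 /var/lib/tor'
          securityContext:
            # Root is needed to hand the freshly created emptyDir to UID 998.
            runAsUser: 0
            allowPrivilegeEscalation: false
            # chown needs CHOWN; the chmod runs after ownership has moved to
            # UID 998, so root also needs FOWNER. Nothing else is required.
            capabilities:
              drop:
                - ALL
              add:
                - CHOWN
                - FOWNER
          volumeMounts:
            - name: onion-lib
              mountPath: /var/lib/tor
      containers:
        - name: tor
          image: "spreadspace/onionbalance:{{ desc.globals.deployment.parameter.onionbalance_image_version }}"
          imagePullPolicy: Always
          args:
            - /run-tor.sh
          # Runs as UID 998 (pod default); refuse to start as root and remove
          # the ways to regain privileges.
          # NOTE(review): confirm /run-tor.sh does not rely on a setuid
          # helper or file capabilities.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: onion-run
              mountPath: /var/run/tor
            - name: onion-lib
              mountPath: /var/lib/tor
        - name: balance
          image: "spreadspace/onionbalance:{{ desc.globals.deployment.parameter.onionbalance_image_version }}"
          imagePullPolicy: Always
          args:
            - /run-balance.sh
          env:
            # Downward API: exposes the pod's own namespace to the process.
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # Same restrictions as the tor container.
          # NOTE(review): confirm /run-balance.sh does not rely on a setuid
          # helper or file capabilities.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: onion-run
              mountPath: /var/run/tor
            - name: onion-lib
              mountPath: /var/lib/tor
            # Key material is mounted read-only and only into this container.
            - name: onion-keys
              readOnly: true
              mountPath: /var/run/secrets/spreadspace.org/onionbalance
      volumes:
        # Both emptyDirs are memory-backed, so their contents are lost when
        # the pod goes away.
        # NOTE(review): neither sets sizeLimit; consider bounding them so the
        # pod cannot fill node memory.
        - name: onion-run
          emptyDir:
            medium: Memory
        - name: onion-lib
          emptyDir:
            medium: Memory
        - name: onion-keys
          secret:
            secretName: onionbalance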