# Copyright (C) The Arvados Authors. All rights reserved.
#
# SPDX-License-Identifier: Apache-2.0

---
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  name: arvados-keep-proxy-https
  labels:
    app: arvados-keep-proxy-https
    chart: {{ template "arvados.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: arvados-keep-proxy-https
      release: {{ .Release.Name }}
  template:
    metadata:
      labels:
        app: arvados-keep-proxy-https
        release: {{ .Release.Name }}
    spec:
      containers:
        - name: {{ .Chart.Name }}
          image: "nginx:1.10"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          volumeMounts:
            - name: nginx-configmap
              mountPath: /etc/nginx/conf.d/default.conf
              subPath: nginx.conf
            - name: ssl-configmap
              mountPath: /etc/nginx/ssl.crt
              subPath: cert
            - name: ssl-configmap
              mountPath: /etc/nginx/ssl.key
              subPath: key
      volumes:
        - name: ssl-configmap
          configMap:
            name: ssl-configmap
        - name: nginx-configmap
          configMap:
            name: arvados-keep-proxy-https-configmap
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: arvados-keep-proxy-https-configmap
  labels:
    app: {{ template "arvados.name" . }}
    chart: {{ template "arvados.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
data:
  nginx.conf: |
    upstream httpContainer {
      server                arvados-keep-proxy:25107;
    }
    
    server {
      listen                0.0.0.0:25107 ssl;
      server_name           arvados-keep-proxy-https;
    
      proxy_connect_timeout 90s;
      proxy_read_timeout    300s;
      proxy_set_header      X-Real-IP $remote_addr;
    
      ssl                   on;
      ssl_certificate       /etc/nginx/ssl.crt;
      ssl_certificate_key   /etc/nginx/ssl.key;
    
      # Clients need to be able to upload blocks of data up to 64MiB in size.
      client_max_body_size  64m;
    
      # Redirect plain HTTP requests to HTTPS.
      error_page 497 301 =307 https://$host:$server_port$request_uri;
    
      location / {
        proxy_pass          http://httpContainer;
        proxy_set_header    Upgrade         $http_upgrade;
        proxy_set_header    Connection      "upgrade";
        proxy_set_header    Host            $host:$server_port;
        proxy_set_header    X-Forwarded-For $remote_addr;
      }
    }
---
apiVersion: v1
kind: Service
metadata:
  name: arvados-keep-proxy-https
  labels:
    app: {{ template "arvados.name" . }}
    chart: {{ template "arvados.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  type: LoadBalancer
  loadBalancerIP: "8.8.8.8"
  ports:
  - name: https
    port: 25107
    targetPort: 25107
    protocol: TCP
  selector:
    app: arvados-keep-proxy-https