---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: onepassword-connect
  namespace: security
spec:
  interval: 30m
  chart:
    spec:
      chart: app-template
      version: 1.5.1
      interval: 30m
      sourceRef:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system

  values:
    controller:
      annotations:
        reloader.stakater.com/auto: "true"

    image:
      repository: docker.io/1password/connect-api
      tag: 1.7.1@sha256:a4eb5764b6ad85cb3f2067e5c4eb903a41843302b0f39662f5da4762adaf9d1f

    env:
      OP_BUS_PORT: "11220"
      OP_BUS_PEERS: "localhost:11221"
      OP_HTTP_PORT: &port 8080
      OP_SESSION:
        valueFrom:
          secretKeyRef:
            name: onepassword-connect-secret
            key: onepassword-credentials.json

    service:
      main:
        ports:
          http:
            port: *port

    ingress:
      main:
        enabled: true
        ingressClassName: "nginx"
        annotations:
          nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
        hosts:
          - host: &host "1pwconnect.valinor.social"
            paths:
              - path: /
        tls:
          - hosts:
              - *host

    probes:
      liveness:
        enabled: true
        custom: true
        spec:
          httpGet:
            path: /heartbeat
            port: *port
          initialDelaySeconds: 15
          periodSeconds: 30
          failureThreshold: 3
      readiness:
        enabled: true
        custom: true
        spec:
          httpGet:
            path: /health
            port: *port
          initialDelaySeconds: 15
      startup:
        enabled: true
        custom: true
        spec:
          httpGet:
            path: /health
            port: *port
          failureThreshold: 30
          periodSeconds: 5
          successThreshold: 1
          timeoutSeconds: 1

    podSecurityContext:
      runAsUser: 999
      runAsGroup: 999

    persistence:
      shared:
        enabled: true
        type: emptyDir
        mountPath: /home/opuser/.op/data

    resources:
      requests:
        cpu: 5m
        memory: 10Mi
      limits:
        memory: 100Mi

    sidecars:
      sync:
        name: sync
        image: docker.io/1password/connect-sync:1.7.1@sha256:7e6f7ff94ba4784e05b815e205a8edab6a3f8cdd0c0a4ea3c5b611328e09a9ed
        env:
          - name: OP_SESSION
            valueFrom:
              secretKeyRef:
                name: onepassword-connect-secret
                key: onepassword-credentials.json
          - name: OP_HTTP_PORT
            value: &port 8081
          - name: OP_BUS_PORT
            value: "11221"
          - name: OP_BUS_PEERS
            value: "localhost:11220"
        readinessProbe:
          httpGet:
            path: /health
            port: *port
          initialDelaySeconds: 15
        livenessProbe:
          httpGet:
            path: /heartbeat
            port: *port
          failureThreshold: 3
          periodSeconds: 30
          initialDelaySeconds: 15
        volumeMounts:
          - name: shared
            mountPath: /home/opuser/.op/data