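# Labels shared by every rspamd object: the module-wide common labels plus the
# component marker. The same map is used as the Deployment selector and the
# Service selector, so all three objects must keep using this one local.
# NOTE(review): Deployment selectors are immutable; if local.common-labels
# carries values that change between releases (e.g. a version label), the
# Deployment will have to be replaced rather than updated - confirm.
locals {
  rspamd-labels = merge(local.common-labels, {
    "app.kubernetes.io/component" = "rspamd"
  })
}

# Single-replica rspamd Deployment.
#
# Hardening applied to the container: all capabilities dropped, read-only root
# filesystem, non-root UID 100, no privilege escalation, and the runtime's
# default seccomp profile. fsGroup 101 is applied at pod level.
#
# NOTE(review): no writable volume is mounted. With readOnlyRootFilesystem the
# image must not need to write runtime state; if it does, mount an emptyDir at
# the paths it writes to rather than relaxing the flag - confirm against the image.
# NOTE(review): the container is named "wildduck" although it runs the rspamd
# image; this looks like a copy-paste leftover. It is left unchanged because
# anything addressing the container by name would break on a rename.
# NOTE(review): resources is empty, so the scanner has no CPU/memory requests
# or limits; a burst of large messages can starve neighbours on the node.
# NOTE(review): the image is referenced by tag; pinning by digest would make
# the deployed artifact immutable - depends on how var.images is populated.
# NOTE(review): the pod does not appear to need the Kubernetes API; consider
# automountServiceAccountToken: false once that is confirmed.
#
# The three config files are mounted with subPath, so edits to the ConfigMap
# are NOT propagated to a running pod; the pod has to be restarted.
resource "kubectl_manifest" "rspamd_deploy" {
  yaml_body = <<-EOF
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: "${var.instance}-rspamd"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.rspamd-labels)}
    spec:
      replicas: 1
      selector:
        matchLabels: ${jsonencode(local.rspamd-labels)}
      template:
        metadata:
          labels: ${jsonencode(local.rspamd-labels)}
        spec:
          securityContext:
            fsGroup: 101
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: wildduck
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
                readOnlyRootFilesystem: true
                runAsNonRoot: true
                runAsUser: 100
              image: "${var.images.rspamd.registry}/${var.images.rspamd.repository}:${var.images.rspamd.tag}"
              imagePullPolicy: "${var.images.rspamd.pullPolicy}"
              ports:
                - name: rspamd
                  containerPort: 11333
                  protocol: TCP
              resources: {}
              volumeMounts:
                - name: config
                  mountPath: /app/rspamd/worker-normal.conf
                  subPath: worker-normal.conf
                - name: config
                  mountPath: /etc/rspamd/override.d/dmarc.conf
                  subPath: dmarc.conf
                - name: config
                  mountPath: /etc/rspamd/override.d/redis.conf
                  subPath: redis.conf
          volumes:
            - name: config
              configMap:
                name: "${var.instance}-rspamd"
  EOF
}

# rspamd configuration files, mounted into the Deployment above.
#
# worker-normal.conf: the scan worker listens on every interface, port 11333.
#   Nothing on this page configures authentication or encryption for that
#   socket, so access control has to come from the network layer.
# dmarc.conf: maps the DMARC "quarantine" policy to add_header and "reject"
#   to reject.
# redis.conf: points rspamd at the in-cluster Redis service, database 4.
#   NOTE(review): no Redis password or TLS setting is present here - confirm
#   whether that Redis instance is reachable by other workloads.
#   NOTE(review): the host name is built from var.component, while every other
#   name in this file uses only var.instance - confirm it resolves to the
#   intended Redis service.
#
# "$CONFDIR" / "$LOCAL_CONFDIR" are not followed by a brace, so Terraform
# passes them through literally.
resource "kubectl_manifest" "rspamd_config" {
  yaml_body = <<-EOF
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: "${var.instance}-rspamd"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.rspamd-labels)}
    data:
      worker-normal.conf: |-
        # Included from top-level .conf file
        worker "normal" {
          bind_socket = "*:11333";
          .include "$CONFDIR/worker-normal.inc"
          .include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/worker-normal.inc"
          .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/worker-normal.inc"
        }
      dmarc.conf: |-
        actions = {
          quarantine = "add_header";
          reject = "reject";
        }
      redis.conf: |-
        servers = "${var.instance}-${var.component}-redis.${var.namespace}.svc:6379";
        db = "4";
  EOF
}

# ClusterIP Service in front of the scan worker (named port "rspamd", 11333).
#
# ClusterIP keeps the port off the external network, but every pod in the
# cluster can still reach it. Because the worker socket itself has no access
# control configured on this page, pair this Service with a NetworkPolicy that
# admits only the mail components that submit messages for scanning.
resource "kubectl_manifest" "rspamd_service" {
  yaml_body = <<-EOF
    apiVersion: v1
    kind: Service
    metadata:
      name: "${var.instance}-rspamd"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.rspamd-labels)}
    spec:
      type: ClusterIP
      ports:
        - port: 11333
          targetPort: rspamd
          protocol: TCP
          name: rspamd
      selector: ${jsonencode(local.rspamd-labels)}
  EOF
}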