domain/apps/dbgate/deploy.tf

locals {
   deploy-envs = [{
    "name" = "CONNECTIONS"
    "value" = local.connections
   },{
    "name" = "OAUTH_CLIENT_ID"
    "valueFrom" = {
      "secretKeyRef" = {
        "name" = "${var.component}-${var.instance}-id"
        "key" = "client-id"
      }
    }
   },{
    "name" = "OAUTH_CLIENT_SECRET"
    "valueFrom" = {
      "secretKeyRef" = {
        "name" = "${var.component}-${var.instance}-secret"
        "key" = "client-secret"
      }
    }
   }]
}

resource "kubectl_manifest" "deploy" {
  yaml_body  = <<-EOF
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: "${var.component}-${var.instance}"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.common_labels)}
      annotations:
        configmap.reloader.stakater.com/reload: "${var.component}-${var.instance}"
        secret.reloader.stakater.com/reload: "${var.component}-${var.instance}"
    spec:
      replicas: 1
      selector:
        matchLabels: ${jsonencode(local.common_labels)}
      template:
        metadata:
          labels: ${jsonencode(local.common_labels)}
        spec:
          securityContext:
            fsGroup: 1000
            runAsGroup: 1000
            runAsUser: 1000
          containers:
          - name: dbgate
            securityContext:
              fsGroup: 1000
              runAsGroup: 1000
              runAsNonRoot: true
              runAsUser: 1000
            envFrom:
            - secretRef:
                name: "${var.component}-${var.instance}"
            - configMapRef:
                name: "${var.component}-${var.instance}"
            env: ${jsonencode(local.deploy-envs)}
            image: "${var.images.dbgate.registry}/${var.images.dbgate.repository}:${var.images.dbgate.tag}"
            imagePullPolicy: "${var.images.dbgate.pull_policy}"
            ports:
            - containerPort: 3000
              name: http
              protocol: TCP
            livenessProbe:
              failureThreshold: 3
              httpGet:
                path: /
                port: http
                scheme: HTTP
              periodSeconds: 10
              successThreshold: 1
              timeoutSeconds: 1
            readinessProbe:
              failureThreshold: 3
              httpGet:
                path: /
                port: http
                scheme: HTTP
              periodSeconds: 10
              successThreshold: 1
              timeoutSeconds: 1
            volumeMounts:
            - name: certs
              mountPath: /etc/local-ca
              readOnly: true
            - name: data
              mountPath: /home/node/.dbgate
          restartPolicy: Always
          volumes:
          - name: certs
            secret:
              secretName: "${var.instance}-cert"
              defaultMode: 0444
          - name: data
            persistentVolumeClaim:
              claimName: "${var.component}-${var.instance}"
          - name: run
            emptyDir: {}
  EOF
}