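---
# Deployment for the vaultwarden container.
# Configuration and database credentials are injected from Secrets; no
# sensitive value is inlined in this manifest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vaultwarden
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: vaultwarden
      app.kubernetes.io/part-of: vaultwarden
  template:
    metadata:
      labels:
        app.kubernetes.io/name: vaultwarden
        app.kubernetes.io/part-of: vaultwarden
    spec:
      # NOTE(review): nothing in this manifest uses the Kubernetes API; if
      # that holds for the workload, consider setting
      # automountServiceAccountToken: false here - confirm before enabling.
      containers:
        - name: vaultwarden
          # NOTE(review): the image has no registry, tag or digest, so the
          # reference is mutable as written. Presumably an overlay rewrites
          # it - confirm, and pin the final reference by digest.
          image: vaultwarden
          # Every key of this Secret becomes an environment variable.
          envFrom:
            - secretRef:
                name: vaultwarden-api-config
          env:
            # Connection string is read from the Secret key PQ_URL.
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: vaultwarden-db-credentials-vaultwarden
                  key: PQ_URL
          # Only limits are set; Kubernetes then defaults requests to the
          # same values.
          resources:
            limits:
              memory: "128Mi"
              cpu: "500m"
          ports:
            # NOTE(review): presumably the listen port is set to 8080 by
            # vaultwarden-api-config - confirm. A port above 1023 is needed
            # because the container runs as UID 1000 with all capabilities
            # dropped.
            - containerPort: 8080
          volumeMounts:
            # The root filesystem is read-only; /data is the only mount this
            # manifest provides.
            - name: data
              mountPath: /data
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
      affinity:
        nodeAffinity:
          # Soft preference only: arm64 nodes are favoured, other
          # architectures remain schedulable.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 1
              preference:
                matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - arm64
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: vaultwarden-data
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        # fsGroup makes the mounted volume group-accessible to GID 1000.
        fsGroup: 1000
        runAsNonRoot: true
        # Added: apply the container runtime's default seccomp filter. With
        # the settings above this matches what the "restricted" Pod Security
        # Standard expects; without it the pod may run unconfined.
        seccompProfile:
          type: RuntimeDefault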