apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitlab-shell
  namespace: public-service
  labels:
    app: gitlab
    component: gitlab-shell
spec:
  selector:
    matchLabels:
      app: gitlab
      component: gitlab-shell
  template:
    metadata:
      labels:
        app: gitlab
        component: gitlab-shell
    spec:
      initContainers:
        - name: configure
          image: busybox:latest
          imagePullPolicy: IfNotPresent
          command: ['sh', '/config/configure']
          env:
          resources:
            requests:
              cpu: 50m
          volumeMounts:
          - name: shell-config
            mountPath: /config
            readOnly: true
          - name: shell-init-secrets
            mountPath: /init-config
            readOnly: true
          - name: shell-secrets
            mountPath: /init-secrets
            readOnly: false
      containers:
        - name: gitlab-shell
          image: registry.gitlab.com/gitlab-org/build/cng/gitlab-shell:v13.7.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 2222
              name: ssh
          env:
            - name: GITALY_FEATURE_DEFAULT_ON
              value: "1"
            - name: CONFIG_TEMPLATE_DIRECTORY
              value: '/etc/gitlab-shell'
            - name: CONFIG_DIRECTORY
              value: '/srv/gitlab-shell'
            - name: KEYS_DIRECTORY
              value: '/etc/gitlab-secrets/ssh'
          resources:
            requests:
              cpu: 0
              memory: 6M
          livenessProbe:
            exec:
              command:
              - /scripts/healthcheck
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 3
            successThreshold: 1
            failureThreshold: 3
          volumeMounts:
            - name: shell-config
              mountPath: '/etc/gitlab-shell'
            - name: shell-secrets
              mountPath: '/etc/gitlab-secrets'
              readOnly: true
            - name: sshd-config
              mountPath: /etc/ssh/sshd_config
              subPath: sshd_config
              readOnly: true
            - name: etc-ssl-certs
              mountPath: /etc/ssl/certs/
              readOnly: true
      securityContext:
        runAsUser: 1000
        fsGroup: 1000      
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 1
            podAffinityTerm:
              topologyKey: kubernetes.io/hostname
              labelSelector:
                matchLabels:
                  app: gitlab
                  component: gitlab-shell
      volumes:
      - name: shell-config
        configMap:
          name: gitlab-shell
      - name: sshd-config
        configMap:
          name: gitlab-shell-sshd
      - name: shell-init-secrets
        projected:
          defaultMode: 0440
          sources:
            - secret:
                name: "gitlab-shell-host-keys"
            - secret:
                name: "gitlab-shell-secret"
                items:
                  - key: "secret"
                    path: shell/.gitlab_shell_secret
      - name: shell-secrets
        emptyDir:
          medium: "Memory"
      - name: etc-ssl-certs
        emptyDir:
          medium: "Memory"