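---
# REDIS
# NOTE:
# - Redis uses a Longhorn volume (PVC) for persistence.
# - replicas = 1 means: no real Redis HA, but the data survives node/pod
#   restarts.
# - Real (multi-node) Redis HA would later need Redis Sentinel, a Redis
#   operator, or an external/managed Redis.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: authentik-redis
  namespace: authentik
spec:
  serviceName: authentik-redis
  replicas: 1
  selector:
    matchLabels:
      app: authentik-redis
  template:
    metadata:
      labels:
        app: authentik-redis
    spec:
      containers:
        - name: redis
          image: redis:7-alpine
          # NOTE(security): Kubernetes substitutes $(REDIS_PASSWORD) into the
          # container's argv, so the password is readable from the process
          # command line by anything that can inspect the pod's processes.
          # Consider supplying it through a mounted config file instead.
          command: ["redis-server", "--requirepass", "$(REDIS_PASSWORD)"]
          ports:
            - containerPort: 6379
          env:
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: AUTHENTIK_REDIS__PASSWORD
          # Only requests are set; without limits the container is not capped.
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
          volumeMounts:
            - name: redis-data
              mountPath: /data
  volumeClaimTemplates:
    - metadata:
        name: redis-data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: longhorn
        resources:
          requests:
            storage: 2Gi
---
# No `type` is set, so this is a ClusterIP Service. No NetworkPolicy is visible
# in this file; without one, any pod in the cluster can reach this port and
# the Redis password is the only access control.
apiVersion: v1
kind: Service
metadata:
  name: authentik-redis
  namespace: authentik
spec:
  ports:
    - port: 6379
      targetPort: 6379
  selector:
    app: authentik-redis
---
# POSTGRES
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: authentik-postgresql
  namespace: authentik
spec:
  serviceName: authentik-postgresql
  replicas: 1
  selector:
    matchLabels:
      app: authentik-postgresql
  template:
    metadata:
      labels:
        app: authentik-postgresql
    spec:
      # Init container: clean up the lost+found directory on the Longhorn
      # volume so that PostgreSQL's first-time initialisation sees an empty
      # data directory.
      #
      # Init containers run on EVERY pod start, not only when the volume is
      # new. The cleanup below is therefore guarded by a PG_VERSION check:
      # without that guard, each restart of the pod would delete the whole
      # authentik database.
      initContainers:
        - name: init-postgres-data
          # Pinned tag instead of the mutable `latest`: this container runs
          # as root with write access to the database volume. Prefer pinning
          # by digest.
          image: busybox:1.36
          command: ["sh", "-c"]
          args:
            - |
              data_dir=/var/lib/postgresql/data
              # Remove the lost+found directory (created by Longhorn/ext4).
              rm -rf "$data_dir/lost+found"
              # Make sure the directory is empty, but only on a volume that
              # has not been initialised yet. PG_VERSION exists once
              # PostgreSQL has initialised the directory; in that case the
              # data must be left untouched.
              if [ ! -f "$data_dir/PG_VERSION" ]; then
                find "$data_dir" -mindepth 1 -maxdepth 1 ! -name "lost+found" -exec rm -rf {} + || true
              fi
          securityContext:
            # Root is used so the cleanup can remove root-owned entries such
            # as lost+found.
            runAsUser: 0
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
      containers:
        - name: postgres
          image: postgres:15-alpine
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB
              value: authentik
            - name: POSTGRES_USER
              value: authentik
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: AUTHENTIK_POSTGRESQL__PASSWORD
          # NOTE(review): the data directory is the volume's mount root, which
          # is why lost+found has to be removed above. For a fresh install,
          # pointing PGDATA at a subdirectory of the mount would make the init
          # container unnecessary; doing that on an existing volume would hide
          # the current data, so it is not changed here.
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
  volumeClaimTemplates:
    - metadata:
        name: postgres-data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: longhorn
        resources:
          requests:
            storage: 5Gi
---
# No `type` is set, so this is a ClusterIP Service. No NetworkPolicy is visible
# in this file; without one, any pod in the cluster can reach this port.
apiVersion: v1
kind: Service
metadata:
  name: authentik-postgresql
  namespace: authentik
spec:
  ports:
    - port: 5432
      targetPort: 5432
  selector:
    app: authentik-postgresql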