apiVersion: v1
kind: Namespace
metadata:
  name: sentryflow
  labels:
    app.kubernetes.io/part-of: sentryflow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sentryflow
  namespace: sentryflow
  labels:
    app.kubernetes.io/part-of: sentryflow
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sentryflow
  labels:
    app.kubernetes.io/part-of: sentryflow
rules:
  - apiGroups:
      - networking.istio.io
    verbs:
      - get
      - create
      - delete
    resources:
      - envoyfilters
  - apiGroups:
      - extensions.istio.io
    verbs:
      - get
      - create
      - delete
    resources:
      - wasmplugins
  - apiGroups:
      - ""
    verbs:
      - get
    resources:
      - configmaps
  - apiGroups:
      - apps
    verbs:
      - get
    resources:
      - deployments
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sentryflow
  labels:
    app.kubernetes.io/part-of: sentryflow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: sentryflow
subjects:
  - kind: ServiceAccount
    name: sentryflow
    namespace: sentryflow
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: sentryflow
  namespace: sentryflow
  labels:
    app.kubernetes.io/part-of: sentryflow
data:
  config.yaml: |2-
    filters:
      server:
        port: 8081
      envoy:
        uri: 5gsec/sentryflow-httpfilter:latest

    receivers:
      serviceMeshes:
        - name: istio-sidecar
          namespace: istio-system

    exporter:
      grpc:
        port: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sentryflow
  namespace: sentryflow
  labels:
    app.kubernetes.io/part-of: sentryflow
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sentryflow
  template:
    metadata:
      labels:
        app: sentryflow
    spec:
      serviceAccountName: sentryflow
      containers:
        - name: sentryflow
          image: docker.io/5gsec/sentryflow:latest
          imagePullPolicy: Always
          args:
            - --config
            - /var/lib/sentryflow/config.yaml
          volumeMounts:
            - mountPath: /var/lib/sentryflow/
              name: sentryflow
          ports:
            - containerPort: 8080
              name: exporter
              protocol: TCP
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1111
            allowPrivilegeEscalation: false
          readinessProbe:
            httpGet:
              port: 8081 # Make sure to use the same port as `.filters.server.port` field in configMap
              path: /healthz
              httpHeaders:
                - name: status
                  value: "200"
            initialDelaySeconds: 5
      terminationGracePeriodSeconds: 30
      volumes:
        - name: sentryflow
          configMap:
            name: sentryflow
            defaultMode: 420
---
apiVersion: v1
kind: Service
metadata:
  namespace: sentryflow
  name: sentryflow
  labels:
    app.kubernetes.io/part-of: sentryflow
spec:
  selector:
    app: sentryflow
  ports:
    - name: exporter
      port: 8080
      targetPort: 8080
      protocol: TCP
    - name: filter-server
      port: 8081 # Make sure to use the same port as `.filters.server.port` field in configMap
      targetPort: 8081 # Make sure to use the same port as `.filters.server.port` field in configMap
      protocol: TCP