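---
# StatefulSet running a 3-member MongoDB replica set ("rs0") with keyfile-based
# internal authentication between members.
#
# Expected to exist in the same namespace (not defined in this file):
#   - Service "mongodb-service" (headless, for stable per-pod DNS names)
#   - Secret "mongodb-keyfile" with key "mongodb-keyfile" (replica-set key)
#   - Secret "mongodb-secret" with keys "username" and "password"
#   - StorageClass "mongodb-storage-class"
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mongodb # Specifies the name of the statefulset
spec:
  serviceName: 'mongodb-service' # Specifies the service to use
  podManagementPolicy: OrderedReady # or Parallel
  replicas: 3
  selector:
    matchLabels:
      app: mongodb
  template:
    metadata:
      labels:
        app: mongodb
    spec:
      subdomain: mongodb-service
      securityContext:
        # Volumes are made group-accessible to GID 999; the init script below
        # also chowns to 999:999.
        # NOTE(review): 999 is presumably the mongodb account of the image in
        # use - confirm against the image once it is pinned.
        fsGroup: 999
      initContainers:
        # Copies the replica-set key out of the Secret mount into an emptyDir
        # and tightens owner/mode there. Presumably needed because mongod
        # refuses key files readable by group/other and the Secret mount's
        # ownership cannot be changed in place - confirm.
        - name: internal-keyfile-provisioner
          # NOTE(review): `latest` is a mutable tag. Pin a tested version tag
          # or an image digest so every replica and every restart runs the
          # same, reviewed binary.
          image: docker.io/library/mongo:latest
          securityContext:
            # Root is required here for the chown calls; this is the only
            # container in the pod that should run as UID 0.
            runAsUser: 0
            runAsGroup: 0
          command:
            - sh
            - -c
            - |
              set -ex
              mkdir -p /opt/mongodb
              cp /tmp/raw-keyfile/mongodb-keyfile /opt/mongodb/mongodb-keyfile
              chmod 400 /opt/mongodb/mongodb-keyfile
              chown -R 999:999 /opt/mongodb
              chown -R 999:999 /data/db
              rm -f /data/db/mongod.lock
          volumeMounts:
            - name: raw-secret-keyfile-volume
              mountPath: /tmp/raw-keyfile
            - name: isolated-runtime-keyfile-volume
              mountPath: /opt/mongodb
            - name: mongodb-storage
              mountPath: /data/db
      containers:
        - name: mongodb
          # NOTE(review): same mutable-tag concern as the init container.
          image: docker.io/library/mongo:latest
          # `command` replaces the image entrypoint, so nothing drops
          # privileges before mongod starts. Run explicitly as the account
          # that owns the data directory and key file (999:999, set by the
          # init container) instead of inheriting the image's default user.
          securityContext:
            runAsNonRoot: true
            runAsUser: 999
            runAsGroup: 999
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          command:
            - mongod
          args:
            - '--replSet'
            - 'rs0'
            # Client authentication on; members authenticate to each other
            # with the shared key file.
            - '--auth'
            - '--clusterAuthMode'
            - 'keyFile'
            - '--keyFile'
            - '/opt/mongodb/mongodb-keyfile'
            # Listens on every pod interface. Reachability of 27017 should be
            # limited with a NetworkPolicy (none is defined in this file).
            - '--bind_ip_all'
          ports:
            - containerPort: 27017
          volumeMounts:
            - name: isolated-runtime-keyfile-volume
              mountPath: /opt/mongodb
            - name: mongodb-storage
              mountPath: /data/db
          env:
            - name: MONGO_REPLICA_SET_NAME
              value: rs0
            # NOTE(review): MONGO_INITDB_ROOT_* are read by the official
            # image's entrypoint script, which is bypassed by `command` above,
            # so these variables most likely do not create the root user.
            # With --auth and no users defined, access control relies on the
            # first user being created by a separate bootstrap step - confirm
            # that step exists, or drop `command` and let the entrypoint run.
            - name: MONGO_INITDB_ROOT_USERNAME
              valueFrom:
                secretKeyRef:
                  name: mongodb-secret
                  key: username
            - name: MONGO_INITDB_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mongodb-secret
                  key: password
          # Both probes only check that the port accepts TCP connections;
          # they say nothing about replica-set membership or health.
          readinessProbe:
            tcpSocket:
              port: 27017
            initialDelaySeconds: 15
            periodSeconds: 10
            timeoutSeconds: 5
          livenessProbe:
            tcpSocket:
              port: 27017
            initialDelaySeconds: 30
            periodSeconds: 20
            timeoutSeconds: 5
          resources:
            requests:
              cpu: '100m'
              memory: '256Mi'
            limits:
              cpu: '500m'
              memory: '512Mi'
      volumes:
        - name: raw-secret-keyfile-volume
          secret:
            secretName: mongodb-keyfile
            # Octal literal (owner read-only). Must stay an unquoted integer;
            # if this manifest is ever converted to JSON, use decimal 256.
            defaultMode: 0400
        # Scratch volume holding the re-permissioned copy of the key file;
        # contents are lost when the pod is removed from the node.
        - name: isolated-runtime-keyfile-volume
          emptyDir: {}
  volumeClaimTemplates:
    - metadata:
        name: mongodb-storage
      spec:
        accessModes: ['ReadWriteOnce']
        storageClassName: mongodb-storage-class
        resources:
          requests:
            storage: 5Gi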
