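---
# gsc-shell-api: Deployment, Service and Ingress for the shell API.
# The container runs with the controls the "restricted" Pod Security
# Standard expects: non-root, no privilege escalation, read-only root
# filesystem, all capabilities dropped, RuntimeDefault seccomp.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gsc-shell-api
  namespace: gsc-shell
  labels:
    app.kubernetes.io/name: gsc-shell-api
    app.kubernetes.io/component: api
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: gsc-shell-api
  template:
    metadata:
      labels:
        app.kubernetes.io/name: gsc-shell-api
    spec:
      # NOTE(review): nothing in this manifest shows the API calling the
      # Kubernetes API; if it never does, add automountServiceAccountToken:
      # false here so the pod does not carry an unused service-account token.
      containers:
        - name: api
          image: registry.gosec.internal/gsc-shell-api:v0.1.3
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 8080
          env:
            - name: PORT
              value: "8080"
            # Canonical issuer; the issuer claim in validated tokens has to
            # match this hostname, not the in-cluster discovery host below.
            - name: KEYCLOAK_ISSUER
              value: "https://auth.gosec.cloud/realms/gosecCloud"
            # Discovery hits Keycloak via the in-cluster service (pods can't
            # reach public auth.gosec.cloud over TLS); the issuer claim still
            # has to match the canonical hostname above.
            # NOTE(review): this only stays safe if the API trusts the CA
            # behind the in-cluster certificate and still verifies the
            # keycloak.keycloak.svc.cluster.local name — confirm TLS
            # verification was not disabled to make the split work.
            - name: KEYCLOAK_DISCOVERY_URL
              value: "https://keycloak.keycloak.svc.cluster.local:8443/realms/gosecCloud"
            - name: CACHE_TTL_SECONDS
              value: "60"
            # Database credentials are sourced from a Secret, not the manifest.
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: gsc-shell-api-db
                  key: database-url
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8080
            initialDelaySeconds: 3
            periodSeconds: 10
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 250m
              memory: 256Mi
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            allowPrivilegeEscalation: false
            # NOTE(review): with a read-only root filesystem any scratch path
            # the process writes needs an emptyDir mount — confirm the image
            # needs none.
            readOnlyRootFilesystem: true
            capabilities:
              drop: [ALL]
            # Required by the "restricted" Pod Security Standard; the fields
            # above already satisfy every other restricted control, so without
            # this the pod is rejected in a namespace enforcing that level.
            seccompProfile:
              type: RuntimeDefault
      imagePullSecrets:
        - name: registry-credentials
      # Prefer spreading the two replicas across nodes.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: gsc-shell-api
                topologyKey: kubernetes.io/hostname
---
# Cluster-internal Service fronting the api container on port 8080.
apiVersion: v1
kind: Service
metadata:
  name: gsc-shell-api
  namespace: gsc-shell
  labels:
    app.kubernetes.io/name: gsc-shell-api
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: gsc-shell-api
  ports:
    - name: http
      port: 8080
      targetPort: 8080
---
# Ingress: TLS-only entry point; plain HTTP is redirected to HTTPS.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gsc-shell-api
  namespace: gsc-shell
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - shell-api.gosec.internal
      secretName: gsc-shell-api-tls
  rules:
    - host: shell-api.gosec.internal
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gsc-shell-api
                port:
                  number: 8080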