# booking — Nuxt 4 SSR public booking app on booking.dezky.eu. Fully public
# (no OIDC); only calls platform-api's /api/v1/public/* through its nitro proxy.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: booking
  namespace: dezky-apps
  labels:
    app.kubernetes.io/name: booking
    app.kubernetes.io/part-of: dezky
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: booking
  template:
    metadata:
      labels:
        app.kubernetes.io/name: booking
    spec:
      containers:
        - name: booking
          # CI pins this to the commit SHA at deploy time (kustomize edit set image
          # in .gitea/workflows/ci.yml); :latest here is the fallback.
          image: git.lastcloud.io/ronnibaslund/dezky/booking:latest
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 3000
          env:
            - name: HOST
              value: "0.0.0.0"
            - name: PORT
              value: "3000"
            - name: NUXT_PUBLIC_SITE_URL
              value: https://booking.dezky.eu
            - name: PLATFORM_API_INTERNAL_URL
              value: http://platform-api.dezky-apps.svc.cluster.local:3001
          # NUXT_PUBLIC_TURNSTILE_SITE_KEY is public but env-injected so the key
          # can rotate without a rebuild; lives in the Secret. See README.md.
          envFrom:
            - secretRef:
                name: booking-secrets
          resources:
            requests:
              cpu: 100m
              memory: 192Mi
            limits:
              memory: 512Mi
          readinessProbe:
            tcpSocket:
              port: http
            initialDelaySeconds: 10
            periodSeconds: 15
          livenessProbe:
            tcpSocket:
              port: http
            initialDelaySeconds: 30
            periodSeconds: 30
---
apiVersion: v1
kind: Service
metadata:
  name: booking
  namespace: dezky-apps
  labels:
    app.kubernetes.io/name: booking
spec:
  selector:
    app.kubernetes.io/name: booking
  ports:
    - name: http
      port: 3000
      targetPort: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: booking
  namespace: dezky-apps
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Serve on :80 too so the cert-manager ACME HTTP-01 solver can answer on
    # port 80; the redirect-https middleware bounces all other traffic to HTTPS.
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
    traefik.ingress.kubernetes.io/router.middlewares: dezky-apps-redirect-https@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - booking.dezky.eu
      secretName: booking-dezky-eu-tls
  rules:
    - host: booking.dezky.eu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: booking
                port:
                  number: 3000