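# portal — Nuxt 4 SSR customer portal on app.dezky.eu. Talks to platform-api
# over the cluster network via its nitro proxy (PLATFORM_API_INTERNAL_URL) and
# authenticates users through Authentik (OIDC).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: portal
  namespace: dezky-apps
  labels:
    app.kubernetes.io/name: portal
    app.kubernetes.io/part-of: dezky
spec:
  # Sessions live on the dezky-data Redis (server/plugins/session-storage.ts,
  # SESSION_REDIS_URL from the app secret) — safe to run multiple replicas.
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: portal
  template:
    metadata:
      labels:
        app.kubernetes.io/name: portal
    spec:
      # NOTE(review): nothing in this manifest shows the portal calling the
      # Kubernetes API. If that holds, set automountServiceAccountToken: false
      # here so a compromised SSR process has no API token to read — confirm.
      securityContext:
        # Pin the runtime's default seccomp filter explicitly instead of
        # depending on the kubelet/node default.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: portal
          # CI pins this to the commit SHA at deploy time (kustomize edit set
          # image in .gitea/workflows/ci.yml); :latest here is the fallback.
          # With IfNotPresent a node that already cached :latest does not
          # re-pull it, so an unpinned apply can run a stale build or different
          # builds on the two replicas. Treat a pod running :latest as a
          # deploy-pipeline failure rather than a normal state.
          image: git.lastcloud.io/ronnibaslund/dezky/portal:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            # The process only listens on 3000 and has no need to gain
            # privileges through setuid/setgid binaries.
            allowPrivilegeEscalation: false
            # NOTE(review): runAsNonRoot: true, readOnlyRootFilesystem: true
            # and capabilities.drop: ["ALL"] are the remaining hardening steps;
            # they depend on the image's USER and on where Nitro writes at
            # runtime, neither of which is visible here — confirm, then enable.
          ports:
            - name: http
              containerPort: 3000
          env:
            - name: HOST
              value: "0.0.0.0"
            - name: PORT
              value: "3000"
            - name: NUXT_PUBLIC_PORTAL_URL
              value: https://app.dezky.eu
            - name: NUXT_PUBLIC_BOOKING_URL
              value: https://booking.dezky.eu
            # Cluster-internal address of platform-api for the nitro proxy.
            # Plain HTTP: confidentiality of proxied API traffic rests on
            # in-cluster network isolation. NOTE(review): confirm a
            # NetworkPolicy restricts who can reach platform-api:3001.
            - name: PLATFORM_API_INTERNAL_URL
              value: http://platform-api.dezky-apps.svc.cluster.local:3001
            - name: NUXT_API_BASE
              value: http://platform-api.dezky-apps.svc.cluster.local:3001
          # OIDC client id/secret + Authentik public URL come from the Secret.
          # envFrom exports every key of portal-secrets into the process
          # environment, so keep that Secret limited to what the portal needs.
          envFrom:
            - secretRef:
                name: portal-secrets
          resources:
            requests:
              cpu: 100m
              memory: 192Mi
            limits:
              memory: 512Mi
          readinessProbe:
            tcpSocket:
              port: http
            initialDelaySeconds: 10
            periodSeconds: 15
          livenessProbe:
            tcpSocket:
              port: http
            initialDelaySeconds: 30
            periodSeconds: 30
---
apiVersion: v1
kind: Service
metadata:
  name: portal
  namespace: dezky-apps
  labels:
    app.kubernetes.io/name: portal
spec:
  selector:
    app.kubernetes.io/name: portal
  ports:
    - name: http
      port: 3000
      targetPort: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: portal
  namespace: dezky-apps
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Serve on :80 too so the cert-manager ACME HTTP-01 solver can answer on
    # port 80; the redirect-https middleware bounces all other traffic to HTTPS.
    # The middleware is referenced by name only and is defined outside this
    # file; the HTTPS-only guarantee for :80 depends on it existing in
    # dezky-apps.
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
    traefik.ingress.kubernetes.io/router.middlewares: dezky-apps-redirect-https@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - app.dezky.eu
      secretName: app-dezky-eu-tls
  rules:
    - host: app.dezky.eu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: portal
                port:
                  number: 3000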