# platform-api — NestJS control plane (tenants, partners, users, scheduling,
# provisioning). Internal-only Service on :3001 plus a public Ingress for
# api.dezky.eu (consumed by booking's nitro proxy and the Stalwart webhook).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: platform-api
  namespace: dezky-apps
  labels:
    app.kubernetes.io/name: platform-api
    app.kubernetes.io/part-of: dezky
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: platform-api
  template:
    metadata:
      labels:
        app.kubernetes.io/name: platform-api
      annotations:
        # Bump to force a rolling restart when only the ConfigMap changed —
        # pods read it as env, which is only resolved at container start.
        dezky.eu/config-rev: "4"
    spec:
      containers:
        - name: platform-api
          # CI pins this to the commit SHA at deploy time (kustomize edit set image
          # in .gitea/workflows/ci.yml); :latest here is the fallback.
          image: git.lastcloud.io/ronnibaslund/dezky/platform-api:latest
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 3001
          env:
            - name: PORT
              value: "3001"
            - name: DEZKY_ENV
              value: production
          # Non-secret config (Stalwart URL, feature toggles, etc.) comes from a
          # ConfigMap; secrets (Mongo URI, credential key, Stalwart password,
          # webhook secret) come from the Secret. See README.md.
          envFrom:
            - configMapRef:
                name: platform-api-config
            - secretRef:
                name: platform-api-secrets
          resources:
            requests:
              cpu: 100m
              memory: 192Mi
            limits:
              memory: 512Mi
          readinessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 10
            periodSeconds: 15
          livenessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 30
            periodSeconds: 30
---
apiVersion: v1
kind: Service
metadata:
  name: platform-api
  namespace: dezky-apps
  labels:
    app.kubernetes.io/name: platform-api
spec:
  selector:
    app.kubernetes.io/name: platform-api
  ports:
    - name: http
      port: 3001
      targetPort: http
---
# Public ingress for api.dezky.eu. TLS via cert-manager (HTTP-01) + Traefik.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: platform-api
  namespace: dezky-apps
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - api.dezky.eu
      secretName: api-dezky-eu-tls
  rules:
    - host: api.dezky.eu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: platform-api
                port:
                  number: 3001