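# Deployment for the API component: a single "api" container serving HTTP on
# port 8000. Non-secret settings come from the chart's "-config" ConfigMap and
# secret values from the chart's "-secrets" Secret.
#
# The manifest is laid out one key per line. When it is collapsed onto long
# lines, each inline "#" comment swallows every key that follows it on that
# line, and the result no longer parses as the intended mapping.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "the-other-dude.fullname" . }}-api
  labels:
    {{- include "the-other-dude.apiLabels" . | nindent 4 }}
spec:
  replicas: {{ .Values.api.replicaCount }}
  selector:
    matchLabels:
      {{- include "the-other-dude.apiSelectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "the-other-dude.apiSelectorLabels" . | nindent 8 }}
    spec:
      # Pod-level identity: refuse to start as root and run as a fixed
      # unprivileged UID/GID. The image must be usable by UID 1001.
      # NOTE(review): no seccompProfile is set; the restricted Pod Security
      # Standard expects type RuntimeDefault (or Localhost). Confirm the API
      # runs under the runtime default profile before adding it.
      # NOTE(review): automountServiceAccountToken is not set, so the default
      # service-account token is mounted. Disable it if the API never calls
      # the Kubernetes API (to be confirmed).
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        runAsGroup: 1001
      containers:
        - name: api
          # NOTE(review): a tag can be re-pointed at different content; a
          # digest reference pins it. Verify how .Values.api.image.tag is set
          # for releases.
          image: "{{ .Values.api.image.repository }}:{{ .Values.api.image.tag }}"
          # Quoted so an empty or boolean-looking value still renders as a
          # string.
          imagePullPolicy: {{ .Values.api.image.pullPolicy | quote }}
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
          # Load non-sensitive config from ConfigMap
          envFrom:
            - configMapRef:
                name: {{ include "the-other-dude.fullname" . }}-config
          # Load secrets as individual environment variables.
          # Values injected this way are readable by anything that can read
          # the process environment and are inherited by child processes;
          # file-mounted secrets are the alternative where the app supports
          # them.
          env:
            - name: JWT_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ include "the-other-dude.fullname" . }}-secrets
                  key: JWT_SECRET_KEY
            - name: CREDENTIAL_ENCRYPTION_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ include "the-other-dude.fullname" . }}-secrets
                  key: CREDENTIAL_ENCRYPTION_KEY
            - name: FIRST_ADMIN_EMAIL
              valueFrom:
                secretKeyRef:
                  name: {{ include "the-other-dude.fullname" . }}-secrets
                  key: FIRST_ADMIN_EMAIL
            # NOTE(review): presumably a bootstrap credential. It stays in the
            # pod environment for the pod's lifetime; confirm it is rotated
            # after the first login.
            - name: FIRST_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "the-other-dude.fullname" . }}-secrets
                  key: FIRST_ADMIN_PASSWORD
          # Both probes use the named "http" port declared above; paths and
          # timings come from .Values.api.probes.
          livenessProbe:
            httpGet:
              path: {{ .Values.api.probes.liveness.path | quote }}
              port: http
            initialDelaySeconds: {{ .Values.api.probes.liveness.initialDelaySeconds }}
            periodSeconds: {{ .Values.api.probes.liveness.periodSeconds }}
            failureThreshold: {{ .Values.api.probes.liveness.failureThreshold }}
          readinessProbe:
            httpGet:
              path: {{ .Values.api.probes.readiness.path | quote }}
              port: http
            initialDelaySeconds: {{ .Values.api.probes.readiness.initialDelaySeconds }}
            periodSeconds: {{ .Values.api.probes.readiness.periodSeconds }}
            failureThreshold: {{ .Values.api.probes.readiness.failureThreshold }}
          resources:
            {{- toYaml .Values.api.resources | nindent 12 }}
          # Container hardening: no privilege escalation and every Linux
          # capability dropped. The root filesystem is left writable.
          # NOTE(review): if the API only writes to a few known paths, set
          # readOnlyRootFilesystem to true and mount emptyDir volumes for
          # those paths. Confirm against the application first.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: false
            capabilities:
              drop:
                - ALL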