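# Deployment for the Backstage backend: a single `backstage` container, rolled
# out with zero unavailable replicas. Runtime credentials are read from the
# `backstage-secrets` Secret and the app config is mounted from the
# `backstage-config` ConfigMap. Both names are fixed here, not derived from the
# release name, so whatever creates those objects must use the same names.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "backstage.fullname" . }}
  # Fall back to the release namespace so an unset override does not render a
  # bare `namespace:` (null); quoted so an all-digit name stays a string.
  namespace: {{ .Values.namespaceOverride | default .Release.Namespace | quote }}
  labels:
    {{- include "backstage.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      {{- include "backstage.selectorLabels" . | nindent 6 }}
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # Bring one new pod up before taking any old pod down.
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      labels:
        {{- include "backstage.selectorLabels" . | nindent 8 }}
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ .Values.service.targetPort }}"
        prometheus.io/path: "/metrics"
    spec:
      serviceAccountName: {{ include "backstage.serviceAccountName" . }}
      # NOTE(review): the service account token is mounted into the pod. Keep
      # this only if the backend calls the Kubernetes API; if it does, the
      # service account's RBAC should be scoped to what it reads. Otherwise
      # set this to false so a compromised container holds no API credential.
      automountServiceAccountToken: true
      securityContext:
        fsGroup: 1000
        runAsUser: 1000
        runAsNonRoot: true
        # Apply the container runtime's default syscall filter.
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: backstage
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        # Container-level hardening: the pod-level context above sets the
        # user and group only, not privilege escalation or capabilities.
        # readOnlyRootFilesystem is not set here because it cannot be
        # confirmed from this template that the app never writes to its
        # root filesystem -- TODO confirm and enable if possible.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
        ports:
        - name: http
          containerPort: {{ .Values.service.targetPort }}
          protocol: TCP
        env:
        - name: NODE_ENV
          value: "production"
        # Database credentials from secret
        - name: POSTGRES_HOST
          valueFrom:
            secretKeyRef:
              name: backstage-secrets
              key: POSTGRES_HOST
        - name: POSTGRES_PORT
          valueFrom:
            secretKeyRef:
              name: backstage-secrets
              key: POSTGRES_PORT
        - name: POSTGRES_USER
          valueFrom:
            secretKeyRef:
              name: backstage-secrets
              key: POSTGRES_USER
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: backstage-secrets
              key: POSTGRES_PASSWORD
        # OAuth credentials
        - name: AUTH_GOOGLE_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: backstage-secrets
              key: AUTH_GOOGLE_CLIENT_ID
        - name: AUTH_GOOGLE_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: backstage-secrets
              key: AUTH_GOOGLE_CLIENT_SECRET
        # Backend secret
        - name: BACKEND_SECRET
          valueFrom:
            secretKeyRef:
              name: backstage-secrets
              key: BACKEND_SECRET
        # ArgoCD integration
        - name: ARGOCD_AUTH_TOKEN
          valueFrom:
            secretKeyRef:
              name: backstage-secrets
              key: ARGOCD_AUTH_TOKEN
        # Argo Workflows integration
        - name: ARGO_WORKFLOWS_TOKEN
          valueFrom:
            secretKeyRef:
              name: backstage-secrets
              key: ARGO_WORKFLOWS_TOKEN
        # Gitea integration
        - name: GITEA_USERNAME
          valueFrom:
            secretKeyRef:
              name: backstage-secrets
              key: GITEA_USERNAME
        - name: GITEA_PASSWORD
          valueFrom:
            secretKeyRef:
              name: backstage-secrets
              key: GITEA_PASSWORD
        volumeMounts:
        # Mounted with subPath, so edits to the ConfigMap are not propagated
        # to a running pod; a restart is needed to pick up new config.
        - name: config
          mountPath: /app/app-config.production.yaml
          subPath: app-config.production.yaml
          readOnly: true
        command:
        - node
        - packages/backend
        - --config
        - app-config.production.yaml
        {{- with .Values.livenessProbe }}
        livenessProbe:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        {{- with .Values.readinessProbe }}
        readinessProbe:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        resources:
          {{- toYaml .Values.resources | nindent 10 }}
      volumes:
      - name: config
        configMap:
          name: backstage-config
      restartPolicy: Always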