apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "timetracker.fullname" . }}-backend
  labels:
    {{- include "timetracker.backend.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.backend.replicaCount }}
  selector:
    matchLabels:
      {{- include "timetracker.backend.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "timetracker.backend.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "timetracker.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: backend
          image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }}"
          imagePullPolicy: {{ .Values.backend.image.pullPolicy }}
          env:
            - name: NODE_ENV
              value: {{ .Values.backend.env.nodeEnv | quote }}
            - name: PORT
              value: {{ .Values.backend.env.port | quote }}
            - name: PG_USERNAME
              {{- if .Values.postgresql.auth.existingSecret }}
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.postgresql.auth.existingSecret }}
                  key: username
              {{- else }}
              value: {{ .Values.postgresql.auth.username | quote }}
              {{- end }}
            - name: PG_PASSWORD
              {{- if .Values.postgresql.auth.existingSecret }}
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.postgresql.auth.existingSecret }}
                  key: password
              {{- else }}
              value: {{ .Values.postgresql.auth.password | quote }}
              {{- end }}
            - name: DATABASE_URL
              value: "postgresql://$(PG_USERNAME):$(PG_PASSWORD)@{{ .Values.postgresql.host }}:{{ .Values.postgresql.port }}/{{ .Values.postgresql.database }}"
            - name: OIDC_ISSUER_URL
              value: {{ .Values.backend.oidc.issuerUrl | quote }}
            - name: OIDC_CLIENT_ID
              value: {{ .Values.backend.oidc.clientId | quote }}
            - name: OIDC_REDIRECT_URI
              value: {{ (index .Values.ingress.hosts 0).host | printf "https://%s/api/auth/callback" | quote }}
            - name: OIDC_IOS_REDIRECT_URI
              value: {{ .Values.backend.oidc.iosRedirectUri | quote }}
            - name: SESSION_SECRET
              value: {{ .Values.backend.session.secret | quote }}
            - name: JWT_SECRET
              value: {{ .Values.backend.jwt.secret | quote }}
            - name: APP_URL
              value: {{ (index .Values.ingress.hosts 0).host | printf "https://%s" | quote }}
          ports:
            - name: http
              containerPort: 3001
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 5
            periodSeconds: 5
          resources:
            {{- toYaml .Values.backend.resources | nindent 12 }}