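---
# Deployment for the snauw-counter web component: two replicas of one
# container serving HTTP on port 5000, rolled out without dropping capacity.
#
# ${REGISTRY}, ${IMAGE_NAME} and ${IMAGE_TAG:-latest} are placeholders that
# are presumably expanded by an envsubst-style step before `kubectl apply`.
# The expanded text is parsed as YAML afterwards, so every templated scalar
# is quoted. NOTE(review): confirm the substitution tool understands the
# `:-default` form; not every envsubst implementation does.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: snauw-counter
  namespace: snauw-counter
  labels:
    app.kubernetes.io/name: snauw-counter
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: snauw-counter
    # Quoted: label values must be strings, and a numeric-looking tag
    # (for example 1.10 or an all-digit build id) would otherwise be retyped.
    app.kubernetes.io/version: "${IMAGE_TAG:-latest}"
spec:
  # NOTE(review): both replicas mount the same sqlite-data claim. The claim's
  # access mode is not visible here; confirm it allows multiple pods and that
  # concurrent SQLite writers on that storage are safe.
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # One extra pod is started first; no old pod is removed until it is ready.
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app.kubernetes.io/name: snauw-counter
      app.kubernetes.io/component: web
  template:
    metadata:
      labels:
        app.kubernetes.io/name: snauw-counter
        app.kubernetes.io/component: web
        app.kubernetes.io/part-of: snauw-counter
        app.kubernetes.io/version: "${IMAGE_TAG:-latest}"
      annotations:
        # Metrics are scraped from the same port that serves the application.
        # NOTE(review): check that /metrics is not reachable through whatever
        # Service or Ingress exposes port 5000.
        prometheus.io/scrape: "true"
        prometheus.io/port: "5000"
        prometheus.io/path: "/metrics"
    spec:
      # NOTE(review): automountServiceAccountToken is not set, so the default
      # service-account token is mounted. Disable it if the app never talks
      # to the Kubernetes API.
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        fsGroup: 1001
        # Apply the container runtime's default syscall filter instead of
        # running unconfined.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: snauw-counter
          # NOTE(review): the fallback tag "latest" is mutable, so replicas
          # started at different times can run different builds. Prefer an
          # immutable tag or an image digest for deployments.
          image: "${REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG:-latest}"
          ports:
            - containerPort: 5000
              name: http
              protocol: TCP
          env:
            - name: FLASK_ENV
              valueFrom:
                configMapKeyRef:
                  name: snauw-counter-config
                  key: FLASK_ENV
            # NOTE(review): read from a ConfigMap; if this URL ever carries
            # credentials it belongs in the Secret instead.
            - name: DATABASE_URL
              valueFrom:
                configMapKeyRef:
                  name: snauw-counter-config
                  key: DATABASE_URL
            # NOTE(review): the same Secret is also mounted read-only at
            # /etc/secrets. Environment variables are inherited by child
            # processes and tend to surface in diagnostics; if the app can
            # read the key from the file, drop this variable.
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: snauw-counter-secrets
                  key: secret-key
            - name: PROMETHEUS_MULTIPROC_DIR
              valueFrom:
                configMapKeyRef:
                  name: snauw-counter-config
                  key: PROMETHEUS_MULTIPROC_DIR
          volumeMounts:
            - name: secrets
              mountPath: /etc/secrets
              readOnly: true
            - name: tmp
              mountPath: /tmp
            - name: sqlite-data
              mountPath: /app/data
          resources:
            requests:
              memory: "128Mi"
              cpu: "100m"
            limits:
              memory: "256Mi"
              cpu: "200m"
          # Liveness and readiness both poll /health on the named http port;
          # readiness starts sooner and polls more often.
          livenessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 30
            periodSeconds: 30
            timeoutSeconds: 10
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          securityContext:
            allowPrivilegeEscalation: false
            # NOTE(review): left writable as in the original. /tmp and
            # /app/data are already separate writable mounts, so this can
            # likely become true once it is confirmed that the app (including
            # PROMETHEUS_MULTIPROC_DIR) writes nowhere else.
            readOnlyRootFilesystem: false
            capabilities:
              drop:
                - ALL
      volumes:
        - name: secrets
          secret:
            secretName: snauw-counter-secrets
            # Decimal 256 == octal 0400 (owner read-only). The bare literal
            # 0400 is octal only under YAML 1.1; a YAML 1.2 parser reads it as
            # decimal 400, which is a different, wider mode.
            # NOTE(review): with fsGroup set the kubelet may add group-read;
            # verify the effective mode inside a running pod.
            defaultMode: 256
        - name: tmp
          emptyDir: {}
        - name: sqlite-data
          persistentVolumeClaim:
            claimName: snauw-counter-sqlite-pvc
      imagePullSecrets:
        - name: ghcr-secret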