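# services/comms/guest-register-deployment.yaml
#
# Deployment for matrix-guest-register: one replica that runs server.py
# (mounted from the matrix-guest-register ConfigMap) on a stock Python image.
# The Vault agent annotations render the MAS admin client secret to a file,
# and the container is pointed at that file via MAS_ADMIN_CLIENT_SECRET_FILE.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: matrix-guest-register
  labels:
    app.kubernetes.io/name: matrix-guest-register
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: matrix-guest-register
  template:
    metadata:
      annotations:
        # Any change to this value changes the pod template and rolls the pod.
        # Presumably bumped by hand when the ConfigMap changes - confirm.
        checksum/config: guest-register-proxy-5
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "comms"
        # Rendered by the injected agent as /vault/secrets/mas-admin-secret.
        vault.hashicorp.com/agent-inject-secret-mas-admin-secret: "kv/data/atlas/comms/mas-admin-client-runtime"
        # The template emits only the client_secret field, with whitespace trimmed.
        vault.hashicorp.com/agent-inject-template-mas-admin-secret: |
          {{- with secret "kv/data/atlas/comms/mas-admin-client-runtime" -}}{{ .Data.data.client_secret }}{{- end -}}
      labels:
        app.kubernetes.io/name: matrix-guest-register
    spec:
      # Identity the pod runs as; presumably what the Vault role "comms" is
      # bound to for Kubernetes auth - confirm against the Vault configuration.
      serviceAccountName: comms-vault
      # NOTE(review): these entries write fixed IPs into /etc/hosts, bypassing
      # cluster DNS for the listed names. If they are Service ClusterIPs and a
      # Service is recreated, the names keep resolving to the old address, and
      # this pod talks to the MAS admin API at that address over plain HTTP.
      # Confirm why DNS is not used and keep the IPs in sync with the Services.
      hostAliases:
        - ip: "10.43.36.27"
          hostnames:
            - "matrix-authentication-service"
            - "matrix-authentication-service.comms.svc.cluster.local"
        - ip: "10.43.216.45"
          hostnames:
            - "othrys-synapse-matrix-synapse"
            - "othrys-synapse-matrix-synapse.comms.svc.cluster.local"
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        runAsGroup: 10001
        # Added: apply the runtime's default syscall filter. Pod-level, so it
        # covers every container in the pod unless one overrides it. Together
        # with the non-root, no-escalation and drop-ALL settings this aligns the
        # pod with the Pod Security "restricted" profile.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: guest-register
          # NOTE(review): the tag is mutable and IfNotPresent reuses whatever a
          # node has cached, so nodes can run different image contents. Pin by
          # digest, e.g. python:3.11-slim@sha256:<digest-placeholder>.
          image: python:3.11-slim
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            # NOTE(review): consider readOnlyRootFilesystem: true once it is
            # confirmed that server.py (not visible here) writes nothing to disk.
          env:
            - name: PYTHONDONTWRITEBYTECODE
              value: "1"
            - name: PYTHONUNBUFFERED
              value: "1"
            - name: PORT
              value: "8080"
            # NOTE(review): all three upstream URLs below are plain http://.
            # Whatever credentials server.py sends to them depend on cluster
            # network controls (NetworkPolicy, mesh mTLS) for confidentiality.
            - name: MAS_BASE
              value: "http://matrix-authentication-service:8080"
            # Identifier only; the matching secret is read from the file below.
            - name: MAS_ADMIN_CLIENT_ID
              value: "01KDXMVQBQ5JNY6SEJPZW6Z8BM"
            # Path written by the Vault agent; keeps the secret out of the pod
            # spec and out of the process environment.
            - name: MAS_ADMIN_CLIENT_SECRET_FILE
              value: "/vault/secrets/mas-admin-secret"
            - name: MAS_ADMIN_API_BASE
              value: "http://matrix-authentication-service:8081/api/admin/v1"
            - name: SYNAPSE_BASE
              value: "http://othrys-synapse-matrix-synapse:8008"
            - name: MATRIX_SERVER_NAME
              value: "live.bstein.dev"
            # Presumably a limit of RATE_MAX requests per RATE_WINDOW_SEC
            # seconds; the exact semantics live in server.py - confirm.
            - name: RATE_WINDOW_SEC
              value: "60"
            - name: RATE_MAX
              value: "30"
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 2
            periodSeconds: 10
            timeoutSeconds: 2
          livenessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 10
            periodSeconds: 20
            timeoutSeconds: 2
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 250m
              memory: 256Mi
          volumeMounts:
            # subPath mounts do not pick up later ConfigMap updates; the pod has
            # to be restarted to load a new server.py.
            - name: app
              mountPath: /app/server.py
              subPath: server.py
              readOnly: true
          command:
            - python
            - /app/server.py
      volumes:
        - name: app
          configMap:
            name: matrix-guest-register
            items:
              - key: server.py
                path: server.py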