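# services/maintenance/metis-deployment.yaml
#
# Deployment for the "metis" service in the maintenance namespace.
# Secrets are rendered by the Vault Agent injector into /vault/secrets/*.sh
# and sourced by the container entrypoint before `metis serve` starts.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metis
  namespace: maintenance
spec:
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: metis
  template:
    metadata:
      labels:
        app: metis
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
        metis.bstein.dev/config-rev: "2026-04-05-03"
        vault.hashicorp.com/agent-inject: "true"
        # Pre-populate only: secrets are rendered once by the init container
        # and no agent sidecar runs, so a rotated secret is only picked up
        # when the pod is restarted.
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/role: "maintenance"
        vault.hashicorp.com/agent-inject-secret-metis-ssh-env.sh: "kv/data/atlas/maintenance/metis-ssh-keys"
        vault.hashicorp.com/agent-inject-secret-metis-runtime-env.sh: "kv/data/atlas/maintenance/metis-runtime"
        # NOTE(review): this path is outside atlas/maintenance/ and the
        # template below reads harbor_admin_password from it. Confirm the
        # "maintenance" Vault policy is meant to reach it, and prefer a
        # narrowly scoped Harbor credential over the admin password.
        vault.hashicorp.com/agent-inject-secret-metis-harbor-env.sh: "kv/data/atlas/harbor/harbor-core"
        # The rendered files are sourced by /bin/sh, so every value is
        # emitted inside single quotes with embedded single quotes rewritten
        # to '\''. With double quotes, a value containing ", $, ` or \ would
        # be expanded or mis-parsed by the shell when the file is sourced.
        vault.hashicorp.com/agent-inject-template-metis-ssh-env.sh: |
          {{ with secret "kv/data/atlas/maintenance/metis-ssh-keys" }}
          export METIS_SSH_KEY_BASTION='{{ .Data.data.bastion_pub | replaceAll "'" "'\\''" }}'
          export METIS_SSH_KEY_BRAD='{{ .Data.data.brad_pub | replaceAll "'" "'\\''" }}'
          export METIS_SSH_KEY_HECATE_TETHYS='{{ .Data.data.hecate_tethys_pub | replaceAll "'" "'\\''" }}'
          export METIS_SSH_KEY_HECATE_DB='{{ .Data.data.hecate_db_pub | replaceAll "'" "'\\''" }}'
          {{ end }}
        vault.hashicorp.com/agent-inject-template-metis-runtime-env.sh: |
          {{ with secret "kv/data/atlas/maintenance/metis-runtime" }}
          export METIS_K3S_TOKEN='{{ .Data.data.k3s_token | replaceAll "'" "'\\''" }}'
          {{ end }}
        vault.hashicorp.com/agent-inject-template-metis-harbor-env.sh: |
          {{ with secret "kv/data/atlas/harbor/harbor-core" }}
          export METIS_HARBOR_PASSWORD='{{ .Data.data.harbor_admin_password | replaceAll "'" "'\\''" }}'
          {{ end }}
    spec:
      serviceAccountName: metis
      terminationGracePeriodSeconds: 30
      # All three selectors must match, which pins the pod to host titan-22.
      nodeSelector:
        kubernetes.io/hostname: titan-22
        kubernetes.io/arch: amd64
        node-role.kubernetes.io/accelerator: "true"
      # NOTE(review): no pod- or container-level securityContext is set, so
      # the container runs with the image and runtime defaults. Consider
      # runAsNonRoot, allowPrivilegeEscalation: false, dropped capabilities
      # and a seccompProfile once the workload's requirements are confirmed.
      containers:
        - name: metis
          # NOTE(review): the image is referenced by tag with
          # imagePullPolicy: Always, so the running content follows whatever
          # the registry serves for that tag. Pinning by digest
          # (image@sha256:<digest>) makes the deployed image immutable.
          image: registry.bstein.dev/bstein/metis:0.1.0-9-amd64
          imagePullPolicy: Always
          command: ["/bin/sh", "-c"]
          # Source the Vault-rendered env files, then exec the server so it
          # replaces the shell. `set -e` aborts startup if a file fails to
          # source. The exported secrets live in the process environment of
          # `metis serve`.
          args:
            - |
              set -e
              . /vault/secrets/metis-runtime-env.sh
              . /vault/secrets/metis-harbor-env.sh
              . /vault/secrets/metis-ssh-env.sh
              exec metis serve
          envFrom:
            - configMapRef:
                name: metis
          ports:
            - name: http
              containerPort: 8080
          livenessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 2
          readinessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 2
          volumeMounts:
            - name: metis-data
              mountPath: /var/lib/metis
          resources:
            requests:
              cpu: 250m
              memory: 512Mi
            limits:
              cpu: "2"
              memory: 4Gi
      volumes:
        - name: metis-data
          persistentVolumeClaim:
            claimName: metis-data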