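# services/jitsi/launcher-deployment.yaml
#
# Deployment for the Jitsi launcher: a Python app whose code is mounted from
# the jitsi-launcher ConfigMap into the uvicorn-gunicorn-fastapi image.
# The JWT_* settings below suggest it mints Jitsi JWTs for users authenticated
# against JWT_ISSUER; the application code itself is not part of this manifest.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jitsi-launcher
  namespace: jitsi
spec:
  replicas: 1
  selector:
    matchLabels:
      app: jitsi-launcher
  template:
    metadata:
      labels:
        app: jitsi-launcher
    spec:
      serviceAccountName: jitsi
      # Both selectors must match, so the pod can only schedule on titan-22.
      nodeSelector:
        kubernetes.io/hostname: titan-22
        kubernetes.io/arch: amd64
      containers:
        - name: launcher
          # Mutable tag plus IfNotPresent: the node keeps whatever image it
          # pulled first and upstream can move the tag. Pin by digest
          # (image: ...@sha256:<digest-of-reviewed-image>) for a reproducible,
          # reviewable rollout.
          image: docker.io/tiangolo/uvicorn-gunicorn-fastapi:python3.11-slim
          imagePullPolicy: IfNotPresent
          # Low-risk hardening for a service that signs tokens: forbid gaining
          # privileges via setuid/file capabilities and apply the runtime's
          # default seccomp filter.
          # NOTE(review): runAsNonRoot, dropped capabilities and a read-only
          # root filesystem are not set here because the container listens on
          # port 80 and this manifest does not show which user the image runs
          # as; confirm both before tightening further.
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          env:
            # Path to the signing secret inside the read-only CSI mount below;
            # the secret is delivered as a file, not as an env value.
            - name: JWT_SECRET_FILE
              value: "/var/lib/jitsi-jwt/jwt"
            - name: JWT_ISSUER
              value: "https://sso.bstein.dev/realms/atlas"
            - name: JWT_AUDIENCE
              value: "jitsi"
            - name: JWT_APP_ID
              value: "jitsi"
            - name: PUBLIC_URL
              value: "https://meet.bstein.dev"
            # Empty value: any authenticated user may mint a token.
            # Set a comma-separated list of groups to restrict who can mint.
            - name: ALLOWED_GROUPS
              value: ""
            # Presumably the lifetime of minted tokens in seconds (10 minutes);
            # verify against the app code in the ConfigMap.
            - name: JWT_TTL_SECONDS
              value: "600"
          ports:
            - name: http
              containerPort: 80
          volumeMounts:
            # subPath mounts are not refreshed when the ConfigMap changes;
            # restart the pod to pick up a new app.py.
            - name: app
              mountPath: /app/main.py
              subPath: app.py
            - name: jwt
              mountPath: /var/lib/jitsi-jwt
              readOnly: true
          readinessProbe:
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 5
            periodSeconds: 10
      volumes:
        - name: app
          configMap:
            name: jitsi-launcher
            # Octal 0444: read-only for owner, group and others. This field is
            # an integer, so it must not be quoted.
            defaultMode: 0444
        - name: jwt
          # Signing secret is projected by the Secrets Store CSI driver from
          # the jitsi-jwt SecretProviderClass.
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: jitsi-jwt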