{{- if .Values.backend.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tower-backend
  labels:
    {{- include "tower.labels" . | nindent 4 }}
    odoosky.io/role: backend
spec:
  replicas: {{ .Values.backend.replicas }}
  selector:
    matchLabels:
      app.kubernetes.io/name: tower
      odoosky.io/role: backend
  template:
    metadata:
      labels:
        {{- include "tower.labels" . | nindent 8 }}
        odoosky.io/role: backend
    spec:
      serviceAccountName: tower
      containers:
        - name: tower
          image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }}"
          imagePullPolicy: {{ .Values.backend.image.pullPolicy }}
          ports:
            - name: http
              containerPort: 8080
          env:
            - name: TOWER_LISTEN_ADDR
              value: ":8080"
            - name: TOWER_GITEA_URL
              value: {{ .Values.config.giteaURL | quote }}
            - name: TOWER_GITEA_ORG
              value: {{ .Values.config.giteaOrg | quote }}
            - name: TOWER_CHART_REPO
              value: {{ .Values.config.chartRepo | quote }}
            - name: TOWER_ARGOCD_URL
              value: {{ .Values.config.argoCDURL | quote }}
            - name: TOWER_ARGOCD_USERNAME
              value: {{ .Values.config.argoCDUsername | quote }}
            - name: TOWER_ARGOCD_DESTINATION
              value: {{ .Values.config.argoCDDestination | quote }}
            - name: TOWER_ARGOCD_PROJECT
              value: {{ .Values.config.argoCDProject | quote }}
            - name: TOWER_ARGOCD_NAMESPACE
              value: {{ .Values.config.argoCDNamespace | quote }}
            - name: TOWER_TENANT_NAMESPACE
              value: {{ .Values.config.tenantNamespace | quote }}
            - name: TOWER_GITEA_TOKEN
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.existingSecret }}
                  key: GITEA_TOKEN
            - name: TOWER_ARGOCD_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.existingSecret }}
                  key: ARGOCD_PASSWORD
            # Cloudflare creds for per-tenant DNS automation. Optional —
            # if absent, deploys to the in-cluster destination still
            # work (wildcard A handles them); deploys to non-default
            # servers fail fast with a clear error.
            - name: TOWER_CLOUDFLARE_TOKEN
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.existingSecret }}
                  key: CLOUDFLARE_TOKEN
                  optional: true
            - name: TOWER_CLOUDFLARE_ZONE_ID
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.existingSecret }}
                  key: CLOUDFLARE_ZONE_ID
                  optional: true
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 2
            periodSeconds: 5
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 15
          resources:
            {{- toYaml .Values.backend.resources | nindent 12 }}
{{- end }}