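# Deployment for the cms-plugins workload: one pod, one container, with its
# state directory on a volume and its secrets loaded from a Secret.
# Helm evaluates template actions even inside YAML comments, so comments
# in this file refer to values by path only.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "cms-plugins.fullname" . }}
  # Quoted so an all-digit namespace is not parsed as a number.
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "cms-plugins.labels" . | nindent 4 }}
spec:
  # SQLite is single-writer; do not scale beyond 1.
  replicas: 1
  # Recreate stops the old pod before the new one starts, so an upgrade
  # never has two pods attached to the state volume at once.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      {{- include "cms-plugins.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "cms-plugins.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/version: {{ .Values.image.tag | quote }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      # Pod-level securityContext is rendered only when
      # .Values.podSecurityContext is set; when it is empty the pod runs
      # with the cluster and runtime defaults.
      # NOTE(review): confirm the chart's values set runAsNonRoot and a
      # seccompProfile here.
      {{- with .Values.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: cms-plugins
          # When `image.digest` is provided, pin by digest so a floating
          # tag (staging, production) doesn't confuse Helm into a no-op
          # upgrade when the underlying image changes. Tag stays as a
          # human-readable hint via the imagePullPolicy fallback path.
          # The tag is also rendered above as the pod's
          # app.kubernetes.io/version label. A digest reference fixes the
          # exact image content, whatever the tag points to later.
          image: "{{ .Values.image.repository }}{{- if .Values.image.digest -}}@{{ .Values.image.digest }}{{- else -}}:{{ .Values.image.tag }}{{- end }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          # Container-level securityContext is likewise rendered only when
          # .Values.containerSecurityContext is set.
          # NOTE(review): confirm the values set allowPrivilegeEscalation:
          # false, readOnlyRootFilesystem and capabilities.drop.
          {{- with .Values.containerSecurityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          ports:
            - name: http
              containerPort: {{ .Values.service.port }}
          env:
            # Entries from .Values.env are written in plain text into the
            # Deployment manifest, so credentials belong in the Secret
            # referenced by envFrom below. Names are quoted so a key such
            # as NO or ON is not parsed as a boolean.
            {{- range $key, $val := .Values.env }}
            - name: {{ $key | quote }}
              value: {{ $val | quote }}
            {{- end }}
            # EMDASH_SITE_URL gates the CSRF check on plugin POST routes.
            # Astro inside the pod sees http://localhost:4321/, so without
            # this any browser request from https://<ingress host>/ trips
            # the same-origin check. Derived from the ingress host so we
            # don't need to set it per-environment.
            # The scheme is fixed to https.
            # NOTE(review): confirm the ingress always serves TLS, or the
            # derived origin will not match the browser's.
            # If .Values.env also defines EMDASH_SITE_URL, the list holds
            # two entries with that name and this one comes last.
            {{- if and .Values.ingress.enabled .Values.ingress.host }}
            - name: EMDASH_SITE_URL
              value: "https://{{ .Values.ingress.host }}"
            {{- end }}
          # Secret name is .Values.existingSecret when set, otherwise
          # "<fullname>-secrets". An env entry above with the same key
          # takes precedence over a key loaded from this Secret.
          envFrom:
            - secretRef:
                name: {{ .Values.existingSecret | default (printf "%s-secrets" (include "cms-plugins.fullname" .)) }}
          volumeMounts:
            - name: state
              mountPath: {{ .Values.persistence.mountPath | quote }}
          livenessProbe:
            httpGet:
              path: {{ .Values.probes.liveness.path | quote }}
              port: http
            initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
            periodSeconds: {{ .Values.probes.liveness.periodSeconds }}
            timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }}
          readinessProbe:
            httpGet:
              path: {{ .Values.probes.readiness.path | quote }}
              port: http
            initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }}
            periodSeconds: {{ .Values.probes.readiness.periodSeconds }}
            timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
      volumes:
        - name: state
          # With persistence disabled the state volume is an emptyDir, so
          # its contents are lost when the pod is deleted or rescheduled.
          # Presumably this is where the SQLite database lives; confirm
          # before disabling persistence outside throwaway environments.
          {{- if .Values.persistence.enabled }}
          persistentVolumeClaim:
            claimName: {{ include "cms-plugins.fullname" . }}-state
          {{- else }}
          emptyDir: {}
          {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}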