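---
# Manifests for the lomavuokraus web stack: app config, Varnish VCL, a
# monitoring ServiceAccount with RBAC, the Deployment (Varnish sidecar in
# front of the app), Service, Traefik redirect middleware and Ingress.
# The placeholder tokens are assumed to be substituted textually before
# apply (envsubst-style) - confirm against the deploy pipeline.
#
# Non-secret settings, injected into the app container via envFrom.
# Values are quoted because ConfigMap data must be strings: a rendered value
# such as 1.10 or true would otherwise parse as a number/boolean and be
# rejected. ConfigMaps are not confidential; credentials belong in the
# Secret that the Deployment references.
apiVersion: v1
kind: ConfigMap
metadata:
  name: lomavuokraus-web-config
  namespace: "${K8S_NAMESPACE}"
data:
  NEXT_PUBLIC_SITE_URL: "${NEXT_PUBLIC_SITE_URL}"
  NEXT_PUBLIC_API_BASE: "${NEXT_PUBLIC_API_BASE}"
  APP_ENV: "${APP_ENV}"
  NEXT_PUBLIC_VERSION: "${APP_VERSION}"
---
# VCL for the Varnish sidecar, mounted at /etc/varnish/default.vcl.
# Policy: pass everything except the image API and static assets.
apiVersion: v1
kind: ConfigMap
metadata:
  name: lomavuokraus-web-varnish
  namespace: "${K8S_NAMESPACE}"
data:
  default.vcl: |
    vcl 4.1;

    backend app {
      .host = "127.0.0.1";
      .port = "3000";
    }

    sub vcl_recv {
      if (req.method != "GET" && req.method != "HEAD") {
        return (pass);
      }
      # Never cache health
      if (req.url ~ "^/api/health") {
        return (pass);
      }
      # Cache image API responses
      # NOTE(review): returning (hash) here skips the builtin vcl_recv,
      # which is what normally passes requests carrying Cookie or
      # Authorization. Confirm /api/images/ only serves public,
      # non-personalised content; otherwise one user's response is served
      # to everyone for the cache lifetime.
      if (req.url ~ "^/api/images/") {
        return (hash);
      }
      # Cache static assets
      if (req.url ~ "^/_next/static" ||
          req.url ~ "^/favicon" ||
          req.url ~ "^/robots.txt" ||
          req.url ~ "^/sitemap") {
        return (hash);
      }
      return (pass);
    }

    sub vcl_backend_response {
      # Apply the long-lived overrides to successful responses only, so a
      # transient backend error or redirect is not pinned in the cache (and
      # in browsers, via "immutable") for hours.
      if (beresp.status == 200) {
        # Default TTL
        set beresp.ttl = 1h;
        # These branches replace whatever Cache-Control the backend sent.
        if (bereq.url ~ "^/api/images/") {
          set beresp.ttl = 24h;
          set beresp.http.Cache-Control = "public, max-age=86400, immutable";
        } else if (bereq.url ~ "^/_next/static") {
          set beresp.ttl = 7d;
          set beresp.http.Cache-Control = "public, max-age=604800, immutable";
        }
      }
    }

    sub vcl_deliver {
      if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
      } else {
        set resp.http.X-Cache = "MISS";
      }
    }
---
# Identity the web pods run as (serviceAccountName in the Deployment).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: lomavuokraus-monitor
  namespace: "${K8S_NAMESPACE}"
---
# Read-only access to nodes, pods and pod status across the whole cluster.
# NOTE(review): this role is bound to the ServiceAccount used by the web
# pods that the Ingress exposes, and the token is mounted into both
# containers by default. Confirm the app needs cluster-wide visibility. If
# it only needs its own namespace, a namespaced Role/RoleBinding for pods is
# the tighter grant (nodes are cluster-scoped and would still need a
# ClusterRole).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: lomavuokraus-monitor
rules:
  - apiGroups: [""]
    resources: ["nodes", "pods", "pods/status"]
    verbs: ["get", "list", "watch"]
---
# Grants the ClusterRole above to this namespace's ServiceAccount. The
# binding name carries the namespace so several deployments can coexist.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: lomavuokraus-monitor-${K8S_NAMESPACE}
subjects:
  - kind: ServiceAccount
    name: lomavuokraus-monitor
    namespace: "${K8S_NAMESPACE}"
roleRef:
  kind: ClusterRole
  name: lomavuokraus-monitor
  apiGroup: rbac.authorization.k8s.io
---
# Web pod: Varnish listens on 8080 and proxies to the app on 127.0.0.1:3000.
# NOTE(review): no securityContext is set on either container; consider
# runAsNonRoot, allowPrivilegeEscalation: false and readOnlyRootFilesystem
# once the images are confirmed to support them.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: lomavuokraus-web
  namespace: "${K8S_NAMESPACE}"
  labels:
    app: lomavuokraus-web
spec:
  # Intentionally unquoted: replicas must render as an integer.
  replicas: ${APP_REPLICAS}
  selector:
    matchLabels:
      app: lomavuokraus-web
  template:
    metadata:
      labels:
        app: lomavuokraus-web
    spec:
      serviceAccountName: lomavuokraus-monitor
      imagePullSecrets:
        - name: registry-halla
      containers:
        - name: varnish
          image: varnish:7.5
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
              name: http
          # Cache storage is kept well below the 256Mi memory limit. The
          # malloc size covers object storage only and Varnish needs
          # headroom on top, so the previous malloc,256m could get the
          # container OOM-killed once the cache filled.
          args:
            - "-a"
            - ":8080"
            - "-f"
            - "/etc/varnish/default.vcl"
            - "-s"
            - "malloc,128m"
          volumeMounts:
            - name: varnish-vcl
              mountPath: /etc/varnish/default.vcl
              subPath: default.vcl
          # Both probes go through Varnish to the app's /api/health, which
          # the VCL always passes, so they reflect app health.
          # NOTE(review): a hung app makes the kubelet restart this
          # container, not the app container, which has no probes of its
          # own.
          livenessProbe:
            httpGet:
              path: /api/health
              port: http
            initialDelaySeconds: 10
            periodSeconds: 15
          readinessProbe:
            httpGet:
              path: /api/health
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            requests:
              cpu: "50m"
              memory: "128Mi"
            limits:
              cpu: "200m"
              memory: "256Mi"
        - name: lomavuokraus-web
          image: "${K8S_IMAGE}"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
              name: app
          # Environment = non-secret ConfigMap values plus the Secret.
          envFrom:
            - configMapRef:
                name: lomavuokraus-web-config
            - secretRef:
                name: lomavuokraus-web-secrets
          resources:
            requests:
              cpu: "100m"
              memory: "256Mi"
            limits:
              cpu: "500m"
              memory: "512Mi"
      volumes:
        - name: varnish-vcl
          configMap:
            name: lomavuokraus-web-varnish
---
# Cluster-internal Service. targetPort "http" is the Varnish container's
# named port, so traffic enters through the cache and never reaches the app
# port directly.
apiVersion: v1
kind: Service
metadata:
  name: lomavuokraus-web
  namespace: "${K8S_NAMESPACE}"
  labels:
    app: lomavuokraus-web
spec:
  selector:
    app: lomavuokraus-web
  ports:
    - name: http
      port: 80
      targetPort: http
  type: ClusterIP
---
# Traefik middleware: permanent redirect from http to https.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: https-redirect
  namespace: "${K8S_NAMESPACE}"
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
# Public entry point: both hosts route to the same Service and share one
# TLS secret. The cert-manager annotation names the issuer for it.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: lomavuokraus-web
  namespace: "${K8S_NAMESPACE}"
  annotations:
    cert-manager.io/cluster-issuer: "${CLUSTER_ISSUER}"
    # NOTE(review): this annotation is deprecated in favour of
    # spec.ingressClassName, which is also set below. The two values must
    # stay identical for as long as both are present.
    kubernetes.io/ingress.class: "${INGRESS_CLASS}"
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
    traefik.ingress.kubernetes.io/router.middlewares: "${K8S_NAMESPACE}-https-redirect@kubernetescrd"
spec:
  ingressClassName: "${INGRESS_CLASS}"
  tls:
    - hosts:
        - "${APP_HOST}"
        - "${API_HOST}"
      secretName: lomavuokraus-web-tls
  rules:
    - host: "${APP_HOST}"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: lomavuokraus-web
                port:
                  number: 80
    - host: "${API_HOST}"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: lomavuokraus-web
                port:
                  number: 80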