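# Deployment for the telegram-gateway chart: a single container running
# `serve`, configured from a mounted ConfigMap plus a Secret that is pulled in
# through envFrom. Avoid template delimiters in these comments: YAML comments
# are still evaluated by the template engine.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "telegram-gateway.fullname" . }}
  # Quoted so that an all-digit or boolean-looking namespace still renders as
  # a string.
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "telegram-gateway.labels" . | nindent 4 }}
spec:
  revisionHistoryLimit: 3
  # Leave replicas unset when autoscaling is enabled, so that an upgrade does
  # not reset the replica count.
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "telegram-gateway.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      annotations:
        # Hash of the rendered ConfigMap: a config change alters the pod
        # template and triggers a rollout. The Secret used by envFrom below
        # is not covered by this checksum.
        checksum/bots-config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
        {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      labels:
        {{- include "telegram-gateway.labels" . | nindent 8 }}
        {{- with .Values.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "telegram-gateway.serviceAccountName" . }}
      # Pod- and container-level hardening comes entirely from values; an
      # empty value renders an empty securityContext.
      # NOTE(review): the /tmp emptyDir and read-only config mount below
      # suggest a read-only root filesystem is intended; confirm that the
      # chart defaults set it, along with runAsNonRoot and dropped
      # capabilities.
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          args: ["serve", "--config", "/etc/telegram-gateway/bots.yaml", "--addr", ":{{ .Values.service.port }}"]
          env:
            - name: LISTEN_ADDR
              value: ":{{ .Values.service.port }}"
            - name: CONFIG_PATH
              value: /etc/telegram-gateway/bots.yaml
            # Auth layer: see factory/docs/adr/20260509-telegram-gateway-auth.md.
            # AUTH_SECRET and ALLOWED_USERS are supplied through the envFrom
            # secretRef below.
            # REDIS_URL is rendered in clear text into the pod spec, so it is
            # readable by anyone who can read Deployments or Pods in the
            # namespace.
            # NOTE(review): if auth.redisURL can embed a password, move it
            # into the Secret instead.
            - name: REDIS_URL
              value: {{ .Values.auth.redisURL | quote }}
            - name: AUTH_SESSION_TTL
              value: {{ .Values.auth.sessionTTL | quote }}
          # Every key of the referenced Secret becomes an environment
          # variable of the container. The Secret is referenced by name only,
          # so changing AUTH_SECRET or ALLOWED_USERS does not alter the pod
          # template; the pods need a rollout restart to pick up a rotation.
          envFrom:
            - secretRef:
                # Quoted, like the other templated strings in this file, so
                # that a numeric-looking name is not rendered as a non-string.
                name: {{ .Values.secret.name | quote }}
          ports:
            - name: http
              containerPort: {{ .Values.service.port }}
              protocol: TCP
          livenessProbe:
            {{- toYaml .Values.livenessProbe | nindent 12 }}
          readinessProbe:
            {{- toYaml .Values.readinessProbe | nindent 12 }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
            # Bot configuration, mounted read-only from the ConfigMap.
            - name: bots-config
              mountPath: /etc/telegram-gateway
              readOnly: true
            # Writable scratch space.
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: bots-config
          configMap:
            name: {{ include "telegram-gateway.fullname" . }}-bots
        # No sizeLimit is set, so /tmp usage is bounded only by whatever
        # ephemeral-storage limit the resources values may define.
        - name: tmp
          emptyDir: {}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}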