# rdev-logs-agent DaemonSet
#
# Collects stdout/stderr from rdev and projects namespace pods and ships them
# to the rdev Citadel environment (tenant bf874fbf-6150-4aa9-b7bc-db531791bde1).
#
# The Citadel Helm chart's DaemonSet uses a single static tenant ID (k3s infra).
# This dedicated agent uses namespace-filtered glob patterns to route only
# rdev/projects container logs to the correct tenant:
#
#   /var/log/containers/<pod>_<namespace>_<container>-<id>.log
#
# Glob patterns *_rdev_* and *_projects_* match exactly those namespaces.
#
# CITADEL_API_KEY is read from the existing rdev-credentials secret.
# Tenant ID and Citadel URL are hardcoded — update if rdev environment is recreated.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: rdev-logs-agent
  namespace: rdev
  labels:
    app.kubernetes.io/name: rdev-logs-agent
    app.kubernetes.io/part-of: rdev
spec:
  selector:
    matchLabels:
      app: rdev-logs-agent
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: rdev-logs-agent
        app.kubernetes.io/name: rdev-logs-agent
        app.kubernetes.io/part-of: rdev
    spec:
      serviceAccountName: rdev-api
      imagePullSecrets:
        - name: ghcr-secret
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst

      containers:
        - name: agent
          image: gcr.io/orchard9/citadel-agent:v0.4.7
          imagePullPolicy: IfNotPresent

          command:
            - citadel-agent
          args:
            - tail
            - --tenant
            - "bf874fbf-6150-4aa9-b7bc-db531791bde1"
            - --http
            - --http-url
            - "http://citadel-community.citadel.svc.cluster.local"
            - --insecure
            - --admin-port
            - "9191"
            # Namespace-filtered globs: only rdev and projects namespace container logs
            # Filename pattern: <pod>_<namespace>_<container>-<id>.log
            - "/var/log/containers/*_rdev_*.log"
            - "/var/log/containers/*_projects_*.log"

          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: CITADEL_API_KEY
              valueFrom:
                secretKeyRef:
                  name: rdev-credentials
                  key: CITADEL_API_KEY

          ports:
            - name: admin
              containerPort: 9191
              protocol: TCP

          livenessProbe:
            httpGet:
              path: /health
              port: admin
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 3

          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 200m
              memory: 128Mi

          volumeMounts:
            - name: varlog
              mountPath: /var/log
              readOnly: true
            - name: tmp
              mountPath: /tmp

          securityContext:
            runAsNonRoot: false
            runAsUser: 0
            readOnlyRootFilesystem: false
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL

      volumes:
        - name: varlog
          hostPath:
            path: /var/log
            type: Directory
        - name: tmp
          emptyDir: {}