# FieldWitness Kubernetes Deployment

## Architecture

```
Field Devices (Tier 1)
(Bootable USB + laptop)
        |
        | LAN / sneakernet
        v
┌───────────────────────┐
│ Org Server (Tier 2)   │  <-- server-deployment.yaml
│ Full web UI + stego   │
│ + attestation + fed   │
│ Newsroom mini PC      │
└───────────┬───────────┘
            |
            | gossip / federation API
            v
┌───────────────────────┐
│ Fed Relay (Tier 3)    │  <-- relay-deployment.yaml
│ Attestation API only  │
│ VPS (Iceland, CH)     │
│ Zero key knowledge    │
└───────────────────────┘
```

## Quick Start

```bash
# Build images
docker build -t fieldwitness-server --target server -f deploy/docker/Dockerfile .
docker build -t fieldwitness-relay --target relay -f deploy/docker/Dockerfile .

# Deploy to Kubernetes
kubectl apply -f deploy/kubernetes/namespace.yaml
kubectl apply -f deploy/kubernetes/server-deployment.yaml
kubectl apply -f deploy/kubernetes/relay-deployment.yaml
```

## Notes

- **Single writer**: Both deployments use `replicas: 1` with the `Recreate` strategy. FieldWitness uses SQLite and append-only binary logs that require single-writer access. Do not scale horizontally.
- **PVCs**: Both deployments require persistent volumes. The server needs 10Gi, the relay needs 5Gi. Adjust based on expected attestation volume.
- **Security**: The relay stores only attestation records (image hashes + signatures). It never sees encryption keys, plaintext messages, or original images. If the relay is seized, the attacker gets cryptographic hashes — nothing actionable.
- **Ingress**: Not included. Configure your own ingress controller with TLS termination. The federation API should be TLS-encrypted in transit.
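The single-writer and PVC notes above, shown as a manifest: this is an added illustration of what a relay deployment with those properties looks like, not the project's own `relay-deployment.yaml`. The namespace `fieldwitness`, container port `8443`, mount path `/data` and the UID/GID values are assumptions.

```yaml
# Added example: relay Deployment + PVC honouring the single-writer rule.
# Not the project's relay-deployment.yaml; namespace, port, mount path and IDs are assumed.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: fieldwitness-relay-data
  namespace: fieldwitness            # assumed; use whatever namespace.yaml creates
spec:
  accessModes: ["ReadWriteOnce"]     # one node mounts it read-write, matching SQLite / append-only logs
  resources:
    requests:
      storage: 5Gi                   # relay sizing from the Notes
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fieldwitness-relay
  namespace: fieldwitness
spec:
  replicas: 1                        # never scale horizontally: single writer
  strategy:
    type: Recreate                   # the default RollingUpdate would start a second pod
                                     # while the first still holds the volume; Recreate stops
                                     # the old pod first, so two writers never overlap
  selector:
    matchLabels: {app: fieldwitness-relay}
  template:
    metadata:
      labels: {app: fieldwitness-relay}
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001             # assumed UID baked into the image
        fsGroup: 10001               # lets the non-root process write the PVC
      containers:
        - name: relay
          image: fieldwitness-relay  # built by the Quick Start docker command
          ports:
            - containerPort: 8443    # assumed; expose via your own TLS-terminating ingress
          securityContext:
            allowPrivilegeEscalation: false
            capabilities: {drop: ["ALL"]}
          volumeMounts:
            - name: data
              mountPath: /data       # assumed location of the attestation store
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: fieldwitness-relay-data
```

The server deployment follows the same pattern with a 10Gi claim; check a live cluster with `kubectl -n fieldwitness get deploy fieldwitness-relay -o jsonpath='{.spec.replicas}{" "}{.spec.strategy.type}'`, which should print `1 Recreate`.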