# SooSeF Federation Relay — Lightweight attestation sync relay.
# Deploy on a VPS in a favorable jurisdiction for geographic redundancy.
# Stores only attestation records — zero knowledge of encryption keys.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: soosef-relay
  namespace: soosef
  labels:
    app.kubernetes.io/name: soosef
    app.kubernetes.io/component: relay
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: soosef
      app.kubernetes.io/component: relay
  template:
    metadata:
      labels:
        app.kubernetes.io/name: soosef
        app.kubernetes.io/component: relay
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
        - name: relay
          image: soosef-relay:latest
          ports:
            - containerPort: 8000
              name: federation
          env:
            - name: SOOSEF_DATA_DIR
              value: /data
          volumeMounts:
            - name: data
              mountPath: /data
          resources:
            requests:
              memory: "256Mi"
              cpu: "100m"
            limits:
              memory: "1Gi"
              cpu: "1000m"
          livenessProbe:
            httpGet:
              path: /health
              port: 8000
            initialDelaySeconds: 10
            periodSeconds: 30
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: relay-data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: relay-data
  namespace: soosef
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: Service
metadata:
  name: soosef-relay
  namespace: soosef
spec:
  selector:
    app.kubernetes.io/name: soosef
    app.kubernetes.io/component: relay
  ports:
    - name: federation
      port: 8000
      targetPort: 8000
  type: ClusterIP