# payments-api-deployment.yaml
#
# The "workload with a secret" stand-in for the cloudtaser.io/demo-lab
# interactive demo. Deployed by Ansible onto the GKE confidential-compute
# node when the demo-lab VMs provision; scenario step 1 shows it running.
#
# It is NOT a real payments API. It is a busybox `httpd` listening on
# :5678 with one static page, chosen because:
#
#   - Every eBPF-blocked probe (ptrace, /proc/<pid>/mem, /proc/<pid>/environ)
#     needs a shell to exec into. busybox provides `sh`; distroless images
#     like hashicorp/http-echo do not -- the demo's earlier choice broke
#     every probe with "exec: sh: executable file not found in $PATH".
#
#   - The pod represents a generic "workload with a DB_PASSWORD secret"
#     scenario. Rename the Deployment + annotation env-map and the same
#     demo narrative applies to any pod that wants a credential fetched
#     into process memory instead of into a K8s Secret.
#
# The annotations that turn CloudTaser injection on for the demo
# workload are applied at scenario step 5, not here. The canonical
# annotation reference now lives in postgres-annotations.yaml — the
# four cloudtaser.io/* keys it uses are workload-agnostic.
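apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api
  namespace: demo-app
  labels:
    app: payments-api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: payments-api
  template:
    metadata:
      labels:
        app: payments-api
    spec:
      # NOTE(review): the PSS "restricted" profile also expects
      # seccompProfile.type: RuntimeDefault here. It is deliberately not set
      # in this edit -- confirm the runtime's default seccomp profile does not
      # pre-empt the eBPF-enforced probes (ptrace, /proc/<pid>/mem) before
      # turning it on, otherwise the demo would attribute the block to the
      # wrong layer.
      # NOTE(review): automountServiceAccountToken is left at its default
      # because the injection wrapper applied at step 5 may authenticate to
      # OpenBao with the pod's SA token -- confirm, and set it to false if
      # the token is unused.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
      containers:
        - name: payments-api
          # Tag-pinned only. Pin by digest (busybox@sha256:<DIGEST>) if the
          # lab must be bit-for-bit reproducible across provisioning runs.
          image: busybox:1.37
          command: [sh, -c]
          args:
            - |
              # Read $DB_PASSWORD and publish its length + a truncated
              # SHA-256 prefix to a landing page so a probe can PROVE
              # the secret landed without leaking the value.
              #
              # Pre-inject (step 1..5):   DB_PASSWORD is unset ->
              #   len=0, sha=e3b0c44298fc (empty-string SHA).
              # Post-inject (step 6):     wrapper populated $DB_PASSWORD
              #   into the process env -> len=<N>, sha=<first 12 hex>.
              # Matches the value in OpenBao so viewers can cross-check.
              #
              # Caveat for anyone reusing this pattern outside the demo: the
              # page is served unauthenticated, and an unsalted SHA-256 prefix
              # plus the exact length lets anyone who can reach :5678 check
              # password guesses offline. Acceptable for a throwaway demo
              # credential; a real service should publish nothing derived
              # from the secret (at most a keyed HMAC under a per-deploy key).
              #
              # A refreshing loop keeps /tmp/index.html in sync with the
              # current env (wrapper mutates env via prctl; we re-read
              # on each tick). The `app_sees_secret` probe curls :5678
              # and greps for 'len=' (positive path).
              write_page() {
                LEN="${#DB_PASSWORD}"
                SHA=$(printf %s "${DB_PASSWORD:-}" | sha256sum | cut -c1-12)
                # Write to a scratch file and rename it into place so httpd
                # never serves a truncated or empty page between the `>`
                # truncation and the echo; rename within one tmpfs is atomic,
                # which keeps the 'len=' grep from flaking on a 2s tick.
                echo "payments-api demo -- DB_PASSWORD len=${LEN} sha256-prefix=${SHA}..." > /tmp/index.html.tmp
                mv /tmp/index.html.tmp /tmp/index.html
              }
              write_page
              # Background refresher; it is reparented to httpd after the exec
              # below and dies with the container.
              (while true; do sleep 2; write_page; done) &
              # -f keeps httpd in the foreground as PID 1; -h /tmp is the only
              # writable path under readOnlyRootFilesystem.
              exec busybox httpd -f -p 5678 -h /tmp
          ports:
            - containerPort: 5678
          readinessProbe:
            httpGet:
              path: /
              port: 5678
            initialDelaySeconds: 2
            periodSeconds: 5
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          # Memory-backed so the page (and the scratch file) never touch node
          # disk; 4Mi is ample for a one-line index.html plus its temp copy.
          emptyDir:
            medium: Memory
            sizeLimit: 4Mi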
