# BasicStack Web — Kubernetes Deployment

## Prerequisites

- Docker + buildx
- kubectl with access to the basicstack cluster
- Container registry (e.g., GitHub Container Registry, Docker Hub)

## Build & Push Image

```bash
export REGISTRY=ghcr.io/basicstack     # or your registry
export TAG=$(git rev-parse --short HEAD)

# Build multi-arch or single-arch
docker build -t $REGISTRY/basicstack-web:$TAG -f ../Dockerfile ..

# Push
docker push $REGISTRY/basicstack-web:$TAG
```

## Update Deployment Image

Edit `20-deployment.yaml` and set the image:

```yaml
image: ghcr.io/basicstack/basicstack-web:abc1234
```

Or use `kubectl set image`:

```bash
kubectl set image deployment/basicstack-web basicstack-web=$REGISTRY/basicstack-web:$TAG \
  -n basicstack-web
```

## Apply Manifests

```bash
# Initial deploy
kubectl apply -f k8s/00-namespace.yaml
kubectl apply -f k8s/10-configmap.yaml
kubectl apply -f k8s/20-deployment.yaml
kubectl apply -f k8s/30-ingress.yaml

# Wait for rollout
kubectl rollout status deployment/basicstack-web -n basicstack-web
```

## Verify

```bash
# Check pods
kubectl get pods -n basicstack-web

# Check ingress
kubectl get ingress -n basicstack-web

# Test endpoint
curl -I https://basicstack.org
```

## TLS

cert-manager automatically provisions a TLS certificate for `basicstack.org` and `www.basicstack.org` using the `letsencrypt-prod` ClusterIssuer. The certificate is stored in the `basicstack-org-tls` secret.

DNS for `basicstack.org` must point to the cluster's ingress IP before cert-manager can complete the ACME challenge.

## Environment Variables

| Variable | Default | Description |
|---|---|---|
| `DIRECTUS_URL` | `https://directus.basicstack.de` | Directus CMS endpoint |
| `SITE_URL` | `https://basicstack.org` | Public site URL (for sitemap) |
| `NODE_ENV` | `production` | Node environment |

Change these in `10-configmap.yaml`.