apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# No namespace: transformer — kubectl --context=prod is configured with 'ai'
# as its default namespace, so all resources without an explicit namespace
# land in 'ai' automatically.

resources:
  # Base: init.yaml, sandbox namespace, RBAC, admission-policy, sandbox-quotas,
  #       network-policies, gateway.yaml, web.yaml, ingress.yaml, gateway-ingress.yaml
  - ../base
  # Add the 'ai' namespace (base only creates 'sandbox')
  - namespaces.yaml
  # Prod infrastructure (postgres, minio, kafka, flink, relay, ingestor, qdrant, dragonfly, iceberg)
  - infrastructure.yaml
  # gateway-config ConfigMap is intentionally excluded from kustomize.
  # It contains an op:// reference for the DB password. Apply via:
  #   bin/config-update prod gateway-config

patches:
  - path: patch-gateway-rbac-subject.yaml
  - path: patch-web.yaml
  - path: patch-gateway-ingress.yaml

configMapGenerator:
  - name: relay-config
    files:
      - config.yaml=configs/relay-config.yaml
  - name: ingestor-config
    files:
      - config.yaml=configs/ingestor-config.yaml
  - name: flink-config
    files:
      - config.yaml=configs/flink-config.yaml

# Secrets managed via bin/secret-update prod (op inject | kubectl apply)
secretGenerator: []

generatorOptions:
  disableNameSuffixHash: true

images:
  - name: dexorder/ai-gateway
    newName: git.dxod.org/dexorder/dexorder/ai-gateway
    newTag: latest
  - name: ghcr.io/dexorder/gateway
    newName: git.dxod.org/dexorder/dexorder/ai-gateway
    newTag: latest
  - name: dexorder/ai-web
    newName: git.dxod.org/dexorder/dexorder/ai-web
    newTag: latest
  - name: dexorder/ai-flink
    newName: git.dxod.org/dexorder/dexorder/ai-flink
    newTag: latest
  - name: dexorder/ai-relay
    newName: git.dxod.org/dexorder/dexorder/ai-relay
    newTag: latest
  - name: dexorder/ai-ingestor
    newName: git.dxod.org/dexorder/dexorder/ai-ingestor
    newTag: latest