deploy priority-pass app to cluster via private registry

- SvelteKit frontend + FastAPI backend in single pod with sidecar pattern
- Images pushed to 10.0.20.10:5050 private registry (v4/v1)
- SvelteKit server route proxies /api/transform to backend on 127.0.0.1:8000
- Exposed at priority-pass.viktorbarzin.me (Cloudflare-proxied, no auth)
- Uses imagePullSecrets for authenticated registry pulls

stacks/priority-pass/main.tf

@@ -0,0 +1,123 @@
+variable "tls_secret_name" {
+  type      = string
+  sensitive = true
+}
+
+resource "kubernetes_namespace" "priority-pass" {
+  metadata {
+    name = "priority-pass"
+    labels = {
+      "istio-injection" = "disabled"
+      tier              = local.tiers.aux
+    }
+  }
+}
+
+module "tls_secret" {
+  source          = "../../modules/kubernetes/setup_tls_secret"
+  namespace       = "priority-pass"
+  tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_deployment" "priority-pass" {
+  metadata {
+    name      = "priority-pass"
+    namespace = "priority-pass"
+    labels = {
+      run  = "priority-pass"
+      tier = local.tiers.aux
+    }
+  }
+  spec {
+    replicas = 1
+    selector {
+      match_labels = {
+        run = "priority-pass"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          run = "priority-pass"
+        }
+      }
+      spec {
+        image_pull_secrets {
+          name = "registry-credentials"
+        }
+        container {
+          name  = "frontend"
+          image = "10.0.20.10:5050/priority-pass-frontend:v4"
+          port {
+            container_port = 3000
+          }
+          env {
+            name  = "BACKEND_URL"
+            value = "http://127.0.0.1:8000"
+          }
+          env {
+            name  = "ORIGIN"
+            value = "https://priority-pass.viktorbarzin.me"
+          }
+          resources {
+            limits = {
+              memory = "128Mi"
+            }
+            requests = {
+              cpu    = "10m"
+              memory = "128Mi"
+            }
+          }
+        }
+        container {
+          name  = "backend"
+          image = "10.0.20.10:5050/priority-pass-backend:v1"
+          port {
+            container_port = 8000
+          }
+          resources {
+            limits = {
+              memory = "256Mi"
+            }
+            requests = {
+              cpu    = "10m"
+              memory = "256Mi"
+            }
+          }
+        }
+      }
+    }
+  }
+  lifecycle {
+    ignore_changes = [spec[0].template[0].spec[0].dns_config]
+  }
+}
+
+resource "kubernetes_service" "priority-pass" {
+  metadata {
+    name      = "priority-pass"
+    namespace = "priority-pass"
+    labels = {
+      run = "priority-pass"
+    }
+  }
+  spec {
+    selector = {
+      run = "priority-pass"
+    }
+    port {
+      name        = "http"
+      port        = 80
+      target_port = 3000
+    }
+  }
+}
+
+module "ingress" {
+  source          = "../../modules/kubernetes/ingress_factory"
+  namespace       = "priority-pass"
+  name            = "priority-pass"
+  tls_secret_name = var.tls_secret_name
+  protected       = false
+  max_body_size   = "10m"
+}

stacks/priority-pass/terragrunt.hcl

@@ -0,0 +1 @@
+../../terragrunt.hcl

stacks/priority-pass/tiers.tf

@@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}