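---
# HSMSecret: asks the HSM secrets operator to publish the certificate and key
# held in the HSM as a Kubernetes Secret that the Ingress below can reference.
apiVersion: hsm.j5t.io/v1alpha1
kind: HSMSecret
metadata:
  name: webapp-tls-cert
  namespace: default
  labels:
    app: webapp
    type: tls-certificate
  annotations:
    hsm.j5t.io/description: "TLS certificate and key for webapp.example.com"
spec:
  # HSM path is automatically set to the metadata.name (webapp-tls-cert)

  # ParentRef identifies which operator instance should handle this HSMSecret
  parentRef:
    name: controller-manager
    namespace: hsm-secrets-operator-system

  # Name of the TLS Secret to create (optional, defaults to metadata.name)
  secretName: "webapp-tls"

  # Enable automatic sync
  autoSync: true

  # Check for certificate updates every hour
  syncInterval: 3600

  # Create a TLS secret type.
  # NOTE(review): a kubernetes.io/tls Secret carries tls.key as well as
  # tls.crt, so the private key is copied out of the HSM into the cluster's
  # Secret store. Limit get/list/watch on Secrets in this namespace to the
  # ingress controller and the operator, and enable encryption at rest for
  # Secrets on the API server.
  secretType: kubernetes.io/tls
---
# Example Ingress using the TLS secret
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webapp-ingress
  namespace: default
  annotations:
    # The cert-manager.io/cluster-issuer annotation is intentionally absent.
    # With it, cert-manager's ingress-shim creates a Certificate that writes
    # its own key pair into tls[].secretName, which would compete with the
    # HSM operator for ownership of webapp-tls and replace the HSM-sourced
    # key with a software-generated one.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - webapp.example.com
      # Use the HSM-backed TLS secret; must match spec.secretName of the
      # HSMSecret above and live in the same namespace as this Ingress.
      secretName: webapp-tls
  rules:
    - host: webapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: webapp-service
                port:
                  number: 80
---
# Example service for the webapp
apiVersion: v1
kind: Service
metadata:
  name: webapp-service
  namespace: default
spec:
  selector:
    app: webapp
  ports:
    # TLS terminates at the Ingress; traffic to the pods on 8080 is plain
    # HTTP inside the cluster.
    - port: 80
      targetPort: 8080
      name: http
  type: ClusterIP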