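# Complete HSM Secrets Operator Setup Example
# This file demonstrates a full deployment with all components.
#
# Document order matters for a sequential `kubectl apply -f`: each Namespace
# is created before the namespaced objects that live in it.
---
# Namespace for the operator
apiVersion: v1
kind: Namespace
metadata:
  name: hsm-secrets-operator-system
  labels:
    control-plane: controller-manager
    app.kubernetes.io/name: hsm-secrets-operator
    app.kubernetes.io/version: v1.0.0
---
# Production Namespace (must exist before the HSMSecrets below are applied)
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    environment: production
    hsm.j5t.io/enabled: "true"
---
# HSM Device Configuration
apiVersion: hsm.j5t.io/v1alpha1
kind: HSMDevice
metadata:
  name: production-hsm
  namespace: hsm-secrets-operator-system
  labels:
    environment: production
    device-type: pico-hsm
spec:
  deviceType: PicoHSM
  # Discovery configuration: USB ids are quoted so hex strings stay strings
  discovery:
    usb:
      vendorId: "20a0"
      productId: "4230"
  # PKCS#11 configuration
  pkcs11:
    libraryPath: "/usr/lib/opensc-pkcs11.so"
    slotId: 0
    # The PIN is read from a Secret in the operator namespace, never inlined here
    pinSecret:
      name: "production-hsm-pin"
      key: "pin"
    tokenLabel: "PicoHSM"
  # Only nodes carrying this label are considered to host the device
  nodeSelector:
    hsm.j5t.io/enabled: "true"
  maxDevices: 2
---
# Production Database Secret
apiVersion: hsm.j5t.io/v1alpha1
kind: HSMSecret
metadata:
  name: production-database
  namespace: production
  labels:
    app: webapp
    type: database
    criticality: high
spec:
  # HSM path is automatically set to the metadata.name (production-database)
  parentRef:
    name: controller-manager
    namespace: hsm-secrets-operator-system
  secretName: "webapp-database-credentials"
  autoSync: true
  syncInterval: 600  # 10 minutes
  secretType: Opaque
---
# TLS Certificate Secret
apiVersion: hsm.j5t.io/v1alpha1
kind: HSMSecret
metadata:
  name: webapp-tls
  namespace: production
  labels:
    app: webapp
    type: tls
spec:
  # HSM path is automatically set to the metadata.name (webapp-tls)
  parentRef:
    name: controller-manager
    namespace: hsm-secrets-operator-system
  secretName: "webapp-tls-cert"
  autoSync: true
  syncInterval: 3600  # 1 hour
  secretType: kubernetes.io/tls
---
# Dedicated ServiceAccount for the web application, so that the RBAC grant
# below is not inherited by every pod that runs under the `default` account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: webapp
  namespace: production
  labels:
    app: webapp
---
# Web Application Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
  namespace: production
  labels:
    app: webapp
    version: v1.0.0
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 1
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
        version: v1.0.0
    spec:
      serviceAccountName: webapp
      # Pod anti-affinity for high availability
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - webapp
                topologyKey: kubernetes.io/hostname
      containers:
        - name: webapp
          # Placeholder image for the example; the /health and /ready probe
          # paths and port 8080 are expectations of the real application.
          # Prefer pinning by digest in a production manifest.
          image: nginx:1.21-alpine
          ports:
            - containerPort: 8080
              name: http
          # Use HSM-backed secrets
          env:
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: webapp-database-credentials
                  key: database_url
            - name: DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: webapp-database-credentials
                  key: username
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: webapp-database-credentials
                  key: password
          # Mount TLS certificate
          volumeMounts:
            - name: tls-certs
              mountPath: /etc/ssl/certs/webapp
              readOnly: true
          # Health checks
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 3
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      volumes:
        - name: tls-certs
          secret:
            secretName: webapp-tls-cert
      securityContext:
        fsGroup: 2000
        # Restrict the syscall surface of every container in the pod
        seccompProfile:
          type: RuntimeDefault
---
# Service for the web application
apiVersion: v1
kind: Service
metadata:
  name: webapp-service
  namespace: production
  labels:
    app: webapp
spec:
  selector:
    app: webapp
  ports:
    - port: 80
      targetPort: 8080
      name: http
  type: ClusterIP
---
# Ingress with TLS
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webapp-ingress
  namespace: production
  labels:
    app: webapp
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - webapp.example.com
      secretName: webapp-tls-cert  # HSM-backed TLS certificate
  rules:
    - host: webapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: webapp-service
                port:
                  number: 80
---
# Horizontal Pod Autoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: webapp-hpa
  namespace: production
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: webapp
  minReplicas: 3
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 80
---
# Pod Disruption Budget
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: webapp-pdb
  namespace: production
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: webapp
---
# Network Policy for production environment
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: webapp-network-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: webapp
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # Immutable, API-server-managed namespace label; a hand-applied
              # `name:` label can be missing or set on any namespace
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Egress is limited by port only; the empty namespaceSelector allows
    # these ports towards pods in every namespace
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: TCP
          port: 5432  # Database
        - protocol: TCP
          port: 443  # HTTPS
        - protocol: UDP
          port: 53  # DNS
---
# RBAC for production applications
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: webapp-secrets-reader
rules:
  # `get` on the two named Secrets only: `list` would return the contents of
  # every Secret in the namespace, and resourceNames cannot scope a list
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["webapp-database-credentials", "webapp-tls-cert"]
    verbs: ["get"]
  - apiGroups: ["hsm.j5t.io"]
    resources: ["hsmsecrets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: webapp-secrets-access
  namespace: production
subjects:
  # Bound to the dedicated account, not `default`
  - kind: ServiceAccount
    name: webapp
    namespace: production
roleRef:
  kind: Role
  name: webapp-secrets-reader
  apiGroup: rbac.authorization.k8s.io
---
# Monitoring: ServiceMonitor for Prometheus
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: hsm-operator-metrics
  namespace: hsm-secrets-operator-system
  labels:
    app: hsm-secrets-operator
spec:
  # Matches the operator's metrics Service, which is not part of this file
  selector:
    matchLabels:
      control-plane: controller-manager
  endpoints:
    - port: https
      path: /metrics
      scheme: https
      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
      tlsConfig:
        # Accepts any certificate the metrics endpoint presents, so the
        # bearer token above can be captured by anything that answers on the
        # Service's address. Prefer `ca` plus `serverName` once the metrics
        # certificate is issued from a CA Prometheus can be given.
        insecureSkipVerify: true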