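---
# SurrealDB StatefulSet for SecretumVault storage.
# Runs a single SurrealDB replica; its data is meant to live on the "data"
# volume claim mounted at /var/lib/surrealdb.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: vault-surrealdb
  namespace: secretumvault
  labels:
    app: vault-surrealdb
spec:
  serviceName: vault-surrealdb
  replicas: 1
  selector:
    matchLabels:
      app: vault-surrealdb
  template:
    metadata:
      labels:
        app: vault-surrealdb
      annotations:
        prometheus.io/scrape: "false"
    spec:
      # The database does not call the Kubernetes API, so no service account
      # token is mounted into the pod.
      automountServiceAccountToken: false
      containers:
        - name: surrealdb
          # NOTE(review): ":latest" is a mutable tag, and with IfNotPresent
          # each node keeps whatever build it pulled first. Pin a tested
          # release tag or an image digest before production use.
          image: surrealdb/surrealdb:latest
          imagePullPolicy: IfNotPresent
          ports:
            - name: ws
              containerPort: 8000
              protocol: TCP
          # SurrealDB command with authentication enabled.
          # The root password is NOT passed via --pass: Kubernetes would
          # expand $(VAR) into the container's argv, where it is readable
          # from the process list and runtime inspection. It is supplied
          # through the SURREAL_PASS environment variable instead.
          args:
            - "start"
            - "--bind"
            - "0.0.0.0:8000"
            - "--user"
            - "vault"
            - "--log"
            - "info"
            # Storage path on the mounted volume. Without a path argument
            # `surreal start` uses its in-memory engine, so the volume
            # would stay unused and data would be lost on pod restart.
            - "rocksdb:/var/lib/surrealdb/vault.db"
          env:
            # Read by `surreal start` as the value of --pass.
            - name: SURREAL_PASS
              valueFrom:
                secretKeyRef:
                  name: vault-surrealdb-secret
                  key: password
            - name: RUST_LOG
              value: "info"
          volumeMounts:
            - name: data
              mountPath: /var/lib/surrealdb
          livenessProbe:
            tcpSocket:
              port: ws
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            tcpSocket:
              port: ws
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
          resources:
            requests:
              memory: "256Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "250m"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
            # NOTE(review): runAsNonRoot and readOnlyRootFilesystem are not
            # set here because they depend on the user and write paths of
            # the pinned image; confirm and enable them. If the image runs
            # as a non-root user, a pod-level fsGroup may be needed for the
            # data volume to be writable.
      terminationGracePeriodSeconds: 30
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 5Gi
---
# SurrealDB Service (headless for direct pod access).
# NOTE(review): no NetworkPolicy is visible in this file; port 8000 is then
# reachable from any workload that can reach the pod. Consider restricting
# ingress to the vault workload.
apiVersion: v1
kind: Service
metadata:
  name: vault-surrealdb
  namespace: secretumvault
  labels:
    app: vault-surrealdb
spec:
  clusterIP: None
  selector:
    app: vault-surrealdb
  ports:
    - name: ws
      port: 8000
      targetPort: ws
---
# SurrealDB Client Service (for connecting vault).
apiVersion: v1
kind: Service
metadata:
  name: vault-surrealdb-client
  namespace: secretumvault
  labels:
    app: vault-surrealdb
spec:
  type: ClusterIP
  selector:
    app: vault-surrealdb
  ports:
    - name: ws
      port: 8000
      targetPort: ws
      protocol: TCP
---
# Secret for SurrealDB authentication.
# NOTE(review): the value below is a placeholder committed in plain text.
# Replace it before deploying, and prefer creating this Secret out of band
# (secret manager, sealed/encrypted secrets) so the real password never
# lands in version control.
apiVersion: v1
kind: Secret
metadata:
  name: vault-surrealdb-secret
  namespace: secretumvault
type: Opaque
stringData:
  password: "change-me-in-production"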