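---
# etcd StatefulSet for SecretumVault storage.
#
# SECURITY NOTE (review): as written, this cluster speaks plaintext HTTP on
# both the client (2379) and peer (2380) ports, binds 0.0.0.0, and has no
# client authentication. Anything that can reach the pod network can read or
# rewrite Vault's storage backend, and anything that can reach 2380 can join
# the cluster as a peer. Before this holds real secrets, enable TLS with
# client-certificate auth (ETCD_CERT_FILE / ETCD_KEY_FILE /
# ETCD_TRUSTED_CA_FILE / ETCD_CLIENT_CERT_AUTH=true and the ETCD_PEER_*
# equivalents), switch every URL below -- including the probe endpoints -- to
# https://, and restrict 2379/2380 with a NetworkPolicy. The certificates are
# not provided by this file, so that wiring is left to the deployment that
# supplies them rather than invented here.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: vault-etcd
  namespace: secretumvault
  labels:
    app: vault-etcd
spec:
  serviceName: vault-etcd
  replicas: 3
  selector:
    matchLabels:
      app: vault-etcd
  template:
    metadata:
      labels:
        app: vault-etcd
      annotations:
        # Metrics are scraped from the client port (/metrics); if the client
        # port is later moved to TLS, point this at a separate
        # ETCD_LISTEN_METRICS_URLS listener instead.
        prometheus.io/scrape: "true"
        prometheus.io/port: "2379"
    spec:
      # One member per node so a single node failure cannot take out quorum.
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - vault-etcd
              topologyKey: kubernetes.io/hostname
      # Pod-level hardening: the etcd binary does not need root. fsGroup makes
      # the PVC writable by the non-root user; RuntimeDefault seccomp blocks
      # the syscalls a storage daemon never needs.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        runAsGroup: 65534
        fsGroup: 65534
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: etcd
          # Consider pinning by digest (image@sha256:...) so a re-tagged image
          # cannot silently change what runs as the secrets backend.
          image: quay.io/coreos/etcd:v3.5.9
          imagePullPolicy: IfNotPresent
          ports:
            - name: client
              containerPort: 2379
              protocol: TCP
            - name: peer
              containerPort: 2380
              protocol: TCP
          env:
            - name: ETCD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            # The data volume is mounted at /etcd-data below, but etcd's
            # default data-dir is "${name}.etcd" relative to the working
            # directory. Without this setting the keyspace is written to the
            # ephemeral container filesystem and lost on every restart, after
            # which the restarted member cannot rejoin (its member ID is gone).
            - name: ETCD_DATA_DIR
              value: "/etcd-data"
            - name: ETCD_INITIAL_CLUSTER_STATE
              value: "new"
            - name: ETCD_INITIAL_CLUSTER_TOKEN
              value: "etcd-cluster-vault"
            - name: ETCD_INITIAL_CLUSTER
              value: "vault-etcd-0=http://vault-etcd-0.vault-etcd:2380,vault-etcd-1=http://vault-etcd-1.vault-etcd:2380,vault-etcd-2=http://vault-etcd-2.vault-etcd:2380"
            - name: ETCD_LISTEN_CLIENT_URLS
              value: "http://0.0.0.0:2379"
            - name: ETCD_ADVERTISE_CLIENT_URLS
              value: "http://$(ETCD_NAME).vault-etcd:2379"
            - name: ETCD_LISTEN_PEER_URLS
              value: "http://0.0.0.0:2380"
            - name: ETCD_INITIAL_ADVERTISE_PEER_URLS
              value: "http://$(ETCD_NAME).vault-etcd:2380"
            - name: ETCD_AUTO_COMPACTION_RETENTION
              value: "24h"
            # "revision" mode treats the retention value as a revision count,
            # not a duration; "24h" would be read as a huge number of
            # revisions, history would never be compacted, and the backend
            # would grow until it hit the space quota and went read-only.
            # "periodic" is the mode that matches a duration-valued retention.
            - name: ETCD_AUTO_COMPACTION_MODE
              value: "periodic"
          volumeMounts:
            - name: data
              mountPath: /etcd-data
          # Both probes do a quorum-backed health check against the local
          # member. If the client port moves to TLS these endpoints must be
          # updated to https:// with the matching --cacert/--cert/--key.
          livenessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - ETCDCTL_API=3 etcdctl --endpoints=http://localhost:2379 endpoint health
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - ETCDCTL_API=3 etcdctl --endpoints=http://localhost:2379 endpoint health
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
          resources:
            requests:
              memory: "256Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "250m"
          # etcd only writes under its data-dir, which is on the PVC, so the
          # root filesystem can be read-only. If a future image needs another
          # writable path, add an emptyDir for it rather than dropping this.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
      terminationGracePeriodSeconds: 30
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
---
# etcd Service (headless for peer discovery).
apiVersion: v1
kind: Service
metadata:
  name: vault-etcd
  namespace: secretumvault
  labels:
    app: vault-etcd
spec:
  clusterIP: None
  # Members are not Ready until they have quorum, but they need each other's
  # per-pod DNS names (vault-etcd-N.vault-etcd) to form quorum. Publishing
  # not-ready addresses breaks that bootstrap deadlock; it does not affect
  # the client Service below, which still routes only to Ready members.
  publishNotReadyAddresses: true
  selector:
    app: vault-etcd
  ports:
    - name: client
      port: 2379
      targetPort: client
    - name: peer
      port: 2380
      targetPort: peer
---
# etcd Client Service (for connecting vault).
apiVersion: v1
kind: Service
metadata:
  name: vault-etcd-client
  namespace: secretumvault
  labels:
    app: vault-etcd
spec:
  type: ClusterIP
  selector:
    app: vault-etcd
  ports:
    - name: client
      port: 2379
      targetPort: client
      protocol: TCP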