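# Companion document: docs/04-12-nodejs-TLS与证书.md
# Cumulative: 04-11 plus Ingress TLS (websecure entrypoint,
# secretName: nodejs-demo-tls).
#
# Create the TLS Secret before applying this manifest, for example:
#   kubectl create secret tls nodejs-demo-tls --cert=fullchain.pem --key=privkey.pem -n default
# The certificate SAN must cover app.example.local (it has to match
# rules.host / tls.hosts below).
#
# Security notes:
# - The Secret must live in the same namespace as the Ingress (default).
# - privkey.pem is key material: keep it out of version control and
#   restrict who can read Secrets in this namespace via RBAC.
# - After applying, verify that the served certificate is the one from
#   nodejs-demo-tls; an ingress controller may fall back to a default
#   certificate when the referenced Secret is missing or invalid.
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nodejs-demo-data
  namespace: default
spec:
  # ReadWriteOnce: the volume can be mounted read-write by a single node
  # only, so every replica that mounts it has to run on that node.
  accessModes:
    - ReadWriteOnce
  storageClassName: local-path
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nodejs-demo-config
  namespace: default
data:
  # Non-sensitive configuration only; ConfigMaps are not meant for secrets.
  APP_MSG: "Hello from ConfigMap"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nodejs-demo
  namespace: default
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # Bring up one extra pod first and never drop below the desired
      # count during a rollout.
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: nodejs-demo
  template:
    metadata:
      labels:
        app: nodejs-demo
    spec:
      # All replicas are pinned to one node, which is what lets them
      # share the ReadWriteOnce claim; it also makes that node a single
      # point of failure.
      nodeSelector:
        kubernetes.io/hostname: ylc62
      # The demo server never calls the Kubernetes API, so do not mount a
      # service-account token into the pod.
      automountServiceAccountToken: false
      securityContext:
        # Mounted volumes are made group-accessible to GID 1000.
        fsGroup: 1000
        # Use the container runtime's default seccomp filter instead of
        # running unconfined.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: nodejs-demo
          # NOTE(review): this is a mutable tag; for production, pin the
          # image by digest and confirm the Node.js release line is
          # still receiving security updates.
          image: node:18.20-alpine
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 1000
            # Writable paths are limited to the /tmp and /data mounts.
            readOnlyRootFilesystem: true
            # The server listens on an unprivileged port (8080) as a
            # non-root user and needs no Linux capabilities.
            capabilities:
              drop:
                - ALL
          env:
            - name: APP_MSG
              valueFrom:
                configMapKeyRef:
                  name: nodejs-demo-config
                  key: APP_MSG
          # Inline HTTP server: answers every request with APP_MSG.
          # It serves plain HTTP; TLS terminates at the ingress.
          command:
            - node
            - "-e"
            - |
              const http=require('http');
              const msg=process.env.APP_MSG||'no env';
              http.createServer((q,s)=>s.end(msg)).listen(8080);
          ports:
            - containerPort: 8080
          resources:
            requests:
              cpu: "50m"
              memory: "64Mi"
            limits:
              cpu: "500m"
              memory: "256Mi"
          livenessProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 3
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 2
            periodSeconds: 5
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: data
              mountPath: /data
      volumes:
        - name: tmp
          emptyDir: {}
        - name: data
          persistentVolumeClaim:
            claimName: nodejs-demo-data
---
apiVersion: v1
kind: Service
metadata:
  name: nodejs-demo
  namespace: default
spec:
  selector:
    app: nodejs-demo
  ports:
    # Cluster-internal port 80 forwards to the container's port 8080.
    - port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nodejs-demo
  namespace: default
  annotations:
    # Attach the router to the TLS entrypoint only, so this Ingress is
    # not served on the plain-HTTP entrypoint.
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  tls:
    # hosts must match rules.host and be covered by the certificate SAN.
    - hosts:
        - app.example.local
      secretName: nodejs-demo-tls
  rules:
    - host: app.example.local
      http:
        paths:
          # Only /api and paths below it are routed to the Service.
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: nodejs-demo
                port:
                  number: 80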