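---
# Production overlay for the rxminder CouchDB StatefulSet.
# Only the fields that differ from the base manifest are listed here; the
# container image, replica count, selector and serviceName are expected to
# come from the base (not visible in this file) — confirm when merging.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: rxminder-couchdb
spec:
  template:
    spec:
      containers:
        - name: couchdb
          resources:
            requests:
              memory: '512Mi'
              cpu: '200m'
            limits:
              memory: '1Gi'
              cpu: '1000m'
          # Production environment variables. Every credential is read from the
          # couchdb-secret Secret so that no secret value lives in this file.
          env:
            - name: COUCHDB_USER
              valueFrom:
                secretKeyRef:
                  name: couchdb-secret
                  key: username
            - name: COUCHDB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: couchdb-secret
                  key: password
            # Erlang distribution cookie. Any node that knows it can join the
            # Erlang cluster, so it is a credential and must not be a fixed
            # literal checked into version control.
            # TODO: provision the 'erlang-cookie' key in couchdb-secret (the
            # Secret itself is not part of this file).
            - name: ERLANG_COOKIE
              valueFrom:
                secretKeyRef:
                  name: couchdb-secret
                  key: erlang-cookie
            # $(ERLANG_COOKIE) is expanded by Kubernetes only when the referenced
            # variable is defined earlier in this env list; otherwise it is left
            # as a literal. If this file is applied as a strategic-merge patch and
            # the base already defines ERL_FLAGS, verify the merged ordering.
            - name: ERL_FLAGS
              value: '-setcookie $(ERLANG_COOKIE)'
            # Value CouchDB uses to sign session cookies / proxy-auth tokens.
            # Previously hard-coded as a placeholder literal; now sourced from
            # the Secret.
            # TODO: provision the 'cookie-auth-secret' key in couchdb-secret.
            - name: COUCHDB_SECRET
              valueFrom:
                secretKeyRef:
                  name: couchdb-secret
                  key: cookie-auth-secret
          # Production health checks with tighter timings. /_up is CouchDB's
          # readiness endpoint; liveness waits 60s for the node to come up.
          livenessProbe:
            httpGet:
              path: /_up
              port: 5984
            initialDelaySeconds: 60
            periodSeconds: 20
            timeoutSeconds: 10
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /_up
              port: 5984
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 5
            failureThreshold: 3
          # Container security context: unprivileged, no capabilities.
          # NOTE(review): readOnlyRootFilesystem is not set; CouchDB may write
          # outside the data volume (logs, temp files) — verify before enabling.
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 5984
            runAsGroup: 5984
            capabilities:
              drop:
                - ALL
          # Data is writable; the production config is mounted read-only so the
          # container cannot alter its own configuration at runtime.
          volumeMounts:
            - name: couchdb-data
              mountPath: /opt/couchdb/data
            - name: couchdb-config
              mountPath: /opt/couchdb/etc/local.d
              readOnly: true
      # Pod-level security: volumes are group-owned by the CouchDB gid and the
      # runtime's default seccomp profile is applied to every container.
      securityContext:
        fsGroup: 5984
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      # Scheduling: never co-locate two database pods on one node (hard rule),
      # and prefer nodes labelled for database/storage workloads (soft rule).
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - rxminder
                  - key: component
                    operator: In
                    values:
                      - database
              topologyKey: kubernetes.io/hostname
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: node-type
                    operator: In
                    values:
                      - database
                      - storage
      # Tolerations for the production node taints. 'true' is quoted on
      # purpose: taint values are strings, and an unquoted true would parse as
      # a boolean.
      tolerations:
        - key: 'node-role.kubernetes.io/production'
          operator: 'Equal'
          value: 'true'
          effect: 'NoSchedule'
        - key: 'node-role.kubernetes.io/database'
          operator: 'Equal'
          value: 'true'
          effect: 'NoSchedule'
      # Production configuration is delivered as a ConfigMap; it must not
      # contain credentials (those come from couchdb-secret above).
      volumes:
        - name: couchdb-config
          configMap:
            name: couchdb-production-config
  # Per-pod persistent data on SSD-class storage. ReadWriteOnce matches the
  # one-pod-per-volume model of a StatefulSet.
  volumeClaimTemplates:
    - metadata:
        name: couchdb-data
        labels:
          app: rxminder
          component: database
          environment: production
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: ssd
        resources:
          requests:
            storage: 10Gi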