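---
# Deployment for the apolo ejabberd (XMPP) server. A single replica; two init
# containers prepare the pod before ejabberd starts:
#   1. make-chat-pem builds the key+certificate bundle from the TLS secret.
#   2. fix-perms hands the data, logs and conf volumes to uid/gid 9000.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apolo-ejabberd
  namespace: apolo
  labels:
    app.kubernetes.io/name: apolo-ejabberd
    app.kubernetes.io/part-of: apolo
    app.kubernetes.io/component: ejabberd
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: apolo-ejabberd
  template:
    metadata:
      labels:
        app.kubernetes.io/name: apolo-ejabberd
        app.kubernetes.io/part-of: apolo
        app.kubernetes.io/component: ejabberd
    spec:
      imagePullSecrets:
        - name: harbor-cred
      # Ensure permissions/ownership on volumes. Containers inherit
      # uid/gid 9000 unless they override it (fix-perms does).
      securityContext:
        runAsUser: 9000
        runAsGroup: 9000
        fsGroup: 9000
        fsGroupChangePolicy: "OnRootMismatch"
      initContainers:
        # Concatenates the private key and certificate into chat.pem on the
        # shared conf volume.
        - name: make-chat-pem
          # NOTE(review): "latest" is a mutable tag, and this container reads
          # the TLS private key. Pin a version and digest, e.g.
          # alpine:<VERSION>@sha256:<DIGEST> (placeholders).
          image: alpine:latest
          # Runs as the pod-level uid 9000; it needs no extra privileges.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -eu
              # Create the bundle owner-only from the start, so the private
              # key is never readable by group/other before the chmod.
              umask 077
              mkdir -p /work/conf
              cat /tls/tls.key /tls/tls.crt > /work/conf/chat.pem
              chmod 600 /work/conf/chat.pem
          volumeMounts:
            - name: tls
              mountPath: /tls
              readOnly: true
            - name: conf
              mountPath: /work/conf
        # Recursively chowns the three writable volumes to 9000:9000.
        - name: fix-perms
          # NOTE(review): same mutable "latest" tag, here in a root container;
          # pin it as well.
          image: alpine:latest
          # Root is required for chown. NOTE(review): the default capability
          # set is kept; consider dropping everything chown does not need,
          # and check whether fsGroup above already gives ejabberd enough
          # access to make this container unnecessary.
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            allowPrivilegeEscalation: false
          command: ["/bin/sh", "-lc"]
          args:
            - |
              set -eu
              # Best effort, as before: a failed chown does not block the
              # pod, but it is now reported on stderr instead of hidden.
              for dir in \
                /home/ejabberd/database \
                /home/ejabberd/logs \
                /home/ejabberd/conf
              do
                chown -R 9000:9000 "$dir" \
                  || echo "WARN: chown failed for $dir" >&2
              done
          volumeMounts:
            - name: data
              mountPath: /home/ejabberd/database
            - name: logs
              mountPath: /home/ejabberd/logs
            - name: conf
              mountPath: /home/ejabberd/conf
      containers:
        - name: ejabberd
          image: harbor.c2et.com/xrf-ssl/xrf-ejabberd:6.0
          imagePullPolicy: IfNotPresent
          # Network-facing service: run unprivileged with no capabilities.
          # All declared ports are above 1024, so none are needed to bind.
          # NOTE(review): confirm the image has no setuid/file-capability
          # helpers that rely on privilege escalation.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # NOTE(review): no resources.requests/limits are set; define them
          # so a flood of client connections cannot exhaust the node.
          envFrom:
            - secretRef:
                name: apolo-ejabberd-secret
          ports:
            - name: c2s
              containerPort: 5222
              protocol: TCP
            - name: s2s
              containerPort: 5269
              protocol: TCP
            - name: https
              containerPort: 5443
              protocol: TCP
            - name: http
              containerPort: 5280
              protocol: TCP
          # Both probes only check that the c2s port accepts TCP connections.
          readinessProbe:
            tcpSocket:
              port: 5222
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 5222
            initialDelaySeconds: 30
            periodSeconds: 20
          volumeMounts:
            - name: data
              mountPath: /home/ejabberd/database
            - name: logs
              mountPath: /home/ejabberd/logs
            - name: conf
              mountPath: /home/ejabberd/conf
            # ejabberd.yml from the ConfigMap is layered over the conf volume.
            - name: confmap
              mountPath: /home/ejabberd/conf/ejabberd.yml
              subPath: ejabberd.yml
            # Optional inetrc (to silence the warning)
            - name: inetrc
              mountPath: /home/ejabberd/conf/inetrc
              subPath: inetrc
              readOnly: true
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: apolo-ejabberd-data
        - name: logs
          persistentVolumeClaim:
            claimName: apolo-ejabberd-logs
        # Holds chat.pem (private key + certificate) for the pod's lifetime.
        # NOTE(review): consider `medium: Memory` so the key copy is not
        # written to node disk.
        - name: conf
          emptyDir: {}
        - name: confmap
          configMap:
            name: apolo-ejabberd-config
        - name: tls
          secret:
            secretName: chat-tls
        - name: inetrc
          configMap:
            name: apolo-ejabberd-inetrc
            optional: true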