apiVersion: apps/v1
kind: Deployment
metadata:
  name: ${APP_NAME}
  labels:
    app: ${APP_NAME}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ${APP_NAME}
  template:
    metadata:
      labels:
        app: ${APP_NAME}
    spec:
      containers:
      - name: app-container
        image: ${FULL_IMAGE_NAME}
        ports:
        - containerPort: 80
---
# NOTA: Il servizio ora è ClusterIP (interno), non più LoadBalancer.
# Non costa nulla e non ha IP pubblico diretto.
apiVersion: v1
kind: Service
metadata:
  name: ${APP_NAME}-service
spec:
  type: ClusterIP
  selector:
    app: ${APP_NAME}
  ports:
  - port: 80
    targetPort: 80
---
# LA PARTE NUOVA: INGRESS
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ${APP_NAME}-ingress
  annotations:
    # Queste due righe attivano la magia SSL automatica
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    kubernetes.io/tls-acme: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - ${APP_NAME}.demo.bytebuilder.it  
    secretName: ${APP_NAME}-tls   
  rules:
  - host: ${APP_NAME}.demo.bytebuilder.it 
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ${APP_NAME}-service
            port:
              number: 80