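---
# Defaults for the cms-plugins chart.
# Per-env overrides come from values-staging.yaml / values-production.yaml
# and from the FluxCD HelmRelease's `values:` block.

image:
  repository: git.oleks.space/oleks/cms-plugins
  tag: develop-latest
  # The tag is a mutable floating pointer (CI retags -latest onto
  # each new build), so kubelet must always re-pull — IfNotPresent would
  # pin the node to whatever digest it cached first and never roll.
  # NOTE(review): a floating tag is not a supply-chain pin; whatever the
  # registry serves under it at pull time runs. For production, the per-env
  # override file is the place to set an immutable tag or digest.
  pullPolicy: Always

service:
  port: 4321

ingress:
  enabled: true
  host: cms-plugins.kotkanagrilli.fi
  # TLS terminates at the Caddy reverse-proxy at the cluster edge
  # (matches the woodpecker / emdash-kotkanagrilli pattern). The
  # Ingress object is plain — no inline TLS, no cert-manager Certificate.
  className: kube-system-traefik

# SQLite is single-writer — pin to one node so the local-path PV is sticky.
# kotkan hosts the kotkanagrilli subdomain pool, matching the
# anton-helm-workloads convention (hello-kotkan, kotkanagrilli, etc.).
nodeSelector:
  kubernetes.io/hostname: kotkan

tolerations: []
affinity: {}

persistence:
  enabled: true
  storageClass: local-path
  size: 5Gi
  # Mounted at /app/state. The image symlinks /app/data.db and /app/uploads
  # into this volume, so a single PVC covers SQLite + uploaded media.
  mountPath: /app/state

# Plain env values (non-secret). Quoted where the value would otherwise be
# re-typed by the YAML loader (PORT would become an int, HOST is fine but
# kept quoted for consistency).
env:
  HOST: "0.0.0.0"
  PORT: "4321"
  NODE_ENV: production
  DEPLOY_TARGET: node
  STATE_DIR: /app/state
  EMDASH_ALLOWED_ORIGINS: ""

# All secrets project from one Secret. Keys expected:
# - EMDASH_ENCRYPTION_KEY (required)
existingSecret: cms-plugins-secrets

imagePullSecrets:
  - name: gitea-registry-creds

probes:
  liveness:
    # /_emdash/api/health requires auth (401 to unauthenticated requests),
    # so kubelet probes fail and the pod gets killed. The site root is
    # public and a 200 from it is a reasonable proxy for "the server is up".
    path: /
    initialDelaySeconds: 30
    periodSeconds: 30
    timeoutSeconds: 5
  readiness:
    path: /
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5

resources:
  requests:
    cpu: 100m
    memory: 256Mi
  limits:
    # Quoted so "1" stays a string quantity rather than an int.
    cpu: "1"
    memory: 1Gi

# fsGroup matches the container's runAsGroup so the PVC is writable
# by the non-root process.
podSecurityContext:
  fsGroup: 1001

containerSecurityContext:
  runAsNonRoot: true
  runAsUser: 1001
  runAsGroup: 1001
  allowPrivilegeEscalation: false
  capabilities:
    drop: [ALL]
  # NOTE(review): readOnlyRootFilesystem and seccompProfile are not set here.
  # Both are worth adding once confirmed the app writes only under
  # /app/state and the chart template passes this whole map through
  # unchanged — verify against the deployment template before enabling.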