## @section Global parameters

## @param nameOverride Override the name of the application.
nameOverride: "squidex"

## @param labels [object] Labels to add to the deployment.
labels:
  # custom: "custom"

service:
  ## @param service.type Kubernetes Service type.
  ##
  type: ClusterIP
  ## @param service.port Kubernetes Service port.
  ##
  port: 8080

deployment:
  ## @param deployment.replicaCount Number of replicas (ignored if autoscaling enabled).
  replicaCount: 1
  ## @param deployment.revisionHistoryLimit [default: 2] Number of revision history.
  revisionHistoryLimit: 2
  ## @param deployment.serviceAccountName Name of the service account to use.
  serviceAccountName: ""
  ## @param deployment.strategy.type Deployment strategy type.
  strategy:
    type: RollingUpdate
    ## @param deployment.strategy.rollingUpdate.maxSurge Maximum number of pods that can be created above the desired amount.
    rollingUpdate:
      maxSurge: 1
      ## @param deployment.strategy.rollingUpdate.maxUnavailable Maximum number of unavailable pods during update.
      maxUnavailable: 0
  ## @param deployment.restartPolicy Pod restart policy.
  restartPolicy: Always
  ## @param deployment.annotations Annotations to add to the deployment.
  annotations:
    # vault.hashicorp.com/agent-pre-populate-only: "true"
    # vault.hashicorp.com/agent-limits-cpu: 50m
    # vault.hashicorp.com/agent-limits-mem: 64Mi
    # vault.hashicorp.com/agent-requests-cpu: 10m
    # vault.hashicorp.com/agent-requests-mem: 16Mi
  ## @param deployment.command Command to run in the container.
  command:
    # - sh
    # - -c
  ## @param deployment.args Arguments to pass to the container.
  args:
    # - 'dotnet Squidex.dll'

## @param networkPolicy.enabled Enable network policies.
networkPolicy:
  enabled: false
  ## @skip networkPolicy.ingressRules
  ingressRules:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
        - podSelector:
            matchLabels:
              app.kubernetes.io/instance: ingress-nginx
      ports:
        - port: 8080
          protocol: TCP
  ## @skip networkPolicy.egressRules
  egressRules:
    - to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP

selectors:
  ## @skip selectors.component
  ##
  component: squidex
  ## @skip selectors.partOf
  ##
  partOf: ""
  ## @skip selectors.version
  ##
  version: ""
image:
  ## @param image.repository Squidex image registry.
  ##
  repository: squidex/squidex
  ## @param image.pullPolicy Squidex image pull policy.
  ##
  pullPolicy: IfNotPresent

## @param resources [object] Resource requests and limits.
resources:
  limits:
    memory: "1Gi"
  requests:
    cpu: "200m"
    memory: "512Mi"
## @skip nodeSelector
nodeSelector: { }
## @skip tolerations
tolerations: [ ]
## @skip affinity
affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
    - weight: 100
      podAffinityTerm:
        labelSelector:
          matchLabels:
            app.kubernetes.io/instance: squidex
            app.kubernetes.io/component: squidex
        topologyKey: kubernetes.io/hostname
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/arch
          operator: In
          values:
          - amd64
          - arm64

## @param topologySpreadConstraints [array] Topology spread constraints for pod scheduling.
topologySpreadConstraints:
  # - maxSkew: 1
  #   topologyKey: kubernetes.io/hostname
  #   whenUnsatisfiable: DoNotSchedule
  #   labelSelector:
  #     matchLabels:
  #       app.kubernetes.io/instance: squidex
  #       app.kubernetes.io/component: squidex

## @param priorityClassName [nullable] Priority class name for the pod.
priorityClassName:

## @skip clusterSuffix
clusterSuffix: cluster.local

## @param runAsNonRoot Run container as non-root user.
runAsNonRoot: true

## @skip podSecurityContext [object]
## You can modify the security context userepd to run PODS in the cluster
## For information regarding which settings are required per policy see: https://kubernetes.io/docs/concepts/security/pod-security-standards/
## An example that follows the Restricted profile is described below:
#
podSecurityContext:
  seccompProfile:
    type: RuntimeDefault
  runAsNonRoot: true
  runAsUser: 10000
  runAsGroup: 10000
  fsGroup: 10000

## @skip containerSecurityContext [object]
## You can modify the security context used to run CONTAINERS in the cluster
## For information regarding which settings are required per policy see: https://kubernetes.io/docs/concepts/security/pod-security-standards/
## readOnlyRootFilesystem: true not supported becasue of backup and restore process
## An example that follows the Restricted profile is described below:
#
containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
    add:
      - NET_BIND_SERVICE

## @skip auth
auth:
  ## 

ingress:
  ## @param ingress.enabled True to deploy an ingress.
  ## If true, Squidex Ingress will be created.
  ##
  enabled: false
  ## @param ingress.ingressClassName The ingress class.
  ingressClassName: nginx
  ## @param ingress.annotations [object] Ingress annotations.
  annotations:
    #   kubernetes.io/ingress.class: nginx
    #   kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 50m
    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
    nginx.ingress.kubernetes.io/proxy-buffers: 4 256k
    nginx.ingress.kubernetes.io/proxy-busy-buffers-size: 256k
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
  ## @param ingress.hostName The host name for the ingress.
  ## 
  hostName: squidex.local
  
  ## @skip ingress.tls
  tls: [ ]
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

## @section Squidex parameters

env:
  # Define the type of the event store
  ## @param env.EVENTSTORE__MONGODB__DATABASE The name of the database for events.
  EVENTSTORE__MONGODB__DATABASE: "Squidex"

  ## @skip env.EVENTSTORE__TYPE
  ## Define the type of the event store
  ##
  EVENTSTORE__TYPE: MongoDb

  # CREATE LOCAL ADMIN USER
  ## @param env.IDENTITY__ADMINEMAIL The initial admin email address.
  ##
  IDENTITY__ADMINEMAIL: ""
  ## @param env.IDENTITY__ADMINPASSWORD The initial admin email address.
  ##
  IDENTITY__ADMINPASSWORD: ""
  ## @param env.IDENTITY__ADMINRECREATE Recreate the admin if it does not exist or the password does not match.
  ##
  IDENTITY__ADMINRECREATE: false
  ## @param env.IDENTITY__ALLOWPASSWORDAUTH Enable password auth. Set this to false if you want to disable local login, leaving only 3rd party login options.
  ## 
  IDENTITY__ALLOWPASSWORDAUTH: "true"
  ## @param env.IDENTITY__LOCKAUTOMATICALLY Lock new users automatically, the administrator must unlock them.
  ##
  IDENTITY__LOCKAUTOMATICALLY: "false" 
  ## @param env.IDENTITY__PRIVACYURL The url to you privacy statements.
  ##
  IDENTITY__PRIVACYURL: "https://squidex.io/privacy"
  ## @param env.IDENTITY__SHOWPII Set to true to show PII (Personally Identifiable Information) in the logs.
  ## 
  IDENTITY__SHOWPII: true # 

  ## @param env.IDENTITY__GOOGLECLIENT Google client ID (keep empty to disable Google authentication).
  ##
  IDENTITY__GOOGLECLIENT: null
  ## @param env.IDENTITY__GOOGLESECRET Google client secret (keep empty to disable Google authentication).
  ##
  IDENTITY__GOOGLESECRET: null

  ## @param env.IDENTITY__GITHUBCLIENT Github client ID (keep empty to disable Github authentication).
  ##
  IDENTITY__GITHUBCLIENT: null
  ## @param env.IDENTITY__GITHUBSECRET Github client secret (keep empty to disable Github authentication).
  ##
  IDENTITY__GITHUBSECRET: null

  ## @param env.IDENTITY__MICROSOFTCLIENT Microsoft client ID (keep empty to disable Microsoft authentication).
  ##
  IDENTITY__MICROSOFTCLIENT: null
  ## @param env.IDENTITY__MICROSOFTSECRET Microsoft client secret (keep empty to disable Microsoft authentication).
  ##
  IDENTITY__MICROSOFTSECRET: null
  ## @param env.IDENTITY__MICROSOFTTENANT Optional tenant name for Azure AD.
  ##
  IDENTITY__MICROSOFTTENANT: null

  # Settings for your custom oidc server
  ## @param env.IDENTITY__OIDCAUTHORITY The URL to the custom OIDC authority.
  ##
  IDENTITY__OIDCAUTHORITY: null
  ## @param env.IDENTITY__OIDCCLIENT The client ID to the authority.
  ##
  IDENTITY__OIDCCLIENT: null
  ## @param env.IDENTITY__OIDCSECRET The client secret to the authority.
  ##
  IDENTITY__OIDCSECRET: null
  ## @param env.IDENTITY__OIDCGETCLAIMSFROMUSERINFOENDPOINT True to get claims from the user endpoint.
  ##
  IDENTITY__OIDCGETCLAIMSFROMUSERINFOENDPOINT: false
  ## @param env.IDENTITY__OIDCMETADATAADDRESS A custom address for OIDC metadata.
  ##
  IDENTITY__OIDCMETADATAADDRESS: null
  ## @param env.IDENTITY__OIDCNAME The name of the OIDC integration or server. Used in the UI.
  ##
  IDENTITY__OIDCNAME: null
  ## @param env.IDENTITY__OIDCRESPONSETYPE The type of the response. id_token or code.
  ##
  IDENTITY__OIDCRESPONSETYPE: null 
  ## @param env.IDENTITY__OIDCSCOPES The scopes.
  ##
  IDENTITY__OIDCSCOPES: [] # ["email"]
  ## @param env.IDENTITY__OIDCSINGOUTREDIRECTURL The redirect URL for the sign out.
  ##
  IDENTITY__OIDCSINGOUTREDIRECTURL: null

  ## @skip env.LETSENCRYPT_HOST
  LETSENCRYPT_HOST: null
  ## @skip env.LETSENCRYPT_EMAIL
  LETSENCRYPT_EMAIL: null

  ## @param env.LOGGING__APPLICATIONINSIGHTS__ENABLED Enable monitoring via application insights.
  ##
  LOGGING__APPLICATIONINSIGHTS__ENABLED: false
  ## @param env.LOGGING__APPLICATIONINSIGHTS__CONNECTIONSTRING The connection string to application insights.
  ##
  LOGGING__APPLICATIONINSIGHTS__CONNECTIONSTRING: null # "instrumentationkey=keyvalue"
  ## @param env.LOGGING__COLORS Use colors in the console output.
  ##
  LOGGING__COLORS: false
  ## @param env.LOGGING__HUMAN Setting the flag to true, enables well formatteds json logs.
  ##
  LOGGING__HUMAN: false
  ## @param env.LOGGING__LEVEL Trace, Debug, Information, Warning, Error, Fatal.
  ##
  LOGGING__LEVEL: Warning
  ## @param env.LOGGING__LOGREQUESTS Set to false to disable logging of http requests.
  ##
  LOGGING__LOGREQUESTS: true
  ## @param env.LOGGING__OTLP__ENABLED True, to enable OpenTelemetry Protocol integration.
  ##
  LOGGING__OTLP__ENABLED: false
  ## @param env.LOGGING__OLTP__ENDPOINT The endpoint to the agent.
  ##
  LOGGING__OLTP__ENDPOINT: null
  ## @param env.LOGGING__STACKDRIVER__ENABLED True, to enable stackdriver integration.
  ##
  LOGGING__STACKDRIVER__ENABLED: false
  ## @param env.LOGGING__STOREENABLED False to disable the log store for HTTP requests.
  ##
  LOGGING__STOREENABLED: true
  ## @param env.LOGGING__STORERETENTIONINDAYS The number of days request log items will be stored.
  ##
  LOGGING__STORERETENTIONINDAYS: 90

  ## @skip env.STORE__TYPE
  STORE__TYPE: MongoDb
  ## @param env.STORE__MONGODB__DATABASE The name of the main database.
  ##
  STORE__MONGODB__DATABASE: "Squidex"
  ## @param env.STORE__MONGODB__CONTENTDATABASE The name of the database for content items.
  ##
  STORE__MONGODB__CONTENTDATABASE: "SquidexContent"
  
  ## @skip env.ASSETSTORE__TYPE
  ASSETSTORE__TYPE: MongoDb

  ## @param env.URLS__BASEURL Set the base url of your application, to generate correct urls in background process.
  ##
  URLS__BASEURL: https://squidex.local/ # 

  ## @param env.URLS__ENFORCEHTTPS Set it to true to redirect the user from http to https permanently.
  ##
  URLS__ENFORCEHTTPS: false

  ## @param env.ASPNETCORE_URLS An override to ensure that kestrel starts on a non-privileged port.
  ##
  ASPNETCORE_URLS: http://+:8080

# Bind secrets and configmaps directly into env as object name strings. Useful for managing sensitive data such as connection strings without exposing them to helm values
extraSecrets: []
extraConfigMaps: []

extraVolumes: []
extraVolumeMounts: []

## @param autoscaling.enabled Enable autoscaling for the deployment.
autoscaling:
  enabled: false
  ## @param autoscaling.maxReplicas Maximum number of replicas.
  maxReplicas: 6
  ## @param autoscaling.minReplicas Minimum number of replicas.
  minReplicas: 3
  ## @param autoscaling.targetCPUUtilizationPercentage Target CPU utilization percentage.
  targetCPUUtilizationPercentage: 85

## @param podDisruptionBudget.minAvailable Minimum number of available pods.
podDisruptionBudget:
  minAvailable: 1
  ## @param podDisruptionBudget.unhealthyPodEvictionPolicy Policy for evicting unhealthy pods.
  unhealthyPodEvictionPolicy: AlwaysAllow

## @section MongoDB parameters
mongodb:
  ## @param mongodb.architecture MongoDB(®) architecture (standalone or replicaset).
  ##
  architecture: replicaset
  ## @param mongodb.enabled Uses the custom mongoDB instance.
  ##
  enabled: true
  ## @param mongodb.replicaCount The number of replicas.
  ##
  replicaCount: 3
  
  auth:
    ## @param mongodb.auth.enabled Enable authentication for MongoDB.
    ##
    enabled: false
    ## @param mongodb.auth.rootUsername The MongoDB root user name.
    ##
    rootUsername: ""
    ## @param mongodb.auth.rootPassword The MongoDB root password.
    ##
    rootPassword: ""
    ## @param mongodb.auth.existingSecret The name of the existing secret to use for authentication.
    ##
    existingSecret: ""
  
  persistence:
    ## @param mongodb.persistence.enabled If true, persistent volume claims are created.
    ##
    enabled: true
    ## @param mongodb.persistence.storageClass The storage class for the persistent volume claim.
    ##
    storageClass: ""
    ## @param mongodb.persistence.accessModes Persistent volume access modes.
    ##
    accessModes:
      - ReadWriteOnce
    ## @param mongodb.persistence.size Persistent volume size.
    ##
    size: 10Gi

  ## @skip mongodb.arbiter
  arbiter:
    ## @skip mongodb.arbiter.enabled
    enabled: false
  
  ## @skip mongodb.nodeSelector
  nodeSelector: {}